Technology in Financial Transactions
Banks and other financial institutions have always been at the forefront of technology usage for their business purposes. This is partly driven by the need to cut costs as well as the desire to provide better customer service. Automatic Teller Machines (“ATM”) came into vogue and telephone banking, which allows customers to perform over the telephone, a range of financial transactions which do not involve cash or financial instruments (such as cheques), without the need to visit a bank branch or ATM, became popular. Once internet usage spread, internet banking came into play. Internet banking was introduced to India in 1998 by ICICI. As simple mobile phones were replaced by smartphones, mobile banking gained momentum. Mobile banking needs to be distinguished from telephone banking and internet banking. In mobile banking, customers download an application developed by the relevant bank to conduct financial transactions remotely, through a smartphone.
The term “FinTech” is short for “financial technology” and could apply to any kind of technology that is used to drive a financial transaction or service, offered by any entity. However, in business and regulatory jargon, FinTech has come to mean the technology used by financial service providers that disrupt the traditional way of providing such services. Thus, businesses such as PayTM, PhonePe, RazorPay, MobiKwik, PayU are all classified as fintech businesses.
Over the last 6 (six) years, the Indian FinTech market has grown tremendously and consumer adoption of FinTech solutions has been increasing. India is on par with China on FinTech adoption and leads globally. Since Indian consumers have had positive experiences with tech firms offering non-financial services such as cab aggregation and hotel bookings, they have come to expect and demand similar standards from FinTech service providers. The overall transaction value in the Indian FinTech market is estimated to jump from approximately $65 billion in 2019 to $140 billion in 2023. India has overtaken China as Asia’s top FinTech funding target market with investments of around $286 million across 29 (twenty nine) deals, as compared to China’s $192.1 million across 29 (twenty nine) deals in the first quarter of 2019. All of this, of course, was prior to the advent of the novel coronavirus disease, but assuming everything goes back to normal in a few months, FinTech is the space to watch out for in the Indian business ecosystem, as India progresses and modernises.
Payment and Settlement Systems Act, 2007
The Payment and Settlement Systems Act, 2007 (“P&SS Act”) was enacted in December 2007 in order to provide for the regulation and supervision of payment systems in India. The P&SS Act designates the Reserve Bank of India (“RBI”) as the authority for such purpose. A “payment system” is defined to mean a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. As per section 4 of the P&SS Act, an authorisation issued by the RBI is required, in order to commence or operate a payment system. Systems enabling the operation of credit or debits cards, smart cards, prepaid payment instruments would qualify as payment systems.
Regulation of Prepaid Payment Instruments by the RBI
Prepaid Payment Instruments (“PPIs”) are instruments that facilitate the purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. On October 11, 2017, the RBI issued the Master Direction on Issuance and Operation of Prepaid Payment Instruments (“PPI Master Directions”) under section 18 read with section 10(2) of the P&SS Act. Even prior to issuing the PPI Master Directions, the RBI had issued a number of circulars from time to time on the issuance and operation of PPIs. In the light of developments in the field, progress made by PPI issuers and experience gained and with a view to foster innovation and competition, ensure safety and security, customer protection, etc., the RBI reviewed the instructions relating to the issuance and operation of semi-closed and open system PPIs, consulted with stakeholders and issued the comprehensive PPI Master Directions to regulate PPIs.
The PPI Master Directions prescribe the eligibility criteria for issuing PPIs for banks and non-banks. For non-banks, the criteria are as follows:
As per paragraph 2.3 of the PPI Master Directions, three types of PPIs can be issued, namely, (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.
Open System PPIs may be issued only by RBI approved banks and can be used at any merchant’s location for purchase of goods and services, including financial services, remittance facilities, etc.
Closed System PPIs may be issued by any entity to facilitate the purchase of goods and services from such entity and do not permit cash withdrawal. These instruments cannot be used for payments or settlement for third party services and therefore, their issuance and operation are not classified as a payment system requiring approval by the RBI.
Semi-closed System PPIs may be issued by banks and non-banks (which are approved by the RBI) for purchasing goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which either have a specific contract with the issuer or a contract through a payment aggregator / payment gateway to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.
A non-bank entity that issues semi-closed system PPIs should be a company incorporated in India and registered under the Companies Act, 1956 / Companies Act, 2013. Such a non-bank entity shall have a minimum positive net-worth of Rs. 5,00,00,000 (Rupees five crore) as per its latest audited balance sheet at the time of submitting the application, which shall be certified by its chartered accountant(s). By the end of the third financial year from the date of receiving final authorisation, the entity is required to have a minimum positive net-worth of Rs. 15,00,00,000 (Rupees fifteen crore). The net worth has to be maintained by the entity at all times. Issuers of semi-closed PPIs are required to submit to the RBI their audited balance sheet and net-worth as on March 31 of the relevant financial year within 6 (six) months of the close of the relevant financial year, failing which the entity may not be permitted to carry out its business.
Non-bank entities having foreign direct investment (“FDI”) or foreign portfolio investment (“FPI”) or foreign institutional investment (“FII”) are additionally required to meet the capital requirements under the consolidated FDI policy guidelines of Government of India, as applicable and as amended from time to time.
A certificate of authorization issued by the RBI for the issuance of semi-closed System PPIs shall be valid for 5 (five) years.
As per paragraph 7.6 of the PPI Master Directions, cash loading to PPIs shall not exceed Rs. 50,000 (Rupees fifty thousand) per month, for all categories of PPIs. This is further subject to the overall limit of the PPI. Paragraph 9.1 of the PPI Master Directions prescribes further limits on cash loading for semi-closed PPIs, along with various operational requirements, including the Know Your Customer (“KYC”) documents to be obtained, which are as follows:
Banks having an AD-I licence are permitted under the PPI Master Directions to issue to Indian residents in India, reloadable semi-closed or open system PPIs which are KYC compliant to be used in cross-border outward transactions. However, such issuance is limited to permissible current account transactions under the Foreign Exchange Management Act, 1999 (“FEMA”). Such PPIs cannot be used for any cross-border outward fund transfer and/or for making remittances under the RBI’s Liberalised Remittance Scheme. Banks issuing such PPIs on the request of PPI holders are limited by a per transaction limit not exceeding Rs. 10,000 (Rupees ten thousand) and a per month limit not exceeding Rs. 50,000 (Rupees fifty thousand). If the banks issue the PPI in card form, then the PPI has to be Europay, Mastercard, Visa (EMV) Chip and PIN compliant.
A money changer’s licence issued by the RBI is required to carry on the business of money changing. As per section 10(1) of FEMA, an authorised money changer may include any person, authorised by the RBI to deal in foreign exchange or in foreign securities. As per the Master Direction on Money Changing Activities dated January 1, 2016 issued by the RBI, an authorised money changer can be a (i) full-fledged money changers, which are entities authorised to purchase foreign exchange from non-residents visiting India and residents, and to sell foreign exchange for private and business travel purposes only, (ii) an Authorised Dealer Category -I Bank (“AD Category–I Bank”) and (iii) Authorised Dealers Category – II entities (“ADs Category–II”) which are authorised by the RBI to deal in foreign exchange for specified purposes. Money changers who fall under (i) above, that is, full-fledged money changers cannot issue PPIs to be used in cross-border outward transactions. Non-bank PPI issuers, who have been appointed as the Indian agent of an authorised overseas principal, can issue PPIs to beneficiaries of inward remittance under the Money Transfer Service Scheme (“MTSS”) of the RBI. Such a non-bank entity needs to be an authorised PPI issuer as well as an Indian agent under MTSS and shall be permitted to issue such PPI for a period of 3 (three) years from the date of the PPI Master Direction. The PPIs are required to be KYC compliant, reloadable, and issued only in electronic form, including cards. Amounts of up to Rs. 50,000 (Rupees fifty thousand) from individual inward MTSS remittances are permitted to be loaded or reloaded in PPIs issued to beneficiaries. Any single transaction amount in excess of Rs. 50,000 (Rupees fifty thousand) shall be paid by credit to a bank account of the beneficiary.
Regulation of Payment Intermediaries by the RBI
Payment intermediaries include all entities which collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and thereafter facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers. However, intermediaries who facilitate transactions which are akin to a delivery versus payment arrangement shall not fall under the definition of a payment intermediary.
The Directions For Opening And Operation Of Accounts And Settlement Of Payments For Electronic Payment Transactions Involving Intermediaries (“2009 EPT Directions”) were issued by the RBI in November 2009 under section 18 of the P&SS Act with a view to safeguard the interests of the customers and to ensure that the payments made by them are duly accounted for by the intermediaries receiving such payments and remitted to the accounts of the merchants who have supplied the goods and services without undue delay.
The 2009 EPT Directions define “intermediaries” to include all entities that collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers. Thus “intermediaries” would include not only payment aggregators and payment gateway service providers, but also electronic commerce and mobile commerce (e-commerce and m-commerce) service providers who provide platforms for facilitating electronic payments. “Merchants” are defined to include all electronic commerce or mobile commerce service providers and other persons (including but not limited to utility service providers) who accept payments for goods and service provided by them, through electronic or online payment modes.
The 2009 EPT Directions provide that all accounts which are opened and maintained by banks for facilitating collection of payments by intermediaries from customers of merchants, shall be treated as internal accounts of the banks and such accounts shall not be maintained or operated by the intermediaries. The accounts shall be subject to concurrent audits and the bank has to submit compliance certificates to the RBI on a quarterly basis.
The 2009 EPT Directions permit credits which are: (i) payments from various persons towards purchase of goods/services; (ii) transfers from other banks as per a pre-determined agreement into the intermediary’s nodal bank account; and (iii) transfers representing refunds for failed/disputed transactions. The permitted debits are: (i) payments to various merchants/service providers; (ii) transfers to other banks as per a pre-determined agreement, from the intermediary’s nodal bank account; (iii) transfers representing refunds for failed/disputed transactions; and (iv) commissions to the intermediaries at pre-determined rates/frequency. The 2009 EPT Directions provide that no payment other than the commissions at the pre-determined rates/frequencies shall be payable to the intermediaries. Such transfers shall only be effected to a bank account intimated to the bank by the intermediary during the agreement.
For easier settlement of funds for merchants, the 2009 EPT Directions require that all payments to merchants which do not involve transfer of funds to nodal banks shall be effected within a maximum of T+2 settlement cycle (where T is defined as the day of intimation regarding the completion of transaction). All payments to merchants involving nodal banks shall be effected within a maximum of T+3 settlement cycle.
The RBI recently issued the Guidelines on Regulation of Payment Aggregators and Payment Gateways dated March 17, 2020 (“PAPG Guidelines”) under section 18 read with section 10(2) of the P&SS Act. The PAPG Guidelines are to come into effect from April 1, 2020 other than for activities for which specific timelines are mentioned.
Payment Aggregators (“PAs”) are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs enable merchants to connect with acquirers. In the process, PAs receive payments from customers, pool and transfer them on to the merchants after a time period. Payment Gateways (“PGs”) are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in the handling of such funds.
As mentioned above, the 2009 EPT Directions applied to “intermediaries”, which is wider than, but includes PAs and PGs. With the advent of the PAPG Guidelines, which state that they will ‘regulate in entirety the activities of PAs’, the 2009 EPT Directions will cease to apply to PAs who will now be bound solely by the PAPG Guidelines. The PAPG Guidelines also ‘provide baseline technology-related recommendations to PGs’, which PAs are required to mandatorily adopt. The 2009 EPT Directions will continue to apply to PGs.
The PAPG Guidelines have detailed rules regarding: (i) the criteria for receiving authorisation as a PA or a PG; (ii) capital requirements; (iii) governance; (iv) merchant on-boarding; (v) settlement and escrow account management by non-bank PAs of the amount collected by them; and (vi) security, fraud prevention and risk management framework. While the PAPG Guidelines are to be mandatorily adhered to by PAs, PGs may or may not adhere to the baseline technology-related recommendations provided in the guidelines.
A PA shall be a company incorporated in India under the Companies Act, 1956 or the Companies Act, 2013 and the memorandum of association of the PA applying for registration must cover the proposed activity of operating as a PA. While banks carrying on the activity of a PA do not need any separate authorisation, non-bank entities which offer PA services will have to apply for authorisation on or before June 30, 2021. The PAPG Guidelines prohibit e-commerce marketplaces which also provide PA services to continue providing such activities beyond June 30, 2021 and mandate such marketplaces to separate their PA activities from the marketplace business, if they desire to continue conducting PA activities.
To meet the eligibility requirement, existing PAs as on the date of the PAPG Guidelines need to achieve a net-worth of Rs. 15,00,00,000 (Rupees fifteen crore) by March 31, 2021 and a net-worth of Rs. 25,00,00,000 (Rupees twenty five crore) by the third financial year, i.e., on or before March 31, 2023 which shall be maintained at all times thereafter. New PAs need to have a minimum net-worth of Rs. 15,00,00,000 (Rupees fifteen crore) at the time of application for authorisation and shall attain a net-worth of Rs. 25,00,00,000 (Rupees twenty five crore) by the end of the third financial year of grant of authorisation.
The PAPG Guidelines state that the PAs shall be professionally managed, and the promoters of the entity have to satisfy the ‘fit and proper criteria’ prescribed by RBI. However, such criteria are yet to be prescribed. PAs shall have a board approved policy for merchant on-boarding and shall undertake background and antecedent checks before on boarding merchants. PAs will be responsible for making sure that the merchant’s infrastructure is compliant with data security standards as prescribed and does not store any customer card and related data.
Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank, however, an escrow account balance can only be maintained with one scheduled commercial bank at any point of time. Just like the 2009 EPT Directions, the PAPG Guidelines also list out the permissible credits and debits to the escrow account and the timelines for settlement with the merchant, however the timelines and classifications of the settlements are different. Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on a Tp+0 / Tp+1 basis, where ‘Tp’ stands for the date of charge / debit to the customer’s account against the purchase of goods / services. For the final settlement with the merchant by the PA, where the PA is responsible for delivery of goods or services, the payment to the merchant shall be not later than on Ts + 1 basis, where ‘Ts’ is the date of intimation by the merchant to the intermediary about shipment of goods. Where the merchant is responsible for delivery, the payment to the merchant shall be not later than on Td + 1 basis, where ‘Td’ is the date of confirmation by the merchant to the intermediary about delivery of goods to the customer. Where the agreement with the merchant provides for keeping the amount by the PA till expiry of refund period, the payment to the merchant shall be not later than on Tr + 1 basis, where ‘Tr’ is the date of expiry of refund period as fixed by the merchant. PAs are permitted under the PAPG Guidelines to pre-fund the escrow account with their own or the merchant’s funds. However, in the latter scenario, the merchant’s beneficial interest shall be created on the pre-funded portion.
The 2009 EPT Directions do not mandate any authorization from RBI for intermediaries, including the non-bank PAs and PGs. However, the PAPG Guidelines provide that the latter shall require authorization from the RBI. Moreover, the PAPG Guidelines provide that the PAs seeking authorization have to be a company incorporated in India under the Companies Act, 1956 / 2013. No such criterion is expressly specified in the 2009 EPT Directions. The timelines for final settlement of funds with merchants by the PAs are also different under the PAPG Guidelines. The 2009 EPT Directions classifies settlement based on whether the payment was made by the intermediary to the merchant involving transfers to a nodal bank or without such involvement of the nodal bank. The PAPG Guidelines however, mandate the PAs to maintain all amounts which are to be settled in an escrow bank and classifies settlement based on whether the PA or merchant is responsible for the delivery of goods.
The PAPG Guidelines provide for certain ‘Baseline Technology-related Recommendations’ on aspects such as security and information technology systems, information security governance, data security standards, security incident reporting, information technology governance, risk assessments, etc. Apart from the security-related recommendations, certain other recommendations include restrictions on storage of customer card credentials, instructions on storage of payment system data, refunds to be made and authentication of cards. As mentioned earlier, these recommendations are to be mandatorily adopted by PAs but are non-binding on PGs.
A payments bank functions like a bank but operates on a smaller scale and cannot advance loans or issue credit cards. Such banks are registered as public limited companies under the Companies Act, 2013, and licensed under section 22 of the Banking Regulation Act, 1949, with specific licensing conditions restricting its activities mainly to the acceptance of demand deposits and provision of payments and remittance services.
The Guidelines for Licensing of Payment Banks dated November 27, 2014 was issued by the RBI with the objective of furthering financial inclusion by providing: (i) small savings accounts; and (ii) payments/remittance services to migrant labour workforce, low income households, small businesses, other unorganised sector entities and other users.
The Operating Guidelines for Payments Banks dated October 6, 2016 were issued as a need was felt for separate operating guidelines for payments banks, considering the differentiated nature of business and financial inclusion focus of these banks.
The minimum paid-up equity capital for payments banks is Rs.100,00,00,000 (Rupees one hundred crore). Each payment bank is required to have a leverage ratio of not less than 3% (three percent), that is, its outside liabilities should not exceed 33.33 times its net worth (paid-up capital and reserves). The promoter's minimum initial contribution to the paid-up equity capital of such payments bank shall at least be 40% (forty percent) for the first 5 (five) years from the commencement of its business. Foreign shareholding in payment banks is permitted in accordance with the FDI policy for private sector banks. Currently, 74% (seventy four percent) FDI is permitted in private sector banking (which includes payments banks), of which, up to 49% (forty nine percent) is permitted through the automatic route and beyond 49% (forty nine percent) and up to 74% (seventy four percent) is permitted through the government approval route.
As mentioned above, payment banks are not allowed to undertake lending activities. Moreover, such banks are required to invest a minimum of 75% (seventy five percent) of their "demand deposit balances" in Statutory Liquidity Ratio eligible Government securities/treasury bills with maturity up to 1 (one) year. Payment banks must also hold a maximum of 25% (twenty five percent) of their "demand deposit balances" in current and time/fixed deposits with other scheduled commercial banks for operational purposes and liquidity management, apart from amounts maintained as Cash Reserve Ratio with the RBI on its outside demand and time liabilities.
When technology is used to provide a disruptive insurance related service, it is called InsurTech. Some of the leading InsurTech players in India are Acko, Policy Bazaar and Digit Insurance.
The Insurance Regulatory and Development Authority of India (“IRDA”), the insurance regulator in India, has issued a set of guidelines and policies to regulate InsurTech in India. They are:
The Repositories and Electronic Issuance of Policies Guidelines were issued to regulate the functioning of insurance repositories. An Insurance Repository (“IR”) is a company which is licensed by IRDA and maintains records of insurance policies in electronic form on behalf of insurers. The Repositories and Electronic Issuance of Policies Guidelines require every insurer issuing and maintaining ‘e-insurance policies’ to mandatorily utilize the services of an IR and enter into service level agreements with one or more IRs. These guidelines prescribe the eligibility criteria for an entity to function as an IR and mandates every IR to obtain a valid certificate of registration from the IRDA for them to function as an IR. Such certificate shall be valid for a period of 3 (three) years. An IR is tasked with maintaining robust internal monitoring, review and evaluation of systems and controls and ensuring that a review of the controls, systems, procedures and safeguards put in place by the insurance regulator is carried out, at least once a year, by an external system audit firm approved by the IRDA. The IR has to maintain various electronic records, separated insurer wise, such as, records of e-insurance accounts with a unique number, the date of assignment along with particulars of endorsement in insurance policies issued in electronic form, a register and an index of policyholders and their nominees / assignees / beneficiaries in the respective e- insurance policies. Further, various classes of insurance policies shall be held in the electronic form by the IR, including life insurance policies, general insurance policies, etc. Currently, the following IRs operate in India.
The Issuance of e-insurance Policies Regulations makes it mandatory for issuers to issue electronic insurance policies to persons paying certain prescribed annual premiums and insured sums. The regulations provide for different thresholds for annual premiums and sums insured for different lines of businesses which range from pure term, other than pure term, pensions policies, individual health, etc. The insurers may directly issue the policies to the policy holders or issue it through an IR. Such policy holders mandatorily need to have an electronic insurance account. For policies which are directly issued to the policy holders, the issuers also have to issue the policy in physical form, unless it is exempt. The Issuance of e-insurance Policies Regulations further specify the mode of issuing such policies to policy holders, including the physical policies and the requirements for a valid issuance.
Insurance e-Commerce Guidelines enable insurers and insurance intermediaries to set-up Insurance Self-Network Platforms (“ISNPs”) to sell and service insurance policies. ISNP has been defined under these guidelines to mean an electronic platform set-up by any applicant with the permission of the IRDA. The Insurance e-Commerce Guidelines lay down the manner and procedures of grant of permission for establishing an ISNP for undertaking insurance e-commerce activities in India as well as the code of conduct to be adhered to by ISNPs.
The IRDA enacted the Insurance Regulatory and Development Authority of India (Insurance Web Aggregators) Regulations, 2017, with the objective to supervise and monitor web aggregators as an insurance intermediary who maintains a website for providing an interface to the insurance prospects for price comparison and information of products of different insurers and other related matters. Such insurance web aggregators have to obtain a certificate of registration from the IRDA to carry out their activities. Their activities include, inter alia, displaying product comparisons on insurance web aggregator website, selling insurance online or through telemarketing and other such marketing activities.
UPI and BHIM
Unified Payments Interface (“UPI”) is a system that powers multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing & merchant payments into one hood. It also caters to the “Peer to Peer” collect request which can be scheduled and paid as per requirement and convenience.
Bharat Interface for Money (“BHIM”) is a payment application that facilitates simple, easy and quick transactions using UPI. It is possible to make direct bank payments to anyone on UPI using the payee’s UPI ID or by scanning the payee’s quick response (“QR”) code with the BHIM application. A person may request money through the app from a UPI ID.
UPI and BHIM have been developed by the National Payments Corporation of India (“NPCI”), an umbrella organisation for operating retail payments and settlement systems in India. The NPCI is an initiative of the RBI and the Indian Banks’ Association under the provisions of the P&SS Act for creating a robust payment and settlement infrastructure in India.
Considering the utilitarian nature of the objects of NPCI, it has been incorporated as a “Not for Profit” Company under the provisions of section 25 of Companies Act, 1956 (now section 8 of Companies Act, 2013), with an intention to provide infrastructure support to the entire banking system in India for physical as well as electronic payment and settlement systems. The 10 (ten) core promoter banks of NPCI are State Bank of India, Punjab National Bank, Canara Bank, Bank of Baroda, Union Bank of India Limited, Bank of India Limited, ICICI Bank Limited, HDFC Bank Limited, Citibank N. A. and Hongkong and Shanghai Banking Corporation. In 2016 the shareholding was broad-based to 56 (fifty six) member banks to include more banks representing all sectors.
Currently, only banks are allowed to integrate UPI into their online portals or mobile applications for use by their customers. However, banks may tie-up with non-banks for the provision of technology or design or operation of UPI powered payments.
The UPI Procedural Guidelines and the UPI Operating and Settlement Guidelines have been issued by NPCI in October, 2019 and these provide for various requirements that have to be complied with by an entity to participate in UPI as a payment systems provider. The guidelines prescribe, inter alia, the entities who can participate in UPI, such as payment service providers, their roles and responsibilities, permissible transactions that may be carried out by such payment services providers and their liabilities. The guidelines also prescribe rules for settlement of UPI transactions.
A cryptocurrency is a digital or virtual currency that is secured by cryptography, which makes it nearly impossible to counterfeit or double-spend. Many cryptocurrencies are decentralized networks based on blockchain technology—a distributed ledger enforced by a disparate network of computers. A defining feature of cryptocurrencies is that they are generally not issued by any central authority, rendering them theoretically immune to government interference or manipulation.
The RBI has always taken a dim view of cryptocurrencies, termed “virtual currencies” in its circulars. Through public notices issued December 24, 2013, February 1, 2017 and December 5, 2017, the RBI cautioned users, holders and traders of virtual currencies, including Bitcoins, regarding various risks associated in dealing with such virtual currencies. Through a circular dated April 6, 2018, the RBI pronounced that, with immediate effect, entities regulated by the RBI shall not deal in cryptocurrencies or provide services for facilitating any person or entity in dealing with or settling cryptocurrencies (“RBI Circular”). The prohibited services included maintaining accounts, registering, trading, settling, clearing, giving loans against virtual tokens, accepting them as collateral, opening accounts of exchanges dealing with them and transfer / receipt of money in accounts relating to purchase/ sale of cryptocurrencies. Entities regulated by the RBI which were already providing such services were called on to exit the relationship within 3 (three) months from the date of the aforementioned RBI Circular.
The Internet and Mobile Association of India and various crypto exchanges and traders filed writ petitions challenging the RBI Circular on several grounds including, inter alia, that since the RBI Circular forbade banks from extending a range of services to facilitate entities dealing with cryptocurrencies, the virtual currency exchanges would shut down and that there was lack of proportionality in the RBI Circular in that the regulatory action was disproportionate to the goals that such action was seeking to achieve. On March 4, 2020, the Supreme Court of India in the case of Internet and Mobile Association of India v. Reserve Bank of India, struck down the RBI Circular and thereby the curb on cryptocurrency trade in India. The Supreme Court held as follows:
“The position as on date is that VCs are not banned, but the trading in VCs and the functioning of VC exchanges are sent to comatose by the impugned Circular by disconnecting their lifeline namely, the interface with the regular banking sector. What is worse is that this has been done (i) despite RBI not finding anything wrong about the way in which these exchanges function and (ii) despite the fact that VCs are not banned
It is no doubt true that RBI has very wide powers not only in view of the statutory scheme of the 3 enactments indicated earlier, but also in view of the special place and role that it has in the economy of the country. These powers can be exercised both in the form of preventive as well as curative measures. But the availability of power is different from the manner and extent to which it can be exercised. While we have recognized elsewhere in this order, the power of RBI to take a pre-emptive action, we are testing in this part of the order the proportionality of such measure, for the determination of which RBI needs to show at least some semblance of any damage suffered by its regulated entities. But there is none. When the consistent stand of RBI is that they have not banned VCs and when the Government of India is unable to take a call despite several committees coming up with several proposals including two draft bills, both of which advocated exactly opposite positions, it is not possible for us to hold that the impugned measure is proportionate.” (emphasis supplied)
However, even whilst striking down the RBI Circular, the Supreme Court also held that anything that may pose a threat to, or have an impact on, the financial system of the country, can be regulated or prohibited by the RBI, despite the said activity not forming part of the credit system or payment system. Evidently, the RBI failed to convince the Supreme Court that cryptocurrencies pose a threat to or have an impact on the financial system of the country.
P2P Lending Platforms
P2P lending is a type of crowd-funding wherein people who want to borrow money can raise funds through loans from people who want to invest. It may be done through online platforms that match lenders with borrowers to provide unsecured loans. Such form of lending eliminates the need to have financial institutions as intermediaries and provides recourse to borrowers who are unable to obtain credit from financial institutions.
The Master Directions – NBFC – Peer to Peer Lending Platform Directions, 2017 (“P2P Directions”) were issued by the RBI under sections 45IA, 45JA, 45L, and 45M of the Reserve Bank of India Act, 1934 (“RBI Act”), to provide a framework for the registration and operation of non-banking financial companies (“NBFC”) in India which carry on the business of a peer to peer lending platform. A peer to peer lending platform is defined in the P2P Regulations as an intermediary providing the services of loan facilitation via an online medium or otherwise, to persons who have entered into an arrangement with an NBFC-P2P to lend on it or to avail of loan facilitation services provided by it.
The P2P Directions cap the aggregate exposure of a lender to all borrowers across all P2P platforms, at Rs. 50,00,000 (Rupees fifty lac). Further, such investments by lenders through P2P platforms need to be consistent with their net-worth. Any lender investing more than Rs. 10,00,000 (Rupees ten lac) across the P2P platforms has to produce a certificate to such platforms from a chartered accountant certifying a minimum net-worth of Rs. 50,00,000 (Rupees fifty lac).
The aggregate loans taken by a borrower at any point of time, across all P2Ps, are subject to a cap of Rs. 10,00,000 (Rupees ten lac) and the exposure of a single lender to the same borrower, across all P2Ps, shall not exceed Rs. 50,000 (Rupees fifty thousand). The P2P Directions limit the maturity of the loans to 36 (thirty-six) months.
On the lines of the banking ombudsman scheme introduced by the RBI in 1995, in January 2019, the RBI introduced an Ombudsman Scheme for Digital Transactions (“Ombudsman Scheme”) under section 18 of P&SS Act. This scheme came into effect from January 31, 2019. Each ombudsman for digital transactions is a senior official appointed by the RBI to redress customer complaints against System Participants as defined in the Ombudsman Scheme for deficiency in certain services covered under the grounds of complaint specified under clause 8 of the Ombudsman Scheme.
The Ombudsman Scheme defines a ‘System Participant’ as any person other than a bank participating in a payment system as defined under section 2 of the P&SS Act. System Providers are excluded from this definition. A System Provider is defined under the P&SS Act as a person who operates an authorised payment system.
Currently around 21 (twenty one) ombudsmen for digital transactions have been appointed with their offices located mostly in state capitals.
Applicability of NBFC Regulations
An entity which carries on FinTech business may have to be registered with the RBI as an NBFC if it falls within the prescribed criteria.
An NBFC has been defined in section 45I(f) of the RBI Act as follows:
“‘‘non-banking financial company’’ means–
Vide press release 1998-99/1269 dated April 8, 1999, the RBI had announced that in order to identify a particular company as an NBFC, it will consider both, the assets and the income pattern as evidenced from the last audited balance sheet of the company to decide its principal business. The company will be treated as an NBFC if its financial assets are more than 50% (fifty percent) of its total assets (netted off by intangible assets) and income from financial assets is be more than 50% (fifty percent) of the gross income. Both these tests are required to be satisfied as the determinant factor for principal business of a company. This is also referred to as the “asset income” test.
The “asset income” test has been reiterated by the RBI in a notification issued by the RBI dated October 19, 2006 titled “Amendment to NBFC regulations - Certificate of Registration (CoR) issued under Section 45-IA of the RBI Act, 1934 – Continuation of business of NBFI - Submission of Statutory Auditors Certificate – Clarification”.
In terms of section 45-IA of the RBI Act, no NBFC can commence or carry on business of a non-banking financial institution without: (a) obtaining a certificate of registration from the RBI and without having a net owned fund of Rs. 25,00,000 (Rupees twenty five lac) and not exceeding Rs. 100,00,00,000 (Rupees one hundred crore). However, in terms of the powers given to the RBI, to obviate dual regulation, certain categories of NBFCs which are regulated by other regulators are exempted from the requirement of registration with RBI. Thus, an InsurTech business, which is regulated by the IRDA, does not have to be registered with the RBI.
Anti-Money Laundering Laws and KYC
In keeping with global moves to fight the laundering of proceeds of crime, drug sales and other forms of dirty money, India enacted the Prevention of Money Laundering Act, 2002 (“PMLA”) and the PMLR, which came into effect from July 1, 2005. The PMLA and PMLR impose obligations on banking companies, financial institutions and intermediaries to verify the identity of clients, maintain records and furnish information in a prescribed form to the Financial Intelligence Unit - India (“FIU-IND”). FIU-IND was set by the Government of India vide an office memorandum dated November 18, 2004 as the central national agency responsible for receiving, processing, analysing and disseminating information relating to suspect financial transactions. FIU-IND is also responsible for coordinating and strengthening efforts of national and international intelligence, investigation and enforcement agencies in pursuing the global efforts against money laundering and financing of terrorism. FIU-IND is an independent body reporting directly to the Economic Intelligence Council (“EIC”) headed by the Indian Finance Minister.
The Master Direction on KYC dated February 25, 2016 (“KYC Master Directions”), issued by the RBI, applies to all “Regulated Entities”, which is defined by regulation 3(b)(xiii) of the KYC Master Directions to include, inter alia, all Payment System Providers (“PSPs”)/ System Participants (“SPs”) and Prepaid Payment Instrument Issuers (“PPI Issuers”). The KYC Master Directions require all Regulated Entities to implement a KYC policy, a customer acceptance policy and a risk based approach for risk management.
Regulated Entities are required to undertake identification of customers: (i) at the time of commencement of an account-based relationship with the customer; (ii) when carrying out any international money transfer operations for a person who is not an account holder of the bank; (iii) when there is a doubt about the authenticity or adequacy of the customer identification data it has obtained; (iv) selling third party products as agents, selling their own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for more than Rs. 50,000 (Rupees fifty thousand); (v) carrying out transactions for a non-account-based customer, that is a walk-in customer, where the amount involved is equal to or exceeds Rs. 50,000 (Rupees fifty thousand), whether conducted as a single transaction or several transactions that appear to be connected; (vi) when a Regulated Entity has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of Rs. 50,000 (Rupees fifty thousand).
Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) permitted private companies to use aadhaar to establish the identities of individuals. Further, the Aadhaar (Authentication) Regulations, 2016, ("Aadhaar Regulations") permitted an entity that was authorised to use e-KYC authentication facilities under the Aadhaar Regulations to share the e-KYC data of the holder of the aadhaar number with other entities for a specified purpose, subject to the consent of the concerned individual having been obtained. Many Fin-Tech companies that had online operations were reliant on the OTP based e-KYC in order to comply with the requirement of the customer identification process, which was recognised under the Aadhaar Act 2016 and the KYC Master Directions.
On September 26, 2018 the Supreme Court of India in the case of Justice Puttaswamy (Retd.) v. Union of India, (“Aadhaar Case”) struck down parts of the Aadhaar Act that permitted the use of an individual’s aadhaar number to establish the identity of such individual for any purpose by private businesses. As a result of this judgement, companies are no longer able to use the authentication facilities authorized under the Aadhaar Regulations.
In the Aadhaar Case, while striking down a part of section 57 of the Aadhaar Act 2016 as violative of the fundamental right to privacy of individuals to the extent it allowed any company or any person to use the aadhaar numbers to establish the identity of individuals for any purpose pursuant to a contract, the Supreme Court observed as follows:
“Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.” (emphasis supplied)
Post the Aadhaar Case, FinTech companies have been developing innovative methods for onboarding new customers without aadhaar based authentication. While some companies have started using video-based authentication that uses government issued identifications like PAN cards, drivers licenses and passports with further innovations underway, others have been using selfie-based identification through mobile phones. Through these new methods of customer authentication, the costly route of physical verification has been avoided. For instance, a peer to peer lending platform developed a video-based customer authentication application through which the ‘liveliness test’ of a customer could be obtained. At the end of the loan approval process, the camera in the applicant's phone or laptop prompts the customer to read the displayed writing. If the customer is able to read the writing, the application matches the video with the applicant's photograph and draws a conclusion about the identity of the person. Similarly, some companies in the digital lending space have developed a video-based solution that uses PAN cards to verify the genuineness of customers. An applicant is prompted to move their head right or left, hold their PAN card and read out their PAN card number while the application in the phone or laptop records the process.
The Unique Identification Authority of India (“UIDAI”) a statutory authority established under the Aadhaar Act 2016 has introduced an offline QR code for aadhaar that holds users’ non-sensitive details and the user is not required to share their aadhaar number, biometrics or mobile number with private entities.
Regulatory Sandbox for FinTech
A sandbox is a safe environment where parents let their children play without the fear of them getting hurt. In order to encourage innovation in FinTech, the RBI has facilitated the establishment of a FinTech sandbox where banks and FinTech players can experiment with innovative financial products or services or newly developed technologies for a specific duration and within safe boundaries. Within a sandbox, the characteristics exhibited by the production environment are mimicked on a real-time basis, generating responses from all the systems that such a product or application would interface with. Appropriate safeguards would be in place to help contain the consequences of any failure.
RBI had issued an Enabling Framework for Regulatory Sandbox dated August 13, 2009 (“RS Framework”). As per the RS Framework, the entities eligible to participate are FinTech companies, including start-ups, banks, financial institutions and any other company partnering with or providing support to financial services businesses. The regulatory sandbox is meant to be a medium to encourage innovations intended for use in the Indian market in areas where: (i) there is an absence of governing regulations; (ii) there is a need to temporarily ease regulations for enabling the proposed innovation; and (iii) the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.
The RS Framework provides an indicative list of innovative products, services and technology which could be considered for testing under the regulatory sandbox:
The RS Framework also provides an indicative negative list of products, services and technologies which may not be accepted for testing under the rules, such as:
Regulatory Sandbox for InsurTech
The IRDA notified the Insurance Regulatory and Development Authority of India (Regulatory Sandbox) Regulations, 2019 (“IRDAI RS”) on July 26, 2019 with the objective of striking a balance between the orderly development of the insurance sector on one hand and the protection of interests of policyholders on the other, while at the same time facilitating innovation. The IRDAI RS, which shall be in force for a period of 2 (two) years from the date of its publication in the official gazette, allows an applicant to seek permission from IRDAI for promoting or implementing innovation in insurance sector in the following:
The IRDAI RS also prescribes the procedure for making such applications to the IRDA as well as the conditions for granting such permission to applicants.
This paper has been written by Vinod Joseph (Partner), Deeya Ray (Associate) and Protiti Basu (Associate).Download Pdf
 Writ Petition (Civil) No.528 of 2018 with Writ Petition (Civil) No.373 of 2018
 Writ Petition (Civil) No. 494 OF 2012
11, 1st Floor, Free Press House
215, Nariman Point
Mumbai – 400021
9 – 10 Bahadur Shah Zafar Marg
Delhi – 110002
68 Nandidurga Road
Bengaluru – 560046
3rd Floor, 27B Camac Street
Kolkata – 700016
Ahmedabad – 380054
The rules of the Bar Council of India do not permit advocates to solicit work or advertise in any manner. This website has been created only for informational purposes and is not intended to constitute solicitation, invitation, advertisement or inducement of any sort whatsoever from us or any of our members to solicit any work in any manner. By clicking on 'Agree' below, you acknowledge and confirm the following:
a) there has been no solicitation, invitation, advertisement or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
b) you are desirous of obtaining further information about us on your own accord and for your use;
c) no information or material provided on this website is to be construed as a legal opinion and use of this website will not create any lawyer-client relationship;
d) while reasonable care has been taken in ensuring the accuracy of the contents of the website, Argus Partners shall not be responsible for the results of any actions taken on the basis of information provided in this website or for any error or omission in the website; and
e) in cases where the user has any legal issues, the user must seek independent legal advice.