Taking forward the objective of financial inclusion as a prime motivation for development of FinTech in India, 2019 saw significant advances in the FinTech sector. Perhaps more importantly, these advances have been broad ranging, spanning the innovation, product design and implementation, investment and regulatory fronts.
The RBI’s vision statement for the years 2020 and 2021 echoes the above and seeks to spur digital payment technologies in India (Payment and Settlement Systems in India: Vision 2019-2021, released by the RBI on May 15, 2019). Even in a recent report on financial inclusion prepared by RBI in consultation with all financial sector regulators in India, the focus is on ensuring delivery of financial services by leveraging FinTech, including by encouraging increased adoption of digital payment systems (National Strategy for Financial Inclusion, released by the RBI on January 10, 2020). Further, on the global investment front, while 2019 saw fewer number of mega-deals as compared to 2018, PE/VC funding for FinTech entities (particularly start-ups in India) as well as global expansion of FinTech players was consistent through 2019 and is expected to continue for the foreseeable future (Report on the Pulse of FinTech, released by KPMG in July, 2019).
In India, there have been several noteworthy developments in FinTech to address varied concerns with financial inclusion, led by a range of players. For instance, financial sector regulators have constituted various committees to study the possible impact of FinTech on furthering the financial inclusion agenda. Through the course of the year, regulators have also set up framework or sought public comments on regulatory sandboxes for development of FinTech and InsurTech. These developments on the regulatory front have given a fillip to both traditional players such as banking companies as well as new entrants such as FinTech start-ups, to participate in the growth of FinTech in India.
Similarly the recently introduced draft framework to set up a pan-India umbrella entity to set up, manage and oversee new payment systems, particularly in the retail space, is also a marker of the growth of FinTech in India and regulators’ inclination to nudge further development in this space.
In this overview, we seek to explore a few specific areas that have seen growth in India over the past few years. We have selected these areas owing to the different regulatory approaches contemplated in relation to them and the continuous development witnessed. Part I deals with the current status of peer-to-peer lending in India, which has seen high growth in India particularly in the unsecured consumer lending space. Part II focuses on robo-advisory and its challenges in India. Part III discusses the New Umbrella Entity, which aims to manage and operate the retail payment systems in order to curb the monopoly of National Payments Corporation of India Limited in digital repayment systems. Part IV focuses on cryptocurrencies and the legal framework around them in India. Part V deals with the interplay of technology and financial regulation, specifically in areas of data protection and data localisation. Of special importance in this regard is the regulatory flux on data localisation. Part VI focuses on the development of technology-enabled customer identification and verification processes in India, including the interplay with Aadhaar.
PART I – PEER TO PEER LENDING
1. Business model and regulatory framework
(a) Peer to Peer Lending (“P2P Lending”) platforms are intermediaries providing loan facilitation services, either online or otherwise to lenders and borrowers. P2P Lending has the potential to improve access to finance especially for small and medium sized enterprises which are otherwise usually declined credit from banks due to their risk portfolios.
(b) Fundamentally, P2P Lending platforms operate as intermediaries and are prohibited from undertaking any lending activities themselves or holding any funds of their participants (lenders or borrowers) on their books. Towards this end, the movement of funds occurs through an escrow mechanism.
(c) Legal recognition of this sector in 2017 by the Reserve Bank of India (“RBI”) has led to the growth of P2P Lending platforms and this consequently enabled lending at competitive rates. These P2P Lending platforms are governed by the RBI as non-banking financial companies (“NBFCs”). Additionally, it may be noted that P2P Lending platforms that operate solely as service providers to banks or NBFCs etc., are not treated as P2P Lending platforms.
2. Regulatory challenges
(a) The restrictive regulatory framework for P2P Lending platforms has distorted the level playing field between P2P Lending platforms and traditional lenders, and blocked significant revenue streams for P2P Lending platforms. This also prevents cost efficiencies for P2P Lending platforms - thus precluding both innovation and competition.
(b) While P2P Lending platforms are not permitted to lend off of their own balance sheets, the regulatory requirement of minimum net-owned fund of INR 20 million has increased costs for the businesses.
(a) The legal recognition of this sector has encouraged setting up of more P2P Lending platforms and consequently enabled lending at competitive rates. However, stricter supervision of such P2P Lending platforms has stifled their growth. Given that this sector in India is still nascent it requires a more “light touch” regime to allow flexibility to evolve further.
PART II – ROBO-ADVISORY SERVICES
1. Business models and features
(a) Robo-advisors are wealth management companies providing automated support for all financial advisory services without any human intervention. Robo-advisory companies collect and analyse customer information such as financial background of consumers, existing investments and other historical data. Based on this information, robo-advisory companies generate consumer profiles, recommend suitable investments/financial products and provide other financial advice, including, inter alia, tax benefits and retirement planning.(b) Robo-advisors assist investors in determining the probability of achieving their investment goals by analysing customised information provided by the investor, for instance the investor’s financial health, risk appetite and investing experience. The portfolio of the consumers may be rebalanced based on changes in circumstances, including movement in the financial market. Consumers are usually able to view their current and past investments and related transactions on the robo-advisory platform.
2. Growth of robo-advisory firms and implementation issues
(a) The Indian robo-advisory market is expected to have a double-digit growth rate in the upcoming few years (Report on the expansion of Robo-Advisory in Wealth Management released by Deloitte in August, 2016). Additionally, numerous wealth management firms and other financial institutions are also expected to unveil their robo-advisory business. Increasing internet penetration and the rapid rate at which technology is being adopted have been the key factors for the growth of robo-advisory services in India.
(b) In India, there are no separate regulations for robo-advisors. However, the capital markets regulator, Securities and Exchange Board of India (“SEBI”) in a consultation paper dated October 7, 2016, noted that under the current investment advisor regulations, there is no express prohibition for use of automated advice tools by SEBI registered investment advisors. Accordingly, robo-advisors will be governed within the ambit of their regulation as investment advisers.
(a) It is pertinent to note that robo-advisors merely assist investors in achieving their investment goals and to that extent it is purely an algorithmic advice being rendered to the investors and without any guarantee. Additionally, robo-advisory companies only render advice based on data analysis of the investment objectives, risk appetite, etc. of the client. Automation of the order execution mechanism and enablement of a one-touch solution that would allow the client to seamlessly implement the advice by placing trading instructions, would require further regulatory innovation.
(b) Additionally, SEBI in its consultation paper dated October 7, 2016 has recommended that investment advisory firms using automated tools must ensure certain compliance requirement, inter alia including (i) ensuring that automated tools used are fit for the purpose; (ii) robust systems and control in place to ensure any advice made using the automated tools is in the best interest of the client; and (iii) comprehensive system audits are put in place.
PART III - NEW UMBRELLA ENTITY (“NUE”)
1. What is NUE?
(a) In order to curb the monopoly of National Payments Corporation of India (“NPCI”) in digital repayment systems, the RBI has proposed to set up New Umbrella Entity (“NUE”) to manage and operate new payment systems in the retail space.
2. Scope of the activities of NUE
The proposed NUE is to undertake and perform a range of activities which will include:
(a) Setting up, managing and operating a new retail payment system by establishing ATMs, white label PoS, providing Aadhaar based payments and remittance services, developing new payment methods, standards and technologies, monitoring the issues pertaining to the payment system nationally and internationally, taking initiatives to increase awareness of alternative payment systems etc.
(b) Operating clearing and settlement systems, identifying and managing relevant risks pertaining to settlement, credit, liquidity and operations and preserving the integrity of the system, monitoring developments in the retail payment systems and all the related issues nationally and internationally to prevent frauds and contagions that may have an adverse effect on the economy and the system.
(c) Fulfilling its policy objectives and ensuring that principles of fairness, equity and competitive neutrality are applied in determining participation in the system, framing necessary rules and guidelines with processes to ensure a safe and sound system for efficient payment system.
(d) Carrying out any other business which may further strengthen the ecosystem of retail payments in the country.
3. Eligibility for NUE
(a) It has been proposed by the RBI that the NUE will be owned and controlled by Indian residents and may be a for-profit or not-for-profit entity as per the Companies Act, 2013.
(b) Entities applying as promoter/promoter group will be owned and controlled by Indian residents.
(c) The minimum paid-up capital and net worth of the NUE will be INR 5 billion and INR 3 billion respectively, at all times.
(d) The promoters will have to make an upfront contribution of at least 10% of the paid-up capital, i.e. INR 500 million subject to a maximum contribution of a single promoter to the extent of 40% in the capital of NUE.
(e) After five years of commencement of business of the NUE, the promoter shareholding will be diluted to 25% of the capital of NUE.
(f) Fit and proper: the promoter or promoter group must:
i. possess financial integrity, honesty, and good reputation and character, under the ‘fit and proper’ guidelines of the regulator;
ii. not be convicted by any court of moral turpitude, or economic offences;
iii. not have been barred from accessing the financial system by any regulator;
iv. be financially and mentally sound and should not have been declared financially insolvent; and
v. have a past record of sound credentials and integrity.
(a) The NPCI has grown in the scale and scope of its operations, offering multiple payment systems and products. By virtue of the numerous payment systems that it operates, NPCI has emerged as a systemically important payment system entity. NUE offers similar products as NPCI, which will address issues regarding concentration risk, and encourage competition and innovation, thus contributing to the financial stability of the digital economy. By offering alternative digital retail payment systems to consumers, the NUE would help in enhancing the reach of digital payments to a larger number of people and thereby reduce the dependency on cash.
PART IV - REGULATION OF CRYPTOCURRENCY
1. Legal Background and Regulatory Updates
(a) The legal framework with respect to virtual currencies in India is restrictive. Historically, the RBI has issued several press notes and notices to holders of, and dealers in, virtual currencies cautioning against their unclear legal status, their “speculative” nature and the money laundering risks that may result from their usage.
(b) In April 2018, the RBI passed a notification prohibiting all entities regulated by it (which include banks, NBFCs, payment system operators and other intermediaries) from dealing in, or providing services to, “any person or entity dealing with, or settling” virtual currencies. The absence of a clear definition of virtual currencies, and the inclusion of a restriction prohibiting the transfer or receipt of money in accounts “relating to the purchase or sale” of virtual currencies has led to much ambiguity in interpretation and implementation by the industry.
(c) Various petitions challenging the RBI notification have been filed before the Supreme Court of India. While the Supreme Court has declined to grant any interim relief staying the notification, it has reportedly required that comprehensive legislation governing the area be passed in a time bound manner.
(d) During the course of last year, a high level inter-ministerial committee proposed a draft ‘Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019’ (“Draft Cryptocurrency Bill”). The Draft Cryptocurrency Bill defines cryptocurrencies as “any information, code, or token which has a digital representation of value and has utility in a business activity, or acts as a store of value, or a unit of account”.
(e) The Draft Cryptocurrency Bill proposes to ban mining, trading, holding, issuance or disposal of cryptocurrencies in India and imposes monetary as well as penal consequences (imprisonment up to 10 years) for violation. However, usage of technology underlying cryptocurrencies for experiment, research or teaching has been permitted.
(f) The Draft Cryptocurrency Bill also proposes to introduce an ‘official digital currency’ wherein RBI may issue the Indian Rupee in a digital format and recognize certain foreign digital currencies as well. While there were indications that the Draft Cryptocurrency Bill would be introduced during the last year, the Government has not provided a timeline yet for the introduction of the Draft Cryptocurrency Bill before the Parliament.
(a) The regulatory environment for cryptocurrencies in India continues to be adverse. For instance, in its ‘Report on Enabling Framework for Regulatory Sandbox’ dated August 13, 2019, cryptocurrencies were specifically excluded from the ambit of regulatory sandboxes.
(b) Clearly delineating the nature and extent of activities proscribed under regulation, and providing clear guidance to regulated entities will be of essence to ensure the effective regulation of cryptocurrencies and avoid a chilling effect on adjacent areas of innovation, including the blockchain and distributed ledger technologies.
PART V – DATA PROTECTION AND DATA LOCALIZATION
1. Data Protection - Legal and Regulatory Background
(a) During the last two years, there have been a series of legislative and judicial developments which propose to usher in a fundamental shift in data privacy and data protection laws in India. The Government of India set up a committee of experts to provide a report on formulating a comprehensive personal data protection regime. The committee held wide public consultations and submitted a report along with a draft personal data protection bill in July, 2018 (“Draft Bill”). In December, 2019, the Government has tabled the PDP Bill before the Lok Sabha. The PDP Bill has been referred to a joint parliamentary committee for further review. The joint parliamentary committee is currently seeking public views and suggestions on the PDP Bill.
(b) The PDP Bill proposes to extend to all processing of personal data within India, of Indian persons (natural, State or corporate) and processing of data outside India, if it is in relation to services in India. The PDP Bill proposes a consent based, data principal (person whose data is being collected) centric approach, wherein data fiduciaries (entities collecting and processing the data) have significant obligations on transparency and accountability for collection and processing of personal data, other than limited exceptions on grounds such as employment, medical, health and public emergencies; and reasonable purposes (as may be specified by regulations), manual processing by small entities, research, archiving and statistical purposes.
(c) The PDP Bill categorizes data into personal data, sensitive personal data and critical personal data. Financial data, including any number or other personal data used to identify any account or payment instrument issued by a financial institution to a data principal or any personal data indicating a relationship between a financial institution and data principal including financial status, credit history, debit or credit cards would be considered to be sensitive personal data for the purposes of the PDP Bill.
(d) The PDP Bill affords specific exemptions to processing of personal data in relation to financial data. It allows the Data Protection Authority (“DPA”) to make regulations to allow processing personal data for reasonable purposes including credit scoring, prevention and detection of unlawful activity including fraud, debt recovery without having to obtain consent from the Data Principal. Further, the PDP Bill also provides for a sandbox to encourage innovation in artificial intelligence, machine-learning or other emerging technology in public interest. Businesses may utilize this as part of their business processes.
(e) The DPA is empowered to exempt processing of personal data necessary for research, archiving and statistical purposes if it meets specified criteria. FinTech companies engaged in the aforementioned activities may take advantage of the exemption as and when the DPA operationalizes such exemption.
(f) Data principals have various rights, such as ability to opt in or opt out of specific grounds of processing, right to access, review and modify their personal data and the right to erasure under certain circumstances. The PDP Bill also requires enhanced and granular consent requirements for processing sensitive personal data (which includes financial information, health data, biometric data, genetic data, faith or intersex data) and critical personal data (to be defined).
(g) Upon enactment, business will need to reimagine their existing data privacy structures and internal policies to comply with the requirements. The realignment will have to be carried out at two levels.
(h) Firstly, based on the nature of personal data being processed, businesses will have to determine the contents of the consent notices and determine the grounds of processing including the ability to transfer and process data outside India. Secondly, based on turnover, sensitivity of data being collected or any other parameters as may be specified by the Government, data fiduciaries may be categorized as significant data fiduciaries, guardian data fiduciaries or social media intermediaries all of which have certain specific and enhanced requirements such as conducting data impact assessment, data audits, prior consent from guardians and appointment of data protection officer (to be based out of India).
(i) Unlike the implementation of the GDPR, the PDP Bill does not propose a phased implementation. If enacted in the current form, businesses will be required to be ready and geared towards achieving compliance with immediate effect. This may be particularly difficult in light of requirements such as data localization given the substantial investment of resources required for compliance. Further, the uncertainty around the operation and intent of the clauses would further cause uncertainty given that sizeable operative portions of the PDP Bill are dependent upon codes of practice, regulations and guidance provided by the DPA.
(j) The PDP Bill also enables the Government of India to requisition anonymized personal data or non-personal data from a data fiduciary for broad purposes of formulating evidence based policies or better targeting of delivery or services. The requisition of non-personal data may have challenges with regards to confidential data or trade secrets of businesses being compulsorily requisitioned by the Government.
(k) While the PDP Bill is a welcome step towards implementing a structured and comprehensive data protection legislation in India, there are certain challenges that remain ahead for companies in the FinTech sector.
(l) Given that financial data is considered ‘sensitive personal data’ for the purposes of the PDP Bill, FinTech businesses may be required to comply with stringent obligations under the PDP Bill including restrictions on cross-border transfer, data localization and meeting consent requirements. Further, if the volume of such sensitive personal data is higher and/or such data is processed using new or innovative technologies, such businesses may be classified as Significant Data Fiduciaries and may be subject to compliance of a significantly high threshold including conducting data protection impact assessments, data audits, appointment of a data protection officer etc.
(m) The PDP Bill does not provide sufficient guidance on treatment of historic data collected prior to enactment of the PDP Bill. In light of a lack of a bright-line standard for anonymization, businesses will need to prepare by relying on globally accepted standards and anonymize existing personal data being processed or warehoused.
(n) Overall, the PDP Bill is a step in the right direction and once enacted will have the distinction of being one of the most comprehensive data protection regimes governing the largest cross section of individuals across the world. The implementation of the PDP Bill should be carefully calibrated to ensure minimal disruption to business by providing adequate guidance and time for implementing the requirements.
2. Overview of Data Localization Requirements
(a) In recent years, India has witnessed an increasing regulatory trend for the localization of data. This trend has been led by directions from key financial regulators such as the RBI, Insurance Development Regulatory Authority and Ministry of Corporate Affairs.
(b) The draft National E-Commerce Policy which was published on February 23, 2019 seeks to treat data generated in India as a national asset and proposes to impose restrictions on cross-border data flow. It proposes a restriction on the transfer outside India of certain types of data including data collected by internet-of-things devices installed in public spaces, data generated by users in India on e-commerce platforms, social media websites and search engines. Legislative action by the Parliament would be required before any of the recommendations in the Policy can come into effect.
(c) Further, the Government has proposed a slew of laws seeking to expand the types and categories of data-sets that are required to be localized in India. For example, the Personal Data Protection Bill, 2019 (“PDP Bill”) provides that sensitive personal data is required to be stored in India at all times and such data can only be transferred outside India for processing upon obtaining explicit consent of the data principal and fulfilling certain additional conditions specified in the PDP Bill. Furthermore, a specific category of personal data classified as critical personal data (to be notified as such by the Central Government) can only be processed in India.
(d) The notification on Storage of Payment System Data dated April 6, 2018 issued by the RBI (“Notification”) requires storing data relating to payment systems only in India. The Frequently Asked Questions (“FAQs”) to the Notification further clarified that the requirement extends to storing all end-to-end transactional data including customer related data, payment related data, payment credentials and transaction data. The clarification pursuant to the same provided that: (a) data may also be stored abroad in case of cross-border payment transactions; and (b) data may be processed outside India, however, such data must be deleted brought back to India subsequent to processing no later than 1 (one) business day or 24 (twenty-four) hours from processing, whichever is earlier.
(e) Following the general trend towards localization, the proposed Information Technology Intermediaries Guidelines (Amendment) Rules, 2018 requires that all intermediaries with more than 5,000,000 (five million) users, and other notified intermediaries be incorporated under Indian laws, have an office in India and appoint people for round-the-clock coordination with law enforcement agencies. While this amendment has received significant criticism, it is demonstrative of the Government's intent to push towards data and (in this case) entity localization. The Government has also set up a committee to examine and recommend a comprehensive regulation for non-personal data.
PART VI - RECENT DEVELOPMENTS IN AADHAAR BASED E-KYC
1. Legal Background and Regulatory Updates
(a) The regulatory landscape surrounding the use of Aadhaar numbers for KYC compliance has witnessed dramatic changes in the recent years. In a recent judgment (Justice Puttaswamy v. Union of India, (2019) 1 SCC 1) (“Judgment”) the Supreme Court has read down specific provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) resulting in private entities being prohibited from performing Aadhaar based e-KYC authentication. Further, the Judgment required banking entities to perform Aadhaar authentication only if it is for granting of a subsidy or benefit under the Aadhaar Act or if sanctioned by law. This resulted in private entities resorting to more traditional means of complying with KYC requirements to on-board customers, resulting in undue delay. Subsequently, the Unique Identification Authority of India (“UIDAI”) introduced the offline verification process to facilitate KYC of Aadhaar number holders pursuant to the requirements of the Judgement.
(b) The amendments to the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (“PMLR”) have brought in much-needed comfort to reporting entities (“RE”). First, they were allowed to perform authentication if they were notified under the Notification of the Ministry of Finance dated May 9, 2019 (“MoF Notification”). However, such notified REs were required to store Aadhaar numbers in data vaults in accordance with the circular of the UIDAI dated July 25, 2017. If REs were not notified, they could use offline verification or proof of possession of Aadhaar for KYC compliance. The RBI Master Direction – Know Your Customer (KYC) Direction, 2016 (“KYC-MD”) was amended on January 9, 2020 to align the same in line with the PMLR.
(c) Additionally, with an aim to provide simpler and a more-efficient KYC compliance to REs which were not notified under the MoF Notification, the Digital KYC process was introduced through the amendments in the PMLR. This process enabled simpler and digital on-boarding of customers; however, it required a physical touch-point for completion of the KYC process. Subsequently, amendments to the KYC-MD introduced the live video-customer identification process (“V-CIP”) to establish an account based relationship through collection of documents, recording of video and capturing of photograph as illustrated in detail as part of the KYC-MD and removed the physical touchpoint obstacle.
With the Reserve Bank of India seeking to achieve the vision of ‘empowering every Indian with access to a bouquet of e-payment options that is safe, secure, convenient, quick and affordable’ by 2021, ‘retail payments’ will continue to be the buzz word in the FinTech space for a while to come (Payment and Settlement Systems in India: Vision 2019-2021). Innovation in the FinTech space, especially on retail payments is bound to persist. Increased focus on data usage, cyber security and privacy, considering its intrinsic link to FinTech offerings, will become imminent.
Financial products that offer B2C and B2B solutions and are tailor made for specific sectors seem to be a promising area for development given the focus of the regulator to increase access to credit in the SME and the MSME sector.
One of the factors that makes India an exciting market to offer digital products is the swiftness with which markets adopt new technology and products offered through digital platforms; to illustrate India is ranked 28th in the Government E-payments Adoption Ranking, 2018. Perhaps, this is a function of the lack of access to traditional banking systems against ease of access to financial services delivered by FinTech entities. Effective financial literacy will become key to ensure maturity and deepening of the financial market and will be the key indicator of true financial inclusion.
The willingness and enthusiasm of traditional banking players to integrate with the incoming FinTech players is encouraging and indicates favourably towards the trend to modernizing and digitizing financial products and services. That being said, the prohibition on virtual currencies and reluctance on readily permitting virtual banks/‘neobanks’ seem like they are here to stay.