Changes in KYC and Outsourcing regimes, more scrutiny on lending, signals from RBI's Annual Report and more...
01 June 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari. We have a double edition this month, covering developments from April and May, so let’s dive in! (Thank you to Drishti Ranjan, who helped us with the April edition!)
Amendments to KYC Master Directions, KYC for gaming companies, RBI tags non-face to face customers as high risk
The Reserve Bank of India (RBI) notified the amendments to the KYC Master Directions on April 28th to align with the Prevention of Money Laundering Act and Weapons of Mass Destruction Act. Here are the highlights:
The amendments introduce enhanced due diligence for non-face to face customers (such as C-KYC (Centralised KYC), Digilocker verification), which include obtaining current address proof, and verifying this via positive confirmation before allowing operations in the account (such as providing an address verification letter or contact point verification).
These customers also need to be automatically categorised as high risk, and their accounts subjected to enhanced monitoring. This is a notable development, given that the C-KYC Registry was touted as a less cumbersome and inexpensive method to conduct KYC. We wonder if this is likely to significantly increase the adoption of video KYC as the go-to method.
For accounts opened in non-face to face mode using Aadhaar OTP based eKYC, Regulated Entities (REs) need to ensure that transaction alerts, OTPs and other communication is only delivered to the mobile number linked with the customer’s Aadhaar.
REs cannot permit the use of alternate mobile numbers after the due diligence process to prevent fraud, and need to ensure that the first transaction in these accounts is a credit from an existing KYC-compliant bank account of the customer, with the PAN number of the customer verified. There is ambiguity on the exact requirement here, and whether this means (i) that an RE needs to verify whether KYC has been completed of the originating account for this first transaction, and use C-KYC to verify this, or (ii) that an RE can assume that KYC is completed for an operating bank account and use existing processes such as bank account verification to validate this.
The threshold for disclosure of Beneficial Ownership has decreased from 25% and 15% for companies and trusts, to 10%. Additional due diligence and documentation will be needed for trusts, companies and partnership firms.
During the development of new products/technologies/business practices, REs need to evaluate the money laundering and terrorist financing implications as well, adopting a risk based approach and transaction monitoring. This is also likely to impact service providers in partnership with REs for these new technologies and products.
For Video based Customer Identification (V-CIP), REs need to ensure that data remains with them and not with service providers either in their systems or on the cloud.
REs need to lay down principles for risk categorisation of customers, accounting for types of transactions, type of products/ services offered, delivery channel used for delivery of products/ services, and geographical location.
The RBI also suggests that REs could use AI/ML based innovations for ongoing due diligence.
REs, banks, and financial institutions need to ensure that wire transfers contain complete information about the originator and beneficiary to prevent them from being used as a channel for money laundering and terrorist financing. For domestic transfers, this applies to transfers of ₹50,000 and above, where the originator is not an account holder of the ordering RE.
Overall, this signals tighter scrutiny on REs’ compliance with KYC norms and implementing robust practices to ensure this (we covered recent regulatory action on this here and below), and will also open opportunities for fintechs providing KYC and verification services by adding features which help REs comply with these amendments (in addition to increased monitoring by the REs availing of these services).
It’s worth noting another KYC related development in April which creates opportunities in this space - the notification of the amendments to the IT Rules to cover ‘online gaming intermediaries’ (which we covered here, and the notification can be found here), which mandate that online gaming intermediaries accepting any deposits in cash or kind need to verify user identity as per the RBI's KYC norms for the commencement of an account based relationship, and display this to users clearly. This is definitely a process overhaul for real money gaming and payment related functionalities within online gaming apps, namely in-app purchases, PPIs used for gaming apps and withdrawal of winnings.
RBI notifies the Outsourcing Directions
As mentioned in our previous issue, the RBI has notified the final Master Directions on Outsourcing of Information Technology Services, which will come into effect on October 1st, 2023. These directions will be crucial to the arrangements between REs such as banks and NBFCs, and technical service providers (TSPs). Here are the key takeaways from our review:
Overall, there will be strict oversight by REs into outsourcing service providers, and a review of existing contractual arrangements to address the criticality of the outsourced task, associated risks, and strategies for mitigating or managing them. Cross border outsourcing will require a detailed review of the jurisdiction where the service provider is based.
REs also need to ensure that a risk based approach is adopted for due diligence on service providers on an ongoing basis, taking into account financial, operational, legal, and reputational factors as well as market feedback. This could significantly affect onboarding processes and increase monitoring of TSPs. The directions focus heavily on infosec and cybersecurity requirements, which will necessitate review by TSPs to ensure readiness.
Final accountability will lie with REs - with detailed provisions on grievance redressal, roles of management and the board, policies to be formulated, and requirements for inter-group outsourcing. A consequence of this would be strict reporting frameworks implemented with service providers, to ensure that REs have constant visibility on any outsourced activities as well as scrutiny during exit and transition periods.
Cloud computing services are now subject to increased scrutiny, with a separate schedule detailing the requirements to be followed when engaging a cloud service provider (CSP) - we are curious how this would affect current engagements with major CSPs, where self-service onboarding is the norm, legal agreements cannot be negotiated, and provisions such as audit requirements are not included.
Helpfully, the services which are not considered outsourcing are also listed - such as Business Correspondent services, external audit services and off-the-shelf products.
The RBI has also provided an indicative list of entities which are not considered third party service providers under these directions - notable additions to this list are Payment System Operators (which would include Payment Aggregators) and partnership based fintech firms such as those providing co-branded applications (this would be considered outsourcing of financial services and not IT services). The list also excludes services of fintechs for data retrieval, data validation and verification services such as bank statement analysis, GST returns analysis and digital document execution - which should come as a big relief for fintechs engaged in providing data based insights to REs, an increasingly growing space.
With the increasing use of AI for the purposes of underwriting and the RBI’s own guidelines on the use of AI for credit risk assessment, we are also curious to see how these guidelines will affect the use of AI models in the finserv space, and any further guidelines on fairness, criteria for decision making, and algorithmic transparency.
News coverage we liked on this topic: This explainer in Livemint, and for AI enthusiasts, an interesting read on the impact of GPT-4 on data localisation compliance for fintechs in The Ken (paywalled).
RBI releases draft circular on penal charges on loans
On April 12th, the Reserve Bank of India (RBI) released a draft circular on ‘Fair Lending Practice - Penal Charges in Loan Accounts’. The RBI aims to prevent penal charges (i.e., interest on unpaid amounts) from being used as a revenue source for lenders, and instead, promote the original purpose of encouraging better credit discipline/dissuading borrower default (you can read more about this in our previous issue here).
Here are some of the key proposals in the draft:
Lenders can’t introduce any additional component to the rate of interest on credit facilities, including conditions for reset of interest rates. Additionally, lenders shouldn’t engage in capitalisation of penal charges, which means no further interest computed on such charges. However, this will not affect the normal procedures where lenders earn revenue through contracted interest rates, which can be charged on a compounding basis.
The rate of interest on a loan should include an appropriate credit-risk premium reflecting the credit-risk profile of the borrower - which means that penalties need to be proportionate to the default in question. If the credit-risk profile of the borrower changes, lenders will be free to alter credit risk premium as per their terms and conditions.
Penal charges and the conditions associated with them should be clearly disclosed by lenders to customers in the loan agreement, most important terms & conditions/Key Fact Statement (KFS), and displayed on the lender’s website. Lenders also cannot discriminate against borrowers within a particular loan/product category.
Essentially, the aim of these new regulations is to ensure that lenders are not operating with the wrong incentives, such as profiting off of default by borrowers, or using penalties as a mechanism for compensation for money’s time value and as an additional source of revenue. This paves the way for a more borrower friendly lending ecosystem; however, the final iteration of these rules remains to be seen - including information on cut off dates for compliance. Comments from stakeholders were invited by the RBI until 15th May.
A notable input is from the FIDC, which is the representative body of NBFCs. According to this media report, the key objections of the FIDC are (i) the use of the term ‘penal charges’ rather than ‘penal interest’, which they contend will lead to a GST burden on consumers and accounting hassles for NBFCs, (ii) the lack of criteria to determine the ‘materiality’ of the default by the borrower, in order to levy a proportionate penal charge, and (iii) since penal interest is charged based on a lapse in time, this cannot be categorised as a ‘fee’ or ‘charge’.
News coverage we liked on this topic: This explainer in The Hindu
Setu and Agya at SamvAAD 23: The team at Setu and Agya Technologies (our in-principle licensed Account Aggregator) were at SamvAAD, the first event held for the Account Aggregator ecosystem by Sahamati, the ecosystem regulator. Our team also won the award for our Account Aggregator flow under the category ‘Access to credit for short term needs’, in partnership with Snapmint. The event brought together participants in the AA ecosystem, regulators, designers and researchers to connect on the growth of the AA ecosystem and new use cases, as well as the impact of regulatory frameworks around data privacy, outsourcing and KYC, among others. Access our AA whitepaper here!
FLDG Guidelines expected: According to media reports, the second round of digital lending regulations is likely to create an enabling regulatory framework for First Loss Default Guarantees (FLDG), which remains in a regulatory grey area as to its permissibility, after the introduction of the Digital Lending Guidelines, 2022. The guidelines effectively treated FLDG similarly to synthetic securitisation, which is prohibited for banks and NBFCs. [Listen to our explanation on FLDG here!] It’s reported that rather than being prohibited, the new regulation will attempt to bring in accountability by setting guardrails around the FLDG, which should come as a relief for lenders and fintechs exploring alternate models and who faced operational difficulties.
SBM India blocks fintech-partnered credit cards: Since March 31st, the State Bank of Mauritius Bank (SBM) has blocked corporate credit cards issued in partnership with several fintech players in India following a mandate by the RBI to update their KYC details. This move has reportedly affected all major fintechs with credit card offerings in partnership with SBM India, and the move was also made without prior notice. SBM and its fintech partners have informed their customers to complete the re-KYC process to avoid any further disruptions. You can read our previous coverage on regulatory action against SBM here.
Google Play Store updates its Personal Loans Policy: Google has updated its Personal Loans policy on Play Store, which prohibits apps which provide or facilitate personal loans from accessing sensitive user data, effective May 31st. This comes in response to the reported rise of predatory behaviour from some lenders utilizing personal data of borrowers. Although implemented in multiple countries, Google's move is particularly relevant in India, where the RBI has laid down guidelines governing digital lending to crack down on unregulated lending activities in order to save borrowers from harassment and predatory lending (you can read more about this in our previous issue here). On the Indian government’s orders, Google had already removed nearly 2,000 personal loan apps from its Play Store by August last year, which accounted for more than half of the total apps in the lending category.
Visa and RuPay Launch CVV Free Payments: Visa and RuPay are the first payment networks to introduce CVV free tokenisation, where the card holder’s CVV is collected during the initial token provisioning, but merchants and acquirers can stop collecting CVV during subsequent token-based domestic CNP transactions. The RBI brought tokenisation into effect from October 1st, 2022, as a method to reduce card fraud. This is perhaps the first significant advancement of the tokenisation regime since introduction.
MeitY proposes amendment to Aadhaar authentication rules: The Ministry of Electronics and Information Technology (MeitY) has proposed new rules to allow private entities to use Aadhaar authentication for prescribed purposes. Entities other than a Government Ministry or Department can use Aadhaar authentication by submitting a proposal to the concerned Ministry or Department of the Central or State Government. Entities need to provide justifications on how the authentication sought will serve the ‘interest of the state’, for the purpose of ‘promoting ease of living of residents and enabling better access to services for them’, terms which we hope will be clarified in the final amendments.
RBI’s Annual Report signals more scrutiny: The RBI’s 2022-23 annual report reveals that penalties of ₹40 crore were imposed on REs in 2022-23. Key areas of scrutiny on the RBI’s regulatory agenda, among others, were KYC, fraud reporting and prevention, cybersecurity and IT governance. The RBI is also looking to put out half yearly reports on enforcement actions, improve compliance culture among REs through periodic compliance testing, and examine the feasibility of a ‘scale based approach’ to enforcement. The RBI is also looking to improve the Account Aggregator ecosystem by addressing technical issues and making the framework more robust. It’s also worth noting that the RBI’s Governor recently commented that it is continuing to monitor and regulate the fintech sector.
Proposal to create a Self-Regulatory Organisation for the payments industry: RBI’s Governor recently proposed the creation of a self-regulatory organisation (SRO) for the payments industry in India. The Payments Council of India (PCI), which represents payment firms, had intended to take on the role of an SRO, but the RBI objected to the proposal as it includes unregulated firms. The RBI wants all regulated payment companies to come together and form a single SRO, but this is challenging given the diverse players in the payments industry. You can read our previous coverage on the role of SROs here.
IRDAI approves establishment of online insurance marketplace ‘Bima Sugam’: The Insurance Regulatory and Development Authority of India (IRDAI) has approved the establishment of an online insurance marketplace called 'Bima Sugam'. The platform is designed to operate as a D2C platform, offering a range of insurance solutions from all IRDAI-approved companies offering life and non-life insurance products.
NSE restricts use of its data: On April 20th, the National Stock Exchange of India (NSE) released a circular mandating that NSE’s data can only be used for legitimate trading purposes by trading members and their clients. The directive was issued after certain market participants utilized NSE data for gaming and virtual trading purposes, in violation of fair and transparent trading principles, and a previous circular, which advised trading members to only use authorized sources of data and technical software provided by the NSE or authorized vendors for internal usage and not for redistribution.
Extension of CBDC Pilot: The RBI is reportedly exploring extension of the CBDC pilot, due to low adoption caused by factors such as customer preference for UPI, reluctance to utilise separate QR codes for CBDC, and lack of awareness. You can read our previous coverage on CBDCs here.
This wraps up the updates which caught our eye in April and May ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our June edition.