Credit on UPI gets official, Breaking down the Data Protection Act, Slice-NESFB merger, relief for GPay and more...
11 October 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari.
Here are the highlights since our last issue!
UPI’s credit boost gets official
On September 4th, the RBI released a notification officially announcing the expansion of UPI to enable transfers to/from pre-sanctioned credit lines, including their use as a funding account. We covered this proposal in our March issue, when it was announced in the RBI’s policy statement. For now, the RBI has permitted payments through a pre-sanctioned credit line only from Scheduled Commercial Banks, with the prior consent of the customer. Banks may specify terms and conditions for these credit lines (such as credit limits, interest rates, etc.).
Following this, on September 20th the NPCI released an Operating Circular on the subject which sheds some light on the process:
Permitted lenders can enable linking of existing credit line products and innovate new credit line products, and acquirers need to enable acceptance of these credit lines at the merchant’s end. This brings us back to the question we raised in our previous coverage: what types of new revolving credit products can be built to best utilise UPI rails? After the crackdown on some newer types of BNPL products (the bar on linking credit lines to PPIs, the Guidelines on Digital Lending, etc.), we could now see a resurgence of BNPL products built over UPI.
The NPCI has set out the following construct: (i) customers should be able to discover their credit line accounts with the issuer based on their registered mobile number and link them to their UPI ID on the UPI app, (ii) credit line transactions will be settled as per existing UPI settlement processes, and (iii) inward payments from a current or savings account to the customer’s UPI ID linked to the credit line account should be treated as repayment of the credit line. AutoPay can be enabled for repayment as well.
Here are the rules to which this construct is subject:
During credit line onboarding on the UPI app, the device binding and UPI PIN setting process will be construed as customer consent for credit line linking.
Acquirers need to ensure that cash withdrawal isn’t permitted, ensure overall compliance including the blocking of restricted MCCs, and educate merchants regarding these guidelines.
Standard UPI transaction limits will continue to apply.
Apps need to ensure transparency by giving the customer a clear user interface to view their transaction history, available balance, total outstanding and other information relating to the credit line. Issuers and apps need to send appropriate notifications to the customer at each stage of the credit life cycle. Merchants also need to receive instant notifications for transactions linked to the credit line.
Customers should be able to set default options among their linked accounts for these transactions and for repayment. Refunds and reversals need to be credited directly into the credit line account.
With this operational clarity, we could see a wide range of existing credit lines (including the revolving credit lines at banks underlying Visa/Mastercard credit cards) linked to UPI, along with new types of credit products developed expressly to take advantage of UPI’s unique UX and ubiquity. As we mentioned in our previous coverage, it will be interesting to see if NBFCs will be brought within the fold (since this is currently restricted to Scheduled Commercial Banks) to unlock the full potential of credit on UPI.
Breaking down the Digital Personal Data Protection Act
The Digital Personal Data Protection Act (the Act) was enacted on the 11th of August, bringing an end to India’s long wait for standalone legislation addressing data protection and privacy. As promised in our previous issue, where we outlined some provisions which stood out, here is our detailed breakdown of the Act and what we think the implications are for fintech and finserv. [Capitalised terms we use here are as defined in the Act]
Before we get into it, the latest news from an industry consultation held in September is that we could see rules by the end of October notifying the constitution of the Data Protection Board (with any breaches occurring in the interim to be taken up by the Board once constituted), along with a graded timeline for compliance based on 3 categories of Data Fiduciaries (Centre/State panchayats, MSMEs and non-digital businesses being the first; smaller companies and startups the second; and big companies the third category, which will need to comply the earliest). Timelines for compliance are likely to be between 6 months and a year, with extensions unlikely.
Of particular relevance to fintechs, the government is envisioning an eKYC framework for obtaining parental consent and meeting the age-gating requirements under the Act. There is also unlikely to be an exemption for entities already regulated by financial services regulators; they will be regulated by both bodies.
Applicability outside India: The provisions of the Act will apply to all Data Fiduciaries, even where the processing of personal data takes place outside India, if the processing is done in connection with goods and services offered to Data Principals (the individuals to whom the personal data relates) located in India. This will likely have implications for several fintechs and banks incorporated outside India which offer services in the Indian market, including through partnerships with Indian fintechs.
Who’s who?: A Data Fiduciary is an entity which determines the ‘purpose and means’ of processing personal data, while a Data Processor is an entity which processes personal data on behalf of, and on the instructions of, the Fiduciary. It will be important for businesses to assess their role as Data Fiduciary or Processor depending on the context, and it is possible that they could be both in different contexts. For example, a Payment Aggregator could argue that it is a Data Processor in relation to customer information collected on its platform, since it is processing that data on behalf of the merchant from whom the customer is purchasing goods or services. The merchant, however, could argue that since the customer is redirected to the PA’s platform to make the payment, the PA is a Data Fiduciary in relation to any personal information processed on that platform. These conundrums are likely to come up in the context of new types of business models, payout flows and transactions, and it will be interesting to see the interpretations followed.
Enhanced notice and consent requirement, usage of ‘public’ data: As we covered previously, the requirement under the Act is for the Data Fiduciary to precede every request for consent with a notice. Taking consent via a privacy policy once, upon entering a website/application, may not be enough if there are multiple touchpoints within the app involving data collection. The illustration provided in the Act is that if a user opens a bank account and needs to complete video KYC, a specific privacy notice needs to be shown at the point of beginning the V-KYC process. This would involve a detailed evaluation of the different touchpoints within a platform/product where personal information of users could be collected. This seems particularly relevant where Data Fiduciaries have white-labelled journeys created for them, or where users are redirected to the platform or screen of an entity other than the Data Fiduciary.
Importantly, personal data which is made publicly available by the Data Principal, or by any other person who is under a legal obligation to make it publicly available, falls outside the Act altogether. The scope of this exemption and how industry interprets it remains to be seen, especially in the context of using public data to train AI models.
Operationalising Data Principal rights, safeguards and accuracy: Previously, Data Principals’ rights were applicable only to their ‘sensitive’ personal information. With this categorisation removed in the Act, it will be important for businesses to ensure that these rights can be effectively exercised in relation to all personal data. This may be especially challenging when it comes to enabling revocation of consent and deletion of personal information on behalf of a Data Fiduciary. With no specific definition of the ‘technical and organisational’ measures to be implemented either, the finserv industry may end up adopting a recognised industry standard as an acceptable level of data protection (such as ISO 27001 or SOC 2). Data Fiduciaries also now need to ensure that the personal data they process and pass on to third parties is ‘accurate’, which may be difficult to operationalise in practice given that the data comes from the Data Principal. A possible interpretation is that this means the integrity of the data should be maintained and it should be protected from any tampering or corruption.
Simplified requirements for Data Processors: Many fintechs are (in certain circumstances) Data Processors for regulated financial institutions, i.e., they process personal data as directed by the Data Fiduciary. Previous drafts of the Bill included requirements on Data Processors themselves, such as protecting data in their control and implementing reasonable security safeguards, with penalties for failure to meet them. The Act does away with these; the only requirement now is that Data Processors be engaged under a valid contract. While this may come as a relief to data-processing fintechs, it could also lead to more stringent contractual provisions to protect the Data Fiduciaries they work with, and to practical difficulties for processors in following the requirements of each Data Fiduciary they deal with (including in relation to data erasure and retention). What may benefit the industry is an approach similar to the RBI’s Outsourcing Directions, which lay down a detailed list of requirements for contracts and safeguards and thereby standardise these processes to a certain extent.
Leeway for sectoral data localisation?: Instead of the earlier approach of whitelisting countries to which cross-border transfers are allowed, cross-border transfers are now permitted by default until a country is ‘blacklisted’ by notification. Importantly, this provision also clarifies that it won’t restrict the operation of any law currently in force which ‘provides for a higher degree of protection for or restriction on transfer of personal data’ outside India. This seems to be an express confirmation that specific types of data (such as payment data) are likely to remain subject to data localisation requirements under RBI or other guidelines. It remains to be seen how the blacklisting approach will operate, and how it will affect the use of foreign cloud service providers.
Data breaches and grievance redressal: Directions issued by CERT-In in April 2022 provide for a 6-hour window to report cyber incidents (including data breaches) to CERT-In, and specify which categories of incident need reporting. The Act does not appear to be harmonised with the CERT-In Directions, and says that the rules for reporting personal data breaches will be notified subsequently. Additionally, the timeline for grievance redressal is not specified. We hope this will be harmonised with existing regulations such as the Intermediary Rules, 2021; a timeline of around 30 days would be more practical.
Exemptions: The Act retains broad exemptions for government agencies for purposes in the public interest. Data Fiduciaries in the fintech ecosystem, particularly those in the B2C space, will need to walk a fine line between safeguarding customer interests and complying with information requests from law enforcement and other government entities.
Consent Managers: A welcome development is the change in the definition of a ‘Consent Manager’, which no longer classifies these entities as Data Fiduciaries. This seems an apt change, given that they may not have access to the underlying (encrypted) financial information and do not decide the purpose or means of processing. Consent managers like Account Aggregators simply record consent and transfer encrypted information on the basis of that consent. What is also welcome is that the Act creates a basis for intermediaries similar to AAs to exist in other sectors. With the explicit mention of interoperability as a requirement for consent management platforms, this could also signal the operationalisation of a right to data portability, in the absence of a specific provision.
News coverage we liked on this topic: This general explainer from the Future of Privacy Forum and this analysis of its impact on the fintech industry by Ikigai Law.
SEBI moots ‘finfluencer’ regulations via consultation paper
In our November ‘22 edition, we covered SEBI’s announcement of potential guidelines to regulate ‘financial influencers’ or ‘finfluencers’. On August 25th, SEBI released a consultation paper to this effect, open for public comment until September 15th, 2023. The past few years have seen the rise of several finfluencers on social media, either independently providing investment advice or associated as brand ambassadors with fintech and financial services platforms. Depending on their model, these finfluencers earn affiliate commissions from the brands themselves, non-cash benefits, a share of profits, and/or ad revenue from the social media platforms they operate on.
SEBI’s primary concern is that such individuals, being unregistered with the regulator unlike RIAs, may lack the requisite skills and qualifications to provide advice to the public. This risk is compounded by the fact that some of them are incentivised through their associations with SEBI-registered entities, leading them not to disclose conflicts of interest to the public, while operating outside the purview of SEBI regulations and codes of conduct. Here are the highlights of SEBI’s proposals to address these issues:
Any individual/entity looking to provide investment advice will have to be registered with SEBI as an Investment Adviser. SEBI-registered REs and intermediaries will not be allowed to have any association, whether paid or otherwise, with unregistered entities, including finfluencers. No confidential information can be shared with such unregistered players.
Registered finfluencers will need to display certain specified details to the public, include appropriate disclaimers on all posts/content, and comply with advertising codes of conduct.
REs will also need to take active measures to disassociate themselves from unregistered entities, and to pursue enforcement action under criminal law against unregistered entities which create associations with REs.
To address skewed incentives, SEBI has proposed banning REs from paying trailing commissions based on the number of referrals, permitting only limited referrals from retail clients and stockbrokers.
These proposals have been met with some praise, as a way to curb fraud and misleading of the public. A case in point was SEBI’s order against finfluencer PR Sundar earlier this year, barring the options trader from trading for a year for providing investment advice without registration. However, concerns have been raised about the stringency of the regulations, when there are already fewer RIAs than desirable following the recent increase in the qualifications required. Could a compromise be to create a separate category of advisers which do not have to meet the requirements for RIAs but can still associate with SEBI REs subject to suitable disclaimers and conflict checks? We will be tracking how the regulations evolve after the public consultation period.
News coverage we liked on this topic: This coverage in The Fintech Chronicler.
Slice merges with North East Small Finance Bank: In a major development, the credit card and payments fintech Slice received approval from the RBI to merge with North East Small Finance Bank. This makes it the first consumer-focused fintech with a banking licence. This merger (the shareholding pattern of which is not public) follows Slice’s earlier acquisition of a 5% stake in NESFB in March ‘23. While a consortium consisting of BharatPe and a major NBFC was allowed to take over PMC Bank in the past to form Unity SFB, in this case it would appear that Slice will be the major/dominant partner in the resulting entity. This is an encouraging move from the RBI, which might signal increasing confidence in governance and compliance at fintechs. It also represents a major step forward for Slice, which was among the companies heavily impacted by the RBI’s directive last year halting the linkage of credit lines with PPIs.
RBI releases guidelines on penal charges in loans: Following its draft circular on the subject, which we covered here, the RBI has released the final guidelines on Penal Charges in Loan Accounts, effective from January 1st, 2024. For existing loans, lenders need to ensure compliance by the earlier of the next renewal or review of the loan, or 6 months from the effective date of the guidelines. As indicated in the draft, the intent of these guidelines is to ensure that lenders do not operate with the wrong incentives, such as profiting from borrower defaults or using penalties to compensate for the time value of money and turning them into an additional source of revenue. This paves the way for a more borrower-friendly lending ecosystem. Despite objections from some quarters, the guidelines reflect the same key proposals made in the draft: (i) lenders cannot introduce any additional component to the rate of interest on credit facilities, including conditions for reset of interest rates, (ii) lenders cannot capitalise penal charges, i.e., no further interest may be computed on such charges, (iii) penalties should be proportionate to the default in question, and (iv) penal charges and the conditions attached to them should be clearly disclosed to customers in the loan agreement and the most important terms & conditions/Key Fact Statement, and displayed on the lender’s website. Lenders also cannot discriminate between borrowers within a particular loan/product category.
Delhi HC rejects PIL to stop GPay’s operations, and PayPal appeals: A Division Bench of the Delhi High Court recently dismissed two Public Interest Litigation petitions which sought to have GPay’s operations in India halted due to alleged violations of regulatory and privacy norms. The Court ruled that GPay is only a third-party app provider, not a Payment System Operator requiring authorisation under the Payment and Settlement Systems Act, observing that it is the NPCI which operates UPI and GPay is only a facilitator within the UPI infrastructure. The Court also rejected the contention that GPay’s operations violate any privacy norms, observing that as a TPAP, GPay stores only limited customer data in encrypted form and is not permitted to hold any sensitive payments data, which serves as an adequate safeguard. This is an interesting judgment, since it stands in contrast to the recent wide interpretation of the term ‘Payment System Operator’ by a single Judge of the Delhi High Court, which we covered in our previous issue. Incidentally, PayPal has appealed that decision, which characterised it as a Payment System Operator, before the Division Bench, and the Court has sought a reply from the Finance Ministry on the issue.
SEBI consultation paper on the AA framework: On 1st August, SEBI released a consultation paper on the use cases for which SEBI-registered intermediaries and REs can be Financial Information Users in the Account Aggregator ecosystem. The paper puts important questions to these entities: whether any entities should be excluded from being FIUs, what additional categories of financial information could be included, and what safeguards are required in the AA ecosystem to prevent fraud and misuse of the financial information provided by customers for these use cases. It will be interesting to see the inputs provided in response, which will offer valuable insights into the future growth of the AA ecosystem.
This wraps up the updates which caught our eye in August and September ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our October edition.