Data protection law almost enacted, Proposed changes to card network arrangements, Possibility of fintech regulations and more...
11th August 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari.
Here are the highlights from July (and a bit of August)!
Digital Personal Data Protection Bill approved by Parliament
In a momentous development, the Digital Personal Data Protection Bill has been approved by Parliament, and is expected to shortly be signed into law by the President. This caps the end of a long wait for a dedicated data protection law in India, which has seen many draft bills be discarded over the years. While we will break down the Bill in greater detail in a separate piece, here are some key points for the finserv and fintech industries:
Enhanced notice and consent requirement: An earlier draft required Data Fiduciaries (i.e., those entities collecting personal data) to provide the Data Principal (i.e., the person from whom personal data is collected) with a notice of the data collected on or before requesting them for their consent. Under the Bill now, the requirement is for the Data Fiduciary to precede every request for consent with a notice. Taking consent via a privacy policy upon entering a website/application once may not be enough, if there are multiple touchpoints within the app involving data collection. The illustration provided in the Bill is that if a user opens a bank account and needs to complete video KYC, a specific privacy notice needs to be shown at the point of beginning the V-KYC process.
Simplified requirements for data processors: Many fintechs are (in certain circumstances) Data Processors for regulated financial institutions, i.e. they process personal data as directed by the Data Fiduciary. Previous drafts of the Bill included requirements for Data Processors themselves such as protecting data in their control, implementing reasonable security safeguards, and penalties for failure to meet these requirements. The new Bill does away with these, with the only requirement being for Data Processors to be appointed through a valid contract. While this may come as a relief to data processing fintechs, this could also lead to more stringent contractual provisions to protect the Data Fiduciaries they work with.
Leeway for sectoral data localisation?: Instead of the previous approach to whitelist countries where cross border transfers are allowed, cross border transfers are now permitted by default until a country is ‘blacklisted’. Importantly, this provision also clarifies that this won’t stop the operation of any laws currently in force which ‘provides for a higher degree of protection for or restriction on transfer of personal data’ outside India. This seems to provide an express confirmation that specific types of data (such as payment data) are likely to still be subject to data localisation requirements provided for under RBI or other guidelines.
We’ll be decoding all this and more in our August issue - do reach out to us on the form linked below for any specific questions on the Bill or aspects you’d like to see us cover!
News coverage we liked on this topic: This summary of the Bill on MediaNama.
RBI proposes allowing users to choose their card network
In a potentially huge change, the RBI has proposed in a draft circular that customers be allowed to choose their card network for credit, debit, and prepaid cards. The current practice worldwide is that the card network is pre-determined through agreements between the networks and issuing banks. Through this circular, the RBI would potentially prohibit card issuers from entering into arrangements with card networks which restrict customers from choosing their preferred card network. Here are the highlights of the draft, along with the potential implications:
Apart from not entering into restrictive agreements, card issuers are required to (i) issue cards across more than one network, and (ii) allow customers to make their choice both at the time of issue and at any subsequent time.
Issuers and networks must adhere to these requirements at the time of amendment/renewal of existing agreements, or through fresh agreements issued after the effective date of the circular.
With the requirements taking effect on October 1st, 2023, issuers and card networks will have less than 90 days to comply, which will necessitate rapid organizational changes.
What are the possible implications?
More choice for customers and increased competition in the market could see more innovation by banks and card networks in the effort to retain customers, such as rewards. Portability across card networks will also allow customers to maintain their accounts, credit balances and credit history when switching to a new network.
With the recent expansion of Unified Payments Interface (UPI) to enable transfers to/from pre-sanctioned credit lines, there could now be an additional incentive for existing Visa/MasterCard credit cards to be linked to UPI as well, since UPI linkage would otherwise be a reason for customers, given the choice between networks, to opt for RuPay. We covered this possibility when it was rumoured in February, in our March issue.
With no lock-in period between changes of card network, this could increase operational costs for issuers. The specification to offer choices to ‘eligible customers’ will also involve several changes on the backend, which could be an issue for smaller banks or non-bank issuers.
Existing contractual arrangements would require an overhaul, since most agreements are likely to be exclusive, and in force for multiple years with specific grounds for termination. This could also impact multi-year co-branded partnerships, which are dependent on the back-to-back contractual arrangement between the card network and the issuer.
Global card networks like Mastercard, Visa and Diners Club could face issues with compliance, given the short window to implement these changes. This is similar to the situation in 2021, when Mastercard and Diners Club were temporarily barred from onboarding domestic credit card customers due to the failure to implement compliance with the RBI’s data localization norms within a period of 6 months.
It’s possible that while this measure is meant to boost competition, it could see tie-ups among card networks to make offerings more attractive to customers. Some commentators have also speculated that this could be a move to increase the penetration of RuPay in the credit market (following linking RuPay credit cards to UPI and prepaid forex cards which we covered here), given that RuPay holds a small percentage of the share in the credit card market as opposed to its majority share in the debit card market.
News coverage we liked on this topic: This explainer in LiveMint, and these interesting articles on Finshots and The Hindu Business Line on this issue in the context of the measures implemented to promote the growth of RuPay.
Delhi High Court rules on dispute between PayPal and FIU-IND
On 24th July, a single judge bench of the Delhi High Court (Court) ruled on the dispute between PayPal and the Financial Intelligence Unit India (FIU-IND). What was the crux of the dispute? PayPal challenged an INR 96 Lakh penalty for violations of reporting obligations under the Prevention of Money Laundering Act (PMLA). PayPal argued that it is an Online Payment Gateway Service Provider (OPGSP), which does not make it a ‘reporting entity’ under the PMLA (which comes with compliance requirements to furnish transaction records and report suspicious transactions, among several others). The FIU-IND contended that PayPal is a Payment System Operator (PSO) and does in fact handle funds in India, bringing it within the ambit of the PMLA.
Here are the highlights of the decision:
Given the objective of Anti Money Laundering (AML) laws and the role of the FIU-IND in preventing financial fraud, data analysis is key to its functioning, especially with the increased processing of digital payments. The Court decided to adopt a liberal interpretation of the term 'reporting entity' (RE) under the PMLA to avoid defeating the spirit of the law, ensuring that data is continually available and not only on demand.
Crucially, the Court held that the fact that an OPGSP does not qualify as an RE under the Payments and Settlement Systems Act (PSS Act) does not mean that it can’t be considered an RE under the PMLA. The Court did not find it justifiable to include within the PMLA only entities which are directly engaged in the handling, retention or transfer of funds. If this is the position going forward, it could significantly extend the scope of REs under the PMLA.
Ultimately, PayPal has been held to be a PSO under the PMLA, since the transaction connected with a payment being processed between two parties would fall within the scope of the expression "payment system" under the PMLA, and the tech on which the platform rests enables this transfer. This is definitely likely to see a challenge through an appeal.
The Court did decide to waive the penalty imposed by the FIU-IND though, since it found that PayPal had proceeded on a good faith belief that it was not a PSO, a stand it had consistently taken in the face of regulatory ambiguity. This did not amount to wilful disobedience, with the Court noting that all communication indicated a mutually collaborative approach from PayPal. This is an encouraging balance, given the ambiguity present in several fintech regulations which leads to entities taking interpretations and risk calls, in order to move ahead with business.
The FIU-IND or PayPal could appeal aspects of the judgment which they consider unfavourable to them. In its present form however, this judgment will force many fintechs to examine whether they need to operate as if they are REs under the PMLA, despite operating businesses that do not require an RBI license.
News coverage we liked on this topic: Coverage of the judgment and dispute in the Indian Express, and Bar and Bench.
Conversational UPI & enhancements to UPI Lite: The RBI’s quarterly policy statement outlined three upcoming enhancements to UPI payments. The per-transaction limit for UPI Lite has been enhanced from Rs. 200 to Rs. 500, though the overall limit of the device wallet has been retained at Rs. 2000. UPI Lite will also be allowed to use NFC technology, which may bring tap-and-pay functionality on phones similar to what is possible for cards. Taken together these could provide a major fillip to small retail payments using UPI Lite. In addition, the RBI wants to foster conversational UPI payments, which ‘enable users to engage in a conversation with an AI-powered system to initiate and complete transactions in a safe and secure environment’. The intention is to make this available on both smartphones and feature phones, and more details should be available once instructions are issued to NPCI.
Fintech regulations expected: The Deputy Governor of the RBI recently announced that the RBI is working on regulations for fintechs. He mentioned that the regulation must strike a balance between ‘fostering innovation and ensuring adherence to norms’, and that it could potentially address ‘governance, compliance, business conduct, and adopting risk mitigation practices’. While other specifics were not hinted at, we anticipate that any such regulations could address onboarding processes, compliance with KYC norms, oversight over data collection and sharing, as well as increased scrutiny into partnerships between fintechs and Regulated Entities. On a related note, here are interesting pieces on MoneyControl and The Morning Context (paywalled) on why Payment Aggregator (PA) license applications are stuck and the key regulatory roadblocks.
NPCI simplifies e-mandates: On July 21st, the National Payments Corporation of India (NPCI) released a circular (see circular no. 003) to simplify the e-mandate registration process, to improve customer experience and encourage further digitisation of recurring payments. Now, in addition to existing modes of e-mandate authentication (i.e., debit card or net banking for values up to INR 15,000), these mandates can also be verified through the customer’s Aadhaar number, PAN number, or customer ID of the bank. This must be followed by OTP authentication. Mandate limits across all variants (i.e., physical and digital) have been harmonised at a uniform INR 1 Crore.
New fraud reporting requirements: According to this media report, the RBI has asked all banks to report frauds irrespective of the amount, including those below INR 1 Lakh, in response to rising cases of digital payment fraud. Reportedly, the RBI has also questioned banks regarding fraud prevention and response mechanisms. Fraud prevention is among the RBI’s key agenda points for the upcoming financial year, which we covered here.
SEBI ramps up cybersecurity norms: Securities and Exchange Board of India (SEBI) has issued a consultation paper on 'Consolidated Cyber Security and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities'. This is based on the National Institute of Standards and Technology framework, which is a global cybersecurity standard and set of best practices. The paper deals extensively with incident detection, reporting and response, information security measures to be adopted, as well as audits for SEBI REs. This follows a trend of financial regulators prioritising cybersecurity in the past year, an issue we’ve previously covered here and here.
SEBI overhauls dispute resolution: In a welcome move which is likely to streamline grievance redressal and dispute resolution processes, SEBI has notified the Securities and Exchange Board of India (Alternative Dispute Resolution Mechanism) (Amendment) Regulations, 2023. The amendments have been effected across a host of SEBI regulations, for all disputes under the purview of SEBI to be referred to alternative dispute resolution mechanisms such as arbitration and mediation. If the investor is dissatisfied, they will also now be able to escalate disputes to a designated body for review. Following this, SEBI released a circular on July 31st, launching a Common Online Dispute Resolution Portal for all market participants to enroll on. This portal can be used for resolving disputes through conciliation, mediation and arbitration (for which qualified professionals will be appointed).
SEBI moves to T+1 settlement cycle: SEBI’s chairperson has announced that effective October 1st, 2023, it will move to a T+1 settlement cycle for all scrips, instead of the current two day settlement cycle for settlement of trades. This is in an effort to reduce the risk of settlement failures and increase transparency. The chairperson has also said that the regulator is working on moving towards instantaneous settlement of trades in the next financial year.
FACE Code of Conduct for Digital Lending: The Fintech Association for Consumer Empowerment (FACE) which is a non-profit industry body comprised of digital lending companies, has released a soft launch version of its Code of Conduct for Digital Lending (Code). The Code is mapped to the requirements under the Digital Lending Guidelines, 2022 and addresses practices that members must adopt, such as inclusivity as an approach to lending, best practices for underwriting, measures for transparency in dealings with borrowers and disclosures, grievance redressal, fair practices during promotion and recovery, among several other aspects. This comes on the heels of crackdowns against the digital lending industry, an issue we’ve covered previously here, here, and here.
Reads we liked this month: This study conducted by the Vidhi Center for Legal Policy evaluating the performance of the Account Aggregator framework, reasons for low consumer adoption, and recommendations for a more robust governance framework. We also found informative this report prepared by the team at Spice Route Legal on incident reporting obligations under various regulations in the financial sector.
This wraps up the updates which caught our eye in July ’23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our August edition.