FLDGs see a green-light, RBI scrutiny on co-branding and customer service, SEBI's action on broking and more...
05 June 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari.
Here are the highlights from June!
FLDG Guidelines Notified
After much foreshadowing, the RBI issued the promised guidelines permitting First Loss Default Guarantees (FLDGs). Here are the highlights:
Regulated Entities (REs) can enter into default loss guarantee (DLG) arrangements only with Lending Service Providers (LSPs) or another RE which has entered into an outsourcing arrangement with an LSP.
FLDG is limited to 5% of the loan portfolio, hence corporate guarantees are no longer an acceptable type of FLDG.
FLDGs are only permitted in the form of cash deposits, fixed deposits and bank guarantees in favour of the RE. This means corporate guarantees will not be allowed as a form of DLG.
FLDGs must be backed by a contractual arrangement, specifying the extent of DLG cover, form in which DLG cover is to be maintained with the RE, timeline for DLG invocation, and disclosure requirements.
To increase transparency, REs need to put in place a mechanism to ensure that LSPs with whom they have a DLG arrangement publish the total number of portfolios and the respective amount of each portfolio on which DLG has been offered on their websites.
The guidelines introduce more due diligence requirements, such as putting in a board approved policy, and the need for the RE to obtain information to satisfy itself that the entity extending DLG would be able to honour it. This includes a declaration from the DLG provider on the aggregate DLG amount outstanding, the number of REs and the number of portfolios against which DLG has been provided.
DLG arrangements cannot be a substitute for credit appraisal requirements and implementing robust credit underwriting standards. This is important, given that a key value proposition for FLDG by unregulated fintechs is demonstrating the quality of their credit risk assessment through underwriting algorithms, and in turn, incentivising lenders to open their books to borrowers referred by fintechs.
Overall, this has been viewed as a positive development across the lending and fintech ecosystem, providing more certainty and increasing credit penetration. One clarification required would be whether the LSP providing the guarantee must also be the same LSP which helped the RE originate the portfolio, since this is not explicitly mentioned in the guidelines. However, this is likely to be the logical conclusion given that it wouldn’t be the regulator’s intent to create a passive ecosystem of guarantee providers classifying themselves as LSPs.
News coverage we liked on this topic: This explainer on Livemint and this article on the business impact in ET BFSI.
RBI constituted panel reviews customer service standards for REs
An expert panel set up by the RBI in May 2022 has released its report on customer service standards for REs (which include banks, NBFCs, credit information companies and Account Aggregators, among others). This report provides crucial insights into procedures which could be mandated for REs in the future. Among the most notable recommendations of the committee (which are open for comments until July 7th) are:
The RBI could release a ‘principle-based’ regulation for customer grievance redressal, including formulating an enforceable charter of customer rights. This charter could potentially be extended to NBFCs - it remains to be seen how this will lead to changes in existing frameworks, such as the requirement for Account Aggregators to publish Citizens’ Charters. This could also be accompanied by a customer service and protection index maintained by the RBI.
The RBI should put in place a ‘suitable structure of incentives and disincentives’ to encourage REs to take proactive steps towards improving customer service, while imposing penalties on entities whose quality of customer service is deficient.
The RBI Ombudsmen should be empowered to direct the RE concerned to review and undertake suitable corrective action in all such cases and confirm compliance to the RBI. This signals closer regulatory scrutiny on service deficiencies.
An interesting recommendation is that the RBI, during supervisory processes, should take a view on the reasonableness of charges levied by REs for the services they offer. This could signal some scrutiny on any perceived market consolidation, price fixing/gouging arrangements and comparative pricing and unduly expensive services.
Cross selling of third-party products by the sales teams of REs could be subject to verification by the audit function of the RE to ensure that there was no mis-selling and compliance with all guidelines.
The committee also made some recommendations on Know Your Customer (KYC) processes:
That the Video based Customer Identification Process (V-CIP) should be increasingly used as an alternate method of customer identification, with more secure modes of two-factor authentication. We highlighted in our previous issue how, with the classification of non-face-to-face customers as high risk (which includes CKYC and Digilocker), V-CIP could become the new expected norm.
That while the REs should take necessary steps to periodically update KYC, it must be ensured that operations in the account are not stopped.
That REs should maintain a centralised database of KYC documents of all customers, linked to a unique customer identifier, obviating the need for submitting KYC documents repeatedly for availing multiple facilities from the same RE. This would also enable KYC updations by customers to be reflected across all facilities.
We could see a more nuanced approach for risk categorisation of the customers. An example given by the committee is that salary earners with inflows and outflows consistent with the customer’s profile need not necessarily be categorised as high risk, even though they may be “high net worth” individuals. Similarly, they recommend that students can also be categorized as low-risk.
News coverage we liked on this topic: This explainer in The Hindu
RBI notifies draft Master Directions on Cybersecurity for PSOs
Cybersecurity has been a key priority for the RBI in recent months, with its annual report also emphasising that it will be a crucial agenda point for the following financial year. On June 2nd, the RBI released the Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs), which has some notable updates for security in digital payments. Importantly, PSOs need to ensure compliance with the directions by any unregulated entities that they work with, such as payment gateways and third-party service providers. Here are the highlights:
The directions apply to all non-bank PSOs, with phased implementation. For large PSOs like Payment Aggregators (PAs), card payment networks, large Prepaid Payment Instruments (PPI) issuers, non-bank ATM networks, and White Label ATM Operators, compliance is required by April 1, 2024. For medium PSOs like Cross-border (in-bound) money transfer operators under Money Transfer Service Scheme (MTSS) and Medium PPI Issuers, the timeline is April 1, 2026. For small PSOs like Small PPI Issuers and Instant Money Transfer Operators, the timeline is April 1, 2028.
PSOs are required to formulate a comprehensive information security policy and cyber crisis management plan, report breaches to the RBI within 6 hours, have in place robust policies for incident response, access management, network security and fraud prevention, and put in place authentication measures to establish the identity of the communicating APIs, among several other requirements also harmonised with the Outsourcing Directions (which we covered here).
For all digital payment transactions, PSOs need to (i) enable alerts for parameters like transaction velocity, excessive activity, geo-location, transactions to Virtual Payment Addresses on whom phishing or other types of fraud are registered, (ii) display merchant names on all transactions, and (iii) enable easy reporting of fraudulent transactions.
PSOs providing mobile payments need to, among other requirements, terminate sessions where there is interference or inactivity, implement a maximum number of failed login attempts, prevent remote access services, and implement a cooling period for transactions where there’s a change in phone number or email address.
For card payments, card networks need to implement transaction limits at the card, Bank Identification Number, as well as at the card issuer level. Card details need to be encrypted both by the networks and their vendors.
PPI issuers need to enable support for transaction alerts and other details to be communicated in vernacular languages, and implement a cooling period for funds transfer and cash withdrawal after such funds are electronically loaded onto the PPI.
News coverage we liked on this topic: This summary of the directions on MediaNama.
RBI halts UPI for co-branding arrangements: According to this media report and a regulatory communication, the RBI has asked entities such as Dreamx (Dream11), Fampay, Akudo, and Muvin to stop offering PPI-UPI linkage through co-branding arrangements. PPI holders must be onboarded on UPI only directly by the PPI issuer, which must only link its customers’ wallets to the handle issued by it. The co-branding partner also cannot onboard customers of any bank, or any other PPI issuer. While the regulator’s reasons for this move are yet unclear, this does signal more scrutiny into co-branding partnerships, an issue we’ve previously covered here.
Updates from RBI’s Statement on Developmental and Regulatory Policies: Apart from the FLDG guidelines, there were other noteworthy updates from the RBI - (1) We can expect guidelines on the process flow for BBPS transactions and membership criteria for onboarding operating units in BBPS, to enhance efficiency and participation in the ecosystem. This follows the RBI’s expansion of BBPS in December ‘22 (which we covered here), into a general-purpose bill payments platform, unlocking multitudes of new use cases across consumer and business payments. (2) The scope of the e-RUPI voucher is likely to be expanded by permitting non-bank PPI issuers to issue them, and for the vouchers to be issued on behalf of individuals. (3) New RuPay prepaid forex cards are to be introduced, along with enabling RuPay debit, credit and prepaid cards to be issued in foreign jurisdictions. See Vinay’s take on this here!
SEBI revises position on Brickworks Ratings: In our October ‘22 edition, we covered how the Securities and Exchange Board of India (SEBI) ordered the Credit Rating Agency (CRA) Brickworks Ratings (BWR) to shut shop, due to BWR’s failure to declare fresh ratings on companies despite having knowledge that the companies had defaulted on borrowings and other debt related obligations. This was followed by increased regulation for CRAs, which we covered in our February edition. BWR then appealed the order before the Securities Appellate Tribunal (SAT), which recently ruled in its favour, finding that BWR did not act with an intent to defraud and any violations were trivial in nature or in the nature of operational errors.
SEBI bars IIFL Securities from onboarding clients: By way of an order on June 19th, SEBI has banned IIFL Securities from onboarding new clients for 2 years. According to SEBI’s investigation, IIFL was mixing client funds with its own proprietary funds as a broker. This is in violation of SEBI regulations which mandate that client funds and brokerage funds are to be maintained in separate accounts, and labeled as such. SEBI also observed that client funds in the pooled account could have been used for IIFL’s own operations or investments in its PE debt fund, and that IIFL used clients’ credit balances to offset the debit balances of other clients. IIFL is likely to appeal this order before the SAT, so the final outcome remains to be seen. However, it is clear that this could have significant effects on the broking ecosystem.
RBI fines credit bureaus: RBI has fined the credit bureaus CIBIL, Experian, Equifax and CRIF High Mark for regulatory violations, namely (1) certain data related to credit information which was maintained was not complete, and (2) failure to update the credit information of borrowers within 30 days of receiving complaints from them, and not updating the borrowers with reasons for their failure to comply. Read the RBI’s press release here.
RBI framework for compromise settlements sees objections: On June 8th, the RBI released a circular for Compromise Settlement and Technical Write-offs. The circular allows for borrowers and lenders to enter into a settlement agreement in cash, with a waiver of some of the due amounts by the RE. The RBI has also stated that banks can undertake compromise settlements or technical write-offs in respect of accounts categorised as wilful defaulters. This led to objections against the regulation by bank trade unions and raised questions regarding the RBI’s 2019 guidelines prohibiting restructuring of loans. Objections were also raised regarding the potential for misuse by wilful defaulters. The RBI has responded through subsequent FAQs that the primary objective of the circular is to enable multiple avenues for lenders to recover amounts in default without delay, adding that compromise settlements are not a matter of right for borrowers, but rather at the discretion of the lender. The RBI has also clarified that the circular does not dilute existing penal provisions, and introduces safeguards such as a cooling off period, mandatory board approved policies for compromise settlements, and consent decrees from courts of law where judicial proceedings are pending.
IRDAI considering Managed General Agencies: It’s been reported that the Insurance Regulatory and Development Authority of India (IRDAI) is considering allowing the entry of Managed General Agencies (MGAs). MGAs, which are popular in the USA and Singapore, are similar to NBFCs, but in the insurance sector: they onboard customers, underwrite customers, and share risk. Industry representatives are reportedly discussing this with the IRDAI, and the regulatory framework around risk sharing and customer lifecycle management, as well as what activities MGAs would be permitted to do, remain to be seen.
SEBI amends AML and CFT guidelines: On June 16th, SEBI introduced new guidelines in line with the amendments to the Prevention of Money Laundering Act. Stock exchanges and registered intermediaries are now required to identify and assess money laundering and terrorist financing risks associated with new products, business practices, delivery mechanisms, and technologies. They are also encouraged to leverage technological innovations and tools for effective implementation of name screening to meet sanctions requirements. These amendments are similar to the RBI’s recent amendments to the KYC regime for RBI regulated entities, which we covered in our previous issue.
New Account Aggregator: On June 7th, Unacores AA Solutions became the latest entity to receive their Certificate of Registration to operate as an Account Aggregator. This brings the total count of operational AAs in the ecosystem to 11.
This wraps up the updates which caught our eye in June ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our July edition.