MeitY releases new draft DPDPB, BHIM goes Open Source, SEBI regulates Online Bond Platform Providers and more...
1st December, 2022
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari.
This issue, we dive into what the new draft Digital Personal Data Protection Bill means for finserv, NPCI’s plan for an open-sourced version of the BHIM App, SEBI’s regulation of Online Bond Platform Providers, and more!
MeitY releases draft Digital Personal Data Protection Bill
In its 4th iteration in 5 years, MeitY released the draft Digital Personal Data Protection Bill (DPDPB) on the 18th of November. However, readers should note that the Bill has only been released for public consultation, post which it is likely to be presented before Parliament during the Winter Session (December 2022) or the Budget Session (February 2023). A lot can happen before then, and we will be continually monitoring the progress of the Bill to see if any changes are made. While it continues to be uncertain if the DPDPB will be enacted in its current form, we break down some of the major points, changes from previous drafts, what this means for fintechs, and some issues we hope will be addressed.
Categories of data: A major change from previous drafts is the removal of the distinction between ‘personal data’ and ‘sensitive personal data’. The current Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, contain this distinction, which companies collecting and processing personal data have followed for a decade now. Of particular relevance for fintechs is the fact that ‘financial information’ was classified as ‘sensitive personal information’, which involved heightened scrutiny and the right for Data Principals to exercise certain specific rights over this information. With the classification now removed, Data Principals will be able to exercise all rights provided for with respect to all their personal data collected, and not just sensitive personal data. From an industry perspective, this could mean a higher compliance burden, implementing changes to privacy policies, and org-level information security measures. The RBI also uses this distinction in various regulations, including the Master Directions on Digital Payment Security Controls and the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, which could cause confusion unless these RBI regulations are also harmonised.
Significant Data Fiduciaries: ‘Significant Data Fiduciaries’ are a class of Data Fiduciaries which will be notified subsequently, and which will be subject to increased compliance requirements, including the requirement to conduct periodic audits and Data Protection Impact Assessments. While the exact criteria are not yet certain, one of the grounds for such a classification is the ‘volume and sensitivity of personal data processed’. More clarity on this would be essential, given that fintechs in partnership with Regulated Entities such as banks and NBFCs process high volumes of financial information which is currently classified as ‘sensitive personal information’. Would this make fintechs automatically more likely to be classified as a ‘Significant Data Fiduciary’? We need to wait and see.
No NPD: The new draft does not cover Non-Personal Data (NPD), which comes as a welcome relief to most entities dealing in aggregated or anonymised data for a host of different purposes, from providing services to analytics.
Applicability outside India: The provisions of the DPDPB will apply to all Data Fiduciaries, even where the processing of personal data takes place outside India, if (i) the processing is done in connection with goods and services offered to Data Principals (individuals from whom personal data is collected), or (ii) it is done in connection with the profiling or monitoring of Data Principals located in India. This will likely have implications for several fintechs and banks incorporated outside India but offering services in the Indian market, which could include partnerships with Indian fintechs.
Interaction with RBI guidelines: Perhaps the biggest question we’ve seen among fintechs is which regulations trump which, given that some regulations from the RBI, such as the Digital Lending Guidelines, the Outsourcing Guidelines and the circulars on storage of payment and card related data, deal with the treatment of personal data. The general rule of interpretation is that laws dealing with specific subjects will continue to govern those subjects, with the DPDPB being a baseline for the general treatment of personal data. This could mean that fintechs impacted by specific guidelines of the RBI can continue to follow those guidelines for specific types of data (e.g. payments data), and follow the DPDPB as a general rule in other areas. Specific clarity on this would be a key industry ask.
Compliance window: A key change from previous iterations of the Bill is the lack of a compliance window (which allows companies time to become compliant with the new law), which means that the law would be effective immediately on the date of notification. While the Bill says that provisions may be notified separately, this could still mean uncertainty for industry. Data protection laws in Europe and US states like California have also provided for a compliance window, and this would be good to include in India too to give entities the time to put measures in place.
Consent manager: This draft retains the concept of ‘Consent Managers’, which are Data Fiduciaries that enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. India has been at the forefront of innovation when it comes to navigating the tension between individual rights over personal information and corporate access to this information for productive purposes. The RBI Account Aggregator (AA) framework from 2016 created a specific implementation of such a ‘Consent Manager’ in the context of financial information. Given the growth of the AA Framework, this is of particular relevance to fintechs, since Account Aggregators (AAs) would squarely fall within this definition. There are some complex questions to address, however. For example, should Consent Managers be classified as ‘Data Fiduciaries’, given that they may not have access to the underlying encrypted financial information, and do not decide the purpose or means of processing? In the case of AAs, they simply log consent and transfer encrypted information based on this consent. What is welcome is that the Bill creates a basis for intermediaries similar to AAs to exist in other sectors as well.
New to the Account Aggregator conversation? Here’s a handy explainer on the ecosystem from our team!
Cross border data transfers: A big relief for fintechs is the relaxation of the requirement under earlier iterations of the Bill of data localisation (i.e. mandatory storage of data in India) for certain notified categories of data and ‘critical personal data’. The new draft proposes that transfers to certain ‘trusted jurisdictions’ may be allowed upon notification - it remains to be seen what these criteria will be. However, specific types of data such as payment data are likely to still be subject to data localisation requirements provided for under RBI guidelines.
Data breaches and grievance redressal: Directions released by CERT-In in April 2022 provided for a 6-hour window to report data breaches to CERT-In, specifying which categories need reporting. We would hope that the new Bill is harmonised with the CERT-In Directions, instead of the current language, which states that rules in relation to reporting data breaches will be notified subsequently. Additionally, the timeline for grievance redressal is now 7 (seven) days, which could be onerous, especially for fintechs which function in partnership with Regulated Entities and banks. A timeline of 30 days would be more practical and aligned with other regulations such as the existing Intermediary Rules, 2021.
Exemptions: The new draft retains broad exemptions granted to government agencies for any purposes in the public interest. Data Fiduciaries in the fintech ecosystem, particularly those in the B2C space, would need to walk a fine line between safeguarding customer interests and complying with information requests from law enforcement and other government entities.
News coverage we liked on this topic: A summary of the new Bill, on Medianama.
BHIM goes Open Source
On the 9th of November, the NPCI announced the release of the ‘BHIM App Open Source licensing model’, under which the code of the BHIM App will be licensed to Regulated Entities participating in the UPI ecosystem, which do not have a UPI application of their own. The NPCI’s objective is to boost financial inclusion by making UPI features available to these entities. This will enable them to offer these features to customers in a much more economical manner, reducing the time to go-to-market and the cost of research and development.
This is a welcome initiative that is in keeping with the spirit of UPI, which aims to foster innovation by reducing barriers to entry through an interoperable public platform. It could be particularly useful for smaller banks and startups, which may lack the resources or in-house tech expertise to develop their own UPI consumer app from scratch.
While the industry awaits further information from the NPCI on this initiative including the exact licensing terms, we break down how open source licenses work, where the opportunities/risks lie for banks and fintechs, and what we believe needs attention as this initiative is operationalised.
What are open source licenses (“OSL”)? Simply put, an OSL is a license which allows software to be freely used, modified, and shared subject to certain conditions. While a common misconception is that an OSL allows usage of code and modifications free of cost and without any restrictions, OSLs can actually take different shapes and include a variety of legal terms and restrictions, including commercial terms. It’s important for Regulated Entities and fintechs using this license to make sure that they’re compliant with the license and to assess risks accordingly.
While there are many variations of OSLs, they broadly fall into two types - Copyleft and permissive licenses. Copyleft licenses are the stricter of the two, and generally require that any work derived from the software be released under the same software license as the original. What this means is that the modified code (here, the code written by the Regulated Entity/fintech on top of NPCI’s code), needs to be as ‘open’ as the original - and available to all the recipients of the original code. This would ultimately lead to none of the code being proprietary to any one entity. The intention behind this is to ensure that improvements are shared among the community. In the highly competitive environment that is fintech in India (which is surely likely to become more competitive with this initiative), this may not be the most appealing method for various Regulated Entities and fintechs which may want to build on the NPCI’s code with their own secret sauce, and commercialise this.
For this environment, a permissive license may be more suitable. Permissive licenses typically only require a copy of the license text to be included along with the original copyright notice in any redistribution of the original code, with no other restrictions. This would mean that a bank or fintech can take NPCI’s code, modify it to create a new app, and then keep the code of that app proprietary and commercialise it. While there are many nuanced variations even within these two licenses, it will be crucial to understand what licensing approach NPCI hopes to use, and why. Since open source licenses don’t always need to be free, we should also wait to see if the NPCI sees this as an opportunity for monetisation.
News coverage we liked on this topic: A good overview of this initiative and other collaborative initiatives launched by the NPCI, on Inc42.
RBI launches retail CBDC Pilot
As detailed in our previous issue, the RBI had launched a pilot for CBDCs in the wholesale segment, with 9 banks chosen to participate. The RBI has now launched a pilot for retail CBDCs as well, with 5 banks shortlisted for the pilot so far. To recap, retail CBDCs will entail account and fund verification, like current digital transactions. How this will be integrated within the existing payment infrastructure, the role of private players and app providers, and who’s allowed to participate, are aspects that will determine the competitiveness and efficiency of the ecosystem. CBDCs will be made interoperable with current digital payments, and current QR codes and UPI platforms will also be made interoperable with the retail CBDC. Reports also suggest that the RBI has engaged enterprise blockchain firms to build out the architecture for the retail CBDC. We’ll be monitoring how the pilot efforts shape up, and in particular, what opportunities shape up for Token Service Providers (possibly fintechs) to distribute, manage and provide value added services around CBDCs.
News coverage we liked on this topic: Insights on the road ahead for CBDCs, in The Morning Context [Paywall].
SEBI regulates Online Bond Platform Providers (OBPPs)
On 14th November, SEBI came out with its circular regulating OBPPs. OBPPs are tech platforms, mostly fintechs, which are not recognised stock exchanges. OBPPs allow non-institutional investors (i.e., individuals) to participate in debt securities. While previously not within SEBI’s regulatory purview, OBPPs will now be required to implement several compliance measures in a bid to increase transparency, protect investors through checks and balances, mitigate payment and settlement risks and put in place mechanisms for grievance redressal.
OBPPs now need to be entities incorporated in India and obtain registration as a stock broker. They are also only permitted to deal in listed debt securities or debt securities proposed to be listed. The rules detail multiple compliance requirements, including in relation to the appointment of personnel, technology and operating frameworks, obligations to conduct KYC and risk profiling for potential issuers and investors, and minimum disclosure requirements. The circular also requires OBPPs to issue order receipts, deal sheets and quote receipts post execution of the order. Investor protection seems to be of paramount importance, with detailed information which OBPPs need to incorporate into advertisements including a ban on the usage of celebrities in these advertisements. Does this signal the stance which SEBI will take on financial influencers? (see Quick Takes below).
Long story short, fintechs functioning as OBPPs are now faced with an overhaul - given that the circular came into effect on the day of introduction, these entities now need to put in place all the compliance measures and then obtain registration as a stock broker. This could mean a pause in operations, increased scrutiny from SEBI, and crackdowns in the event of non-compliance.
News coverage we liked on this topic: An explainer on the circular, in The Hindu.
Stories from D91: D91 Labs has put out this great explainer on the UPI Lite model, its use cases and design suggestions for payment apps offering UPI Lite. Do also check out this infographic on sources of credit for Indian households!
GSTN and more added to the Account Aggregator Framework: Following SEBI’s approval of Asset Management Companies and Depositories to be FIPs on the Account Aggregator ecosystem, the IRDAI has notified that insurers can also be FIPs. This allows them to share financial information with FIUs, with the explicit consent of customers. The IRDAI’s circular discusses the contractual requirements and technical safeguards required. This bodes well for the AA framework as a whole, and opens up opportunities for fintechs who are Account Aggregators, Technical Service Providers to Account Aggregators and, most importantly, users, who can now also share their insurance information with ease. The RBI has also officially notified the Goods and Services Tax Network as an FIP to facilitate cash flow based lending to MSMEs, with the Financial Information being forms GSTR-1 (Statements of Outward Supplies) and GSTR-3B (simplified summary return of GST liabilities). This is likely to significantly smoothen the process of accessing credit facilities for small businesses.
SEBI to regulate ‘financial influencers’: A SEBI official announced on 17th November that the regulator is soon to come out with guidelines to regulate financial influencers, who are celebrities, financial advisors or any personality offering the general public financial advisory tips, such as investment advice and stock tips. This has largely been hailed as a much needed level of oversight to prevent inexperienced members of the public from being manipulated and to curb illegal profit-making.
SEBI re-looks at Ratings Scales used by Credit Ratings Agencies: Last issue, we discussed SEBI’s order for Brickworks Ratings to shut shop. Following this, the SEBI is seemingly looking to increase oversight, by issuing standard descriptors to be used when an issuer/security is placed on a ‘ratings watch’ (CRA’s view on the expected direction of the rating movement in the short term) and ‘ratings outlook’ (CRA’s view on the expected direction of the rating movement in the medium term).
Overhaul of insurance regulatory framework: The Ministry of Finance has released a draft of proposed wide-ranging amendments to the Insurance Act, 1938 and associated laws. They propose new classes of insurers, new types of insurance intermediaries, and much more. The drafts are open for public comment until 15 December 2022.
This wraps up the updates which caught our eye in November ‘22! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our December edition.