MoneyRules Returns! 9th November 2021

RBI's views on bank-fintech partnerships, new scale-based regulatory framework for NBFCs, SEBI closing the digital gold window for RIAs, and more...

Hello everyone, and welcome back to MoneyRules. We’ve been away for a bit, but the regulatory tide has waited for no one: there is much to stay on top of, and even more tea leaves to read! We are now switching to a monthly cadence, and will cover regulatory developments and news from the previous four weeks (we’ve admittedly taken some liberties with this time frame given that this is a comeback edition).

For those of you who are new here, MoneyRules is a newsletter from Setu written by Atulaa Krishnamurthy and Vinay Kesari. We aim to alert you to regulatory updates relevant to fintech in India, and to break down the implications of these changes. Let’s dive right in!

In this edition, we share our take on the RBI’s recent statements on digital banking, and cover, naturally, the outcomes of the recurring payments mandate, NBFC scale-based regulation, and SEBI’s guidelines to RIAs barring them from dealing in ‘non-regulated’ businesses. 

RBI emphasizes need for responsible innovation in light of fintech partnerships of banks and NBFCs

The TL;DR: Through recent public statements, and in a possible lead up to third party banking regulation, the RBI (i) stresses on the need for customer centricity to be built into fintech innovation, and (ii) specifies the need for certain functions to remain solely with licensed financial institutions.

The longer story:

In a previous edition, we covered the RBI’s focus on digital lending apps and the establishment of a working group to study their operation. One concern of the RBI continues to be around ensuring that digital lending apps, which make loans in partnership with licensed NBFCs, do not adopt predatory lending and collection practices. Deputy Governor M Rajeshwara Rao, speaking at the CII NBFC Summit last month, highlighted that NBFCs are innovative and agile in developing financial products, but also that they must do so responsibly, without cutting corners on regulatory, prudential and disclosure requirements.

The speech also emphasizes the need for accountability by regulated entities - while third party apps may play a role in onboarding customers, the ultimate responsibility to ensure that there are no “harsh recovery practices, breach of data privacy, ... fraudulent transactions, cybercrime, excessive interest rates and harassment” rests with the licensed entity. Another concern it highlights, and one for fintechs partnering with banks to note, is the need for customers to have standardized experiences regardless of the delivery channel through which they avail financial products. 

Deputy Governor T Rabi Sankar, speaking at the Global Fintech Festival, said that there were limits to the role fintechs could play in service delivery — only banks can perform core fund intermediation as holders of deposits, and all central functions in credit and payments. The speech also identifies a current ‘legislative and regulatory deficit’ in dealing with data, and the need to slow down innovation until regulation can catch up with it.

While fintech players think hard and deeply about expanding embedded finance use cases, it is also useful to bear in mind the RBI’s core concerns about these partnerships, and build in checks around fraud, data security, and customer protection, while also ensuring that key bank/NBFC responsibilities remain with these licensed entities. These comments also highlight the need for clarity when it comes to roles and responsibilities in fintech partnerships.

SEBI-registered investment advisers not to deal in digital gold (and potentially crypto) 

The TL;DR:

SEBI has instructed all registered investment advisors to cease advising on, distributing and executing orders for ‘unregulated products’, specifically calling out digital gold as an example.

The longer story:

The basis for the restriction is that neither digital gold nor other unregulated products such as virtual currencies fall under the Securities Contract (Regulation) Act’s definition of a ‘security’. While reports suggest that the Indian government may move to regulate cryptocurrencies as an asset in the vicinity of the 2022 budget, their current status remains unregulated, with no indication of which financial sector regulator will have responsibility for them. 

Apps registered as RIAs likely anticipated movement on this front given the National Stock Exchange’s circular to its members earlier this year. The exchange stated that it had received a letter from SEBI, noting that some of the NSE’s members, including stockbrokers, sold digital gold on their platforms, which was against the provisions of the Securities Contracts (Regulation) Rules, 1957 (briefly, this states that members of exchanges cannot carry out any business other than in securities and commodities). The NSE subsequently directed all its members to cease dealing in digital gold by September 10.

While the path forward for SEBI-registered entities is clear, it’s not the end of the road for digital gold. There is no bar on non-SEBI regulated platforms from offering these products to their customers, which will only deepen these entities’ partnerships with refineries such as MMTC-PAMP and Augmont.

RBI introduces framework for scale based regulation of NBFCs

The TL;DR: Demonstrating its intent to move from activity-based regulation to proportionate activity and size-based regulation, the RBI released a new framework to regulate Non-banking Banking Finance Companies by scale, effective from October 1, 2022. 

The longer story:

As promised in its December 2020 Statement on Developmental and Regulatory Policies, and its February 2021 discussion paper on the same subject, the RBI released a framework for a scale-based approach to regulate NBFCs.

A quick TL;DR on the position today: NBFCs are more lightly regulated than banks on the assumption that they operate on a smaller scale and are less likely to create systemic risks. The IL&FS crisis however proved this thesis wrong. RBI Deputy Governor Dr Rajeswara Rao (in a speech that we’ll be discussing later in this newsletter) recently pointed out that several NBFCs are now the size of the largest urban cooperative banks and regional rural banks, and some new-age private sector banks as well.

On one hand, this is a post-IL&FS world where NBFCs are growing faster than banks. On the other, NBFCs will require lighter touch regulatory prescriptions, to give them greater operational flexibility, and the ability to financially intermediate underserved populations. To balance both these concerns, the RBI believes a new dynamic approach is required. Here’s what the move to a scale-based approach to regulating NBFCs would look like:

• Introduction of four tiered ‘layers’ based on size, nature of business and risk (base, middle, upper and top) with different degrees of regulatory oversight on each layer;

• Certain NBFCs, such as Account Aggregators, P2P, non-operative financial holding companies and NBFCs without customer funds or interface, will always fall in the Base Layer;

• The Middle Layer will consist of all deposit-taking NBFCs, non-deposit taking NBFCs with a loan book of over ₹1000 crore, and NBFC-IFCs, CICs and HFCs.

• Upper Layer NBFCs will be identified through a score calculated keeping in mind parameters like size, systemic impact, complexity of product, etc.

• The Top Layer will remain empty, unless the RBI is of the view that an Upper Layer NBFC requires enhanced oversight and moves it to the Top Layer.

The broad regulatory changes in the new framework include standardizing NPA classification to all assets which are 90 days past due, and limiting all NBFC exposure to IPO financing to under ₹1 crore per borrower. 

The new scale-based framework is likely to have the most impact on the ‘top 50 NBFCs’ based on on and off-balance sheet exposures, who will be assessed annually to determine their place in the Upper Layer.

RBI mandate on recurring card payments comes into effect

The TL;DR: Customers experience declined standing instructions on card payments over the past month, but you knew that already.

The longer story: 

If you spent any time on social media in the last few weeks, you are certain to have encountered repeated stories of disrupted subscriptions and failed payments on much-needed digital services. Or maybe you faced this yourself! What did the RBI want banks and card companies to do to avoid this?

Back in August 2019, to increase security around card-not-present transactions, the RBI issued guidelines on processing recurring payments set up on cards (and later, via UPI) (“Guidelines”). In short, the Guidelines require banks, prepaid instrument issuers and card issuers to (a) carry out additional factor authentication while registering each new e-mandate, (ii) send a pre-transaction notification to a customer prior to adding any charge or debit to their card, and (b) carry out an additional factor of authentication (AFA), such as an OTP, each time a recurring payment instruction of over ₹5000/- is scheduled. These notifications also need to enable customers to opt-out of an upcoming payment.

As we highlighted in a previous edition, the Guidelines themselves are two years old, the RBI announced in December 2020 that non-compliant recurring transactions would have to cease from April 1, 2021, and provided a further 6 month extension to this until October 2021. Banks appear to have paused auto-debits (at least to some merchants) and require customers to manually enter their card details to process subscription payments this month. While banks and card networks are working overtime to implement the Guidelines in time for next month’s payment cycles to save their customers further heartburn, merchants could also consider alternatives such as sending their customers collection requests via payment apps, BBPS or UPI.

Despite entreaties from various stakeholders, the RBI has held firm on the revised deadline, showing once again (similar to its earlier mandate on localisation of payments data) that it is not averse to causing some discomfort and disruption while doing what it believes is in the best interests of customer protection. 

Relaxation in current account opening guidelines 

The TL;DR: Entities with total debt exposure of under ₹5 crore can now have current accounts opened and CC/OD accounts provisioned by any bank.

The longer story:

Back in August 2020, the RBI issued a notification which broadly set out that any entity availing credit facilities through a CC/OD account could not open a separate current account, and would have to route all transactions through the existing CC/OD account. It also set out different specifications for entities that had debt exposure of differing levels, but not through CC/OD facilities. This notification set out that even entities with loans of less than ₹5 crore could only have current accounts opened with their lending banks. 

Based on representations from the Indian Banks Association, these restrictions stand slightly relaxed. Key provisions in a recent RBI circular will require banks to apply the below rules before opening a current account or provisioning a CC/OD account for an entity:

1. If a customer already has a cash credit/overdraft account with a bank, 

   1. And such facility is less than ₹5 crore, any bank can open a current account or provision a CC/OD.

   2. And such facility is ₹5 crore or more, then the bank with which it holds a CC/OD, and 10% (or highest) of its total exposure to the banking system, can open a current account.

2. If a customer does not have a cash credit/overdraft account already, a bank's ability to open a current account depends on the total credit facilities availed by the customers:

   1. If more than ₹50 crore, the customer will require an escrow mechanism. Only the escrow managing bank can open a current account. Other lenders can open collection accounts (where credits are freely allowed, but debits are only allowed to escrow account above). Non-lenders cannot open any type of current account.

   2. If between ₹5 to 50 crore, any lender can open a current account, but non-lenders can only open a collection account (which debits only to the aforementioned current account).

   3. If less than INR 5 crore, any bank can open a current account.

This change means more flexibility for smaller entities in accessing current account services, but also that banks need to continuously monitor aggregate borrowings of customers, based on self-reporting or otherwise. This will need diligence at the current account opening stage as well as on an ongoing basis, in case the customer crosses any of the above credit limits.

News: 

Here are a few news pieces and developments that caught our eye this past month:

1. Mauritius is now off the Financial Action Task Force (FATF) grey-list! This is good news for venture-funded fintech startups angling for RBI licenses, as the RBI had placed caps on investments in applicants from FATF non-compliant jurisdictions.

2. Speaking of the FATF, it released a Guidance on regulating virtual assets and their service providers. The Guidelines suggest that any developer, owner or operator exercising significant control over a DeFi protocol be asked to comply with KYC, AML, licensing and transaction reporting requirements. Crucially, it specifies that the sector cannot be left to self-regulate, and requires some level of regulator review. We can potentially expect FATF members (including India, which reportedly is due to release a law regulating virtual currencies in early 2022) to take a leaf out of the Guidance in forthcoming crypto regulation.

3. The Account Aggregator framework, first introduced in the RBI’s NBFC-AA Master Directions in September 2016, went live in August this year, driving a consent-first mode of sharing financial data between regulated financial institutions. Eight banks, including SBI, Axis, ICICI, and HDFC, are already live on AA rails. Read our colleagues Sahil and Neeti talk about how this new category of consent manager could improve access to credit in India.

4. The Ken writes about API infrastructure providers powering new embedded financial service delivery. You might spot a familiar name in there!

5. Our friends at D91 Labs have new pieces up in collaboration with operators in financial services startups around widening financial inclusion nets, how MSMEs can benefit from AA, and what to consider while building for the next billion.

6. In a giant leap for fintech-kind, the BharatPe-Centrum consortium recently received its SFB operating license, and will soon be all set to take over Punjab and Maharashtra Cooperative Bank’s loan book.

7. The Fintech Nerd Collective answers a question top of mind for banks and fintechs across geographies: how can traditional banks compete with fintechs, and what is their moat?

These are all our updates, folks! Both of us (Atulaa and Vinay) are on twitter, so feel free to DM us with feedback and topics to include next month. If you liked this, please share it with people interested in Indian fintech regulation.