(More) changes to KYC & Outsourcing, New rules for cross border payments and AA, signals from RBI penalties, RBI's take on SROs and more...
03 November 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri, Vinay Kesari, Parth Kantak and Sumedh Niyogi.
Here are the highlights since our last issue!
KYC amendments strengthen customer due diligence and transaction monitoring
On October 17th, the Reserve Bank of India (RBI) amended the Master Directions on KYC with immediate effect. This follows the recent set of amendments made in April, which we previously covered here. The broader context of these amendments is to further align India’s KYC regime with the standards of the Financial Action Task Force (FATF), which is an international body (currently consisting of 39 member countries) working to encourage countries to implement its guidelines on money laundering (ML) and terrorist financing (TF) through national legislation, and conducting reviews to ensure that these national laws meet its benchmarks. The measures prescribed by the FATF are accepted on a global scale, which makes a country’s performance important for its global standing. It is likely that these amendments were made in time for India’s upcoming review. It’s also worth noting that similar amendments were made to the Prevention of Money Laundering Act, 2002 and Rules, 2005 on October 17th by the Ministry of Finance.
Expanding CDD and identifying high risk customers
A running theme across the amendments is the enhancement of Customer Due Diligence (CDD) requirements. This follows the earlier classification of non-face-to-face customers as ‘high risk’ requiring ‘enhanced due diligence’, given the growth of digital customer onboarding across a variety of financial services.
CDD at the time of commencement of an account based relationship now must include: (i) identification of the customer, verification of their identity using reliable and independent sources of identification, and obtaining information on the purpose and intended nature of the business relationship, where applicable, (ii) taking reasonable steps to understand the nature of the customer's business, and its ownership and control, and (iii) determining whether a customer is acting on behalf of a beneficial owner, identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification. This aligns with the FATF’s guidance on CDD and will mean that Regulated Entities (REs) need to be able to clearly map the documents collected for customer identification to these criteria.
In line with this, there are specific amendments requiring that REs need to keep CDD records updated and accurate, particularly when the customer is classified as high risk, and expansion of the ambit of ‘on-going due diligence’ to also include the collection of information on business, risk profile and source of funds/wealth.
REs must now ‘consider filing a Suspicious Transaction Report (STR) if they are unable to complete the CDD process in line with the criteria’. Given that a customer is usually not allowed to transact until the completion of CDD, how this provision needs to be implemented remains to be seen.
Enhanced DD is required for opening accounts for Politically Exposed Persons (PEPs). This is now subject to approval of senior management (previously, approval was required at a ‘senior level’), and enhanced DD is also applicable to accounts opened by family members and close associates of the PEPs.
Given that customers being onboarded after verification via the CKYC Registry are now high risk customers, REs also now have to ensure that if third parties are being used to conduct CDD, the KYC documents are obtained from the third party immediately. This is a change from the previous position where REs had two days to collect these documents, and also signals more scrutiny on record maintenance and accuracy.
Monitoring ML/TF Risk
Another theme is ensuring establishment of governance processes in REs to effectively monitor ML/TF risks. To this end, REs which are part of a corporate group need to establish group-wide policies for monitoring ML and TF risks, though it remains to be seen how non-REs within the group will be affected by this. Banks also need to implement specific due diligence to identify money mule accounts.
While there is a simplified process for low value NBFC accounts, NBFCs now also need to conduct the full-fledged KYC process as they would for a normal account, if there are AML/CFT suspicions.
To ensure accountability in reporting, a Principal Officer for the purpose of ML reporting now must be an employee in a management position.
Terms such as ‘reasonable’, ‘reliable’ and ‘independent’ are still open to interpretation, and risk & onboarding teams will need to take a call on, for example, what is considered a ‘reliable and independent source of identification’. This gives REs some leeway to establish processes which are specific to their business operations. With the RBI considering a framework for SROs (See Quick Takes below), a potential way to solve this could be through sector-specific SROs coming out with uniform standards that flesh out these requirements.
Cross-border payments become a licensed activity
On October 31st, the RBI issued a circular on the Regulation of Payment Aggregators - Cross Border (PA-CB), replacing existing circulars including those on OPGSPs and the draft Online Export Import Facilitators (OEIF) Guidelines. Going forward, entities facilitating cross-border payments for the import and export of goods and services will be treated as Payment Aggregators and come under the purview of RBI regulation. This means that Online Payment Gateway Service Providers (OPGSPs) which facilitate cross-border transactions and settlements will now be Regulated Entities, and need to comply with the requirements for PAs under the Payment Aggregator Guidelines.
Authorised Dealer (AD) Banks do not require separate RBI authorisation to conduct these activities. Non-bank entities providing PA-CB services, however, need to apply to the RBI for authorisation before April 30, 2024 to operate in respect of imports only, exports only, or both imports and exports, and may continue their business until authorisation is received. Currently authorised non-bank Payment Aggregators (whether in-principle approved or operational) need to notify the RBI within 16 days from October 31st if they are conducting or planning to conduct PA-CB activities, and seek authorisation if they wish to continue; any authorised PA must obtain this authorisation before commencing PA-CB business. To sum up, OPGSPs can now either continue their business as an unlicensed entity by tying up with an AD Bank, or seek authorisation to become a licensed PA-CB.
Within 3 months from the date of the circular, and in parallel with obtaining authorisation by the given deadline, entities currently carrying out PA-CB activities need to comply with the PA Guidelines on governance, merchant onboarding, baseline technology requirements, cybersecurity and fraud prevention. Failure to do so could be grounds for refusal of authorisation as a PA-CB.
Importantly, potential non-bank PA-CBs need to register with the Financial Intelligence Unit - India (FIU-IND) as a Reporting Entity before applying for authorisation from the RBI, and PA-CBs will be deemed to be ‘designated payment systems’ under the Payment and Settlement Systems Act, 2007. This interestingly seems to follow the interpretation of the Delhi High Court in the dispute between PayPal and the FIU-IND, which we covered previously here. The Court there accepted the FIU-IND’s submission that an OPGSP like PayPal would be a Payment System Operator, with the rationale that a transaction connected with a payment being processed between two parties falls within the scope of the expression "payment system" under the PMLA, and the technology on which the platform rests enables this transfer.
This is definitely a significant change for the OPGSP and cross-border payment regime, and raises the question of whether the ambit of what is considered a payment system under financial regulation is set to expand further.
AA regulations amended to strengthen reciprocity principle and ease access to pensions data
On October 26th, the RBI mandated that all RBI Regulated Entities (for clarity, this excludes AA ecosystem participants regulated by SEBI, IRDAI, and PFRDA) that are Financial Information Users (FIUs) also need to become Financial Information Providers (FIPs), as long as they hold 'specified financial information' and fall under the definition of an FIP under the Account Aggregator Master Directions. The RBI observed that some entities which are onboarded as FIUs only receive financial information through the AA flow, while not providing financial information themselves. This move could help expand the FIP pool (to entities like deposit taking NBFCs and payments banks, many of which are only FIUs at the moment) and seems to mandate reciprocity in data sharing within the ecosystem. We’ll be tracking how the AA Master Directions are amended following this, the new types of financial information which are added, and any specific references/directions on interoperability among ecosystem participants that may be released. It will also be interesting to see how ‘reciprocity’ is interpreted, and whether it is expanded to ensure data availability from FIPs in real time.
An important aspect of this issue is that only FIUs which already have an FIP schema would need to become FIPs. Simply put, an FIP schema is a standardised format in which FIPs are mandated to deliver financial information to AAs, and onward to FIUs. Different FIPs which maintain databases of accounts and transaction details may use different conventions, nomenclature and formats for storing this information. Without a specification of the format in which data is to be sent, every FIP sends data in its own format, making it difficult and expensive to share and use. However, all financial accounts have a common structure at their core. The AA FIP Schema standardised by ReBIT sets out a specification of the core components of each specific type of financial information, along with the format, fields and validations required. This means that non-deposit taking NBFCs and RIAs, which currently do not have a schema, are not required to become FIPs (at least for now).
Through a second notification, the RBI has also stated that the Central Record Keeping Agency (CRA) will now be the designated FIP for data on NPS subscribers and balances, since it is the holder of that critical information, rather than the pension funds, even though the pension funds are the REs. This development indirectly provides guidance on the right approach for mutual funds and shares as well, where RTAs and depositories, rather than the AMCs and other relevant REs, are the source of truth on key customer information relating to holdings of mutual fund units and shares.
RBI levies penalties on multiple banks
The RBI penalised three big banking companies through October, namely ICICI Bank, Kotak Mahindra Bank, and Paytm Payments Bank.
Paytm Payments Bank: A monetary fine of ₹5.39 crore was imposed for failure to identify the Beneficial Owners of companies onboarded for payout services, failure to adequately monitor payout transactions and risk-profile the entities availing payout services, delayed reporting of a cyber security incident, failure to implement device-binding control measures related to the ‘SMS delivery receipt check’, and failure to prevent connections from IP addresses outside India to its V-CIP infrastructure.
ICICI Bank: ICICI was fined ₹12.19 crore for sanctioning loans to companies in which two of ICICI's own directors were also directors, failing to report frauds within prescribed timelines, and engaging in the marketing and sale of non-financial products.
Kotak Mahindra Bank: A monetary fine of ₹3.95 crore was imposed for failing to conduct due diligence on a service provider, charging interest rates in a manner contrary to the terms of sanction, levying foreclosure charges in a manner contrary to the loan agreement, and contacting customers before 7 AM and after 7 PM.
Based on these and previous enforcement actions from the RBI (see our previous coverage here, here, and here), read with the RBI’s stated regulatory priorities in its 2022-23 Annual Report (which we covered here) and the amendments to the KYC Master Directions mentioned above, REs will likely need to double down on compliance with KYC and AML norms, ongoing risk and fraud monitoring with timely reporting, due diligence for outsourced service providers, record maintenance, consumer protection, cybersecurity and overall compliance culture. These enforcement trends could also lead to stricter monitoring of third party service providers and fintechs offering services in partnership with REs.
Quick Takes
Omnibus framework for SROs to be formulated: In its Statement on Regulatory and Developmental Policies dated October 6th, the RBI announced that it will issue an ‘omnibus framework’ for the recognition of self-regulatory organisations (SROs) for different Regulated Entities. SROs are non-governmental organisations which set and enforce standards and rules for member entities in a particular industry sector, addressing broader concerns such as customer protection, and training and education of members, the industry and the ecosystem as a whole. The RBI aims for the framework to lay out the broad objectives, eligibility criteria, functions and governance standards which would be common for all SROs across sectors. It may also prescribe sector-specific additional conditions while calling for applications for recognising such SROs. As on date, the RBI has laid down frameworks for the establishment of SROs for two sectors – NBFC-Micro Finance Institutions (NBFC-MFIs) and Payment System Operators (PSOs). In recent months, the need to establish SROs has again gained prominence, particularly in emerging areas such as fintech and digital lending. In a speech delivered in March 2023, RBI Deputy Governor Mr. M. Rajeshwar Rao highlighted the complementary role that SROs can play alongside the formal regulator. In other speeches, RBI Deputy Governor Mr. M.K. Jain (March 2023) and RBI Governor Mr. Shaktikanta Das (September 2023) emphasised the importance of establishing SROs in the fintech sector to uphold market integrity, conduct, data privacy, cybersecurity, and risk management.
RBI notifies Draft Directions on Outsourcing of Financial Services: On October 26th, the RBI released the draft Master Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services, which is open for public consultation until 28th November. Similar to the Master Directions on Outsourcing of IT Services (which we covered here), these Directions will apply to all RBI Regulated Entities which outsource financial services, such as application processing, claims administration, and document processing. The requirements for outsourcing are largely similar to those under the directions for IT outsourcing, such as ensuring that material functions are not outsourced, strict oversight of outsourced service providers via contracts and inspections, and final accountability resting with the RE in respect of the services outsourced. The draft Directions also mention that there will be regular audits conducted by the relevant supervisory authority for the RE in question to ensure compliance with the Directions. Importantly, the supervisory authority will specifically be checking that fundamental decision making has not been outsourced by the RE, which will require REs to maintain a clear audit trail for outsourced activities that demonstrates the RE's ownership of the function.
NPCI releases guidelines on Hello! UPI: On October 27th, the NPCI released guidelines for the operation of ‘Hello! UPI’, a new feature for voice-assisted navigation on UPI, covering user onboarding, payments, balance enquiry, complaints, fraudulent transaction alerts, smart prompts for improving UX, etc. This will be made accessible to users in-app, through a call, or on IoT based devices. The guidelines detail the modalities of enabling this feature, including the requirement to follow NPCI branding guidelines, and ensuring that specific and relevant consent of the user is taken (with the option to enable and disable the feature). Participants can use either self-developed AI language models to enable this, or the NPCI’s models, making sure to enable new languages within 3 months from NPCI enablement. All other responsibilities of the banks, PSPs, and TPAPs will remain the same.
Framework for compensation to customers of Credit Information Companies: In a significant development for Credit Institutions (CIs) and Credit Information Companies (CICs), the RBI has introduced a compensation framework for customers in case of a failure/delay in updating their credit information within 30 days of receipt of a customer complaint. The compensation will be set at INR 100 per calendar day after the initial 30 day period for resolution of the complaint. This follows the penalty levied by the RBI on all 4 CICs earlier in July for failure to rectify credit information within the 30 day period and for failure to maintain accurate records (see our previous coverage on this here). This is accompanied by a notification on strengthening customer service rendered by CIs and CICs. Read along with the obligation on Data Fiduciaries to ensure accuracy and completeness of personal information under the new Digital Personal Data Protection Act, 2023 (see our last issue), ensuring data integrity may be a regulatory area of focus.
SEBI cracks down on finfluencer Mohammad Nasiruddin Ansari: In an interim order cum show cause notice on 25th October, SEBI barred the finfluencer Mohammad Ansari, who operated under the name ‘Baap of Chart’, from accessing securities markets until further notice, having observed that he was offering illegal investment advisory services through his social media platform without registration (while assuring viewers of certainty in outcomes), under the garb of educational content. He has also been directed to deposit INR 17.2 crore in an escrow account to disgorge illegal gains. This order signals the heightened scrutiny on finfluencers, with SEBI having released a consultation paper (covered in our last issue) on regulating them.
RBI announces 5th cohort of regulatory sandbox: The RBI has announced the opening of applications for its regulatory sandbox, which is an initiative allowing eligible entities to propose innovative products/services in the domain of financial services which are currently in a regulatory grey area. These can be tested in a controlled regulatory environment, where the regulator and these entities can together assess the benefits and risks of the new technology, and its impact on public interest and consumers, subject to safeguards. Importantly, unlike previous cohorts of the sandbox, there is no specific theme and applications are invited for products and services cutting across all areas of financial services.
NPCI urges companies offering the Aadhaar-enabled Payment System (AePS) to bring in additional security measures: To counter rising fraud attacks on networks hosting AePS, the NPCI has reportedly issued a notification to banks introducing mandatory security norms for AePS transactions (while the NPCI’s website references this notification, its contents appear to have been disclosed only to the banks themselves). Banks are required to terminate AePS services by the end of next month for accounts where there have been no AePS debits in the last 12 months. Banks are also reportedly expected to obtain explicit consent from customers for offering this service, and to provide the option to either enable or disable AePS as a mode of debit across platforms.
MeitY urges KYC for digital finance apps: According to media reports, MeitY has asked the RBI to design a detailed KYC process called KYDFA (Know Your Digital Finance App) for entities looking to enter the digital finance and banking ecosystem. The aim of KYDFA is reportedly to ensure that only legitimate financial apps which abide by the law make use of the Indian banking system, curbing the proliferation of illegal loan apps and other such entities which could harm consumers.
Scale based NBFC Regulations: In order to better consolidate the regulatory landscape for NBFCs, the RBI has released the Master Directions - Reserve Bank of India (Non-Banking Financial Company– Scale Based Regulation) Directions, 2023, which classify NBFCs into four layers based on size, perceived risk, and activity. Certain specific types of NBFCs need to continue to comply with the directions applicable to their activity, as specified.
New in-principle approved PA: Following its initial rejection and re-application for a PA licence in 2022, Mobikwik’s Zaakpay has received an in-principle approval from the RBI.
This wraps up the updates which caught our eye in October ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our November edition.