RBI expands UPI and BBPS, new gaming regulations could impact fintechs, warning signs for crypto in RBI's Financial Stability Report and more...

06th January 2023

Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari. 

From all of us at Setu, we wish you a happy new year! We hope you had a restful holiday with loved ones. We’re back from our org-wide break (which is incidentally why we are slightly late on this issue), and ready to jump into recapping the developments from December 2022. We’re excited for what 2023 holds for the world of fintech! 

RBI expands UPI and BBPS 

On December 7th, the RBI in its regular Statement on Developmental and Regulatory Policies made some announcements which have created a buzz within the fintech industry, including on expansion of the scope of the Unified Payments Interface (UPI) and the Bharat Bill Pay System (BBPS). 

A big upcoming change under UPI will be the introduction of a single-block-multiple-debit functionality. Since 2018, a single-block-single-debit functionality has been enabled on UPI, which allows for autopay transactions and processing of Initial Public Offering (IPO) applications. How does this work? This essentially means that a user can pre-authorise a UPI payment, by ear-marking a certain amount of money towards a specified purpose. This has been most commonly used for blocking of funds for making IPO applications, with more than half of such applications being processed through this mode currently. The limitation of single-block-single-debit is that a user could only block one debit transaction in their accounts. So, if a user wants to block funds for an IPO subscription, they could only block that specific amount for the specific purpose as a one time debit. 

With single-block-multi-debit, payments and especially recurring payments, will become a whole lot easier. This will essentially amount to the ability for users to block a certain larger amount of funds towards multiple transactions, for example on a frequently used e-commerce website, where the merchant has an assurance that the bank account has sufficient funds. Then, in a similar method to autopay, this block can be auto-debited through the user’s UPI app until it is exhausted. This is likely to change the landscape of recurring payments (particularly those currently dependent on credit card blocks), for example, in the hospitality and subscription service industry, and uncover a whole new set of use cases for UPI. From the perspective of investments in securities, this could also effectively remove the need for the broker as a middle man which increases the security in relation to holding of investor funds until securities are allotted. The opportunity, of course, lies for fintechs building on the UPI APIs, in terms of the fastest, most successful, and secure way to autopay and multi-debit.

Incidentally, this comes on the heels of the NPCI’s deadline extension for the implementation of a 30% market share cap on any single payments application - perhaps to allow for the expansion of UPI to result in a more organic change in market dynamics. 

In the same statement, the RBI also speaks of expanding the ambit of the BBPS ecosystem. To recap, the BBPS ecosystem which was launched in 2013 is an interoperable platform run by the NPCI which was originally created to facilitate recurring utility payments such as electricity and piped gas. Over the years, NPCI has expanded BBPS to also include other recurring payments such as loan EMIs and educational fees. In a significant move, NPCI has now expanded BBPS to include non-recurring payments or collection requirements across practically all categories. While the RBI has said that separate guidelines will follow, which presumably will throw more light on the precise scope of the expansion, this move marks the transformation of BBPS into a general-purpose bill payments platform. This can unlock multitudes of new use cases across consumer and business payments. 

News coverage we liked on this topic: Coverage of this move in Outlook, which includes inputs from several players in the fintech industry. Here’s another interesting piece in The Morning Context [paywalled] on the tussle between banks and fintechs with respect to the costs associated with the UPI infrastructure. 

Clarifications on the Draft Digital Personal Data Protection Bill 

In our last issue, we covered what the new draft Digital Personal Data Protection Bill (the Bill) means for finserv, and broke down some key changes, and some provisions where we hoped to see clarity. Later in December, Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology held an open house discussion for stakeholders regarding the Bill. One clarification we are particularly interested in is the one about ‘Consent Managers’. To recap, ‘Consent Managers’ are defined as ‘Data Fiduciaries’ (entities which decide the purpose and means of processing personal data) by providing a technology based platform where a user can give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. The RBI Account Aggregator (AA) framework from 2016 can be considered a specific implementation of such a  ‘Consent Manager’ in the context of financial information. Given the growth of the AA Framework, this is of particular relevance to fintechs, since Account Aggregators (AAs) would squarely fall within this definition.

One of the key questions we hoped would be addressed is the issue of whether Consent Managers should be classified as ‘Data Fiduciaries’ at all - given that they may not have access to the underlying encrypted financial information, and do not decide the purpose or means of processing. In the case of AAs, they simply log consent, and transfer encrypted information based on this consent. In the open house, Mr. Chandrashekhar clarified that Consent Managers ‘will be independent of ‘data fiduciaries’ and will work to protect the interest of users whose data is collected, especially those who are at the bottom of the pyramid.’

A key industry ask would be further clarity, since this does not address the issue of whether Consent Managers will now be excluded from the definition of a ‘Data Fiduciary’ and hence from the heightened obligations of a Data Fiduciary, although it is encouraging to see the conceptual separation which seems to have been created. It would also be important to know what obligations or requirements will be placed on Consent Managers in furtherance of achieving the objective of ‘protecting the interest of users’, and how this will interact with sectoral regulations already governing AAs. 

News coverage we liked on this topic: Coverage on the open house discussion in The Hindu Business Line, which details the other clarifications made.

New regulations for online gaming intermediaries could impact fintechs 

On 23rd December, the Central Government brought ‘matters related to online gaming’ within the purview of the Ministry of Electronics and Information Technology (MeitY). Soon after, MeitY released draft amendments to the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the Rules) which expanded the scope of the Rules to ‘online gaming intermediaries’. While there is a lot of debate on the  pros and cons of the regulations for the online gaming industry, what we are particularly interested in tracking is the interaction between regulations enacted by MeitY and the RBI with respect to the payment related functionalities within online gaming apps, namely in-app purchases, wallets, PPIs used for gaming apps and withdrawal of winnings. From the draft of the amendments, it seems that the intention will be to harmonise central and sectoral regulations - since it states that the procedure to be followed for verification at the time of creation of an account based relationship between a user and the online gaming intermediary is the procedure followed by RBI regulated entities at the commencement of an account based relationship. This could potentially mean more opportunities for fintech players providing KYC and verification services to the online gaming space (check out Setu’s KYC products here). We will be tracking how the final version of the amendments or subsequent guidelines may impact entities at the intersection of finserv and gaming. 

SEBI releases consultation papers on Online Dispute Resolution and Cloud frameworks 

SEBI has been busy in the space of digitisation, releasing consultation papers on the improvement of adoption of Online Dispute Resolution (ODR) mechanisms for investor related grievances and the adoption of cloud frameworks by SEBI regulated entities. The paper on ODR details how the current system of dispute resolution can be moved to virtual platforms with an emphasis on mediation and conciliation as go-to methods to avoid drawn out disputes which increase costs for investors and regulated entities alike. It also raises crucial questions which need further thought, such as the issue of how to split costs, qualifications for mediators/arbitrators, tracking of adherence to settlements and how to publish data regarding these settlements since some may be covered by confidentiality. It is encouraging to see the development of ODR since it provides a speedy and cost effective mechanism to resolve disputes, and indicates that this might be more widely adopted by multiple regulators including the RBI. 

The paper on cloud frameworks deals with the issue of outsourcing by regulated entities, similar to the RBI’s Outsourcing Directions. No limitations are proposed in relation to cloud deployment models. However, regulated entities will be held solely responsible for all cloud related activities, even if outsourced and are required to implement a host of technical, infosec and contractual arrangements to ensure a tight review of service providers. Interestingly, it is also suggested that cloud services should only be availed from data centres of cloud service providers which are empaneled with MeitY, which is not suggested in the RBI’s Outsourcing Directions (which provide a lot more flexibility with respect to service providers for IT related services in general). We will be tracking how the final version of the paper translates into compliance requirements. However, this paper and the RBI’s recent interaction with fintech industry associations make it clear that infosec, risk mitigation and data protection are among the regulators’ top priorities and it is time for regulated entities as well as fintechs servicing them to run a tight ship when it comes to handling data along the supply chain. 

• Stories from D91: Check out D91’s work on Project Pratima (blog and project documentation), an initiative launched by the Payments Council of India aimed at standardising the icons used by payment apps in India. D91 has also started its very own podcast on financial inclusion and fintech, which we hope you will find informative!

• Setu Talks: Our Legal Manager, Sriya, recently spoke on a panel hosted by the Law and Technology Society, National Law School of India University on the Draft Digital Personal Data Protection Bill, where she explored the key takeaways and missed opportunities, as well as the impact of the Bill on fintech and finserv. Here’s a link for interested readers. 

• E-KYC Setu: The Ministry of Finance has eased the process for KYC, for entities which are classified as reporting entities under anti-money laundering laws. The system for authentication is run by the NPCI, and will enable authentication without disclosing Aadhaar numbers of citizens to reporting entities, which is encouraging from the perspective of user privacy in the ecosystem. This will also reduce compliance burden and costs for these entities, since reporting entities will not need to develop their own Aadhaar KYC infrastructure. 

• Revised fraud reporting mechanisms: Through a notification released in late December, the RBI authorised non-bank Payment System Operators (PSOs) (such as the NPCI, BBPOUs and Payment Aggregators) and payment system participants (Agent Institutions, Billers, merchants and Payment Gateways) are now required to report all payment frauds (regardless of value, even if attempted, and whether detected or reported by customers) within 7 days. All reporting needs to be done on the DAKSH platform in the new reporting format provided. 

• RBI’s Financial Stability Report holds warning signs for crypto: A key mention in this edition of the RBI’s report which raised some eyebrows is the mention of prioritising the design of an appropriate policy approach to govern the crypto ecosystem, ‘to promote responsible innovation and mitigate financial stability risks’. The Report goes on to say that such a policy could potentially include the ‘prohibition of  unbacked crypto assets, stablecoins and defi’. Given the RBI’s sharp stance on the crypto industry and the recent volatility globally  with FTX’s collapse, it is possible we can see some regulation in this space in India soon. 

• RBI Nods for PPIs and PAs: Slice has received an in-principle approval from the RBI to launch its Prepaid Payment Instrument (PPI), which comes on the heels of the RBI prohibiting NBFCs from providing credit on PPIs. Open Financial Technologies and PaySharp also recently got nods from the RBI for in-principle approval to operate as a Payment Aggregator. 

This wraps up the updates which caught our eye in December ‘22! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our January edition. 

Comments

[Harry]

Must read newsletter. All the important stuff and development in fintech, RBI latest direction on payment matters and stance of meyit and role in various Fintech, Data , Issues.