RBI halts NUE licenses (again), New regulations for Credit Ratings Agencies, SBM and fintechs face restrictions on LRS and more...
02nd February, 2023
Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri and Vinay Kesari.
2023 promises to be an exciting year for all things fintech, and we’re committed to tracking and demystifying all the latest regulatory developments for you. So without further ado, let’s dive into what happened in January.
RBI puts a halt on NUE licenses
In early January 2023, we saw media reports that the RBI had put on hold the issuance of licenses for the New Umbrella Entity (NUE), which was to compete with NPCI as a retail payments system operator. Large conglomerates like Jio, Amazon, Facebook, Tata Group, and Google, along with private and public banks, were among six consortiums that submitted applications to the RBI, but these have reportedly been rejected for not meeting the RBI’s requirements in terms of operationalisation of their plans, and for proposing plans which were similar to that of the NPCI and lacking in novel technology. Another reported consideration of the RBI is the strengthening of the Payments and Settlements Systems Act to address the rapid expansion of the digital payments landscape as a first priority. It is worth noting that this isn’t the first time that NUE authorization has been put on hold. It was halted earlier in 2021, due to concerns about the abuse of user data, data breaches, data storage and localization issues. At the time, this came on the heels of the restrictions placed on Mastercard, Diners Club and Amex for violation of the RBI’s regulations on data storage and localization.
But let’s take a step back - what is the NUE framework and why was it introduced? (read our previous coverage on the NUE framework here!) The RBI proposed the NUE framework in August 2020, envisaging it as a new entity which would create and run new payments infrastructure to complement and compete with NPCI. The NUE would have similar freedom to build and maintain payment systems across all categories, including online, white label PoS, Aadhaar based payments and ATM transactions, and offer value added services around payments and lending, all while being interoperable to the extent possible, with the systems of the NPCI. This had understandably created a large amount of interest among financial services firms and major conglomerates, looking to enter the retail payments market which is absolutely dominated by NPCI.
From both the perspective of the regulator and the market, NUE also seemed like a good idea to reduce the burden on the NPCI’s infrastructure, with the surging volumes of UPI transactions especially due to COVID lockdowns (with around 16% growth between 2021 and 2022). The strain on infrastructure is evident, with transaction rejection rates being close to two percent as of October ‘22. In comparison, the rejection rate was less than a percent in March 2021. The big hope was that the NUE framework would offset this with more innovation and diversification of payments options, bringing in new technologies in relation to payment and settlement mechanisms, and reduce the concentration risk of one entity (NPCI) running most of the country’s retail payments systems.
The framework was met with opposition in 2021 from banking unions and some banks, due to concerns around the usage of user data and a larger opposition from the unions to avoid the introduction of a for-profit motive to the digital payments network. Of course, the other side of the debate is that allowing private players to participate and make a profit would create more efficiency in the ecosystem through innovation. This debate continues, with the Finance Ministry clarifying in August 2022, that UPI would remain a public good, and would remain free of any charges.
While the precise motivations of the RBI in halting the NUE licensing process remain unknown, it is clear that there are a myriad of considerations when it comes to evaluating whether or not the framework can tangibly offer something new to the digital payments world, and work as a viable alternative to the NPCI. It is also possible that the introduction of the upcoming data protection law could be a compliance related factor which further delays this process. We’ll be tracking further developments on this interesting issue which, if operationalized, could have wide ranging implications for financial inclusion and potentially increase opportunities for fintech players in India.
SEBI issues operational circular for Credit Ratings Agencies (CRAs)
In our October issue, we covered SEBI’s crackdown on Brickworks Ratings, and in our November issue, its subsequent guidelines on the standardization of credit ratings to be used by CRAs. In a clear attempt to bring in stricter regulation and enforcement, SEBI, on January 06th, released its operational circular for CRAs, which supersedes 39 circulars which previously governed CRAs and provides a unifying framework (the list of previous circulars can be referred to under Annex A of the operational circular).
The circular includes several changes to the disclosures required during the application process (including details of pending litigations and investor complaints) and detailed procedures in relation to suspension or revocation of a CRA certificate of registration. In alignment with its previous circular, the operational circular also deals with the standardization of credit ratings and symbols, including an additional ratings symbol for ‘Expected Losses’ for ratings of projects/instruments associated with the infrastructure sector, which seems to be clearly flowing from the shutdown of Brickworks for the ratings it granted to the instruments of Dewan Housing Finance Limited (DHFL). While the publication of ratings criteria, outlook and policies was required previously, the circular now prescribes a lot more detail to be incorporated into these policies in the interest of investor safety, including an enhanced requirement for periodic monitoring, a monthly requirement to obtain a no default certificate from the issuer of securities, standardized press releases required upon the release and review of ratings and more detailed operating procedures in the event of defaults by the issuer.
To avoid conflicts of interest and unethical incentives between issuers and CRAs, the circular also prescribes an enhanced governance framework for CRAs, which includes policies on conflicts of interest between CRAs, issuers, affiliates and associated persons in the securities market, internal codes of conduct on governance norms and accountability of ratings analysts, and continuous disclosures. Any reviews of ratings requested by issuers must now be conducted by a committee separate from the committee which first issued the ratings, with independent members who do not have a pecuniary relationship with the issuer. The circular also provides for a detailed set of guidelines in relation to half-yearly internal audits to be conducted by CRAs and mandatory contractual requirements to be incorporated within the agreements entered into between issuers and CRAs, including a prohibition on the issuance of ratings in the absence of an executed contract.
While there are many more provisions to decode, this circular is a welcome move to bring accountability to a system which has been in flux and mired with controversy over the past year. What is interesting is the hybrid approach adopted under this circular, with several prescriptive requirements from the regulator, as well as self-regulatory provisions which involve the CRAs formulating policies under broad requirements.
Overall, the introduction of increased transparency through the requirement for executed contracts, increased accountability through audit and governance frameworks, increased monitoring and notification requirements and the attempts to tackle problematic conflicts of interest are in the public interest. Given that the public, which includes laypersons and non-institutional investors, relies on credit ratings to assess the worthiness of securities they are investing in, this is an important move to ensure that investors do not suffer losses from cases of issuer fraud or default which do not then translate to downgraded ratings. While the long term impact, compliance and enforcement of the new framework remain to be seen, this sends a strong signal from SEBI that investor protection is a priority.
UPI for NRIs
On 10th January, the NPCI issued a circular which allows for non-resident bank accounts (including NRE and NRO accounts) linked to mobile numbers of the ten countries mentioned to be on-boarded and transact on UPI subject to compliance with FEMA regulations and checks in place for anti-money laundering (the countries being Singapore, Australia, Canada, Hong Kong, Oman, Qatar, USA, Saudi Arabia, UAE and the United Kingdom). This move is largely viewed as a welcome one, which will expand the scope of UPI as an instant payment method. The NPCI has directed all members of UPI, including banks and payments platforms to comply with the circular by 30th April of this year. This comes on the heels of the recent expansion of UPI through the introduction of the single-block-multiple-debit functionality, which we covered in our last issue.
Earlier, NRIs on international phone numbers weren’t able to access UPI because of the SIM binding feature which was restricted to Indian SIM cards. With UPI now permitted, an Indian SIM will not be needed to operate a UPI Virtual Private Address (VPA) handle and NRIs can use UPI to transact using their NRE/NRO accounts. Further clarity is needed to understand what types of transactions will be permitted, given that FEMA restrictions will continue to apply.
We’ll be tracking how this move is operationalised through further guidelines.
News coverage we liked on this topic: This explainer in LiveMint [paywalled].
SBM LRS restrictions
On January 23rd, 2023, the RBI directed the State Bank of Mauritius (SBM) to stop all transactions under the Liberalised Remittance Scheme (LRS) route with immediate effect, citing ‘material supervisory concerns’. The LRS route allows foreign remittances of up to USD 250,000 per year by Indian residents for purposes such as studies abroad, medical treatment, maintenance of close relatives, and investments and travel. While the precise reason for these restrictions is unknown, media reports suggest that it was due to concerns regarding the overseas money transfer practices of one or more of SBM’s fintech partners. SBM has been at the cutting edge of partnering with fintechs across multiple categories including neobanking and cross-border payments and investments. The current RBI move has affected some of these partners to varying degrees, including Niyo, INDMoney and Vested, who partner with SBM for products such as international travel cards and foreign stock investments. The restrictions have since been partially relaxed until March 15th, 2023, by allowing ATM/POS transactions under the LRS route through KYC compliant internationally active debit cards issued by the bank. While further clarity is awaited from the RBI, this is likely to spark a review and tightening of onboarding and monitoring procedures for such partnerships between banks and fintechs.
News coverage we liked on this topic: This analysis of the issue in Finshots.
Stories from D91: Check out D91’s recent work in the 'Banking on Women' Series, an initiative to understand and design for the financial lives of women in India. Also out, as part of the 'Digital Payments for the Next Half Billion' Series, is D91's third blog exploring the potential of voice technology in enabling digital payments for the underserved. Finally, watch the latest episode of the D91 Labs Idea Series that discusses the potential of WhatsApp in enabling financial inclusion in Rural India.
Setu Talks: Our General Counsel, Vinay and Legal Manager, Sriya, participated on a panel discussion with the team at the law firm Samvad Partners, on how the new data protection bill impacts the fintech and finserv sectors, the industry perspective on various provisions and larger debates on why we need regulation of new technology, and the balance between access to information needed by the industry and privacy. Here’s a link for interested readers.
New credit cards on UPI: In our October issue, we covered the launch of credit cards on UPI and the subsequent circular issued by the NPCI for its operation. According to certain media reports, the RBI is now looking to allow credit cards issued by the card networks Visa and Mastercard to be linked with UPI. Due to the massive scale of these networks (with around 70 million active cards), this is expected to significantly increase the scope of this venture, although the operational aspects and interaction with the NPCI’s circular remain to be seen.
New consent requirements for Aadhaar authentication: In a press release on 23rd January, UIDAI has now made it mandatory for Regulated Entities (REs) which conduct Aadhaar authentication to obtain the ‘informed consent’ of residents from whom Aadhaar data is collected, either by paper or electronically. While the precise modalities seem to be left to the REs themselves, they have been directed to ensure that residents understand the type of data being collected, and the purpose of authentication. Logs of authentication transactions need to be maintained only for the duration provided in the Aadhaar regulations, and purged upon expiry. REs are also not permitted to store the data without masking the first 8 digits of the Aadhaar number, and without authorization. In addition, they have been directed to report suspicious activity to the UIDAI. Coming on the heels of the UIDAI’s crackdown on a major industry player, this development signals that enforcement of Aadhaar regulations is likely to become stricter.
Re-KYC gets easier: In a welcome move which is likely to expedite KYC related processes, the RBI, on 05th January, clarified that if there is no change in the KYC information of customers of banks, a self-declaration from the customer is sufficient to complete the re-KYC process. Banks have been directed to provide customers the facility to provide their re-KYC declarations through various non-face-to-face channels such as registered email ID, registered mobile number, ATMs, digital channels (such as online banking, mobile application, letter, etc.) without the need to visit bank branches.
This wraps up the updates which caught our eye in January ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our February edition.