Welcome back to MoneyRules, Setu’s newsletter on fintech regulatory developments in India, written by Sriya Sridhar, Madhuri, Vinay Kesari, Parth Kantak, and Sumedh Niyogi.
Here are the highlights since our last issue!
Highlights from RBI Monetary Policy Committee meeting
On December 08th, the RBI Governor released a statement following the meeting of the Monetary Policy Committee, with some interesting ‘additional measures’ announced from a regulatory perspective, which are relevant for fintechs:
Easing e-mandates: e-Mandates are becoming an increasingly popular method of making recurring payments, like subscriptions, credit cards and loan repayments. Currently, an additional factor of authentication is required for e-mandates exceeding INR 15,000, which the RBI proposes to enhance to a limit of INR 1 lakh for mutual fund subscriptions, insurance premium subscriptions and credit card repayments. This move is likely to significantly expand the usage of e-mandates and create opportunities for technology service providing fintechs powering these mandates. This has been formalised by the RBI via a notification on December 12th.
Establishing a cloud facility: The RBI is looking to establish a cloud facility of its own, for the storage of data by banks and other financial institutions, to promote ‘data security, integrity and privacy’, as well as ‘facilitate scalability and business continuity’. This raises the question of whether, in future, RBI Regulated Entities will be mandated to move to this cloud facility established by the RBI, rather than using private players like Amazon Web Services, and whether government systems would have the capability to handle these volumes. Currently, the RBI’s guidelines on outsourcing allow REs the freedom to choose their own cloud service provider, subject to complying with the relevant safeguards which are prescribed. As we covered in our previous issue, cybersecurity has been among the RBI’s top priorities, and it is possible that the RBI is looking to heighten information security requirements. If this is the case, it could come as a blow to REs, fintechs and cloud service providers, and will involve a large-scale migration activity which could prove costly. It remains to be seen whether the RBI will prescribe this for a certain category of financial institutions, and leave REs the freedom to remain with private players.
Hike in UPI transaction limit: With the ever-growing ubiquity of UPI, the RBI is proposing to raise the transaction limit to educational institutions and hospitals, from INR 1 Lakh to INR 5 Lakhs, which will increase the usage of UPI and ease the payments process for these critical services. This has been formalised by the NPCI via circulars here, and here.
Reviewing the framework for web-aggregation of loan products: The digital lending ecosystem also contains services where loans from different lenders are aggregated and presented to borrowers, also known as web-aggregation of loan products. Some lenders use the services of LSPs for this purpose as well. The RBI states that, having received reports of aggregation of products which are harmful to consumer interests, it is looking to come out with a regulatory framework to curb such practices to promote transparency in digital lending. As covered in several of our previous issues, digital lending is a continually scrutinised sector, with the RBI, on December 11th, putting out another statement cautioning against unauthorised campaigns on loan waivers.
Fintech repository: In what could be a really interesting initiative, the RBI is proposing setting up a fintech repository, in light of rapid growth of the sector and increasing numbers of partnerships between Regulated Entities like banks and NBFCs with fintechs (which has been the subject of scrutiny). Fintech entities will be ‘encouraged’ to contribute to the repository. While the nature of information which the RBI is looking for is unknown, this has the potential to be a forum for collaboration between the regulator and the industry, promoting transparency and sustainable innovation. This also follows the RBI’s proposal to create an omnibus framework for SROs (which we covered here), and the possibility of specific fintech regulation, which we covered here.
RBI tackles unsecured personal loans
In a move to regulate the growth in unsecured personal loans, the Reserve Bank of India (RBI) released a circular to increase risk weights on unsecured retail loans (i.e., loans that are not backed by collateral, like consumer loans and credit cards) on November 16th. Through this circular, the RBI has raised the risk weight attached to such loans offered by banks and NBFCs by 25%.
What is a risk weight? Simply put, risk weights determine the amount of capital that a lender, be it a bank or NBFC, needs to put aside for different categories of loans, depending on the risk profile of borrowers. The higher the risk weight, the more funds need to be set aside by the lender to service that loan in the event of default - this is also known as the Capital Adequacy Ratio (CAR). India has seen a sharp increase in unsecured loans. This poses an increased systemic risk if the loans are not backed by robust underwriting, increasing the chances of default. The RBI has also emphasised that Regulated Entities (RE) should review their current sectoral exposure limits for consumer credit and institute board-approved limits with respect to varied segments that come under consumer credit.
The RBI’s measure is applicable to unsecured consumer loans, and loans against Fixed Deposits/Stocks, and excludes housing, educational, vehicle, gold, and microfinance/SHG loans. This will have a differing impact on both consumers and fintechs. For consumers, collateral-free loans are likely to become more expensive, with a possibility of fewer loans offered to new-to-credit customers. For fintechs, this will mean a hike in lending rates passed onto customers to make up for the increased capital requirements, more scrutiny which will need to be implemented in the vetting and lending process, and perhaps a shift in product offerings to secured loans.
In general, this seems consistent with the RBI’s increased scrutiny of lending, which we’ve previously covered here and here, and in quick takes below.
News coverage we liked on this topic: This coverage in LiveMint.
RBI authorises Card on File tokenisation at Issuer Bank level: Via a circular on December 20th, the RBI has authorised generating CoF tokens for card issuing banks or institutions through mobile and internet banking channels. Currently, tokenisation services are provided at the point of purchase and on merchant websites. Now, this can be done by card holders directly at the issuer level, and for multiple merchants through a single process. Upon selection, the token generated will be made accessible at the merchant’s payment page. This process can be done with the explicit consent of the cardholder, and with Additional Factor Authentication for data security. The RBI has helpfully clarified that where multiple merchants are chosen by the cardholder, the AFA validation can be combined across the merchants.
Reported scrutiny of peer-to-peer lending: According to this report from Reuters, the RBI has reportedly conducted inspections on major peer-to-peer lending platforms in India, and notified them to halt certain practices upon finding regulatory violations. As per the report, the violations include improper re-lending of repaid funds, marketing of products as an alternative to bank deposits, and allowing other financial institutions to lend via their platforms. While there has been no official communication from the RBI as yet, this is an issue to watch out for given the rapid growth of P2P lending as a sector.
Notification from PFRDA comes as a blow to RAs: Via this circular, the PFRDA has clarified that only registered Points of Presence can be Financial Information Users, in the Account Aggregator framework. This means that other registered intermediaries such as Retirement Advisers will no longer be able to use that license to receive financial information via the Account Aggregator ecosystem, and will need to transition to a different type of license instead. In our previous issue, we also covered the PFRDA’s clarification that the Central Record Keeping Agency would be the Financial Information Provider for NPS data and the implications of this move.
NPCI instructs UPI members to deactivate inactive UPI IDs: Via this circular, the NPCI has instructed all UPI members to deactivate the UPI IDs and numbers that have been inactive for more than a year. This decision has been taken to avoid the transfer of money to unintended recipients in instances where customers change their mobile number without delinking their previous number from the banking system. TPAPs and PSP banks need to identify UPI IDs and linked phone numbers of customers who have not made any financial (debit or credit) or non-financial transactions for the past 1 year and deactivate for inward credit transactions. In our previous issue, we covered how data accuracy and integrity are likely to be a regulatory area of focus with the new Digital Personal Data Protection Act, 2023. UPI participants will also need to prioritise ensuring data accuracy in the coming days.
RBI releases the draft Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices: These draft directions applicable to RBI REs, focus on implementing robust IT governance which includes risk management, performance and resource management, strategic alignment, and business continuity. The directions will come into effect from April 1, 2024. Among other requirements, REs need to implement an IT Service Management Framework to support their information systems and infrastructure in alignment with internationally accepted standards, and put in place a documented data migration policy and policies that enable data integrity and consistency. The directions mandate conducting audits of system logging capabilities along with creating provisions for audit trails in cases where IT applications can access or affect sensitive information of customers. Information security has been a big priority for the RBI, as we’ve covered here, here, and here.
RBI penalty on Bajaj Finance: The RBI has directed Bajaj Finance to halt the disbursal of loans under two of its products - ‘eCOM’ and ‘Insta EMI Card’. This is a significant penalty, with Bajaj Finance being India’s largest consumer financier. The reason for this penalty was the failure by Bajaj to issue Key Fact Statements and deficiencies in the Key Fact Statements, in violation of the Digital Lending Guidelines, 2022. This penalty, coupled with the recent one on Kotak Mahindra Bank which we covered last issue, signals the need for REs to be vigilant with respect to their lending practices and compliance.
Instamojo suspends payment aggregator business, Razorpay and Cashfree get PA licenses: With the RBI having rejected its application for a payment aggregator license, Mastercard-backed Instamojo has clarified that its payouts business will be undertaken in partnership with licensed PAs and has shuttered its core payments business. There has been a lot of coverage in recent months on the difficulty in obtaining Payment Aggregator licenses, and the possible reasons for this - such as on MoneyControl and the Ken. Here is also a useful read on this from the team at Ikigai Law. On that note, after a long wait, Razorpay and Cashfree, along with Neobank Open and Enkash have obtained their licenses to operate as Payment Aggregators. These firms can also now, after a pause directed by the RBI, resume onboarding merchants.
This wraps up the updates that caught our eye in November and December ‘23! Feel free to DM us on Twitter or LinkedIn, or fill out this form with feedback or topics to include in our January edition.