31 January 2022
Introduction
The digital payments ecosystem in India has seen excellent growth in the past few years. The term “Digital Payments” comprises the different online payment systems, covering transactions done through Real Time Gross Settlement (RTGS), National Electronic Fund Transfer (NEFT), Immediate Payment Service (IMPS), Digital Wallets and Unified Payments Interface (UPI). Of these, Digital Wallets and UPI have amplified their operations in the wake of demonetization in November 2016.
Payment systems are not only the lifeline of an economy but are increasingly being recognized as a means of achieving financial inclusion and ensuring that economic benefits reach the bottom of the pyramid.
Regulating the payment and settlement systems in the country enables businesses, companies, and consumers to manage their financial transactions and payments efficiently. Implementing fintech laws and regulations ensures the safety and security of the financial institutions providing services and of the customers using them.
The term "FinTech" is short for "financial technology" and could apply to any kind of technology that is used to drive a financial transaction or service offered by any entity. However, in business and regulatory jargon, FinTech has come to mean the technology used by financial service providers that disrupts the traditional way of providing such services. Thus, businesses such as PayTM, PhonePe, RazorPay, MobiKwik and PayU are all classified as fintech businesses.
Key Fintech Offerings
Some of the key services that are offered by FinTech companies broadly fall within the ambit of either Digital Payments or digital lending.
PPI – Prepaid Payment Instruments (“PPIs”) are instruments that facilitate the purchase of goods and services including financial services, remittances etc. against a stored value on such instruments. PPIs may be issued under one of the three categories –
Each of these categories permits a different scope of transactions.
UPI Payments – UPI is a payment platform managed and operated by the National Payments Corporation of India (“NPCI”). UPI enables real-time, instant, mobile-based bank-to-bank payments. It primarily relies on mobile technology and telecom infrastructure to offer easily accessible, low-cost facilities to users. UPI-enabled payments constitute the majority of digital payment transactions in India.
Digital Lending - With advances in innovation, technology and telecommunications infrastructure, several Non-Banking Financial Institutions (NBFCs) in India have moved to digital platforms for credit products, especially for retail and Small and Medium Enterprise (SME) clients. They have developed intuitive applications and websites to enable end-to-end digital customer journeys.
Payment Intermediaries/Aggregators and Payment Gateways - Payment intermediaries or aggregators are entities which simplify online sale and purchase transactions, primarily on e-commerce platforms. They collect electronic payments from customers, pool them and transfer them to the merchants. Payment Gateways provide technology infrastructure to route or facilitate processing of online payment transactions, without handling any funds.
P2P lending platforms - Peer-to-peer (P2P) lending platforms are online platforms that offer loan facilitation services between lenders registered on the platform and prospective borrowers. Under RBI regulations, P2P lending platforms may be operated by eligible Indian companies registered with the Reserve Bank of India (“RBI”) as an NBFC.
Payment Banks - Payment banks are bodies authorized by the RBI to offer fundamental online banking services to their clients. They are allowed to accept small deposits (up to INR 100,000). However, they are not permitted to issue credit cards, give loans or offer any credit products.
Laws and Regulations
The RBI is the primary regulator for most Fintech activities in banking, payments and lending. The jurisdiction of other regulators may also be attracted, depending on the nature of the services being offered, including that of the Securities and Exchange Board of India (“SEBI”) when dealing in the securities market, the Insurance Regulatory and Development Authority of India (“IRDAI”) for the insurance sector, as well as the Ministry of Electronics and Information Technology (“MEITY”) and the Ministry of Corporate Affairs (“MCA”), as may be applicable.
Regulations governing Digital Payments
PPIs
Regulation
PPIs are governed by the Master Direction on Issuance and Operation of Prepaid Payment Instruments (“Master Direction”), which was issued by the RBI by virtue of Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (“PSS Act”). PPIs can be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein. PPIs in the form of paper vouchers cannot be issued.
Eligibility
Capital and other eligibility requirements
Authorisation Process
KYC Requirements
The issuers can issue two types of semi-closed PPIs based on the level of their Know Your Customer (“KYC”) compliance, that is to say, on the level of identification-related information provided by the user. The first type can be issued with minimum or limited KYC. The minimum KYC details include the customer’s mobile number verified through One-Time-Pin (OTP), and a self-declaration of name and a government identification number to authenticate the account.
The amount of funds loaded into this type of instrument during any month cannot exceed ten thousand rupees, and the total amount loaded during the whole financial year cannot exceed one lakh rupees. Only the purchase of goods and services is allowed; bank transfers and interoperability of the instrument are not permissible for PPIs with limited KYC compliance.
These minimum-detail instruments are mandatorily required to be converted within 18 months into full-KYC compliant, semi-closed PPIs. On the other hand, the full KYC-compliant PPIs, apart from allowing for purchase of goods and services, offer the option of ‘fund transfer back to the source’, bank account transfers as well as transfer to beneficiaries of up to one lakh rupees per month.
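The limits described above for limited-KYC PPIs (monthly and financial-year load caps, purchase-only use, and the 18-month conversion deadline) can be expressed as a simple issuer-side control. The following is an added example written for this article, not code from the RBI or any issuer; the class and function names are illustrative, and the Indian financial year is assumed to run 1 April to 31 March.

```python
from dataclasses import dataclass, field
from datetime import date

# Limits for limited-KYC semi-closed PPIs as stated in the Master Direction summary above
MONTHLY_LOAD_CAP = 10_000          # INR, total loaded in any calendar month
FY_LOAD_CAP = 100_000              # INR, total loaded in a financial year (one lakh)
CONVERSION_MONTHS = 18             # must be converted to full-KYC within this period
ALLOWED_OPERATIONS = {"purchase"}  # goods and services only; no bank transfer, no interoperability


def financial_year(d: date) -> int:
    """Indian financial year runs 1 April to 31 March; label it by its starting year (assumption)."""
    return d.year if d.month >= 4 else d.year - 1


def months_between(start: date, end: date) -> int:
    """Whole months elapsed from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


@dataclass
class LimitedKycPpi:
    """Hypothetical record of one minimum-KYC instrument and the loads accepted on it."""
    opened: date                                # date the limited-KYC instrument was issued
    loads: list = field(default_factory=list)   # accepted (date, amount) loads

    def loaded_in_month(self, d: date) -> int:
        return sum(a for ld, a in self.loads if (ld.year, ld.month) == (d.year, d.month))

    def loaded_in_fy(self, d: date) -> int:
        return sum(a for ld, a in self.loads if financial_year(ld) == financial_year(d))

    def check_load(self, d: date, amount: int) -> str:
        """Record the load and return 'ok', or return the reason it is refused."""
        if months_between(self.opened, d) >= CONVERSION_MONTHS:
            return "refused: instrument past 18-month full-KYC conversion deadline"
        if self.loaded_in_month(d) + amount > MONTHLY_LOAD_CAP:
            return "refused: monthly load cap of INR 10,000 exceeded"
        if self.loaded_in_fy(d) + amount > FY_LOAD_CAP:
            return "refused: financial-year load cap of INR 1,00,000 exceeded"
        self.loads.append((d, amount))
        return "ok"

    def check_operation(self, op: str) -> str:
        """Only purchases are permitted on a limited-KYC PPI."""
        if op in ALLOWED_OPERATIONS:
            return "ok"
        return f"refused: {op} not permitted on limited-KYC PPI"
```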
Prevention of Money Laundering
The entity operating a digital payment system is required to adhere to the RBI Master Direction on Know Your Customer (KYC), 2016 for customer identification. These Master Directions have provided for a sound framework for the prevention of money-laundering and since the non-bank issuers are essentially in the business of operating a payment system, compliance with Prevention of Money Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 framed thereunder, is necessary.
Additionally, PPI issuers are required to maintain a log of all transactions for a period of ten years. This data shall be made available for scrutiny to the RBI or any other agency / agencies as may be advised by the RBI. PPI issuers are also required to file Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit (FIU-IND).
Security of Payments
A strong risk management system is necessary for the PPI issuers to meet the challenges of fraud and ensure customer protection. PPI issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.
All PPI issuers shall put in place an information security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with this policy to mitigate identified risks. PPI issuers shall review the security measures (a) on an ongoing basis but at least once a year, (b) after any security incident or breach, and (c) before / after a major change to their infrastructure or procedures.
Some of the mandatory requirements to be followed by the private entities to prevent fraudulent transactions are:
Interoperability
The ability of customers to use a set of payment instruments seamlessly with other users within the segment is based on the adoption of common standards by all providers of these services so as to make them interoperable. Accordingly, it has been decided to implement interoperability in phases:
UPI
UPI was developed by the NPCI and was launched in 2016. It facilitates inter-bank transactions in real time, processed on either a web or a mobile platform. It also caters to “Peer to Peer” collect requests, which can be scheduled and paid as per requirement and convenience.
How is it unique?
NPCI Guidelines
For the functioning of UPI, the NPCI has issued the Unified Payment Interface Guidelines. These guidelines are framed under the provisions of the Payment and Settlement Systems Act, 2007. They are binding in nature and hence every member of UPI has to abide by them.
Membership Requirements
The Payment Service Provider/member should be an entity regulated by the RBI under the Banking Regulation Act, 1949 and should be authorized by the RBI to provide mobile banking services.
The member should comply with the Procedural Guidelines, certification requirements and efficiency and risk guidelines issued by NPCI from time to time.
Lastly, the bank should be live on Immediate Payment Service (IMPS).
Once a UPI-enabled bank agrees, the entity can build its PSP (Payment Service Provider) application, commonly known as a third-party application. The partner banks are entirely liable for all financial and operational liability arising from these applications.
Other Requirements
The data of clients should be maintained by the banks, and the merchant app should not have access to it. Payment-sensitive data and credentials should by no means reach these merchant apps and should exist only within the UPI system of the bank. This imposes accountability on the bank for the proper functioning of the apps and for making sure that the application supports all versions of Android and iOS.
These NPCI guidelines also give clients the freedom to download any application they want. Clients can have two applications on a single device, and no application should obstruct the working of the other while installing, operating or performing any function.
Existing members can be suspended or terminated by the NPCI at any time from undertaking these functions if the member fails to obey any UPI or NPCI product or procedural guidelines for UPI, or any provisions issued by the RBI or NPCI. Membership can further be terminated if the member’s RTGS account with the RBI is suspended. Moreover, where a member bank is amalgamated or merged with another member bank, the membership is terminated or suspended. Lastly, if the RBI withdraws its approval of the mobile application, the member also ceases to be a member.
Obligation of PSP
Considering the sensitivity of these transactions, the NPCI imposes certain requirements on the Third Party Application Provider (TPAP) as well as the PSPs that must be fulfilled to enable such transactions. Before initiating operations, the TPAP is mandated to seek written permission from the NPCI and is required to give the names of the participating banks. The responsibility of the participating banks is immense, as they are primarily responsible for providing security against any kind of breach of customer data that could happen through the third-party apps. As the responsibility for storing payment-sensitive customer data lies with the PSP, it must audit the TPAP’s infrastructure to ensure that the integrity of such data is maintained and that the functioning of the app is secure. Along with the TPAP, the PSPs are also responsible for addressing consumer complaints.
The PSP should conduct due diligence on a potential technology service provider before selecting it and entering into any form of outsourcing relationship. A bank should conduct an in-depth assessment of the third party’s ability to perform the said activities in compliance with all applicable laws and regulations and in a safe and sound manner. The PSP should consider the following during due diligence:
a) Legal and Regulatory Compliance
b) Financial Condition
c) Business Experience and Reputation
d) Qualifications, Backgrounds, and Reputations of Company Principals
e) Risk Management
f) Information Security
g) Incident-Reporting and Management Programs
h) Business Continuity Program
Obligations of TPAP
The obligation on the third parties is to store only that customer data to which the customers have given their consent. A record of details such as the customer’s name, mobile number, gender, email id etc. may be kept only in encrypted form, and all information exchange between the third party and the bank is to be done through a secure channel. As a caveat, it has also been provided that the third party shall not share the details of individual transactions with any other third party, including its holding company or subsidiary and the Indian Government or intelligence agencies, without the prior consent of the PSP and the NPCI.
Payment Gateways and Payment Aggregators
The RBI, vide its Circular dated March 17, 2020, has issued the 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' (the "Guidelines"), through which the RBI has decided to (a) regulate in entirety the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways.
Payment aggregators (PAs) are entities that enable e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations, without the need for merchants to create a separate payment integration system of their own. PAs enable merchants to connect with acquirers. In the process, they receive payments from customers, pool them and transfer them on to the merchants after a time period.
Payment gateways (PGs) are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in the handling of funds.
Applicability
The Guidelines have been issued to regulate in entirety the activities of payment aggregators. In this regard, the RBI has also mandated payment aggregators to adopt the technology-related recommendations provided in the Guidelines. While the RBI has clarified that the domestic leg of import and export related payments facilitated by payment aggregators shall also be governed by these Guidelines, these Guidelines will not regulate Cash on Delivery (COD) payments.
The RBI, as a measure of good practice, has stated that PGs may adhere to the baseline technology-related recommendations provided in the Guidelines.
Authorization
The Guidelines provide that any entity seeking to make an application for authorization must be a company incorporated in India under the Companies Act 1956/ 2013 and shall ensure that the business activity of operating as a PA is covered under the scope of its memorandum of association.
Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. Non-bank PAs shall require authorisation from RBI under the PSS Act.
E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed i.e. June 30, 2021. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation.
PGs shall be considered as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be. In the case of a bank PG, the guidelines issued by the Reserve Bank of India, Department of Regulation (DoR) vide 'Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks' and other follow-up circular(s) shall also be applicable.
Net-worth Requirements
PAs existing as on March 17, 2020 are required to achieve a net-worth of INR 15 crore by March 31, 2021, and a net-worth of INR 25 crore on or before March 31, 2023, which must be maintained at all times thereafter.
New PAs need to have a minimum net-worth of INR 15 crore at the time of application for authorisation and a net-worth of INR 25 crore by the end of third financial year of grant of authorization, which must be maintained at all times thereafter.
Non-bank PAs are required to annually submit a certificate to the RBI evidencing compliance with the applicable net-worth requirement.
Lastly, the Guidelines require that the net-worth consist only of paid-up equity capital, preference shares that are compulsorily convertible to equity ("CCPS"), free reserves, the balance in the share premium account and capital reserves representing surplus arising out of sale proceeds of assets, but not reserves created by revaluation of assets, adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. In this regard, the CCPS can be either non-cumulative or cumulative, and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.
PAs shall submit a certificate in the specified format from their Chartered Accountants to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.
Governance
The Guidelines provide a comprehensive governance framework for PAs, key elements of which are summarised below:
Applicability of KYC/ AML/ CFT provisions
The KYC, anti-money laundering (AML)/ combating financing of terrorism (CFT) guidelines issued by RBI shall apply to all entities, along with Prevention of Money Laundering Act, 2002 and Rules framed thereunder.
Security, fraud prevention and risk management framework
All PAs are required to put in place adequate information and data security infrastructure and systems for prevention and detection of frauds, which must be aligned with their Board-approved information security policy for the safety and security of the payment systems operated by them. To this extent, PAs are required to comply with the data storage requirements applicable to payment system operators, which also include obligations pertaining to data sovereignty.
PAs have additionally been directed not to store any customer card credentials within their database or server, which can be accessed by the merchant.
PGs
PGs have been considered as 'technology providers' or 'outsourcing partners' of banks and non-banks, as the case may be, and have been advised to adopt the baseline technology-related recommendations provided in the Guidelines. To this extent, PGs may wish to adhere to the prescribed minimum standards in order to remain at par with the IT and security standards adopted by non-bank PAs and other stakeholders in the digital payment ecosystem.
Bank PGs are further subject to the RBI Guidelines on 'Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks'.
Disclaimer:
The content of this article is for information purpose only and does not constitute advice or a legal opinion and are personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer to relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc before acting on the basis of the above write up. The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that the Author / Treelife is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information for any action taken thereof.
Treelife Ventures Services Private Limited.
All Rights Reserved. © 2022.