Fintech 2022 Comparisons

As per a recent report by Blinc Insights, as of 2021, the fintech market in India accounts for USD31 billion of the financial services sector in India, which was recorded as USD500 billion. In its December 2021 publication, Regulatory Initiatives in the Financial Sector, the Reserve Bank of India (RBI) recognised India as one of the fastest growing fintech markets in the world, with 87% of digitally active population adopting fintech products and services, in one form or another. India’s fintech industry is estimated to be the third largest in the world, behind the USA and China. The National Investment Promotion and Facilitation Agency attributes to India one of the highest fintech adoption rates, globally.

The spurt in digital transactions was likely fuelled by COVID-19 and corresponding lockdowns and has been facilitated by institutional and economic factors such as a strong policy shift towards digitisation and increasing banking and smartphone penetration. The Indian digital payments industry is estimated to hit the USD1 trillion mark by financial year (FY) 2026, compared to USD300 billion in FY2021.

The Past 12 Months

Key developments that have contributed to significant growth of the fintech sector over the past 12 months.

Lowering customer onboarding cost

Changes in law (particularly around the permissibility of Aadhaar-based know-your-customer (KYC) checks for onboarding customers) significantly increased the costs of operation for non-bank fintech players.

With the view to lower customer onboarding costs, the RBI has, through a circular dated 13 September 2021, permitted regulated entities (in addition to banks) such as non-banking financial companies (NBFCs) and payment system operators/system participants to obtain authorisation to undertake Aadhaar-based E-KYC authentication of their customers. This will help lower customer on boarding costs as, once authorised, such entities may leverage the Aadhaar database, similar to banks, to undertake KYC verification of customers.

Managing concentration of digital transactions with select market players

A key, emerging priority for the RBI and the National Payments Corporation of India (NPCI) is the management of systemic and operational risk associated with the concentration of digital payments transactions in the hands of a few operators. Towards this objective, the NPCI directed payment service providers and third-party application providers for UPI transactions (TPAP) to ensure that the total volume of UPI transactions processed through a TPAP does not exceed 30% of the overall volume of transactions processed on the UPI network during the preceding three months, on a rolling basis (the “UPI Volume Cap Circular”).

Existing TPAPs have been granted a two-year timeline, starting January 2021, to comply with these limits in a phased manner. As per the detailed standard operating procedures issued by the NPCI on 25 March 2021, the volume cap will be implemented by controlling the onboarding of new users by TPAPs, with an option for TPAPs to apply for relaxations (up to a maximum time period of six months) to achieve compliance. The concentration of UPI transactions will be monitored periodically and alerts will be sent to the TPAPs and their partner banks, if the TPAPs move close to breaching the prescribed threshold.

Focus on enhancing interoperability of payment instruments and systems

The RBI has been building on its broad 2018 guidelines for interoperability across prepaid payments instruments (PPIs) and bank accounts with concerted regulatory measures. Payment system operators are now only permitted to issue interoperable QR codes. In addition, recognising the need for further regulatory intervention to increase interoperability, the RBI, through its notification dated 19 May 2021, has mandated PPI issuers to mandatorily provide interoperability features to holders of all fully KYC PPIs. Interoperability may be implemented by PPI issuers through card networks (for PPIs issued in the form of cards) and UPI (for PPIs issued in the form of mobile wallets).

Expanding use-cases for PPIs issued by non-bank PPI issuers

As an incentive for PPI issuers to move to a full KYC model (and thereby be mandatorily required to provide interoperability features), the RBI has permitted cash withdrawals through PPIs issued by non-bank entities – a facility which was available only for PPIs issued by banks. Holders of full KYC PPIs can opt for cash withdrawals from ATMs or point-of-sale terminals subject to prescribed transaction limits. The maximum balance which may be held in full KYC PPIs, at any point of time, has also been increased from INR100,000 to INR200,000 as a fillip to increase adoption of interoperable PPIs.

Introduction of framework to govern small value offline digital payments

On 3 January 2022, the RBI introduced a framework to facilitate small value digital payments in offline mode. Under the framework, authorised payment system operators, system participants, issuing and acquiring banks may offer payment solutions which provide for small value digital payments which may be undertaken in the absence of internet connectivity. Such payments can only be carried in proximity and are subject to per transaction limit of INR200 with an overall limit of INR2000 per payment instrument without the requirement of internet/telecom services for their processing.

Focusing on data security standards for storage of card data

Through a series of notifications, the RBI has restricted all entities (other than card networks and card issuers) involved in the card transaction/ payment chain from storing the actual card credentials of customers in their servers and systems. Entities which require card details to be stored in their systems, may only store such credentials using tokenization or other similar solutions (as may be devised by industry stakeholders) in connection with any specific use cases.

The Next 12 Months

Data protection and privacy

Personal Data Protection Bill 2021

A draft Personal Data Protection Bill 2019 which has now been renamed as the Data Protection Bill, 2021 (the “DP Bill”) was recently reviewed by the Joint Parliamentary Committee. The Joint Parliamentary Committee recommended several changes to the DP Bill including regulation of non-personal data, processing of personal data of children, implementation of data localisation norms and stricter regulation of social media companies as platforms/publishers of content rather than intermediaries. Social media platforms may be held responsible for content from unverified accounts on their platforms. Such platforms are also required to set up an office in India, if they do not already have one. Additionally, a media regulatory authority is proposed to be set up to regulate content on these platforms.

Once it comes into force, the DP Bill will bring Indian data protection and privacy closer to global standards. The DP Bill will regulate the access, use, processing and storage of personal data of individuals. It also envisages concepts and institutions such as:

• a central data protection authority of India;
• periodic data audits of certain data-handling entities;
• data localisation norms; and
• ascribing data trust scores to "data fiduciaries" based on their capacity to handle data securely.

The introduction of the DP Bill will require businesses operating in India to re-think their data policies, infrastructure and practices, as far as data privacy is concerned, to match the shift to heavier regulations.

Cryptocurrency and blockchain

While currently cryptocurrency is not prohibited in India, the RBI and the government of India have each indicated that "private cryptocurrencies" do not constitute valid legal tender in India. However, market sentiment seems to indicate that the government may not completely prohibit all virtual currencies, but, may permit certain use cases (such as crypto as an asset), in each case, subject to regulation. More clarity is awaited when the Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 (the “Cryptocurrency Bill”) is tabled in the parliament in 2022.

The RBI is also due to launch its own Digital Currency as an alternative to private cryptocurrencies as digitised legal tender.

See 12.7 Virtual Currencies for recent announcements related to taxation of transactions involving cryptocurrencies. The proposed taxation regime for cryptocurrencies indicates that cryptocurrency may be regulated as an asset class (and not as legal tender), however, this will depend on the final form of the Cryptocurrency Bill which is tabled before the parliament.

Move towards regulation of digital lending

In India, digital lending is primarily undertaken by regulated entities such as banks and non-banking financial companies (NBFCs). However, the digital lending landscape involves other entities and platforms (which may or may not be regulated) that provide value-added services such as data analytics, underwriting processes, credit modelling and distribution of credit products.

In January 2021, the RBI constituted a working group to review digital lending activities by regulated as well as unregulated entities with the objective of formulating a regulatory framework for digital lending. This working group released its report on 18 November 2021 (the “Report”). The Report envisages certain principles to regulate digital lending in India. Key recommendations of the Report include:

• with an objective to contain systemic risk to the financial ecosystem, permitting on balance sheet lending by regulated entities only, consequently restricting synthetic structures such as first-loss default guarantee (FLDG) issued by unregulated fintech entities;
• creation of a nodal agency to ensure that only approved digital lending apps are available for use by consumers including on playstores;
• prescribing standards on data protection/storage and grievance redressal mechanisms from a consumer protection standpoint; and
• setting up of a "self-regulatory organisation" which shall prescribe code of conduct and other compliance standards for loan service providers/digital lending apps.

The RBI has sought inputs from market stakeholders and a new regulatory regime for digital lending basis market feedback is expected to be introduced soon.

The various fintech business models or verticals that are currently predominant in India are, broadly:

• digital payments;
• digital lending; and
• a host of intermediary services such as payment aggregation, payment gateway services, credit analysis, post-disbursement services etc, that serve to create a seamless user experience.

Products pertaining to other significant aspects of fintech such as insurtech, regtech and wealthtech are also starting to emerge in the market.

Key product offerings across each of the predominant verticals are: 

Digital Payments

PPIs

PPIs are stored-value instruments that facilitate the purchase of goods and services (including financial services). They may be issued as pre-paid cards or virtual wallets and may be issued by banks, authorised non-banking entities and/or under a co-branding arrangement between licensed and non-licensed entities. As per the revised Master Directions on Prepaid Payment Instruments (PPIs) issued by the RBI on 27 August 2021 (“PPI Master Directions”), PPIs may be issued under one the following categories:

• closed-system PPIs, for purchase of goods or services offered only by the PPI issuer; there is no prior approval required from the RBI for issuance of such class of PPIs; or
• PPIs that require RBI approval/authorisation prior to issuance are classified under two types, small PPIs and full-KYC PPIs.

Small PPIs are issued by banks and non-banks after obtaining minimum details of the PPI holder. They can be used only for purchase of goods and services. Funds transfer or cash withdrawal from such PPIs is not permitted. Small PPIs can be used at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer (or contract through a payment aggregator/payment gateway) to accept the PPIs as payment instruments.

Full-KYC PPIs are issued by banks and non-banks after completing KYC of the PPI holder. These PPIs can be used for purchase of goods and services, fund transfers or cash withdrawal.

Other notable changes include the inclusion of interoperability between PPIs issued, permitting cash withdrawal through interoperable PPIs and increasing the limit for Full KYC PPIs from INR100,000 to INR200,000.

UPI

The UPI is a payments platform managed and operated by the NPCI, which enables real-time, instantaneous, mobile-based bank-to-bank payments. It leverages India’s fast-growing mobile technologies and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users. UPI-enabled payments have constituted a significant percentage of the consumer-to-merchant and peer-to-peer (P2P) digital payment transactions, crossing the INR2 billion mark in October 2020 and crossing 75 lakh crore transactions in FY2021 precipitating regulatory developments such as the UPI Volume Cap Circular (see 1.1 Evolution of the Fintech Market).

Access to central payments systems

The RBI as part of its drive to encourage digital payments, announced that all non-bank payment system providers like PPI issuers, white label ATM operators and card networks will also be granted access to central payments systems like NEFT and RTGS. This is to promote stability and minimise risk in the payments and settlements ecosystem.

Digital Lending

Digital lenders

In India, banks and NBFCs alike have moved to digital platforms for credit products, particularly to cater to relatively underbanked sectors such as micro, small and medium enterprises (MSME) and retail clients. Digital lending platforms typically provide an end-to-end digital customer experience, from on-boarding and initial credit verification and checks to disbursement (see 1.1 Evolution of the Fintech Market).

P2P lending platforms

Online P2P lending platforms are governed by the RBI and offer loan facilitation services between lenders registered on the platform and prospective borrowers, ie, they constitute a regulated online marketplace for P2P lending. To offer such services, eligible entities are required to obtain registration with the RBI as a NBFC–P2P lending platform.

Payment Intermediaries

Payment aggregators

These entities facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators receive payments from customers, and pool and transfer them to the merchants after a period of time.

Payment gateways

Payment gateways are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.

PA/PG Guidelines

In view of significant growth in digital payments facilitated by payment aggregators and payment gateways, in March 2020, the RBI issued a full-fledged regulatory framework (the “PA/PG Guidelines”) requiring payment aggregators to be licensed by the RBI, while prescribing recommendatory technical standards for payment gateways. The PA/PG Guidelines illustrate a paradigm shift in regulatory regimes governing such payment intermediaries, which were earlier subject to only light-touch regulation.

The regulatory framework governing key verticals (see 2.1 Predominant Business Models) and industry participants is fragmented and spread across several legislations and regulations. There are no state-specific variations in terms of the regulatory framework.

The Payment and Settlement Systems Act, 2007 (PSS Act)

It is the principal legislation governing payments regulation in India. The PSS Act prohibits the commencement and operation of a "payment system" without prior authorisation of the RBI. A "payment system" is defined as “a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”, ie, includes card network operations, PPIs, UPI payments, and other digital payment services.

The Prevention of Money Laundering Act, 2002 (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products, and is supplemented by the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PML Rules”). The PMLA read with the PML Rules prescribe detailed procedures for financial sector entities to undertake "know your customer" and "anti-money laundering" verifications and reporting of suspicious transactions.

RBI Master Directions/Circulars

The RBI being the principal financial regulator, periodically issues "master directions" and circulars governing and regulating specific offerings in the fintech space. For instance, the RBI Master Directions on PPIs (dated 1 October 2017, and last updated on 17 November 2020) govern issuance of PPIs, eligibility criteria for PPI issuers, transaction limits, settlement cycles, etc. Similarly, the RBI has issued subject-specific master directions regulating:

• various categories of NBFCs;
• P2P lending;
• the PA/PG Guidelines;
• account aggregators; and
• other market participants and offerings.

The RBI Master Directions on KYC (dated 25 February 2016 and last updated on 10 May 2021) draw from the PMLA and the PML Rules and further prescribe that all entities regulated by the RBI must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

The RBI introduced a circular dated 13 September 2021, which permits regulated entities such as NBFCs, payment systems operators/system participants to obtain an authorisation to conduct Aadhaar-based E-KYC authentication of their customers.

NPCI Circulars

UPI payments in India are governed by periodic procedural guidelines issued by the NPCI. These circulars govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Current Data Privacy Framework”) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as dated and insufficient – and the enactment of the DP Bill will completely overhaul the existing data protection framework.

Separately, the RBI has also issued a circular in April 2018 (“Data Localization Circular”) that requires all payments data to be stored on servers located in India. While such data can be taken outside of India for processing, it must return to India within 24 hours. While the RBI’s Data Localization Circular only focuses on “payments data”, the DP Bill contemplates a wider localisation requirement that extends beyond just payments data to all sensitive and critical personal data.

See 1.1 Evolution of Fintech Market for the RBI’s instructions around storage of card credentials.

Compensation models across key product offerings typically take the following form.

• PPIs/debit cards/credit cards/UPI: MDR, ie, charges payable by the merchant to the payment acquirer and/or the card network/payment system operator.
• Digital lenders: loan processing fees and interest from their customers, each usually being dependent on volume and tenor of the loan.
• Payment aggregators/gateways: charge the e-commerce marketplaces and merchants for the payment aggregation services and/or technological support provided by them. These charges are in some instances contractually passed on to the customer transacting on the e-commerce or merchant platform.

For certain transactions, with the intention of promoting indigenous payment instruments, the Government of India has mandated zero MDR  – which may have the effect of impacting the cost competitiveness and revenue flows of foreign fintech players vis-à-vis Indian players.

The overarching regulatory requirement surrounding disclosures in connection with these compensation models mandate that:

• regulated lending entities (such as banks, NBFCs) adopt a "fair practices code", to be made available on their websites (in English as well as in the vernacular language), setting out clearly all charges, fees and interest rates in connection with the credit product offered by them;
• that such banks and NBFCs ensure compliance with such code by non-regulated entities lending in partnership with them; and
• all regulated entities (such as PPI Issuers, payment intermediaries, banks, NBFCs) adopt suitable customer grievance redressal mechanisms and designate "nodal officers" to address customer complainants, so as to ensure fairness in operation of such products, including the compensation models employed by them.

On a holistic overview, the regulatory framework (see 2.2 Regulatory Regime) is agnostic to new fintech players and legacy players (such as banks).

A key area of difference, however, emerges in the ability of banks to undertake Aadhaar-based E-KYC checks to undertake customer on-boarding – and the corresponding prohibition incumbent on non-bank players (such as NBFCs), raising cost of compliance for non-bank players. This disparity has been addressed, to some extent, as the RBI has now also permitted non-bank players to acquire authorisations to undertake Aadhaar-based E-KYC authentication, allowing them to use the services provided by UIDAI for E-KYC services. 

RBI

Framework and eligibility

The RBI issued an "Enabling Framework for Regulatory Sandbox" in August 2019. The regulatory sandbox framework enables eligible FinTech companies  to test their products in the regulatory sandbox, provided that such product is compliant with the ongoing theme of the sandbox cohort.

Entities that satisfy the following eligibility criteria may approach the RBI for testing their products in a sandbox:

• net worth of at least INR1 million;
• satisfactory credit score/history of promoters and directors;
• promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria;
• demonstrated ability to comply with personal data protection laws; and
• adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure.

Cohort-based model and stages of sandboxing

The RBI framework envisages product testing by a few select entities in a single regulatory sandbox cohort (ie, end-to-end sandbox process, typically lasting up to six months each), where products broadly fall within a shared theme. While certain regulatory requirements may be relaxed for the duration of the sandbox, the RBI has mandated that applicants will have to comply with data protection laws and KYC requirements. Separately, applicants will also continue to be liable to customers for financial products tested in the sandbox.

The framework outlines the five stages of the sandbox process for a single cohort.

• Stage 1: preliminary screening of applications to the cohort (four weeks);
• Stage 2: finalisation of test design by the FTU via an interactive process with applicants (three weeks);
• Stage 3: application assessment and vetting of test design (three weeks);
• Stage 4: assessment of tests based on closely monitored empirical evidence and data (12 weeks); and
• Stage 5: final outcome of the testing of the product or technology that was sandboxed, particularly against parameters of viability/acceptability, to be assessed by the RBI (four weeks).

recently opened its third cohort on “MSME Lending” in September 2021 and the fourth cohort on “Prevention and Mitigation of Financial Fraud”, in October 2021.

IRDAI and SEBI

Similar to the regulatory sandboxes implemented by the RBI for fintech products, the Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have proposed similar regulatory sandboxes products in the insurtech space, and for market-linked financial products offered by SEBI-regulated entities, respectively.

The regulatory regime governing the fintech space across most key verticals is primarily driven and implemented by the RBI, with support on specific, specialised aspects from the NPCI, the Unique Identification Authority of India (UIDAI), IRDAI and the SEBI (see 2.2 Regulatory Regime), as set out below.

RBI

The primary regulator for fintech in India is the central bank itself. The RBI has, over the past few years, demonstrated a clear shift from a light-touch approach to fintech regulation to a full-regulation model. The RBI is responsive to market changes and technological advances, and there have been near-contemporaneous updates in the regulations to account for such developments.

NPCI

The NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association under the PSS Act, and was established with a view to create an innovative and robust payment & settlement infrastructure in India.

UIDAI

The UIDAI is a statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. The UIDAI has been central to framing the rules governing use of Aadhaar by fintech players as a means for customer on-boarding and verification.

IRDAI

The IRDAI is the primary regulator in the insurance sector in India and supplements the regulatory framework of the RBI applicable to fintech players, to the extent of insurtech elements.

SEBI

The SEBI is the key financial markets regulator in India charged with the function of regulating the securities market and protecting investor interest. Aspects of fintech pertaining to robo-advisors, algorithmic trading and financial research platforms, albeit nascent in India, fall within the ambit of the SEBI’s jurisdiction.

The permissibility of outsourcing regulated functions in the Indian fintech space is governed largely by the outsourcing guidelines issued by the RBI, which are applicable to banks and NBFCs. Broadly speaking, the core regulated activities cannot be outsourced to unregulated entities, under the extant regulatory framework. The RBI also issued Outsourcing Guidelines with respect to non-bank payment system operators on 3 August 2021 (collectively with the outsourcing guidelines applicable to banks and NBFCs, the “Outsourcing Guidelines”) in order to mitigate any risk in relation to the outsourcing of payments and settlements related activities.

Outsourcing Guidelines

These guidelines require that banks, payment system operators and NBFCs have a board-approved outsourcing policy and that they do not outsource “core management functions”, such as internal audit, undertaking regulatory compliances, and decision-making roles such as determining compliance with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider should not, even in such permissible cases, be situated outside of India. Further, any outsourced functions are required to be suitably supervised by the regulated entity outsourcing the activities.

The twin objectives behind this regulatory position are that outsourcing arrangements should not take away from the regulated entities accountability to its customers and that the RBI’s effective supervision of such regulated entities should not be impeded. The outsourcing guidelines mandate regulated entities to undertake appropriate due diligence of the service providers and to include appropriate safeguards in the outsourcing agreement in order to ensure audit and access rights by the regulated entity and the RBI, if so required.

The RBI follows a model whereby it imposes all "gatekeeping" obligations on the entities directly regulated and supervised by it – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

• banks, payment system operators and NBFCs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider;
• payment aggregators are responsible for checking the technical and security infrastructure of the merchants on-boarded by them, and for assessing compliance with regulatory and industry security standards; and
• banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms, that customer grievances are resolved by them, and that the lending platforms comply with requirements of the fair practices code including disclosure of details of the grievance redressal officer, clear disclosure of applicable costs and charges and employing reasonable and lawful means for recovery of dues, without causing undue harassment to the borrowers. From time to time the RBI prescribes specific requirements on regulated entities entering into outsourcing arrangements with loan service providers and for providing loans through mobile/web applications.

A common industry practice is that the risk carried by regulated entities as "gatekeepers" is passed on contractually to unregulated entities, backed by suitable indemnity provisions. However, it is only the cost associated with a non-compliance that can be passed on contractually – and reputational risks continue to rest with the regulated entity. In some cases, the RBI expects that the regulated entity will ensure appropriate contractual safeguards to ensure compliance with regulatory requirements by the unregulated partner or service provider.

Enforcement actions may be undertaken by the RBI in the event of non-compliance from the regulatory framework (see 2.2 Regulatory Regime) in terms of the Reserve Bank of India Act, 1934; the Banking Regulation Act, 1949; or the PSS Act.

Enforcement actions typically take the form of monetary fines and penalties and in exceptional cases, revocation of the authorisations and licences granted by the RBI to regulated entities. The RBI has, in the past, prohibited regulated entities from on-boarding new customers for non-compliance with its instructions on KYC verification for a specified period of time.

Additionally, in 2021, the RBI issued notifications prohibiting American Express, MasterCard and Diners Club International from on-boarding new customers until such a time they achieve compliance with the RBI’s instructions on localisation of payments data.

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services.

• the current Data Privacy Framework requires certain regulated entities (including banks, NBFCs, PPI issuers) to maintain a publicly-available privacy policy and handle customer data in accordance with the framework and such policy;
• the Data Localization Circular (see 2.2 Regulatory Regime);
• the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
• the intermediary guidelines/rules enacted in 2011 under the Information Technology Act, 2000, require "intermediaries" to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe intellectual property, and does not violate any other prevailing laws. The DP Bill is likely to supersede these rules.

"Intermediaries" are defined as any person or service who, on behalf of another person, receives, stores or transmits an electronic record or provides any service with respect to that record.

A key distinction that exists between new fintech players and legacy participants in this regard is the ability to undertake Aadhaar-based E-KYC checks (see 2.4 Variations between the Regulation of Fintech and Legacy Players).

Besides regulators and quasi-regulatory bodies (see 2.6 Jurisdiction of Regulators), the regulatory framework (see 2.2 Regulatory Regime) requires regulated entities to have in place several checks and balances that serve to "review" the functioning and operations of industry participants. By way of an indicative overview:

• banks and NBFCs are subject to a detailed ongoing compliance framework that involves review of their operations by external auditors/accountants; and
• the RBI has set up designated ombudsman offices under its management and supervision, charged with the function of receiving and considering complaints from customers, relating to the deficiencies in banking or other digital payment services, creating an additional, consumer-driven oversight mechanism on regulated entities.

These compliances represent hard regulatory requirements, deviation from which can lead to enforcement actions and/or penal consequences by the RBI (see 2.9 Significant Enforcement Actions). Thus, industry practice is fairly aligned with the regulatory mandate and there is little room for adopting alternative approaches.

While "regulated" products are offered by regulated entities (such as banks, NBFCs, PPI issuers), several intermediaries and service providers (that may not fall within the regulatory framework) have emerged to cater to gaps that may arise in the delivery of financial services and to ensure a seamless, end-to-end digital product delivery. Some of these have led to the emergence of interesting market trends in the Indian fintech space.

Credit Analysis

While access to credit information of consumers in the financial services sector is restricted to specialised, regulated entities termed as "credit information companies" and regulated entities such as banks and NBFCs, the regulatory framework governing credit analysis dates back to 2005. This has led to the development of a market space for unregulated players to undertake non-traditional "behavioural scoring" by utilising data that does not strictly constitute "credit data" and is therefore, currently not subject to regulatory limitations.

The RBI has recently permitted eligible fintech entities to access credit information companies. A key eligibility requirement is that such fintech entities must be owned and controlled by resident Indian citizens.

Such behavioural scoring may be based on social media presence of consumers, consumption patterns on e-commerce websites, etc. However, the enactment of the DP Bill will likely bring even such data collection and analysis within the regulatory ambit.

Virtual Credit Lines

Virtual credit lines (such as easy EMIs, pay-later products) and similar features are popular on e-commerce platforms – as they offer the consumer the flexibility to pace out payments towards purchases. While the credit line for such products is offered by regulated players (banks/NBFCs), the front-facing user interface is typically that of the e-commerce platform itself, which acts as a facilitator for distribution of these credit products to consumers and also offer customer on-boarding services.

The RBI’s report on digital lending has recommended that deferred payment structures such as pay-later products should be treated as on balance sheet lending by regulated entities implying that such credit facilities can only be offered by regulated entities. The anticipated regulatory framework on digital lending is expected to include guidelines on such pay-later models.

Booking Services

Authorised PPI issuers are also offering ticketing (railways, airlines, etc) and hotel booking services in addition to their core product offering to provide their customers a seamless customer experience.

The KYC Master Directions apply to all entities regulated by the RBI, including scheduled commercial banks, NBFCs, PPI issuers, and payment system providers. The KYC Master Directions require such entities to abide by the provisions of the PMLA and various rules framed under it. Regulated entities must file reports of suspicious transactions, including transactions relating to terrorism, with the Financial Intelligence Unit-India. Regulated entities are also required to appoint a principal officer who is responsible for monitoring and reporting of all transactions and sharing of information as required under the law.

Unregulated entities are not required to comply with the provisions of the PMLA and various rules framed under it. The Outsourcing Guidelines also restrict banks, payment system operators and NBFCs from outsourcing core functions such as KYC compliance.

The robo-adviser financial market has been evolving rapidly in India over the last few years; however, the regulatory framework is at a very nascent stage.

While undertaking the business of investment advice requires registration with the SEBI, current regulations do not stipulate a specific requirement for registration of robo-advisers with SEBI.

As a matter of market practice, robo-advisers have focused on one or more asset classes, depending on their client base and area of expertise. There are a range of robo-advisers in India which focus on offering advice in connection with equity-based investments, while others focus on investments in funds and other general wealth advisory.

The legacy players in India have been quick to recognise and utilise the potential of robo-advisers. There are a number of players that have been quick to establish a multi-asset robo-advisory platform.

Legacy players across India have taken a two-pronged approach towards inculcating robo-advisory in their services through:

• acquisition or partnerships with players in the robo-advisory space; or
• development of in-house technology, using internal analytical information for dispensing robo-advisory to their clients, in competition with new and upcoming specialised start-ups.

The robo-advisory landscape in India is still evolving. A focus area has been to solve for network creation and connectivity issues between the client and the robo-adviser platform, which may affect the speed of execution.

Further, it is critical that the nuances of the material and procedural aspects of investments in various assets through a robo-advisory platform are covered by the internal policies of the robo-adviser entities. This is especially important from the perspective of new or first-time investors operating through a robo-advisory platform.

Broadly, the regulatory framework governing loans does not differ across borrower segments. However, the regulations differ depending on the category of lender, ie, whether banks or NBFCs. Both banks and NBFCs, are required to comply with specific capital adequacy, asset quality and prudential norms, however, while banks are generally heavily regulated, NBFCs are only subject to relatively less stringent regulation.

From a business perspective, banks primarily extend secured credit to large entities that pose a lower credit risk and have substantial credit history and business operations. A significant proportion of fintech lenders are licensed as NBFCs – which typically cater to MSMEs and start-ups, which may be unable to demonstrate the same degree of credit strength and operations as large corporations. In the retail/individual borrower space, traditional forms of credit such as home loans/mortgage-backed loans are offered by banks, and more unique products, including smaller ticket, salary/cashflow-backed loans are largely the domain of NBFCs/fintech players.

The RBI has also issued a designated regulatory framework for P2P lenders, ie, entities that do not lend on their own books, but offer loan facilitation services between lenders registered on the platform and prospective borrowers.

Further, the Indian financial sector also often sees lending partnerships between banks and NBFCs – whereby the bank brings the advantage of capital, and the NBFC partner assists with the customer distribution channels and technological aspects.

Traditionally, as a market practice, industry participants have been relying on the following key parameters for credit underwriting processes:

• credit score and credit reports from credit bureaus (such as TransUnion CIBIL, Equifax, Experian and CRIF High Mark);
• annual income and sources of income; and
• status of existing loan accounts, viz, any delayed repayments, defaults, etc.

Notably, the traditional credit underwriting processes are focused on identifying red flags on a historical performance basis.

However, with technological developments, lenders have started to develop and adopt modern credit analysis techniques, which go beyond the traditional sources of data. These techniques involve analysing a prospective borrower’s spending behaviour and pattern, digital footprint, social media behaviour, and other behavioural factors. Technology platforms that already have access to some of this behavioural data have taken the lead in development of these alternate credit scoring models.

In addition, with the objective of facilitating easy credit to borrowers with little or no credit/operating history or weak balance sheets such as start-ups and MSMEs, lenders are also developing alternate credit underwriting models and risk management frameworks that seek to rely on alternate factors while making credit decisions.

While credit underwriting processes are not strictly dictated by legislation, players have traditionally identified the key points of analysis, on the basis of market practice. However, the RBI regulations do dictate detailed regulatory requirements and procedures to be followed for undertaking KYC and anti-money laundering checks on prospective borrowers at the time of on-boarding.

Future Changes in the Underwriting Process

Going forward, account aggregators will play an instrumental role in the credit underwriting process. In September 2016, the RBI issued the NBFC-Account Aggregator Directions setting out the regulatory framework within which account aggregators will operate. Since then, the RBI has issued licences to a select group of entities as account aggregators. Account aggregation is poised to become the next big tool in accessing and unlocking value in multiple financial data sets.

Data of a customer linked to bank accounts, investment products such as mutual fund units, shares and bonds, and insurance policies can now, under the RBI account aggregator framework be “pulled” from a financial information provider and “pushed” to a financial information user (FIU). The account aggregator is the intermediary that manages and controls this data flow. The FIU analyses the aggregated data to determine the eligibility of the customer for various kinds of financial products and services.

Different lender categories in India rely on varied sources of capital for lending. Traditional lenders primarily rely on deposits for providing loans to borrowers and are governed by capital requirements and prudential norms prescribed by the RBI. Further, the RBI restricts banks from sanctioning loans for certain specified end-uses, such as:

• banks are prohibited from sanctioning loans against the security of its own shares;
• banks are prohibited from sanctioning such loans to companies that are proposed to be utilised for buy-back of securities; and
• banks are restricted from granting loans to their directors or their relatives, save and except with the approval of the bank’s board of directors and compliance with other specified restrictions.

NBFC

NBFCs primarily rely on borrowed funds (either from domestic banks or external commercial borrowings, ie, borrowings taken from eligible overseas lenders) and equity funds, to provide loans to customers. NBFCs are also regulated by prudential regulations prescribed by the RBI which inter alia include maintenance of leverage ratio, capital adequacy norms, etc.

The Bond Market

The bond market in India is growing and investors in corporate debt securities include primarily banks, mutual funds, and wealth management funds. The investor entities in debt securities may either be domestic or foreign portfolio investors registered with the SEBI. In case of foreign portfolio investors, there are restrictions on end-uses, in other words, funds raised from such foreign portfolio investors cannot be used for investments in real estate business, capital markets and purchase of land. Given the rating requirements linked to issue of debt securities, access to debt capital markets tends to be restricted to larger corporates and has not been fully tapped into by the newer fintech platforms.

Eligible entities are permitted to borrow funds as external commercial borrowings from eligible overseas lenders, subject to compliance with requirements such as all-in cost ceilings, minimum average maturity periods, end-use restrictions, etc.

P2P Lending

The RBI also permits P2P lending via regulated entities which act as facilitation platforms for lenders to identify prospective borrowers through a digital platform. Under such P2P lending arrangements, only unsecured plain vanilla loans are permitted. Such loans are also subject to maximum exposure limits on lenders sanctioning loans to borrowers through such platforms. The P2P lending platform is itself restricted from providing any loans or granting credit support to loans disbursed on its platform.

Syndication of loans is a common practice in India for funding large borrowing requirements, primarily by corporates. Syndication primarily involves distribution of credit exposure amongst a consortium of lending banks with a common security agent/trustee appointed for holding security for the benefit of the lending banks. The arrangement typically also involves appointment of a “lead bank” for administrative and decision-making purposes.

The lending banks typically also enter into a security-sharing or inter-creditor arrangement, which sets out their respective rights and obligations and the approach to be followed in case of a default by the borrower and enforcement of security.

The RBI has mandated information sharing measures to be followed by banks while granting loans under multiple banking/consortium arrangements. The key measures mandated by the RBI include obtaining declarations from the borrower of the credit facilities availed by them from other banks, establishing a system of exchange of information with respect to the borrower’s credit facilities as between the banks (upon obtaining appropriate consent from the borrower), etc. 

Payment processors primarily rely on existing payment rails for processing and completing payment transactions. For example, payment processors such as payment aggregators use the existing payment rails such as card networks (for card transactions), NEFT and RTGS (for online banking transactions), etc, to process payments. TPAPs for UPI transactions rely on the UPI (operated by the NPCI) for processing and completing UPI payment transactions.

Cross-border payments and remittances are primarily regulated under the Foreign Exchange Management Act, 1999 (FEMA) and the rules, regulations and circulars issued thereunder. The FEMA prescribes different regulations and compliance requirements, depending on the nature of transaction (ie, whether a capital account transaction or a current account transaction) and whether remittances are inward bound to India or outward from India. Such transactions are undertaken by authorised dealers authorised under the FEMA to deal in foreign exchange, on behalf of their clients.

For personal remittances bound inwards to India, residents may use the facility to receive such payments through money transfer operators.

For export and import of goods, the RBI permits authorised dealer category-I banks (“AD-I Banks”) to enter into arrangements with online payment gateway system providers to facilitate payments for such export and import transactions in partnership with the AD-I Banks, subject to compliance with requirements governing timelines for settlement, funds-flow, etc.

Fund administrators/managers such as mutual funds, alternative investment funds, portfolio managers, etc, are regulated by the SEBI. Depending on the nature and scope of their activities, entities engaged in providing investment services through mutual funds, alternative investment funds, portfolio management services, etc, are required to obtain authorisation from the SEBI for undertaking their business activities.

Fund administrators in India are directly regulated by the SEBI and are required to comply with the regulations specified by the SEBI from time to time, depending on the nature of their business. Requirements pertaining to assured performance and accuracy are primarily guided by the SEBI under regulations and not contractually between fund advisors and fund administrators.

Under Indian laws, the key marketplaces and trading platforms for trading in securities are registered stock exchanges and privately managed platforms operated by stockbrokers, each of which are registered with the SEBI.

Stock exchanges facilitate trade in a number of assets such as equity, equity derivatives, currency derivatives, commodity derivatives, debt securities, units in pooled investment vehicles such as infrastructure investment trusts and real estate investment trusts, etc. Different asset classes are governed by varying regulations, depending on the nature of the asset (ie, whether equity linked, debt linked or pooled investment vehicle, etc).

The principal regulators for stock exchanges are the SEBI, the Ministry of Finance and the RBI, depending on the asset class being traded on the stock exchange. Stock exchanges are highly regulated entities and also operate as quasi-regulators, to some extent, by enacting their own separate by-laws and guidelines which govern trading in securities on the stock exchange.

In addition to traditional stock exchanges, the RBI has also recognised electronic trading platforms for transactions in financial market instruments regulated by the RBI. Such electronic trading platforms must be registered with the RBI and are required to comply with minimum capital norms, technological standards and other safeguards.

See 7.1 Permissible Trading Platforms. 

Cryptocurrency, as a legal tender, is not viewed favourably by Indian regulators. In April 2018, the RBI had prohibited all entities regulated by the RBI from facilitating trade in cryptocurrencies by any person. While this prohibition was struck down by the Supreme Court of India in Internet and Mobile Association of India v Reserve Bank of India, the government is proposing to enact a legislation prohibiting trading, use or possession of cryptocurrencies by any person. Upon this legislation coming into force, cryptocurrency exchanges in India will be severely impacted as a majority of their business activities will not be permitted under the proposed legislation (see 12.7 Virtual Currencies).

Listing standards and disclosure requirements are governed by the SEBI and registered stock exchanges. SEBI regulations on listing are fairly comprehensive and detailed and have separate requirements for public issues and private placements. In addition, the regulations also prescribe continuous disclosure requirements in connection with listed securities, based on materiality of events and their impact on the performance of the listed securities.

Placement of orders and settlement of funds for trades completed on the stock exchange are governed by applicable procedural rules which stipulate settlement cycle, timelines for placement of orders and completion of trades, etc. Given that listed securities are mandated to be in dematerialised form, transactions are undertaken through dematerialised accounts through registered brokers or agents.

As far as digital lending is concerned, currently there are 21 P2P lending platforms authorised by the RBI in India. P2P lending platforms have simplified delivery of credit to interested borrowers from non-traditional lenders such as small digital lending platforms and lending start-ups.

Given the extant regulatory framework and regulatory stance against cryptocurrency in India, P2P cryptocurrency trading platforms have very limited operations in India.

In 2010, the SEBI had approved the smart order routing facility to improve the procedure of execution of trades on the stock exchanges. The facility was introduced to enable brokers and trading engines to systemically choose the execution destination based on factors such as price, costs, speed, likelihood of execution and settlement, size, nature or other relevant considerations in connection with execution of an order.

The SEBI prescribes procedural rules for processing of payments for trades in listed securities. For example, in 2018, the SEBI introduced the electronic book process (EBP) for private placement of listed debt securities. Under the EBP, subscription monies in respect of the debt securities must be routed through an escrow account or the bank account of the Clearing Corporation of India Limited and should be credited to the issuer’s account upon allotment of the debt securities.

Trading in securities in India is regulated and governed primarily by SEBI through policy moves for market surveillance and risk mitigation measures at the stock exchanges. The market surveillance systems of SEBI also oversee if appropriate systems and safeguards have been adopted by stock exchanges to check market movements and flag any issues.

An illustration of a tool for risk management at stock exchanges is review of the margining system on a timely basis.

The SEBI, by way of a circular dated 3 April 2008, introduced the concept of Direct Market Access (DMA) and provided a legal framework for regulating such access to the DMA framework.

Further, SEBI permitted institutional investors to use DMA through SEBI-registered investment managers.

In respect of algorithmic trading, SEBI notified the Broad Guidelines on Algorithmic Trading and subsequently notified another set of additional guidelines pertaining to the same.

Additionally, SEBI notified the Measures to strengthen Algorithmic Trading and Co-location/Proximity Hosting framework, which discussed the framework around managed co-locations, measurement of latency for co-location and proximity hosting and free of charge tick-by-tick data feed (“TBT Feed”), penalties on order to trade ration (OTR), unique identifier for algorithms/tagging of algorithms and the testing requirements for software and algorithms. These obligations were directed towards stock exchanges (except commodity derivatives exchanges) in the country.

Recently, the SEBI also notified additional guidelines for OTR for algorithmic trading focused on putting in place effective economic disincentives for high daily OTR of algorithmic trading orders placed by trading members.

The circulars cumulatively constitute the key regulatory framework governing high-frequency and algorithmic trading.

The Guidelines for Market Makers (“Market Maker Guidelines”) require market makers to register with the stock exchanges as per the relevant requirements notified by the stock exchanges.

Generally, any member of a stock exchange is eligible to act as Market Maker provided the criteria laid down by the exchange are met.

Currently, the regulations do not distinguish between funds and dealers in the algorithmic trading space.

The regulatory framework governing the trading algorithms and other electronic trading rules, lay down the following obligations on programmers:

• all algorithmic orders be tagged with a unique identifier provided by the stock exchange in order to establish audit trail; and
• the testing procedure which are to be followed by market participants before deployment of software and algorithms.

The companies or individuals operating Financial Research Platforms are required to be registered as research analyst or research entity under the Securities And Exchange Board Of India (Research Analysts) Regulations, 2014 (“Research Analyst Regulations”) provided they fall under the definition of a research analyst and that of a research entity under the Research Analyst Regulations.

A Research Analyst requires registration if they are primarily responsible for:

• preparation or publication of the content of the research report;
• providing research report;
• making "buy/sell/hold" recommendation;
• giving price target; or
• offering an opinion concerning public offer, with respect to securities that are listed or to be listed in a stock exchange.

A research entity is subject to registration, provided it is an intermediary registered with SEBI that is also engaged in merchant banking, investment banking, brokerage services or underwriting services and issue research report or research analysis in its own name through the individuals employed by it as research analyst and includes any other intermediary engaged in issuance of research report or research analysis.

The Research Analyst Regulations lay down the various check and balances that allow for thorough vetting of the research report and sieving out any unverified information.

Additionally, the Research Analyst Regulations also include obligations for acting with honesty and in good faith, conducting appropriate due diligence, abiding by professional standards and a strict responsibility for the senior management. Non-compliance with the prescribed code of conduct has legal repercussions under the Research Analyst Regulations.

The financial research platforms in India usually do not allow for readers to post on the platforms, they function as closed digital publications. However, in case of any unacceptable behaviour being observed, the financial research platforms usually reserve the right to modify and regulate the content being posted on their websites through their terms and conditions of use.

Additionally, liabilities for persons indulging in unacceptable behaviours such a pump and dump schemes, spreading of insider information, etc, are set out in specific regulations such as the SEBI (Prohibition of Insider Trading) Regulations, 2015, the Indian Penal Code, 1860, the Information Technology Act, 2000, etc.

Entities undertaking insurance business in India are required to be registered as an insurer or an insurance intermediary with the IRDAI. The underwriting processes to be undertake by insurers and insurance intermediaries are specified by the IRDAI and include making appropriate disclosures on costs, expenses and charges payable on insurance policies, rates, terms and conditions of the policy, audit and reporting mechanisms, etc.

Different kinds of insurance business are subject to different regulatory frameworks. Broadly, insurance business may be categorised into two main categories: life insurance and general insurance. General insurance further includes sub-types such as fire insurance, marine insurance, vehicle insurance, etc.

Regtech providers in India are currently primarily centred around providing KYC and related on-boarding services to their clients who are mandatorily required to adopt specified procedures under the PMLA and other AML regulations. Such regtech providers are typically engaged as agents of the regulated entities through outsourcing arrangements and are subject to indirect regulation to some extent through audit, access rights and other similar checks and balances.

In addition, under the regulatory framework governing use of Aadhaar, there are certain specific data security requirements such as masking of Aadhaar information, requirements on storage of Aadhaar, etc, which are also relevant for regtech providers utilising the Aadhaar database for providing their services.

See 11.1 Regulation of Regtech Providers and 2.7 Outsourcing of Regulated Functions.

Traditional financial services players such as banks are unearthing effective and interesting applications for use of blockchain for the financial services industry in India. Currently, 11 Indian banks have aligned in a consortium to introduce and execute a blockchain-based loan system for MSMEs in India.

Further, Banks as well as NBFCs are looking to rely on the blockchain technology for facilitation of KYC procedures. Certain players are also looking to utilise the blockchain technology for order processing and streamlining of internal processes.

The stance of the Indian government towards the Blockchain technology and its various applications has been positive. NITI Aayog, the policy think tank of the government of India, published a report titled Blockchain: The India Strategy, where the use cases for Blockchain as a tool towards enabling ease of business, ease of living and ease of governance were highlighted. The government in its budget speech of 2022 announced that the RBI will issue a Central Bank Digital Currency called the "Digital Rupee" based on the utilisation of the blockchain. It is expected that the "Digital Rupee" will be rolled out in FY2022–23.

Blockchain assets are not considered a form of regulated financial instruments. They have not been classified as securities and are not regulated under the current legal framework laid down by SEBI.

The “issuers” of blockchain assets as well as initial sales or offerings of blockchain assets are not regulated under a dedicated legal framework. Protection against potential fraud by the issuer or intermediaries involved will be based on appropriate legal recourse under general penal laws and consumer protection legislations such as Indian Penal Code, 1860, The Consumer protection Act, 2019 etc.

Blockchain asset trading platforms as well as secondary market trading networks for blockchain assets are not currently regulated by a consolidated framework. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges and 7.7 Issues Relating to Best Execution of Customer Trades.

The current regulatory framework does not contemplate blockchain assets. In such a scenario, the funds investing in blockchain assets stand unregulated.

Owing to a lack of legal framework surrounding blockchain technology and its implementation in India, there is no formal definitions for virtual currencies or blockchain assets and by extension, no differentiation in their treatment under law.

The 2022 budget speech brought some regulatory clarity for the cryptocurrency ecosystem. The government announced that RBI will issue the "Digital Rupee", an Indian Central Bank Digital Currency (“CBDC”)

The government of India is examining the implementation of the Goods and Services Tax (GST) on various virtual asset transactions and has announced that now income from transfer of virtual assets including cryptocurrencies is to be taxed at the rate of 30%. Further, the government also announced a TDS of 1% on all cryptocurrency-based transactions. Gift of virtual digital asset is also proposed to be taxed in the hands of the recipient.

The Cryptocurrency Bill was not introduced in the budget session and is anticipated to be released sometime in 2022.

DeFi has not been defined under any regulations in India, at present. There is a regulatory vacuum with regard to DeFi Platforms. Moreover, India operates in terms of the centralised finance model with RBI acting as the chief financial regulator and does not recognise a DeFi system or related activities.

The regulatory landscape surrounding NFTs is unclear. The only indication of their legality in India is the announcement of the Government allowing the taxation of all digital assets – no clarifications have been made in the context of NFTs whatsoever. More clarity is expected with the tabling of the Cryptocurrency Bill sometime in 2022.

Open banking in India is at a very early stage of development. The first steps towards open banking in India have been:

• introduction of the UPI; and
• introduction of a regulatory framework for account aggregators.

The UPI enables TPAPs (which are primarily technology-based entities) to provide their customers the ability to send and receive payments through their linked bank accounts by utilising mobile technology and infrastructure in a real-time and seamless manner.

Account aggregators are entities which are authorised to collect and collate all financial information of a customer and provide them to financial services providers (when so required for on-boarding purposes), on the basis of approved consent artefacts obtained from customers.

Market players in India are generally gearing up for implementation of the DP Bill, which will overhaul the existing data privacy and security framework, upon enactment. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DP Bill and with the limitations around use, processing and storage of data that are mandated by the DP Bill.