Fintech Primer - II
The first Automatic Teller Machine (“ATM”) was set up in Mumbai in 1987. By 1997, there were around 1,500 ATMs in India. Soon telephone banking became popular; it allows customers to perform, over the telephone, a range of financial transactions that do not involve cash or financial instruments (such as cheques), without the need to visit a bank branch or ATM. As internet usage spread, internet banking became commonplace. As simple mobile phones were replaced by smartphones, mobile banking[1] gained momentum. FinTech businesses came in the wake of mobile banking.
FinTech
The term “FinTech” is short for “financial technology” and could apply to any kind of technology that is used to drive a financial transaction or service, offered by any entity. However, in business and regulatory jargon, FinTech has come to mean the technology used by financial service providers that disrupt the traditional way of providing such services. Thus, businesses such as PayTM, PhonePe, RazorPay, MobiKwik, PayU are all classified as fintech businesses.
Over the last 9 (nine) years, the Indian FinTech market has grown tremendously and consumer adoption of FinTech solutions has been increasing. Since Indian consumers have had positive experiences with tech firms offering non-financial services such as cab aggregation and hotel bookings, they came to expect and demand similar standards from FinTech service providers. India was one of the largest and fastest growing FinTech markets, according to a 2022 report by EY[2]. In fact, digital transactions in India in 2022 were more than four times those in the USA, Britain, Germany and France combined, according to Indian Electronics & Information Technology Minister, Ashwini Vaishnaw.[3] India has a fintech adoption rate of 87% against the global average of 64%.[4]
Payment and Settlement Systems Act, 2007
The Payment and Settlement Systems Act, 2007 (“P&SS Act”) was enacted in December 2007 in order to provide for the regulation and supervision of payment systems in India. The P&SS Act designates the Reserve Bank of India (“RBI”) as the authority for such purpose. A “payment system” is defined to mean a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. As per section 4 of the P&SS Act, an authorisation issued by the RBI is required in order to commence or operate a payment system. Systems enabling the operation of credit or debit cards, smart cards and prepaid payment instruments would qualify as payment systems.
Regulation of Prepaid Payment Instruments by the RBI
Prepaid Payment Instruments (“PPIs”) are instruments which facilitate the purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. On October 11, 2017, the RBI issued the Master Direction on Issuance and Operation of Prepaid Payment Instruments (“2017 PPI Master Directions”) under section 18 read with section 10(2) of the P&SS Act. The 2017 PPI Master Directions consolidated the various circulars that had been issued by the RBI, until then, regarding the issuance and operation of PPIs. Further, in light of the various amendments made to the 2017 PPI Master Directions since 2017, the RBI issued the Master Directions on Prepaid Payment Instruments (PPIs) (“PPI Master Directions/PPI MD”) on August 27, 2021[5]. The salient features of the PPI Master Directions are as follows.
The PPI Master Directions state that no entity can set up and operate payment systems for PPIs without the prior approval/ authorisation of RBI.
Meaning and categorisation of PPIs
As per Para 2.8 of the PPI Master Directions, “Prepaid Payment Instruments” are instruments that facilitate purchase of goods and services, financial services, remittance facilities, etc., against the value stored therein. PPIs that require RBI approval / authorisation prior to issuance are classified under two types: (i) Small PPIs, and (ii) Full-KYC PPIs. Detailed features of such PPIs have been mentioned below.
It is interesting to note that while the 2017 PPI Master Directions categorised PPIs that could be issued in India into three categories: (i) Closed System PPIs, (ii) Semi-closed System PPIs and (iii) Open System PPIs, the PPI MD does not specifically make the above-mentioned categorisation. The PPI MD simply defines ‘Closed System PPIs’ as follows: “PPIs issued by an entity for facilitating the purchase of goods and services from that entity only and does not permit cash withdrawal. These instruments cannot be used for payment or settlement for third party services. The issuance or operation of such instruments is not classified as a payment system requiring approval / authorisation by RBI and are, therefore, not regulated or supervised by RBI.” Hence, any ‘Closed System PPIs’ are outside the purview of the PPI MD.
The PPIs that require RBI’s authorisation for issuance have not been categorised into open or semi closed PPIs. Instead, such PPIs have been classified into (i) small PPIs and (ii) full-KYC PPIs, depending upon whether full KYC is required to be done before such PPI can be issued.
Salient features of Small PPIs and Full-KYC PPIs
Paragraph 9.1 of the PPI Master Directions prescribes further limits on cash loading for PPIs, along with various operational requirements, including the Know Your Customer (“KYC”) documents to be obtained, which are as follows:
- Small PPIs: PPIs of up to Rs. 10,000 (Rupees ten thousand) may be issued with minimum details of the PPI holder. The minimum details shall necessarily include mobile number verified with One Time Password (“OTP”) and self-declaration of name and unique identification number of any of the ‘officially valid documents’ defined under rule 2(d) of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (“PMLR”). The amount loaded during any month or the outstanding amount in the PPI at any point of time shall not exceed Rs. 10,000 (Rupees ten thousand). Further, the total amount loaded during the financial year shall not exceed Rs. 1,20,000 (Rupees one lac twenty thousand). Such PPIs may be used only for purchase of goods and services. Cash withdrawal from such PPIs or fund transfers from such PPIs to bank accounts or to PPIs of the same or other issuers is not permitted.
- Full KYC PPIs: PPIs of up to Rs 1,00,000 (Rupees one lac) may be issued after completing full KYC of the PPI holder. The Video-based Customer Identification Process, as detailed in the RBI Master Direction on KYC dated February 25, 2016, can be used to open full-KYC PPIs as well as to convert Small PPIs into full-KYC PPIs. The amount outstanding at any point of time in such PPIs shall not exceed Rs. 2,00,000 (Rupees two lac). These PPIs shall be used for purchase of goods and services, funds transfer or cash withdrawal.
- should be a company incorporated in India and registered under the Companies Act, 1956 / Companies Act, 2013.
- if regulated by any of the financial sector regulators, should submit a ‘No Objection Certificate’ from its regulator, to the RBI, when seeking authorisation under the PSS Act.
- shall have a minimum positive net worth of Rs. 5,00,00,000 (Rupees five crore) as per its latest audited balance sheet at the time of submitting the application, which shall be certified by its chartered accountant(s). By the end of the third financial year from the date of receiving final authorisation, the entity is required to have a minimum positive net worth of Rs. 15,00,00,000 (Rupees fifteen crore). The net worth has to be maintained by the entity at all times.
- shall be required to submit a net-worth certificate every year, to evidence compliance with the applicable net-worth requirement, within six months of completion of that financial year.
- If the non-bank entity has any foreign direct investment (“FDI”) or foreign portfolio investment (“FPI”) or foreign institutional investment (“FII”), such non-bank entity is additionally required to meet the capital requirements under the consolidated FDI policy guidelines of Government of India, as applicable and as amended from time to time.
- full compliance with the terms and conditions subject to which authorisation was granted;
- fulfilment of entry norms such as capital, net worth requirements, etc.;
- no major regulatory or supervisory concerns related to operations of the PSO, as observed during onsite and / or offsite monitoring;
- efficacy of customer grievance redressal mechanism; and
- no adverse reports from other departments of RBI / regulators / statutory bodies, etc.
- All PPIs shall have a minimum validity period of one year from the date of last loading / reloading in the PPI. PPIs can be issued with a longer validity as well.
- The PPI Issuer shall clearly indicate the expiry period of the PPI to the customer at the time of issuance of PPIs. Such information shall be clearly enunciated in the terms and conditions of sale of PPI.
- PPI issuer shall caution the PPI holder at reasonable intervals, during the 45 days’ period prior to expiry of the validity period of the PPI.
- In case the PPI holder approaches the PPI issuer for refund of the outstanding balance in the PPI, at any time within a period of three years from the expiry date of PPI, then the same shall be paid to the PPI holder in a bank account.
- Gift PPIs: Maximum value of each such prepaid gift instrument shall not exceed Rs.10,000 (Rupees ten thousand). Such instrument shall not be reloadable. Cash-out or funds transfer shall not be permitted for such instrument.
- PPIs for Mass Transit Systems (PPI-MTS): These PPIs shall be issued by MTS operators after authorisation to issue such PPIs under the PSS Act. Such PPIs shall contain the Automated Fare Collection application related to transit service to qualify as such. Apart from MTS, such PPIs shall be used only at those merchant outlets whose activities are allied / related to or are carried on within premises of the MTS. PPI issuer may decide about customer details, if any, required to be obtained for issuance of such PPIs. PPI-MTS issued shall be reloadable in nature and maximum value outstanding in such PPIs shall not exceed the limit of Rs.3,000 (Rupees three thousand) at any point of time. Cash-out or refund or funds transfer shall not be permitted.
- PPIs to Foreign Nationals / Non-Resident Indians (NRIs) visiting India: Banks / Non-banks permitted to issue PPIs can issue INR denominated full-KYC PPIs to foreign nationals / NRIs visiting India, after physical verification of Passport and Visa of the customers at the point of issuance. The PPIs can be issued in the form of wallets linked to UPI and can be used for merchant payments (P2M) only. Loading / Reloading of such PPIs shall be against receipt of foreign exchange by cash or through any payment instrument. The conversion to Indian Rupee shall be carried out only by entities authorised to deal in Foreign Exchange under FEMA. The amount outstanding at any point of time in such PPIs shall not exceed the limit applicable on full-KYC PPIs.
- Directions For Opening And Operation Of Accounts And Settlement Of Payments For Electronic Payment Transactions Involving Intermediaries dated November 24, 2009 (“2009 EPT Directions”); and
- Guidelines on Regulation of Payment Aggregators and Payment Gateways dated March 17, 2020 (“PAPG Guidelines”).
- financial integrity;
- good reputation and character; and
- honesty.
- Convicted by a court for any offence involving moral turpitude or any economic offence or any offence under the laws administered by the RBI;
- Declared insolvent and not discharged;
- An order, restraining, prohibiting or debarring the person from accessing / dealing in any financial system, passed by any regulatory authority, and the period specified in the order has not elapsed;
- Found to be of unsound mind by a court of competent jurisdiction and the finding is in force; and
- Is financially not sound.
- a financial institution which is a company;
- a non-banking institution which is a company and which has as its principal business the receiving of deposits, under any scheme or arrangement or in any other manner, or lending in any manner;
- such other non-banking institution or class of such institutions, as the Bank may, with the previous approval of the Central Government and by notification in the Official Gazette, specify;”
- e-sign service,
- an electronic equivalent of a document, with a valid digital signature issued by the issuing authority of the document, including those documents that are issued to the digital locker account of the investor as per Rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016, and
- electronic signatures, including the eSign mechanism of Aadhaar, shall be accepted in lieu of wet signature and all these three would be accepted as technological innovations facilitating online KYC.
- Retail payments
- Money transfer services
- Marketplace lending
- Digital KYC
- Financial advisory services
- Wealth management services
- Digital identification services
- Smart contracts
- Financial inclusion products
- Cyber security products
- Mobile technology applications (payments, digital identity, etc.)
- Data Analytics
- Application Program Interface (APIs) services
- Applications under block chain technologies
- Artificial Intelligence and Machine Learning applications
- Credit registry
- Credit information
- Crypto currency/ Crypto assets services
- Trading/investing/settling in crypto assets
- Initial Coin Offerings, etc.
- Chain marketing services
- Any other product/service which has been banned by the regulators/Government of India.
- Insurance Solicitation or Distribution
- Insurance Products
- Underwriting
- Policy and Claims Servicing
- Any other category recognised by IRDA.
- Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only. Adequate safeguards shall be put in place to ensure that PAN cannot be found out or obtained from the token and/or vice versa, by anyone except the card network. Integrity of token generation process shall be ensured at all times.
- Tokenisation and de-tokenisation requests should be logged by the card network and available for retrieval, if required.
- The actual card data, token and other relevant details of the card shall be stored in a secure mode. Token requestors shall not store the PAN or any other card related detail.
- The card network shall get the token requestor certified for (a) token requestor’s systems, including hardware deployed for this purpose, (b) security of token requestor’s application, (c) features for ensuring authorised access to token requestor’s app on the identified device, and, (d) other functions performed by the token requestor, including customer on-boarding, token provisioning and storage, data storage, transaction processing, etc.
- Card networks shall get the card issuers/acquirers, their service providers and any other entity involved in payment transaction chain, certified in respect of changes done for processing tokenised card transactions by such persons.
- All certification/security testing by the card network shall conform to international best practices/globally accepted standards.
- Registration of card on token requestor’s app shall be done only with explicit customer consent through Additional Factor of Authentication (AFA), and not by way of a forced/default/automatic selection of check box, radio button, etc.
- AFA validation during card registration, as well as, for authenticating any transaction, shall be as per the existing RBI regulations for authentication of card transactions.
- Customers shall have option to register/de-register their card for a particular use case, i.e., contactless, QR code based, in-app payments, etc.
- Customers shall be given option to set and modify per transaction and daily transaction limits for tokenised card transactions.
- Suitable velocity checks (i.e., how many such transactions will be allowed in a day/week/month) may be put in place by card issuers/card network as considered appropriate, for tokenised card transactions.
- For performing any transaction, the customer shall be free to use any of the cards registered with the token requestor app.
- Secure storage of tokens and associated keys by token requestor on successful registration of card shall be ensured.
- Card issuers shall ensure easy access to customers for reporting loss of “identified device” or any other such event which may expose tokens to unauthorised usage. Card network, along with card issuers and token requestors, shall put in place a system to immediately de-activate such tokens and associated keys.
- Dispute resolution process shall be put in place by card network for tokenised card transactions.
- Card network shall put in place a mechanism to ensure that the transaction request has originated from an “identified device”.
- Card network shall ensure monitoring to detect any malfunction, anomaly, suspicious behaviour or the presence of unauthorized activity within the tokenisation process and implement a process to alert all stakeholders.
- Based on risk perception, etc., card issuers may decide whether to allow cards issued by them to be registered by a token requestor.
- The facility of tokenization shall be offered by the TSPs only for the cards issued by/ affiliated to them.
- The ability to tokenise and de-tokenise card data shall be with the same TSP.
- Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.
- If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined.
- The merchant shall give an option to the cardholder to de-register the token. Further, a token requestor having direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through it by the cardholder; and provide an option to de-register any such token.
- A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her/him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.
- Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom (s)he had earlier registered the card.
- The TSP shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.
- Other than the card issuer and the card network, the merchant or its Payment Aggregator (PA) involved in settlement of such transactions, can save the CoF data for a maximum period of T+4 days (“T” being the transaction date) or till the settlement date, whichever is earlier. This data shall be used only for settlement of such transactions and must be purged thereafter.
- For handling other post-transaction activities, acquiring banks can continue to store CoF data until January 31, 2023.
- The CBDC general purpose (retail) (“CBDC-R”), to be used by the private sector and consumers; and
- CBDC wholesale (“CBDC-W”), to be used by banks and settlement systems.
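
The card-on-file (CoF) retention rule in the tokenisation requirements above (T+4 days or the settlement date, whichever is earlier, with a separate cut-off for acquiring banks) can be checked mechanically against stored records. The following Python code is an added example, not part of the original article or of any RBI text; the record schema, the role names, the fail-closed handling of unknown holders and the reading of “T+4” as calendar days are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Holder roles taken from the retention rule on this page (names are assumed).
EXEMPT_ROLES = {"card_issuer", "card_network"}           # no cap stated
SETTLEMENT_ROLES = {"merchant", "payment_aggregator"}    # T+4 / settlement cap
ACQUIRER_SUNSET = date(2023, 1, 31)  # acquiring banks, post-transaction activities
RETENTION_DAYS = 4                   # "T+4", counted as calendar days (assumption)


@dataclass(frozen=True)
class CofRecord:
    """One stored card-on-file entry (hypothetical schema)."""
    record_id: str
    holder_role: str
    txn_date: date
    settlement_date: Optional[date] = None  # None while unsettled


def purge_deadline(rec: CofRecord) -> Optional[date]:
    """Last day the holder may keep the record; None means no cap applies."""
    if rec.holder_role in EXEMPT_ROLES:
        return None
    if rec.holder_role == "acquiring_bank":
        return ACQUIRER_SUNSET
    if rec.holder_role in SETTLEMENT_ROLES:
        cap = rec.txn_date + timedelta(days=RETENTION_DAYS)
        # "T+4 days or till the settlement date, whichever is earlier"
        if rec.settlement_date is not None:
            return min(cap, rec.settlement_date)
        return cap
    # Design choice of this example: an unknown holder gets no retention
    # window, so its records are flagged from the day after the transaction.
    return rec.txn_date


def overdue(records, today: date):
    """Return IDs of records that should already have been purged."""
    flagged = []
    for rec in records:
        deadline = purge_deadline(rec)
        if deadline is not None and today > deadline:
            flagged.append(rec.record_id)
    return flagged


# Constructed sample data, not taken from any real system.
SAMPLE = [
    CofRecord("r1", "merchant", date(2024, 3, 1), date(2024, 3, 3)),
    CofRecord("r2", "merchant", date(2024, 3, 1)),
    CofRecord("r3", "payment_aggregator", date(2024, 3, 1), date(2024, 3, 8)),
    CofRecord("r4", "card_issuer", date(2020, 1, 1)),
    CofRecord("r5", "acquiring_bank", date(2022, 12, 1)),
]

if __name__ == "__main__":
    print(overdue(SAMPLE, date(2024, 3, 4)))
```

Run as a scheduled audit over the data store, the flagged IDs are the records to purge and to investigate for why they outlived their window.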