India: JSA Newsletter - Fintech

What's New?

MeitY publishes draft Digital Personal Data Protection Bill, 2022

The Ministry of Electronics and Information Technology ("MeitY") published the draft Digital Personal Data Protection Bill ("DPDP Bill"). The DPDP Bill is considerably concise compared to its predecessors.

Notable Features of DPDP Bill

1. The DPDP Bill no longer classifies personal data into sensitive or critical personal data. It now covers all digital personal data. In addition, the DPDP Bill does not cover 'non-personal data' or anonymized data.
2. The DPDP Bill does not expressly prohibit cross-border data transfers or prescribe any specific compliances (such as standard contractual clauses or prior Government approval) for the transfer of personal data outside India. Instead, it permits a data fiduciary / data controller to transfer personal data outside India to whitelisted countries. The list of whitelisted countries and associated terms and conditions for the cross-border transfer of data are to be notified by the Central Government.
3. The DPDP Bill has done away with criminal penalties and only prescribes monetary penalties.

Issues

1. Unlike its predecessor, the DPDP Bill does not contain a transition period following its enactment.
2. The DPDP Bill grants data principals the right to view privacy and consent notice in English and in such other languages that are specified in the Eighth Schedule to the Constitution of India. This will create an onerous obligation on data fiduciaries to prepare privacy and consent notices in 23 (twenty three) different languages.
3. The DPDP Bill does not clarify its overlap with the CERT-IN Directions, 2022 in relation to breach reporting.

DPDP Bill is expected to be discussed in the Parliament in the 2023 Budget Session (January- February 2023).

For a detailed analysis, please refer to JSA Prism of November 21, 2022.

RBI launches pilot CBDC-R

On October 07, 2022, the RBI issued a concept note on 'Central Bank Digital Currency' ("CBDC"). CBDC, unlike private virtual currencies, is essentially paper currency in digital form backed by the RBI.

The concept note identifies the following two models of CBDCs which could be introduced:

1. A retail-oriented CBDC ("CBDC-R"), which would be available for use by all (i.e., private sector, non-financial consumers and businesses); and
2. A wholesale-oriented CBDC, for settlement of interbank transfers, which would be used and accessed only by selected financial institutions.

In furtherance of the concept note, the RBI has launched its first pilot for retail digital rupee (e?-R) (as CBDC-R). Currently, the program has been launched in 4 (four) cities – Bengaluru, Bhubaneshwar, New Delhi and Mumbai, and will cover a selected group of participating customers and merchants. It will also see participation from four banks – namely, State Bank of India, ICICI Bank, Yes Bank and IDFC First Bank. Gradually, the RBI proposes to expand the program to Ahmedabad, Gangtok, Guwahati, Hyderabad, Indore, Kochi, Lucknow, Patna and Shimla.

The CBDC is expected to reduce dependency on cash, lower currency management costs and reduce settlement risk.

IRTG releases SOP for Interoperable Regulatory Sandbox

The Inter-Regulatory Technical Group ("IRTG") was constituted for inter-regulatory co-ordination among the financial sector regulators on FinTech related issues. The IRTG has proposed a Standard Operating Procedure ("SOP") for hybrid products/services that fall within the remit of two or more financial sector regulators.

The purpose of the SOP is to simplify procedures for innovators who propose to test products/models/features that fall within the ambit of two or more financial sector regulators. A common window has been created for them so that they do not have to engage with multiple regulators. This SOP also aims to promote innovation in the FinTech sector as a whole by simplifying compliance and procedures imposed by different regulators.

As per the SOP, the RBI's FinTech Department will act as the nodal point for receiving applications and the regulator under whose remit the dominant feature of the product falls will be designated as the principal regulator. The product/model/feature will be governed by the regulatory sandbox framework of the principal regulator.

RBI issues draft Master Directions on Information Technology Governance, Risk, Controls and Assurance Practices ("Draft IT MD")

The RBI has issued the Draft IT MD to consolidate and update the guidelines relating to information technology governance, practices, controls, business continuity, disaster recovery management, addressing cyber security related risk and information systems audit. The Draft IT MD intend to mitigate any financial, operational and reputational risks to regulated entities such as scheduled commercial banks, small finance banks, payments banks, non-banking financial companies, financial institutions and credit information companies.

The RBI sought stakeholders comments up to November 20, 2022; and has not yet published the final master directions. The final master directions will are to take effect 6 (six) months from the date they are published on the RBI website.

Notably, in June 2022, RBI had issued a draft Master Direction on Outsourcing of IT Services to ensure effective management of associated risks in outsourcing IT activities by regulated entities. The final draft of these master directions is also yet to be published.

Payment Aggregator License

Between July and September 2022, RBI had issued in-principal approvals for payment aggregator ("PA") licenses to several FinTech firms including Razorpay, Stripe, 1PayMobileware, Pine Labs, and Cashfree Payments. Recently, in November, 2022 – the RBI granted in-principle approval to Open Financial Technologies Pvt Ltd and SabPaisa. These approvals are subject to these entities conducting an audit within six months.

Notably, RBI recently instructed Razorpay, Stripe and Cashfree to temporarily stop onboarding new merchants until they submit their security audit reports.

RuPay Credit Card linked to UPI

With a view to widen the applicability of UPI, the RBI launched UPI-linked RuPay credit cards in September 2022.

In view of the above, the National Payments Corporation of India ("NPCI") issued an operating circular for RuPay credit card linkage to UPI. Notably, unlike other transactions under UPI, which are free of cost, for credit card-linked transactions of over INR 2,000/- (Indian Rupees Two Thousand only), an interchange fee will be charged out of which 0.08% (zero point zero eight percent) of the transaction value will be paid out to payer Payment Service Provider ("PSP") and the UPI App each in case of retail merchant category transactions. In all other cases, 0.04% (zero point zero four percent) of the transaction value will be paid to each of them.

Notably, no merchant discount rate should apply for merchants with turnover of up to INR 20,00,000/- (Indian Rupees Twenty Lakh only) in previous financial year for transaction amount less than and equal to Rs. 2,000/- (Indian Rupees Two Thousand only).

NPCI extends period to comply with volume cap under UPI

In November, 2020, the NPCI had imposed a volume cap of 30% (thirty percent) on all third party application providers ("TPAPs") and payment system provider banks ("PSPs") in the UPI ecosystem with effect from January, 2021. Existing players who had a market share of over 30% at the time were given a period of 2 (two) years to comply with the cap.

As the deadline for compliance approached, the NPCI further increased the timeline by two more years (till December 31, 2024) to comply with the market cap, keeping in view the present usage of UPI and the goal to widen the scope and penetration of UPI.

This extension has been welcomed by market leaders having a market cap of over 30% each as it will help them navigate new waters, with the introduction of CBDC-R or other alternatives to UPI.

Quick Snapshots

1. The RBI has launched a new supervisory technology called 'DAKSH' to monitor compliance by regulated entities such as banks and non-banking financial companies. DAKSH is also proposed to enable seamless communication, inspection planning and execution, cyber incident reporting and analysis, etc. with anytime-anywhere secure access.
   
   The RBI instructed the migration of the Central Payments Fraud Information Registry (CPFIR) to DAKSH with effect from January 1, 2023. From January 1, 2023, all entities have to report payment frauds through DAKSH.

2. The RBI has cancelled Paytm Payment Services Limited's ("PPSL") PA application and granted a 120 (one hundred twenty) day period for resubmission. During this period, the RBI has instructed PPSL to comply with guidelines on foreign direct investment and seek necessary approvals for past downward investment from One 97 Communications Limited to PPSL. PPSL has also been restricted from onboarding new online merchants during this period.
3. NPCI has updated its Procedural Guidelines for UPI. While existing obligations for UPI participants have been retained, NPCI has added additional procedures pertaining to new offerings such as invoice in a box (whereby merchants can share invoice with their customers before they authorize the transaction), signed intent and QR and UPI International.
4. NPCI International Payments Ltd., NPCI's international arm, has collaborated with Worldline to expand the acceptance of UPI and RuPay by European merchants. We are also anticipating the launch of UPI's linkage with PayNow (Singapore's real-time payment system) which will allow instant transfer of money between users in the two countries and could cut cross-border transaction fees by half.
5. NPCI Bharat BillPay Ltd. ("BBPS") partnered with Kotak Mahindra Bank Limited ("Kotak") to offer payment of Kotak credit cards through the BBPS framework. Kotak is now the first private bank to go live as a biller in the credit card category.
6. NPCI announced the launch of BHIM App open-source license model under which it will license BHIM's App's source codes to PSPs who do not have UPI apps of their own. This move is in furtherance of NPCI's 'Digital Payments for All' goal.
7. The big market players in cryptocurrencies such as WazirX, Hike, Coinswitch, Coinbase, CoinDCX and Polygon have announced formation of a new association, 'Bharat Web3 Association'. This association will focus on encouraging and promoting Web3 industry, making people aware about technology in domain of Web3, promoting dialogue between key stakeholders, and setting standardized principles for Web3 industry.
   
   

Investments in the Fintech Sector

Below are some of the notable investments in the FinTech sector this quarter:

1. FinTech SaaS startup Lentra raises $60,000,000 (United States Dollars Sixty Million) in Series B funding round led by Bessemer Venture Partners and SIG Venture Capital. This round also saw participation from Citi Ventures. This fresh funding is proposed to be used for international expansion.
2. FinTech credit provider KreditBee has raised $80,000,000 (United States Dollars Eighty Million) in Series D funding. Investors include Premji Invest, Motilal Oswal Alternates, MUFG Bank, NewQuest Capital Partners, and Mirae Asset Ventures.
3. PhonePe is reportedly set to raise $700,000,000 (United States Dollars Seven Hundred Million) at a valuation of $12,000,000,000 (United States Dollars Twelve Billion).
4. Surat-based Vijaya Fintech Pvt. Ltd., a B2B Wealth Management software and platform provider, raises $1,000,000 (United States Dollars One Million) in its angel round.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.