India: Corporate & Commercial Monthly Newsletter July 2023

Guidelines on the FLDG Framework

Arrangements between Regulated Entities¹ (RE/REs) and Lending Service Providers (LSPs) or between two REs involving Default Loss Guarantee (DLG)² are commonly known as First Loss Default Guarantee (FLDG).

When the FLDG was introduced, there were concerns about the guarantee arrangement limit that fintech 'mainly unregulated' gives to banks, which could be as high as 100%. In August 2022,³ the RBI issued a total ban on FLDG, referring to them as synthetic securitization⁴ in terms of which it was stated that the recommendation pertaining to FLDG was under examination with the Reserve Bank. It was examined by the RBI and now, it has been decided to permit such arrangements subject to certain guidelines. Such DLG arrangements conforming to these guidelines shall not be treated as 'synthetic securitization' and shall also not attract the provisions of 'loan participation'.⁵

On June 8, 2023, the Reserve Bank of India (RBI) issued Guidelines on Default Loss Guarantee in Digital Lending (Guidelines)⁶. The Guidelines are issued under the provisions of the Banking Regulation Act, 1949, Reserve Bank of India Act, 1934, National Housing Bank Act, 1987 and Factoring Regulation Act, 2011.

Key aspects:

• Under the framework, RBI mandates that the total amount of DLG cover on any outstanding loan portfolio must not exceed 5% of the loan portfolio's value.
• This limit is specified upfront⁷. In the event, where there are implicit guarantee arrangements, the DLG provider (the entity providing the guarantee) is not permitted to take on performance risk greater than 5% of the underlying loan portfolio.⁸
• The REs responsible for managing the distressed loan portfolio are required to invoke the DLG within a maximum overdue period of 120 days, unless the borrower has made good the overdue amount before that⁹.
• Individual loan assets in the portfolio must be identified as Non-Performing Asset (NPA) and provisioned as per existing asset classification and provisioning criteria, regardless of any DLG coverage available at the portfolio level.
• The DLG amount invoked shall not be adjusted against the underlying individual loans. If the RE manages to recover any amount from the loans on which the DLG has been invoked and realizes the funds, the REs can share this recovery with the DLG provider as per the terms of the agreement.¹⁰
• The duration of the DLG agreement shall not be less than the longest tenor of the loan in the underlying loan portfolio.¹¹
• The RE shall establish a method to guarantee that LSPs with whom they have a DLG arrangement announce on their website the total number of portfolios and the respective value of each portfolio on which DLG has been offered.¹²
• REs are required to establish a board-approved policy before engaging in any FLDG arrangement. This policy will have to be carefully drafted from a legal and regulatory perspective to ensure that it encompasses the eligibility criteria for FLDG providers, the nature and scope of the cover, the process for monitoring and reviewing the arrangement, and the details of any fees payable to the DLG provider¹³. Additionally, robust credit underwriting standards must be implemented regardless of the presence of DLG cover¹⁴
• In the event when a RE enters into or renews a DLG arrangement, it must procure sufficient information to ensure that the entity extending the DLG can honour it. This information must include, at a minimum, a declaration from the DLG supplier, confirmed by the statutory auditor, on the total amount of DLG outstanding, the number of REs, and the number of portfolios against which DLG has been issued. The disclosure must also provide past default rates on comparable portfolios.¹⁵
• Guarantees covered under the following schemes/entities shall not be covered within the definition of DLG¹⁶:
• • Guarantee schemes of Credit Guarantee Fund Trust for Micro and Small Enterprises (CGTMSE).
  • Credit Risk Guarantee Fund Trust for Low Income Housing (CRGFTLIH).
  • Individual schemes under National Credit Guarantee Trustee Company Ltd (NCGTC).
  • Credit guarantee provided by Bank for International Settlements (BIS).
  • International Monetary Fund (IMF) as well as Multilateral Development Banks^17.

Master Directions on cyber resilience and digital payment security controls for Payment System Operators

RBI, in exercise of powers conferred under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (PSS Act), released the Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (Master Directions) for inviting comments from all stake holders.

In furtherance of the objectives of the PSS Act, which is the overarching governing law for Payment System Operators (PSOs) in India, the Master Directions aim to ensure that the PSOs are resilient to traditional and emerging information systems and cyber security risks; have robust governance mechanisms for identification, assessment, monitoring, and management of such risks; and in addition, to also maintain baseline security measures for ensuring system resiliency for safe and secure digital payment transactions.

Key aspects:

• Payment system and PSOs: The PSS Act defines 'payment system' as a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. Thus, transactions undertaken through credit or debit cards, online transfer of money, any money transfer operations or similar operations would be included under the definition of 'payment system'. Therefore, a PSO is someone who operates an authorized payment system.
• Categorization of PSO's in the Master Directions:
• • Large non-bank PSOs (such as Clearing Corporation of India Ltd (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Ltd, etc.
  • Medium non-bank PSOs (such as cross-border (in-bound) money transfer operators under Money Transfer Service Scheme)
  • Small non-bank PSOs (Small Prepaid Payment Instruments issuers and Instant Money Transfer Operators).
• Governance controls:
• • As per the Master Directions, the Board of Directors (Board) of the PSO shall be responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. However, primary responsibility may be delegated to a committee of the Board which must meet at least once every quarter.
  • The PSO is also responsible for developing a Board approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialized, which will be reviewed annually. The IS policy shall cover at the minimum:
  • • Roles and responsibilities of Board/Sub- Committees of the Board, senior management and other key personnel;
    • Measures to identify, assess, manage and monitor cyber security risk which shall also include various types of security controls for ensuring cyber resiliency along with processes for training and awareness of employees/stakeholders.
• Cyber security preparedness: The PSO is required to prepare a distinct Cyber Crisis Management Plan (CCMP) to detect, contain, respond, and recover from cyber threats and attacks, which is to be approved by Board and should refer to relevant guidelines for guidance from CERT-In; National Critical Information Infrastructure Protection Centre (NCIIPC); IDRBT etc.
• Risk assessment and monitoring: The Board of a PSO is required to entrust the responsibility and accountability for implementing the IS policy and the cyber resilience framework to a senior level executive, such as a Chief Information Security Officer (CISO), etc. Further, the PSO will define appropriate Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls which will be continuously monitored by the sub-committee of the Board referred to above.
• Business continuity plan: The draft master Directions also provides, amongst others, that the PSOs shall develop a Business Continuity Plan which includes comprehensive cyber incident response, resumption, and recovery plans to manage cyber security events or incidents.
• Employee awareness/training: Emphasis has also been placed on employee awareness and training programs that will play a vital role in ensuring information security and mitigating cyber risks. The Master Directions states that regular evaluations of cyber security awareness among employees is to be conducted and employees with an awareness level below a benchmark score may be restricted/prohibited from accessing information assets.

By putting these governance controls in place, the Master Directions has provided the PSOs a framework for overall information security preparedness as well as entrusted them with the responsibility of protecting their customers from cyber threats and monetary losses.

To view the full article please click here.

Footnotes

1 The guidelines apply to DLG arrangements entered into by REs in 'Digital Lending' activities.

2 Guidelines on Default Loss Guarantee (DLG) in Digital Lending, Regulation 2.1, Default Loss Guarantee (DLG): A contractual arrangement, called by whatever name, between the Regulated Entity (RE) and an entity meeting the criteria laid down at para 3 of these guidelines, under which the latter guarantees to compensate the RE, loss due to default up to a certain percentage of the loan portfolio of the RE, specified upfront. Any other implicit guarantee of similar nature linked to the performance of the loan portfolio of the RE and specified upfront, shall also be covered under the definition of DLG. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12514&Mode =0

3 https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=54187

4 https://yourstory.com/2023/06/fldg-explained-new-rules-changes-impact-borrowers-fintechs-banks

5 Supra note 2, paragraph 2 of the RBI circular issuing the First Loss Default Guarantee (FLDG) guidelines as on June 8, 2023.

6 https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12514&Mode =0

7 Guideline 6.

8 Id.

9 Guideline 9.

10 Guideline 7.

11 Guideline 10.

12 Guideline 11.

13 Guideline 12.1.

14 Guideline 12.2.

15 Guideline 12.3.

16 Guideline 14.1,14.2.

17 Master Circular - Basel III Capital Regulations, May 12, 2023, See Clause 5.5 Claims on MDBs, BIS and IMF : (a) World Bank Group: IBRD and IFC, (b) Asian Development Bank, (c) African Development Bank, (d) European Bank for Reconstruction and Development, (e) Inter-American Development Bank, (f) European Investment Bank, (g) European Investment Fund, (h) Nordic Investment Bank, (i) Caribbean Development Bank, (j) Islamic Development Bank and (k) Council of Europe Development Bank (l) International Finance Facility for Immunization (IFFIm) (m) Asian Infrastructure Investment Bank (AIIB). 31MCE5308DBA8F0D411C80989DDF3259E843.PDF (rbi.org.in)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.