1. What legislative and regulatory provisions govern the fintech space in your jurisdiction and who enforces these?
The laws that regulate the technology used by service providers to furnish financial services to users are referred to as fintech laws.
A. The following legislative provisions govern the fintech space in India:
a) Payment and Settlement Systems Act, 2007:
Payment and Settlement Systems Act, 2007 (“PSA Act”), came into force on December 20, 2007, to regulate and supervise payment systems in India.
Under the PSA Act, a payment system is defined to mean a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. It is typically a system enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations. In order to commence or operate a payment system, a person/ an entity is required to obtain an authorisation from the Reserve Bank of India (“RBI”). RBI has the right to access information of a payment system and the power to enter and inspect any premises where a payment system is being operated.
b) Information Technology Act, 2000:
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), came into force on April 11, 2011, with an intent to prescribe reasonable security practices and procedures to body corporates that possess, deal or handle any personal data and sensitive personal data.
The Information Technology Act, 2000 (“IT Act”), read with the SPDI Rules, mandates an entity collecting, disclosing or transferring sensitive personal data or information (inter alia, password, financial information like bank account or credit card or debit card or other payment instrument details, etc.) to obtain the consent of the provider of such sensitive personal data or information.
Further, any entity that collects, receives, possesses, stores, deals or handles personal information (i.e., information that relates to a natural person) of an individual, which includes sensitive personal data or information, is mandated to provide a privacy policy and handle such data in line with the prescribed security standards.
c) Personal Data Protection Bill, 2019:
Personal Data Protection Bill, 2019 (“PDP Bill”), was drafted to provide protection to individuals with respect to sharing of their personal data, specifying the flow and usage of personal data, creating a relationship of trust between persons and entities processing their personal data, cross-border transfers, accountability of entities processing personal data, etc.
On the PDP Bill being passed in its current form, the entities that collect personal data/ sensitive personal data and those companies determining the purpose and means of processing such personal data would be required to additionally adhere to data localisation requirements applicable to sensitive personal data, as prescribed under the PDP Bill.
B. The following regulatory provisions govern the fintech space in India:
a) RBI – Master Direction on issuance and operation of pre-paid payment instruments issued on October 11, 2017 (“PPI Master Direction”):
i. Nature of PPIs: Pre-paid instruments (“PPI”) fall within the ambit of payment instruments under the PSA Act.
ii. Role of PPIs: PPIs facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments.
iii. Types of PPIs:
- Closed PPIs: These are instruments that facilitate the purchase of goods and services from the entity issuing such instruments only, with no cash withdrawals being allowed in such PPIs. Such PPIs can be issued by any entity and do not require prior approval/ authorisation by the RBI.
- Semi-closed PPIs: These are instruments that facilitate the purchase of goods and services, including financial services, remittance facilities, etc., with identified merchant locations/ establishments that have a specific contract with the entity issuing such PPI; and can be issued by banks/ non-bank entities.
- Open PPIs: These are instruments that can be used for the purchase of goods and services from any merchants, including financial services, remittance facilities, etc. Such open PPIs may also be encashed and can only be issued by banks.
iv. Authorisation from RBI: Both bank and non-bank entities, regulated by any financial regulator, are mandated to apply to the Department of Payment and Settlement Systems (“DPSS”), and the RBI with a no objection certificate from their respective regulator. Additionally, non-bank entities, seeking authorisation from the RBI, should hold a prescribed amount as capital and follow other eligibility requirements stipulated by the RBI.
v. Policies: PPI issuers are mandated to have in place an information security policy and a customer grievance redressal framework. Additionally, non-bank entities issuing semi-closed PPIs are mandated to have a customer protection policy.
vi. Reporting: A net-worth certificate, declaration & undertaking by the director, list of co-branding partnerships, auditor certificate on maintenance of balance in escrow account, PPI customer grievance report, PPI statistics, etc., have to be submitted in the prescribed manner. Additionally, non-bank entities are required to submit their system audit report — including a cyber security audit that is conducted by the Indian Computer Emergency Response Team’s empanelled auditors — to DPSS within two months of the close of the financial year.
b) RBI notification on processing and settlement of import and export related payments, facilitated by online payment gateway service providers, dated September 24, 2015 (“OPGSP Notification”):
i. Domestic entities are permitted to facilitate cross-border transactions if such entities are functioning as intermediaries for electronic payment transactions in terms of the guidelines stipulated by DPSS. Further, such entities are required to maintain separate accounts for domestic and cross-border transactions.
ii. Foreign entities are allowed to operate as online payment gateway service providers (“OPGSP”), adhering to certain eligibility requirements prescribed under the OPGSP Notification.
iii. Transactions permitted:
- Import: Only goods and software (as permitted) of value not exceeding USD 2,000 can be imported. Further, only the prescribed debits and credits can be carried on in the OPGSP import collection account.
- Export: Only goods and software (as permitted) of value not exceeding USD 10,000 can be exported. Further, only the prescribed debits and credits can be carried on in the OPGSP export collection account maintained in India.
c) RBI Guidelines on payment aggregator and payment gateway issued on March 17, 2020 (“RBI PA/ PG Guidelines”):
i. Payment Aggregators (“PAs”) are a link that facilitates payments from customers to e-commerce sites and merchants. Payment Gateways (“PGs”) provide technology infrastructure to route and facilitate processing of an online payment transaction, without handling any funds.
ii. Authorisation from RBI: PAs are divided into bank PAs and non-bank PAs. Whereas bank PAs are not required to obtain a separate authorisation from the RBI, non-bank PAs are required to abide by the prescribed eligibility requirements and seek authorisation from the RBI. Non-bank PAs are mandated to obtain a no-objection certificate from the RBI under the PSA Act and abide by certain conditions such as capital requirements, governance (fit and proper), authorisation provisions, money laundering provisions, merchant on-boarding, escrow account management, baseline technology related recommendations, etc.
iii. Policies: PAs are mandated to put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, board approved information security policy, IT policy and mechanism governing cyber security incident reporting with details as prescribed.
iv. Reporting: Annual (net worth, audit report & cyber security audit report), quarterly (auditors’ and bankers’ certificate on escrow account), monthly (statistics of transactions held) and non-periodic (declaration & undertaking by directors, reports from banks and cyber security incident reports) reports, in accordance with the stipulated timelines, are required to be submitted by PAs.
d) RBI – Ombudsman Scheme for Digital Transactions, 2019 (“Ombudsman Guidelines”): In order to protect the interest of the public and the conduct of businesses relating to payment systems, the RBI vide the Ombudsman Guidelines, has granted an option to any person to approach the Ombudsman for deficiency in services pertaining to PPIs or mobile/ electronic fund transfers or payment transactions through unified payment interface (“UPI”)/ Bharat Bill Payment System (“BBPS”)/ Bharat QR Code/ UPI QR Code.
e) National Payments Corporation of India (“NPCI”): In order to promote peer to peer and peer to merchant payment systems, the RBI along with NPCI operates online retail payments and settlement systems in India. NPCI, a registered not-for-profit company promoted by banks, provides a wide range of payment platforms such as Rupay, immediate payment service, national automated clearing house, aadhaar payment bridge system, aadhaar enabled payment system, national financial switch, UPI, BBPS and national electronic toll collection. Participants in such payment platforms (banks and third-party application providers) are required to abide by, inter alia, the membership, customer on-boarding, roles & responsibilities, settlement, audit, compliance & regulations, intellectual property rights requirements/ conditions prescribed under the procedural guidelines.
f) NUE: In order to promote new payment systems in the retail space such as ATMs, white label point of sale, aadhaar based payment systems and remittance services, etc., the RBI has formulated a framework for authorisation of pan-India umbrella entity for retail payments. Any entity on meeting the prescribed eligibility, fit & proper, capital and foreign investment requirements (as may be applicable), etc. may apply to RBI to be authorized as a new umbrella entity.
g) RBI – Master Direction on non-banking financial company – peer to peer lending platform directions issued on October 4, 2017 (“RBI Peer Lending Master Direction”):
i. A peer-to-peer lending platform is an intermediary providing the services of loan facilitation via online medium or otherwise, to participants.
ii. Authorisation from the RBI: A company can commence or carry on the business of peer-to-peer lending platform, only upon obtaining a certificate of registration from the RBI. Further, such entities are required to, inter alia, maintain the net owned fund, carry on activities, prudential norms, fit and proper criteria, appointment of nodal officer, etc., as prescribed.
iii. Policies: In order to ensure effective compliance, all peer-to-peer lending platforms are mandated to have in place, inter alia, code of conduct, participant grievance redressal framework, operational guidelines policy, fit and proper criteria policy, outsourcing policy, etc.
iv. Reporting: Quarterly statements, as prescribed, are required to be submitted to the RBI.
h) RBI – Master Direction on non-banking financial company – Account aggregator directions issued on September 2, 2016 (“RBI Account Aggregator Master Direction”):
i. An account aggregator is a non-banking financial company that undertakes the business of providing, under a contract, the service of retrieving or collecting such financial information, pertaining to its customer, as may be specified by the banks and as may be prescribed from time to time; and consolidating, organizing and presenting such information to the customer or any other financial information user as may be specified by the bank, inter alia, a banking company or a corresponding new bank or the State Bank of India, etc., (“Banks”) for a fee or otherwise.
ii. Registration: Only a company can commence or carry on the business of an account aggregator and such a company would be required to obtain a certificate of registration from the Banks. Further, such entities are required to, inter alia, maintain a net owned fund, adhere to the duties & responsibilities, data security requirements, technical specifications, appointment of nodal officer, fit & proper criteria, etc., as prescribed.
iii. Policies: In order to ensure effective compliance, all account aggregators are mandated to have in place, inter alia, policies on handling/ disposal of customer grievances/ complaints, pricing of services, fit & proper criteria, out-sourcing policy, etc.
iv. Reporting: Account aggregators are required to submit timely returns as prescribed by the Banks.
i) RBI notification on storage of payment system data dated April 6, 2018, (“Data localisation Circular”): mandates payment systems, scheduled banks, including regional rural banks, urban cooperative banks, state co-operative banks, district central co-operative banks, payment banks, small finance banks and local area banks to ensure that the entire data relating to payments data (full end-to-end transaction details/ information collected/ carried/ processed as part of the message/ payment instruction) is stored only in India. Such data may be stored outside only if such a transaction has a foreign leg and such data may be transferred outside India for processing payment transactions only for 24 hours. This restriction may not be directly applicable to fintech companies if they do not fall under the ambit of the Data localisation Circular. However, such a restriction may be passed on contractually to fintech companies by RBI regulated entities.
C. Enforcement: The IT Act and the SPDI Rules are enforced by the Ministry of Electronics and Information Technology. Further, the PSA Act, PPI Master Direction, OPGSP Notification, RBI PA/ PG Guidelines, Ombudsman Guidelines, NPCI & its services and RBI Peer Lending Master Direction, RBI Account Aggregator Master Direction and the Data localisation Circular are enforced by the RBI. However, regulations by other regulators such as the Securities and Exchange Board of India (“SEBI”), the Insurance Regulatory and Development Authority of India (“IRDAI”), etc., would be applicable to such fintech companies depending upon the activities carried on by them.
2. How are the regulators adapting to fintech?
In order to regulate and supervise the fintech space in an optimum manner, regulators have introduced the regulatory sandbox model and certain regulations to govern the fintech space in India as follows:
A. Regulatory sandbox:
In order to boost, support and facilitate financial innovation, the regulatory sandbox was operationalised by the RBI, SEBI, etc. Regulatory sandbox refers to live testing of new products or services in a controlled/ test regulatory environment for which regulators may permit certain regulatory relaxations for the limited purpose of testing.
a) RBI: Regulatory sandbox by the RBI is targeted at fintech companies, including start-ups, banks, financial institutions, and any other company partnering with or providing support to financial services business. Applicants to each cohort are selected basis their compliance to eligibility requirements as prescribed. Further, applicants to regulatory sandbox may be granted regulatory relaxations such as liquidity requirements, board composition, management experience, financial soundness, track record, etc.
i. Practical implication: As of date, the RBI has announced the opening of two cohorts under the regulatory sandbox. The first cohort was themed ‘retail payments’ and the second one ‘cross border payments’.
ii. Themes: The RBI notification on Enabling framework for Regulatory Sandbox, dated August 13, 2019, lays down the following themes, which may be considered for testing by RBI in the future: money transfer services, marketplace lending, digital know your customer, financial advisory services, wealth management services, digital identification services, smart contracts, financial inclusion products, cyber security products, mobile technology applications, data analytics, application program interface, applications under block chain technologies, artificial intelligence & machine learning applications.
b) SEBI: Regulatory sandbox by SEBI is also targeted at fintech companies. All entities registered with SEBI under Section 12 of the SEBI Act, 1992, are eligible for testing in the regulatory sandbox. Applicants are selected basis their compliance to the prescribed eligibility criteria. Further, exemptions/ relaxations are decided by SEBI on a case-by-case basis.
B. RBI Peer Lending Master Direction: Please refer to our response under question no. 1.
C. Anti-money laundering: In order to facilitate and promote fintech operations, the Prevention of Money Laundering Act, 2002 (“PMLA”), has granted an option to regulated entities to carry on the prescribed know your customer (“KYC”) exercise digitally. This process enabled simpler and faster digital on-boarding of customers. However, it required a physical touch-point for completion of the KYC process. Subsequently, amendments to the RBI – Master Direction – Know Your Customer Direction, 2016 (“KYC Master Direction”), introduced the live video-customer identification process to establish an account-based relationship through collection of documents, recording of video and capturing of photograph as illustrated in detail as part of the KYC Master Direction and removed the physical touchpoint obstacle.
D. SEBI Mutual Funds Regulations, 1996: Recently, SEBI, vide an amendment to these regulations, paved way for fintech companies to be sponsors of mutual funds. The amendment replaced the profitability track record requirement with a minimum net worth requirement of INR 100 crore to be maintained for five consecutive years.
E. RBI PA/ PG Guidelines: Please refer to our response under question no. 1.
3. Are there specific regulatory provisions that have recently changed or been put in place through Fintech’s use of key technologies such as AI, Distributed ledger technology and cloud computing for example?
Please refer to our response under question no. 2. RBI, vide its regulatory sandbox framework, has included themes such as smart contracts, cyber security products, block chain technology, artificial intelligence and machine learning applications, etc. Subject to such testing, the RBI may release a regulatory framework, expressly permitting the utilisation of such technology while maintaining prescribed standards.
4. How are fintech companies exposed to data protection and AML regulations in your jurisdiction?
PMLA, the principal legislation that governs anti-money laundering in India, prohibits money laundering and financial crimes. PMLA mandates reporting entities (which includes a banking company, financial institution, intermediary or a person carrying on a designated business or profession) to maintain records of transactions for a prescribed period, furnish information as called for by the authorised personnel, inter alia, the details of transactions, record of documents evidencing identity of clients, etc., and grant access to such information to authorised personnel. Fintech companies, falling under the ambit of ‘reporting entities’, would be required to cater to the aforementioned obligations.
Further, a fintech company classified as a scheduled commercial bank/ regional rural bank/ local area bank/ primary urban co-operative bank/ state and central co-operative banks/ all India financial institutions/ NBFC/ Miscellaneous non-banking company/ residuary non-banking company/ payment service providers/ system participants/ PPIs/ authorised persons/ agents of money transfer service scheme/ PAs/ PGs will be required to undertake KYC checks mandated by the RBI vide KYC Master Direction.
5. Which aspect of the fintech industry and specifically which services stand out in your jurisdiction?
India’s fintech industry provides key products such as PPIs, UPI payments, NBFC – peer-to-peer lending platforms, digital lending platforms, PAs and PGs.
6. How are fintech companies commonly structured and financed in your jurisdiction?
A. Structure: Fintech companies in India are typically companies incorporated in India under the Companies Act, 2013, given that most of the authorisations required to be obtained by RBI, inter alia, require such businesses to be incorporated as a company under Indian laws.
Further, when such companies offer both regulated and unregulated products or services, they are bifurcated into two companies, one company would offer regulated products or services (capitalised to the extent required under law) and the other company would offer unregulated products or services. The purpose of such a bifurcation is to enable hassle free investment.
B. Financing/ fund raising:
Typically, the modes of raising funds/ finances by fintech companies in India are as follows:
a) Equity: Fintech companies raise capital by selling their equity either privately through angel investors or private equity investors or by raising funds from public via initial public offering.
b) Debt: Fintech companies can also raise funds by issuing debentures or obtaining term loan/ working capital facilities from banks and non-banking financial companies.
c) Foreign investment: The percentage of foreign direct investment (FDI) a fintech company is entitled to, is dependent upon the nature of the business activity/ nature of product or service offered by such fintech company. Most fintech companies are entitled to 100% FDI and may raise funds by way of such investments. Further, in order to raise funds, fintech companies may also avail external commercial borrowing facilities from foreign lenders.
7. How do they fit in the overall financial services ecosystem?
A. Third party application providers: Majority of the Fintech companies fall under the ambit of a third-party application provider and do not provide any core financial services. Hence, the regulatory framework applicable to such companies would be limited to RBI PA/ PG Guidelines and/ or NPCI procedural guidelines, depending upon the type of payment provided on such application.
B. Core financial activities: A certain number of fintech companies are registered as NBFCs and accordingly, they would be required to adhere to the requirements prescribed by RBI to NBFCs, in addition to the RBI PA/ PG Guidelines and/ or NPCI procedural guidelines, depending on the type of payment provided.
Majority of fintech companies fall within the ambit of a third-party application provider and do not provide any core financial services. Accordingly, the regulatory obligations applicable to such fintech companies are typically much lighter than those applicable to traditional financial service players.
8. What innovation protection tools are in place for fintech companies?
Innovations in India are protected under the Patents Act, 1970, Copyright Act, 1957, Designs Act, 2000, and Trademark Act, 1999. Each legislation identifies the creator of the product and provides protection, depending upon the uniqueness of the innovation.
Fintech innovations would usually fall under the ambit of copyright, trademark and design laws in India.
9. Are there specific government incentives in place to encourage the development of local talent and to help Fintech companies recruit?
The Indian government is in favour of developing local talent and providing comfort to fintech companies to recruit and the same can be evidenced by Finance Minister Nirmala Sitharaman’s proposal in the Budget speech 2020-21 on start-ups. The proposal suggested shifting from the existing practice of taxing employee stock options (“ESOP”) at the time of exercise to deferring tax payment of such ESOPs by five years or till the time such employee leaves the company or when such employees sell their shares, whichever is earlier. Further, it is pertinent to note that most of the fintech companies in India are start-ups.
10. How do you see the fintech industry in your jurisdiction over the next 12 months?
The future of the fintech industry looks bright and should grow at a rapid pace. However, such growth would also be dependent on the rise of start-ups in the fintech industry, penetration of users of smart phones, continuous build-up of the digital infrastructure and overall streamlining of financial processes in many industries. Basis a recent market research report by Research and Markets, as of March 2020, the fintech market in India was valued at INR 1,920.16 billion in 2019 and is expected to reach INR 6,207.41 billion by 2025, expanding at a compound annual growth rate of approximately 22.7 percent during the 2020-25 period.
Below are some key regulations/ changes expected to shape the fintech industry in India over the next 12 months:
A. PDP Bill: Given that it is only one month from now, the chances of the PDP Bill being introduced before the Indian Parliament in the upcoming budget session in January 2021 seem unlikely. Realistically speaking, it might be better to expect the introduction of the PDP Bill in the upcoming monsoon session (typically held in August/September). On the PDP Bill coming into force in its current form, the Fintech companies would be required to adhere to data localisation and other privacy requirements as prescribed.
B. Cryptocurrency/ blockchain: The next 12 months may be a defining moment to determine the legality of cryptocurrency/ blockchain in India. As of date, the Government of India has prepared a draft legislation, i.e., the ‘Banning of Cryptocurrency and Regulation of Official Digital Currency Act, 2019’, and the Supreme Court on March 4, 2020, struck down RBI’s ban on cryptocurrency. Post the said judgment, there have been discussions/ speculations of a new law governing cryptocurrency to be introduced by the Parliament of India.
C. Robo advisory firms: Robo advisors are wealth management companies providing automated support for all financial advisory services, without any human intervention. The Indian robo-advisory market is expected to have a double-digit growth rate in the upcoming few years.[1] Additionally, numerous wealth management firms and other financial institutions are also expected to unveil their robo-advisory business. Increasing internet penetration and the rapid rate at which technology is being adopted have been the key growth factors for robo-advisory services in India. In India, there are no separate regulations for robo-advisors. However, SEBI, in a consultation paper dated October 7, 2016, mentioned that under the current investment advisor regulations, there is no express prohibition on the use of automated advice tools by SEBI registered investment advisors. Accordingly, robo advisors will be governed within the ambit of regulated investment advisers.
[1] According to the Report on the expansion of Robo-Advisory in Wealth Management released by Deloitte in August, 2016.
For further information, please contact:
Anu Tiwari – Partner (Co-Head – Fintech)
anu.tiwari@cyrilshroff.com
Anu is a Partner in the corporate and financial regulatory practice and Co-Heads Fintech sector at Cyril Amarchand Mangaldas. Anu has represented many Indian and multinational fintech, banking, broker-dealer, exchange, asset management, speciality finance and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, capital raising, commercial agreements and activism matters. He also advises financial services clients on matters before the Reserve Bank of India, Securities and Exchange Board of India, Ministry of Finance, Enforcement Directorate, Serious Fraud Investigation Office, appellate tribunals and Supreme Court of India.
Ritu Sajnani – Senior Associate
Ritu has represented several Indian and multinational fintech, banking, broker, exchange and asset management companies on transactional and regulatory matters and has been instrumental in setting up of Gift tech cities, receivables exchanges, trading segments and NSE Academy Limited in the NSE Group. She has been an in-house legal counsel for the NSE, Tata and the Reliance group in the past and is adept at handling a wide array of corporate actions and transactions, including demergers, acquisitions, slump sales, business transfers, public issues, private placements and buy-backs.
Karthik Koragal – Associate
Karthik has a demonstrated history of working in the regulatory, fintech and other fields of law. He has represented several Indian and multinational fintech, banking and asset management companies on transactional and regulatory matters. Karthik advises financial services clients on matters before the Reserve Bank of India and Securities and Exchange Board of India. His transactional practice focus is on acquisitions, capital raising and commercial agreements.