Banking Law

Regulatory Harmonization: Strengthening HFC and NBFC Frameworks

[By Shriyansh Singhal] The author is a student of National Law University Odisha.   Introduction The Reserve Bank of India (‘RBI’) has initiated a new regulation aimed at aligning the regulatory frameworks of Housing Finance Companies (HFCs) with Non-Banking Finance Companies (NBFCs) to ensure greater consistency and financial stability. The RBI’s decision aligns with the guidelines stated in paragraph 4 of the dated 22nd October 2020 which recommended gradually harmonizing the regulations governing HFC and NBFC entities over the next two years, for a smoother transition. Significant changes have been implemented in the following areas: (a) guidelines for receiving deposits that HFC registered certificate holders can receive or retain; (b) guidelines for accepting public deposits by NBFC holding certificate holders; and (c) additional significant directives to both HFC and NBFC entities.  Rationale Behind the Proposal The Reserve Bank assumed the responsibility of overseeing HFC operations from the National Housing Bank (‘NHB’) starting on 09 October 2019. It had implemented different guidelines treating HFCs as a subset of NBFC entities. The rules governing both HFC and NBFC sectors were reviewed to ensure alignment in regulations while considering the features of HFC operations.  After reviewing the current regulations applicable to HFCs, the RBI decided to release updated guidelines. Some of the laws related to NBFCs have also been looked into and a few changes have been made to them; these will come into force from 1st January 2025. At present, NBFCs and HFCs which are allowed to accept deposits from the public are subject to stricter prudential regulation of deposits. This shift toward a unified regulatory regime is intended to address potential risks, ensure the safety of public deposits, and maintain financial stability.  
Introduction of Key Changes Increased Liquid Assets and Safe Custody   Earlier, the HFCs had to maintain 13% of the public deposits in the form of liquid assets as per Section 29B of the NHB Act, 1987. The previous regulations set this requirement at 10%, while the new regulations have increased it to 15%, which is to be implemented gradually by July 2025. This graduated rise, starting from 13% on January 1, 2025 and reaching 15% in July, is intended to ensure that HFCs have adequate cash flows to fulfill their obligations. This change aligns HFCs with the NBFC liquid assets regulation and is expected to improve the liquidity profile of the housing finance sector.  The regulation concerning the safe custody of liquid assets has been revised to be comparable to the regulation of NBFCs. It is now compulsory for HFCs to park their liquid funds with the entities mentioned in the Master Direction – Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 2016. This change enhances the definition and safeguards in liquid asset management, ensuring that HFCs have a sound mechanism for protecting the depositors’ funds. According to the new guidelines, HFCs are also required to maintain complete asset coverage for the public deposits they hold.  This stipulation, which was previously enforced for NBFCs, ensures that HFCs possess sufficient assets to support their held deposits, thereby lowering the risk of financial failure. In situations where the asset coverage falls below the required level, HFCs must promptly notify the NHB, enabling regulatory supervision and reducing potential threats to depositors’ funds.  Stricter Credit Rating & Deposit Ceiling  HFCs now must have a minimum credit rating of investment grade to accept public deposits. This explicit annual review means that a lower rating during the year would render the HFC ineligible to accept any new deposits or renew existing ones until the rating is regained. 
By this means, the central bank is ensuring that the firms are of reasonable financial integrity. Since HFCs are public deposit-taking institutions to that extent, the safety aspect of the public’s money is secure. Concurrently, the leverage of HFCs has been brought down sharply by restricting the public deposits they may take in: in 1995, they could accept up to 300 percent of their net worth in public deposits, but by mid-1996 they were forced to cut this limit down to 150 percent.  Terms of public deposits have been reduced from a maximum of 120 months to 60 months. This adjustment is intended to enhance asset-liability management by reducing the long-term interest rate risk on HFCs and achieving a better maturity match between assets and liabilities.  Restriction on Investments in Unquoted Shares  The modified regulations bring HFCs in line with NBFC rules, under which there were pre-existing limits on the unquoted shares that a housing sector lender could invest in. Such investments are also considered a part of the HFC’s overall exposure to the capital market, and HFCs need to set their internal limits accordingly. This will ensure that HFCs do not have undue exposure to completely illiquid and volatile investments, putting their financial stability at risk.  The new rules for HFCs have been modified in line with NBFC regulations, as there were already limits on the unquoted shares an entity could invest in, the people said. These investments are also deemed to be part of the overall capital market exposure borne by HFCs, and they must fix internal limits for these as well. This would help HFCs not have full domestic exposure and reduce the chances of them having high levels of completely illiquid (and now volatile) investments that could jeopardize their financial stability.  
Impact of the Amendment The convergence of regulations is anticipated to have several effects on the housing finance system and the financial services industry as a whole, since the new deposit and asset cover norms are expected to enhance the liquidity position of HFCs. Aggregated excess liquidity would make HFCs more efficient and better able to meet depositors’ demands for funds even during heightened financial stress.  This will bring a ceiling on the excessive deposit mobilization by HFCs due to reasons such as being able to reduce the end deposit ceiling from three times to 1.5 times the Net Owned Fund (‘NOF’) and the


Unlocking Credit With Digital Payments: Analyzing NPCI’s Proposed Digital Payment Scores

[By Aryan Dash & Debasish Halder] The authors are students of National Law University Odisha.   FROM UPI TO DPS: NPCI’S JOURNEY TOWARDS FINANCIAL INCLUSION India has witnessed a remarkable rise in digital payments over the past decade, facilitated by the National Payments Corporation of India (NPCI). NPCI, an umbrella organization for retail payments in India, has played a pivotal role in developing and promoting digital payment systems such as Unified Payments Interface (UPI), Bharat Interface for Money (BHIM), RuPay cards, and others. These initiatives have significantly reduced the dependence on cash transactions, fostering financial inclusion and digital literacy across the country.  NPCI has recently proposed the concept of Digital Payment Scores (DPS) as a tool for lenders to assess the creditworthiness of borrowers. DPS would analyse an individual’s digital payment behaviour, including factors like transaction frequency, volume, and patterns. This data-driven approach aims to provide lenders with an alternative risk assessment mechanism, supplementing traditional credit scoring models.  This blog examines NPCI’s role in advancing financial inclusion through DPS. It addresses key questions about how DPS can assess creditworthiness beyond traditional models, the necessary legal frameworks for privacy and fairness, and how to mitigate challenges like data security and algorithmic bias while promoting inclusivity in India’s financial landscape.  RETHINKING CREDIT ASSESSMENT BEYOND TRADITIONAL MODELS India’s credit scoring relies heavily on past credit history, leaving rural or underbanked populations without access to loans. Digital payments offer new avenues for creditworthiness assessment. Transaction data reveals income levels, spending habits, and financial stability. Timely bill payments and engagement with savings platforms demonstrate financial discipline. 
However, using alternative data sources raises privacy and bias concerns, necessitating robust ethical and regulatory frameworks. Fair and non-discriminatory lending practices require careful integration of such data.  LEGAL AND REGULATORY CONSIDERATIONS The implementation of DPS would require a robust legal and regulatory framework to address concerns related to data privacy, consent, and fair lending practices. Authorities would need to establish clear guidelines for data collection, usage, and security to ensure consumer protection and prevent discriminatory lending practices. Additionally, measures would be required to safeguard against potential biases and ensure transparency in the scoring methodology.  Data Privacy The implementation of DPS raises important data privacy considerations, particularly within the framework of the Information Technology Act, 2000, which includes provisions like the Right to be Forgotten. User consent is crucial, requiring clear and informed agreement from individuals regarding the collection and utilization of their digital transaction information. Clear communication regarding the purpose, scope, and potential consequences of DPS calculations is essential. Furthermore, data anonymization is critical to safeguard individual privacy. Robust anonymization techniques should be employed to ensure that transaction data used for DPS calculations undergo thorough anonymization, removing or obfuscating personally identifiable information while preserving relevant behavioral patterns.   To implement DPS effectively while ensuring data privacy, several techniques can be employed. Differential privacy adds randomness to data queries, preventing anyone from inferring personal information even if they know some details about an individual. Synthetic data generation creates fake datasets that replicate real transaction behavior, allowing safe analysis without exposing actual personal information.  
Data masking replaces sensitive details with random values, protecting user data from unauthorized access. Pseudonymization substitutes real names with artificial identifiers, making it challenging to link transactions back to individuals while still enabling necessary analysis. Lastly, local suppression and global partitioning control data visibility, minimizing the risk of revealing identities while still allowing for meaningful insights. Together, these strategies enhance privacy protection in the context of DPS.   Additionally, stringent measures for secure storage and processing are imperative to maintain the confidentiality and integrity of the transaction data. This entails implementing strict data security measures, including secure storage, access controls, and rigorous encryption protocols during both data processing and transmission.  Fair Lending Practices The DPS model must be meticulously crafted and audited to mitigate potential biases stemming from factors such as income levels, geographic location, or digital literacy. These biases could inadvertently create unfair disadvantages for specific population segments, thereby undermining the overarching goal of financial inclusion. Transparency and explainability are paramount to ensure equitable lending practices. Thus, the DPS algorithm should be transparent and explainable, providing both lenders and borrowers with clear insights into how scores are calculated and the factors influencing the final assessment.   To reduce bias in the DPS model, several strategies can be employed. First, ensuring diverse data collection is key; datasets should include information from underrepresented groups to promote fair representation. Utilizing bias detection tools helps identify and correct any unfair patterns before they impact lending decisions.  Regular evaluation and monitoring of the scoring model can track fairness across different demographic groups, allowing for timely interventions when biases emerge. 
Involving human oversight in the development process ensures that diverse perspectives are considered, helping to identify issues that automated systems might overlook. Establishing clear ethical guidelines for data use further promotes responsible practices and compliance with legal standards.  However, legal challenges may arise, particularly if the DPS is categorized as a credit scoring system subject to regulations like the Fair Credit Reporting Act or similar laws in India. Such classification could lead to legal disputes, particularly if the scoring methodology is perceived as discriminatory or lacks adequate consumer protection measures.  Regulatory Framework for Credit Scoring At the heart of credit information regulation in India lies the CIRC Act, a legislative cornerstone that casts a wide net in defining credit information. Its expansive purview encompasses various financial transactions, from conventional loans to digital payment footprints. This broad definition, notably captured in Section 2d, sets the stage for integrating digital transactions—such as utility payments and e-commerce purchases—into the fabric of creditworthiness assessment. However, NPCI, as the vanguard of DPS provision, must tread cautiously, ensuring compliance with registration mandates under Section 5 of the CIRC Act and meticulous adherence to privacy guidelines outlined in the Credit Information Companies (Regulations), 2006.  Navigating the Privacy Paradox: Insights from the DPDP Act Amidst the regulatory tapestry, the DPDP Act emerges as a critical arbiter, safeguarding the sanctity of sensitive personal


Expanding Horizons: Payment Banks and Strategic Partnerships

[By Dhawni Sharda & Anshika Agarwal] The authors are students of National Law University Odisha.   INTRODUCTION   Through Budget 2024, the Government of India has set out an ambitious objective to set up over a hundred Payment banks as a significant step towards financial inclusion and security. These banks have been a bridge between the formal banking institutions and the unbanked population. This fosters greater financial literacy, encouraging savings and ensuring economic security amongst the economically weaker sections of society.   However, whether an increase in the number of these payment banks would provide the solution for the problems plaguing them is a question to be addressed. The authors, through this article, aim to highlight the strategic importance of partnerships between payment banks and institutions like Micro Finance Institutions (MFIs) and Business Correspondents (BCs). While BCs enable access to unbanked areas, MFIs provide financial services like microcredit, micro-insurance, and savings, etc. This is done to overcome the inherent barriers in their performance.  Starting with the rationale behind setting up such banks and moving to an analysis of the recent actions faced by such banks for compliance failures, the authors consider how the lacunae of these banks can be resolved through strategic partnerships and tie-ups, which can further broaden the understanding of such payment banks as going beyond digital wallets and can lead to their hosting a variety of services.   TRACING THE ORIGIN AND AFTERMATH   Given the significant risks associated with the Prepaid Payment Instrument (PPI) model, such as concerns around KYC compliance, and the need for quick access to payment services at the grassroots level, a recommendation was made to establish the payment banks. 
These banks provide their essential payment services and function like a digital wallet in which customers such as MSMEs and low-income individuals can maintain their bank balance and use it to serve their needs.   With all this in process, payment banks started functioning as a miniature model of scheduled commercial banks. These banks were required to follow certain mandates as prescribed by RBI in the same way as Scheduled Commercial Banks do. Alongside, these banks were granted rights and privileges which came with the grant of the license.   Their performance was further enhanced by their strategy of branchless banking, wherein the network of such banks spread over semi-urban and rural areas. This phenomenon got a fillip when these banks started entering into strategic partnerships.   STRATEGIC TIE-UPS   In recent years, the financial infrastructure of the underbanked areas has been boosted by the various deals between traditional banks, fintech companies, and payment banks. Doing so would ultimately broaden the horizon of the payment banks and help them to overcome the limitations which they would otherwise encounter if they operated alone.   Microfinance institutions already have an established customer base in the low-income regions. Payments banks can use these channels to venture into new markets, thereby leading to reduced cost, financial inclusion, and efficiency in operations.   In one such deal, Multilink announced a tie-up with NSDL Payments Bank. This move would help extend financial services to all sections of society. To elaborate, Multilink has around 3000 distributors, 200 mass distributors, and 60 API distributors. They even have strong associations with renowned platforms like IRCTC, Yes Bank, TATA AIG, Kotak Life, and so on. This NSDL-Multilink partnership would help customers access all banking facilities around the clock through BC agent points.  
Such partnerships are entered into not only to avail the benefits of a well-established clientele base created by the MFIs/BCs, but also to avail the advantage of merging resources, leading to efficiency in operations. Additionally, established monitoring and audit regulations are available to the payment bank.  SPOT ON ANALYSIS   Going Beyond the Conventional Perspective.   Going beyond the brick-and-mortar aspect of payment banks wherein they function as digital wallets, such collaborations with BCs or MFIs would become a good source of lending, thus filling the debt gaps or the cash crunch requirements in the lower segment areas. If these two entities join hands, the operational needs of the banks would also be fulfilled.   Improved Market Offerings   The host of activities undertaken by the BCs can prove to be catalysts in the performance of the payment banks through their aid and assistance, considering the low-cost model of BCs in branchless banking. So, these BCs can act as nodes in the branchless banking model of the payment banks, thereby amplifying the scope of financial activities.    Additionally, Payments banks can use MFIs’ strategic partners which have an established base in providing cross-banking marketing services to their clients, besides their experience in providing financial services to the low-income segment. This can work as a win-win situation for both parties.   Plugging the Internal Problems   The abovementioned problems relate to the external issues which can be resolved through such alliances. However, certain internal issues are barriers to their expansion.   Payment banks in their initial years of set-up need to meet high fixed costs, leading to elevated break-even points. This further leads to a greater need for significant transactional volumes and substantial scale. In the process of doing the same, payment banks spend a considerable amount of time and resources in increasing profitability. 
Consequently, they miss out on their sole purpose of creating better market offerings and attaining RBI’s objective of financial inclusion.   Need for Diversification   These payment banks fulfill the dire needs of the micro-finance institutions, which plan to make over their negative image of being involved in unethical practices in lending activities. In the wake of this situation, the state government came up with laws that completely put a halt to their operations. With a payment bank that has strong government and institutional support at the back end, the MFIs would get a relaxation in regulatory oversight, permitting their free and fair operation.   WAY FORWARD   Strategic partnerships are not an easy path to tread since these payment banks can’t enter such strategic alliances as independent entities because they are subsidiaries implying that they are controlled and influenced by their


RBI’s Regulatory Clampdown: Navigating the Paytm Saga

[By Manav Pamnani & Teesha Arora] The authors are students of NALSAR University of Law, Hyderabad and Symbiosis Law School, Pune respectively.   Introduction and Background  In a recent move, the Reserve Bank of India (RBI) has imposed restrictions on Paytm Payments Bank, prohibiting it from accepting fresh deposits in its accounts, facilitating credit transactions, and offering fund transfers, including the Unified Payment Interface (UPI) facility, after March 15, 2024. This has emerged in light of the multiple violations on the part of the bank to meet the regulatory requirements and directions given by the RBI.    Paytm Payments Bank, an associate of One 97 Communications Limited (OCL), is an Indian Payments Bank founded in 2017. It is a part of the financial network of one of India’s largest payment companies, Paytm. In fact, on October 7, 2021, it was officially added to the second schedule of the RBI Act of 1934. In its press release on March 11, 2022, the RBI directed the Paytm Payments Bank to stop onboarding new customers. It further added a condition that such onboarding would only be permissible if the bank appointed an Information Technology (IT) audit firm to conduct a comprehensive system audit of its IT system and if, after a thorough review, the audit report seemed satisfactory. This audit report would comprise compliance checks with reference to Section 43A and Section 79 of the IT Act. The reason for ensuring compliance with the aforementioned provisions of the IT Act can be inferred from the preamble of the Act itself which lays down its objective, which is to facilitate lawful digital transactions while mitigating cybercrimes and other potential non-compliances. Since the operations of Paytm involve digital transactions and storage of data, these provisions become relevant. In this regard, Section 43A deals with compensation for failure to protect data. 
It requires a body corporate to uphold acceptable security standards and procedures while managing, dealing with, or having any sensitive personal data or information on a computer resource that it owns, controls, or manages, failing which, it would have to compensate the affected people who have incurred wrongful loss. On the other hand, Section 79 encompasses an exception, according to which, intermediaries may be immune from liability if they operate as mere middlemen in the transmission, storage, or exchange of third-party information or data.   The audit report, however, indicated persistent non-compliance on the part of the bank coupled with material supervisory concerns. It reflected that lakhs of accounts had not followed the mandatory Know Your Customer (KYC) procedure. Adhering to KYC guidelines is non-negotiable due to the significant purpose it serves which mainly includes verifying the identities of customers in order to prevent money laundering activities. The omission on part of Paytm thus violated Section 12 of the Prevention of Money Laundering Act, 2002 which mandates the verification of the identities of clients before entering into financial transactions. The importance of the KYC procedure leads financial institutions and conventional banks to strictly follow it. In the given case, since Paytm has repeatedly violated this crucial norm, RBI’s clampdown is justified. The exacerbating factor in this case is that the transactions in the non-KYC accounts exceeded millions of rupees, far beyond the prescribed regulatory limits, as specified in the Reserve Bank of India (Know Your Customer) Directions, 2016.   Moreover, over a thousand users had the same Permanent Account Number (PAN) linked to their accounts which further raised money laundering concerns. This led the RBI to utilise its power under Section 35A of the Banking Regulation Act, 1949 and issue the aforementioned directions. 
It also passed an order on October 10, 2023, imposing a monetary penalty of rupees 5.39 crore on Paytm Payments Bank for breaching the several regulatory requirements.   Justification of the Action in light of Section 35A of the Banking Regulation Act, 1949   Section 35A of the Banking Regulation Act provides for the power of the RBI to give directions. This power extends not only to specific banking companies in cases of non-compliance but also to general guidelines or circulars issued in interest of the overarching banking framework. For example, in 2016, the RBI issued the Master Directions on Fraud to consolidate and update seven earlier circulars on the classification, reporting and monitoring of fraud. Thus, the power enshrined under this section has a wide ambit and can be utilised in any scenario right from breaches pertaining to banking norms to introducing guidelines or amendments to upkeep the integrity of the banking sector. In this regard, Section 35A states, “(1) Where the Reserve Bank is satisfied that – (a) in the public interest; or (aa) in the interest of banking policy; or (b) to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company; or (c) to secure the proper management of any banking company generally, it is necessary to issue directions to banking companies generally or to any banking company in particular, it may, from time to time, issue such directions as it deems fit, and the banking companies or the banking company, as the case may be, shall be bound to comply with such directions.” This implies that the RBI has the power to issue such directions if any of the three conditions specified in this Section are met. These conditions are disjunctive, and even if only one among them is fulfilled, the RBI can utilise this power. The present situation entails an overlap of all the stated requirements. 
Adherence to the regulatory requirements and guidelines is paramount to the effective functioning of the financial ecosystem, and any form of deviance affects the confidence of the investors and affiliated business entities, thus negatively affecting the public interest. Non-compliance also indicates that the management of the banking company is not being conducted properly. Therefore, since the conditions mentioned in this Section (at least one) are fulfilled, the utilisation of the power prescribed is


RBI’s Clampdown on Kotak Bank: Examining IT Governance Directions and Its Impact on Stakeholders

[By Nakshatra Gujrati] The author is a student of National Law University, Odisha.   Introduction The Reserve Bank of India (“RBI”) on April 24, 2024 directed Kotak Mahindra Bank Limited (“Bank”) to suspend the onboarding of new customers through online channels and the issuance of new credit cards (“action”). The action resulted from significant deficiencies and non-compliances on the part of the bank. The RBI in its press release stated “…Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch, and change management, user access management, vendor risk management, data security, and data leak prevention strategy…”. These compliances are of pivotal importance under the newly notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”)  This post aims to analyze the RBI’s actions against Kotak Bank, encompassing its new IT Directions, and their impact on stakeholders. It begins by reviewing the events precipitating the RBI’s intervention. Subsequently, it examines the recent IT Directions and regulatory requirements set forth by the RBI. Thirdly, it investigates the impact of the RBI’s actions on stakeholders, namely banks and customers. Lastly, it offers recommendations to maximize the benefits derived from these IT Directions.  Background of RBI’s Move against Kotak RBI conducts a Statutory Inspection for Supervisory Evaluation (“ISE”) to assess compliance of regulations by the banks. In 2018-19 an ISE of Kotak Bank was conducted by RBI and it was observed that among non-compliance of its directives, Kotak bank failed to “…credit (shadow reversal) the amount involved in the unauthorized electronic transactions to the customers’ account within 10 working days from the date of notification by the customer, in certain cases…”. 
This was in contravention of Regulation 9 of the RBI’s directions on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”. The RBI imposed a monetary penalty of ₹1,05,00,000/- on Kotak Bank for non-compliance with its directives vide an order dated July 04, 2022.  In October 2023, a penalty of ₹3.95 crore was again imposed on Kotak bank by RBI for non-compliance with its directives. Further, Kotak bank had failed to ensure minimum standards of customer service as stipulated in the RBI’s directions on “Customer Service in Banks”.   On April 15, 2024, several users of Kotak Bank complained that they were not able to use its mobile banking services. Some customers were not able to make payments through the bank’s debit card and UPI services as well. In light of this, several customers expressed their dissatisfaction with the bank’s services via social media. The RBI took cognizance of this issue; under Section 35A of the Banking Regulation Act, 1949, it is empowered to issue directions on its own motion in the public interest, in the interest of banking policy, or to prevent banks from acting in a prejudicial manner.   RBI’s Directions on IT Governance and Risk Management RBI has from time to time via circulars provided directions pertaining to Information Technology (IT) Governance and Risk Management. In November 2023, the RBI consolidated all the circulars on IT Governance and notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”) that came into force on April 1, 2024.   These directions are applicable to all banking companies, non-banking financial companies, credit information companies and foreign banks operating in India. The directions are uniform for these entities, but the post discusses their applicability to banks only.   
Analysis of RBI’s IT Directions Over time, banking has significantly transitioned to e-Banking, making it hard to imagine a bank today without substantial IT involvement in its key processes. The growing customer base has compelled banks to digitalize processes for registrations, transactions, and timely provision of other financial services. While IT in banking offers numerous advantages, potential concerns must not be overlooked. For instance, vast amounts of customer data are stored on cloud servers for centralized and quick access, which poses a risk of breaches and theft of sensitive customer information. In 2022, BharatPe, a digital financial services provider, experienced a significant data breach, with data from around 150 million customers reportedly stolen.  To address such events, the IT Directions mandate the creation of IT Governance frameworks in banks. Banks should establish IT Governance frameworks and IT strategy committees comprising board members, and technical experts having experience in IT and Cybersecurity. The objective should be to develop an effective IT strategy. The committee should convene quarterly to assess IT-related risks periodically. This involves analyzing existing IT-related risks and proactively preparing strategies to mitigate them.  Additionally, a Disaster Recovery policy should be implemented to ensure business continuity in the event of disruptive incidents. Disaster Response sites must be established in geographically distinct locations from the primary operating sites to avoid being affected by the same threat. These sites should be equipped with necessary e-Surveillance measures. To ensure data security during transmission, the IT Directions prescribe the use of strong encryption and cryptographic controls in accordance with international standards.  Banks are required to establish a Change and Patch Management policy. 
This involves identifying system features that can be improved or fixed, primarily focusing on security updates, bug fixes, and minimizing downtime. Additionally, banks must ensure that their systems support business functions and maintain service availability. A vendor risk assessment process must also be implemented to ensure that third-party vendors comply with the prescribed standards for safeguarding consumer data.

Impact on Stakeholders

The IT Directions directly impact banks and customers, and it is therefore crucial to analyze the directions from the viewpoint of both stakeholders.

Impact on Banks

The RBI has repealed 12 circulars to introduce the IT Directions, making it easier to comply with one consolidated direction. As many foreign banks operate in India through their branches, they will be subjected to a ‘comply or explain’ approach instead. This provides certain discretion to foreign banks with respect to non-mandatory provisions of the IT Directions, as they merely need to explain the reasons behind non-compliance. This is to ensure that foreign

Cryptocurrency Conundrum: India’s Quest for Regulatory Certainty

[By Dewansh Raj] The author is a student of National Law University, Odisha.

Introduction

The evolving landscape of cryptocurrency has left India’s legal landscape behind and places it at a critical juncture. Despite global advancements, India’s stance remains uncertain. With millions of Indians involved, regulatory clarity is crucial. The 2022 crypto crash and subsequent resurgence highlight the urgency for a structured approach. As debates on regulatory oversight intensify, the government’s delayed response raises concerns about investor confidence and the future of India’s crypto market.

Recent developments

In December last year, Mr. Jayant Sinha, Chair of the Standing Committee on Finance, stated that it would take another 18 months for any regulation relating to cryptocurrency. This could be a huge setback for the crypto market in India. With a new wave of cryptos, investors and stakeholders would be forced to operate in the shadows and in uncertainty.

2023 was the year when cryptocurrency slowly started to come back, and in a one-of-a-kind move, the Securities and Exchange Commission (SEC) recently gave a go-ahead to the listing of spot bitcoin ETP, which is expected to bring a new wave of crypto products of the kind that saw a decline after the FTX crash. This step could mark a revival of cryptocurrency, which was slowly fading away. The resurgence highlights the need for a mechanism to regulate cryptocurrency in India. This blog attempts to analyse the current and future regulatory landscape of the crypto sphere.

The Crypto Comeback

The markets have recovered substantially following the 2022 implosion, and market sentiment too reflects a positive outlook. The crash was so severe that it slashed nearly two-thirds of the value of all major cryptocurrencies by the time the FTX drama was over.

However, the growth showed that, even after the 2022 crash and the idea of cryptocurrency being questioned, investors remain optimistic and confident.
Its popularity in India is also evident from the fact that India accounts for nearly 19 million investors, despite constant fear of its prohibition. Further, the fact that the majority of these investors lie in the age group of 18 to 35 reflects its popularity among the younger generation, which could be a further point of concern, as these people usually don’t have a proper financial understanding, and such a large number of them investing in such a volatile asset can negatively impact the economy.

Who Should Regulate

Before delving into the current regulatory landscape and the future of these currencies, a fundamental question is: who should regulate cryptocurrency?

One would ordinarily believe that since cryptocurrencies are believed to be a substitute for currency, the Reserve Bank of India (RBI) should monitor them. The draft bill reiterated this idea and provides for the Central Board of the Reserve Bank of India to regulate cryptocurrencies.

But cryptocurrencies, which unlike traditional currencies don’t have government backing and can be much more volatile, could be trickier to handle. Hence, if cryptocurrencies continue to be legitimate, it might be best for the government to create a specialised agency that oversees the crypto market.

Another approach that the government can take is decentralising regulation across various agencies. This approach finds support in the U.S., where several agencies oversee different aspects of cryptocurrency. While the Reserve Bank could handle regulations for exchange among consumers, SEBI and the investigating agencies could work on its listing and on preventing misuse for criminal activities.

Regulations till now

The world of cryptocurrency came into the spotlight during COVID-19, when the value of cryptocurrency grew by leaps and bounds and every new currency that promised to transform the world was welcomed with open arms.
But the response to these currencies was never unanimous.

India’s position on cryptocurrency has been ambiguous and lacks clarity, which creates uncertainty among the public and stakeholders. Although the government doesn’t endorse the idea of an unregulated currency, it embraces blockchain technology. The Indian government even plans to introduce its very own government-backed cryptocurrency.

The Reserve Bank of India has, from inception, been thwarting virtual currencies from being recognised as legal tender. It has also constantly tried to dissuade investors from investing in cryptocurrencies. The breaking point came when the monetary authority, in a notification dated 6th April 2018, directed all financial institutions to stop providing any services concerning cryptocurrencies. This move acted as an indirect ban on cryptocurrencies and was justified by labelling cryptocurrencies as dangerous for the economy.

The Supreme Court later lifted the ban on the grounds that the move infringed the right to trade under Article 19(1)(g). The court in its judgement stated that the RBI failed to consider other less intrusive measures, thereby pointing towards the abruptness and severity of the step. Even after the lifting of the ban, it seems that the RBI hasn’t changed its stance.

Initially, the government too hinted towards a blanket ban, with a report suggesting a complete ban on virtual currency being discussed in an Inter-ministerial committee in 2019. Nevertheless, this step never saw the light of day, and with the Supreme Court judgement, the murmur around it also started to die down.

When a bill titled Cryptocurrency and Regulation of Official Digital Currency Bill 2021 was listed for the 2021 winter session, the buzz around cryptocurrency was reignited, but the bill too was never introduced and has been deferred indefinitely, citing the complexities involved.
The government later announced in the Union Budget of 2022 a 30% tax on all transactions involving virtual currency. The measure could serve as a temporary means to dissuade citizens from engaging in cryptocurrency and, in the process, benefit the exchequer. Since the budget, the government has remained silent. The silence has left the crypto community on edge, eagerly waiting to see what the government decides.

Why is it important to clear the doubt over cryptocurrencies

The need to regulate cryptocurrency has been felt from the very beginning. The excuses that a very small number of people are invested and that complexities are involved don’t hold good. Even after the FTX crash,

RBI’s Master Directions on Bharat Bill Payment System: A Progressive Leap in the Bill Payment Landscape

[By Karthika S. Babu] The author is a student of Gujarat National Law University.

Introduction

The Reserve Bank of India (“RBI”) has recently released the Reserve Bank of India (Bharat Bill Payment System) Directions, 2024, the Master Direction for the regulation of the Bharat Bill Payment System (“BBPS”). The Directions are set to supersede RBI’s earlier Implementation of Bharat Bill Payment System (BBPS) – Guidelines in an attempt to further enhance participation and consumer protection by streamlining the bill payment process under the payment system. BBPS, operated by the National Payments Corporation of India (“NPCI”), is a dedicated payment system designed specifically for recurring bill payments across various utility services. The BBPS framework was proposed by RBI in 2014 to unify and consolidate the electronic payment system by creating a single brand image for bill payments in the country.

The recent Master Directions are in line with RBI’s broader attempt to regulate payment systems, reflecting a concerted effort to strengthen the interoperability of the payments sector. Through the Directions, RBI has shifted its focus to promoting growth and innovation in the payment system by balancing the interests of various stakeholders. The extant regulatory framework aims to encourage a second wave of boom in the bill payment landscape by largely stimulating the participant units. This blog post is aimed at analysing the key features, ambiguities and potential concerns that need to be addressed by the Directions, while highlighting the cascading effect the regulations would have on the technological advancements in the sector.

Key features of the Framework

The recent developments in the payments sector demand a dynamic regulatory regime. The RBI has so far adopted a balanced approach in harmonizing sectoral growth with consumer needs through minimal regulatory intervention and self-regulatory mechanisms.
The Directions, by regulating the primary players in the payment system, NPCI Bharat Bill Pay Limited (“NBBL”) and Bharat Bill Payment Operating Units (“BBPOUs”), aim to do the same by creating a level playing field in the payment ecosystem, allowing the entry of new players while providing for enhanced consumer redressal mechanisms.

NBBL is the authorized Bharat Bill Pay Central Unit (“BBPCU”), which operates the payment system in addition to setting industry standards and undertaking clearing and settlement functions. BBPOUs, in turn, are the system participants in BBPS, which may function either as a Biller Operating Unit (“BOU”) or a Customer Operating Unit (“COU”) or both. A BOU onboards billers to BBPS, while a COU provides customers the digital/physical interface through which they can access the billers in the payment system. The primary responsibility of BOUs as per the Directions is to ensure the regulatory compliance of the onboarding merchants in accordance with the guidelines prescribed by the RBI or NBBL. On the other hand, COUs have to undertake the responsibility of providing an inbuilt system for raising disputes, in addition to ensuring consumer access to the billers. Moreover, the COUs must also take complete responsibility for the actions of agent institutions which are contracted to provide the interface services to the customers in the payment system.

Further, one of the key aspects of the Master Direction is the relaxation of regulatory requirements for the entry of non-bank payment aggregators (“PAs”) into the BBPS framework. Once a non-bank PA is authorized to operate as a PA under The Payment and Settlement Systems Act, 2007 or under the in-principle authorisation, additional licensing requirements for operating in the BBPS framework are done away with.
However, an additional mandate is placed on the non-bank PAs to maintain escrow accounts with a Scheduled Commercial Bank exclusively for the purposes of BBPS transactions. The escrow accounts of the BOUs and COUs are to maintain the credit of funds collected from the customers, due to the biller, the credit/debit of disputed payments and the recovery of charges or commissions on the payment. In addition to the provisions in the Directions, the management of the BBPS escrow account will be governed by the RBI guidelines on payment aggregators and gateways as applicable.

Finally, NBBL is required to establish a centralized dispute resolution framework as per RBI guidelines, which will integrate all participating COUs and BOUs, allowing customers and billers to raise and resolve disputes effectively.

Analysis

RBI, through the Master Directions, has introduced further regulatory mandates on an otherwise well-regulated payment system. Although the earlier guidelines provided directions on various aspects of the interoperability of BBPS, the new Directions attempt to provide further clarity by simplifying and consolidating the existing RBI regulations into the BBPS framework.

In contrast to previous guidelines, the Directions have further streamlined the settlement and consumer grievance mechanism by integrating BBPOU and BBPCU into an end-to-end complaint management system. Moreover, BBPOUs functioning as COUs are required to establish an inbuilt system for raising disputes; however, no such mandate is provided for BOUs. This creates ambiguity regarding how disputes would be resolved internally between billers and biller aggregators within BOUs before they are escalated to the regulator or the relevant authority. This lack of a mandated dispute resolution system for BOUs may result in inconsistencies in the services of the BBPS system, significantly impacting the participants and the customers.
Moreover, as per the previous guidelines, transactions were categorized for the purposes of settlement as ON-US and OFF-US transactions. The difference between an ON-US and an OFF-US transaction is that in the former the biller and the payment collection agent belong to the same BBPOU, whereas in the latter they belong to different BBPOUs. The settlement of ON-US transactions is carried out completely by the BBPOUs, whereas OFF-US transactions are settled by the BBPCU. It is pertinent to note that there is no mention of this bifurcation or settlement mechanism in the current framework, except for the mandate on COUs to take responsibility for the actions of their agent institutions. Though doing away with this bifurcation has simplified the management and settlement process in the payment system, it is imperative for

RBI’s Forex Mechanism: Bold Leap into Financial Evolution

[By Runjhun Sharma] The author is a student of Dr. Ram Manohar Lohiya National Law University.

Introduction

The Indian commercial landscape has seen a wide array of changes over the course of this decade. Regulatory authorities face the challenge of ensuring smooth transitions and efficient transactions amidst increased accessibility to financial services and digitization of the economy. To underpin this assertion, the author highlights the shift in the approach of market regulators over the decade.

The Securities and Exchange Board of India (SEBI) has permitted the Association of Mutual Funds to govern the functioning of Mutual Fund Distributors since the early 2000s. The Insurance Regulatory and Development Authority of India introduced a set of guidelines to govern ‘Bima Vahaks’, an insurance distribution channel. The Reserve Bank of India (RBI) rationalized the licensing framework by introducing multiple licenses for entities engaging in foreign exchange (Forex) services, back in 2006. In a fashion similar to other market regulators, the RBI very recently introduced a Draft Licensing Framework for Authorised Persons (APs) to overhaul the existing forex framework. In the said framework, it intends to delegate the task of governing a novel entity, the Forex Correspondent (FxC), to Authorised-Dealer Category I (AD-Cat I) and Authorised-Dealer Category II (AD-Cat II) entities. AD-Cat entities are authorized dealers licensed by the RBI under Section 10(1) of the Foreign Exchange Management Act, 1999 (FEMA) to deal with foreign exchange transactions. The said framework will be discussed in detail in this piece. Hence, the aforesaid instances establish that regulatory authorities are switching from a direct regulatory approach to a self-regulatory one.
Need of the Draft Licensing Framework

The recent framework introduced by the RBI was a much-warranted move, in light of the de-concentration of financial services, which has led to inclusivity in the access to such services. The increased usage of these services has resulted in a regulatory burden for the RBI and posed hindrances to efficient governance. In view of this, the financial regulator is compelled to look for additional modes of governance to streamline the provision of financial licensing services. The Draft Framework by the RBI intends to expand the scope of services provided by AD-Cat entities and ease the eligibility criteria to engage in forex services. This move goes a long way to instill inclusivity for forex service providers and mitigate the load of governance of forex transactions.

Comparative Review of the Draft Framework with the Existing Mechanism

The major highlight of the Draft Framework is the introduction of FxCs. FxCs are a category of money changer entities that are in an agency arrangement with AD-Cat entities. The transactions undertaken by them will be reflected in the books of the AD-Cat banks. The rationale behind the introduction of this novel entity seems to be to facilitate the accessibility of forex to the general masses, businesses and tourists while ensuring checks and balances. Another motivation for this move may be that the majority of forex transactions do not necessitate the involvement of the RBI and take place at the level of APs. Under Section 10(1) of FEMA, AD-Cat banks are required to secure a license from the RBI to engage in forex transactions. However, in light of the agent-principal relationship between FxCs and AD-Cat banks, FxCs will not be required to secure separate licensing from the RBI and will be able to deal in forex transactions.
Before the introduction of the said Draft Framework, the licensing framework of the RBI sought to authorize entities that may deal in forex as APs and Full-Fledged Money Changers (FFMCs). The authorization granted was exclusive to the aforesaid entities allowed to deal in forex transactions.

In the extant framework, an AD-Cat II license is initially granted for a period of one year, followed by subsequent renewal of the license for one to five years. However, the Draft Framework does away with the specified timelines and introduces renewal of AD-Cat II licenses on a perpetual basis, conditional upon fulfillment of the revised eligibility criteria. This move is in furtherance of promoting ease of doing business in transactions involving forex.

The Draft Framework is also seen as relatively liberal, which is evident from the expansive definition of ‘annual forex turnover’. It has outlined a comprehensive interpretation of “annual forex turnover,” encompassing the total sum of foreign currency notes, coins, and travelers’ checks acquired from or dispensed to the public, including transactions conducted through agents or franchisees, as well as the total value of remittances facilitated throughout the fiscal year. The criterion for annual forex turnover in the Draft Framework is most suitable, as it excludes the turnover of Financial Years 2020-21 and 2021-22 when computing the ‘annual forex turnover’. This is because the aforesaid years saw a striking decline in revenue generation and turnover in light of the impact of the pandemic. The concept of ‘annual forex turnover’ is relevant as it provides a basis for determining whether a money changer entity should be deemed an FxC or an AD-Cat entity.

Coming to the disclosure requirements and compliances for an FxC in the Draft Framework, it is noteworthy that the financial regulator has proposed stringent disclosure requirements to make the mechanism watertight.
The rationale behind this seems to be the complex nature of forex transactions, which raises multiple apprehensions, including Anti-Money Laundering concerns. The disclosure requirements for an FxC are more or less similar to those of a Business Correspondent, with additional requirements of a Banker’s Report and a No Objection Certificate (NOC) from the Enforcement Directorate. Furthermore, since the permission to engage in forex dealings is to be granted to all the outlets of FxCs by the principal Authorised Dealer (AD) under the FxC Agreement, the said AD will be liable for the actions of the FxC. This is also underpinned by the relationship of agency between the principal AD and the FxC. Hence, the aforesaid provisions sufficiently highlight the fact that the RBI has opted to assuage the regulatory burden upon itself and strengthen the

Navigating Innovation and Compliance: Analysing RBI’s New Draft Regulations for Fintech’s

[By Siddh Sanghavi] The author is a student of National Law University Odisha.

Introduction

On January 15, 2024, the Reserve Bank of India released the draft regulation outlining a framework for self-regulatory organisations in the fintech industry. These self-regulatory organisations have been named SRO-FT. As per the RBI’s outlined framework, a Self-Regulatory Organization for Fintech (SRO-FT) will be a non-profit entity established under section 8 of the Companies Act of 2013 and will have to fulfil certain requirements and comply with governance standards to gain recognition by the RBI.

The idea of having a self-regulatory organisation for the Fintech industry is not new and can be traced back to the Report of the Working Group on Fintech and Digital Banking released by the RBI in 2018, where it was first proposed.

This blog analyses the Reserve Bank of India’s (RBI) draft regulations on establishing Self-Regulatory Organizations (SROs) for the Fintech industry in India. It discusses the need for regulation, why self-regulation is currently the best approach, and how the RBI’s steps will bridge the gap between regulators and the industry. It also highlights potential issues with the draft regulations and suggests improvements.

Need for regulation

As per the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps, fintech lending entities in India are of two types:

1) those which the RBI regulates by granting them NBFC licenses; and
2) those that are currently unregulated.

The new draft framework is aimed at regulating the second category of Fintechs.

One of the main functions of the Fintech sector is that it provides solutions to the already regulated entities in the form of an outsourced information technology provider as well as providing lending services such as KYC (Know Your Customer) tasks.
This involves fintechs amassing a large amount of sensitive financial data, and therefore ensuring robust cyber security measures becomes extremely important.

Given the nature of its functions, it is understandable why it is important to regulate this sector. If not regulated, it may pose significant risks to consumers’ data privacy and to cyber-security in the banking system. It is proposed that these SRO-FTs will help develop codes of conduct, ensuring all the members follow the basic industry standards and meet the expectations of the RBI.

Why self-regulation will be the best route

Section 45I(f)(iii) of the RBI Act 1934 allows the RBI, with the approval of the Central Government, to notify any class of companies as an NBFC (Non-banking financial company). Through this section, the RBI has the power to notify fintech entities that are involved in the process of lending as NBFCs. Since NBFCs are already regulated by the RBI, such a notification classifying Fintech companies as NBFCs would have allowed the RBI to bring them under the same regulation.

However, the RBI has stated in its press release that it prefers the approach of self-regulation, as it will help strike a balance between innovation and meeting regulatory requirements.

Further, the RBI in its draft omnibus stated that “Self-Regulatory Organisations (SROs) enhance the effectiveness of regulations by drawing upon the technical expertise of practitioners and also aid in framing/fine-tuning regulatory policies by providing inputs on technical & practical aspects, nuances and trade-offs involved.”

As stated by the RBI in its draft omnibus, it may not be prudent to bring Fintechs under the same regulation as an NBFC; there has to be industry-specific regulation, and until the RBI comes up with regulations specifically dealing with Fintech, self-regulation will be the best route.
Further, this approach of self-regulation taken by the RBI is appropriate since the Fintech industry in India is poised for growth, innovation and investments; burdening it with mandatory and excessive regulations may not be the right move currently and is something that can be considered in the future.

Success of Self-Regulatory Organisations across sectors

The concept of a self-regulatory body is not new in India; it has been used effectively in the past to close the gap between the regulated and the regulators without requiring excessive regulation.

The most famous example is the Association of Mutual Funds in India (AMFI). The AMFI has acted as a link between SEBI/RBI and the Mutual fund ecosystem. AMFI has also worked to set standards for “best practices”, which then become the status quo of the industry and are followed by all in the ecosystem. The AMFI has also been recognised by SEBI and now also acts as the licensing body for all Mutual funds in the industry.

Other examples of successful self-regulatory organisations include the Indian Banks’ Association (IBA) and the Foreign Exchange Dealers Association of India (FEDAI); they have also been successful in collaborating with regulators in the past, ensuring compliance and upholding ethical standards.

The RBI, by providing a framework for Self-Regulatory Organisations for the Fintech industry, aims to achieve a similar purpose. An SRO-FT will act as an interface between the industry and the RBI.

The Key ingredients of success: Recognition by the RBI and active participation

According to the new draft guidelines, for an entity to be recognised by the RBI it must receive a letter of recognition from the RBI. As the examples mentioned above show, for the system of self-regulatory organisations to work smoothly and truly act as a representative of the industry, it needs to gain recognition from the regulator.
Since the SRO acts as a representative of the entire industry, recognition from the RBI will grant it legitimacy.

Further, recognition by the RBI will automatically increase participation in and membership of an SRO. As mentioned above, Fintech entities are usually service providers to the already regulated entities; therefore, accreditation by an RBI-recognised entity (SRO) will increase the trust in and marketability of the fintech entity. This is also one of the important reasons why a Fintech entity would be motivated to voluntarily subject itself to regulations and supervision by an SRO-FT. Therefore
