Banking Law

[By Manav Pamnani & Teesha Arora] The authors are students of NALSAR University of Law, Hyderabad and Symbiosis Law School, Pune respectively.   Introduction and Background  In a recent move, the Reserve Bank of India (RBI) has imposed restrictions on Paytm Payments Bank, prohibiting it from accepting fresh deposits in its accounts, facilitating credit transactions, and offering fund transfers, including the Unified Payment Interface (UPI) facility, after March 15, 2024. This has emerged in light of the multiple violations on the part of the bank to meet the regulatory requirements and directions given by the RBI.    Paytm Payments Bank, an associate of One 97 Communications Limited (OCL), is an Indian Payments Bank founded in 2017. It is a part of the financial network of one of India’s largest payment companies, Paytm. In fact, on October 7, 2021, it was officially added to the second schedule of the RBI Act of 1934. In its press release on March 11, 2022, the RBI directed the Paytm Payments Bank to stop onboarding new customers. It further added a condition that such onboarding would only be permissible if the bank appointed an Information Technology (IT) audit firm to conduct a comprehensive system audit of its IT system and if, after a thorough review, the audit report seemed satisfactory. This audit report would comprise compliance checks with reference to Section 43A and Section 79 of the IT Act. The reason for ensuring compliance with the aforementioned provisions of the IT Act can be inferred from the preamble of the Act itself which lays down its objective, which is to facilitate lawful digital transactions while mitigating cybercrimes and other potential non-compliances. Since the operations of Paytm involve digital transactions and storage of data, these provisions become relevant. In this regard, Section 43A deals with compensation for failure to protect data. It requires a body corporate to uphold acceptable security standards and procedures while managing, dealing with, or having any sensitive personal data or information on a computer resource that it owns, controls, or manages, failing which, it would have to compensate the affected people who have incurred wrongful loss. On the other hand, Section 79 encompasses an exception, according to which, intermediaries may be immune from liability if they operate as mere middlemen in the transmission, storage, or exchange of third-party information or data.   The audit report, however, indicated persistent non-compliance on the part of the bank coupled with material supervisory concerns. It reflected that lakhs of accounts had not followed the mandatory Know Your Customer (KYC) procedure. Adhering to KYC guidelines is non-negotiable due to the significant purpose it serves which mainly includes verifying the identities of customers in order to prevent money laundering activities. The omission on part of Paytm thus violated Section 12 of the Prevention of Money Laundering Act, 2002 which mandates the verification of the identities of clients before entering into financial transactions. The importance of the KYC procedure leads financial institutions and conventional banks to strictly follow it. In the given case, since Paytm has repeatedly violated this crucial norm, RBI’s clampdown is justified. The exacerbating factor in this case is that the transactions in the non-KYC accounts exceeded millions of rupees, far beyond the prescribed regulatory limits, as specified in the Reserve Bank of India (Know Your Customer) Directions, 2016.   Moreover, over a thousand users had the same Permanent Account Number (PAN) linked to their accounts which further raised money laundering concerns. This led the RBI to utilise its power under Section 35A of the Banking Regulation Act, 1949 and issue the aforementioned directions. It also passed an order on October 10, 2023, imposing a monetary penalty of rupees 5.39 crore on Paytm Payments Bank for breaching the several regulatory requirements.   Justification of the Action in light of Section 35A of the Banking Regulation Act, 1949   Section 35A of the Banking Regulation Act provides for the power of the RBI to give directions. This power extends not only to specific banking companies in cases of non-compliance but also to general guidelines or circulars issued in interest of the overarching banking framework. For example, in 2016, the RBI issued the Master Directions on Fraud to consolidate and update seven earlier circulars on the classification, reporting and monitoring of fraud. Thus, the power enshrined under this section has a wide ambit and can be utilised in any scenario right from breaches pertaining to banking norms to introducing guidelines or amendments to upkeep the integrity of the banking sector. In this regard, Section 35A states, “(1) Where the Reserve Bank is satisfied that – (a) in the public interest; or (aa) in the interest of banking policy; or (b) to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company; or (c) to secure the proper management of any banking company generally, it is necessary to issue directions to banking companies generally or to any banking company in particular, it may, from time to time, issue such directions as it deems fit, and the banking companies or the banking company, as the case may be, shall be bound to comply with such directions.” This implies that the RBI has the power to issue such directions if any of the three conditions specified in this Section are met. These conditions are disjunctive, and even if only one among them is fulfilled, the RBI can utilise this power. The present situation entails an overlap of all the stated requirements. Adherence to the regulatory requirements and guidelines is paramount to the effective functioning of the financial ecosystem, and any form of deviance affects the confidence of the investors and affiliated business entities, thus negatively affecting the public interest. Non-compliance also indicates that the management of the banking company is not being conducted properly. Therefore, since the conditions mentioned in this Section (at least one) are fulfilled, the utilisation of the power prescribed is

[By Nakshatra Gujrati] The author is a student of National Law University, Odisha.   Introduction The Reserve Bank of India (“RBI”) on April 24, 2024 directed Kotak Mahindra Bank Limited (“Bank”) to suspend the onboarding of new customers through online channels and the issuance of new credit cards (“action”). The action resulted from significant deficiencies and non-compliances on the part of the bank. The RBI in its press release stated “…Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch, and change management, user access management, vendor risk management, data security, and data leak prevention strategy…”. These compliances are of pivotal importance under the newly notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”)  This post aims to analyze the RBI’s actions against Kotak Bank, encompassing its new IT Directions, and their impact on stakeholders. It begins by reviewing the events precipitating the RBI’s intervention. Subsequently, it examines the recent IT Directions and regulatory requirements set forth by the RBI. Thirdly, it investigates the impact of the RBI’s actions on stakeholders, namely banks and customers. Lastly, it offers recommendations to maximize the benefits derived from these IT Directions.  Background of RBI’s Move against Kotak RBI conducts a Statutory Inspection for Supervisory Evaluation (“ISE”) to assess compliance of regulations by the banks. In 2018-19 an ISE of Kotak Bank was conducted by RBI and it was observed that among non-compliance of its directives, Kotak bank failed to “…credit (shadow reversal) the amount involved in the unauthorized electronic transactions to the customers’ account within 10 working days from the date of notification by the customer, in certain cases…”. This was in contravention of Regulation 9 of the RBI’s directions on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”. The RBI imposed a monetary penalty of ₹1,05,00,000/- on Kotak Bank for non-compliance with its directives vide an order dated July 04, 2022.  In October 2023, again a penalty of ₹3.95 crore was imposed on Kotak bank by RBI for non-compliance with its directives. Further, Kotak bank had failed to ensure minimum standards of customer service as stipulated in the RBI’s directions on “Customer Service in Banks”.   On April 15, 2024, several users of Kotak Bank complained that they were not able to use its mobile banking services. Some customers were not able to make payments through the bank’s debit card and UPI services as well. In light of this, several customers via social media expressed their dissatisfaction with the bank’s services. The RBI took cognizance of this issue and as per Section 35A of Banking Regulation Act, 1949, it is empowered to make directions on its own motion in public interest, in the interest of banking policy or prevent banks to act in prejudicial manner.   RBI’s Directions on IT Governance and Risk Management RBI has from time to time via circulars provided directions pertaining to Information Technology (IT) Governance and Risk Management. In November 2023, the RBI consolidated all the circulars on IT Governance and notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”) that came into force on April 1, 2024.   These directions are applicable on all banking companies, non-banking financial companies, credit information companies and foreign banks operating in India. The directions are uniform for these entities, but the post discusses its applicability on banks only.   Analysis of RBI’s IT Directions Over time, banking has significantly transitioned to e-Banking, making it hard to imagine a bank today without substantial IT involvement in its key processes. The growing customer base has compelled banks to digitalize processes for registrations, transactions, and timely provision of other financial services. While IT in banking offers numerous advantages, potential concerns must not be overlooked. For instance, vast amounts of customer data are stored on cloud servers for centralized and quick access, which poses a risk of breaches and theft of sensitive customer information. In 2022, BharatPe, a digital financial services provider, experienced a significant data breach, with data from around 150 million customers reportedly stolen.  To address such events, the IT Directions mandate the creation of IT Governance frameworks in banks. Banks should establish IT Governance frameworks and IT strategy committees comprising board members, and technical experts having experience in IT and Cybersecurity. The objective should be to develop an effective IT strategy. The committee should convene quarterly to assess IT-related risks periodically. This involves analyzing existing IT-related risks and proactively preparing strategies to mitigate them.  Additionally, a Disaster Recovery policy should be implemented to ensure business continuity in the event of disruptive incidents. Disaster Response sites must be established in geographically distinct locations from the primary operating sites to avoid being affected by the same threat. These sites should be equipped with necessary e-Surveillance measures. To ensure data security during transmission, the IT Directions prescribe the use of strong encryption and cryptographic controls in accordance with international standards.  Banks are required to establish a Change and Patch Management policy. This involves identifying system features that can be improved or fixed, primarily focusing on security updates, bug fixes, and minimizing downtime. Additionally, banks must ensure that their systems support business functions and maintain service availability. A vendor risk assessment process must also be implemented to ensure that third-party vendors comply with the prescribed standards for safeguarding consumer data.  Impact on Stakeholders The IT directions directly impact the banks and customers and therefore it is crucial to analyze the directions from the viewpoint of both stakeholders.  Impact on Banks  The RBI has repealed 12 circulars to introduce the IT Directions and hence made it easier to comply with one consolidated direction. As many foreign banks operate in India through their branches, they will be subjected to a ‘comply or explain’ approach instead. This provides certain discretion to foreign banks with respect to non-mandatory provisions of IT Directions as they merely need to explain the reasons behind non-compliance. This is to ensure that foreign

[By Dewansh Raj] The author is a student of National Law University, Odisha.   Introduction   The evolving landscape of cryptocurrency has left India’s legal landscape behind and places it at a critical juncture. Despite global advancements, India’s stance remains uncertain. With millions of Indians involved, regulatory clarities is crucial. The 2022 crypto crash and subsequent resurgence highlight the urgency for a structured approach. As debates on regulatory oversight intensify, the government’s delayed response raises concerns about investor confidence and the future of India’s crypto market.  Recent developments   In December last year Mr. Jayant Sinha, Chair of the standing committee on Finance stated that it would take another 18 months for any regulation relating to cryptocurrency. This could be a huge setback for the crypto market in India. With a new wave of cryptos, the investors and stakeholders would be forced to operate in the shadows and uncertainty.  The 2023 was a year when cryptocurrency slowly started to come back and in a one of a kind move, the Security and Exchange Commission (SEC) recently gave a go-ahead to the listing of spot bitcoin ETP, which is expected to bring a new wave of crypto products that saw a decline after the FTX crash. This step could mark a recurrence in cryptocurrency which was slowly fading away. The resurgence highlights the need for a mechanism to regulate cryptocurrency in India. The blog tries and analyse the current and future regulatory landscape of the crypto sphere.  The Crypto Comeback   The markets have recovered substantially following the 2022 implosion, and the market sentiments too reflect a positive outlook. The crash was so throbbing that it slashed nearly two-thirds of the value of all major cryptocurrencies by the time the FTX drama was over.   However, the growth showed that, even after the 2022 crash and the idea of cryptocurrency being questioned, the investors remain optimistic and confident. Its popularity in India is also evident from the fact that Indian investors contribute nearly 19 million investors, despite constant fear of its prohibition. Further, the fact that the majority of these investors lie in the age group of 18 to 35 reflects its popularity among the younger generation which could further be a point of concern, as these people usually don’t have a proper financial understanding and such a large on of these people investing in such a volatile investment can negatively impact the economy.  Who Should Regulate   Before delving into the current regulatory landscape and the future of these currencies, a fundamental question is, who should regulate cryptocurrency?   One would ordinarily believe that since cryptocurrencies are believed to be the substitute for currency, the Reserve Bank of India (RBI) should monitor them. The draft bill reiterated this idea and provides for the Central Board of the Reserve Bank of India to regulate cryptocurrencies.  But when it comes to cryptocurrencies which unlike traditional currencies don’t have government banking and can be much more volatile, could be trickier to handle. Hence, if cryptocurrencies continue to be legitimate then it might be best suited for the government to create a specialised agency that oversees the crypto market.  Another approach that the government can take is decentralising its regulation to various agencies. This approach finds support in the U.S. where several agencies oversee different aspects of cryptocurrency. While the reserve bank could handle regulations for exchange among consumers, SEBI and the investigating agencies could work towards its listing and preventing misuse for criminal activities.  Regulations till now   The world of cryptocurrency came to the spotlight during COVID-19 when the value of cryptocurrency grew leaps and bounds, every new currency that promised to transform the world was welcomed with open arms. But the response to these currencies was never unanimous.  India’s position on cryptocurrency has been ambiguous and lacks clarity, which creates uncertainty among the public and stakeholders. the government although doesn’t endorse the idea of an unregulated currency but on the flip side embraces blockchain technology. The Indian government even plans to introduce its very own government-backed cryptocurrency.  The Reserve Bank of India from inception has been thwarting virtual currencies from being recognised as legal tender. The Reserve Bank of India also tried to constantly dissuade investors from investing in cryptocurrencies. The breaking point came when the monetary authority in a notification dated dated 6th April 2018 directed all financial institutions to stop providing any services concerning cryptocurrencies. This move acted as an indirect ban on cryptocurrencies and was justified by labelling cryptocurrencies as dangerous for the economy.  The Supreme Court later lifted the ban on the grounds that the move infringed the right to trade under Article 19(1)(g). The court in its judgement stated that RBI failed to consider other less intrusive measures, thereby pointing towards the abruptness and severity of the step. Even after the upliftment of the ban, it seems that RBI hasn’t changed its stance.  Initially, the government too hinted towards a blanket ban, with a report suggesting a complete ban on virtual currency being discussed in an Inter-ministerial committee in 2019. Nevertheless, this step never saw the daylight and with the Supreme Court judgement, the murmur around also started to die down.  When a bill titled Cryptocurrency and Regulation of Official Digital Currency Bill 2021 was listed for the 2021 winter session, the buzz around cryptocurrency was reignited but the bill too was never introduced and has been deferred indefinitely citing the complexities involved.   The government later announced in the Union Budget of 2022 a 30% tax on all transactions involving virtual currency. The measure could serve as a temporary means to dissuade the citizens from engaging in cryptocurrency and in process benefit the exchequer. Since the budget, the government remained silent. The silence has left the crypto community on the edge, eagerly waiting to see what the government decides.  Why is it important to clear the doubt over cryptocurrencies   The need to regulate cryptocurrency is one whose need has been felt from the very beginning. The excuse is that a very small number of people are invested and the complexities involved don’t hold good. Even after the FTX crash,

[By Runjhun Sharma] The author is a student of Dr. Ram Manohar Lohiya National Law University.   Introduction  Indian commercial landscape has encountered a wide array of variations throughout the entire course of this decade. Regulatory authorities face the challenge of ensuring smooth transitions and efficient transactions amidst increased accessibility to financial services and digitization of the economy To underpin this assertion, the author highlights the shift in the approach of market regulators over the decade.  The Securities and Exchange Board of India (SEBI) has permitted the Association of Mutual Funds to govern the functioning of Mutual Fund Distributors since the early 2000s. Insurance Regulatory and Development Authority of India introduced a set of guidelines to govern ‘Bima Vahaks, which is an insurance distribution channel. The Reserve Bank of India (RBI) rationalized the licensing framework by introducing multiple licenses for entities engaging in foreign exchange (Forex) services, back in 2006. In a fashion similar to other market regulators, the RBI, very recently, introduced a Draft Licensing Framework for Authorised Persons (APs) to rehaul the existing forex framework. In the said framework, it intends to delegate the task of governing a novel entity, Forex Correspondent (FxC), to Authorised-Dealer Category I (AD-Cat I) and Authorised-Dealer Category II (AD-Cat II) entities. AD-Cat entities are authorized dealers licensed by the RBI under Section 10(1) of the Foreign Exchange and Management Act, 1999 (FEMA) to deal with foreign exchange transactions. The said framework will be discussed in detail in this piece. Hence, it is well-established by the aforesaid instances that regulatory authorities are switching to a self-regulatory approach from a direct regulatory one.  Need of the Draft Licensing Framework  The recent framework introduced by the RBI was a much-warranted move, in light of the de-concentration of financial services, which has led to inclusivity in the access to such services. The increased usage of these services has resulted in a regulatory burden for the RBI and posed hindrances to efficient governance. With regard to the aforesaid, the financial regulator is compelled to look for additional modes of governance to streamline the provision of financial licensing services. The Draft Framework by RBI intends to expand the scope of services provided by AD-Cat entities and ease the eligibility criteria to engage in forex services. This move goes a long way to instill inclusivity for forex service providers and mitigate the load of governance of forex transactions.  Comparative Review of the Draft Framework with the Existing Mechanism  The major highlight of the Draft Framework is the introduction of  FxCs. FxCs are a category of money changer entities that are in an agency arrangement with AD-Cat entities. The transactions undertaken by them will be reflected in the books of the AD-Cat banks. The rationale behind the introduction of this novel entity seems to facilitate the accessibility of forex to general masses, businesses and tourists while ensuring checks and balances. Another motivation for this move may be that the majority of forex transactions do not necessitate the involvement of the RBI and take place at the level of APs. Under Section 10(1) of FEMA, AD-Cat banks are required to secure a license from the RBI to engage in forex transactions. However, in light of the agent-principal relationship between FxCs and AD-Cat banks, FxCs will not be required to secure separate licensing from the RBI and they will be able to deal in forex transactions. Before the introduction of the said Draft Framework, the licensing framework of the RBI sought to authorize entities that may deal in forex as: APs and Full-Fledged Money Changers (FFMCs). The authorization granted was exclusive to the aforesaid entities allowed to deal in forex transactions.   In the extant framework, an AD-Cat II license is initially granted for a period of one year, followed by subsequent renewal of license for one to five years. However, the Draft Framework does away with the specified timelines and introduces renewal of AD-Cat II licenses on a perpetual basis, conditional upon fulfillment of the revised eligibility criteria. This move comes in the face of promoting ease of doing business in transactions involving forex.   The Draft Framework is also seen as relatively liberal, which is evidenced from the expansive definition of ‘annual forex turnover’. It has outlined a comprehensive interpretation of “annual forex turnover,” encompassing the total sum of foreign currency notes, coins, and travelers’ checks acquired from or dispensed to the public, including transactions conducted through agents or franchisees, as well as the total value of remittances facilitated throughout the fiscal year. The criteria for annual forex turnover in the Draft Framework is most suitable as it excludes the turnover of Financial Year 2020-21 and 2021-22 to compute the ‘annual forex turnover’. This is so because the aforesaid years saw a striking decline in revenue generation and turnover in light of the impact of the pandemic. The concept of ‘annual forex turnover’ is of relevance as it provides a basis for determining whether a money changer entity should be deemed an FxC or AD-Cat entity.  Coming to the disclosure requirements and compliances for an FxC in the novel Draft, it is noteworthy that the financial regulator has proposed stringent disclosure requirements to make the mechanism watertight. The rationale behind this seems to be the complex nature of forex transactions which poses multiple apprehensions, including Anti-Money Laundering concerns. The disclosure requirements for an FxC are more or less similar to that of a Business Correspondent, with additional requirements of a Banker’s Report and a No Objection Certificate (NOC) from the Enforcement Directorate. Furthermore, since the permission to engage in forex dealings to all the outlets of FxCs is to be granted by the principal Authorised Dealer (AD) under the FxC Agreement, the said AD will be liable for the actions of the FxC. This is also underpinned by the relationship of agency between the principal AD and the FxC. Hence, the aforesaid provisions sufficiently highlight the fact that the RBI has opted to assuage the regulatory burden upon itself and strengthen the

[By Siddh Sanghavi] The author is a student of National Law University Odisha.   Introduction On January 15, 2024, the Reserve Bank of India released the draft regulation outlining a framework for self-regulatory organisations in the fintech industry. These self-regulatory organisations have been named SRO-FT. As per the RBI’s outlined framework, a Self-Regulatory Organization for Fintech (SRO-FT) will be a non-profit entity established under section 8 of the Companies Act of 2013 and will have to fulfil certain requirements and comply with governance standards to gain recognition by the RBI.   This idea of having a self-regulatory organisation for the Fintech industry is not something that is new and can be traced back to the Report of the Working Group on Fintech and Digital Banking released by the RBI in 2018, where the idea of a self-regulatory organisation for the Fintech industry was first proposed.   This blog analyses the Reserve Bank of India’s (RBI) draft regulations on establishing Self-Regulatory Organizations (SROs) for the Fintech industry in India. It discusses the need for regulation, why self-regulation is currently the best approach, and how the RBI’s steps will bridge the gap between regulators and the industry. It also highlights potential issues with the draft regulations and suggests improvements.  Need for regulation  As per the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps fintech lending entities in India are of two types:   1) Those which the RBI regulates by granting them NBFC licenses. And 2) those that are currently unregulated. The new draft framework is aimed at regulating the second category of Fintechs.   One of the main functions of the Fintech sector is that it provides solutions to the already regulated entities in the form of an outsourced information technology provider as well as providing lending services such as KYC (Know Your Customer) tasks. This involves fintech’s amassing a large amount of sensitive financial data, and therefore ensuring robust cyber security measures becomes extremely important.   By the nature of its functions itself, it is understandable why it is important to regulate this sector. If not regulated, it may pose significant risks towards consumers’ data privacy and cyber-security in the banking system. It is proposed that these SRO-FTs will help develop codes of conduct, ensuring all the members follow the basic industry standards and meet the expectations of the RBI.   Why self-regulation will be the best route.  Section 45I(f)(iii) of the RBI Act 1934, allows the RBI with the approval of the Central Government to notify any class of companies as an NBFC (Non-banking financial company). Through this section, RBI has the power to notify fintech entities that are involved in the process of lending as NBFCs. Since NBFCs are already regulated by the RBI, this notification of classifying Fintech companies as NBFCs would have allowed RBI to bring them under the same regulation.    However, RBI has in its press release stated that it prefers the approach of self-regulation as it will help get a balanced approach between innovation and meeting regulatory requirements.   Further, the RBI in its draft omnibus stated that “Self-Regulatory Organisations (SROs) enhance the effectiveness of regulations by drawing upon the technical expertise of practitioners and also aid in framing/fine-tuning regulatory policies by providing inputs on technical & practical aspects, nuances and trade-offs involved.”  As stated by the RBI in its draft omnibus it may not be prudent to bring Fintech’s under the same regulation as an NBFC, there has to be industry-specific regulation and till the time RBI doesn’t come up with regulations specifically dealing with Fintech self-regulation will be the best route.    Further, this approach of self-regulation taken by the RBI is appropriate since the Fintech industry in India is poised for growth, innovation and investments and burdening it with mandatory and excessive regulations may not be the right move currently and is something that can be considered in the future.   Success of Self-Regulatory Organisations across sectors.  The concept of a self-regulatory body is not new in India; it has also been effectively used in the past to close the gap between the regulated and the regulators without requiring excessive regulation.   The most famous example is the Association of Mutual Funds India (AMFI). The AMFI has acted as a link between SEBI/ RBI and the Mutual fund ecosystem. AMFI has also worked to set standards for “best practices” which then become the status quo of the industry and is followed by all in the eco-system. The AMFI has also been recognised by the SEBI and now also acts as the licensing body for all Mutual funds in the industry.   Other examples of successful self-regulatory organisations include the Indian Bank’s Association (IBA), and the Foreign Exchange Dealers Association of India (FEDAI), they have also been successful in collaborating with regulators in the past and ensuring compliance and upholding ethical standards.  The RBI by providing a framework for Self- Regulatory organisations for the Fintech Industry aims to achieve a similar purpose. An SRO-FT will act as an interface between the industry and the RBI.   The Key ingredients of success: Recognition by the RBI and active participation.   According to the new draft guidelines for an entity to be recognised by the RBI it must receive a letter of recognition from the RBI. From the examples mentioned above, the system of self-regulatory organisations can only work smoothly and truly act as a representative of the industry it needs to gain recognition from the regulator. Since the SRO acts as a representative of the entire industry, recognition from the RBI will grant them legitimacy.   Further, recognition by the RBI will automatically increase participation and membership of an SRO. As mentioned above Fintech entities are usually service providers to the already regulated entities, therefore accreditation by an RBI recognised entity (SRO) will increase trust and marketability of the fintech entity. This is also one of the important reasons why a Fintech entity would be motivated to voluntarily subject itself to regulations and supervision by an SRO-FT. Therefore

[By Lavanya Chetwani] The author is a student of National Law University Odisha.   INTRODUCTION  Recently, the Reserve Bank of India (‘RBI’) vide its circular dated December 19 has issued guidelines to prevent all Regulated Entities (‘RE’) from holding units of Alternative Investment Funds (‘AIF’) which have invested in a debtor company of the RE. AIFs are currently regulated by the Securities and Exchange Board of India (‘SEBI’)  under the SEBI (AIF) Regulations, 2012 (‘The Regulation’) and  SEBI Master Circular For AIFs, 2023 (‘MC-AIF’).  The guidelines issued by the RBI is motivated by a consultation paper issued by SEBI on 19 May 2023. SEBI had identified in its consultation paper certain structures which could be used for “evergreening” of loans by regulated entities. However, the guidelines might have an impact beyond the stated intent.   UNDERSTANDING THE GUIDELINES  AIFs have been defined by SEBI in paragraph 2(1)(b) of the Regulation as any fund established or incorporated in India which is a privately pooled investment vehicle which collects funds from sophisticated investors, whether Indian or foreign, for investing it in accordance with a defined investment policy for the benefit of its investors. As per paragraph 3(4) of the regulations, there are three categories of AIFs. Category I include infrastructure funds, angel funds, venture capital funds etc. Category II include funds like private equity funds, debt funds etc. and Category III includes funds which give returns under a short period of time like hedge funds.  The latest guidelines by the RBI bring the following changes:  1. Investment Restriction   The guidelines prohibit REs from investing in any scheme of the AIFs which has downstream investments in a ‘debtor company of the RE’. Downstream investments, though not defined in these guidelines, have been defined under Rule 23 Explanation (g) of the Foreign Exchange Management (Non-Debt Instrument) Rules, 2019 as investment made by an Indian entity which has total foreign investment in it, or an Investment Vehicle in the capital instruments or the capital, as the case may be, of another Indian entity. The circular is unfavourable for REs with genuine investments in these AIFs, and due to strict timelines, there is a high probability that these REs will struggle to liquidate their investments.    2. Liquidation time  Moreover, if in case, the RE has already invested in an AIF scheme and that AIF later makes a downstream investment in the debtor company of the RE then the RE has to liquidate its investments in such AIF scheme within 30 days. Additionally, should the RE already have invested in an AIF scheme, the 30-day timeframe will start on the date of issuance of circular i.e. 19 December 2023. The guidelines also lay out that the REs have to make 100 percent provision on such investments if they are unable to comply with the stipulated timelines. These regulations strengthen transparency and compliance through clear definitions and timeframes, but also raises concerns about administrative burden, exit challenges, and potential unintended consequences like decreased RE participation and concentration risk.  3. Priority Distribution Model  The directions also provide that investment by REs in the subordinated units of any AIF scheme with a ‘priority distribution model’ will be subject to a full deduction from RE’s capital funds. The explanation of this clause provides that ‘priority distribution model’ shall have the same meaning as in the circular issued by SEBI. According to paragraph 3 of the circular it means AIF schemes that use a waterfall distribution model suffer a share loss relative to other investor classes or unit holders that is greater than pro rata to their investment in the AIF because the latter has priority in distribution over the former.   While transparency and risk mitigation improve, REs face limited options and AIFs with these models may struggle to attract investors.  EVERGREENING OF LOANS   The RBI in its circular mentioned that the guidelines have been issued in order to deal with the problem of REs ‘evergreening’ loans through the AIF route. The similar issue was highlighted and informed by the SEBI to the RBI last year. In simple words, evergreen loans mean loans that never end. Evergreening of loans imply instances when REs provide the borrower another loan through AIF as an investment vehicle in order to repay the previous in default debt. Then, in order to demonstrate a low percentage of non-performing assets on their books, REs turn to these loans. The REs do so because once classified as such, they will have to provide for losses, which will in turn reduce profits. It has the  potential to mislead about the profitability and asset quality of banks and to postpone the identification and resolution of stressed assets.   However, the circular is unclear about whether AIFs in the Debtor Companies are pursuing this evergreening through fresh debt or equity infusion. Consequently, the circular refers to “investments” without making a distinction between debt and equity infusion.    DECIPHERING THE GUIDELINES: UNVEILING KEY CONCERNS    It is pertinent to highlight that SEBI, through paragraph 11 of the MC-AIF, has already imposed a restriction on arrangements incorporating priority distributions. Consequently, this broad prohibition by the RBI has the potential to negatively affect REs’ capacity to engage with AIFs that provide risk-adjusted returns for diverse groups of investors via various unit classes.   Additionally, the RBI Circular appears to be at odds with the inherent characteristics of AIFs. AIFs (Category I and Category II) are legally structured as privately pooled blind investment vehicles, characterized by a close-ended nature. AIF investors typically lack visibility into the AIFs’ investments and lack the right to freely redeem their units due to the highly illiquid nature of the AIF’s investments. Moreover, any transfer of AIF units necessitates explicit consent from the investment manager of the AIFs. In contrast, the RBI Circular mandates regulated entities to liquidate their investments in AIFs with downstream investments in debtor companies within 30 days. Assuming consent from the investment manager for the transfer, regulated entities may encounter challenges in finding buyers in the market, given

[By Sibasish Panda & Janhavi Mahalik] The authors are students of National Law University Odisha. Introduction India had been touted to bring a digital technology revolution in this decade with the Central Bank playing a pivotal role. It is at the cusp of a Fin-tech revolution with the market expected to hit $150Bn by 2025. It had to play a balancing role to facilitate innovative approaches by the Fin-tech companies vis-a-vis protection of consumer rights. To further this goal, the Reserve Bank of India (RBI) has also set up separate Fin-tech units under the Department of Payments and Settlement of Systems. Securing the cross-border payments was at the helm of the RBI’s focus. In light of recent judicial pronouncements, the RBI has overhauled the regulatory framework governing cross-border payment service providers. Formerly requiring partnership with an authorised dealer bank, Online Payments Gateway Service Providers (OPGSPs) are now directly overseen by the RBI and renamed Payment Aggregators – Cross Border (PA-CB). In this article the authors aim to analyse the stance of the Fin-tech companies post the guidelines. Understanding the Scope of the Regulations Under the new regulations, entities involved in the processing of import and export activities of cross-border payment transactions must comply with the instructions laid out by the RBI. This includes Authorised Dealer (AD) banks, Payment Aggregators (PAs), and PA-CBs.  Non-banks aiming to operate as Payment Aggregators for cross-border transactions need RBI authorisation by April 30, 2024. This authorisation categorised as import-only, export-only, or both, is essential for offering cross-border payment services. Existing non-bank providers of these services must notify the RBI about their activities within 60 days and seek approval to continue. Entities offering cross-border trade settlement services must have a minimum net worth of Rs 15 crore at the application time, increasing to Rs 25 crore by March 31, 2026. Non-bank lenders without prior business in the segment must have a minimum net worth of Rs 15 crore when applying. Payment aggregators are now under the PMLA microscope. The current RBI regulations require all Payment Aggregators and Payment Gateways to undergo registration with the Financial Intelligence Unit India (FIU-IND) before seeking authorization. Consequently, they will be categorized as “reporting entities” by the Prevention of Money Laundering Act (PMLA). From now any payment transaction deemed suspicious will be reported to the Financial Intelligence Unit as per the new guidelines.  This finally comes as a clear stance from the RBI on the issue that was contested in PayPal Payments Private Limited v Financial Intelligence Unit India. The tussle of whether PayPal qualified to be a “payment system operator” under the act was answered in affirmative by the court, thus qualifying it to be a reporting entity as defined under section(1)(a) of the act. This move is aimed at bolstering India’s position which is under the Financial Action Task Force (FATF) review which was scheduled in November this year. Payment aggregators asserted their role as mere “transaction interfaces,” facilitating import-export transactions between Indian and overseas parties without directly handling payments between payer and beneficiary. Despite this, classifying them as reporting entities increases compliance burdens, especially for Fintech startups with modest business plans. The start-up Fintech companies with a small goal business plan now have to rewire their finances and meet the costs that come with setting the infrastructure to maintain and furnish records of all the transactions.  The broad definition of reporting entities encompasses banks and payment firms conducting their Know Your Customer (KYC) checks, extending to technology service providers. Now to mandate even technology service providers to do the same will increase the cost of compliance and will also be burdensome on the state machinery to process the data multiple times. The authors however feel that keeping in mind the stringent nature of the PML act, Fintech companies must take a conservative reading of the same before reporting any transaction to the FIU-IND. Balancing stringency and the ease of doing business. The recent stringent control by regulators on Fin-tech companies, coupled with current guidelines, underscores India’s aim to secure cross-border transactions giving paramount importance to customer data, privacy, and security. The payment aggregator business is heavily influenced by merchant onboarding policies and adherence to anti-money laundering (AML) and counter-terrorist financing (CFT) regulations. While the BIS-CPSS principles may not cover AML/CFT and customer data privacy, these factors directly impact merchant operations and customer safeguarding. When designing a payment aggregator business model, considerations extend to regulations like data privacy, competition policy promotion, and specific investor and consumer protections. The PA-CB Guidelines mandate payment aggregators to comply with KYC/AML/CFT regulations outlined by the RBI, following the “Master Direction – Know Your Customer (KYC) Directions,” and now by categorising them as “reporting entities” also adhere to the provisions of Money Laundering under the PMLA act and rules. The added due diligence checks during merchant onboarding along with KYC and transaction monitoring added to the woes of these Fin-tech companies. While the compliance checks seem burdensome, the RBI has made an attempt to ensure the seamless processing of all trade payments efficiently. The latest guidelines have streamlined fund flows, making transactions more convenient. Such as the OPGSP guidelines, which aim to simplify transactions, PA-CBs are required to uphold an Import Collection Account (ICA) and an Export Collection Account (ECA) for their corresponding transactions. Notable distinctions include the OPGSP guidelines, which required the transfer of balances in the ICA to the overseas exporter’s account within two days of receiving funds. The RBI, as per the PA – CB Directions, has aligned the timelines for fund settlement from the ICA with those specified in the Payment Guidelines for settling funds from domestic payment aggregators’ escrow accounts. This adjustment provides greater flexibility to PA–CBs, allowing settlement timelines from the ICA to be tied to the receipt of delivery confirmation intimation or the expiration of relevant refund periods. Additionally, PA-CBs involved in export transactions are not obliged to establish separate Nostro accounts for fund flows. It is also felt that applying as an export PA-CB will

[By Aryan Dash & Rishita Sinha] The authors are students of National Law University Odisha. INTRODUCTION: In the bustling landscape of India’s financial technology sector, the crescendo of UPI transactions have reached a staggering 9.3 billion in June 2023. Projections paint a vibrant future for the Indian fintech industry, eyeing a valuation surpassing $2 trillion by 2030. The meteoric rise of UPI has not only transformed the payment ecosystem within India but has also sparked a global ripple effect. The primary purpose of the extension of UPI abroad is to boost cross-border transactions, foster financial inclusion, and reduce reliance on cash transactions. However as the National Payments Corporation of India (NPCI) extends UPI services beyond borders, a critical conversation emerges – one that delves into the implications of managing vast data under the existing data protection regulations and the recently introduced Digital Protection & Data Privacy Act 2023 (DPDP Act). THE NPCI’S ROLE AND GLOBAL UPI EXPANSION: In an era where global connectivity is paramount, the expansion of UPI services abroad marks a pivotal step in revolutionizing cross-border transactions. Founded in 2008 as a not-for-profit under the RBI and Indian Banks’ Association, the NPCI has been a linchpin in providing cutting-edge payment system technologies, including RuPay and UPI. In a bid to cater to Indian tourists and the diaspora abroad, NPCI’s wholly-owned subsidiary, NPCI International Payments Limited (NIPL), has embarked on an ambitious initiative to extend UPI services globally. Agreements with countries like Singapore, France, Malaysia, South Korea, and Japan underline NPCI’s intent to facilitate cross-border transactions, enhance financial inclusion, and reduce dependence on traditional payment methods. The NPCI envisions a two-pronged approach, developing international interoperability for travellers and collaborating with central banks to fortify UPI ecosystems worldwide. RBI’S STANCE ON DATA LOCALIZATION: In an era dominated by digital transactions, robust data privacy regulations are imperative, especially for sensitive information like banking transactions. Safeguarding critical data ensures not only the security of individuals but also the integrity of financial systems. Preceding the current surge in data protection concerns, in 2018, the RBI introduced the Storage of the Payment System Data circular to regulate data storage in the context of cross-border transactions. RBI’s Guidelines for In-Country Storage with Foreign Transaction Exceptions This circular mandates banks and payment service providers to store data within India, with exceptions for foreign components in a transaction. For foreign data processing, there is a 24-hour limit set for data storage abroad, after which it must be deleted and brought back to India. Real-Time Settlements and In-Country Data Storage: Regarding payment settlements, transactions settled outside India require real-time basis settlement with exclusive data storage within the country. The RBI’s circular encompasses all banks, payment system providers, and third-party applications providing UPI services, with the data stored in India being eligible for limited sharing, subject to necessary permissions. CROSS-BORDER DATA SHARING AND THE DPDP ACT: The DPDP Act, in its current form, introduces some shifts in data-sharing dynamics. Section 16 of the Act allows unrestricted data sharing with countries whitelisted by the government, while blacklisted countries are ineligible for such arrangements. Undefined Territories: The Need for DPDP Rules Presently, the DPDP Act lacks a predefined roster of countries classified as either blacklisted or whitelisted. The government aims to address this gap by formulating detailed DPDP rules. These regulations will outline the criteria for categorizing countries onto the blacklist, based on considerations the government deems necessary to safeguard the data of Indian citizens and businesses. Consent Matters: Obligations of Data Fiduciaries However, data fiduciaries, including third-party applications and payment service providers, are obligated to obtain valid consent from users before sharing sensitive financial data. DPDP Act vs. RBI Circular The Act seemingly contradicts the RBI’s circular, especially in terms of data localization and sharing. While the RBI circumscribes cross-border data transfer, the DPDP Act presents a more lenient approach, opening avenues for data sharing under consent. This creates a nuanced landscape where reconciling the differences between the two becomes imperative. BALANCING ACT: RBI CIRCULAR VS. DPDP ACT: In the intricate regulatory dance between the DPDP Act and the RBI’s Circular, achieving a delicate balance becomes paramount. DPDP’s Section 16, permitting global data sharing with consent, collides with the RBI’s stringent data localization directives. The DPDP Act seemingly contradicts the RBI’s data localization directive, which requires deleting processed data abroad within 24 hours. While the RBI allows data sharing for processing outside India, the DPDP Act prohibits exporting Indian data, even for processing. Despite government assurances that RBI regulations will endure, reconciling these disparities in practice remains a challenge. Notably, DPDP’s Section 17 introduces exceptions, aligning with the RBI’s circular, allowing data sharing for legal claims or breaches. Crafting a cohesive framework that respects user privacy, aligns with global standards, and adheres to financial data mandates is a crucial task in this evolving regulatory landscape. EXPANSION OF UPI SERVICES: NRIS AND FOREIGN TOURISTS: In a move to broaden UPI services, the RBI, in a circular dated 10 February 2022, greenlit the extension of UPI services to Non-Resident Indians (NRIs) and foreign tourists. NRIs can set up a UPI ID using their international numbers, linked to NRE/NRO accounts, provided they comply with KYC regulations. Similarly, foreign tourists can avail themselves of Prepaid Payment Instruments (PPIs) from banks or corporate entities, loaded using various methods, adhering to RBI’s guidelines. The Indian government has been actively forging strategic agreements to enhance cross-border transactions and simplify fund transfers for the Indian diaspora worldwide. Under NPCI’s global UPI initiative, services have been extended for foreign remittances, exemplified by the UPI-PayNow linkage between India and Singapore. the collaboration between India and France marked a milestone, allowing Indian tourists to effortlessly make payments in INR using their UPI apps, even from the iconic Eiffel Tower. Early on, Bhutan joined hands with India to introduce UPI-based transactions, initially limited to the BHIM app for Indian travelers and residents in the country. This move showcased the early adoption of UPI technology beyond India’s borders. A significant leap forward