INTRODUCTION

A quick assessment of the developments in the Indian fintech sector over the 2022 calendar year gives one an optimistic outlook on what lies ahead in 2023. The Indian fintech sector is now one of the fastest growing sectors globally with nearly five thousand start-ups and twenty-two unicorns in the space.[1] Business models and investments in this space have diversified and expanded beyond back-end technologies and digital payments, to cover more financial services such as lending, insurance, brokerage, mutual funds distribution, and wealth management.

The expansion of the Indian fintech sector has been fuelled by technology innovation, reducing data costs, higher smartphone penetration, improved digital infrastructure and a regulatory environment that promotes fintech and digital penetration in India. That said, venture backing in the sector seems to have plateaued to a marginal increase of about three per cent in funding over the past few quarters even though the volume of deals has increased by about thirty per cent.[2] However, the growth projections of the sector indicate up to a fourfold increase in the sector's valuation in the short to mid-term.[3]

The October-December quarter has witnessed several regulatory movements, including the introduction of the Central Bank Digital Currency ("CBDC") and the introduction of the Digital Personal Data Protection Bill, 2022 ("DPDPB"), which have the potential of bringing about a sea change in the fintech sector.

This newsletter highlights the key developments and measures as well as other developments in the Indian fintech space from October 01, 2022 to December 31, 2022.

RECENT LEGAL & REGULATORY DEVELOPMENTS

Introduction of the Central Bank Digital Currency

The Reserve Bank of India ("RBI") on October 7, 2022 issued a concept note on CBDC[4] which proposed to introduce the CBDC or "Digital Rupee" as a legal tender that coexists with and complements existing forms of money in a digital format.[5] It is evident from a reading of the said concept note that the primary impetus for the RBI to explore the issuance of CBDC is to mitigate the systemic risk posed by private cryptocurrencies.

The aforesaid concept note envisions two broad categories of CBDC i.e., (a) Retail CBDC ("CBDC-R"); and (b) Wholesale CBDC ("CBDC-W"). CBDC-R is intended to be the general-purpose digital currency which would be available for use by private sector, non-financial consumers and businesses while CBDC-W is intended to be made available only to financial institutions specifically for the purpose of inter-bank transfers and settlement of transactions.

Following this, the RBI, on October 31, 2022, issued a press release[6] stating the commencement of a pilot for CBDC-W for the specific use-case of settlement of secondary market transactions in government securities, which was launched with the cooperation of 9 (nine) commercial banks. Shortly after, the RBI issued a press release on November 29, 2022[7] launching a pilot for CBDC-R. The CBDC-R pilot covers selected locations in closed user groups comprising participating customers and merchants. The CBDC-R has been issued in this pilot in the form of a digital token that represents a legal tender in the same denomination as traditional currency. Payments (for both person to person and person to merchant transactions) are enabled through a digital wallet offered by the participating banks, which is available on mobile phones / devices.

While the introduction of CBDC and the aforesaid pilot programs is a forward step in the right direction, the effects and impacts of such a measure on the financial sector and public are yet to be seen.

Introduction of Inter-operable Regulatory Sandbox ("IoRS")

The RBI, the Securities and Exchange Board of India ("SEBI"), the Insurance Regulatory and Development Authority of India ("IRDAI") and the International Financial Services Centres Authority ("IFSCA") through press releases dated October 12, 2022[8] have introduced the IoRS as a mechanism for regulating and encouraging the development of hybrid financial products / services falling within the regulatory ambit of more than one financial sector regulator. The IoRS is intended to be a single window for fintech entities to interface with multiple regulators for the purpose of testing innovation and novel hybrid fintech products. The press releases also contemplate a Standard Operating Procedure ("SoP") for the IoRS.

The SoP prescribes that the FinTech department of RBI shall be the nodal point for receiving applications in the prescribed format.[9] The regulator under whose regulatory domain the 'dominant feature' of a particular product falls will be the 'Principal Regulator' ("PR"), and the regulator under whose remit other features apart from the dominant feature of the product fall will be the 'Associate Regulator' ("AR"). The dominant feature of a product would be decided based on: (i) the type of enhancement to the existing product like loans, deposits, capital market instruments, insurance etc.; and (ii) the number of relaxations sought by an entity to undertake the test, wherein greater weightage would be given to (i) above. The PR prescribes the eligibility criteria and the net worth criteria of applicants while the AR provides specific inputs and conditions regarding the aspects falling under its remit. Upon the applicant entity successfully exiting the IoRS, the PR and the AR are required to provide authorisation for launching the product in the market on a wider scale.

Framework on Regulation of Online Bond Platform Providers

The SEBI, upon noticing a rise in the number of 'Online Bond Platforms' ("OBPs") operated by unregulated fintech entities which offer debt securities (usually obtained through subscriptions to public issues / private placements and through secondary market) to non-institutional investors, has issued the 'Registration and Regulatory Framework for OBPs'[10] ("OBP Framework").

The OBP Framework has been issued by the SEBI pursuant to the SEBI (Issue and Listing of Non-Convertible Securities) Regulations, 2021 wherein OBP providers have been mandated to be registered as stockbrokers with the SEBI, specifically as brokers who deal in the debt segment of stock exchanges. Further to the registration, such OBP providers have been mandated to cease offering securities that are not listed as debt securities or that are proposed to be listed through a public offering. Additionally, the OBP Framework inter alia prescribes the following key requirements for OBP providers: (i) the appointment of a compliance officer who is a qualified Company Secretary; (ii) putting in place a well-defined grievance redressal platform; (iii) putting in place fair and objective criteria for registration of the users or the investors or the sellers on its OBP and undertaking diligence on them; (iv) conducting Know Your Customer ("KYC") of the investors and the sellers; and (v) executing agreements with the sellers of debt securities for offering such securities on its OBP.

Draft Master Direction on Information Technology ("IT") Governance, Risk, Controls and Assurance Practices

With the extensive leveraging and outsourcing of IT services by regulated entities in the financial system and the increasing dependence of the customers on digital channels to avail financial services, the RBI has identified the need for enhanced regulation of banks and non-banking financial companies ("NBFCs") with regard to IT governance. Accordingly, the RBI, through a circular dated October 20, 2022 has issued the Draft Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices ("Draft IT Master Directions")[11] which is intended to apply to all banks and NBFCs and regulated entities (except the NBFCs in the base layer under the scale-based regulatory framework) ("REs").[12]

The Draft IT Master Directions obligate REs to adopt a robust IT Governance Framework comprising a governance structure and processes that are necessary to meet the RE's business / strategic objectives as well as to comply with requirements such as (i) establishing a board-level IT Strategy Committee; (ii) formulating policies such as IT policies, information systems policies, IT risk management policies; (iii) appointing a senior level officer as the 'Head of IT Operations'; and (iv) constituting an information security committee etc.

The Draft IT Master Directions are currently under review by the RBI after receiving stakeholder comments. The final version of the Draft IT Master Directions will have to be analysed in greater detail once the RBI notifies the said master directions with changes (if any).

SEBI Master Circular on redressal of investor grievances through SEBI Complaints Redress System (SCORES) Platform

In 2011, the SEBI had launched the centralised web-based complaints redress system ("SCORES") as an administrative platform to address the grievances of aggrieved investors which have remained unresolved by the listed companies, registered intermediaries or recognised market infrastructure institutions. Recently, the SEBI issued a consolidated master circular dated November 07, 2022 on redressal of investor grievances through SCORES ("SCORES Master Circular").[13]

The SCORES Master Circular requires all investors to first take up their grievances for redressal with the entity concerned, through their designated persons / officials who handle issues relating to compliance and redressal of investor grievances, before filing a complaint on the SCORES platform. Further, the SCORES Master Circular also allows investor grievances to be filed through recognised investor associations. An investor is also allowed to file 'direct complaints' to the concerned entity on the SCORES platform and all such complaints are required to be addressed within 30 (thirty) days. Additionally, it is pertinent to note that the complaint must be lodged within 1 (one) year from the date of the cause of action. Such direct complaints can be filed on the grounds that: (i) the complaint filed by an investor is rejected by the concerned entities; (ii) no communication has been received from such entities; or (iii) the complainant is not satisfied with the reply received from the concerned entity. An entity failing to comply with the SCORES Master Circular may be suspended from trading on stock exchanges and / or fined.

SEBI Consultation Paper on Cloud Computing

The SEBI, through a consultation paper dated November 04, 2023 ("Consultation Paper")[14] has proposed a principle-based framework containing 9 (nine) high-level principles which are intended to guide regulated entities, based on their business and technology risk assessment, to adopt cloud computing into their business models. The Consultation Paper defines cloud computing to mean a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provided and released with minimal management effort or service provider interaction.

Further, the SEBI regulated entities have been allowed to engage cloud service providers who are empanelled with the Ministry of Electronics and Information Technology ("MeitY"). However, the regulated entity would have to bear the burden of any compliance. Additionally, the SEBI regulated entity is obligated to retain complete ownership of its data, encryption keys, logs etc., which reside on the cloud. The regulated entity that deploys cloud solutions is also required to monitor the same through an in-house or third-party security operations centre.

It remains to be seen if the Consultation Paper leads to an actual binding regulation from the SEBI. For the moment, there are no limitations placed on the SEBI regulated entities from deployment of cloud-based solutions.

Footnotes

1. https://inc42.com/reports/state-of-indian-fintech-report-q3-2022/

2. https://www.vccircle.com/fintechstartups-raise-3-4-bn-in-2022-so-far-report

3. https://www.livemint.com/companies/news/fintech-valuations-to-rise-3-5-times-by-fy26-bain-study-11666720221958.html

4. https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1218

5. Reserve Bank of India - Reports (rbi.org.in)

6. https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=54616

7. Reserve Bank of India - Press Releases (rbi.org.in)

8. Reserve Bank of India - Database (rbi.org.in); https://www.sebi.gov.in/media/press-releases/oct-2022/standard-operating-procedure-for-inter-operable-regulatory-sandbox-iors-_63948.html; https://www.irdai.gov.in/ADMINCMS/cms/whatsNew_Layout.aspx?page=PageNo4826&flag=1; https://ifsca.gov.in/Document/Legal/standard-operating-procedure-for-inter-operable-regulatory-sandbox-iors-12102022043007.pdf

9. https://rbidocs.rbi.org.in/rdocs/content/pdfs/IoRS12102022_APP.pdf

10. SEBI | Registration and regulatory framework for Online Bond Platform Providers

11. Reserve Bank of India - Database (rbi.org.in)

12. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12179&Mode=0

13. SEBI | Master Circular on the redressal of investor grievances through the SEBI Complaints Redress System (SCORES) platform

14. SEBI | Consultation Paper on Cloud Framework


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.