India: Fintech Newsletter: Unveiling India's Latest Legal Shifts And Market Waves

INTRODUCTION

India is witnessing an exponential growth in the use of digital banking, UPI, and fintech platforms, along with various developments in the fintech sector, such as introduction of cash withdrawal through the use of UPI. The ease of availing loans facilitated by fintech platforms, has in-turn, led to an increase in the need for improved regulation of the fintech sector. In the recent past, the financial regulators have been actively taking steps to keep-up with the developments in the fintech sector and amend any loopholes or ambiguity in the existing regulations, to ensure that the rights of the consumers are protected.

A similar determination was depicted by the financial regulators in the months of October and November as well which prompted them to inter alia, introduce the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices, 2023 and the NBFC – Scale Based Regulation) Directions, 2023 alongside making amendments to the Know Your Customer ("KYC") directions. On the other hand, several fintech players including inter alia Instamojo, PayU, Razorpay, LIC, Mobikwik and Paytm have also undertaken some intriguing initiatives (covered in this newsletter), thereby boosting the fintech space in India.

In this backdrop, we present to you our Fintech newsletter which captures key developments and updates in the Indian fintech landscape from October 01, 2023, to November 30, 2023.

REGULATORY DEVELOPMENTS

RBI regulates entities that facilitate remittance for export/import in the online mode

By its circular dated October 31, 2023, on 'Regulation of Payment Aggregator ("PA") – Cross Border (PA - Cross Border)' ("PA-CB Guidelines"),¹ the RBI will now directly regulate entities that facilitate cross-border payments for the import/export of permissible goods and services in the online mode. All non-bank entities intending to facilitate cross-border transactions would now be required to obtain authorization from the Reserve Bank of India ("RBI") in that regard, as a PA-Cross Border ("PACB"). Prior to the notification of the PA-CB Guidelines, non-bank entities which sought to facilitate cross-border payment transactions, were required to be registered as an Online Payment Gateway Service Provider ("OPGSP") with an Authorised Dealer Category-I scheduled commercial bank ("AD-I Bank").

The PA-CB Guidelines, also obligate non-bank entities to register with the Financial Intelligence Unit – India ("FIU-IND") before seeking the authorization from the RBI to act as a PA-CB. The entities currently involved in such services are required to apply for this authorization before April 30, 2024, and till RBI's pronouncement of a decision on the same, they can continue to offer PA-CB services.

Non-bank authorized PAs already offering such services are supposed to inform RBI about their intention to continue to offer the same within 60 (sixty) days from the date of notification of the aforementioned circular. The PA-CB Guidelines direct PA-CBs to inter alia undertake customer due diligence in line with RBI's extant guidelines on offshore PAs or merchants/e-commerce platforms for import transactions, and their domestic counterparts for export transactions. PA-CBs have also been allowed to directly on-board such merchants under the PA-CB Guidelines.

RBI issues Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices

On November 7, 2023, the RBI issued the Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices ("IT Master Direction"). The IT Master Direction seeks to establish a resilient IT governance framework for Regulated Entities ("REs"), involving board-level approval and oversight. The following are the requirements of the IT Master Direction, among others:

• REs must establish an IT Governance Framework that inter alia specifies:
  • the governance structure and processes required to meet the RE's strategic and business objectives;
  • the governance structure and processes required to meet the RE's strategic and business objectives;
  • oversight mechanisms to ensure accountability and mitigation of IT and cyber/information security risk.
• The REs enterprise-wide risk management policy should now include periodic assessments of ITrelated risks.
• REs must establish a Board-level IT Strategy Committee ("ITSC") which will be inter alia responsible to ensure that the RE has an effective IT strategic planning process in place, among others. The ITSC shall meet at least on a quarterly basis.
• REs must establish an IT Steering Committee which shall assist the ITSC in strategic IT planning, oversight of IT performance, among others.
• REs must appoint a Head of IT Function, who will inter alia be responsible to ensure effective assessment, evaluation and management of IT controls and IT risk, as the first line of defence.
• REs must implement a data migration policy specifying a systematic process for data migration, ensuring data integrity, completeness, and consistency.

The IT Master Direction will not be applicable to NBFCCore Investment Companies and local area banks. The IT Master Direction will be enforceable from April 1, 2024.

RBI and SEBI introduced amendments to incorporate the changes prescribed in the Prevention of Money Laundering Act, 2002²

RBI, vide its circular dated October 17, 2023 ("RBI Circular"),³ and the Securities and Exchange Board of India ("SEBI") vide its circular dated October 13, 2023 ("SEBI Circular"),⁴ has introduced significant amendments to the Master Directions – KYC Directions 2016 ("KYC Directions") and the Guidelines on AntiMoney Laundering ("AML") Standards and Combating the Financing of Terrorism ("CFT"), to align them with the changes introduced in other enactments such as the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 ("PMLA Rules") under the Prevention of Money Laundering Act, 2002 ("PMLA").⁵

Pursuant to the RBI Circular, banks, Non-Bank Financial Companies ("NBFCs"), financial institutions, and other REs have been obligated to follow a risk-based approach and comply with the prescribed board-approved policies and procedures for the identification of customers to mitigate the risks associated with money laundering and terrorism financing (collectively, "ML/TF"). Some of the key changes introduced vide the amendment to the KYC Directions have been listed below:

• Expanding the regulatory purview: The scope of the KYC Directions has been broadened to encompass asset reconstruction companies as an RE.
• Identification of Beneficial Owner: The threshold for determining the beneficial owner in partnership firms has been lowered to 10% (ten percent) ownership or profit share (from the earlier threshold of 15% (fifteen percent), in line with the changes in the PMLA Rules.
• Mirroring the changes introduced in the PMLA Rules: Apart from nominating a 'principal officer' (who is at least of a management-level position) to furnish the relevant information to the Director of FIU-IND, REs that are members of a group are bound to implement the group-level policies to ensure compliance with the PMLA Rules. Banks are also bound to implement measures to identify money mules accounts and report contraventions relating to the same to FIU-IND.
• Customer due diligence ("CDD"): REs are now obligated to only rely on CDD data obtained immediately from third-parties as opposed to the earlier time-frame of 2 (two) days.
• Enhanced reporting and record-management obligations: REs are bound to maintain records of 'customer information' with the duty to also retain particulars of "walk-in customers".

Similar changes have also been prescribed vide the SEBI Circular. For instance, reporting entities (which include all securities market intermediaries registered under the SEBI Act, 1992) that are members of a financial group are obligated to establish group-wide AML/ CFT policies, which shall be applicable to all branches and majority-owned subsidiaries of the financial group. Further, the provisions on the identification of beneficial ownership have been revised for companies, partnership firms, unincorporated associations, listed entities, and foreign investors. The rationale behind introducing the aforementioned revisions is to bolster the effectiveness of the AML/CFT framework and to delimit the responsibilities of reporting entities, as outlined under the PMLA and allied regulations.

To view the full article, click here.

Footnotes

1. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12561&Mode=0

2. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12549&Mode=0

3. https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12549&Mode=0

4. https://www.sebi.gov.in/legal/circulars/oct-2023/amendment-to-the-guidelines-on-anti-money-laundering-aml-standardsand-combating-the-financing-of-terrorism-cft-obligations-of-securities-market-intermediaries-under-the-prevention-ofmoney-laund-_77975.html

5. https://www.sebi.gov.in/legal/circulars/oct-2023/amendment-to-the-guidelines-on-anti-money-laundering-aml-standardsand-combating-the-financing-of-terrorism-cft-obligations-of-securities-market-intermediaries-under-the-prevention-ofmoney-laund-_77975.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.