1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
India does not have a unified code of laws governing fintech. Fintech activities in India are primarily regulated by the Reserve Bank of India (RBI), India's banking regulator. Regulation takes the form of acts passed by the legislature and rules and regulations passed by the RBI and other regulators.
Payments are the most evolved fintech sub-category in India, in terms of both business and regulations governing this space. The Payment and Settlement Systems Act, 2007 (PSSA) governs and regulates the operation of payment systems in India. The PSSA authorises the RBI to regulate payment system participants. Any entity wishing to operate a payment system in India is required to obtain RBI authorisation under the PSSA.
Certain fintech activities may be regulated by other regulators. For example, fintech activities involving securities trading/securities advisory functions are regulated by the Securities and Exchange Board of India (SEBI). These activities include fund administration, peer-to-peer trading, algorithmic trading and exchange-traded funds. Similarly, fintech activities falling under insurtech or otherwise under the insurance sector are regulated by the Insurance Regulatory and Development Authority of India (IRDAI).
Other applicable laws include:
- data protection laws in India, primarily the Information Technology Act, 2000 and allied rules;
- know-your-customer (KYC) and anti-money laundering (AML) laws, primarily under the Prevention of Money Laundering Act, 2002; and
- consumer protection laws, primarily under the Consumer Protection Act, 1986 and the Consumer Protection Act, 2019.
1.2 Do any special regimes apply to specific areas of the fintech space?
Yes. A good example is the payments space, where the regulatory regime is comparatively well developed. Digital payments in India are predominantly executed through prepaid payment instruments (PPIs) and debit cards (by volume), and the Real-Time Gross Settlement system and National Electronic Funds Transfer system (by value).
The PSSA is the primary legislation governing payment systems in India. Separately, the RBI, as the payments regulator, issues rules and regulations covering different aspects of the payments ecosystem from time to time. Examples include the following:
- Card network providers are governed by specific regulations issued by the RBI from time to time regarding debit/credit card operations.
- PPIs, including mobile wallets, are governed by the RBI's Master Direction on Issuance and Operation of Prepaid Payment Instruments. The PPI Master Direction divides PPIs into three categories:
  - closed loop;
  - semi-closed loop; and
  - open loop.

  It further prescribes the compliance requirements that apply to entities issuing each type of PPI in India.
- The RBI mandates the implementation of two-factor authentication for all domestic card-not-present transactions. Low-value transactions (less than INR 2,000) are exempt.
- The RBI imposes data localisation requirements on all information relating to payment systems in India.
- The RBI passes rules and regulations from time to time governing, among other things:
  - KYC and AML compliance;
  - transaction limits and fraud prevention compliance;
  - reporting obligations; and
  - dispute resolution mechanisms.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
There is no single fintech regulator in India. The nature of regulations and the relevant regulator will depend on the nature of the fintech business. The regulator may be the RBI, SEBI, the IRDAI or another sectoral regulator. The regulator is responsible for enforcing applicable laws and regulations.
Given that most fintech activities currently fall within the domain of payments, banking and finance, lending or related financial services, the RBI – as the principal regulator of these activities – has been responsible for enforcing applicable laws and regulations. Regulators such as the RBI, SEBI and the IRDAI have extensive powers to oversee compliance with applicable laws. These include the power to:
- authorise certain activities;
- refuse authorisation and blacklist certain fintech activities;
- impose conditions of business and operations;
- audit business and operations;
- require appropriate filings to be made with them; and
- impose penalties for non-compliance with applicable laws and regulations.
Indian courts may be called to test the validity of certain laws and regulations. The courts' jurisdiction may also be invoked in situations where the position adopted by or the procedure followed by a regulator is questioned.
1.4 What is the regulators' general approach to fintech?
The regulations applicable to the fintech industry do not differ significantly from those applicable to traditional financial service providers in India. This is primarily because these entities are largely regulated by an existing regulator – either the RBI or other regulators such as SEBI or the IRDAI. Although there have been proposals for the establishment of an independent authority to regulate the payments industry, these proposals have not yet been accepted.
In most cases, the compliance requirements and obligations applicable to traditional financial institutions are more onerous than those applicable to their new counterparts. Traditional banks and non-banking financial institutions are subject to more demanding capitalisation requirements, reporting requirements, consumer grievance redressal obligations and other operational restrictions. For instance, while a fintech company can outsource parts of its operations relatively easily, a similar outsourcing arrangement in a bank would be subject to numerous restrictions and requirements, including requirements to include specific clauses and provisions in outsourcing agreements. Banks and non-banking finance companies are also required to have several committees and policies in place; such requirements do not always apply to fintech companies.
Regulators today recognise the need to update and modify their regulations to accommodate the introduction of new technologies by fintech companies and make compliance with such regulations easier for non-banking entities. With this objective in mind, the RBI has introduced the concept of a regulatory sandbox for fintech companies. SEBI has separately issued guidelines for a fintech regulatory sandbox. In both instances the first cohort is expected to begin operating in 2020. The RBI has already opened applications for the first cohort, which has ‘retail payments’ as its theme.
1.5 Are there any trade associations for the fintech sector?
There is no single official trade association for the fintech sector. However, each fintech sub-category may have one or more associations or consortia representing its interests. Examples include:
- the Digital Lenders Association of India, a consortium of entities involved in core lending business and facilitation of digital lending; and
- the Payments Council of India, which represents the interests of the payments industry.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
The digital payment sub-sector is the fintech industry sub-sector which has achieved the greatest penetration in India. Prepaid payment instruments (PPIs) – most commonly mobile wallets – are instruments that facilitate the purchase of goods and services against value stored on such instruments. India has one of the fastest-growing markets in terms of mobile wallet adoption. Mobile wallet transactions increased from INR 24 billion in 2013 to INR 955 billion in 2017, and surpassed the INR 1 trillion mark in early 2018.
Payments through the indigenously developed Unified Payments Interface (UPI) have also rapidly increased. The UPI adoption rate has been phenomenal: by August 2019, 10 billion UPI transactions had been executed. Nearly 80% of those transactions were executed between September 2018 and August 2019.
2.2 What products and services are offered?
The products and services in the digital payments space include the following:
- PPIs that allow customers to use stored value to purchase goods and services from an array of registered merchants;
- card tokenisation services;
- electronic point of sale services;
- QR code processing;
- technology services provided through UPI-enabled payment platforms;
- digital identity verification services within the payments process; and
- data encryption services which are embedded in the payments flow.
2.3 How are fintech players generally structured?
Most fintech players are structured as companies incorporated in India. This is generally due to legal requirements. For example, entities that undertake payment and settlement activities in India require prior authorisation from the Reserve Bank of India (RBI) under the Payment and Settlement Systems Act, 2007. One requirement to obtain such authorisation is that the entity be a company incorporated in India.
Where fintech entities offer both regulated and unregulated services or products, those products and services may be offered through different legal entities. Entities that undertake regulated business may be capitalised only to the extent required under law. Affiliated entities which provide unregulated products or services may potentially also receive investments. These affiliates may also incur expenses relating to marketing, research and development and corporate partnerships.
Complex structuring is largely no longer required for fintech businesses in India. Most will fall under a category whereby foreign investment is permitted up to 100% of the shareholding, with no prior approval requirements.
2.4 How are they generally financed?
Fintech companies may raise funds through equity or debt financing rounds. Equity financing rounds involve the issuance of stock to equity investors, which will then own a share in the business. Debt financing is usually through term loan or working capital facilities arranged through banks and non-banking financial companies.
Foreign direct investment (FDI) of up to 100% is automatically permitted in most fintech businesses and is a common financing option. Since 2016, fintech companies have consistently attracted the maximum FDI financing. Fintech start-ups can also avail of external commercial borrowing facilities from foreign lenders.
Financing through the public issuance of shares and other innovative models such as crowdfunding has not taken off significantly thus far, but may in future once the sector matures.
2.5 How are they positioned within the broader financial services landscape?
Fintech players frequently position themselves as technology enablers and service providers. While some venture into the regulated core financial services space, most fintech players operate at the periphery, offering value-added services to traditional financial players. As the ecosystem matures, it is expected that more fintech players will offer core financial services. Neo-banking, micro-lending and risk assessment are increasingly finding traction among fintech players.
Given the general positioning of fintech businesses, the regulatory regime which applies to them is generally much lighter than that applicable to traditional financial service players. Even where a fintech business is regulated (eg, clearing and settlement of payments), the applicable rules and requirements may not be as stringent as those applicable to traditional financial services players such as banks and non-banking financial companies (NBFCs).
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Yes, it is typical for both start-ups and established fintech providers to outsource their back-office functions.
Where the outsourcing fintech entity is not a bank or NBFC, Indian law imposes no mandatory obligations on the outsourcing partner. However, the RBI prohibits banks and NBFCs from outsourcing regulated functions as part of their licence conditions, meaning that only non-core functions may be outsourced. These requirements flow from guidelines and directions issued by the RBI on managing risks and codes of conduct in the outsourcing of financial services. Therefore, any fintech company which is a bank or NBFC will be similarly restricted.
The outsourcing of IT service functions by banks is regulated by the RBI's Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Fraud. The guidelines impose conditions on safeguards against the commingling of information, records and assets. They also contain guidance on the content of IT outsourcing contracts and prescribe certain minimum requirements.
The RBI's Master Direction on Issuance and Operation of PPIs imposes certain conditions on PPI providers that outsource operations. These include requirements on the RBI's audit and access rights, compliance with data localisation requirements and the obligation to disclose security breaches.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
E-commerce is primarily regulated by data privacy, intermediary liability and foreign investment regulations. Details of the data privacy regulations are set out in question 5.1.
E-commerce marketplaces are categorised as intermediaries under the IT Act. The IT Act provides a conditional safe harbour or exemption (intermediary exemption) for entities that operate websites, applications or computer systems that host or provide access to user-generated content. The justification here is that such intermediaries have minimal control over content transmitted by third parties. Search engines, online payment sites, online marketplaces and social media platforms usually claim the intermediary exemption.
In a recent development, however, the Delhi High Court distinguished between passive and active intermediaries. The High Court issued interim orders in favour of direct selling companies Amway, Modicare and Oriflame, restraining several e-commerce platforms – including Amazon and Flipkart – from allowing sales of products under the brand names of the direct selling companies unless the respective seller or merchant produced written consent letters authorising such online sales. The court observed that the e-commerce platforms were providing value-added services to sellers and merchants.
While foreign direct investment (FDI) in business-to-business e-commerce is generally permitted, FDI in business-to-consumer (B2C) e-commerce is heavily regulated by Indian foreign exchange laws. Further, FDI in e-commerce marketplaces is subject to various conditions. These include restrictions on ownership of inventory, restrictions on activities that the marketplace entity can undertake in terms of value-added services, and restrictions on concentration of sales in a single vendor or group. FDI in an inventory-based model of B2C e-commerce is not generally permitted.
(b) Mobile (m-commerce)
M-commerce platforms are subject to the same regulations as e-commerce platforms.
(c) Big data (mining)
Big data is not specifically regulated in India. However, general data protection laws (as described in question 5.1) will apply to any data mining activities. Additional requirements may apply, depending on the nature of the data mined. For example, if the data mined contains credit information, restrictions will apply to how that data can be used. Similarly, if the data includes data relating to payment transactions in India, that data may need to be localised in India. Additionally, if data mining forms part of outsourced IT activities, obligations imposed by the Reserve Bank of India (RBI) on outsourced activities (as described in question 2.6) will apply.
The Indian government has proposed an overhaul of the data protection regime. In July 2018 a committee of experts established by the government released a first draft of the Personal Data Protection Bill 2018. Among other things, the bill (as presently drafted) provides for the imposition of additional obligations on entities which are categorised as significant data fiduciaries. The relevant authority will categorise a data fiduciary as a ‘significant data fiduciary’ based on factors including the following:
- the volume of personal data processed;
- the sensitivity of the personal data processed;
- the turnover of the data fiduciary;
- the risk of harm resulting from any processing; and
- the use of new technologies.
Significant data fiduciaries must be registered with the relevant authority and must implement trust scores, data audits and data protection impact assessments. The Bill is expected to be tabled for legislation in the winter session of the Parliament in 2019, or the subsequent session.
(d) Cloud computing
No specific regulations govern cloud computing in India. However, existing data protection laws (as described in question 5.1) will apply to cloud computing in connection with data collected and handled by cloud service providers. Additionally, a cloud service provider may be considered to be an intermediary under the Information Technology (Intermediaries Guidelines) Rules 2011. These rules impose certain obligations on intermediaries, including a prohibition on hosting certain categories of information, the deletion of information upon receiving notification and a requirement to have a physical presence in India.
In certain circumstances, cloud service providers may be treated as vendors for outsourced financial or back-office services. In such situations the outsourcing requirements (discussed in question 2.6) may be triggered.
The government is considering introducing rules and regulations on cloud computing and related services.
(e) Artificial intelligence
There are no regulatory guidelines for the adoption of artificial intelligence (AI). However, the core function of AI involves handling huge amounts of data. To this extent, the applicable data protection regulations (described in question 5.1) will apply.
Earlier in 2019 the finance minister announced a government proposal to set up a National Centre for Artificial Intelligence and a national AI portal. There are also indications that a legal framework for AI will be established.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Indian laws do not regulate the use of distributed ledger technology (DLT). However, DLT and blockchain technology are seen as important tools for the development of banking processes and are thus expected to attract the government's attention in the coming year. The RBI is implementing several initiatives to introduce regulations that can be adopted by banks and financial institutions to implement blockchain technology.
In September 2017 the Institute for Development and Research in Banking Technology (IDRBT) – the RBI's research arm on banking technology – released a white paper entitled "Applications of Blockchain to the Banking and Financial Sectors in India". The recommendations in the white paper include:
- providing secure distributed databases of client information across banks; and
- automating the underwriting process by storing financial data on blockchain.
The IDRBT also conducted a proof of concept on the use of blockchain technology in a trade finance application, which involved the participation of banks, solutions providers and the National Payments Corporation of India (a retail payment organisation). The IDRBT has since released a blueprint for blockchain platforms in India.
Despite these initiatives, the government's approach to the use of cryptocurrencies has been negative. The RBI has asked its own regulated entities (eg, banks) to stop providing services that facilitate trade in cryptocurrencies. Prohibited services include maintaining accounts; registering, trading, settling or clearing cryptocurrencies; issuing loans against virtual tokens; accepting virtual tokens as collateral; opening accounts of exchanges that deal in cryptocurrencies; and transferring or receiving funds in accounts relating to the purchase or sale of cryptocurrencies. Cryptocurrencies are not legal tender in India. While cryptocurrency exchanges are not prohibited from operating, the RBI Crypto Circular restricts the use of banking channels and credit cards in connection with the purchase and sale of cryptocurrencies, which has made it very difficult for such cryptocurrency exchanges to operate.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Online lending in India is increasingly conducted on peer-to-peer (P2P) platforms. The Reserve Bank of India (RBI) regulates P2P lending under its Master Direction – Non-Banking Financial Company – Peer to Peer Lending Platforms (Reserve Bank). P2P platforms must be registered with the RBI as non-banking financial institutions (NBFC-P2Ps). An NBFC-P2P may connect borrowers with lenders and facilitate the granting of loans by providing services such as due diligence, credit assessment and risk profiling. NBFC-P2Ps must have a board-approved policy setting out, among other things, the eligibility criteria for participants. An NBFC-P2P is not permitted to lend on P2P platforms.
Other applicable conditions include the following:
- Only unsecured loans can be granted.
- While multiple loans may be given or taken, there are limits on the aggregate amount of loans that one lender may provide or one borrower may borrow.
- Certain maximum maturity periods are prescribed for the loans.
Crowdfunding platforms that facilitate P2P lending are regulated in the same manner as P2P platforms. Structures based on donations or rewards are generally permitted without any specific licensing or registration requirements. However, the regulatory status of equity-based crowdfunding platforms is not fully resolved. In 2014 the Securities and Exchange Board of India (SEBI) released a consultation paper seeking to establish an enabling framework for equity-based crowdfunding platforms. The proposal included conditions such as eligibility of participants/investors, the maximum capital that may be raised and other integrity and solvency requirements. However, this legal framework is yet to be formulated. The consequence is that today, equity-based crowdfunding may be considered prohibited under the existing SEBI rules and regulations.
(b) Online lending and other forms of alternative finance
Apart from NBFC-P2Ps, Indian banks and NBFCs also use their own online platforms to carry out lending activities. They may also use the services of independent service providers to facilitate the lending process by outsourcing activities such as the following, in accordance with the applicable regulations prescribed by the RBI in relation to the outsourcing of activities by banks and NBFCs:
- verification of the identity of borrowers;
- collection and preliminary processing of loan applications; and
- recovery of principal and/or interest.
India is also witnessing innovation in relation to the platforms through which payments are made. For example, there are proposals for blockchain-based information networks between financing entities to accelerate the processing of financing transactions.
The online lending activities of banks and NBFCs are generally regulated by the same rules and regulations imposed on these entities – that is, their respective credit policies and applicable regulations prescribed by the RBI, such as:
- in relation to banks, the Master Circular on Loans and Advances – Statutory and Other Restrictions issued by the RBI; and
- in relation to NBFCs:
  - the Master Direction – Non-Banking Financial Company – Systemically Important Non-Deposit Taking Company and Deposit taking Company (Reserve Bank) Direction, 2016; and
  - the Master Direction – Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb))
Payment services are primarily regulated under the Payment and Settlement Systems Act, 2007 (PSSA) (see questions 1.1 and 1.2). Marketplaces that route payments from customers to suppliers, such as Uber and Airbnb, may also be subject to the requirements under the PSSA and associated rules and regulations of the RBI. Additionally, the location of the customer and the supplier on such marketplaces may affect which requirements apply to payments made through such portals. If the customer and supplier are both Indian residents, an online card-not-present (CNP) payment for goods/services will ordinarily need to be authenticated using a two-factor authentication mechanism based on information not visible on the relevant cards. Further, such transactions must be effected through a bank in India and should be settled only in Indian currency. This mandate arises from the RBI's notification of 22 August 2014 on Security Issues and Risk Mitigation Measures Relating to CNP Transactions. This necessitated a change in operational structure for marketplaces based outside India which connect customers and suppliers from India. Such marketplaces have now adopted structures through which CNP transactions involving domestic customers and suppliers are completed within India, and are not routed through the foreign marketplaces themselves.
Where a payment service involves a ‘cross-border money transfer’ element, it will be subject to certain restrictions and conditions under applicable laws.
(d) Forex
Forex transactions are primarily governed by the Foreign Exchange Management Act, 1999 (FEMA). FEMA provides that only an entity which is authorised under the legislation (‘authorised person’) may deal in foreign exchange. An entity may operate as an authorised person only if it has obtained authorisation from the RBI under Section 10 of FEMA. There are essentially three types of authorised persons:
- Authorised Dealer Category I (typically, commercial banks);
- Authorised Dealer Category II (typically, upgraded full-fledged money changers, cooperative banks and regional rural banks); and
- full-fledged money changers.
Forex transactions are strictly regulated and multiple sets of rules and regulations instruct participants as to how they must be dealt with. In many instances, a forex transaction may require prior approval from the RBI.
For example, in terms of pre-paid forex cards, the Master Direction – Money Changing Activities, issued by the RBI on 1 January 2016, specifically permits entities with an Authorised Dealer Category I/II licence to issue forex pre-paid cards to residents for personal or business travel abroad. No other entities are permitted to issue these instruments.
(e) Trading
Two types of trading platforms are permissible in India: recognised stock exchanges and electronic trading platforms.
Recognised stock exchanges are stock exchanges which are recognised by the central government and are governed by the Securities Contracts (Regulation) Act, 1956. The Securities Contracts Act prescribes requirements which a company must comply with before its shares can be listed on any recognised stock exchange in India. SEBI acts as the principal regulator of stock exchanges in India. Its primary functions include protecting investors' interests and promoting and regulating the Indian securities markets. Fintech companies which perform financial intermediary functions may fall under SEBI's regulatory scope. The Bombay Stock Exchange and the National Stock Exchange are the leading stock exchanges in India.
The RBI's Electronic Trading Platform (Reserve Bank) Directions, 2018 regulate entities that operate electronic trading platforms (ETPs) – that is, any electronic system, other than a recognised stock exchange, on which transactions in eligible instruments (ie, securities, money market instruments, foreign exchange instruments, derivatives or other instruments of a similar nature, as may be notified by the RBI from time to time) are contracted. ETPs must be authorised by the RBI. However, ETPs operated by banks for their customers (acting as users) on a bilateral basis are exempt from registration with the RBI.
(f) Investment and asset management
Asset classes in India include equity, debt, commodities, real estate and cash. All asset classes (other than real estate) are ultimately regulated and monitored by the Ministry of Finance, SEBI and the RBI. Real estate comprising real property as an asset class is regulated by real estate regulatory authorities established in each state under the Real Estate (Regulation and Development) Act, 2016. However, real estate investment trusts, where money is pooled and invested in commercial properties to generate income, are regulated by SEBI in a similar way to mutual funds.
The rules and regulations applicable to asset classes extend to member registration, securities listing, transaction monitoring and investor protection, among other things.
In 2015 the regulatory body for commodities trading – the Forward Market Commission – merged with SEBI. Commodity trading on these exchanges requires standard agreements as per the instructions, so that trades can be executed without visual inspection.
Foreign exchange trading is generally restricted to the inter-bank segment, with participant banks holding authorised dealer (AD) licences granted by the RBI under FEMA. Retail customers buy and sell foreign exchange through AD banks. The RBI has proposed a framework for a foreign exchange platform (along the lines of the ‘FX-Clear’ interbank US dollar/Indian rupee spot trading platform of the Clearing Corporation of India Limited) for retail participants, to encourage transparent and fair pricing in the retail forex market. However, this framework has not yet come into effect.
(g) Risk management
Indian laws generally seek to regulate risk management activities such as underwriting. In the fintech context, the P2P Master Direction requires NBFC-P2Ps to conduct due diligence and undertake credit assessment and risk profiling of prospective borrowers on a P2P platform. The results must be disclosed to lenders on the P2P platform, effectively managing the lenders' risk. The NBFC-P2P is not permitted to arrange any credit enhancement or provide any form of credit guarantee.
The P2P Master Direction does not restrict lenders from using their own underwriting processes; nor does it specify the underwriting activities which may be undertaken by such lenders. However, as the RBI governs the regulatory framework for P2P platforms in India, it is quite possible that the RBI may issue guidelines on underwriting by P2P lenders.
(h) Roboadvice
Roboadvisers are not specifically regulated in India, apart from general data protection rules. However, traditional financial services players have implemented various roboadvice solutions, which include:
- offering simple financial planning models on an intermediary's website;
- generating lists of investment funds, securities and portfolios categorised on the basis of risk;
- helping customers to evaluate the probability of achieving their investment goals; and
- generating recommendations for customers to meet their investment goals.
In India, insurtech companies are registered with the Insurance Regulatory and Development Authority of India (IRDAI) as either an insurance company or an insurance web aggregator company. Underwriting processes are generally governed by an insurance company's underwriting policy. However, insurtech companies must draft underwriting policies in accordance with the guidelines set out by the IRDAI. Further, an insurtech company must file its underwriting policy with the IRDAI once it has been approved by the insurtech company's board.
As per the IRDAI guidelines, insurtech companies (registered as insurance companies) must ensure that certain details are included in their underwriting policies. Further, every insurtech company must establish a technical audit department to ensure that its underwriting complies with the guidelines. An audit must be conducted every six months and the report prepared by the technical audit department must be presented to the board of directors.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
The Indian data privacy regime is set out in the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). As per the Privacy Rules, an entity that collects or processes sensitive personal data (including bank account information and payment instrument details) pertaining to an individual must:
- provide mandatory notice/disclosure to the data subject before collecting the information;
- appoint and provide details of a grievance officer;
- allow data subjects to access and update their information;
- ensure that data collected is not retained for longer than necessary under applicable law;
- obtain the prior consent of the data subject when collecting sensitive personal information;
- implement reasonable security measures and standards to protect this information; and
- ensure compliance with requirements for the transfer and of sensitive personal information.
The compliance requirements under the IT Act and Privacy Rules apply uniformly to both new fintech entrants and legacy players.
The Indian data protection regime is set for a revamp, as the government has proposed passing new legislation this year. The original bill was prepared by a committee of experts and submitted to the government in July 2018. Once passed, the new legislation will go some way towards aligning India's data protection laws with the EU General Data Protection Regulation. The Bill is expected to be tabled for legislation in the winter session of the Parliament in 2019, or the subsequent session.
Some fintech companies engage in the business of account aggregation – that is, they facilitate the sharing of structured financial data between financial information providers and users. Given that this involves sensitive financial data, the Reserve Bank of India (RBI) has established a specific consent framework, including other registration requirements, for entities engaged in this business.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
The RBI has issued various regulations and directions to entities regarding the cybersecurity measures to be implemented by banks, non-banking financial institutions and other payment service providers. In July 2016 the RBI issued a notification on Cybersecurity Frameworks in Banks, which requires banks, among other things, to:
- establish cybersecurity policies;
- undertake vulnerability tests;
- monitor cyber risks in real time; and
- establish a cyber crisis management plan.
The Master Direction on Issuance and Operation of Prepaid Payment Instruments imposes similar – although slightly less onerous – compliance requirements on mobile wallet providers. Among other things, an entity operating a mobile wallet must:
- conduct an annual cyber security audit;
- constitute a Security Operations Centre (SOC) for managing security incidents;
- implement disaster recovery measures to recover rapidly from cyber-attacks/other incidents and safely resume critical operations; and
- report cyber security incidents immediately to the RBI.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
The Prevention of Money Laundering Act, 2002 (PMLA) prohibits money laundering in India. The PMLA and the rules framed thereunder oblige banks, financial institutions and intermediaries (collectively, ‘reporting entities’) to verify the identity of customers, maintain records pertaining to transactions and report suspicious transactions to the government. Fintech companies may fall within the definition of a ‘reporting entity’, depending on the nature of their business.
Reporting entities must report certain transactions to the Financial Intelligence Unit – India. These include the following:
- Cash transaction reports: All cash transactions (or a series of integrally connected transactions) undertaken on the payment system with a value of more than INR 1 million.
- Suspicious transaction reports: All transactions without economic rationale or good faith; transactions that give rise to suspicions that they may involve the proceeds of an offence or the financing of terrorism; and otherwise unusually complex transactions.
- Cross-border wire transfer reports: All cross-border wire transfers of more than INR 5 million where either the origin or the destination of the funds is in India.
The Companies Act, 2013 contains provisions prohibiting fraudulent and other criminal activities. Further, if a financial crime involves corruption, the provisions and penalties under the Prevention of Corruption Act, 1988 may also apply to the offender.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
At present, the fintech sector presents no challenges or concerns from a competition perspective, other than those faced in any sector. However, the government recently expressed concerns that digital payment transactions undertaken through the Unified Payments Interface (UPI) are concentrated among a few non-banking players, and that this may create systemic risk in the digital payment ecosystem. Consequently, there is a proposal that each company's market share be limited to no more than 30% of all UPI transactions. A decision is yet to be taken in this regard.
8.1 How is innovation in the fintech space protected in your jurisdiction?
Copyright is the primary instrument through which innovation in software products is protected in India.
Copyright is governed by the Copyright Act, 1957. Copyright protection is available for original works of authorship expressed in tangible form. Registration is not essential for a copyright to be valid and the rights arise once the original work is captured on a tangible medium. That said, to assert one's right over a work, it is advisable to ensure that this is recorded, along with the date, in a manner that may be admissible in court.
In India, patent protection is not available for software per se, so entities rely on copyright protection to protect software and other computer programs. However, software may be patented if it is part of an invention – such as software combined with hardware that is both inventive and capable of industrial use. The Patent Act, 1970 stipulates that computer programs are not patentable per se. Hence, the software must be integrated in some other patentable product. A patent application pertaining to software only will be rejected.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
In August 2019 the Reserve Bank of India released a framework for a regulatory sandbox for fintech innovation. The framework covers a specific set of products, including:
- money transfer services;
- marketplace lending;
- digital know-your-customer (KYC) services;
- financial advisory services;
- financial inclusion products;
- applications under blockchain technology;
- mobile technology applications; and
- cybersecurity products.
It specifically excludes certain products from its ambit, such as:
- credit registration;
- credit information;
- cryptocurrency services; and
- initial coin offerings.
Applicants benefit from relaxed regulatory requirements in relation to customer privacy and data protection, secure storage and access to payment data, KYC/anti-money laundering requirements and statutory restrictions, among other things.
The Securities and Exchange Board of India (SEBI) released a framework for an innovation sandbox on 20 May 2019. The innovation sandbox is a testing environment in which fintech players and other entities not regulated by SEBI can utilise the data made available by stock exchanges, depositories and similar entities for offline testing of their products in isolation from the market. Participants will be given access to historical and anonymised market data such as order logs, trade logs and KYC data to test solutions in the innovation sandbox.
Start-ups in India enjoy certain regulatory and tax incentives under the government's Start-Up India initiative. Fintech companies that qualify as start-ups, as recognised by the government, are also entitled to these benefits.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
Employment law in India is well developed and numerous aspects of the employment relationship are protected. Generally, more important forms of protection (eg, regarding social insurance payments and discrimination) are set out in federal law. Laws at state level primarily concern more detailed local conditions and issues (eg, opening and closing hours of establishments and leave entitlements). Generally, given the socialist ethos that has prevailed since Indian independence (1947), laws are interpreted in a manner that is more favourable to employees.
The employment laws also reflect certain objectives prescribed in the Indian Constitution. These include laws relating to working conditions, industrial relations, wages and remuneration, social security benefits, equality and prohibitive laws.
The main employment laws include:
- the Industrial Disputes Act, 1947 (an independence-era law which has generated a vast body of jurisprudence);
- the Industrial Employment (Standing Orders) Act, 1946;
- the Contract Labour (Regulation & Abolition) Act, 1970;
- the Maternity Benefit Act, 1961;
- the Equal Remuneration Act, 1976;
- the Employees' Provident Fund and Miscellaneous Provisions Act, 1952;
- the Payment of Gratuity Act, 1972; and
- the Trade Unions Act, 1926.
There are no specific implications for fintech companies under these employment laws.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
There are no legal restrictions on the hiring of foreign nationals, other than compliance with the applicable visa and work permit requirements. Employment visas may be granted to foreigners who are highly skilled or qualified professionals. A foreign national who is sponsored for an employment visa in any sector must draw a gross salary in excess of INR 1.625 million per annum, including allowances paid in cash and perquisites, which should be quantified and indicated in the employment contract. If the foreign national is entering the country on an employment visa for a period of less than one year, the minimum salary requirement will be determined on a pro-rata basis.
Independent contractual arrangements may also be pursued, provided that they are well documented and carefully reviewed from a tax perspective.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The Indian fintech sector has grown exponentially in the last few years and is attracting significant foreign investment into India. The largest global technology players have now established themselves or are setting up in the fintech space. Anticipated developments include the following:
- Growth of the Unified Payments Interface (UPI): The UPI platform has grown exponentially over the last year. In terms of scale, it is among the largest digital payment experiments in the world and thus far it has proved quite successful. It is expected that the UPI experience will eventually be exported to other countries.
- Alternative lending: There has been significant growth in the alternative lending space. Powered by artificial intelligence and data analytics tools, alternative lending companies have acquired a sizeable chunk of the retail and small and medium-sized enterprise loan market, and have targeted borrowers who are data rich, but collateral poor. We expect this growth to continue.
- Alternate fintech: Other allied verticals of fintech – such as healthtech, proptech and agritech – are expected to grow rapidly.
- Neo-banks: A number of neo-banks have emerged in India this year. These are expected to grow rapidly both in number and in activity.
- Regulatory sandbox: The first cohorts in the sandboxes established by the Reserve Bank of India (RBI) and the Securities and Exchange Board of India are expected to commence soon. This should hopefully open up new opportunities for cooperation between businesses and regulators.
- Payment gateway regulations: The RBI is expected to announce regulations to govern payment intermediaries and gateways. These businesses have previously remained outside the RBI's regulatory ambit.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
The Indian financial services ecosystem is quite different from its counterpart in more mature financial markets. The need for financial inclusion has spurred the growth of financial service providers and allied services. As a consequence, while penetration of financial services is still quite low, adoption rates are much higher and the available opportunities are quite attractive. The fact that Indian data access costs are among the lowest in the world helps in this regard. Fintech companies that wish to enter the Indian market must adapt their business and products to suit this ecosystem.
The fact that there are multiple regulators and nascent legislation may make it more difficult for foreign players to navigate the Indian fintech landscape. They must also be aware that Indian fintech has reached a pivotal moment, with a host of new regulations expected. It should not be assumed that today's regulatory landscape will remain the same a year from now.