“My faith is brightest in the midst of impenetrable darkness”
-Mahatma Gandhi (1968)
We wish you were reading this in happier times.
We hope you and your loved ones are healthy and safe. Hang in there. We will get through this.
Welcome to the 6th edition of FinTales. If you missed our previous editions, you could read them here. Write to us if you (or someone you know) wants to subscribe.
Last month saw many fintech developments. The RBI Governor introduced a relief package for sectors hit by the pandemic. Specifically, fintech firms stand to gain with relaxation in Video KYC norms. In stark contrast, two card operators faced penalty for flouting RBI’s data storage rules. While some welcome developments kept the crypto industry’s mood high, payment service providers are on tenterhooks as RBI mulls over new cyber security rules. And finally, a new RBI body is working to make regulations simpler!
Let’s get started.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
RBI relaxes KYC norms
Digitisation of financial service has helped during the pandemic. Digital payments made it easy to avoid physical exchange of cash. While loan apps bridged the liquidity crunch many individuals were facing. Increasingly, convenience and scalability are outweighing the security concerns around digitisation, at least during the pandemic. Which led to RBI relaxing Know-Your-Customer (KYC) norms last month.
KYC is a way to verify the identity of customers. It is to check whether you are the same person you claim to be. Without this check, a fraudster could impersonate you. So, every account needs to be KYC-compliant before a customer can operate it. Traditionally, this used to happen in person. An agent would meet you – match your ID with your face – and approve the KYC. This is of course a cumbersome, expensive and insecure way of doing KYC. A bank will not, for instance, spend INR 150-300 to conduct physical KYC to offer you an INR 2000 loan.
Which is why KYC processes are becoming more sophisticated. Lowering the cost and friction of KYC is in the interest of service providers and crucial to promote financial products.
Video KYC and Aadhaar OTP-based e-KYC can both be conducted remotely. Which significantly reduces the cost and friction of conducting KYC. No branch visit or in-person verification needed. But these KYC methods could not be used for all financial products. Which RBI has now relaxed.
Scope of video-KYC extended
What was: Video KYC could only be used to on-board individual customers.
What changed: Video KYC can be used to on-board proprietorship firms and authorised signatories and beneficial owners of legal entities.
Extending the use of Video KYC to legal entities and proprietorship firms will boost the usage of Video KYC. Specially, younger companies and MSMEs will have quicker access to credit. And save on the cost of personnel and hardware for in-person verification.
Aadhaar OTP-based e-KYC accounts can be upgraded using Video KYC
What was: Aadhaar OTP-based e-KYC can be conducted remotely. No in-person verification was required. It significantly lowered customer acquisition and on-boarding cost (comparable to KYC needing in-person verification). But this form of KYC is not considered as full-KYC. And has limited use cases: (a) maximum deposit of INR 1 lakh; (b) maximum credit of INR 2 lakh in a year; and (c) availability of only term loans. These accounts need to be upgraded to ‘full KYC’ within one year. Full KYC required in-person verification (in most cases). For example, Aadhaar bio-metric KYC (finger-print or retina scan) is considered as full KYC – but it requires an in-person visit and expensive hardware.
What changed: Entities can use Video KYC to convert accounts opened by conducting Aadhaar OTP-based e-KYC into full KYC accounts.
Users will no longer need to visit their bank to access complete banking services. Banks will also benefit from not having to put any personnel or devote time in compiling KYC details. All of this can now be automated. The deadline to convert Aadhaar OTP-based e-KYC accounts into full KYC accounts has also been extended to 31 December 2021.
KYC identifier used for Video KYC
The Central KYC Registry (CKYCR) is a central repository of KYC data. Through CKYCR, if you have a KYC-ed account with one regulated entity (like a bank or e-wallet), you can port all your KYC details to open an account with another regulated entity. It saves you from re-doing the process every time. And enables you to open your second account remotely – through the CKYCR facility.
What was: KYC identifier could not be used during Video KYC
What changed: KYC identifier can be used to validate identity during Video KYC.
By allowing the KYC identifier for Video KYC verification will simplify customer on-boarding. The KYC identifier is a 16-digit KYC Identification Number (KIN). KIN is generated once CKYC is complete. The customer’s identify information is already stored in CKYCR and can be retrieved instantly using her KIN. This reduces the number of steps and friction in Video KYC.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
RBI regulations will get simpler!
New financial products and services are entering the market (almost) every day. Each offering presents a unique regulatory concern – which RBI tries to balance through newer rules, guidelines, and reporting requirements. As a fintech entrepreneur, you need to navigate a maze of RBI regulations and guidelines (which often come thick and fast) before you can go-live with your product. Keeping up with these regulations can sometimes be overwhelming. RBI issued 211 circulars and 234 notifications in 2020 alone!
But things are about to change.
Last week, the RBI set up the Regulatory Review Authority (RRA) to simplify its regulations. The RRA will suggest ways to streamline reporting, revoke redundant instructions, and promote online submissions. This is a welcome move. Simplified and narrow regulations will help regulated entities and their tech partners navigate their regulatory universe. Clearer demarcation of regulations will also make RBI’s supervision of regulated entities more effective.
We believe the current RRA will have a transcending impact. Much like the first RRA did in 1999 after which RBI started putting public information on its website. The current RRA is welcoming public feedback. You can write to them at feedbackrra@rbi.org.in.The last date is 15 June 2021.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
American Express and Diners Club penalized for flouting data storage norms
In 2018, RBI directed all payment system providers (like banks) to store payments data locally within India. This included customer details, account details, payment credentials, and transaction details. RBI gave entities 6-months to comply. And asked them to undergo an audit conducted by CERT-IN (India’s nodal agency for cyber security). With the deadline long gone, RBI is on the lookout for non-compliance.
Last month, it penalized American Express and Diners Club for not storing payments data locally and banned them from on-boarding new customers starting 1 May 2021.
Foreign companies have been grappling with the data localisation requirements ever since RBI first issued them. While major players like Visa, Mastercard, and WhatsApp are complying with the norms, they have raised concerns over infrastructure cost, ineffectual fraud detection, and negative investments in the past. But from RBI’s perspective data localisation equals greater data security. India has witnessed several data breaches recently exposing sensitive financial information of millions of Indians. RBI believes relaxing data localisation norms may hinder its ability to probe breaches, fix accountability, and retrieve data in time. Although this may come at the cost of losing service providers who lack the resources to store data locally.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
India’s crypto industry sees positive trends, but regulatory uncertainty looms again
Crypto news is trending in India. Be it Dogecoin’s recent boom, CoinSwitch’s growth after a series of IPL ads, or the increasing interest of Indians over 45 years towards cryptocurrency investments. SpaceX even announced a mission to the moon funded by Dogecoin
While India awaits a new law to regulate the cryptocurrency industry, the RBI seems to be taking a contrary position to the Union Finance Minister’s previous remarks dismissing a ban on cryptocurrency in India.
RBI informally instructs banks to deny cryptocurrency transactions
The RBI has reportedly instructed banks to stop processing cryptocurrency transactions. Consequently, payment gateways have blocked cryptocurrency exchanges. This ‘informal direction’ from RBI has come despite the Supreme Court’s March 2020 judgement striking down RBI’s 2018 circular that prohibited banks from servicing cryptocurrency transactions. The National Payments Corporation of India (NPCI) reportedly refused to restrict direct UPI transactions between investors and crypto exchanges, citing the Supreme Court’s judgement. Instead, NPCI has asked banks to block these transactions on their own systems, and advised them to consult their legal teams before taking action.
IndiaTech proposes to classify cryptocurrencies as assets
IndiaTech.org, an industry association, recently released a whitepaper on cryptocurrency. It proposed that cryptocurrencies should be classified as ‘assets’ like gold. It also proposed a system to register Indian crypto exchanges with the intent of saving billions in revenue paid to foreign crypto exchanges. Issues around compliance, reporting, taxation, import, and self-regulation were also covered in the whitepaper.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Coming soon: cybersecurity rules for payment system providers
Recent data breaches and cybersecurity issues has made RBI cautious. In 2019, it asked several banks to probe data leak of over 1.3 million cards. This was followed by the operationalisation of the payment infrastructure development fund (aimed to build security) in January this year. And in February, RBI issued detailed guidelines for banks and NBFCs on digital payments security control (read more here).
Now, RBI is looking to ramp up security rules for payment system providers (PSPs). RBI recognises that as digitisation increases, security features of PSPs need to mature too. It is unclear whether these rules will be limited to authorised PSPs or extend (directly or indirectly) to their tech service providers as well. But either way, implementing these norms may be challenging for both PSPs and the RBI.
PSPs will need to spend on infrastructure, technology, and personnel to enhance security standards. Which may be counter-productive given the market competition. At the same time, RBI may need to identify and curate specific standards as per the PSP’s product or service. Different products have unique challenges and a one-size-fits-all standard may not work. Hence, RBI may need to actively work with industry players, identify their unique challenges, and accordingly give them appropriate security standards to comply.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Tell us what you think about the developments we covered. Or if you’d like us to cover any other development in our next edition.
Write to us at contact@ikigailaw.com.
See you in June!
Yours,
Ikigai Fintech Team
