FinTales Issue 34: The BoB Fraud, FATF Review & PA licenses

“Fraud really thrives in moments of great social change and transition.”

Maria Konnikova

In the 1970s, Donald R. Cressy, a criminologist, published a theory – ‘Fraud Triangle’ – to explain the causes of occupational fraud. The theory’s hypothesis was that frauds happen when these conditions converge: pressure, opportunity, and rationalization. The ‘pressure’ (or motivation) to commit frauds is typically greed or need. Situations like lack of management controls create ‘opportunity’. Lastly, the fraudsters must have reasons to ‘rationalize’ the act – so that their own act appears intelligible to them. For instance, by thinking that it’s necessary for the business or they’re just following orders of top brasses. Auditors rely on the theory to evaluate risks of frauds in organizations.

The recent exposé of the Bank of Baroda (BoB) App fraud validates the Fraud Triangle theory. BoB is the second largest public sector bank. It launched its mobile app - ‘bob World’ – in September 2021. Shortly after the launch, a few BoB managers started coercing their employees to onboard more customers on the app. The employees were chided, threatened, and humiliated if they failed. Out of desperation, a few employees devised a workaround. They realised that only bank account details and a phone number linked to it are needed for onboarding. So, they identified BoB accounts without phone numbers and linked them to any phone numbers they could get their hands on – numbers of bank staff, business correspondents and other customers. Linked to phone numbers of strangers, the accounts were susceptible to misuse. Eventually, the risk was realised. Many customers had funds withdrawn from their accounts fraudulently. Despite being a flagrant violation of RBI regulations and bank policies, the act went unchecked. In fact, in a few cases, some BoB managers were also hand-in-gloves with the employees fronting this. Gradually, it became a widespread (and sort of acceptable) practice within BoB. It continued until Al Jazeera – a news outlet – blew the lid off it. After that, the RBI stepped-in to suspend any further customer onboarding on the BOB app.

In this saga, the managers not just failed to detect the ‘fraud triangle’ but, in some cases, contributed to it too. What pushed them towards it? Was it the need to keep up with other tech-savvy banks? Was it the quest for relevance as fintech becomes mainstream? Or was it just plain disdain for rules for short term gains? Whatever it may be, the debacle has shaken the trust in India’s banking system. It will most likely trigger stricter scrutiny of other financial entities too.

Now onto our FinTales menu for the month.

Main Course: meaty stories about India’s ongoing FATF review and the regulator being hypercautious with payment aggregator licenses.     

Dessert: sweet news about borrower-friendly credit information reporting rules.

Mints: a refresher on recent fintech developments.

Main Course

India should evaluate its approach to FATF evaluations

The RBI amended its KYC directions this month. A key objective of the amendment is to align the KYC directions with the Financial Action Task Force (FATF) recommendations. The FATF is the global money laundering and terrorist financing (ML/TF) watchdog. It also recommends anti-money laundering (AML) measures. It has 39 full time member, and over 200 countries have committed to implement the FATF’s recommendations. The FATF evaluates the AML regime of its members at a regular cadence. India’s latest evaluation round is underway. As part of the evaluation, FATF assessors also visit the country being evaluated – India’s onsite review is scheduled in November 2023. In this backdrop, we discuss the importance of the FATF’s evaluations for India and its probable impact on India’s KYC regime. We also recommend the vantage point from which India should approach the evaluation.

KYC is often the first line of defence for AML risks. Financial entities conduct KYC – at account-opening stage and on an ongoing basis – to intercept any AML risks. This is why FATF recommendations also largely focus on KYC standards. The failure of a country to comply with the FATF recommendations (partially or fully) can attract sanctions (from member countries). The RBI, for instance, limits the extent to which its regulated entities can accept investments from the non-compliant countries. These countries also face increased scrutiny in cross-border transactions (from financial entities of other countries), which makes their global trade costlier. The International Monetary Fund’s research indicates that such countries are less likely to receive foreign investments and low-cost loans. Conversely, if a country fully complies with FATF standards, it is considered a favourable jurisdiction for business.

Given the FATF’s significance, India has, over years, solidified its position with the FATF. In 2006, India was an ‘observer state’ – it could participate in FATF meetings, but it didn’t have decision-making rights. In 2010, India completed its first FATF evaluation successfully. This helped India secure a FATF membership. The membership, however, does not absolve a country of FATF’s scrutiny. Each member country must undergo mutual evaluation – a recurring peer review (by FATF members) of the country’s AML regime. The evaluations assess the members on two key parameters: strength of the AML measures (on paper); and their implementation (if they’re delivering the right results).

India’s latest (and second) evaluation round has already started. The evaluation is a multi-step process. It starts with technical analysis of a country’s AML measures. Next, FATF’s assessors, during their visit to the country, assess the quality of implementation and enforcement (of the AML measures). Right after the visit, the assessors draft a mutual evaluation report which is discussed in one of the FATF meetings. For India, the FATF discussion is scheduled in June 2024. After that, FATF declares if a country is non-compliant, partially compliant, or fully compliant with each FATF recommendation. It also recommends measures that a member country must implement to strengthen its AML regime. The country under assessment can improve its FATF ratings once it implements the FATF recommendations. For instance, Japan’s mutual evaluation was completed in June 2021. It was re-rated on certain aspects in September 2022, after it implemented a few FATF recommendations.

As India’s review progresses, Indian financial entities must expect increased focus on bolstering India’s KYC regime. After the publication of the FATF’s assessment report, Indian government and its financial sector regulators (including the RBI) may revise the KYC norms to implement the report’s recommendations. If the report annotates lacunae in implementation of KYC norms, the enforcement may also become stricter.

India must, however, ensure that any KYC regime reform is done mindfully. It shouldn’t become a tick-in-the-box exercise with a sole focus to achieve glowing FATF rating. Since KYC is the pre-condition to access any financial service, any misstep can be a set-back for India’s financial inclusion goals. We base this concern on the fact that financial inclusion is not a core consideration for the FATF review. The World Bank research indicates that in the FATF review reports, countries are rarely criticized for overly restrictive KYC norms. To make things worse, the FATF adopts a cautious tone in recommending simplified KYC norms. The World Bank also observes that developing countries are less confident and overly cautious during FATF review. Mostly because they are unsure about their AML risk assessment and want to avoid a negative FATF rating at all costs. They, therefore, often introduce overly stringent KYC measures just to do well in the reviews. The risk-based approach to KYC takes a backseat. At the same time, however, they also need financial inclusion friendly policies – like risk-based KYC – more than the developed world. India’s position is no different.

As a solution to this, India should conduct an impact assessment before it acts on any FATF observations in the evaluation report. Especially because FATF’s global standards and approach may need to be tailored to address issues that are unique to India. India’s recent KYC frauds, for instance, may be attributed more to the lack of digital literacy in India than lacunae in KYC regulations. Therefore, making KYC norms stricter to address this issue may not be fruitful.

In the long term, India should build capacity to deepen understanding of its money laundering risks. It can, for example, make threat intelligence more sophisticated by promoting information sharing about AML risks between the regulators, industry players and law enforcement. The self-regulatory organisations (in the financial services industry) can act as a facilitator for this. This will help India frame more pointed and risk-based AML policies. It will also give it enough ground (and confidence) to prove before FATF and other world forums that its policies are commensurate to the risks.

Payment aggregator licenses in limbo

The fintech industry may have to wait a bit longer for its first payment aggregator (PA) authorization. Recently, the RBI has stepped-up its scrutiny of PA applicants – their business, past practices and  corporate structures are all under scanner. In light of this development, we discuss the nuances of PA licensing process. We also deliberate on what prompted the RBI to adopt an overcautious approach.

PAs were unregulated until March 2020. In 2019, the RBI floated a discussion paper for PA regulations and notified the PA guidelines a year later. The guidelines prescribe a two-step process for PA licensing. The first step is the in-principle authorization – an applicant must meet eligibility criteria like the net-worth requirement to apply for it. The second step is the final authorization. The PAs with in-principle approval have 6 months from the approval date to prepare for it. To apply for the final authorization, the PAs must submit a System Audit Report (SAR) and net-worth compliance certificate. They must also comply with any other condition that the RBI specifies. If the RBI is satisfied that the PA is compliant is all respects, it grants the final authorization. The PAs with an ongoing business in March 2020 could, after submitting the PA application, continue their operations. New PAs, however, must wait till they get the final authorization.

In July 2022, a few PAs received the RBI’s in-principle authorization, followed by a dozen more in February 2023. But, so far, none of the applicants have received the final approval. Even after 3.5 years of the PA guidelines being notified, the final PA licenses are in limbo. Here are a few stats:

152 PA applications submitted to the RBI till date.

61 PA applications refused/returned by the RBI.

26 applications under process.

5 PA applications withdrawn.

37 existing PA applicants received in-principle authorization.

23 new PA applicants received in-principle authorization.

‘0’ PA applicants have the final PA authorization.

Here are a few reasons that may have made the RBI hypervigilant and delayed the grant of final PA authorizations:

·        The ‘X’ factor of funds: A PA license stands out from other non-banking licenses. The PA guidelines, for instance, don’t limit the amounts of funds that a non-bank PA can handle. In contrast, however, a non-bank prepaid instrument (PPI) issuer can hold only upto Rs. 2 Lakh (at a time) for each PPI holder. So, perhaps, since a PA is entrusted with an unlimited pool of public money, the RBI is more cautious while granting PA licenses.

One might argue that NBFCs are also non-banks that manage substantial public funds. The RBI has, however, doled out over 9,000 NBFC licenses so far. If RBI was really concerned about non-banks handling limitless public funds, then it wouldn’t have granted so many NBFC licenses. It is also unlikely that the RBI is being conservative with PA licences solely because PAs are tech players. Many NBFCs were tech players before they applied for NBFC license.  

The RBI is, perhaps, more careful with granting PA licenses because PA’s core functions – facilitating and settling payments – are technology-driven. Because of this, PAs pose unique risks. Moreover, recently, the RBI has become frugal with fintechs’ NBFC applications too. This indicates that with technology driving most financial activities, the RBI’s approach may have shifted.

·        Lack of regulatory capacity: The RBI is flooded with PA applications right now. Majority of the payment ecosystem participants have applied for a PA license – even if they don’t need it. The applicants includes payment gateways, merchants, e-commerce websites, and even insurance intermediaries. They fear that if they don’t apply they will either breach PA guidelines (which define ‘payment aggregator’ quite broadly), or miss out on a potential business opportunity. The deluge of applications has compromised the RBI’s capacity to separate chaff from the grain. 

·        Source of funds: The RBI has placed certain restrictions on foreign investments made in payment system operators (like PAs) from FATF non-compliant jurisdictions. The RBI is scrutinizing the capital structure of applicants carefully so that those in breach of the restrictions don’t get the license.

·        Complex corporate structures: The RBI is evaluating the shareholding structure of PA applicants. It is also scrutinizing investors that hold more than 10% shareholding (of the applicants) to identify who really owns the applicants – a tricky exercise especially when identity of the owner is hidden under multiple layers of legal entities. The complexity poses the risks that the RBI may give out licenses to entities without a ‘fit and proper’ management. To recap, earlier this year, the RBI had asked PayU to stop onboarding new merchants and re-apply with an explanation of its complex corporate structure.

·        Controls to monitor access to customer’s sensitive data: PAs sit on a honey pot of critical and sensitive customer data. The RBI wants to ensure that PA applicants have built sufficient controls to curb unauthorized access to the data. This will help PAs avoid data breaches similar to that of Juspay, where unauthorized access to Juspay’s servers compromised the personal and financial data of millions of customers.

·        Evolving risks: As technology evolves, so do the associated risks. The RBI wants to stress-test if the KYC measures and infrastructure of applicants are adequate to counter such risks. The miscreants have, in the past, used PA services to launder money or orchestrate fraudulent transactions. Last year, ED investigated several PAs for their alleged involvement in money laundering transactions. More recently, hackers breached Safexpay’s (a PA) system, got hold of its escrow account details, and transferred around Rs. 25 crore to unknown bank accounts. Subsequent police investigations revealed that funds siphoned-off may have, in fact, been over Rs. 16,180 crores.

To conclude, PA licenses are sacred. The first entity to get a final PA license will be the north-star for the rest of the industry. The RBI, therefore, wants to dot all the i’s and cross all the t’s before taking the leap.

Dessert

RBI introduces borrower-friendly credit information reporting rules

Last month, the RBI has released two circulars to make credit information reporting mechanism fairer and transparent for borrowers. Both circulars will come into effect within 6 months from the notification date.

The first circular prescribes new responsibilities for both credit bureaus and lenders. For example, it requires credit bureaus to inform customers whenever a lender accesses their credit information. They must also update their databases within 7 days of receiving credit information about a customer from a lender. Lenders, on other hand, must appoint a nodal officer to help credit bureaus with grievance redressal. They must also inform customers when they submit loan default data of customers to credit bureaus. The second circular introduces a mechanism to compensate customers if the credit bureaus and lenders fail to resolve their grievances.

The RBI released the circulars after it witnessed an increase in customer complaints about discrepancies in credit information reporting and the functioning of credit bureaus. In June this year, the RBI also penalized credit bureaus - TransUnion CIBIL, Equifax, Experian and CRIF – with fines ranging between Rs. 24-26 lakhs. The inability of credit bureaus to maintain accurate and complete credit information of customers led to this. They failed to update information of borrowers even after receiving complaints from them.

Mints

All-in-one framework for outsourcing of financial services 

The RBI has released the draft master directions on outsourcing of financial services by RBI regulated entities (RE). The current outsourcing framework is fragmented – a patchwork of regulations govern outsourcing arrangements between REs and their service providers. The draft directions consolidate and harmonize the existing framework. The RBI is accepting comments on the draft directions till 28 November 2023.

New guidelines for PAs processing cross-border payments 

The RBI has notified new guidelines to regulate entities that process online cross-border payments. Until now, these entities were called online payment gateway service providers (OPGSP). Now, they will be regulated as ‘Payment Aggregators – Cross Border’ (PA-CB). They will need RBI’s license to operate. Existing OPGSPs must apply for the license by 30 April 2024. Interestingly, non-bank PA-CBs must also register with the Financial Intelligence Unit-India before applying to the RBI.   

 RBI proposes a framework for self-regulation

The RBI has proposed to release a framework for self-regulatory organizations (SRO). The framework will be sector-agnostic and list broad objectives, functions, eligibility criteria, governance standards, etc. for SROs. The RBI will notify sector-specific requirements for SROs later – just before it starts accepting SRO applications. Self-regulation has scores of benefits for the fintech sector. It will enable effective-policy making and promote responsible innovation in the industry. 

 FIUs to onboard as FIPs too on Account Aggregator platforms

As per a new RBI rule, RBI-regulated financial information users (FIU) ecosystem must also onboard as financial information providers (FIP) on the account aggregator ecosystem. This rule applies only if FIUs hold financial information and qualify as FIPs. So far, many entities were using the account aggregator ecosystem to only receive information (as FIUs). The rule, once implemented, will ensure optimal data sharing within the ecosystem.

Razorpay’s quest for the Malaysian market

Curlec (a Razorpay entity) has obtained a license from the Malaysian central bank for its payment gateway services. It has also become a member of the Payments Network Malaysia Sdn Bhd (PayNet) – the national payments network for Malaysia’s financial market. As a PayNet member, Curlec aims to promote DuitNow – Malaysia’s real time payments system. Razorpay’s expansion to Malaysia will strengthen its presence in the south-east Asian market. 

That’s it from us. We’d love to hear from you. Write to us at contact@ikigailaw.com. Or sign up for Ikigai Fintech Office Hours to chat with our team about all things fintech regulation and policy.

See you next month.

If you enjoyed this edition of FinTales, do share it.

Challenge
the status quo

Bringing what's next...