FinTales Issue 37: Anti-Fragile Fintechs

“Antifragility is beyond resilience or robustness. The resilient resists shocks and stays the same; the antifragile gets better.”

- Nassim Taleb

Of all the fintech events we’ve been a part of, the recently concluded Global Fintech Fest (GFF) stands out for its sheer scale - with 800 speakers, 350 sessions and 80,000 delegates. The Prime Minister, RBI Governor, SEBI Chairperson and many policymakers, regulators, senior bankers, founders and academicians, from India and abroad, featured in its speakers list. In different GFF sessions and our conversations, ‘compliance, governance, fraud prevention and collaborations’ emerged as recurring themes – unlike earlier when fintech was all about new ideas and disruptive technologies. We even heard a joke or two about NPCI and RBI launching more products at this year’s GFF than all fintechs combined.

GFF is the industry’s barometer. And the sentiment of 2024 being a tough year for fintechs was evident throughout. Inspections, warnings, fines, business suspensions, license cancellations – fintechs have seen it all. RBI attention on them has been stronger than ever. And fintech funding has dropped by 60%.

Not all fintechs will survive this phase. Some may exit the financial services business. Others may join hands with existing players. New market entrants may become few and far. With the market headed towards consolidation, the big question is which fintechs will emerge as winners.

We think it will be those that best predict the regulator’s moves and moods. Make governance and compliance a priority. The ones which turn this regulatory heat into a competitive advantage. These are the ones that will not just survive but also thrive: the anti-fragile.

In this edition of FinTales, we explore how to be anti-fragile.

Main Course: meaty stories about how fintechs must strengthen their data privacy disclosures and prevent frauds by adopting innovative payment authentication techniques.

Dessert: sweet news about RBI’s fintech-related initiatives.

Mints: a refresher about recent fintech developments.

**********************************************************************************

Main Course

📖 Reading the fineprint

At the heart of any fintech is its ability to use its customers’ data well. Several sessions at this year’s GFF centered around the power of data - its ability to drive inclusion, resilience, and innovation.

For several years, data was mildly regulated in India. The DPDP Act took several years to be passed. And the barely enforced SPDI Rules continued to govern the use of sensitive data. But in recent times, regulatory intent has been clear. DPDP aside, effective data governance is an RBI priority as well.  Prominent RBI actions this year have involved concerns around data use. RBI’s action against Kotak Mahindra Bank, cancellation of two NBFC licenses, the action against Paytm Payments Bank – all involved concerns around use/ sharing of data. RBI’s regulations have also increasingly addressed data security and privacy. For instance, the Digital Lending Guidelines (DLG) set out dos and don’ts around data use and sharing by regulated entities. The master directions on cards barred co-branding partners from accessing transaction data. The draft outsourcing directions set out more details on what the RE-OSP outsourcing agreement must cover around data use.

So, to be resilient, fintechs must make data compliance and governance a priority.

A quick recap of where to start and what to do (and more writing here, here and here): 

- Know yourself: Identify if you control the data (i.e. you are a data fiduciary) or you process it for someone else (i.e. you are a data processor).

- Know your data: Identify what data you collect and why.

- Share with care: Evaluate why you need to share your customers’ data with third parties, and share with appropriate checks.

- Tell it all: Disclose everything to your customers.

The first three steps are all about getting your house in order. We hope you’ve done these by now.

Today we focus our energies on the last step – telling your users about your data practices.

Isn’t this just our privacy policy? you ask. We can see the dismissive head shakes. After all, for several years, the only people who cared about disclosures have been us lawyers.

But we think disclosures are more than a verbose treatise relegated to one webpage on your website. The DPDP Act might simply say give users a “notice”. But we think it calls for lawyers to join hands with product/tech teams and get involved in product design.

A few ideas to start with:

Privacy by design on the UI/UX

Transparency means telling users relevant information at relevant times. Which means embedding disclosures within the user interface/ user experience (UI/UX) so they make informed choices.

This means reviewing the customer journey on your platform - from app download, to a user creating an account, signing in, using the platform, to account deletion - to see precisely when to tell users what, giving them choices on the UI itself, rather than expecting them to read a long-form privacy policy. At the same time, the more text users see on the UI, the more confused they may get. And so, one must not go overboard – and avoid inundating the user with too much text and more choices than they can grasp.

For instance, a lot of text and checkboxes in one go may overwhelm a user:

[Screenshot omitted]

But snippets of information at the right time may be more impactful:

[Screenshot omitted]

Or breaking up the text onto different screens:

[Screenshot omitted]

A short-form notice

Several platforms still only provide a statement to the users seeking their agreement to the terms and privacy policy. While these documents are hyperlinked and a user could click on a link to read the policy, the chances of that happening are slim. Instead, a short notice with the big headlines could provide users meaningful information on the UI itself. For instance:

[Screenshot omitted]

For reference, fintechs would be familiar with the disclosure required to be displayed when accessing credit scores for a user on their behalf from credit bureaus, or the notice one gets while pulling an Aadhaar XML from digilocker. 

Layered notices

A layered notice embedded on the platform rather than a web URL can make for better reading:

[Screenshot omitted]

Beefing up the privacy policy

Of course, the long-form privacy policy is still a critical document. This is the only opportunity that a company gets to tell users in some detail about what data is collected, why, how it’s used, who it’s shared with, what are their choices around data, etc. And so, companies must get this right.

For instance, so far we’ve been used to seeing separate sections that describe what information is being collected (usually categorised as information that the user provides, information that is automatically collected, and information that is collected from third parties) and how the information is being used (to provide the platform/services, for fraud prevention, customer support, etc.). But for better transparency, companies could consider mapping each data point collected against the purposes it serves. Or describe in greater detail what data is collected at which stage.

With DPDP rules around the corner, and RBI focusing increasingly on data use, fintechs that focus on a privacy-conscious UI/UX and tech architecture will be better placed to absorb shocks.

🕵🏻‍ Finding new payment authentication methods

The RBI has been encouraging the industry to adopt innovative payment authentication methods – and move away from ‘SMS-based OTP’. It recently released a draft framework to prescribe principles for the adoption of such methods. The deadline to submit comments is 15 September.

Payment service providers must authenticate payments to ensure that payers are who they say they are. Authentication factors are typically from three categories:

- Something the user knows: password, PIN, passphrase, card details (printed on card), etc.

- Something the user has: possession of a sim card evidenced by SMS OTPs; possession of a device evidenced by an app installed on the device; hardware or software tokens linked to device, etc.

- Something the user is: fingerprint scanning, voice recognition, retina and iris scanning, etc.

In 2009, RBI mandated 2-factor authentication (2 FA) for digital payments (except for a few low-risk payments) in response to rising frauds. 2 FA is akin to putting two different locks on a door. To make UPI payments, for instance, users must have their mobile phone (first factor) and know their PIN (second factor). Similarly, the first authentication factor for online card payments is the card details, and for net/mobile banking payments it is the user ID. The SMS-based OTP became a natural choice as the second authentication factor for card/net-banking payments because: it was dynamic and easy to use; users from all demographics were already familiar with SMSs; all devices supported it; it was scalable; and users didn’t need to remember passwords or download new software to access it.

14 years later, the OTP seems to have run its course as an authentication factor. OTPs’ key advantages – ease of adoption and the industry’s familiarity with it – are now working against it. Miscreants have identified many different ways to exploit its weaknesses. It has become susceptible to frauds like phishing/vishing/smishing. The National Institute of Standards and Technology (NIST), a federal agency of the United States, has also recommended moving away from OTP as an authentication factor. It says, “you can use this puppy for now, but it’s on its way out”. The use of SMS as a second factor is less effective than other available innovations: voice printing, which authenticates customers on any device used for payments; behavioural biometrics, which detect frauds based on abnormal user behaviour; OTP delivery with geo-tagging (systems are alerted if an OTP is delivered at a place other than the customer’s usual location); mobile-app based device authenticators, etc. At GFF 2024, Mastercard also launched a new biometric authentication technique to replace OTPs. These developments have prompted the RBI to craft the framework. The RBI wants the ecosystem to be ready for the transition.
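To make the contrast concrete, here is an added illustration (not from the RBI framework or any issuer’s code) of why a bearer SMS OTP and a device-bound, transaction-linked approval behave differently at verification time: the OTP is six digits anyone can read and repeat, while a device-held key signs the exact payee, amount and one-time nonce the app displays. All function names, the in-memory stores and the sample transaction are constructed for this example.

```python
import hashlib
import hmac
import secrets


# --- SMS OTP: a bearer secret, bound only to a time window ------------------
def issue_sms_otp(pending: dict, txn_id: str, now: int, ttl: int = 180) -> str:
    """Issuer side: six digits stored against the transaction; the digits ARE the proof."""
    otp = f"{secrets.randbelow(10**6):06d}"
    pending[txn_id] = (otp, now + ttl)
    return otp  # delivered as plain text the user can read, and therefore repeat to anyone


def verify_sms_otp(pending: dict, txn_id: str, submitted: str, now: int) -> bool:
    """Only the digits and the expiry are checked: nothing ties the OTP to who submits it."""
    otp, expiry = pending.get(txn_id, (None, 0))
    return otp is not None and now <= expiry and hmac.compare_digest(otp, submitted)


# --- Device-bound approval: key stays on the phone, MAC covers the transaction --
def open_challenge(challenges: dict, txn_id: str, payee: str, amount: int) -> dict:
    """Issuer records the exact payee/amount and a one-time nonce for this transaction."""
    chal = {"txn_id": txn_id, "payee": payee, "amount": amount, "nonce": secrets.token_hex(16)}
    challenges[txn_id] = chal
    return chal


def device_approve(device_key: bytes, chal: dict) -> str:
    """Runs in the user's app. The key never leaves the device and the MAC covers the
    details the app displays, so the resulting proof is useless for any other transaction."""
    msg = f"{chal['txn_id']}|{chal['payee']}|{chal['amount']}|{chal['nonce']}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_device_approval(challenges: dict, device_key: bytes, txn_id: str,
                           payee: str, amount: int, proof: str) -> bool:
    """Issuer recomputes the MAC over the transaction it holds and consumes the nonce."""
    chal = challenges.get(txn_id)
    if chal is None or chal["payee"] != payee or chal["amount"] != amount:
        return False  # proof does not match the transaction being authorised
    ok = hmac.compare_digest(device_approve(device_key, chal), proof)
    if ok:
        del challenges[txn_id]  # single use: a captured proof cannot be replayed
    return ok


def demo() -> dict:
    """Constructed scenario: the user intends to pay 500 to shop@upi."""
    pending, challenges = {}, {}
    device_key = secrets.token_bytes(32)  # provisioned into the app at device binding
    otp = issue_sms_otp(pending, "T1", now=1000)
    chal = open_challenge(challenges, "T2", "shop@upi", 500)
    proof = device_approve(device_key, chal)
    return {
        # anyone who learned the six digits inside the window is accepted
        "otp_accepts_bare_digits": verify_sms_otp(pending, "T1", otp, now=1100),
        # the same proof cannot authorise a changed amount or payee
        "device_tampered": verify_device_approval(challenges, device_key, "T2", "shop@upi", 50000, proof),
        "device_ok": verify_device_approval(challenges, device_key, "T2", "shop@upi", 500, proof),
        # and it cannot be submitted twice
        "device_replay": verify_device_approval(challenges, device_key, "T2", "shop@upi", 500, proof),
    }
```

The geo-tagging and behavioural-biometrics options in the text are risk signals layered on top of a factor like this; they do not by themselves change what the OTP verifier above is able to check.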

The RBI’s new draft framework, however, does not make adoption of innovative authentication factors mandatory – it just nudges the industry in that direction. It gives the issuer of payment instruments (e-wallet issuers, banks/NBFCs holding deposit accounts or issuing credit lines, etc.) the right to pick and the responsibility to implement new authentication modes. In the past, voluntary frameworks of this nature have rarely moved the needle. Changes of this magnitude have been possible only when the RBI has mandated it and led it from the front. The industry must definitely put in efforts to avoid the same fate for adoption of the new authentication mechanisms.

When RBI made 2 FA mandatory for digital transactions processed remotely, it faced a lot of industry resistance. Since customers had to enter a new password along with the usual card details, the friction for payments increased. Payments and e-commerce companies saw an immediate drop in transactions. However, the payment volumes were restored soon. Not only this, but card payment fraud also dropped by a great margin. With 2 FA, customers felt way more secure transacting online. Eventually, both the industry and customers benefitted as digital payments soared.

The industry’s experience with card tokenization – replacing card details with a token – was similar. The RBI introduced a voluntary tokenization framework in 2019, encouraging the industry to adopt tokenization. However, since implementation required massive coordination between merchants, payment aggregators, card issuers, etc., the industry made little progress on this on its own. Eventually the RBI decided to mandate card tokenization. The tokenization rules prohibited payment aggregators, merchants, and others from saving card details of payers. The RBI faced massive industry pushback on this too, but it did not relent. In RBI’s view, though the rules disrupted operations (in the short term), they were necessary to address data privacy and safety concerns arising from loss of card data during cyber security breaches.

Adoption of innovative authentication factors seems to be going the same way. Reportedly, the banks/issuers have indicated that they are not ready to give up the SMS-based OTP just yet. This is because the cost, time and effort to implement a new authentication mechanism can be massive. For instance, merchants and technology service providers control user-facing interfaces for payments. To implement a new authentication mechanism, the issuers will need to coordinate with these players to tweak their interfaces. The issuers will also need to share standard APIs/SDKs with payment aggregators, acquiring banks and merchants, to ensure that the user experience with new authentication methods is uniform and RBI norms for security are met. An issuer may also need to coordinate with other issuers to get enough data sets to test new authentication mechanisms against frauds, etc. The issuers may lack the muscle and capacity to carry out coordination at such scale on their own. Europe faced similar issues with the implementation of its payment authentication framework even though regulators were overseeing the entire implementation. The deadline had to be extended multiple times to enable coordination within the ecosystem.

As we write this, OTP-based frauds are reaching a tipping point. For instance, smishing – a social engineering fraud which uses fake text messages to access SMS OTPs – accounts for 55% of digital payment frauds in India. As OTP becomes riskier as an authentication factor, the regulator may be forced to prescribe a deadline for phasing out SMS-based OTPs if the industry does not act on its own. Taking a cue from past experiences, the industry should consider taking proactive steps to avoid sharp timelines or over-prescriptive rules from the RBI. It must gather consensus on feasible authentication methods and their implementation process – instead of waiting for a regulatory diktat.

This time around, the industry has a new forum to drive this. The self-regulatory organisations (SROs) for both regulated entities and fintech companies can help them achieve this objective. The SROs could play the same role that NPCI did to set standards for the UPI ecosystem. They may coordinate amongst the issuers to frame uniform authentication processes, test them, issue certifications for compliance with RBI security norms and make each ecosystem player accountable. The SROs are anyway empowered by the RBI to enforce regulatory standards, promote ethical conduct and resolve disputes. As an ally of RBI, fostering innovation will also be one of the SROs’ key objectives. All this makes them well-placed to drive adoption of new authentication mechanisms.

The RBI may, on its part, consider acknowledging the SROs’ role in promoting the adoption of new authentication modes. SEBI, for instance, acknowledges the role of AMFI – an SRO for mutual funds – in its regulations. Many SEBI circulars are addressed to AMFI so that AMFI can ensure their enforcement. This may actually encourage the industry to become more independent of the regulator when it comes to adopting new innovations to make payment systems more robust.

Dessert

⬆️ A sweet fintech trilogy

At the GFF, the RBI and NPCI launched three key initiatives:

‘UPI Circle’: using this feature, also called ‘delegated payments’, UPI users can allow use of their UPI-linked accounts by other people whom they trust. The feature has two modes:

- full delegation: the users authorize a trusted secondary user to initiate and complete UPI transactions as per defined spend limits. 

- partial delegation: the users authorize initiation of payment requests from secondary users. The primary user can then complete the UPI transaction with their UPI PIN.

A primary user can add up to 5 secondary users, and a secondary user can accept delegation from only one primary user. Full delegation allows a maximum monthly limit of Rs. 15,000 per delegation and a maximum per-transaction limit of Rs. 5,000. Existing UPI limits will apply in case of partial delegation. A live demonstration of UPI Circle was showcased at the GFF launch event.

Unified Lending Interface (ULI): The RBI has launched its pilot on ULI – a platform which will aggregate customers’ digitised financial and non-financial data from multiple data service providers and share it with lenders. The RBI hopes that this will bring down the time for credit appraisal – especially for thin-file borrowers with limited or no credit history. The ULI’s architecture will follow a ‘plug and play’ approach – similar to UPI. This means that lenders will be able to seamlessly integrate the ULI with their own platforms.

Expansion of Bharat Billpay (BBPS) services: The RBI Governor has announced the expansion of BBPS services to businesses too. Indian businesses will soon be able to use the BBPS platform to make payments to other businesses. Offerings such as business onboarding, search and add businesses, purchase order creation, invoice management, automated reminders, guaranteed settlement, financing, and online dispute resolution will be inbuilt in the platform.

☘️ Mints

🏧 RBI and NPCI launch UPI-ICD

The RBI in partnership with NPCI has introduced the UPI Interoperable Cash Deposit (UPI-ICD) facility. The feature will allow UPI users to deposit cash using UPI to their own or any other bank account.

✅ We have an SRO-FT

The RBI has recognized the Fintech Association of Customer Empowerment (FACE) as an SRO for fintechs. FACE has received this recognition under the fintech SRO framework notified by the RBI last month.

👩‍💻 Biometric authentication for UPI payments

NPCI is in discussions with start-ups to enable biometric authentication for UPI payments. At present, a six-digit PIN is used as the second authentication factor for UPI payments (device binding being the first authentication factor). This initiative by NPCI stems from RBI’s concern regarding UPI scams and PIN-related frauds.

🏦 NPCI sets up a WOS

NPCI has set up a new subsidiary called NPCI BHIM Services Limited (NBSL). NBSL will be led by Ms Lalitha Nataraj (as the CEO) and Mr. Rahul Handa (as the CBO). Through the subsidiary, the NPCI aims to keep up with demands for digital transactions and evolving market expectations, promote financial inclusion, and to keep up with customer preferences.

🔁 E-mandates for recurring transactions

The RBI issued a circular to clarify that FASTag and National Common Mobility Cards (NCMC) will now get auto-replenished as soon as the balance falls below the threshold set by the customer. The RBI has decided that as payments for auto-replenishment are recurring and without any fixed periodicity, they would be exempted from the requirement of a pre-debit notification.

💼Another SRO but for Financial Markets

The RBI released the framework for SROs in financial markets. The framework is based on the ‘Omnibus Framework for SROs’ for regulated entities issued by RBI in March 2024. The framework prescribes broad principles such as functions, objectives, characteristics, eligibility criteria and responsibilities of SROs in the financial markets. RBI has also invited applications for SROs in this sector.

🚫P2P Lending NOT an investment product

The RBI recently amended its Master Directions on P2P lending. Some of the key changes are: (a) an NBFC-P2P will not assume any credit risk for transactions through its platform; (b) NBFC-P2Ps are not permitted to cross-sell any insurance products; (c) a board-approved policy is to be put in place for mapping lenders with borrowers on a non-discriminatory basis; and (d) the P2P platform will not promote peer-to-peer lending as an investment product.

📰 RBI penalises P2P lending platforms

RBI has penalised LiquiLoans and LenDen Club for violating the P2P lending guidelines. The non-compliances include: (a) loan disbursal without specific approval from the lenders; (b) routing of the disbursal amount and collection amount through a co-lending escrow account; and (c) undertaking partial credit risk by foregoing the service fee (fully/partially).
