In a country where the vast population could not think beyond cash payments even 5 years back, here we are, projected to reach $10 trillion in digital payments by 2026. How has this change come about?
The impact of technology on the financial market in India has grown substantially in recent years, and India is gradually becoming the flag-bearer of digitization of the financial market, primarily through digital wallets, which have been flooding the market at an astonishing pace since the pandemic. The pandemic has brought about major behavioural changes in the industry and in society in general towards facilitating and accepting digital payments. FinTech and BigTech companies are fast expanding their scope of business into payment systems, which are now strictly regulated by data protection and privacy laws both in India and internationally. India has mandated local storage of payments data and is also in the process of legislating its own data protection law. This in turn gives legal-tech companies in India the challenge of constantly updating their content to accommodate those changes.
However, the aim is to digitally enable all smartphone and feature phone users and create a secure framework for offline and online card transactions as well as those that involve standing instructions by the users. Further, the plan is to bring critical payment intermediaries into the formal regulated / supervised framework and the directions issued for Payment Aggregators (PAs) are a step in this direction.
All activities relating to prepaid payment instruments in India are regulated by the Reserve Bank of India (RBI) under the Payment Settlement Systems Act, 2007 and RBI’s individual master directions.
Unified Payments Interface (UPI)
The National Payments Corporation of India (NPCI) was created by RBI to regulate, and act as a chief component of, India’s payment ecosystem. All the directions issued by NPCI are in adherence to RBI directions. It operates the Unified Payments Interface (UPI), which facilitates instant transactions and settlements.
The main success behind the use of technology in the financial market is the creation of the Unified Payments Interface; it has played the major role in changing the payment system throughout the country.
UPI offers interoperability, which has helped it reach milestones in different corners of the country. It saves one the hassle of entering the bank name, account number and IFSC code whenever one sends money using technology, and it saves time. The role of UPI in charging up the financial market in India is immense and too large to capture in one write-up. Its flexibility has allowed payments using technology across a wide arena. This is the kind of role UPI has played.
The year 2021 turned out to be historic for UPI. One of the key trends going forward will be the continued growth of UPI’s share in overall retail transactions in India. With the incorporation of Tokenisation, card details will not be stored on websites and a token number that represents encrypted card details will be used instead.
Some compliances for an issuer processing e-mandates in the Unified Payments Interface (UPI) for recurring transactions are:
- Put in place a grievance redressal system that enables the cardholder to lodge grievances
- Continue to provide UPI services post withdrawal of customer consent to share location / geographical details for the App
Prepaid Payments Instrument (PPI)
The RBI Master Direction on “Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India” laid down a comprehensive set of rules and regulations for prepaid payment instruments in India.
As per the Payment and Settlement Act, 2005, Prepaid Payment Instruments are those instruments of payment that facilitate buying of goods and services, transfer of funds, etc., against the value stored within or against the instrument. According to RBI, there are over 35 non-bank PPI issuers in the country, including the likes of Amazon Pay, Bajaj Finance, Ola Financial Services, PayU Payments Pvt Ltd, Phone Pe Pvt Ltd, among others.
2022 is also an important year for wallets as RBI has mandated interoperability starting financial year 2023, meaning customers will now be able to move money from one wallet to another.
The Reserve Bank of India (RBI) has notified via a circular that non-bank prepaid payment instruments (PPIs) cannot be loaded through credit lines. The clarification has hit many Buy Now Pay Later (BNPL) offerings, including the new-age ‘challenger credit cards’ that were working on this model, such as PPI cards offered by fintechs, which were backed by NBFC-offered credit lines. The provision simply lists the modes through which any PPI can be funded, indicating that now all PPIs cannot be funded through a credit line.
This means that BNPL offerings from banks/fintechs, challenger credit cards from neo banks, and even postpaid facilities via wallets using this route have been impacted.
An immediate remedy is an NBFC licence with approval to issue credit cards, as permitted under the recent RBI MD on credit card and debit card issuance. Co-branded and debit/credit/prepaid cards, which can be offered by banks or non-banks, are another immediate option.
Future options for credit payments at PoS include UPI-based credit transactions via UPI linked to credit cards (starting with RuPay), which the RBI announced earlier in June, and OCEN, which will create ‘lending service providers’ with multiple lending partners.
Consumer Protection
Digital Financial Services (DFS) have increased the risk of cyberattacks, lack of data privacy, aggressive marketing and many other issues. Regulatory bodies like the RBI and SEBI are working hard to protect consumers using DFS. Some of the regulatory authorities and their steps are:
- The Directions on “Guidelines for security controls of RBI” lay down data storage, security and privacy protections addressing operational risks, including fraud risk; compliance with cyber security requirements; etc., to name a few. The Master Direction on Payment Security Controls covers key areas such as general controls, internet banking security controls, mobile payment application security control and card payment security. We list below only 2 of the many compliances under general controls.
  - Governance and management of security: This pertains to identification, analysis, monitoring and management of fraud risk and compliance risk linked with digital payment products through risk governance and risk management programs.
  - Application security life cycle: Regulated entities with digital payment applications must implement all the necessary security controls to handle, store and protect payment data. Several standards and guidelines have been developed to ensure protection of applications, such as OWASP, data protection guidelines in ISO 12812 and threat catalogues by NIST, which must be adhered to right from the application development phase.
- The RBI Master Circular “Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India” lays down a comprehensive set of rules and regulations for prepaid payment instruments in India. It also identifies three types of payment instruments: closed system payment instruments, semi-closed system payment instruments and open system payment instruments. Certain eligible banks who comply with all the required terms and conditions given under the guidelines can use such a scheme.
- Other acts, like the Information Technology Act, 2000 and the Indian Penal Code, 1860, are among the laws that govern cyber-crimes committed over the internet through e-banking. The former act imposes both civil and criminal punishments and penalties, while the latter imposes criminal liability only, for cheating, forgery, fraud, counterfeit currency, etc.
- The Right to Privacy is a Fundamental Right under Article 21 of the Indian Constitution. Employers collect Sensitive Personal Data Information (SPDI) of their employees for various reasons, such as the selection process, record retention, employee evaluations or other legitimate business purposes. If an employer is negligent in implementing and maintaining the SPDI of an employee, the employer may be held liable to pay compensation to that employee. There are several compliances under the SPDI Rules; we list only two:
  - SPDI must only be collected where there is a need to collect such information.
  - Employees shall have a well-documented privacy policy as required by the IT Act, and it shall also be available on the employer’s website.
The pandemic has pushed companies and individuals at large to widen their horizons, be it working from home or their payment infrastructure, and has forced them to think beyond payments in cash, which was once considered the only mode of payment. RBI’s plans to form a New Umbrella Entity (NUE) on the lines of, and to rival, NPCI will help boost the payments ecosystem in India and increase the bandwidth of transactions that the economy can handle as a whole. Besides this, the Central Bank Digital Currency (CBDC), where further clarity on the model of implementation is still awaited from the RBI, will usher in a new era in digital payments and transactions in India.
With the increasing number and fast evolving modes of digital payments, we can only hope that the laws can keep pace, securing data and information, yet propelling the FinTech market to the next level.
Written by: Sweta Chaubey
Co Authored by: Ananya Shukla
Disclaimer
All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. This blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion Solutions. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement are the intellectual property of Lexplosion Solutions Private Limited and/or its licensors.
ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.