Fintech Framework: Regulatory responses to financial innovation

/0 Comments/in , /by

Timothy Lopes, Executive, Vinod Kothari Consultants

finserv@vinodkothari.com

The world of financial services is continually witnessing a growth spree evidenced by new and innovative ways of providing financial services with the use of enabling technology. Financial services coupled with technology, more commonly referred to as ‘Fintech’, is the modern day trend for provision of financial services as opposed to the traditional methods prevalent in the industry.

Rapid advances in technology coupled with financial innovation with respect to delivery of financial services and inclusion gives rise to all forms of fintech enabled services such as digital banking, digital app-based lending, crowd funding, e-money or other electronic payment services, robo advice and crypto assets.

In India too, we are witnessing rapid increase in digital app-based lending, prepaid payment instruments and digital payments. The trend shows that even a cash driven economy like India is moving to digitisation wherein cash is merely used as a way to store value as an economic asset rather than to make payments.

“Cash is King, but Digital is Divine.”

  • Reserve Bank of India[1]

The Financial Stability Institute (‘FSI’), one of the bodies of the Bank for International Settlement issued a report titled “Policy responses to fintech: a cross country overview”[2] wherein different regulatory responses and policy changes to fintech were analysed after conducting a survey of 31 jurisdictions, which however, did not include India.

In this write up we try to analyse the various approaches taken by regulators of several jurisdictions to respond to the innovative world of fintech along with analysing the corresponding steps taken in the Indian fintech space.

The Conceptual Framework

Let us first take a look at the conceptual framework revolving in the fintech environment. Various terminology or taxonomies used in the fintech space, are often used interchangeably across jurisdictions. The report by FSI gives a comprehensive overview of the conceptual framework through a fintech tree model, which characterises the fintech environment in three categories as shown in the figure.

Source: FSI report on Policy responses to fintech: a cross-country overview

Let us now discuss each of the fintech activities in detail along with the regulatory responses in India and across the globe.

Digital Banking –

This refers to normal banking activities delivered through electronic means which is the distinguishing factor from traditional banking activities. With the use of advanced technology, several new entities are being set up as digital banks that deliver deposit taking as well as lending activities through mobile based apps or other electronic modes, thereby eliminating the need for physically approaching a bank branch or even opening a bank branch at all. The idea is to deliver banking services ‘on the go’ with a user friendly interface.

Regulatory responses to digital banking –

The FSI survey reveals that most jurisdictions apply the existing banking laws and regulations to digital banking as well. Applicants with a fintech business model must go through the same licensing process as those applicants with a traditional banking business model.

Only a handful of jurisdictions, namely Hong Kong, SAR and Singapore, have put in place specific licensing regimes for digital banks. In the euro area, specific guidance is issued on how credit institution authorisation requirements would apply to applicants with new fintech business models.

Regulatory framework for digital banking in India –

In India, majority of the digital banking services are offered by traditional banks itself, mainly governed by the Payment and Settlement Systems Act, 2007[1], with RBI being the regulatory body overseeing its implementation. The services include, opening savings accounts online even through apps, facilitating instant transfer of funds through the use of innovative products such as the Unified Payments Interface (UPI), which is governed by the National Payments Corporation of India (NPCI), facilitating the use of virtual cards, prepaid payment instruments (PPI), etc. These services may be provided not only by traditional banks alone, but also by non-bank entities.

Fintech balance sheet lending

Typically refers to lending from the balance sheet and assuming the risk on to the balance sheet of the fintech entity. Investors’ money in the fintech entity is used to lend to customers which shows up as an asset on the balance sheet of the lending entity. This is the idea of balance sheet lending. This idea, when facilitated with technological innovation leads to fintech balance sheet lending.

Regulatory responses to fintech balance sheet lending –

As per the FSI survey, most jurisdictions do not have regulations that are specific to fintech balance sheet lending. In a few jurisdictions, the business of making loans requires a banking licence (eg Austria and Germany). In others, specific licensing regimes exist for non-banks that are in the business of granting loans without taking deposits. Only one of the surveyed jurisdictions has introduced a dedicated licensing regime for fintech balance sheet lending.

Regulatory regime in India –

The new age digital app based lending is rapidly advancing in India. With the regulatory framework for Non-Banking Financial Companies (NBFCs), the fintech balance sheet lending model is possible in India. However, this required a net owned fund of Rs. 2 crores and registration with RBI as an NBFC- Investment and Credit Company.

The digital app based lending model in India works as a partnership between a tech platform entity and an NBFC, wherein the tech platform entity (or fintech entity) manages the working of the app through the use of advanced technology to undertake credit appraisals, while the NBFC assumes the credit risk on its balance sheet by lending to the customers who use the app. We have covered this model in detail in a related write up[2].

Loan & Equity Crowd funding

Crowd funding refers to a platform that connects investors and entrepreneurs (equity crowd funding) and borrowers and lenders (loan crowd funding) through an internet based platform. Under equity crowd funding, the platform connects investors with companies looking to raise capital for their venture, whereas under loan crowd funding, the platform connects a borrower with a lender to match their requirements. The borrower and lender have a direct contract among them, with the platform merely facilitating the transaction.

Regulatory responses to crowd funding –

According to the FSI survey, many surveyed jurisdictions introduced fintech-specific regulations that apply to both loan and equity crowd funding considering the similar risks involved, shown in the table below. Around a third of surveyed jurisdictions have fintech-specific regulations exclusively for equity crowd funding. Only a few jurisdictions have a dedicated licensing regime exclusively for loan crowd funding. Often, crowd funding platforms need to be licensed or registered before they can perform crowd funding activities, and satisfy certain conditions.

Table showing regulatory regimes in various jurisdictions

Fintech-specific regulations for crowd funding
Equity Crowd Funding Equity and Loan Crowd Funding Loan Crowd Funding
Argentina           Columbia

Australia             Italy

Austria                Japan

Brazil                   Turkey

China                   United States

 Belgium                Peru

Canada                 Philippines

Chile                      Singapore

European Union  Spain

France                   Sweden

Mexico                  UAE

Netherlands         UK

 Australia

Brazil

China

Italy

 

Source: FSI Survey

Regulatory regime in India

  1. In case of equity crowd funding –

In 2014, securities market regulator SEBI issued a consultation paper on crowd funding in India[3], which mainly focused on equity crowd funding. However, there was no regulatory framework subsequently issued by SEBI which would govern equity crowd funding in India. At present crowd funding platforms in India have registered themselves as Alternative Investment Funds (AIFs) with SEBI to carry out fund raising activities.

 

  1. In case of loan crowd funding –

The scenario for loan crowd funding, is however, already in place. The RBI has issued the Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017[4] which govern loan crowd funding platforms. Peer to Peer Lending and loan crowd funding are terms used interchangeably. These platforms are required to maintain a net owned fund of not less than 20 million and get themselves registered with RBI to carry out P2P lending activities.

 

As per the Directions, the Platform cannot raise deposits or lend on its own or even provide any guarantee or credit enhancement among other restrictions. The idea is that the platform only acts as a facilitator without taking up the risk on its own balance sheet.

Robo- Advice

An algorithm based system that uses technology to offer advice to investors based on certain inputs, with minimal to no human intervention needed is known as robo-advice, which is one of the most popular fintech services among the investment advisory space.

Regulatory responses to robo-advice –

According to the FSI survey, in principle, robo- and traditional advisers receive the same regulatory treatment. Consequently, the majority of surveyed jurisdictions do not have fintech-specific regulations for providers of robo-advice. Around a third of surveyed jurisdictions have published guidance and set supervisory expectations on issues that are unique to robo-advice as compared to traditional financial advice. In the absence of robo-specific regulations, several authorities provide somewhat more general information on existing regulatory requirements.

Regulatory regime in India –

In India, there is no specific regulatory framework for those providing robo-advice. All investment advisers are governed by SEBI under the Investment Advisers Regulations, 2013[5]. Under the regulations every investment adviser would have to get themselves registered with SEBI after fulfilling the eligibility conditions. The SEBI regulations would also apply to those offering robo-advice to investors, as there is no specific restriction on using automated tools by investment advisers.

Digital payment services & e-money

Digital payment services refer to technology enabled electronic payments through different modes. For instance, debit cards, credit cards, internet banking, UPI, mobile wallets, etc. E-money on the other hand would mostly refer to prepaid instruments that facilitate payments electronically or through prepaid cards.

Regulatory responses to digital payment services & e-money –

As per the FSI survey, most surveyed jurisdictions have fintech-specific regulations for digital payment services. Some jurisdictions aim at facilitating the access of non-banks to the payments market. Some jurisdictions have put in place regulatory initiatives to strengthen requirements for non-banks.

Further, most surveyed jurisdictions have a dedicated regulatory framework for e-money services. Non-bank e-money providers are typically restricted from engaging in financial intermediation or other banking activities.

Regulatory regime in India –

The Payment and Settlement Systems Act, 2007 (PSS) of India governs the digital payments and e-money space in India. While several Master Directions are issued by the RBI governing prepaid payment instruments and other payment services, ultimately they draw power from the PSS Act alone. These directions govern both bank and non-bank players in the fintech space.

UPI being a fast mode of virtual payment is however governed by the NPCI which is a body of the RBI.

Other policy measures in India – The regulatory sandbox idea

Both RBI and SEBI have come out with a Regulatory Sandbox (RS) regime[6], wherein fintech companies can test their innovative products under a monitored and controlled environment while obtaining certain regulatory relaxations as the regulator may deem fit.  As per RBI, the objective of the RS is to foster responsible innovation in financial services, promote efficiency and bring benefit to consumers. The focus of the RS will be to encourage innovations intended for use in the Indian market in areas where:

  1. there is absence of governing regulations;
  2. there is a need to temporarily ease regulations for enabling the proposed innovation;
  3. the proposed innovation shows promise of easing/effecting delivery of financial services in a significant way.

RBI has already begun with the first cohort[7] of the RS, the theme of which is –

  • Mobile payments including feature phone based payment services;
  • Offline payment solutions; and
  • Contactless payments.

SEBI, however, has only recently issued the proposal of a regulatory sandbox on 17th February, 2020.

Conclusion

Technology has been advancing at a rapid pace, coupled with innovation in the financial services space. This rapid growth however should not be overlooked by regulators across the globe. Thus, there is a need for policy changes and regulatory intervention to simultaneously govern as well as promote fintech activities, as innovation will not wait for regulation.

While most of regulators around the globe have different approaches to governing the fintech space, the regulatory environment should be such that there is sufficient understanding of fintech business models to enable regulation to fit into such models, while also curbing any unethical activities or risks that may arise out of the fintech business.

[1] https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/86706.pdf

[2] http://vinodkothari.com/2019/09/sharing-of-credit-information-to-fintech-companies-implications-of-rbi-bar/

[3] https://www.sebi.gov.in/sebi_data/attachdocs/1403005615257.pdf

[4] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MDP2PB9A1F7F3BDAC463EAF1EEE48A43F2F6C.PDF

[5] https://www.sebi.gov.in/legal/regulations/jan-2013/sebi-investment-advisers-regulations-2013-last-amended-on-december-08-2016-_34619.html

[6] https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=938

https://www.sebi.gov.in/media/press-releases/feb-2020/sebi-board-meeting_46013.html

[7] https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=48550

[1] Assessment of the progress of digitisation from cash to electronic – https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=19417

[2] https://www.bis.org/fsi/publ/insights23.pdf

Sharing of Credit Information to Fintech Companies: Implications of RBI Bar

/0 Comments/in , , /by

-Financial Services Division | Vinod Kothari Consultants Pvt. Ltd.

(finserv@vinodkothari.com)

The RBI recently wrote a letter, dated 16th September, 2019, to banks and NBFCs, censuring them over what seems to have been a prevailing practice – sharing of credit information sourced by NBFCs from Credit Information Companies (CICs), to fintech companies. The RBI reiterated that such sharing of information was not permissible, citing several provisions of the law, and expected the banks/NBFCs to affirm steps taken to ensure compliance within 15 days of the RBI’s letter.

This write-up intends to discuss the provisions of the Credit Information Companies (Regulation) Act, 2005 [CICRA], and related provisions, and the confidentiality of credit information of persons, and the implications of the RBI’s letter referred to above.

Fintech companies’ model

Much of the new-age lending is enabled by automated lending platforms of fintech companies. The typical model works with a partnership between a fintech company and an NBFC. The fintech company is the sourcing partner, and the NBFC is the funding partner. A borrower goes to the platform of the fintech company which provides a user-friendly application process, consisting of some basic steps such as providing the aadhaar card or PAN card details, and a photograph. Now, having got the individual’s basic details, the fintech company may either source the credit score of the individual from one of the CICs, or may use its own algorithm. If the fintech company wants to access the data stored with the CICs, it will have to rely on one of its partner NBFCs, since CIC access is currently allowed to financial sector entities only, who have to mandatorily register themselves as members of all four CICs.

It is here that the RBI sees an issue. If the NBFC allows the credit information sourced from the CIC to be transferred to a fintech company, there is an apparent question as to whether such sharing of information is permissible under the law or not.

We discuss below the provisions of the law relating to use of credit information.

Confidentiality of credit information

By virtue of the very relation between the customer and a banker, a banker gets access to the financial information of its customers. Very often, an individual may not even want to share his financial data even with close family members, but the banker any way has access to the same, all the time. If the banker was to share the financial details of a customer, it would be a clear intrusion into the individual’s privacy, and that too, arising out of a fiduciary relationship.

Therefore, the principle, which has since been reiterated by courts in numerous cases, was developed by UK courts in an old ruling in Tournier v National Provincial and Union Bank of England [1924] 1 KB 461. Halsbury’s Laws of England, Vol 1, 2nd edition, says: “It is an implied term of the contract between a banker and his customer that the banker will not divulge to third persons, without the consent of the customer, express or implied, either the state of the customer’s account, or any of his transactions with the bank or any information relating to the customer acquired through the keeping of his account, unless the banker is compelled to do so by order of a Court, or the circumstances give rise to a public duty of disclosure or the protection of the banker’s own interests requires it.

The above law is followed in India as well.

In Shankarlal Agarwalla v. State Bank of India and Anr. AIR 1987 Cal 29[1], it was held that compulsion to disclose must be confined to the regular exercise by the proper officer to actual legal power to compel disclosure.

In case any information is disclosed without a legal compulsion to disclose, the same is wrongful on the part of the lender.

Credit Information Companies and sharing of information

When an RBI Working Group set up in 1999 under the chairmanship of N. H. Siddiqui recommended the formation of CICs in India, the question of confidentiality of credit information was discussed. It was noted by the Working Group that all over the world, there are regulatory controls on sharing of information by credit bureaus:

The Credit Information Bureaus, all over the world, function under a well defined regulatory framework. Where the Bureaus have been set up as part of the Central Bank, the regulatory framework for collection of information, access to that information, privacy of the data, etc., is provided by the Central Bank. Where Bureaus have been set up in the private sector, existence of separate laws ensure protection to the privacy and access to the data collected by the Bureau. In the U.S.A. where Credit Information Bureaus have been set up in the private sector, collection and sharing of information is governed by the provisions of the Fair Credit Reporting Act, 1971 (as amended by the Consumer Credit Reporting Reform Act of 1996). The Fair Credit Reporting Act is enforced by the Federal Trade Commission, a Federal Agency of the U.S. Govt. In the U.K., Credit Bureaus are licensed by the Office of the Fair Trading under the Consumer Credit Act of 1974. The Bureaus are also registered with the Office of the Data Protection Registrar, appointed under the Data Protection Act, 1984 (replaced by the Data Protection Commissioner under the new Act of 1998). In Australia, neither the Reserve Bank of Australia nor the Australian Prudential Regulation Authority (APRA) plays a role in promoting, developing, licensing or supporting Credit Bureaus. APRA holds annual meetings with the major Bureaus in Australia. The sharing of information relating to customers is regulated in Australia by the Privacy Act. This Act is administered by the Privacy Commissioner, who is vested with the responsibility of framing guidelines for protection of privacy principles and to ensure that Bureaus in Australia conform to these guidelines. In New Zealand, a situation similar to that of Australia exists. In Sri Lanka, the Bureau was formed by an Act of Parliament at the initiative of the Central Bank. A Deputy Governor of the Central Bank is the Chairman of the Bureau in Sri Lanka and the Bank is also represented on the Board of the Bureau by a senior officer. In Hong Kong, the Hong Kong Monetary Authority (HKMA), though not being directly involved in the setting up of a credit referencing agency has issued directions to all the authorised institutions recommending their full participation in the sharing and using of credit information through credit referencing agencies within the limits laid down by the Code of Practice on Consumer Credit Data formulated by the Privacy Commissioner. HKMA also monitors the effectiveness of the credit referencing services in Hong Kong, in terms of the amount of credit information disclosed to such agencies, and the level of participating in sharing credit information by authorised institutions.[2]

The inherent safeguards in the CIC Law

CICRA provides the privacy principles which shall guide the CICs, credit institutions and Specified Users in their operations in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information. In this regard, the purpose of obtaining information, guidelines for access to credit information of customers, restriction on use of information, procedures and principles for networking of CICs, credit institutions and specified users, etc. must be clearly defined.

Further, no person other than authorised person is allowed to have access to credit information under CICRA. Persons authorised to access credit information are CICs, credit institutions registered with the CICs and other persons as maybe specified by the RBI through regulations.

The Credit Information Companies Regulations provide that other persons who maybe allowed to access credit information are insurance companies, IRDAI, cellular service providers, rating agencies and brokers registered with SEBI, SEBI itself and trading members registered with Commodity Exchange.

Clearly, fintech companies or technology service providers are not authorised to access credit information. Access of information by such companies is a clear violation of CICRA.

Secrecy of customer information: duty of the lender

Paget on the Law of Banking observed that out of the duties of the banker towards the customer among those duties may be reckoned the duty of secrecy. Such duty is a legal one arising out of the contract, not merely a moral one. Breach of it therefore gives a claim for nominal damages or for substantial damages if injury is resulted from the breach.

Further, in case of Kattabomman Transport Corporation Ltd. V. State Bank of India, the Calcutta High Court held that the banker was under a duty to maintain confidentiality. An appeal[3] was filed against this ruling, the outcome of which was the information maybe disclosed by the banks, only when there is a higher duty than the private duty.

NBFCs providing access to the fintech companies is undoubtedly a private duty and thus, is a breach of duty on the part of the lender.

The case of Fintech Companies and NBFC partnership:

The letter of the RBI under discussion, dated 17th September, 2019, has been seen as a challenge to the working of the fintech companies. However, to understand in what way does this affect the working of fintech companies, we need to understand several situations.

Before coming to the same, it must be noted that the RBI’s 17th September circular is not writing a new law. The law on sharing of credit information has always been there, and the inherent protection is very much a part of the CICRA itself. The RBI circular is, at best, a regulatory cognition of an existing issue, and is a note of caution to NBFCs, who, in their enthusiasm to generate business, may not disregard the provisions of the law.

The situations may be as follows:

  • Fintech company using its own algorithm: In this case, the fintech company is relying upon its own proprietary algorithm. It is not relying on any credit bureau information. Therefore, there is no question of any credit information being shared. In fact, even if the fintech uses the score developed by it, without relying on CIC data, with other entities, it is a proprietary information, which may be shared.
  • NBFC sharing credit information with Fintech company, which is sourcing partner for the NBFC: If the NBFC is sharing information with a fintech company, with the intent of using the information for its own lending, can it be argued that there is a breach of the provisions of the CICRA? It may be noted that regulation 9 of the CIC Regulations requires CICs to protect credit information from unauthorised access. As already discussed, access by such fintech companies is unauthorised.
  • NBFC sharing credit information with Fintech company, which is not partnering with the NBFC: In case, the NBFC is not partnering with the NBFC and is still sharing credit information, there seems to be no reason for such sharing other than information trading. Several NBFCs have at many instances, been reported to have engaged in information trading for additional income.
  • NBFC sharing credit information with another NBFC/bank, which is a co-lender: The NBFC may authorise its co-lender to obtain credit information from CICs and the same shall not be an unauthorised access of information, since the co-lender is also a credit institution and is registered with CICs.
  • Bank sharing credit information with another NBFC which is a sourcing partner and not a c0-lender: If the sourcing partner is a member of CICs, it may access the credit information directly from the CICs. If the sourcing partner is not a member of CICs, sharing of credit information is violation of customer privacy, and thus, shall not be allowed.

Conclusion

The credit bureau reports are actually being exchanged in the system without much respect to the privacy of the individual’s data. With the explosion of information over the net, it may even be difficult to establish as to where the information is coming from. Privacy and confidentiality of information is at stake. At the same time, the very claim-to-existence of fintech entities is their ability to process a credit application within no time. Whether there is an effective way to protect the sharing of information stored with CICs is a significant question, and the RBI’s attention to this is timely and significant.

 

[1] https://indiankanoon.org/doc/1300997/

[2] https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=76

[3] https://indiankanoon.org/doc/908914/