Not Just a Marketplace: Lender Primacy, Disclosures and Consent Architecture in Digital Loan Sourcing

/0 Comments/in /by

Archisman Bhattacharjee (finserv@vinodkothari.com)

Key Themes and Takeaways

Digital loan sourcing through DLAs is no longer a marketing function; it is a regulated gateway into the lending relationship.

The regulatory framework under the Reserve Bank of India and the Digital Personal Data Protection Act, 2023 together reshape how sourcing interfaces must be designed.

REs remain the principal and legally accountable lender, even where DLAs and LSPs perform front-end sourcing functions.

Lender identity, branding, and role must be clearly disclosed to borrowers from the first interaction on the DLA.

Multi-lender platforms must operate in a fair and transparent manner, with visibility of matched and unmatched lenders.

Sourcing flows must be consent-driven, with purpose-specific, granular and non-bundled consents.

Borrowers must be shown relevant privacy policies before any data is shared with an RE or any third party.

REs are ordinarily the data fiduciaries; DLAs/LSPs usually act as data processors unless they independently determine purposes.

Platforms must support practical exercise of data principal rights, including withdrawal of consent and deletion requests.

Data retention, segregation, access control and localisation are central to compliant sourcing architecture.
Read more

RBI Proposes Uniform Recovery Norms Across All Lenders

/0 Comments/in /by

Tejasvi Thakkar and Simrat Singh | Finserv@vinodkothari.com 

Introduction

Pursuant to the RBI’s stated intent in the Statement on Developmental and Regulatory Policies to harmonise the conduct of Regulated Entities in relation to loan recovery, comprehensive draft instructions have been proposed, to be effective from July 1, 2026, consolidating and rationalising the existing scattered provisions. The instructions are applicable to all NBFCs, excluding Mortgage Guarantee Companies, Core Investment Companies, NBFC-Account Aggregators, Standalone Primary Dealers, Non-Operating Financial Housing Companies, and NBFCs not having any customer interface. The key requirements of the proposed framework are summarised below:

Key highlights

Policy Requirement

REs shall formulate a separate policy on recovery of loan dues, engagement of recovery agents and taking possession of security. The policy shall, inter-alia, cover:

  • Eligibility and due diligence criteria for engagement of recovery agents.
  • Specified recovery activities permitted to be carried out.
  • Code of Conduct requirements.
  • Performance evaluation standards, inspection and control mechanism.
  • Procedures and penal actions in case of non-compliance by recovery agents.
  • Recovery procedures in case of demise of borrower.
  • Mechanism to identify borrowers facing repayment difficulties and provide guidance on recourse options
  • Incentive structures not inducing harsh recovery practices..
  • Enforcement and possession framework including legal action not to be adopted as the first resort.

Issue: Whether this can be combined with the policy on Code of Conduct for DSAs/DMAs?

Our view: Since the present requirement specifically deals with recovery conduct, possession and enforcement of security interest, and engagement of recovery agents, the same should ideally be maintained as a separate policy. The DSA/DMA CoC policy deals largely with sourcing-stage conduct such as mis-selling and consequent compensation-related aspects. However, where there are overlapping requirements, NBFCs may structure the same within a broader conduct framework, divided into separate sections. However, it should remain distinct from the outsourcing policy.

Due diligence (DD) requirements

  1. Frame and implement a due diligence framework in line with the RBI Outsourcing Directions, 2025.
  2. RE to ensure that recovery agencies shall undertake due diligence and verification of their employees/representatives at the time of engagement and on a periodic basis. Policy to specify such periodicity and scope of verification.

Training Requirements 

  1. Recovery agents shall mandatorily possess certification from the Indian Institute of Banking and Finance (IIBF) for debt recovery agents. (Aligned with the HFC Master Directions)
  2. Existing agents without certification shall obtain the same within one year from issuance of directions

Code of Conduct for recovery Agents

  1. REs shall put in place a CoC for recovery agents and employees engaged in recovery and obtain undertakings for adherence.
  2. The CoC shall include, inter alia:
    1. Fair and respectful treatment of borrowers.
    2. Sharing only limited borrower information necessary for recovery and preventing misuse.
    3. Mandatory documents to be carried (ID card, copy of recovery letter etc)
    4. Permissible hours of contact
    5. Place of contact rules
    6. Restriction on contacting third parties
    7. Detailed prohibition of harsh practices
    8. Borrower information confidentiality
    9. No recovery action where grievance is pending, unless found to be frivolous
    10. Recording of recovery calls with due borrower intimation.

Issue: Whether the CoC prescribed earlier under HFC Directions stands subsumed?

Our view: Yes. The earlier HFC provisions largely stand harmonised and subsumed within the present draft framework, except for certain differences which have been captured in the Annexure below.

Recovery agents shall be required to carry recovery notice, identity card and authorisation letter, and shall adhere to the following conduct requirements:

  • Interact only with the borrower / guarantor and not approach relatives or other contacts; maintain civil behavior;
  • Contact / visit borrowers only between 08:00 hours and 19:00 hours;
  • Honour borrower’s request to avoid calls / visits at particular times in normal circumstances;
  • Contact borrowers ordinarily at the place of their choice, failing which at residence, and thereafter at place of business / occupation.
  • Avoid calls / visits during inappropriate occasions such as bereavement, calamities, marriage functions, festivals, etc.
  • In case of microfinance loans, undertake recovery at a mutually decided designated place, with field visits permitted only upon repeated non-appearance.
  • Ensure only duly authorised representatives visit borrower’s premises for recovery activities.
  • Ensure any written communication to borrowers has RE’s approval.
  • Promptly issue proper acknowledgement / receipt for collections made.
  • Refrain from harsh practices, including use of abusive language, excessive or anonymous calls, intimidation or harassment, threats of violence, misleading representations, or intrusion into borrower’s privacy.

Grievance redressal mechanism

  • Establish a dedicated recovery-related grievance redressal mechanism.
  • Provide complete details of the Grievance Redressal Officer and the mechanism in all recovery communications and loan agreements.
  • Define criteria for identification and closure of frivolous complaints with appropriate internal oversight.

Responsibilities of REs

REs shall:

  • Prominently display an up-to-date list of empanelled recovery agents on all customer interface channels. Details to be provided
    • names of agents, 
    • details of individuals engaged and 
    • period of engagement.
  • Promptly intimate the termination of recovery agents to prevent unauthorised interaction.
  • Inform borrowers of the details of the recovery agent at the time of forwarding cases for recovery through written communication (letter, SMS or email), and immediately notify any change in the recovery agent during the recovery process.

Possession of mortgaged / hypothecated assets

Loan agreements shall contain a legally enforceable possession clause, clearly disclosed at the time of execution. The agreement shall, inter alia, specify:

  • Notice period and circumstances for waiver;
  • Procedure for taking possession of security;
  • Final opportunity to the borrower for repayment prior to sale/auction;
  • Procedure for restoration of possession;
  • Transparent process for sale or auction of the secured asset.

Periodic review, monitoring and control

REs shall put in place a management structure to monitor and control the activities of recovery agents and ensure that such agents refrain from actions that could harm the RE’s integrity and reputation. Accordingly, the RE should ensure:

  • Appropriate monitoring and conduct provisions shall be incorporated in agreements with recovery agents.
  • Remain fully responsible for the actions of recovery agents.
  • Undertake periodic review of recovery mechanisms to learn from experience and effect improvements.

For Housing Finance Companies:

Most of the proposed requirements are not entirely new in substance for HFCs, as they were already reflected in the Guidelines for Engaging Recovery Agents under paragraph 170 of the RBI HFC Directions, 2025. The proposal now is to delete those HFC-specific guidelines and require HFCs to comply with the proposed Directions.

However, while the underlying principles remain largely consistent, the proposed Directions significantly strengthen and formalise the recovery framework. The approach shifts from principle-based guidance to a more structured, prescriptive, and compliance-oriented regime. The key changes are as follows:

  1. Mandatory written recovery policy: Under the HFC Directions, compliance was required with paragraph 170, but there was no express requirement to frame a consolidated written policy governing recovery of loans, engagement of recovery agents, and repossession of security. The proposed Directions now mandate a formal, documented recovery policy. Such policy must specifically cover eligibility criteria for engagement of agents, due diligence standards, performance evaluation parameters, inspection and audit mechanisms, and penal actions for non-adherence. This marks a shift from guideline-based adherence to a structured governance framework.
  2. Borrower distress identification mechanism: The HFC Directions required utilisation of credit counsellors in cases where a borrower was considered to “deserve sympathetic consideration,” which was discretionary and reactive in nature. The proposed Directions introduce a mandatory mechanism to identify borrowers facing repayment difficulties, engage with them, and provide guidance on available recourse. The regulatory trigger is the existence of repayment difficulty itself, rather than a subjective assessment of sympathy, thereby institutionalising borrower engagement.
  3. Explicit data governance controls: While the HFC Directions required training of recovery agents on respecting customer privacy, the proposed Directions go further by mandating that only limited borrower information be shared with recovery agents and that adequate safeguards be put in place to prevent misuse or unauthorised transfer of customer data. This introduces clearer data governance and accountability obligations.
  4. Restriction on initiating legal action as first resort: The HFC Directions did not prescribe any sequencing rule regarding enforcement remedies. The proposed Directions now expressly provide that legal action for recovery or enforcement of security shall not be initiated as a first resort, thereby imposing a structured progression in recovery measures.

Conclusion

Recovery is as vital to lending as disbursement, if not more. Credit often begins with a courteous engagement by the lender, but too often, the standards of professionalism seen at the time of sanction weaken at the stage of enforcement. The right to recover is unquestionable; harassment is not. The proposed Directions seek to correct this imbalance by requiring lenders to uphold the same standards of fairness, transparency and discipline during recovery as at the time of origination.

See our other resources:

  1. Regulator’s February Bonanza: RBI’s  Sweet Surprises for NBFCs;
  2. From Consent to Compensation: RBI’s Draft Directions for REs on Sales Practices;
  3. Vehicle financiers must follow SARFAESI process for repossession: Patna High Court;
  4. A Guide to Accounting of Collateral and Repossessed Assets.

Not a Broker, Not an Insurer: Welcome to the world of MGAs

/0 Comments/in , /by
Introduction

The insurance industry globally has witnessed the emergence of several hybrid operating models that do not fit neatly within traditional regulatory classifications. One such model is that of the Managing General Agent (‘MGA’), an entity that performs significant insurance functions such as underwriting and risk assessment, pricing of insurance products, binding of policies, etc on behalf of the insurer.

While MGAs are well-recognised in mature insurance markets such as the USA, UK and Canada, their position under Indian insurance law has recently begun to take shape. An MGA typically acts as a middleman between the insurer and the insured.

In this article, we dive into the functioning of an MGA and how it differentiates from the existing insurance intermediaries, prevalent in the insurance sector in India. 

Read more

Webinar on Selling of Financial Products by Banks and NBFCs

/0 Comments/in /by

Register here: https://forms.gle/bXGa4SxeraRfMzKS7

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [353.88 KB]

From Consent to Compensation: RBI’s Draft Directions for REs on Sales Practices

/0 Comments/in /by

Highlights

  • Mis-selling, among others, will include selling an unsuitable financial product; consequences include compensation                                                                                                                               
  • Prohibition on Compulsory Bundling, eg., sale of insurance policy along with a loan
  • Explicit consent, wherever required, to be based on unambiguous affirmative action
  • Bank to do a due-diligence of a third party financial product that it markets, to avoid reputational risk
  • DSAs and DMAs of banks to come for tighter scrutiny; with undertaking for compliance with bank’s code and disciplinary action upon violation
  • Pricing difference, if any, between directly marketed bank products and indirectly (through agents) to be disclosed
  • Banks to take after-sale feedback from customers, and make necessary amendments in selling practices
  • Dark patterns not be used by regulated entities; periodic audit mandated
  • Controls over incentives favouring mis-selling
Read more

Shashtrarth 27: Type 1 NBFC Exemption

/0 Comments/in /by

Watch our youtube video: https://www.youtube.com/watch?v=IBv09etJb2g

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [209.89 KB]

Disrupting Traditional Card based Payments – Smart Contract based Payment Infrastructure using Stablecoin

/0 Comments/in /by

Subhojit Shome, Senior Manager | Finserv@vinodkothari.com 

Introduction

The payments ecosystem is often described as the “plumbing” of commerce—rarely visible to consumers, yet fundamental to economic activity. For decades, this plumbing has been dominated by credit and debit card systems, operated by banks and card networks under tightly regulated frameworks. In recent years, however, global technology platforms have begun experimenting with alternative payment infrastructures, particularly those built on blockchain technology, with the aim of reducing remittance fees and achieving faster settlement.1

One such initiative is the payment infrastructure jointly developed by Shopify and Coinbase (“Shopify–Coinbase Payment Infrastructure”), which enables merchants to accept payments using stablecoins, most notably USD Coin (USDC), without relying on traditional card networks.

Shopify–Coinbase Payment Infrastructure has been initially launched in at least 34 countries where merchants can accept USDC payments via the Base (blockchain) network. This includes a range of markets across the United States, most of Europe, Canada, Australia, Japan, Singapore2. A number of these countries/ regions (e.g. United States3, EU4,  Japan5, Singapore6) have statutorily recognised, and regulate the use of stablecoins.

This article examines the Shopify–Coinbase Payment Infrastructure in comparison with traditional card payment rails and analyses the regulatory concerns that would arise if such a system were to operate in India, with particular reference to the Payment and Settlement Systems Act, 2007 (“PSS Act”) and the regulatory stance of the RBI.

Understanding Payment “Rails” and the Card System

To appreciate what Shopify and Coinbase seek to replace, it is first necessary to understand the traditional debit/ credit card “payment rails”. The term “rails” is a metaphor, referring to the underlying infrastructure that carries a payment transaction from the payer to the payee—much like railway tracks carry trains.

In a credit or debit card transaction, the rails consist of several interconnected elements. When a customer uses a card, the merchant does not receive money immediately. Instead, the transaction is routed through the card network (such as Visa, Mastercard, or RuPay), which communicates with the customer’s bank (the issuer) and the merchant’s bank (the acquirer). The customer’s bank first checks whether sufficient funds or credit are available and places a temporary hold on that amount. This is known as authorisation (“auth”). The actual transfer of money happens later, when the merchant confirms the transaction—a step known as capture. Settlement between banks typically occurs after a delay of one or two business days.

This system is heavily regulated in India – card networks operate under RBI oversight, settlement occurs through RBI-regulated banking channels, and consumers are protected through structured dispute resolution mechanisms, including chargebacks7. The entire system functions within the legal framework of the PSS Act and the RBI’s directions on payment systems and card networks, payment aggregators, and consumer protection.

The Shopify–Coinbase Payment Infrastructure

The Shopify–Coinbase Payment Infrastructure proposes a fundamentally different way of moving money. Instead of using banks and card networks as intermediaries, it relies on stablecoins, which are digital tokens designed to maintain a stable value by being backed by traditional currency reserves. The stablecoin USDC, for example, is designed to track the value of the US dollar.

In this system, when a customer pays a merchant, the payment is executed on a blockchain network. The funds are first locked in a digital escrow mechanism controlled by software (a “smart contract”) and once the merchant fulfils the order, the funds are automatically released to the merchant. This process replicates the familiar card concepts of authorisation and capture (“auth and capture”), but replaces banks and card networks with software rules and cryptographic verification.

From the user’s perspective, the checkout experience may look familiar. From a legal perspective, however, the system represents a shift from institution-based trust (banks and regulators) to code-based execution. Settlement is near-instant, global, and does not depend on banking infrastructure.

Auth/ Capture using Stablecoins and Smart Contracts

In card payment systems, authorisation and capture are two distinct but linked stages in how a transaction is processed and settled. One of the unique characteristics of the Shopify–Coinbase Payment Infrastructure is that it is able to replicate such an auth/ capture settlement process which is observed in traditional card rails.8

Authorisation is the preliminary step. When a customer enters card details at checkout, the merchant seeks confirmation that the cardholder has sufficient funds or credit and that the transaction is permitted. At this stage, no money actually moves. Instead, the issuing bank places a temporary hold on the relevant amount, effectively earmarking those funds. From a legal perspective, authorisation represents a conditional and revocable promise by the issuer to honour the transaction, subject to subsequent validation and compliance with network rules.

Capture occurs later, when the merchant confirms that the goods or services have been provided (or are about to be provided) and formally requests payment. Upon capture, the transaction becomes final for settlement purposes. The temporary hold created at the authorisation stage is converted into an obligation to transfer funds through the card network’s clearing and settlement process. Only after capture does the merchant acquire an enforceable right to receive payment, subject to chargeback and dispute mechanisms.

The Shopify–Coinbase Payment Infrastructure seeks to recreate this familiar commercial logic—authorisation first, settlement later—while removing traditional card networks entirely. In this model, the customer pays using a stablecoin (typically denominated in a foreign currency such as the US dollar). Rather than immediately transferring funds to the merchant, the payment is first routed into a smart contract–based escrow. This escrow functions as the economic equivalent of card authorisation. The funds are not credited to the merchant and cannot be unilaterally withdrawn. They are effectively “locked,” signalling the payer’s intent and financial capacity, much like a card authorisation hold. The legal character of this stage differs fundamentally from card authorisation. In card systems, the issuer’s promise is conditional and revocable, and the funds remain within the regulated banking system. In a blockchain escrow, by contrast, the customer has already transferred the funds out of their wallet. Control is no longer exercised by a regulated intermediary but by pre-programmed contractual logic embedded in code.

The equivalent of capture occurs when the merchant satisfies predefined conditions—such as confirmation of shipment or lapse of a dispute window. Once those conditions are met, the smart contract automatically releases the stablecoins to the merchant’s wallet. Settlement is thus executed not through interbank clearing, but through an on-chain state change that is immediate, final, and typically irreversible. From a legal standpoint, this mechanism replaces discretionary decision-making by regulated institutions with deterministic execution by software.

Comparing Card Rails with Stablecoin-Based Payments

The contrast between card rails and the Shopify–Coinbase model is not merely technical; it is institutional and legal.

Card payments are embedded within a regulated financial ecosystem. Every participant—issuer banks, acquirers, networks, payment aggregators—is subject to licensing, capital requirements, audit obligations, and RBI supervision. Settlement occurs in Indian Rupees, and consumer protection is enforced through mandatory refund and dispute resolution frameworks.

By contrast, the stablecoin model shifts settlement outside the traditional banking system. Funds are represented not as bank deposits but as digital tokens. Settlement does not occur through RBI-regulated systems such as RTGS, NEFT, or card clearing arrangements, but on a distributed ledger maintained by a global network of computers. While this may reduce costs and increase speed, it also raises fundamental questions about regulatory oversight, legal accountability, and consumer protection.

The Indian Legal Framework Governing Payment Systems

The Payment and Settlement Systems Act, 2007 establishes a comprehensive legal framework under which the RBI is the sole authority empowered to regulate and supervise payment systems.

No person, other than the Reserve Bank, shall commence or operate a payment system except under and in accordance with an authorisation issued by the Reserve Bank under the provisions of this Act (Section 4 of the PSS Act)

Under the PSS Act, no person may operate a payment system in India without authorisation from the RBI. A “payment system” is defined broadly to include any arrangement that enables payments to be effected between a payer and a beneficiary. This definition is technology-neutral and focuses on function rather than form. Consequently, even a novel digital arrangement may fall within the regulatory perimeter if it facilitates payment and settlement.

In addition to the PSS Act, the RBI has issued detailed regulations governing card payments, payment aggregators and payment gateways, which impose obligations relating to customer funds, escrow arrangements, settlement timelines, dispute resolution, and grievance redressal. These regulations reflect the RBI’s core concern: protecting consumers and preserving the integrity of the payment system.

From an Indian statutory and regulatory standpoint, several concerns arise if a Shopify–Coinbase-type payment infrastructure were to be used by Indian merchants or consumers.

First, there is the issue of authorisation under the PSS Act. A stablecoin-based payment system that enables Indian users to make payments would likely qualify as a “payment system” under the Act. In the absence of explicit RBI authorisation, operating such a system in India would be impermissible, regardless of its technological sophistication.

Second, there is the question of settlement in Indian Rupees. Domestic payment systems in India settle in INR through RBI-regulated channels. Online card payments made in India using Indian cards cannot be routed through foreign banks or settled in foreign currency — they must be handled by Indian banks and settled in INR.9 Also, “Wallets”, i.e., prepaid payment instruments (PPI) essentially need to be loaded in INR.10 Stablecoin settlement, particularly when denominated in a foreign currency such as the US dollar, bypasses these channels. While stablecoins may be created so as to be denominated in INR, no recognition currently exists for stablecoins as settlement instruments for domestic payments.

Third, custody and consumer protection pose significant challenges. RBI regulations require that customer funds be held with regulated entities, typically banks, and that clear mechanisms exist for refunds, reversals, and dispute resolution. Blockchain-based escrow mechanisms are governed by software rather than law, and once a transaction is final, reversing it may be impossible without voluntary cooperation by the merchant. This stands in tension with RBI’s consumer-centric regulatory approach.

Fourth, there are foreign exchange and monetary policy considerations. Stablecoins backed by foreign currency reserves raise concerns under India’s foreign exchange regime and broader monetary sovereignty objectives. RBI has repeatedly expressed caution about private digital currencies and stablecoins, citing risks to financial stability and policy transmission.11

Conclusion

The Shopify–Coinbase Payment Infrastructure represents a significant evolution in global commerce, demonstrating how technology can replicate—and potentially outperform—traditional card systems in terms of speed and cost. However, from an Indian legal perspective, innovation in payments is not evaluated solely on efficiency. It is assessed through the lens of statutory compliance, regulatory oversight, consumer protection, and monetary stability.

While the logic of authorisation and capture may be technologically reproduced through blockchain-based escrow mechanisms, the legal foundations of payment systems in India remain firmly anchored in the PSS Act and RBI regulation. Until stablecoin-based payment infrastructures are brought within this framework—through authorisation, INR settlement mechanisms, and enforceable consumer protections—their direct adoption in the Indian domestic payments landscape would face substantial legal and regulatory hurdles.

  1. Stablecoins on the Blockchain – Stablecoins offer significant advantages over traditional remittance rails, primarily through reduced fees and faster settlement. While the World Bank reports a global average cost of ~6.6% for a ~$200 remittance, and annual transaction costs exceeding $41 billion, stablecoins can cut fees dramatically, often to ~$0.01 for high-volume transactions. Beyond cost, stablecoins provide near real-time settlement, a stark contrast to traditional cross-border remittances that can take days, with additional delays from holidays or bank closures. Ref. https://www.dbresearch.com/PROD/RI-PROD/PDFVIEWER.calias?pdfViewerPdfUrl=PROD0000000000610103&rwnode=REPORT
    ↩︎
  2. Ref. https://coinspaidmedia.com/news/shopify-launches-usdc-payments-34-countries/
    ↩︎
  3. In 2025, the GENIUS Act was enacted, creating a regulatory framework specifically for payment stablecoins – https://www.congress.gov/bill/119th-congress/senate-bill/1582
    ↩︎
  4.  EU Markets in Crypto-Assets Regulation (MiCA) places stablecoins under a category of asset-referencing tokens that are allowed to circulate and be used for payments – https://eur-lex.europa.eu/eli/reg/2023/1114/oj/eng ↩︎
  5.  Amendments to Japan’s Payment Services Act define certain types of fiat-pegged stablecoins as electronic payment instruments – https://www.fsa.go.jp/en/newsletter/weekly2023/540.html
    ↩︎
  6.  The Monetary Authority of Singapore (MAS) has developed a stablecoin regulatory framework under its Payment Services Act – https://www.mas.gov.sg/news/media-releases/2023/mas-finalises-stablecoin-regulatory-framework
    ↩︎
  7. A chargeback is a consumer protection process that allows a cardholder to dispute a transaction they believe is fraudulent, unauthorized, or not as described. The cardholder requests their bank to reverse the transaction, and the funds are debited from the merchant’s account. Ref. https://razorpay.com/blog/what-is-a-chargeback/
    ↩︎
  8. Ref. https://shopify.engineering/commerce-payments-protocol ↩︎
  9.  …where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.Ref. https://www.rbi.org.in/commonperson/english/scripts/Notification.aspx?Id=1496 ↩︎
  10. PPIs shall be permitted to be loaded / reloaded by cash, debit to a bank account, credit and debit cards, PPIs (as permitted from time to time) and other payment instruments issued by regulated entities in India and shall be in INR only.https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12156 ↩︎
  11.  Widespread adoption of stablecoins would undermine central banks’ ability to control money supply and interest rates. ‘If both an official currency and a crypto asset are used for pricing goods and services, domestic prices could become highly unstable due to the inherent volatility of the crypto asset.’ (IMF-FSB 2023). If residents increasingly hold or transact stablecoins, changes in domestic policy rates may have limited influence on economic decisions, weakening the effectiveness of monetary policy. – Keynote address by Mr T Rabi Sankar, Deputy Governor of the Reserve Bank of India, available here – https://www.bis.org/review/r251216i.htm. ↩︎

See our other resources

  1. Tokenisation of Real World Assets – The Way Ahead for Creating Securities;
  2. Cryptos: Are They Back in Business?;
  3. Security Token Offerings & their Application to Structured Finance;
  4. Decentralised Finances;
  5. Cryptocurrency on the path to Legalisation?;
  6. Cryptocurrency – A Cautionary Tale for India;
  7. Trustless System;
  8. Blockchain based lending; A peer-to-peer system;
  9. Financial Services firms foray into the metaverse.

Significant Risk Transfer: Market, Structures, Economics and Risks

/0 Comments/in /by

Vinod Kothari and Dayita Kanodia | Finserv@vinodkothari.com 

Introduction

Known by various alternative names as “synthetic risk transfers”, “credit risk transfers”, “on balance sheet securitisation” or “synthetic securitisation”, Significant Risk Transfers (SRT) have a history of over 25 years but have recently grown faster than other components of either traditional securitisation or credit derivatives.  The pool value of banks’ synthetic securitizations has surpassed $670 billion, and the global sales of SRTs are expected to expand 11% annually on average over the next two years. 

This article discusses SRT Transactions, the state of the market, different structures used, risks, capital benefits, and the regulatory permissibility of such transactions in different countries. Finally and quite significantly, this article makes a case as to why India, which is one of the very countries in the world presently prohibiting such structures, should rethink.

Market Overview

As per a report published by the International Association of Portfolio Managers, by the end of 2024, over € 700 bn of securitized loans were protected by $ 75 bn (9%) of SRT tranches, some 70% being issued by European banks. Further, the International Association of Credit Portfolio Managers reported that between 2016 and 2023, nearly 500 SRT transactions protected underlying portfolios adding to $ 1 trillion in loans, ranging from corporate loans to auto loans. 

Period 2016- 2024 portfolio under SRTs totaled Euro 1311 billion (or roughly USD 1500 billions). In 2024, Europe, excluding the UK, took Euro 152 billion out of the Euro 260 billion protected portfolio. 

Thus, nearly half of the SRT deals have originated from EU countries. The proportion was even larger historically, but US banks started aggressively getting into SRT Transactions in 2025. 

SRT transactions have existed even before the Global Financial Crisis. In 2021, EU regulators extended the benefit of lower regulatory capital consuming “simple transparent and standard” (STS) securitisation treatment to synthetic transactions too. This has proved to be the game changer.

Asset classes

While corporate loans still represent almost two-third of the underlying pool assets (63%) in 2024, composition of other asset classes were: SMEs (13%), auto loans (7%), residential mortgages (3%), and specialized lending (3%). As in the past, in 2024 some 80% of issued synthetic securitizations support commercial lending to Corporates and SMEs. 

Investors

Specialised credit funds, aka private credit funds,  and debt fund managers are the largest investors. The following graph shows the composition of SRT investors: 

Some Recent transactions

The following are examples of some of the recent SRT transactions:

Banco Santander IFC transaction (2024)

The International Finance Corporation (IFC), a member of the World Bank Group, announced that it will provide a credit guarantee of $93 million to Banco Santander Mexico so that it can allocate more resources to financing small and medium-sized businesses (SMEs) in the country.

Aareal Bank (2025)

Aareal Bank, a German Bank completed its first SRT transaction, synthetically referencing a portfolio of performing European commercial real estate loans. With this transaction, Aareal Bank offered investors an opportunity to take exposure to a €2 billion CRE portfolio, which is equivalent to approximately 6 per cent of Aareal Bank’s overall CRE portfolio. 

Basic Structure of SRT 

Synthetic securitisation uses credit derivatives or similar devices to transfer the risk of a mezzanine tranche(s) of the credit risk of a pool of assets to capital markets by embedding such risk into credit-linked securities. The word “synthetic” is used in distinction to a traditional securitisation, which may be called “cash securitisation” or “true sale securitisation”. In every traditional or cash securitisation, there is a pooling of credit assets to constitute a reasonably diversified pool. The pool is then tranched into multiple tranches, such that, usually, the first loss tranche is retained by the originator, and mezzanine and senior tranches are moved to capital markets through a special purpose vehicle. The result is funding as well as risk transfer. The first loss piece, retained by the originator, neither leads to funding, nor risk transfer. However, for the mezzanine and senior tranches, there is a movement of money from the investors to the originator through the SPV, and risk transfer in the opposite direction. In synthetic securitisation, the purpose is not funding: the purpose is risk transfer. Therefore, the first loss piece still typically stays with the originator, but the risk in the mezzanine is moved to capital markets through the issue of credit-linked securities. The transfer of risk, without funding, may happen using credit default swaps, or guarantees

Structural Variations 

SPV versus non-SPV structures

Over three-quarters of the reported trades in 2024 are issued without SPV. The percentage of protected tranche notional issued directly by banks increased from some 25% in 2016 to 73% in 2024.

SPV Structure:

In the case of an SPV structure, an SPV is brought in as an intermediary between the investors and the originator. In case of cash or traditional securitisation arrangements, an SPV is brought in to hold the assets as a repository for the investors. In synthetic structures, there is no transfer of assets at all, an SPV is commonly used for the following reasons: 

  1. The funding raised by the investors is held and invested by the SPV. If there were no SPV, the funding would be held by the Originator, which would expose the originator to a counterparty risk as the originator would become the obligor for the securities. 
  2. Further, the rating of the securities would consequently be capped at the originator’s rating due to the counterparty risk in case of an SPV structure.
  3. If the SPV was not there, the originator would issue the securities, which may impose withholding tax requirements on the originator. Which is why, typically for a cross border issuance, the SPV is located in a tax haven jurisdiction that will avoid tax implications. 

The structure of SRT transactions has not changed from what it was before the GFC.  For example, n December 2001, DBS Bank Singapore introduced its first synthetic securitisation transaction involving a reference portfolio of approximately S$2.8 billion of corporate loans. The transaction used credit default swaps to transfer credit risk to an SPV, ALCO 1 Limited, without a true sale of assets. The SPV issued around S$224 million of multi-currency, multi-tranche notes (rated from AAA to BBB), while DBS retained the first-loss and super-senior exposures. The deal enabled regulatory capital relief and risk-weighted asset optimisation, and is widely regarded as one of Asia’s earliest synthetic CLO-style transactions outside Japan, marking a milestone in regional structured finance markets. Although this transaction was undertaken more than two decades ago, the structure used primarily remains the same. The following diagram illustrates a common SRT SPV structure:

Non – SPV Structure:

As explained above, typically an SPV is required in cash or traditional structures for holding the asset, isolating it from the originator, protecting the assets from bankruptcy risks of the originator. A rating arbitrage, that is, any of the securities of the SPV being rated higher than the originator, is not theoretically possible if any of the securities represent a claim against the originator. In synthetic structures, there are no actual assets, only synthetic; therefore there is no need to protect the assets (meaning assets of the investors). However, synthetic CDOs do have assets to the extent of funding contributed by the investors. If this funding were to be prepaid or invested in the originator the claims of the investors are backed up by the claim against the originator, and hence, are subject to the rating cap of the originator. 

It is understandable that the cash assets of a synthetic structure is only a fraction of the synthetic assets and hence the need for originator bankruptcy isolation is less prominent. A number of synthetic transactions have found it less necessary to involve a facade between the originator and the investors and have gone ahead with non- SPV structures. In this structure, the securities are issued by the originator himself and therefore represent a claim against the originator. 

There are various Non-SPV structures observed in the market, Unfunded bilateral guarantee/CDS with no SPV, Funded bilateral guarantee/CDS with no SPV, Funded Credit Linked Note issued by originator with no collateral. 

The table below shows the difference between SPV and Non-SPV structures:

SPV StructureNon-SPV Structure
Counterparty riskIn the case of an SPV structure, the entire money paid by the investors will be held by the SPV. This ensures that the investors are protected from the counterparty risk w.r.t the originator since any amount paid by them is held by a bankruptcy remote vehicle. In this case, the investor will be exposed to both the risk of default in the assets as well as counterparty risk of the originator, as opposed to the SPV structure, where the counterparty risk is eliminated. 
Rating CapThe SPV is a separate bankruptcy remote entity, and hence no cap on rating because of the counterparty risk of the originator. The rating of the securities will be capped at the rating of the originator due to counterparty risk.

Other structures

  1. Blind portfolio structures

In a blind reference pool SRT, the bank does not reveal borrower details to the investor or protection provider, and the investor only has access to high-level characteristics of the reference loan portfolio (such as industry distribution, credit ratings, or geographic exposure). Under this type of structure, investors face higher uncertainty as they must rely on the bank’s understanding of standards and risk management practices instead of conducting their own loan-level risk analysis. 

  1. Funded Structures

In case of funded structures, the originator and the investor enter into a bilateral credit protection contract which may be drafted as a guarantee or a credit derivative. The investor then places a collateral equivalent to the maximum payment obligation under the contract. The money from this collateral amount deposited is only paid to the originator when losses hit the protected tranche. The collateral amount remaining after absorbing the losses is returned to the investor. 

  1. Unfunded structures

Unfunded SRTs are transactions not secured by financial collateral. The investor (protection provider) does not make any upfront payments to cover potential losses and is only required to compensate the bank if a credit event occurs. The protection provider is considered to have a high enough credit quality to mitigate the counterparty risk and is subject to eligibility criteria in Europe. The protection providers are typically, in Europe, insurance companies, pension funds, or multilateral development banks. The bank originating the SRT is exposed to counterparty credit risk.

  1. SRT with replenishment period

SRTs with a replenishment period allow a bank to add new loans to the loan portfolio as old loans mature, subject to eligibility criteria. Typically, the loans will come from the same portfolio and share the original loan’s credit characteristics. The risk for the investor is potential asset quality deterioration of the reference pool, as the likelihood of credit losses could increase from lower asset quality loans being added, or from changes in the risk profile of the reference pool.

Economics of Risk Transfer

Consider a room with bombs placed in 5 different regions, as opposed to all the bombs placed in one place. The probability of a person stepping on the bomb will be far less in the first case than in the second one. The same is the case with assets. 

The economics of risk transfer in securitisation are rooted in the principles of integration and differentiation that underpin structured finance. A diversified set of underlying assets is first aggregated into a single pool, enabling risk to be spread across a broader portfolio rather than remaining concentrated at the individual loan level. This pooled risk is then differentiated through tranching, whereby cash flows and credit risk are allocated among distinct tranches with varying risk-return profiles. Such structuring facilitates more efficient risk allocation and diversification, making the protection buyer better off as compared to obtaining guarantees or credit protection on each loan on a standalone basis, where risk remains fragmented and less efficiently distributed. 

Thus, integration and differentiation ensure that correlation risk, or the risk that other assets also default on a default by one asset, is minimal. 

Risks of SRT

The following are some of the risks associated with SRT Transactions:

  1. System-wide leverage and risk migration
    SRTs transfer credit risk from banks to non-bank financial institutions (notably hedge funds and credit funds) that are typically less constrained by capital requirements and can employ higher leverage. This can increase aggregate leverage in the financial system, even if bank balance sheets appear safer. In many cases, banks also provide leverage to SRT investors, meaning part of the risk may remain indirectly within the banking system.
  2. Interconnectedness and contagion risk
    By redistributing bank-originated credit risk across banks, asset managers, hedge funds, insurers, and custodians, SRTs deepen inter-sector linkages. The private and opaque nature of many SRT deals makes it harder for supervisors to map exposures, raising the risk that stress in one segment (e.g., leveraged funds) propagates rapidly across the financial system.
  3. Investor concentration and rollover risk
    The SRT investor base is highly concentrated. Credit funds and asset managers account for a majority of demand, with a small group of large investors holding a dominant share of outstanding exposure. Further, since SRT maturities (typically 3–5 years) are often shorter than the underlying loan tenors, banks face rollover risk that is if investor appetite dries up, banks may experience a sudden increase in RWAs, capital pressure, and higher funding costs.
  4. Weaker underwriting incentives over time
    Strong demand for high-yield SRT tranches may attract more risk-tolerant investors, encouraging aggressive deal structuring or looser credit standards. Increased competition for SRT issuance can lead to sub-par due diligence, potentially worsening the quality of underlying loan pools and increasing vulnerability to credit shocks.

Regulatory capital

In an SRT transaction, a bank buys protection for the mezzanine tranche by issuing CLNs to investors. Under securitization treatment, the senior tranche carries 20 percent RWA, and the first-loss tranche carries 1,250 percent RWA. The RWA for the mezzanine tranche becomes zero because the bank is no longer exposed to the losses from this tranche.

The following examples illustrates maintenance of capital in case of SRT vs non-SRT transactions:

Non-SRT (in USD million)SRT (in USD million)
Asset Pool100Asset Pool100
RWA ratio50%First Loss Tranche %0.50%
RWA50RWA ratio1250%
Tier 1 Capital10.50%RWA6.25
Tier 1 Capital Required5.3Mezzanine Tranche %4.50%
RWA ratio (as risk transferred, backed by cash)0%
RWA0
Senior Tranche95%
RWA ratio20%
RWA19
Total Capital Required2.7

Thus, the capital required to be maintained in case of SRT structures is significantly lower as compared to non-SRT structures thus allowing originators capital relief. This, however, is a function of the size of the junior tranche. In the same example as above, if the thickness of the junior tranche was 3%, the required capital would have gone up.

Regulatory Permissibility of SRT

In India, synthetic securitisation, which is defined as a structure where the credit risk of an underlying pool of exposures is transferred, in whole or in part, through the use of credit derivatives or credit guarantees that serve to hedge the credit risk of the portfolio, which remains on the balance sheet of the NBFC, is prohibited. [para 5(3) of the Reserve Bank of India (Non-Banking Financial Companies – Securitisation Transactions) Directions, 2025]. Accordingly, SRT transactions where there is only a transfer of the risk and rewards without the transfer of the asset are prohibited in India. 

The below table shows the regulatory permissibility of SRT in various jurisdictions:

CountriesRegulatory Permissibility of SRT
IndiaProhibited
AustraliaNot eligible for capital relief
UKPermissible
Hong KongPermissible
CanadaPermissible
IndonesiaProhibited
ChinaProhibited
JapanPermissible within regulatory limits
EUPermissible
KoreaProhibited
SingaporePermissible

Over the years, SRTs have become a very potent tool for regulatory capital and risk management. SRTs have also permitted private credit funds to acquire exposure on loan portfolios without organically creating them. The regulatory antipathy for synthetic securitisation was the multiple layers of risk transfers as seen during the GFC. This was, however, more in case of structured finance CDOs and arbitrage transactions. SRTs are currently mostly related to on-balance sheet assets – hence, the question of any unwarranted risk transfers or risk build up do not arise. Of course, any securitisation transaction creates an interconnection between the banking system and capital markets, but that is also a cushion against risk as it has a potential for risk of contagion. 

Bibliography

  1. 2026 Regulatory Reviews Mark Inflection for Securitisation SRT Market | FitchRatings
  2. Rated Securitisations: Using SRTs to Optimise Financial Balance Sheets | FitchRatings
  3. Global SRT Insurance Survey – Select Results | IACPM
  4. Recycling Risk: Synthetic Risk Transfers | IMF
  5. Unveiling the impact of STS on-balance-sheet securitisation on EU financial stability |European Systematic Risk Board
  6. 2025 wrapped: Structured finance year in review | Structured Credit Investor

Uneasy Ease: RBI Proposes Exemption in Approval Mode  for Type I NBFCs

/1 Comment/in , , /by

The RBI’s proposed relief to exempt pure investment companies from exemption from regulation is not a cakewalk but a hurdle race.  It is not an exemption that comes in auto mode; you need to earn the right to be exempt. Some of the important pre-conditions that the RBI has proposed are:

  1. No automatic exemption: It is not that you qualify, and come out of registration. In fact, those proposing to come out have to make an application, based on the financials for the last 3 years. In these financial statements, there must be no direct or “indirect” access to “public funds” (including loans from loans from directors/shareholders), nor should there be any lending within the group or outside. This position shall be supported by auditors’ certificate. It is with these conditions that the RBI may, on being satisfied about the business model, grant exemption.
  2. Customer includes my own group: The meaning of ‘customer interface’ has been clarified to say it includes customer-oriented activity like lending or providing a guarantee, including to ‘entities in the Group’, its shareholders, its directors, or providing any other “product or service” to a customer. “Any other product or service” typically refers to customer-centric financial distribution services like mutual funds, bonds, etc.
  3. Money from director/shareholder will be “public” funds: For the purpose of determining public funds, any amount received from the directors and/or shareholders of the NBFC shall also be treated as public funds. 
  4. Timelimit for making application by existing NBFCs: Type I NBFC registered with RBI as on April 1, 2026, and fulfilling the prescribed criteria for exemption, may make an application to RBI, for deregistration within a period of six months, by September 30, 2026. There is no clarity on what will happen after this date. Also, it is not clear whether existing NBFCs may change their liabilities profiles to meet the exemption conditions, and apply for exemption in future. 
  5. Discretion of RBI: RBI shall consider the requests for deregistration if it is satisfied that NBFC is functioning with a conscious business model to operate without availing public funds and without having customer interface. Hence, the fate of deregistration is in the hands of the regulator.
  6. Exclusion from aggregation: The asset size of unregistered type I NBFCs shall not be consolidated with other entities in the group for determining the classification of such group NBFCs as base/middle layer entities. See details below.
  7. Overseas investment requires registration: Unregistered Type I NBFC, in case it intends to undertake overseas investment in the financial services sector, it shall require registration
  8. Continued Supervision from RBI: Exemption is only from registration requirement; however, they would continue to be subject to the provisions of Chapter IIIB of the RBI Act, 1934 (primarily, transfer to reserve funds). Further, the RBI has reserved the right to issue necessary instructions specifically to ‘Unregistered Type I NBFCs’ in case any concerns/ risks are observed.
  9. Conditions for new entities: New entities intending to claim the exemption must satisfy these conditions- No access to public funds, no customer interface, less than ₹1000 Cr asset size, passing of annual Board resolution to not access PF and CI, disclosure in financial statements. Further, in case of violation of conditions on public funds and/or customer interface, the statutory auditor shall submit an exception report to the RBI. 

Conditions for deregistration application

Analysis of options available to Type 1 NBFCs

Type of NBFCOptions Available
NBFCs holding Type I Registration as on April 1, 2026Option 1: Apply for deregistration

Option 2: Continue to remain as Type I NBFC
Entities that fulfil the conditions for Unregistered Type I NBFC, after April 1, 2026Option 1: Satisfy the conditions under 66A and remain unregistered [see box on Conditions Subsequent]

Option 2: Apply for registration as Type I NBFC
NBFCs not having a customer interface and public funds and having an asset size below ₹1000 crores, but not registered as Type IOption 1: Apply for deregistration

Option 2: Apply for registration as Type I NBFC to avail regulatory exemptionOption 3: Maintain status quo
NBFCs not having a customer interface and public funds and having asset size above ₹1000 crores, but not registered as Type IOption 1: Apply for registration as NBFC Type I

Option 2: Apply for registration as NBFC Type II, in case of changes in business model

What happens to NBFCs not availing public funds and having customer interface but not registered as Type 1?

Several NBFCs that have been registered with the RBI before the concept of Type 1 was introduced in 2016 may not have the CoR as a Type 1 NBFC in spite of the fact that as on date they don’t have access to public funds nor any customer interface. Such an NBFC with an asset size less than ₹1000 crores will still have an option to apply for deregistration, subject to the satisfaction of the conditions prescribed. However, such NBFCs in case they decide to maintain the status quo will not be eligible for the regulatory exemption available to Type 1 NBFCs. 

What about new entities that meet PBC criteria?

If an entity carries investment activity with owned funds, within a limit of ₹1000 crores, does it need RBI registration? The answer seems to be – no. Such a company obviously does not have to go through the rigour of seeking registration first, and then qualifying for an exemption.

The company in question still has to satisfy the exemption conditions; and the auditor will need to give an exception report. The meaning of exception report is that if there is a breach of any of the conditions of exemption, or there is any breach of any other provisions of the law, the auditor shall be required to make an exception report.

Notably, CARO Order also requires auditors to comment on adherence to RBI regulations, which, in future, will include these conditions too.

Whether assets of multiple group entities will be aggregated?

Is the requirement of asset size being within ₹1000 crores based on stand-alone financial statements, or will the assets of companies within the group be aggregated, as is done for the purpose of determination of the middle layer status of companies?

It seems that the aggregation requirement is not there for the Type 1 exemption.

The basis for this is FAQ 13, which states as follows:

Q13. As per regulations of the Reserve Bank, total assets of all the NBFCs in a Group are consolidated to determine the classification of NBFCs in the Middle 11 Layer. What shall be the treatment given to ‘Type I NBFCs’ and ‘Unregistered Type I companies’ in this regard? 

Ans: For aggregation purposes, the asset size of ‘Type I NBFCs’ shall be considered but asset size of ‘Unregistered Type I NBFCs’ shall not be considered. It is emphasized that ‘Type I NBFCs’ shall always be classified in Base Layer regardless of such aggregation. 

What if I have accepted intra-group loans/granted intra-group loans, but resolve not to do so in future

Are the exemption conditions, that there is no access to public funds and no customer interface, merely a statement of intent, or must also be borne out by the conduct in any of the past 3 financial years? Looking at the definition in para 6 (14A), which reads “Not accepting public funds and not intending to accept public funds”, and likewise, “Not having customer interface and not intending to have customer interface”, it appears that the exemption conditions are both a statement of fact as well as intent. If one is negated by the fact, a mere statement of intent may not help.

However, assume there are isolated instances of intra-group loans taken or intra-group loans given. The transactions are not indicating a “business model”, at least the ones on the asset side. Are we saying that the breach of the conditions of  “no public funds” and “no customer interface”, at any time during the last 3 years, will disentitle the exemption?

We do NOT think so. There are two reasons to say this:

  • First, no one can cleanse the past. There is no reason to deny the exemption if the Company has cleaned up the asset side and liability side by 31st March, 2026, and resolves not to make neither of the “two sins” ever in future. Taking any other view will be unreasonable and not keep up to the intent of the regulator.
  • Secondly, the language itself is clear: Para 38A (2) (iii) talks about the status of public funds and customer interface in the last 3 years. Para 38A (2) (iv) and (v) refer to auditors’ certificate and the board resolution, both referring to the position as on date, and not the past. Therefore, if the past has been undone by 31st March, 2026, we see a strong reason to qualify the exemption, except if the level of activity is indicative of “conscious business model”

Three financial years: which years?

In our view, since the deregistration application has to be made within September 30, 2026, the audited financials for FY 25-26 must have been prepared. Hence, the last three financial years that would be considered are FY 23-24, 24-25 and 25-26.

VKC comments:

It is usually hard to get a relief from a regulator, as relief is seen as a prize that you earn. If the idea was based on the premise that what does not matter for the financial system, and is still being regulated, is a burden both for the regulator and for the regulated, there would have been a more welcoming approach to exemption. Specifically:

  • The extension of the definition of “public funds” to include borrowings from shareholders and directors is quite unreasonable. For private companies, deposits from shareholders and directors are exempt by law; in the case of public companies too, loans from directors are exempt. Even if we don’t lean on the law, what is taken from directors and shareholders cannot partake the character of “public”. There cannot be an element of public interest in intra-group transactions, and as a financial regulator, RBI could not have been concerned with intra-group financial accommodations.
  • The definition of “customer” service to include loans to group entities is equally unexplainable. The tested definition of “customer” in case of banks/financial entities is someone who customarily avails the services of such an entity. The only intent of the regulator could have been the conduct of business concerns, primarily customer service. A group entity borrowing from another group entity is not expecting customer service standards.
  • Both the definitions have been related to the historical balance sheets, with no apparent continuing exemption route. This, hopefully, will be made a continuing exemption, so that entities may carry financial and business restructuring to qualify for exemption.

NFRA’s reminder to fill gaps under two-way communication with Statutory Auditors

/0 Comments/in , /by

Watch our video here: https://youtu.be/toXUw96L5jo

NFRADownload