RBI – Vinod Kothari Consultants

A Regulation on Regulations – Rule of law checks by the Reserve Bank of India

May 10, 2025/0 Comments/in Financial Services, RBI /by Team Finserv

– Aditya Iyer, Manager (Legal) | (finserv@vinodkothari.com)

Background

In Rajeev Suri v. Delhi Development Authority, the Supreme Court of India^[1] noted that the ‘Rule of Law’ (RoL) posits four universal tenets, of which two are: (i) The laws must be just, clear, publicized, and stable; (ii) Open Government – the process by which laws are enacted, administered, and enforced are accessible, fair, and efficient. Further, it was noted that an integral part of a participatory democracy is public participation regarding decision-making (to a reasonable extent).

We have written elsewhere about how a strong RoL framework may play a role in improving investor confidence and encouraging investments in a given jurisdiction. Predictability and transparency are verily the lifeblood of the RoL.

Digital Lending Directions, 2025

May 9, 2025/0 Comments/in digital lending, Financial Services /by Team Finserv

Largely a consolidation; New rules on multi-lender platforms and lending apps

– Aditya Iyer, Manager (Legal), Tejasvi Thakkar, Assistant Manager | (finserv@vinodkothari.com)

Background

On May 08 2025, the RBI notified the Digital Lending Directions, 2025 (‘Directions’). At the outset, it is worth noting that the Directions are not a regulatory overhaul of any kind; they are rather a consolidation of the extant regulations (including the FAQs), with certain key additions relating to multiple lender platforms as well as disclosure on DLAs to RBI, along with the certification from CCO. Further, the fact that the FAQs have also been integrated into the regulation signals the RBI’s intent to impart seriousness to its FAQs.

Below, we analyse the key changes, along with the compliance implications they present for REs.

RBI removes short term investment limits and concentration limits in case of FPI

May 8, 2025/0 Comments/in Financial Services /by Neha Malu

– Neha Malu, Associate | finserv@vinodkothari.com

On 8th May, 2025, RBI notified amendments to the Master Direction – Reserve Bank of India (Non-resident Investment in Debt Instruments) Directions, 2025, governing investments by Foreign Portfolio Investors in corporate debt securities. The changes impact both the general investment route and the Voluntary Retention Route (VRR).

What has changed?

A. Removal of short-term investment limit:
In the case of general route, the earlier cap that restricted a FPI investment in corporate debt securities with residual maturity of up to one year to 30% of its total investment in such securities has been repealed.

However, under the general route, a separate provision, clause 4.4(i) continues to allow investment only in securities with original/residual maturity above one year. Therefore, while the 30% threshold is no longer relevant, FPIs under the general route still cannot invest in short-term corporate debt except debt securities provided in para 4.4(viii) which includes SRs and debt instruments issued by ARCs, debt instruments issued under CIRP, default bonds, PTCs and SDIs issued and listed as per SEBI (Issue and Listing of Securitised Debt Instruments and Security Receipts) Regulations, 2008.

Under the VRR scheme, however, pursuant to para 5.4(v), the minimum residual maturity requirement does not apply. This means FPIs opting for the VRR can invest in corporate debt securities with shorter maturities, offering greater flexibility.

B. Withdrawal of concentration limits:
The previous restriction that capped FPI investment (including its related entities) in corporate debt securities to 15% (for long-term FPIs) and 10% (for other FPIs) of the prevailing investment limit has also been withdrawn.

Implications:

The removal of these limits simplifies the regulatory framework and provides FPIs greater flexibility in structuring their debt portfolios. It may also help in improving the depth and liquidity of the corporate bond market, particularly in the short-end of the maturity spectrum.

Our FPI resource centre is available at: https://vinodkothari.com/resources-on-fpi/

Online Authentication of Aadhaar: Exclusive Club, Members Only!

May 6, 2025/0 Comments/in Financial Services, KYC/PMLA, Uncategorized /by Staff

-Archisman Bhattacharjee (finserv@vinodkothari.com)

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (‘Aadhaar Act’) was introduced with a clear vision: to ensure efficient, transparent, and targeted delivery of subsidies, benefits, and services, fostering good governance. While its preamble underscores these fundamental objectives, Aadhaar’s role has expanded far beyond its original scope, becoming a cornerstone in the banking and NBFC sectors. As outlined in paragraph 16 of the RBI’s KYC Master Directions, Aadhaar now plays a central role in the Know Your Customer (KYC) process, a critical compliance measure for both prospective and existing borrowers.

A key aspect of KYC is the verification of the authenticity of customer documents, a process governed by specific guidelines.

When it comes to Aadhaar-based KYC, there are two recognized methods:

Online Authentication and
Offline Verification

The Offline Verification process is relatively straightforward (at least on paper), involving the verification of a Digital Signature Certificate (DSC) attached to the downloaded masked Aadhaar document. Importantly, offline verification can be conducted by all RBI-regulated entities for conducting KYC verification.

In contrast, Online Authentication, while offering a more robust and reliable method of KYC verification (refer FAQ 1 of UDIAI), is subject to stricter eligibility conditions and compliance requirements. Not all entities are permitted to perform Online Authentication (discussed in later parts of this article). While lenders may prefer Online Authentication due to its real-time verification capabilities and greater assurance of data authenticity, the regulatory fetters surrounding eligibility must be carefully navigated.

Given the evolving regulatory framework and industry practices, it is critical to develop a clear understanding of how Online Authentication operates and who is permitted to undertake it.

What is Online Authentication

The term authentication has been defined under Section 2(c) of the Aadhaar Act as a process “by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it”. Further The Aadhaar (Authentication and Offline Verification) Regulations, 2021 (‘Aadhaar Rules’) expands upon the process of carrying out online authentication. Rule 4 of the Aadhaar Rules states that:

“ Authentication may be carried out through the following modes:

(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.”

The stated modes of how the process of online authentication is required to be carried out is quite descriptive and does not require any further explanation. However one thing is certain that, based on the definition of the term “authentication”, obtaining the Aadhaar number becomes a mandate. The KYC Master Directions under para 17 recognizes one such mode of authentication as OTP based online authentication.

Who can carry out Online Authentication

Considering that the authentication process and the e-KYC data obtained through Aadhaar may include biometric information, such information constitutes “sensitive personal data” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). While the Digital Personal Data Protection Act, 2023 (DPDPA) does not expressly categorize any particular type of data as “sensitive personal data,” it is important to note that the Supreme Court’s judgment in the Aadhaar judgement recognized biometric data associated with Aadhaar as sensitive in nature. Given that the DPDPA itself has its origins in the principles laid down by the Aadhaar judgment, it is our view that such data should continue to be treated with a higher standard of care.

Without delving into the subject in great detail, it is sufficient to highlight that Aadhaar-based authentication exposes individuals to considerable risks of harm, particularly in the event of a data breach. This risk is exacerbated by the fact that other identifiers such as telephone numbers, PAN cards, and other financial data are often linked to an individual’s Aadhaar number. Consequently, possessing access to an individual’s full Aadhaar number may subject such an entity to considerable risk (including legal and litigation risk) in case proper security safeguards are not taken by such an organization. Usually these heightened data sensitivity concerns would not be present in case KYC verification is conducted through use of masked Aadhaar, i.e via Offline Verification.

Given the heightened sensitivity of Aadhaar information, it is imperative that, beyond compliance with technical security safeguards, the right to carry out Aadhaar authentication be restricted only to entities that have demonstrated robust security frameworks. Imbibing this philosophy, the Aadhaar Act has restricted access to Aadhaar number only to a few entities and these entities are known as “requesting entities” as defined under Section 2(u) of the Aadhar Act. From the context of Financial Sector Entities these requesting entities would be required to be a KUA/Sub-KUA (discussed in later parts of this article).

Online authentication and KYC

Under paragraph 16(a)(ii) of the KYC Master Directions, an Aadhaar number can only be collected by entities that have been notified under Section 11A of the Prevention of Money-laundering Act, 2002 (PML Act). Further, Section 4(4)(b) of the Aadhaar Act stipulates that “authentication” can only be performed by an entity that is:

either permitted to offer authentication services under any other law made by Parliament, or
is seeking authentication for purposes as may be prescribed by the Central Government in consultation with the UIDAI, and in the interest of the State.

Accordingly, a combined reading of Section 11A of the PML Act and the Aadhaar Act makes it evident that for RBI regulated entities [Except for banks, which are permitted to obtain Aadhaar numbers under paragraph 16(a)(i) of the KYC Master Directions and the proviso to Section 11A of the PMLA Act, no other entities may carry out Aadhaar authentication without being specifically notified by the Central Government.] only those entities which have been notified by the Central Government are authorized to carry out Aadhaar-based authentication by collecting Aadhaar numbers.

Under para 17 of the KYC Master Directions , OTP-based e-KYC authentication has been recognized as a valid mode of Aadhaar authentication. This form of authentication is also recognized under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations”), wherein such authentication can be carried out by either a KUA (KYC User Agency) or an AUA (Authentication User Agency).

The Aadhaar Regulations further introduce the concept of a “Sub-KUA”, which is defined under Rule 2(ob) of Aadhaar rules as a requesting entity that utilizes the infrastructure of a licensed KUA to perform online Aadhaar authentication. Under Rule 16, it is stipulated that an e-KYC record obtained by a KUA can only be shared with its Sub-KUAs and cannot be transferred further to any other entity. Additionally, Rule 14(ga) of the Aadhaar Regulations mandates that a KUA must obtain prior approval from UIDAI before onboarding any third-party entity as a Sub-KUA.

Reference is also drawn to UIDAI Circular 2 of 2025 which discusses Sub-AUA and Sub-KUA application form and joint undertaking. The said documents specify that under the head “Category of Sub-KUA and Sub-AUA“, eligible entities include those “permitted to offer authentication services under Section 11A of the Prevention of Money-laundering Act, 2002 by virtue of being a reporting entity.”. A similar requirement has also been provided under the AUA/KUA Application Form.

In view of the above, it becomes clear that for any RBI-regulated entity (i.e., entities to whom the KYC Master Directions apply) wishing to onboard customers through OTP-based Aadhaar e-authentication, the following conditions must be satisfied:

the entity must be registered either as a KUA or as a Sub-KUA with UIDAI;
the entity must be notified by the Central Government under Section 11A of the PML Act, thereby being authorized to collect Aadhaar numbers and conduct authentication.

However, it may be noted that in practice, the recognition processes under Section 11A of the PML Act and by UIDAI typically go hand in hand. For entities seeking notification under Section 11A of the PML Act, prior recognition by UIDAI, confirming the entity’s capability to carry out Aadhaar authentication is generally a prerequisite. This position is supported by Circular No. F.No.P-12011/7/2019-ES Cell-DOR issued by the Government of India, Ministry of Finance, Department of Revenue.

Conclusion

In today’s dynamic financial landscape, Aadhaar-based KYC—whether through online authentication or offline verification has become an indispensable tool for streamlining customer onboarding and ensuring regulatory compliance. However, the regulatory framework surrounding Aadhaar authentication remains stringent for good reason: it seeks to strike a delicate balance between enabling ease of business and safeguarding the sensitive personal information of individuals.

While offline verification using masked Aadhaar offers a universally accessible and relatively lower-risk method for KYC compliance by RBI-regulated entities, online authentication—though more robust and efficient—comes with heightened obligations. Only entities meeting the twin conditions of being recognized under Section 11A of the PML Act and being duly registered as a KUA or Sub-KUA with UIDAI are permitted to undertake online Aadhaar authentication. This dual-layered recognition ensures that only entities with demonstrably strong security practices are entrusted with the collection, storage, and processing of Aadhaar-related sensitive data.

As technology evolves and customer expectations shift toward faster, seamless digital experiences, regulated entities must not only prioritize compliance but also cultivate a strong internal culture of data protection and risk mitigation. Institutions seeking to leverage Aadhaar-based online authentication must therefore invest in robust data security frameworks, maintain strict internal governance standards, and ensure that their authentication practices align with both the letter and spirit of the law.

SEBI Securitisation Regulations: Track Record, Risk retention and Investment size among several new requirements

May 6, 2025/0 Comments/in Financial Services, RBI, SEBI, Securitisation, Uncategorized /by Staff

– Dayita Kanodia (finserv@vinodkothari.com)

Requirements to apply to all listed issuances, from financial and non-financial issuers

Below are the major highlights of the SDI amendment regulations:

SEBI on May 5, 2025 has issued the SEBI (Issue and Listing of Securitised Debt Instruments and Security Receipts) (Amendment) Regulations. 2025. It may be noted that the SDI Regulations, was first notified on 26th May, 2008, after public consultation on the proposed regulatory structure with respect to public offer and listing of SDIs, following the amendments made in the SCRA. The Regulations, originally referred to as the SEBI (Public Offer and Listing of Securitised Debt Instruments) Regulations, 2008, were subsequently renamed as SEBI (Issue and Listing of Securitised Debt Instruments and Security Receipts) Regulations, 2008, w.e.f. 26th June, 2018.

In order to ensure that the regulatory framework remains in accordance with the recent developments in the securitisation market, a working group chaired by Mr. Vinod Kothari was formed to suggest changes to the 2008 SDI regulations. Based on the suggestions of the working group and deliberations of SEBI with RBI, the amendment has been issued. The amendment primarily aims to align the SEBI norms for Securitised Debt Instruments (SDIs) with that of the RBI SSA Directions which only applies in case of securitisations undertaken by RBI regulated entities.

It can be said that these amendments are not in conflict with the SSA Directions and therefore for financial sector entities while there may be some additional compliance requirements if the securitisation notes are listed, there are as such no pain points which discourages such entities to go for listing. Further, certain requirements such as MRR, MHP, minimum ticket size have only been mandated for public issue of SDIs and therefore are not applicable in case of privately placed SDIs.

This article discusses the major amendments in the SDI Framework.

Major Changes

Definition of debt

The amendment makes the following changes to the definition of debt:

All financial assets now covered – In order to align the SDI Regulations with the RBI SSA Directions, the definition of ‘debt’ has been amended to cover all financial assets as permitted to be originated by an RBI regulated originator. Further, this is subject to the such classes of assets and receivables as are permissible under the RBI Directions. Note that the RBI SSA Directions does not provide a definition of ‘debt’ or ‘receivables’, however, provides a negative list of assets that cannot be securitised under Para 6(d) of the RBI SSA Directions.
Equipment leasing receivables, rental receivables now covered under the definition of debt.
Listed debt securities – The explicit mention of ‘listed’ debt securities may remove the ambiguity with regard to whether SDIs can be issued backed by underlying unlisted debt securities, and limits the same to only listed debt securities. The second proviso to the definition further clarifies that unlisted debt securities are not permitted as an underlying for the SDIs.
Trade receivables (arising from bills or invoices duly accepted by the obligors) – As regards securitisation of trade receivables, acceptance of bills or invoices is a pre-condition for eligibility of the same as a debt under the SDI Regulations.

‘Acceptance’, in literal terms, would mean acknowledgement of the existence of receivables. Under the Negotiable Instruments Act, 1881, ‘acceptance’ is not defined, however, ‘acceptor’ is defined to mean the drawee of a bill having signed his assent upon the bill, and delivered the same, or given notice of such signing to the holder or to some person on his behalf.

Note that a bill or invoice may either be a hard copy or in digital form. In the context of digital bill, acceptance through signature is not possible; therefore, existence of no disputes indicating a non-acceptance, should be considered as a valid acceptance.

Such Debt/ receivable including sustainable SDIs as may be notified by SEBI – In addition to the forms of debts covered under the SDI Regulations, powers have been reserved with SEBI to specify other forms or nature of debt/ receivable as may be covered under the aforesaid definition. Further, the clause explicitly refers to sustainable SDIs, for which a consultation had been initiated by SEBI in August 2024^[1].

Conditions governing securitisation

SEBI has mandated the following conditions to be met for securitisation under the SDI Framework:

No single obligor to constitute more than 25% of the asset pool – This condition has been mandated with a view to ensure appropriate diversification of the asset pool so that risk is not concentrated with only a few obligors. However, it may be noted here that the RBI regulations does not currently prescribe any such obligor concentration condition. Only in case of Simple, Transparent and Comparable securitisation transactions, there is a mandate requiring a maximum concentration of 2% of the pool for each obligor.

However, SEBI has retained the power to relax this condition. In our view, this may be relaxed by SEBI for RBI regulated entities considering that RBI does not prescribe for any such condition.

All assets to be homogenous – This is yet another provision which is only required by RBI in case of STC transactions. However, even in the context of RBI regulations, what exactly constitutes a homogenous asset is mostly a subjective test. SEBI has defined homogenous to mean same or similar risk or return profile arising from the proposed underlying for a securitised debt instrument. This has made the test of homogeneity even more subjective. For the purpose of determining homogeneity, reference can be made to the homogeneity parameters laid out by RBI in case of Simple, Transparent and Comparable securitization transactions.
SDIs will need to be fully paid up- The SDIs will need to be fully paid up, i.e., partly paid up SDIs cannot be securitised.
Originators to have a track record of 3 financial years: Originators should be in the same business of originating the receivables being securitised for a period of at least three financial years. This restricts new entities from securitising their receivables. However, this condition in our view should only apply to business entities other than business entities, complying with this condition does not seem feasible.
Obligors to have a track record of 3 financial years– The intent behind this seems to to reduce the risk associated with the transaction as the obligors having a track record in the same operations which resulted in the creation of receivables being securitized. However, this condition cannot be met in most types of future flow securitisation transactions such as toll road receivables and receivables from music royalties.

SEBI has made it clear that the last two conditions of maintenance of track record of 3 years for originators and obligors will not apply in case of transactions where the originators is an RBI regulated entity.

Amendments only applicable in case of public issue of SDIs

The following amendments will only be applicable if the SDIs are issued to the public. Here, it may be noted that the maximum number of investors in case of private placement of SDIs is limited to 50.

Minimum Ticket Size

The Erstwhile SDI Regulations did not provide for any minimum ticket size. However, with a view to align the SDI regulations with that of RBI’s SSA Direction, a minimum ticket size of Rs. 1 crore has been mandated in case of originators which are RBI regulated as well as of non-RBI regulated entities. It may however be noted that the minimum ticket size requirement has only been introduced in case of public offer of SDIs. Further, in cases with SDIs having listed securities as underlying, the minimum ticket size shall be the face value of such listed security.

Securitisation is generally perceived as a sophisticated and complex structure and therefore the regulators are not comfortable in making the same available to the retail investors. Accordingly, a minimum ticket size of Rs. 1 Crore has been mandated for public issue of SDIs. In case of privately placed SDIs, the issuer will therefore have the discretion to decide on the minimum ticket size. However, since the RBI also mandates a minimum ticket size of Rs. 1 Crore, financial sector entities will need to adhere to the same.

Here, it is also important to note that in case of public issue of SDIs with respect to originators not regulated by RBI, SEBI has made it clear that the minimum ticket size of Rs. 1 Crore should be seen both at initial subscription as well as at the time of subsequent transfers of SDIs. However, nothing has been said for subsequent transfers in cases where the originator is a RBI regulated entity. The RBI SSA Directions also requires such minimum ticket size of Rs. 1 Crore to be seen only at the time of initial subscription. This in many cases led to the securitisation notes being broken down into smaller amounts in the secondary market.

In the absence of anything mentioned for RBI regulated entities, it can be said that there is no change with respect to the ticket size for RBI regulated entities even in the case of publicly issued SDIs which should be seen only at the time of initial subscription.

It is worth mentioning that under the SSA Directions of RBI requires that in case of transactions carried out outside of the SSA Directions (the transactions undertaken by non-RBI regulated entities), the investors which are regulated by RBI have to maintain full capital charge. This therefore discourages Banks from investing in securitisation transactions which are carried out outside the ambit of the SSA Directions. Therefore, both retail investors as well RBI regulated entities will not be the investors which will hinder liquidity and overall growth of the SDI market.

Minimum Risk Retention

Aligning with RBI’s SSA Direction, a Minimum Risk Retention (MRR) requirement for public issue of SDIs has been mandated requiring retention by the originator of a minimum of

5% in case the residual maturity of the underlying loans is upto 24 months and
10% in case residual maturity is more than 24 months

Further, in case of RMBS transactions, the MRR has been kept at 5% irrespective of the original tenure.

SEBI has aligned the entire MRR conditions with that of the RBI SSA Directions, including the quantum and form of maintenance of MRR. Accordingly, for financial sector entities, there is no change with respect to MRR.

By introducing MRR in the SDI Regulations, non-financial sector entities will be held to similar standards of accountability, skin-in-the-game, reducing the risks associated with the originate-to-sell model and aligning their practices with those of financial sector originators. This will strengthen investor confidence across the board and mitigate risks of moral hazard or lax underwriting standards.

It may however be noted here that in case of non financial originators, there could be situations where retention is being maintained in some form (for example in leasing transactions, the residual value of the leased assets continues to be held by the originator) and therefore such originators will be required to hold MRR in addition to the retention maintained.

Minimum Holding Period

SEBI has aligned the MHP conditions as prescribed under the SSA directions for all RBI regulated entities. Accordingly, there is no additional compliance requirement for RBI regulated entities. For receivables other than loans, the MHP condition will be specified by SEBI.

Exercise of Clean up Call option by the originator

The provisions for the exercise of the clean up call option has been aligned with those prescribed under the SSA Directions. These provisions have been introduced under the chapter applicable in case of public offer of SDIs. However, the SDI Regulations always provided for the exercise of clean up call option and what has been now introduced in simply the manner in which such an option has to be exercised.

In case of private placement of SDIs, can the clean up call option be exercised at a threshold exceeding 10% ?

Although the provisions for the exercise of clean up call options has been made a part of chapter applicable in case of public offers, it should however be noted that these provisions are also a part of the RBI SSA Directions. Accordingly, financial sector originators are bound by such conditions even if they go for private placement of SDIs. Further, even in the case of the non-financial sector originator, clean up call is simply the clean up of the leftovers when they serve no economic purpose. Therefore, in our view, exercising clean up calls at a higher threshold should not arise.

Other Amendments

Norms for liquidity facility aligned with that of RBI regulations
All references to the Companies Act 1956 has been changed to Companies Act 2013
Chapter on registration of trustees has been removed and reference has been made to SEBI (Debenture Trustees) Regulations, 1993
Disclosure requirements for the originator and the SPDE have been prescribed; however the disclosure formats are yet to be issued by SEBI.
Public offer of SDIs to remain open for a minimum period of 2 working days and upto a maximum of 10 working days.

Amendments proposed in the SEBI(LODR) Regulations

There are primarily two regulations which govern the listing of SDIs:

SEBI SDI Regulations
SEBI LODR Regulations

The following amendments have been proposed in the LODR regulations:

SCORES registration to be taken at the trustee level
Outstanding litigations, any material developments in relation to the originator or servicer or any other party to the transaction which could be prejudicial to the interests of the investors to be disclosed on an annual basis.
Servicing related defaults to be disclosed on an annual basis.

^[1] Read an article on the concept of sustainable SDIs at – https://vinodkothari.com/2024/09/sustainable-securitisation-the-next-in-filling-sustainable-finance-gap-in-india