The key regulatory developments in the FinTech space in the month of August 2024 are discussed below.
Reporting Frequency for Credit Information
The Reserve Bank of India (RBI) has issued instructions to Credit Information Companies (CICs) and credit institutions (CIs) on August 8, 2024 (Credit Info Instructions), regarding reporting of credit information. The Credit Info Instructions will come into effect from January 1, 2025.
The CIs are required to share credit information with the CICs at a fortnightly frequency; currently, it is required to be reported on a monthly basis. Further, based on the credit information received from CIs, the CICs now need to ingest credit information in accordance with their data acceptance rules within 5 calendar days.
The Credit Info Instructions also require CICs to furnish details of CIs that do not adhere to or comply with the requirements to the RBI at half-yearly intervals.
Amendment to Master Direction on Peer-to-Peer Lending
Through the circular dated August 16, 2024, the RBI has proposed amendments to the Master Directions on Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (P2P Directions), to provide clarifications to the regulatory framework applicable to Non-Banking Financial Company – Peer to Peer (P2P NBFCs).
The key amendments and clarifications to the P2P Directions are mentioned below:
- P2P NBFC must not directly or indirectly assume credit risk in respect of transactions on its platform.
- P2P NBFC must not cross-sell an insurance product that is in the nature of credit enhancement or credit guarantee.
- Loans must only be disbursed between lenders and borrowers that have been matched or mapped, in accordance with the P2P NBFC’s board approved policy. Also, it must be ensured that the individual lenders approve the individual recipients of the loan, and all participants have agreed to the loan contract.
- The funds from lenders’ escrow account must not be utilised for repayment of loans. Similarly, the funds from borrowers’ escrow account must not be utilised for disbursement of loans.
- All fund transfers must be from bank accounts, and cash transactions are prohibited.
- P2P NBFC must disclose its fees at the time of lending itself. Also, it must ensure that the fee is charged as a fixed amount or fixed proportion of the principal amount involved and must not be dependent upon repayment.
- P2P NBFC is required to disclose details of borrowers, including the borrower’s consent, to lenders.
- P2P NBFC must not promote P2P lending as an investment product, including based on features like tenure-linked or assured minimum returns or liquidity options, etc.
Draft Framework for Management of Credit Models and Risks
With a view to addressing potential risks associated with models for credit management, including credit appraisal, borrower scoring, pricing and risk management, that are used by Regulated Entities (REs), the RBI issued a draft framework ‘Regulatory Principles for Management of Model Risks in Credit’ (Draft Circular – Credit Models) on August 5, 2024.
REs may develop the models internally, source them from third-party suppliers (including under collaborative lending arrangements), or use both approaches. Key principles that need to be followed include:
- the problem statement and solutions must be clearly defined,
- the inputs and assumptions considered for the model must lead toward robustness,
- detailed documentation must be implemented,
- the model must have the necessary scalability and flexibility, and
- the RE must ensure the necessary interface with core banking and financial system, liquidity management, asset liability management and risk management systems.
REs are required to implement a model vetting and validation process to assess the robustness of models, which must involve comprehensive review of limitations and weaknesses, including instances of bias or discrimination.
REs need to put in place a Board-approved policy on the model risk management framework for the models they deploy, and constitute a risk management committee of the board responsible for deployment of credit models. The policy must deal with governance measures commensurate with the models’ materiality as well as processes around development or selection of models.
Expansion of the E-mandate Framework to FASTag and Mobility Card Payment
The RBI has expressly included payments for auto-replenishment of FASTag and National Common Mobility Card (NCMC) within the purview of the extant regulatory framework for processing of e-mandates for recurring transactions, through its circular dated August 22, 2024. Such payments can be triggered when the balance falls below a prescribed threshold. However, the RBI has exempted such payments from the pre-debit notification requirement.
UPI Circle and Delegated Payments
The RBI introduced a functionality that enables a primary individual user to allow secondary individual users to make UPI payments using the bank account of the primary user. This facility has been termed “UPI Circle” and the payments “Delegated Payments”. In this regard, the National Payments Corporation of India (NPCI) issued a circular dated August 13, 2024, prescribing the conditionalities for the delegated payments.
Some of the important operational conditions introduced by the NPCI are:
- A primary user can delegate payment tasks to a maximum of 5 secondary users and a secondary user can accept delegation from only 1 primary user.
- UPI applications must have a mandatory application passcode or biometrics for all secondary users.
- The primary user is permitted to set usage controls for secondary users, within the maximum limits of INR 15,000 per delegation and INR 5,000 per transaction.
- The primary user should have visibility of transactions performed by the secondary users.
Enhancement of Tax Payment Limit via UPI
Through circular dated August 24, 2024, the NPCI has enhanced the transaction limit for payments towards tax through UPI, from INR 1,00,000 to INR 5,00,000 per transaction. For this purpose, banks, PSPs, and UPI apps must ensure the enhanced limit is applied to verified merchants only.
Expansion of Scope for Cross-Border Bill Payment Transactions
NPCI Bharat BillPay Limited (NPCI BillPay), through a communication issued to the Bharat Bill Payment Operating Units (BBPOUs) on August 6, 2024, has expanded the scope of cross-border bill payment transactions to permit foreign outward remittances, potentially enabling payments to overseas billers. Presently, cross-border bill payment transactions for foreign inward remittances are operational.
Such remittances need to be undertaken in accordance with the exchange control laws and regulations as well as the Master Direction – Know Your Customer (KYC) Direction, 2016.
Data Security and Privacy Standards for Credit Card Bill Payment Transactions
As a measure to safeguard critical, personal and sensitive data of customers, NPCI BillPay has prescribed a Data Security and Privacy Standards Framework for credit card bill payments under the BBPS (Data Framework), through a communication issued to the BBPOUs on August 15, 2024. While the Data Framework has been issued to BBPOUs, the BBPOUs have been obligated to ensure compliance by their agent institutions, agents and service providers.
The Data Framework has classified customer data into: (a) customer-consented data, which will include customer name, last 4 digits of the credit card, etc.; (b) customer sensitive data, which will include PINs, passwords / OTPs, complete credit card number and details, etc.; and (c) non-personal data, which will include transaction number, transaction amount etc.
The key obligations introduced under the Data Framework are:
- BBPOUs must process ‘customer initiated’ fetch transactions for credit card bill payments only. Such transactions must be authenticated to ensure the accuracy of the combination of mobile number and card number.
- The fetch as well as reminders must be processed based on explicit and time-bound customer consent. Also, customers must be provided an opt out option.
- Details of the credit card bill returned by BBPS systems from the credit card issuer must only be used for display to the concerned customer on the mobile app or the website. Also, the details need to be purged upon expiry of the time-bound consent.
- The payment data for these transactions must be stored within India.
- The customer data must only be stored within systems of the BBPOUs or their agent institutions, agents and service providers, along with access control.
- BBPOUs must implement data security, privacy and access management controls, including data encryption, masking, data leakage prevention and data access monitoring, in accordance with all extant laws and regulations (including Digital Personal Data Protection Act, 2023).
Other Policy Measures
The RBI announced policy measures in the speech of the Governor, “FinTech Innovations for India @ 100: Shaping the Future of India’s Financial Landscape”, at the Global Fintech Fest, 2024, which include:
- The RBI proposes to implement a pilot on Unified Lending Interface (ULI) to enable lending institutions to offer frictionless and end-to-end digital credit, by leveraging consent-based data. Lenders other than banks and NBFCs, such as cooperative credit institutions, are also proposed to be permitted to lend.
- The Digital Public Infrastructure (DPI), which encompasses frameworks like Digital Identity (i.e., Aadhaar), universal fast retail payments (i.e., UPI) and targeted payment solutions for bill payments, is proposed to be strengthened to promote interoperability, transparency and cost effectiveness.
- The UPI and RuPay networks are proposed to be fully globalised with cross-border payment system enhancements. In this regard, the RBI has recognised notable coordination with countries like France, Singapore, UAE, Bhutan, Nepal, Sri Lanka, Namibia and Peru.