INDIA Law and Practice Contributed by: Shilpa Mankar Ahluwalia, Purva Anand and Ansh Jain, Shardul Amarchand Mangaldas & Co
There is active development in this sector, with products being developed using stablecoins, and a growing number of entities using the PA–Cross-Border route to offer efficient cross-border payment solutions.

2.2 Regulatory Regime

The regulatory framework governing the key verticals (see 2.1 Predominant Business Models) of the Indian fintech sector is fragmented across several pieces of legislation and regulations. There are no state-specific variations in terms of the regulatory framework.

The 2007 Payment and Settlement Systems Act (the “PSS Act”)

This is the principal legislation regulating payments in India. The PSS Act prohibits the commencement and operation of a payment system without prior authorisation of the RBI. Here, a “payments system” is any system that enables payment to be effected between a payer and a beneficiary, utilising clearing, payment or settlement services, and excluding stock exchanges. This includes card network operations, PPIs, UPI payments and other digital payment services.

The 2002 Prevention of Money Laundering Act (PMLA)

This is the primary anti-money laundering regulation governing entities offering financial products. The PMLA is supplemented by the 2005 Prevention of Money Laundering (Maintenance of Records) Rules (the “PML Rules”). Together, they provide detailed procedures for financial sector entities to follow in order to conduct KYC and AML verifications, as well as to report suspicious transactions.

RBI Master Directions/Circulars

As the principal financial regulator, the RBI periodically issues “Master Directions” and circulars governing and regulating specific offerings in the fintech space. The RBI has issued subject-specific Master Directions regulating:

• PPIs;
• NBFCs;
• P2P lending;
• PAs and PGs (including PA-CBs);
• account aggregators;
• KYC for all REs; and
• other market participants and offerings.

The RBI’s directions on KYC (“KYC Master Directions”) draw from the PMLA and the PML Rules and further prescribe that all REs must undertake identity verification of their customers before commencing any account-based relationship or other prescribed transactions with such customers.

REs such as NBFCs and payment systems operators/system participants can obtain authorisation from the RBI to conduct Aadhaar-based E-KYC authentication of their customers. Aadhaar is a 12-digit unique identification number issued by the GOI to its citizens.

NPCI Circulars

UPI payments in India are governed by the procedural guidelines issued by the NPCI. The NPCI also issues more specific operational circulars to the UPI payment system participants from time to time. They collectively govern transaction volumes, transaction caps, technical standards, data privacy and security measures, usage of UPI API, manner of settlement of transactions, etc.

Data Protection Framework

Currently, the IT Act and the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Current Data Privacy Framework”) govern protection of personal data in India. However, given the increasing collection and use of customer data, these have widely been recognised as outdated and insufficient – and, once fully implemented, the DPDP Act will overhaul the existing data protection framework (see 1.1 Evolution of the Fintech Market).

Separately, the RBI also issued a circular in April 2018 (the “Data Localisation Circular”), which mandates that all payment data be stored on servers located in India. While such data can be transferred outside India for processing, it must be returned to India within 24 hours. Note that the Data Localisation Circular only pertains to payment data. There are no generalised data localisation requirements under the Current Data Privacy Framework or under the DPDP Act.
CHAMBERS.COM