INDIA Law and Practice Contributed by: Shilpa Mankar Ahluwalia, Himanshu Malhotra and Purva Anand, Shardul Amarchand Mangaldas & Co
with KYC requirements, etc. The RBI imposes a geographical limitation in connection with even the outsourcing of non-core functions – the service provider must not, even in such permissible cases, be situated outside of India. Moreover, any outsourced functions have to be duly supervised by the RE outsourcing the activities. The RBI also prescribes mandatory contractual terms for such outsourcing contracts.

2.9 Gatekeeper Liability

The RBI imposes all gatekeeping obligations on the entities directly regulated and supervised by it (the REs) – and in connection with whom suitable corrective and/or enforcement action can be undertaken by the RBI. Illustratively:

• Banks, NBFCs and PSOs are required to retain ultimate control over any outsourced activities and cannot pass on customer accountability to the service provider.
• PAs are responsible for checking the technical and security infrastructure of the merchants onboarded by them, and for assessing compliance with regulatory and industry security standards.
• Banks and NBFCs that lend through partner digital lending platforms are required to ensure that their names are disclosed on such lending platforms and have the primary responsibility to comply with the DL Guidelines.

A standard industry practice is that the risks borne by REs as gatekeepers are contractually passed on to unregulated entities, backed by suitable indemnity and termination of access provisions. However, while the costs associated with non-compliance can be passed on contractually, the reputational risks continue to rest with the RE. In some cases, the RBI even specifies the contractual safeguards that an RE must build in, to ensure the regulatory compliance of the unregulated partner or service provider.

2.10 Significant Enforcement Actions

In the case of non-compliance with the regulatory framework (see 2.2 Regulatory Regime), the RBI may undertake enforcement actions under the provisions of the 1934 Reserve Bank of India Act, the 1949 Banking Regulation Act, or the PSS Act. The RBI has taken several stringent enforcement actions in the last year (see 1.1 Evolution of the Fintech Market).

2.11 Implications of Additional, Non-Financial Services Regulations

Certain non-financial services regulations (such as those relating to privacy/data protection, social media content, and access to Aadhaar for customer verification) are governed by independent regulatory frameworks, which indirectly impact delivery of financial services:

• the Current Data Privacy Framework requires certain REs (including banks, NBFCs, PPI issuers) to maintain a publicly available privacy policy and handle customer data in accordance with the framework and such policy;
• the Data Localisation Circular (see 2.2 Regulatory Regime);
• the Aadhaar framework (see 2.4 Variations between the Regulation of Fintech and Legacy Players); and
• the intermediary guidelines/rules under the IT Act require intermediaries to monitor the display and sharing of data on their platforms and to ensure that such data is not appropriated from someone else, does not infringe on intellectual property, and does not violate any other prevailing laws.