Despite the sobering effects of this no longer novel Coronavirus, investor appetite in India’s thriving fin-tech companies is booming. Investments (and acquisitions) in this space give rise to risks that are particular to this sector and a thorough assessment of such risks prior to making an investment might well be appropriate.
Below is a brief overview of the regulatory risk incidents on various kinds of fintech companies:
- Digital Lending
- Blockchain / Crypto
- Wealth Management
- Money Transfer / Remittances
- Cards as a service (Credit or Prepaid)
- Identity Verification
Digital Lenders in India tend to be of two kinds: (a) those with a lending license (an NBFC license, to be exact) and (b) those partnering with lenders.
For those operating with an NBFC license, the RBI prescribes detailed compliance obligations, data protection obligations (although, perhaps not as detailed) and change of control requirements. Given that fines can be potentially debilitating, any investor investing in a regulated entity should conduct a detailed assessment of the compliance record of NBFCs.
For those companies partnering with NBFCs (or banks), the long arm of the RBI may not reach them. Unfortunately, the RBI requires the NBFC’s and the banks that partner with these digital lenders to impose fairly onerous requirements on them – and so while there may be some regulatory respite, it is not as light touch as imagined.
Fairly strict, slightly strange data laws apply. Not referring to the Personal Data Protection Bill – that continues to be pending the but Information Technology Act 2000, the Consumer Protection Act 2019, and the RBI regulations will apply.
Players In the payments space, unlike the ones in the digital lending space, do not have the regulatory manoeuvrability to pretend like they are not regulated. Couple of quick points.
The term “Payment Gateway” is colloquially used to refer to aggregators. The RBI may not be using it in the same vein. Payment Gateways are currently not regulated.
Payment Aggregators are heavily regulated – including owned funds requirements, compliance with strict data laws, KYC guidelines, complaints mechanisms, escrow accounts, fraud prevention etc.
Payment Systems are heavily regulated and the system provider that operate a payment system, as well as the system participants that participate in a payment system, are indirectly regulated through the Payment and Settlement Systems Act, 2007.
Pre-paid Payment Issuers are regulated by a separate set of regulations based on the characteristics of the prepaid instrument operated. While some type of instruments (closed prepaid instruments) are not subject to regulations, the semi-closed and open prepaid instruments are heavily regulated, with the latter being allowed to be operated only by banks.
All entities that handle money and data within the payments and settlements systems have fairly onerous regulatory requirements.
The regulation of insure-tech companies is slightly less onerous than those in the lending, payments and settlements space. However, it is a licensed sector -and therefore, each entity whether a corporate agent, insurance broker, third party administers, web aggregators all are regulated by the Insurance Regulatory and Development Authority.
Blockchain & Crypto assets
Blockchain companies focusing on digital security, reg-tech, gaming, trade finance, shipping, property-tech, and Logistics are all the rage. The Government of India, the Reserve Bank of India and the Supreme Court have all embraced blockchain. Most B2B blockchain companies are not regulated – many B2C companies are also not regulated. As traditional companies embrace immutability, blockchain-based developers and services companies are an attractive investment proposition.
However, companies that offer or trade crypto assets continue to be under a cloud, despite the Supreme Court’s decision in Internet & Mobile Association of India v. Reserve Bank of India. India’s regulation of Collective Investment Schemes, rules on a public offer of securities, the Securities Contract Regulation Act and India’s money laundering laws all pose significant day to day challenges to a crypto company.
With the significant democratization of access to wealth advisory services, there has been a significant rise in the numbers of players operating in the wealth tech sector. The Securities Exchange Board of India has been fairly supportive of the growth spurt in this sector and has introduced regulations to further encourage, democratise and digitise access to investment avenues. Enabling e-commerce companies to offer mutual fund products, allowing investments using prepaid instruments and the UPI framework has only led to further growth.
However, since these companies handle significant sensitive data and partner with various players in the ecosystem to facilitate investments through digital platforms, these entities while not heavily regulated are subject to regulations and compliance requirements that cannot be ignored.
Indian neo-banks operate exclusively by partnering banks. Truly digital banking is not yet permitted in India. Neo-banks remain unregulated, except to the extent that they are contractually obliged to adhere to KYC regulations, enhanced data protection requirements and compliance obligations apply. In addition, if they are structured as a payment aggregator, then the rigours of the RBI’s potentially debilitating requirements would also apply. While Neo-banks are not regulated, the banks they tend to partner with are heavily regulated. And structuring a neo-bank solution involves manoeuvring around a host of regulations.
The potential commercial of any non-compliance of contractual or regulatory requirements on the part of a neo-bank is particularly high.
Money Transfer/Remittances/Bill Recharges
Various existing fintech players with the intent to serve tier 3 and tier 4 cities and cater to the MSMEs sector have expanded their reach by offering additional products such as enabling money transfer services, facilitating bill payments, offering Aadhaar enabled payment services for cash deposits and withdrawals. These entities essentially partner with banks and operate as a banking correspondent or partner with business correspondents as their agents in order to render these services.
While such entities may not directly come under the purview of the Reserve Bank of India, they are bound by several stringent requirements pertaining to data, transaction details, handling of cash, etc. imposed by the respective banks they partner with.
Companies offering card services operate at a challenging intersection of banking and credit cards regulations, or prepaid payment instrument regulations, subject to the type of card being issued. Each of these regulations are onerous and may be significantly impacted by a change of control. Given the spate of investments and acquisitions in this space that have come under regulatory scrutiny, investors may well be cautious.
Identity Verification and Data Aggregation Companies
The digital evolution in the fintech industry has led to an increased number of players offering online identification services. This has been further promulgated by the Reserve Bank of India, by introducing online KYC processes for customer identification. Each fintech company directly or indirectly ends up availing these services to verify the identity of its customers and enable access to a wider range of financial and non-financial products. These companies are not only subject to significant financial sector regulations based on the data aggregated, but also information technology laws, scrapping regulations, data protection laws – more specifically data processing and storage norms etc. While such entities continue to operate with limited compliance at this stage, the pending Personal Data Protection Bill, 2019 would affect their operations significantly.
Illustrative of the feeding frenzy that is enveloping fintech in India is the story of a client of ours – incorporated in February 2020, the company received seed funding in March. In an ambitious move, the company acquired a competitor in April and was then acquired by a leader in payments in India in May. And while consolidation is inevitable, a thorough evaluation of regulatory risks may be called for. And on the other hand, investee companies may also have reason to be cautious. The RBI has been particularly unforgiving of investee companies with investors based in countries whose laws are deemed inadequate. Since that list includes Mauritius and affects many of India’s largest funds, investee companies would be well advised to evaluate whether any investment is worth the consequences? Increased RBI scrutiny, refusal of regulatory approvals and suspicious glances from others in the eco-system.