The online payment industry of India is not only unorganised but is also largely unregulated. Even the traditional banks of India are not scrutinised for their business and banking activities. For instance, a majority of banks that have extended their online payment portal services to online gambling, online pharmacy and similar high risk ventures have not done any sort of cyber law due diligence at all. They have simply extended their services to many apparently illegal business activities. The Indian government in general and the Reserve Bank of India (RBI) in particular are responsible for this lapse of regulatory compliance on the part of Indian banks and e-commerce entrepreneurs.
Recently InMobi paid a fine of $950,000 imposed by a US regulatory body for tracking consumers’ locations without their consent. This is not the case with InMobi alone, as almost all the e-commerce ventures in India are not complying with techno legal requirements of Indian and foreign laws. They consider legal compliance as a redundant exercise till some regulatory authority shows them the truth. Mobile application developers are also following this practice of non compliance and they may be prosecuted very soon. In fact, the Supreme Court of India will hear next Wednesday a petition seeking a ban on WhatsApp on the ground that the messaging platform’s end-to-end encryption gives terrorists a means of communication that is impossible to intercept. Maharashtra’s FDA has already ordered filing of FIRs against Snapdeal, its CEO Kunal Bahl, directors and distributors for online sale of prescription drugs. Bitcoin ventures of India are also required to comply with techno legal requirements, which they are presently not doing. This makes their Bitcoin business in India illegal and unauthorised. These are just a few examples of e-commerce and business ventures not complying with techno legal requirements of Indian laws.
Online payment market of India is passing through a turbulent phase. As on date the e-commerce and online business legal compliances are not followed by the online payment industry of India. Even the foreign investors were not very serious about cyber law due diligence in India and they invested blindly in Indian ventures. Now they have realised their mistake and they have already squeezed their funding for Indian ventures. Indian entrepreneurs and e-commerce business houses must understand that techno legal compliance is a long term insurance that they cannot ignore just like cyber insurance and cyber security of their businesses.
As far as the mobile payment market is concerned, it is booming but legal compliances are still missing from its agenda. Mobile banking cyber security is another area of concern, especially with mass usage of smart phones in India. RBI has been streamlining the financial and banking sector of India. It constituted the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds to be followed by banks of India. The guidelines have also directed that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the board level at the earliest. However, due to lack of enforcement of these guidelines, banks have done little towards cyber security of their business activities.
Reacting to this reality, RBI decided to set up an IT subsidiary that would look into the cyber security matters of banks of India and RBI. As per media reports, a CEO has also been appointed for managing the affairs of the IT subsidiary of RBI. Further, RBI has also issued a cyber security framework for Indian banks and many of the techno legal suggestions of Perry4Law Organisation (P4LO) have been incorporated into the same. Now RBI has released a policy document titled Payment and Settlement Systems in India: Vision-2018 for streamlining the online payment infrastructure of India. The vision document has suggested formulation of a responsive regulatory framework for online payment industry of India. Some of the salient features of the vision document pertaining to techno legal regulatory framework are as follows:
(1) RBI, in consultation with all the stakeholders, will continue its efforts to create a regulatory framework to promote twin objectives of enhanced coverage with interoperability of the payments system and convenience with security for the end-users in sync with emerging developments and innovations.
(2) The legal framework for payment and settlement systems in the country is provided under the Payment and Settlement Systems Act (the PSS Act), 2007. The PSS Act empowers the Bank to regulate and supervise the payment and settlement systems in the country. In discharging its roles and responsibilities under the Act, the Bank has been putting in place policy framework, issuing guidelines and instructions to banks and authorised payment system operators relating to safety, security and efficiency of payment systems. Besides formulation of new policies and guidelines, existing policies and instructions are all continually reviewed, taking into account the feedback received from the stakeholders.
(3) Taking into account the rapid developments and innovations in the area of payment systems, the Vision-2018 envisages a more responsive regulatory framework based on consultations with stakeholders. The policy framework will support payment system initiatives that enhance access to payment services. The principle of “similar business, similar risk, similar rules” will invariably be applied.
(4) The key focus areas for responsive regulation would be:
(a) New Issues / Areas For Policy Framework
(i) Policy Framework For Central Counter Parties (CCPs): The CCPs are the critical financial market infrastructure (FMI) and the efficiency of the same is important. RBI has already declared the policy framework for regulation and supervision of FMIs under the regulatory jurisdiction of the RBI. The PFMIs against which FMIs are assessed lay emphasis on having effective governance framework and management of various risks, including legal, credit and liquidity risks. To begin with, the RBI would come out with regulations on Governance, Capital/ net worth requirement, registration/authorisation of foreign CCPs. At a later date, RBI may come out with regulations on risk management, if required. This will also serve as effective criterion to measure the equivalence standards of third country regulatory framework for the purpose of recognizing foreign CCPs operating outside and desirous of applying for recognition in India under these regulations.
(ii) Regulation Of Payment Gateway Service Providers And Payment Aggregators: The increasing growth of electronic payments, especially online payments, riding the growth of e-commerce and m-commerce transactions, has brought to the fore the increasing role and importance of entities that facilitate such online payments such as payment gateway providers and payment aggregators. The current guidelines on maintenance of nodal accounts for such intermediaries (monitored through banks) are indirect and address only a few specific aspects of their functioning. Given their increasing role, the guidelines will be revised for the payments related activities of these entities.
(iii) Exit Policy: Co-existence of an exit policy along with the policy on authorisation of entities which participate in the payment and settlement system is essential for the overall hygiene of the ecosystem. The exit policy would lay down the parameters and processes for voluntary exit of a payment system operator (PSO) authorised to operate a retail payment system. Such a policy would ensure that the interests of the consumers and other stakeholders are protected.
(iv) Framework For Imposition Of Penalty: Guidelines and standards for various payment and settlement systems are issued under the provisions of the PSS Act. Non-adherence to these guidelines and standards by participants and operators attracts the penal provisions under the PSS Act. A framework for imposition of such penalties under the PSS Act would be put in place.
(v) Monitoring Framework For New Technologies / Innovations: In order to ensure that regulations keep pace with the developments in technology impacting the payment space, the global level developments in technology such as distributed ledgers, blockchain etc. will be monitored, and regulatory framework, as required, will be put in place. Further, the payments eco-system is dynamically evolving with the advancements and innovations taking place, particularly in the area of FinTechs. In order to provide a platform for innovators to showcase their models to the industry, particularly in the areas of interest to payment systems and services, the Reserve Bank has organised an innovation contest through the Institute for Development and Research in Banking Technology (IDRBT). Learnings from such interfaces will also be used as inputs for policy adaptations.
(b) Review Of Existing Policies:
(i) Prepaid Payment Instruments (PPIs): With increase in number of entities authorised to issue PPIs in the country, their usage for purchase of goods and services as well as funds transfer has also been growing. Over the years, the guidelines have been expanded to include several types of PPIs, some of which are not really being issued / used actively. Similarly, with growing use of PPIs, the initial forbearance given on KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanism, forfeiture of unutilised balances, fraud monitoring and reporting requirements, etc. merit a review. A comprehensive review of the PPI guidelines will be undertaken keeping in view the changing scenario.
(ii) Mobile Banking Guidelines: To promote mobile phones as access channel to payment and banking services, the guidelines will be reviewed to address issues related to customer registration for mobile banking, safety and security of transactions, risk mitigation and customer grievance redressal measures.
(iii) White Label ATM (WLA) Guidelines: These Guidelines, formed with the objective of ensuring expansion of ATM infrastructure in rural and semi-urban areas, have not resulted in the much needed growth in ATM infrastructure in the desired geographical segments of the country due to multiple factors. The WLA Guidelines will accordingly be examined holistically and targets realigned to meet present conditions.
(5) Payment System Advisory Council (PSAC): The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), set up under the PSS Act, is the apex body for regulating and supervising the payment system related developments and policies in the country. Vision-2018 envisages setting up of a Payments System Advisory Council (PSAC) to assist the BPSS in formulation of new policies, assessing the impact of new technological developments by providing necessary insights about futuristic developments and innovations in the area. The PSAC could have representations from diverse fields such as technology, telecommunication, FinTech, security solution providers, academia, Government, etc. and strive to provide to the BPSS the necessary consultative feedback from stakeholders for making strategic decisions in the area of payment systems.
(6) Amendments To PSS Act: Sound legal basis, including good governance, is the cornerstone for building a safe and efficient payments eco-system. Keeping this in view, amendments relating to settlement finality in the event of Central Counter Party (CCP) being declared insolvent or dissolved or wound down, and statutory charge on escrow account, have been made to the PSS Act which have come into effect from June 01, 2015. The Reserve Bank, as a member of the international Standard Setting Bodies (SSBs), is committed to adopting the international standards including those relating to recovery and resolution of FMIs. Efforts would, therefore, be made to bring in further amendments to the legal framework for addressing issues, such as:
(a) Resolution / insolvency of Central Counter Party (CCP) / Financial Market Infrastructure (FMI).
(b) Non-registration of charge on collateral with CCP: The Companies Act, 2013 has enlarged the meaning of “charge” under that Act, covering the right of system provider to appropriate collateral. In a dynamic market scenario, where the market participants constantly move in and move out the collaterals from the control of the CCP, it is practically impossible to continuously register or modify the charge. Non registration of charge under the Companies Act should not in any manner affect the right of the CCP to appropriate the collaterals and the settlement finality. As legal certainty is extremely crucial in this market, for avoiding litigation, necessary amendment to clarify this position would be taken up.
(c) Better governance in critical payment systems operators both in retail and large value payment systems by appointing observers on the board of the service providers or by appointing additional directors, as required.
(7) Strengthening Reporting Framework Including Fraud Monitoring: This includes:
(a) Reporting Framework: As part of off-site surveillance process, payment system operators (PSOs) are directed to adhere to periodic reporting requirements. The periodic returns would be moved to XBRL system. This would offer major benefits at all stages of business reporting and analysis, aiding in better quality of information and decision-making. In addition, a structured reporting framework for PSOs to communicate the findings of the audit of their IT systems along with their compliance would also be put in place.
(b) Fraud Monitoring: To further strengthen the confidence in the payment systems and minimise instances of frauds, there is a need to monitor the types of frauds that may be taking place in various payment systems. Accordingly, to begin with, a framework for collection of data on frauds in payment systems would be drawn up in consultation with the industry.
Perry4Law Organisation (P4LO) hopes that our readers would find this summary useful.