Knowledge Repository
All Issues

Fintech

In this update +

Jyotsna JayaramPartner

Akshaya ParthasarathySenior Associate

Karthik RaiAssociate

Key Developments

  • Reserve Bank of India introduces an omnibus regulatory framework for cross-border payment processors

    The Reserve Bank of India (RBI) had separate, light-touch regulatory schemes in place for various types of cross-border payment processors such as online payment gateway service providers and collection agents. With an intent to streamline these disparate regimes, the RBI introduced a circular on the Regulation of Payment Aggregator – Cross Border (Circular), which consolidates these processing activities into one unified regulatory framework. Pursuant to the Circular, only entities authorised by the RBI as Payment Aggregator – Cross Border may facilitate cross-border payments. The Circular introduces stringent requirements for authorisation, including maintaining a minimum net worth requirement and registering with the Financial Intelligence Unit – India. Therefore, entities facilitating or looking to facilitate import or export transactions should assess whether their operations would be governed by the new framework.

    (To read our detailed update on the Circular, click here.)

  • Reserve Bank of India mandates reciprocity in data sharing in the account aggregator ecosystem

    To promote efficient utilisation of the account aggregator ecosystem, the RBI amended the Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (AA Master Directions) to require all regulated entities that have joined the account aggregator ecosystem as Financial Information Users (FIU) to access financial information, to also join as Financial Information Providers (FIP) and contribute financial information to the ecosystem if they (a) hold such specified financial information and (b) fall within the definition of FIPs under the AA Master Directions.

    This reciprocity mandate is an attempt to strengthen the account aggregator framework by increasing the pool of financial information available to the participants. This is likely to have a cross-sectoral impact as regulated entities operating in various sectors, including the insurance and financial services space, seeking to participate as FIUs will also need to register as FIPs to contribute relevant data to the ecosystem.

  • Reserve Bank of India requires regulated entities to implement processes and policies for information technology governance and risk management

    Promoting robust internal information technology (IT) governance and risk management in regulated entities such as banks, non-banking financial companies, and credit information companies (Regulated Entities), the RBI issued the Master Directions on Information Technology Governance, Risk, Controls and Assurance Practices, 2023 (IT Master Directions) consolidating and updating prevalent guidelines.

    Regulated Entities should review their internal IT and information security (IS) policies to assess compliance with the IT Master Directions. This will include ensuring that they have in place:

    • an IT governance framework, including strategies and policies approved and periodically reviewed by the Board of Directors (Board). Regulated Entities should also establish an IT Strategy Committee (ITSC) of the Board and appoint a Head of IT Function to ensure effective execution of IT projects in alignment with internal policies and strategies;
    • an IT services management framework to maintain the operational resilience of the IT infrastructure, which includes technology refreshment plans, capacity planning, vendor risk assessment processes, data migration policies, access controls for critical or sensitive data, and controls for remote working;
    • an IT and IS risk management framework to periodically review IT risks, conduct vulnerability assessments, identify and secure critical information systems, etc. Regulated Entities should also appoint a Chief Information Security Officer (CISO) and have a cyber incident response policy; and
    • business continuity and disaster recovery measures, and also have an information systems audit policy.

It is anticipated that the government will continue to make further regulatory strides in the fintech and banking sectors in the coming months. Based on the RBI’s 2023 Statement on Developmental and Regulatory Policies, regulations on connected lending and web aggregation of loan products appear to be in the works.

More in this issue

More Quarterly Milestones

Technology

Consumer Protection and Advertising

Telecommunication and Broadcasting

Asset Management and Funds

Direct Tax

Indirect Tax

Intellectual Property

Corporate

Dispute Resolution

Labour and Employment

Financial Regulatory Regime

Capital Markets

In this update

Reserve Bank of India:

  • Introduces an omnibus regulatory framework for cross-border payment processors
  • Mandates reciprocity in data sharing in the account aggregator ecosystem
  • Requires regulated entities to implement processes and policies for information technology governance and risk management.