This article is written by M Arjun, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “Unique Legal Structuring, Contracts and Compliance for Fintech Business”.

Introduction

India has the second-largest number of internet users across the world. It also has the second-largest smartphone users with around one-third of the population using smartphones for various activities. Despite all the claims  India still has a chunk of its population unbanked. Even in 2019, Cash is still the King of Indian Economy by a huge margin. The Government is trying hard to push India to a digital revolution through schemes like ‘Digital India’. All of these facts had practically contributed to a widespread fintech adoption in the country which is only next to China. The Reserve Bank of India has been working for Financial Inclusion ever since 2005 to bring a large number of population to the forefront of the Economy. The unification of traditional finance and 21st-century technologies through the buzzword ‘fintech’ has contributed greatly to the financial inclusion in the country.

Eyeing the massive opportunity in India, the number of fintech startups has been proliferating in the past 5 years. The innovative and problem-solving attitude of these startups helped them achieve huge success in India, even attracting foreign investments from firms like Berkshire Hathaway, SoftBank and so on. This has forced the traditional financial institutions such as banks to play catchup game. Fintech businesses were treated no different from the rest of the financial businesses ever since its development. However, this approach of the regulators is gradually changing as they started driving deep into the operational differences of fintech firms when compared to conventional financial institutions. Fintech companies have a focus area and do not deal with all aspects of finance like traditional institutions. The ease of use/access nature, automation of activities and the potential to leverage next-gen technologies like blockchain, artificial intelligence and machine learning have made these entities tougher to be regulated. Right from incorporation to requirements like GST, regulations and compliance requirements of these businesses have become more complex when compared to its inception. Most of the fintech companies in India are regulated by RBI, SEBI, IRDA and TRAI.

Business Structure

Various methods of incorporating a business in India include Sole proprietorship, Partnership firm, One Person Company, Limited Liability Partnership, Private Limited Company and Public Limited Company. Private Limited company had been the go-to option for fintech firms as they offer more flexibility and room for the future growth of the company. A Private Limited Company is considered to be more credible when compared to other options. Funding and investments are the lifeblood for fintech startups. According to the India Fintech Report 2019, Venture and Private Equity funding for fintech startups in 2018 were estimated to be around $1.83 billion. Registering the startups as a Pvt Ltd company attracts Foreign Direct Investments and investments from VCs and other Investors. The fintech industry often comes across several partnership deals, collaborations, mergers and acquisitions. Most of the businesses prefer Private Limited Companies for such deals. Besides, it helps fintech firms to launch new tech-based products and expand their business to other jurisdictions in the future. However, an LLP may be preferred if the business doesn’t want to raise funds and focus just on providing services to its customers. Fintech startups preferring other methods over Private Limited Company is almost non-existent.

Compliances

The core fintech businesses started as startups while others have just extended their services online. There has been a lot of classifications of fintech firms. Some of these include payments and remittance, lending platforms, personal finance, blockchain and cryptocurrency, insuretech, enterprise solutions and investment platforms. It has become a cumbersome task to classify a startup into any of the categories. Most of them have started offering multiple services which make the nature of classification complicated. Regulations and investments differ according to segments in the industry. A segment-wise overview of various regulations and compliances:-

Payments and Remittance:- The Payments sector is the foremost member of the fintech industry. This sector has seen huge growth, inviting a huge number of investments ever since its inception. Demonetization led to widespread adoption of the payments sector. An ASSOCHAM – PWC India study predicts that digital payments in India will double to around 135.8 billion dollars in 2023. Mobile/digital wallets, PoS systems, payment gateways account for around 50% of startups from the payment sector. Earlier this year the Reserve Bank of India formed a ‘High-level Committee on Deepening Digital Payments’. 

From digital wallets to Payments Bank and UPIs, the Payments sector witnessed a series of changes in previous years. Digital/Mobile wallets were the go-to option for digital payments. They were closed/semi-closed prepaid payment instruments used for payments between the same platform along with uses such as for recharge, e-commerce and shopping. RBI in its “guidelines for prepaid payment instruments” has come up with KYC requirements for various prepaid payment instruments. KYC compliance has become mandatory for usage of mobile/digital wallets which are mostly semi-closed PPIs. RBI has classified semi-closed PPIs into two categories- (i) PPIs up to Rs 10,000 where only the minimum details of the PPI holder is required (ii) PPIs up to Rs 1 lakh where a full-fledged KYC is mandatory. Customers of these wallets have to do at least a minimum KYC to use the wallet and avail some of its benefits. However, RBI has extended its deadline for KYC compliance to February 29, 2020. RBI has also directed the PPIs to maintain adequate data and security control systems to safeguard payment-related data for preventing fraudulent activities during online transactions.

The Payments sector in recent times went through a paradigm shift when the Unified Payments Interface (UPI) was introduced by the National Payment Corporation Of India (NPCI). The NPCI was formed as an independent organisation under the provisions of Payments and Settlements Act 2007. It was formed for operating the payments and settlement systems under the guidance of RBI and IBA. UPI turned out to be a great rival for e-wallets. As of now, there are no KYC requirements for UPI applications. The RBI’s annual report indicated that the transactions in UPI surpassed that of debit cards in 2018-19. The UPI infrastructure developed by the RBI guided NPCI, was the perfect answer from banks against the popularity of digital wallets. UPI is a cross banking transfer medium backed by a consortium of banks. Mobile wallets cannot access UPI technology on their own for which they have to depend on banks. NPCI provides guidelines for  UPI, Bharat QR code and BBPS related payments.

The advent of UPI, lack of interoperability, and KYC requirements drastically affected the digital wallets. For countering the problem, e-wallet giants like Paytm launched a new system of banking called the ‘ Payments Bank’. RBI has launched its guidelines for Payments bank in 2017. According to which Payments Bank are to be registered as Public Limited Companies under the Companies Act and shall be licensed under section 22 of the Banking Regulations Act. The minimum capital required is 100 crore. The foreign shareholding requirements are as per the FDI policy for private banks. The concept of Payment Banks was conceptualised by RBI to tackle financial inclusion. Payment Banks supports paperless banking and has no right to accept deposits of above Rs 1 lakh. RBI doesn’t permit Payment Banks to lend money or issue credit cards. A full KYC is required to be done for opening savings bank accounts with Payment Banks. Payment Banks had lots of similarities with ordinary banks and were seen as a major movement for financial inclusion. Platforms like Paytm has integrated their wallets to the Payment bank. 

As a result of the increase in digital transactions, payment gateways and aggregators are playing a crucial role in the payments sector. These entities do not come directly under the Reserve Bank Of India. All the interactions between payment gateways and RBI are made through the banks. RBI in a press release in 2017 directed the payment gateways to route their transactions to a nodal account opened with a bank. Those accounts will be considered as an internal account of the bank and payment gateways cannot operate on such account. But still, they are largely self-regulated and is not authorised directly by the RBI. Payment gateways maintain themselves certain standards such as the Payment Card Industry Data Security Standard (PCI DSS) to protect and secure digital payments. Recently the Central Bank has come up with a proposal to directly regulate these payment operators considering the growing number of digital transactions. 

Financial Lending:- In recent times digital lending platforms thrived in the Indian fintech industry. P2P Lending and SME lending startups have increased exponentially revolutionising the lending landscape in India which was largely dominated by banks. Lending platforms provide hassle-free loans with very less documentation in very less time. MSME enterprises in India greatly benefited from these services, especially when applying for loans in banks involved complicated procedures with a less chance for approval. These platforms used technologies like Machine learning and AI to replace the older systems of analysing the creditworthiness of the loan seeker.  Integration of various APIs through platforms like Indiastack largely helped the lending space in India.

Until 2017 there were no specific regulations applicable for lending platforms. RBI in September 2017 published a circular for the regulation of P2P lending companies. P2P lending platforms are the place where lenders meet borrowers directly through the platform. Fintech Businesses in India are required to obtain an NBFC license from the RBI. RBI in its guidelines mandated P2P platforms to be registered as P2P lending NBFCs. Companies that have received P2P NBFC license from RBI are required to publish the default rates of the platform on their website. They are also directed to share the information regarding grievance redressal mechanisms, portfolio performance etc. Besides, NBFC P2Ps should provide sufficient details to the borrowers and lenders to facilitate transparent decision making. RBI has classified these platforms as NBFC P2Ps for shielding them against the stricter regulations followed by traditional NBFCs.

Personal Finance and Investment Platforms:- The increased adoption of internet and smartphones helped personal finance and asset management companies to penetrate deeper sections in the market. The ease and convenience of making investments and managing personal finance have attracted a larger audience like women and youth. These platforms utilise modern technologies to make the whole process of investing and wealth management easier especially when compared to traditional institutions.

SEBI is the chief policymaker for this segment of the fintech industry. Several traditional players have already extended their services online. There are stockbrokers like Zerodha who are registered with SEBI and are members to NSE and BSE. Companies providing online trading are required to follow trading member guidelines of NSE, BSE and MCX. There are other companies dealing with advisory functions concerning personal finance and wealth management. These businesses are mandated to obtain Registered Investment Advisor certificate (RIA) from SEBI. SEBI has come up with SEBI(Investment Advisers) Regulations in 2013 to regulate these entities. As per the guidelines RIAs are directed to make certain disclosures such as its remuneration and other key features of the products/securities to its clients. They are also required to maintain copies of documents like risk profiles, KYC records, client agreements, investment advice provided and so on. A compliance officer should be appointed for monitoring the compliance requirements mandated by the regulations. Asset management companies dealing with mutual funds are registered as a distributor with ‘Association Of Mutual Funds In India’ ( AMFI). AMFI is an association of SEBI registered mutual funds which prescribes guidelines for mutual fund distributors.

Click Above

Insurtech:- Online Insurance services are still in its nascent stage in India. This segment has not gained significant trust from the consumers. These platforms use IoT enabled services to track the individual needs of the customers. IRDAI is the chief policymaker for this segment. Businesses functioning in this segment of the industry are mostly insurance brokers or web aggregators. Insurance brokers exist both online and offline and act as an intermediary on behalf of their clients to help them choose the best product. Insurance brokers receive a brokerage from the insurance company. Apart from the remuneration, they can also receive a fee from the client for their expert services like risk assessment which shall not be a percentage of premium or claim amount.  IRDAI has prescribed a code of conduct which should be followed by these brokers. They are bound to act as per the IRDAI (Insurance Brokers) Regulations 2018.

Insurance Web Aggregators are platforms in which customers can get knowledge of various insurance products. They act as an online shopping interface for insurance products. Web aggregators display all the relevant information about the policies listed and help the users to compare their benefits and take a decision accordingly. They operate as a website helping in comparison of policies offered by several insurers. They are guided by the IRDAI (Insurance Web Aggregators Regulations) 2017. IRDAI has clearly defined and given a structure to some of the important activities and functions of the Web Aggregators. They include – Display of product comparisons on the web-site and their conditions, transmission of leads by web aggregator to the insurer in a specified manner, the manner and process of sale of insurance online by web aggregators, sale of insurance by telemarketing mode and other distance marketing for solicitation of insurance based on the leads generated from its designated website. The web aggregators are not allowed to push or promote a particular company. They are required to provide necessary details to the consumers such as the term of the insurance policy, the premium payable etc to allow consumers to make their own decision.

IRDAI has also come up with ‘’Guidelines on Insurance e-commerce’’ for providing directions to all the functioning ISNPs. Insurance Self-Network Platform(ISNP) means an electronic platform set-up by any applicant with the permission of the Authority. All the insurance brokers are mandated to follow the e-commerce guidelines and web aggregator regulations in their operation. IRDAI has also come up with “Guidelines for Information And Cyber Security for insurers” to prevent cyberattacks, data and information leakage. All the insurance companies are directed to follow the guidelines and take measures for improving cybersecurity. 

Cryptocurrencies/Blockchain-Based Business:- In India, businesses functioning in this segment are diminishing. India has the second-largest number of blockchain developers which is only next to the US. The regulatory environment in India is not so conducive for crypto-related businesses. RBI in its circular in 2018 prohibited banks in the country from dealing with crypto-related exchanges and businesses. A lot of Indian startups in this space had migrated to other jurisdictions from then. Recently a committee formulated under the Finance Secretary recommended a complete ban on trading, holding, mining and using cryptocurrencies. As per the recommendation, the penalties for violation can be heavy fines or imprisonment or both. The strict and uncertain regulations in the country make it an unfavourable environment for startups in this sector. A few of them are still surviving hoping for positive regulations. However, the Indian Government has expressed its willingness to encourage the use of blockchain technology i.e the underlying technology behind cryptocurrencies. Without clear regulations, blockchain/crypto-related businesses may not come to light in India.

The Adhaar Ruling 

The Supreme Court in 2018 struck down section 57 of the Aadhaar Act. Section 57 allowed any state, corporate or person to use the 12 digit Aadhaar number to establish the identity of an individual. This ruling prevented private entities from accessing the Aadhaar data of individuals. The decision had a substantial impact on the fintech industry which was relying on Aadhaar for e-KYC. It was a major blow for payments and lending platforms in particular. This means that the fintech companies will have to go back towards the old paper-based KYC. However, the Reserve Bank of India later amended its ‘Master Direction on KYC Norms’.The direction was a result of the ordinance passed by the Government by amending the Prevention of Money Laundering (Maintenance of Records) Rules 2005 and certain provisions of Aadhaar Act 2016.

The ordinance allowed voluntary use of Aadhaar in physical (QR code) or electronic form for offline verification and eKYC, with the consent of the customer. However, only banks were allowed to use eKYC based on Aadhaar. Fintech firms still had to go with offline verification of Aadhar based on QR codes or XML files. XML files are downloadable for users from UIDAI’s website. They contain necessary details which can be shared offline for KYC purposes without revealing the Aadhaar number. This system could never replace the ease and effectiveness provided by the older eKYC methods. Fintech firms, especially from the payments sector, lost a lot of customers due to the sophisticated KYC requirements. Lately, the “Steering Committee on Fintech” submitted its report to the finance ministry for easing KYC norms through methods like video-based KYC and Digilocker facility. Digilocker is a platform for issuance and verification of documents/certificates online. Users who sign up on the platform receives a cloud storage space linked with the Aadhaar number. Positive changes in the KYC regulations can help the industry to soar new highs.

Compliance with the Information Technology Act 2000

Fintech companies are platforms existing on the internet. Hence, they are mandated to follow the directions laid down by the IT Act. Section 43A describes the liability of the body corporates to pay damages when there is negligence in maintaining reasonable security procedures for protecting the sensitive personal data of its users. Section 72A prescribes punishment for disclosure of information in breach of a lawful contract. Fintech businesses rely a lot on the personal data of individuals. Following the prescribed data protection norms are vital for avoiding legal complications. 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. It explains personal information as any information which relates to a natural person directly or indirectly, information when combined with another information is capable of identifying a person. Sensitive personal data includes data or information such as passwords, biometric data, financial data, sexual orientation etc. The rules regulate how personal data is stored, used, processed and transferred. It also mandates body corporates to prepare a privacy policy and make it available to the information providers in a clear and accessible manner. Body corporates have to obtain the permission of the information provider before any disclosure of any sensitive personal data. In addition, body corporates have to maintain security control systems and procedures for information security. The includes certifications like IS, ISO, IEC 27001.

Contracts and Intellectual Property

Although the fintech startups caused a major disruption in the financial sector, there has been a switch in the relation between traditional financial institutions and fintech businesses. They have deviated from competition to collaboration. Hence fintech firms are always subjected to partnership deals, collaborations, mergers and acquisitions. They constantly deal with contracts relating to technology and financial aspects. These include common agreements like Partnership deeds, vendor agreements, product development agreements, investor agreements, outsourcing contracts, shareholder agreements, co-founder agreements and so on. Considering the nature of the fintech industry, investment agreements and partnership deeds are the most critical agreements as fintech startups depend on a lot of investments and partnerships. For offering digital services, fintech businesses should have a well-structured privacy policy and terms of use. Terms of use are the most crucial agreement that a fintech business enters with the customers. Well drafted loan agreements are vital for the functioning of lending platforms. In the case of insurtechs, the insurance policy itself is a specialised type of contract, based on good faith, which serves as an agreement between the policyholder and the insurer. In the personal finance segment, the trustees of mutual funds enter into an investment management agreement with the asset management company.

As for any industry, intellectual property of the fintech operators should be safeguarded with the highest level of protection. Players in the fintech sector often find situations where they partner with other financial institutions and third parties. They should have adequate protection of their IP rights in various licensing and collaborative agreements. Trademarks protect the brand name and logo of the entity, copyrights protect its source code, trade secret protects the crucial business information, industrial designs protect the look and feel of things like computer interfaces and patent offers protection to the innovative business models in the fintech space.

Conclusion

It is no brainer that the fintech industries disrupted the traditional financial markets. The use of modern technologies for providing financial services greatly contributed to financial inclusion. However, uncertain regulations, consumer mistrust and lack of large customer base especially when compared to traditional financial institutions are causing complications for this sector. Traditional financial institutions have the trust of customers. Whereas it is slow to adopt modern technologies in providing its services. Each fintech firm has a unique character and it may not be a good idea to integrate policies for fintech industries and other financial institutions. Fintech businesses are constantly driven by innovation and change in technologies. Hence, the need for regulations from financial as well as technological aspects arise. Conventional players like banks have started to develop their own initiatives or engage in partnership deals with fintech firms for drawing technology into its services. 

In addition to the existing regulations, future laws like “Personal Data Protection Bill” can have a major impact on the data-driven fintech industry. Data is a lifeline for fintech startups. Modern technologies need data for launching innovative products and services. The irregularity in existing regulations led to various operational difficulties for the fintech firms. Fintech businesses selling different services are often subjected to multiple regulations from different regulators. They are forced to follow the directives of the regulators that keep on changing from time to time. A large amount of time and money is spent on complying with the changes in regulations. Regulators like RBI has been blamed for not ensuring a level playing field for these companies.  Fintech institutions are generally forced to comply with regulations designed for traditional financial institutions. The attitude of the regulators towards the fintech industry is gradually changing. They have already started considering the uniqueness of the industry. RBI, SEBI and IRDAI have started enabling frameworks for developing regulatory sandboxes for testing emerging technologies and their implications. Regulatory Sandbox has been a long-standing demand of the fintech sector. The industry hopes that the sandbox and supportive approach from the government will ensure them a level playing field along with other financial institutions. Growth of fintech companies can contribute to “Industry 4.0” and a wide-scale financial inclusion.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.