RBI’s decision to defer private umbrella entity licenses in light of data security concerns came much to sheer dismay of Tata & Reliance consortiums among other applicants, eager to venture into retail payments sector .
By Trisha Shreyashi
In a bid to boost the Retail Payment System (‘RPS’), Reserve Bank of India (‘RBI’) had come up with the proposal of “New Umbrella Entities” (‘NUE’), similar to Unified Payments Interface (UPI). While NUEs promote private participation, it became pertinent to ensure that consumer data is secured. Further, it is essential that sustainable financial principles are followed so that the motto of de-risking payments ecosystem is achieved in essence. NUE is seen as an alternative mechanism to India’s flagship processor, the National Payments Corporation of India (NPCI).
The NUE license shall be granted by RBI according to the power of authorization of payment operations conferred under Section 4 of the Payment & Settlement Systems Act (‘PSSA’), 2007. In consonance, RBI announced a draft framework to authorise pan-India NUE for RPSs. It mandates a minimum of INR 300Cr. be maintained as reserves at all times. These NUEs shall be duly registered under the Companies Act, 2013. Further, only entities owned and controlled by Indian residents staying in India in preceding financial year for more than 182 days, shall be eligible to apply as promoter/promoter group. This indicates the intention to limit the role of foreign entities, while allowing foreign investment under diktat. It is also subject to corporate governance norms and RBI retains the right to approve/appoint Directors to the Board.
These NUEs would be primarily responsible in developing new payment systems, standards and technologies, clearing and settlement mechanisms, while monitoring, addressing and preventing relevant risks and frauds. It would diversify easy payment options beside boosting transaction volumes with tremendous expansion of e-commerce. Thus, NUE could also become instrumental in furthering financial inclusion and promotion of fintech.
However, the NUE authorization has been shelved citing data storage and localization issues despite being proposed with a view to minimize concentration risks in RPS. A five member committee under the chairmanship of P. Vasudevan, Chief General Manager, RBI has been directed to review license applications, analyse macroeconomic impact and security risks in light of the proposed framework. Announced about a week ago, it shall also put forth recommendations to address the concerns thus arising.
Other impediments must also be considered to evaluate the adverse impact, if any, on the banking ecosystem. For instance: Capital, infrastructural costs, technology requirements in deploying products, settlement management & operations, rise in risks due to reconciliation & security issues, liquidity costs to support free flow of funds by customers etc. It also seems prudent to examine the impact on smaller banks. Forced to deploy additional payment instruments modeled on zero pricing strategy, they’d end up bleeding more.
Commercial banks had vehemently opposed the NUE proposal. They had urged rather to strengthen the domestic NPCI. While the idea of NUE is to expand the competitive landscape of RPS, the issue of data transfer and security involving foreign entities is indeed a bonafide objection. Moreover, the array of events that unfolded in the recent past make it prudent to notice that the concerns are not unfounded. For instance:- Failure by Mastercard, Amex & Diners Club in furnishing audit reports certifying compliance with Indian norms in regard to data storage rules.
To address the concerns, RBI announced extensive guidelines that are mandatory for all entities involved in payments & settlements to follow, to protect and prevent breach or misuse of the customer details in their database. The Personal Data Protection (PDP) Bill, under review before the Joint Parliamentary Committee, might prove to be a game changer in building a robust data storage & processing system. For the time being, India could subscribe to Global Data Protection Regulation (GDPR) to strike a balance between consumer woes and commercial interests, until a germane data protection framework for fintech is enacted.
Disclaimer: The author is a legal professional. Views expressed are personal and not necessarily that of Financial Express Online