India has been devastated by the COVID-19 pandemic, which has led to an enormous loss of life, strained the financial sector and crippled health infrastructure in the developing country. May 2021 official statistics report a total death toll of over 300,000 people, with estimates from The New York Times as high as 1.6 – 4.2 million.1 Restrictions have disrupted supply chains and driven labor shortages, hurting small businesses and macroeconomic activity,2 and the second wave of infections could delay India’s fragile economic recovery as consumer confidence shrinks, unemployment rises and medical expenses mount.3
The overall growth outlook for 2021 remains optimistic, however. India’s economy shrunk by 7.7% in 2020, but the Organisation for Economic Co-operation and Development predicts it will be the fastest-growing G20 economy in 2021, with a GDP growth of 9.9%.4 Assuming there is no third wave of COVID-19, Deloitte economist Rumki Majumdar forecasts strong economic activity in the second half of the financial year as consumer and investment spending increase, case numbers drop and vaccinations accelerate.5
Digital transformation, which sped up in response to the pandemic, will shape India’s recovery. Indeed, India ranked #4 in the “Break Out Economies” category of the Digital Evolution Scorecard 2020, developed by Tufts University’s Fletcher School in partnership with Mastercard. Banks are increasingly digitalizing their operations, digital payments have soared and e-commerce is expected to grow 84% over the next four years.6 The fintech ecosystem rapidly expanded in 2020, bringing in $2.7 billion USD in investments, and India is poised to be a global hotspot for the development of artificial intelligence-based solutions.
India’s 2021 digital agenda focuses on strengthening the payments system, exploring blockchain-based innovations and encouraging digital financial inclusion. Promoting digital financial inclusion will be instrumental in ensuring that India’s rapid digitalization does not further widen socioeconomic disparities, especially between urban and rural areas. The Ministry of Finance is also developing the “The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021,” which will provide a framework for the regulation of digital currencies, and the central bank is discussing the possibility of developing a central bank digital currency. A national cybersecurity framework would further solidify India’s ambitious goals in developing a globally competitive fintech ecosystem and digital economy.
Financial Regulatory Authorities
The Reserve Bank of India (RBI) is the central bank of India in charge of issuing and supplying the Indian rupee. The bank is the primary regulator for the commercial banking industry, as well as nonbanking finance companies.
The Insurance Regulatory and Development Authority of India (IRDAI) is an independent statutory body tasked with regulating and promoting the insurance and reinsurance industries in India.
The Central Registry of Securitization Asset Reconstruction and Security Interest of India (CERSAI) is an independent government-mandated business that facilitates operations for the country’s Registration System for the securities market.
The Securities Exchange Board of India (SEBI) regulates business on stock exchanges and protects the interests of investors.
Policy, Laws and Regulations
Central Bank Considers Possible CBDC, 22 July 2021
Reserve Bank of India Deputy Governor T Rabi Sankar addressed the possibility of an investigation into a central bank digital currency (CBDC). Speaking at a webinar, Sankar stated that the central bank might soon begin pilot tests on a CBDC, with both wholesale and retail use cases. Sankar also noted that a digital rupee could undermine the popularity of virtual currencies and protect consumers from their volatility.7
Published 26 February 2021, the Reserve Bank of India’s Report on Currency and Finance 2020-21 briefly addresses the opportunities and risks presented by CBDCs, alongside potential regulatory updates. A CBDC can encourage financial inclusion, aid in monitoring transactions and act as an instrument of sterilization in emerging markets, all of which could strengthen India’s digital economy and help it to compete with digital powerhouses like Germany and China. On the other hand, a CBDC can disintermediate the banking system, thus threatening growth and financial stability, though the report notes that a two-tier renumeration system would be an effective solution in safeguarding against this possibility. Furthermore, a CBDC and its accompanying regulations must take into account the risks of money laundering and terrorist financing. A CBDC designed to allow for anonymity at the individual level could facilitate ML/TF, so appropriate AML/CFT controls must be instituted.
The Reserve Bank of India issued a circular announcing an amendment to the Master Direction (MD) on KYC, which seeks to facilitate the use of video-based customer identification and simplify the periodic updating of KYC. The circular expands the definition of the video-based customer identification process (V-CIP) and outlines requirements on records and data management, operating procedure, and cybersecurity and resilience frameworks for regulated entities (REs).
Per the circular, “Video based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to face CIP for the purpose of this Master Direction.”
Regulated entities may utilize V-CIP to conduct customer due diligence for the onboarding of individual customers, proprietors per proprietorship firms, authorized signatories and beneficial owners per legal entity customers; the conversion of accounts opened by one-time passcode (OTP)-based eKYC; and the periodic updating of KYC for eligible customers. The data and recordings obtained from V-CIP must be stored within India, and accounts opened utilizing OTP-based eKYC may not be active for more than a year unless V-CIP is conducted. Regulated entities (REs) must take a risk-based approach to periodic updating of KYC. The updated regulation went into immediate effect.
The National Institution for Transformation India (NITI Aayog) published the report Connected Commerce: Creating a Roadmap for a Digitally Inclusive Bharat, based on a discussion series hosted by NITI Aayog and Mastercard. The report addresses digital financial inclusion, cybersecurity and the fintech ecosystem in a post-pandemic India, and outlines policy recommendations. Digital payments will be especially crucial in promoting digital financial inclusion, and regulators must enable non-banking financial companies (NBFC) to issue cards and conduct e-KYC. The report notes that the partnership between banks and non-banks is a “best of both worlds” approach that “should be allowed to flourish.”
In order to strengthen the e-commerce and digital transactions landscapes for both consumers and merchants, regulators must allow for the entry of non-banks into payment schemes, enable the increased adoption of automated infrastructure developments like interoperable QRs, encourage innovation and investment in the acquisition space and promote the development of solutions like offline payments and cloud tokenization. Cyberattacks have risen in tandem with an increase in digital transactions, and the COVID-19 pandemic drove a surge in phishing and identity thefts. The central bank must work to bolster cyber resilience while minimizing friction to user experience, and the government is currently examining a new National Cyber Security Strategy. Enabling improved information-sharing will be key in detecting and deterring attacks.
Discussion Paper on Blockchain Technology and Competition, 12 April 2021
The Discussion paper on blockchain technology and competition, published by the Competition Commission of India, addresses regulatory and policy issues that could arise from the adoption of blockchain-based technologies, amongst other matters. A key challenge will be to maintain the appropriate balance between security concerns and fostering innovation. Primary concerns include jurisdictional issues and anonymity, ambiguity about legal status and classification of organizational structure of blockchains, compliance with data privacy and protection laws, localized data processing, issues related to smart contracts and lack of a medium of exchange for executing transactions through permission-less blockchains. India’s draft Data Protection Bill 2019 poses numerous challenges to blockchain-based applications, which could prohibit their development if the bill is not harmonized. As blockchain does not allow for the erasure of data, it violates the bill’s “right to restrict or prevent continuing disclosure of personal data,” or the “right to be forgotten.” Blockchain can also operate across multiple jurisdictions, thus violating the Data Protection Bill’s requirement that personal data be processed within India. At the time of writing, the Data Protection Bill is being examined by a Joint Parliamentary Committee.
In January, the Ministry of Electronics and Information Technology (MEITY) published a draft of the National Blockchain Strategy, which overviews architecture options, the value of blockchain in e-governance, challenges to its adoption and a possible National Level Blockchain Framework. The National Level Blockchain Framework “can aid in scaling deployments for developed applications, emerge shared infrastructure and also enable cross domain application development,” and could be accessed through a National Blockchain API. National services like eSign, ePramaan (an e-authentication framework) and DigiLocker (which provides access to documents) could be integrated with the National Level Blockchain Framework.
The Reserve Bank of India issued its Governor’s Statement, which addresses future initiatives on improving the domestic payment and settlement systems. The statement proposes that the RBI-operated Centralised Payment Systems (CPSs), from which banks are currently excluded, be opened to membership for “non-bank payment system operators Prepaid Payment Instrument (PPI) issuers, card networks, White label ATM operators and Trade Receivables Discounting System (TReDS) platforms regulated by the Reserve Bank.” The statement further outlines a proposal to allow cash withdrawals for full-KYC prepaid PPIs of non-bank PPI issuers and “to make interoperability mandatory for full-KYC PPIs and for all payment acceptance infrastructure.”
The statement comes on the heels of a 05 February 2021 RBI statement that addresses initiatives to improve the domestic payment and settlement systems. The statement lays out several regulatory measures in the works, including the establishment of a 24/7 helpline for digital payment services and guidelines for operators and participants of authorized payment systems regarding cybersecurity risks in outsourcing.
Central Bank Extends Deadline for Mandatory Additional Factor of Authentication for Automatic Recurring Debit Payments, 31 March 2021
The Reserve Bank of India announced in December 2020 that it would mandate an additional factor of authentication (AFA) in the case of automatic recurring debit payments, to be instituted 31 March 2021. In response to pressure from banks, the RBI extended the deadline by six months, to 30 September 2021. Once the new requirement is in effect, banks must inform customers as to auto-debit recurring payments below INR 5000 (approximately USD $67) by card, wallet and Unified Payments Interface (UPI). Customers must approve the transaction, which will be debited automatically from then on. Transactions above the INR 5000 threshold will require the use of a one-time password (OTP). Banks will be fined 5 lakh (approximately USD $.07) for every lapse. The move comes as part of the RBI’s endeavor to bolster security of digital payments, alongside its increased adoption. In January 2021, the RBI raised the threshold for contactless recurring transactions from INR 2000 to INR 5000 (approximately USD $26.76 to $67).
Circular on IT Security for Digital Payment Products and Services, 18 February 2021
The Reserve Bank of India issued a circular entitled “Master Direction on Digital Payment Security Controls,” which lays out guidelines to strengthen IT security for digital payment products and services. Key guidelines address fraud and risk management, authentication framework, customer protection, mobile payments application security controls and card payments security standards. Regulated entities must establish a policy for digital payment products and services that addresses risk management and mitigation measures, the product or service’s inherent risk, customer experience and payment security requirements with regard to Functionality, Security and Performance (FSP), and regulated entities must appropriately identify, analyze, monitor and manage the specified risks, including compliance and fraud risks. Risk assessments must address interoperability aspects, the reconciliation process, outsourcing, customer experience, fraud risks, risks stemming from the integration of the digital platform with other systems, compliance with cybersecurity requirements, business continuity and service availability, amongst other matters. Regulated entities must also safeguard the robustness and scalability of the digital payment architecture “commensurate with the transaction volumes and customer growth.”
1. Gamio, Lazaro and James Glanz. “Just How Big Could India’s True Covid Toll Be?” The New York Times, 25 May 2021. https://www.nytimes.com/interactive/2021/05/25/world/asia/india-covid-death-estimates.html.
2. Kumar, Manoj. “Coronavirus curbs in India disrupt supply chains, stoke economy worries.” Reuters, 15 April 2021. https://www.reuters.com/world/india/coronavirus-curbs-india-disrupt-supply-chains-stoke-economy-worries-2021-04-15/.
3. Li, Shan and Vibhuti Agarwal. “India’s Covid-19 Surge to Hamper Economic Recovery.”
4. Mishra, Ankit. “Leading Experts Weigh In On Growing India’s Economy From Covid-19.” Forbes, 15 June 2021. https://www.forbes.com/sites/ankitmishra/2021/06/15/leading-experts-weigh-in-on-growing-indias-economy-from-covid-19/?sh=685047d53929.
5. Mukherji, Biman. “When will India’s economy recover from its second COVID wave? Economists are split.” Fortune, 01 June 2021. https://fortune.com/2021/06/01/india-economy-gdp-recovery-covid-second-wave/.
6. “Indian e-commerce to grow 84% in 4 years, helped by Covid-19 impact: Study.” Business Standard, 10 March 2021. https://www.business-standard.com/article/economy-policy/indian-e-commerce-to-grow-84-in-4-years-helped-by-covid-19-impact-study-121031000846_1.html.
7. “It’s time for digital currency to counter crypto, says RBI.” The Times of India, 23 July 2021. https://timesofindia.indiatimes.com/business/india-business/its-time-for-digital-currency-to-counter-crypto-says-rbi/articleshow/84662839.cms.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021