In a bid to contain the Covid-19 pandemic, governments across the world are using means and measures that would otherwise be considered invasive and illegitimate. In some countries—China and Israel, among others—the State has used phone tracking devices to monitor the movements of persons who have either contracted the virus or have come into contact with someone who might have done so. Even the European Union has relaxed some of its existing regulations governing the sharing of location data. On 23 March, the European Commission wrote to a number of the continent’s telecom operators, urging them to share anonymized and aggregated mobile phone data. This information, the commission said, was necessary for it to track how the virus was spreading and to determine where and in what areas people’s medical needs were most necessary. Indeed, as a Financial Times report pointed…
As I view things and events around the world from the comfort of my home, this blog is my take on how regulations related to technology will be impacted by the COVID-19 pandemic. As they say, sudden and unexpected events often lead to systematic and permanent changes. Work from home is a mandate now, as the fear of personal contact and surface contact is prevalent and everyone is uncertain about the impact of infection. There are even doubts about globalization, given that the infection is spreading from one corner of the world to another.
Given the fact that COVID-19 is a pandemic, the authorities have commanded us to practice ‘social distancing’ (a trending buzzword on social media) under the twenty-one-day lockdown. Hence, there is an unwillingness to engage socially among the masses now. As there are shifts in how the world is perceived now, there is a shift in the understanding of technology as well. Governments around the world are now valuing its role more than ever and understanding the need for a well-drafted technology policy, as they rush to contain the spread of COVID-19.
Following are the potential changes that we can see in the technology policy of India during and after the COVID-19 crisis.
Increase in the adoption of internet services
With the reach of the internet increasing up to 500 million users and over 660 million broadband subscriptions, internet penetration in India is much evident. However, the present situation is proof that it has been a boon for us that Jio entered the market and made the internet more accessible than ever. The internet is an essential service and something that has kept the masses engaged and sane in their homes during the nationwide lockdown. India has the cheapest internet access in the world, but still, as the crisis gets over, the government will definitely consider more options of making internet services more accessible to the poor of the country which is largely suffering in this crisis. In the present lockdown state, it is important to mention the situation that exists in Kashmir where just the 2G internet is available with the speed which is good for nothing.
India has the cheapest mobile data in the world with 1GB costing just Rs 18.5 (USD 0.26) as compared to the global average of about Rs 600, research by price comparison site Cable.co.uk showed. Average Wireless Data Usage per wireless data subscriber per month is 10.37 GB.
The Ministry of Labour & Employment has extended the deadline for filing the Unified Annual Return for 2019 under eight laws that were filed on the Shram Suvidha Portal to April 30, 2020 (the previous deadline was February 1, 2020). The notification further states that authorities are not to take action against any entity that did not meet the earlier deadline.
The Employees’ State Insurance Corporation (ESIC), through its communication dated March 16, 2020, has extended the dates for filing of ESI contribution and payment. Accordingly, all contributions for the months of February 2020 and March 2020 can be filed and paid up to April 15, 2020 and May 15, 2020, instead of March 15, 2020 and April 15, 2020, respectively.
The Government of India will contribute the employer contribution (on behalf of companies) and employee contribution (on behalf of employees of those companies) towards the Employee Provident Fund Organization (EPFO) for the next three months for establishments with up to 100 employees meeting certain base salary thresholds.
All EPFO members (employees) will now be able to withdraw up to 75 percent of their total EPFO fund or an amount equivalent to three months of their salary, whichever is lower. The amount withdrawn from EPFO shall be non-refundable, and the employees do not need to return the same to their EPFO account.
Streaming services and regulations
During home quarantine, the dependence on streaming services is so great that internet service providers have asked streaming platforms like Netflix and Amazon Prime to reduce the bit rate, in order to lower the stress on networks. The streaming platforms have duly conceded to this demand, considering the continuous requirement of providing services to consumers. Consumers are realizing the benefits of streaming platforms, and hence there is going to be a potential increase in subscriptions going forward, converting them to paying users. In terms of policy-making, if streaming services have the potential to displace traditional entertainment services, the Indian government will look to regulate the content more than ever. The government is already in consultation with the stakeholders regarding options of self-regulation or government regulation.
Increase in demand for spectrum to meet the consumer demand
The percentage of connections that are based on a wireless medium is a staggering 96% approx. The increased adoption of the internet for continuous entertainment and work at home has therefore led to increased stress on telecom operators. With the sudden 20% increase in demand, telecom operators have sought more spectrum allotment from the government.
A new perspective for e-commerce
The government has rightly considered E-commerce as the provider of essential services during the present situation. Their adequate performance under the lockdown can provide them with a deep sigh of relief, as for the past few months, their food and grocery delivery services have been under the strict supervision of the government. There are several lobbies representing the brick and mortar retailers of groceries and food that have targeted e-commerce market and posed it as a threat to the business of offline retailers across the country. The opportunity for them to legitimize the need for online service during the lockdown has done what demonetisation did for digital payments.
Offline print becomes the victim
Online media channels are also opportunists that are gaining certain traction in terms of consumers. The newspaper industry seems to have been hurt by the contact-to-contact spreading nature of COVID-19. Various online posts and WhatsApp threads circulating in online media claim that newspapers are potential vectors of COVID-19. In one of the cases, the Times Group has sent a legal notice to The Print for an article which suggested that COVID-19 can potentially spread through newspapers as well. Therefore, there could be a rise in online media usage, which could lead to a rift between offline and online media.
A struggle to contain fake news or misinformation
The sensational way in which the COVID-19 crisis has led to the nationwide lockdown is much due to the sensationalized content related to COVID-19, which is spreading through social media across the country faster than the virus itself. The amount of misinformation spreading about COVID-19 is large in scale, and platforms are struggling to deal with it, especially given the lack of continuous moderation by social media platforms, which is not warranted legally. This has dealt several blows to the effectiveness of the lockdown, given that people believed certain misinformation, such as that cow urine is the cure for COVID-19 or that religious congregation will protect from the disease, which led to people not taking the lockdown seriously. Understanding the struggles with automatic moderation of content on the internet, the government may, sooner than before, enforce its strict moderation policy, which undermines the right to free speech.
The twenty-one-day lockdown recently faltered when an exodus of a large number of migrant workers from urban cities like Delhi and Jaipur came to light. The Supreme Court’s division bench, in a hearing on Tuesday, while reviewing the steps that the central government has taken to provide relief to the poor migrant workers during the lockdown, expressed serious concern over the spread of fake news or misinformation regarding the lockdown’s duration on social, electronic and print media, causing the mass exodus of migrant workers from cities to their homes in villages. Read the SC’s order here. The Centre, in this light, has sought a direction from the SC that no media stakeholders should publish COVID-19 news without ascertaining facts with the government. However, constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.
Privacy, necessity and proportionality
While the right to free speech could be threatened in the future due to the present crisis, the right to privacy has already been dealt several blows. Considering the situation of emergency and the lack of any comprehensive law protecting privacy, the privacy of a number of citizens has been compromised. The health status of quarantined or infected persons is open to all, as their homes are being marked and personal details are being made public on social media. Governments are openly surveilling quarantined people to ensure the enforcement of quarantine, and inviting bids from technology companies to procure technology that can make continuous surveillance more effective. In India, several governments are already tracking citizens by keeping a tab on their phones or utilizing geofencing. The crisis has legitimized the government’s long-held plans to create an infrastructure which can assist in surveilling its citizens whenever the need arises. Given the opportunity, the Department of Science and Technology has invited proposals and has set up a task force for building surveillance, AI and IoT tools.
Several privacy activists have voiced opinions against the government’s plan to keep track of infected persons. If litigation arises, the question is whether the present circumstances will meet the necessity and proportionality test in order to justify the violations of privacy.
Drones as part of law enforcement
Drones, in some cities, are being used for surveillance to ensure that the current curfew is not violated. Drones allow the police to surveil and document in a low-risk manner. In cities like Chennai, they are being used to disinfect areas. If all goes well in these difficult times of crisis, then expect that police will place more orders for drones going forward, and many tasks will be automated.
One of the prime examples of the proposition that the experience of the COVID-19 crisis will speed up policy-making on the regulation of technology is the rollout of a set of guidelines for telemedicine, or the remote delivery of medical services. Telemedicine practice means that doctors will now be allowed to use information and communication technologies as per guidelines for the exchange of valid information for diagnosis and treatment of ailments with patients. In order to assure steady and quick medical services during the nationwide lockdown, the Ministry of Health and Family Welfare finally sanctioned the guidelines that had been proposed ten years ago. Globally, telemedicine has emerged as a front-line weapon against the COVID-19 pandemic. The situation under the present crisis motivated the government to promote the concept of telemedicine among the masses, explaining that the unnecessary exposure of people involved in the delivery of healthcare can be avoided using telemedicine, as patients can be screened remotely.
On the same lines, the Ministry of Electronics and Information Technology (MeITY), through an advisory, has directed all state governments to permit IT/ITeS industries to carry out essential functions, which include delivery, warehouse operations, shipping and logistics. There are cases and videos reported from several parts of the country of police officials halting and beating delivery executives in order to enforce the implementation of the lockdown. Therefore, the advisory by MeITY will help in ensuring that delivery executives and other associated employees carry out these functions. The Ministry advised the state governments to treat “copy of orders, waybills, invoices” as evidence.
Reuters had reported that e-commerce and online grocery delivery services were being disrupted across the country as multiple states have locked down to contain the COVID-19 pandemic. Section 144 has also been imposed in multiple parts of the country, making it harder for delivery personnel to operate, and for warehouse employees to get to work. Flipkart and Amazon temporarily suspended logistics services for sellers across regions, according to an Economic Times report. The problem that e-commerce companies are facing right now is that different states have come out with different guidelines on their operations during the pandemic. For instance, the Tamil Nadu government has banned home delivery services such as Zomato and Swiggy as the state goes into lockdown, but the Maharashtra government exempted food delivery as the delivery of an “essentially good”.
Therefore, the MeITY advisory will assist in providing a uniform direction to all the state governments in order to allow the operation of e-commerce deliveries of essential services across the country.
Other important things to know
Further, for the general information of the reader:
As per guidelines,
Commercial and private establishments will be closed. (such as shopping malls, private outlets etc.)
Shops, including ration shops (under PDS), dealing with food, groceries, fruits and vegetables, dairy and milk booths, meat and fish, animal fodder/ district authorities may encourage and facilitate home delivery to minimize the movement of individuals outside their homes/ Banks, insurance offices, and ATMs/ Print and electronic media Telecommunications, internet services, broadcasting and cable services/ Delivery of all essential goods including food, pharmaceuticals, medical equipment through E-commerce.
Offices of the Government of India, its Autonomous/ Subordinate Offices and Public Corporations shall remain closed.
Police, home guards, civil defence, fire and emergency services, disaster management, and prisons/ District administration, Electricity department, water, sanitation Municipal bodies (Only staff required for essential services like sanitation, personnel related to water supply etc)/ Hospitals and all related medical establishments, including their manufacturing and distribution units, both in public and private sector, such as dispensaries, chemist and medical equipment shops, laboratories, clinics, nursing homes, ambulance etc. will continue to remain functional/ Transportation services for medical purposes will be permitted.
The Ministry of Home Affairs issued an addendum to the guidelines to include more services/activities that have been exempted from the 21-day nationwide lockdown. The following additional services have been exempted: [The post has been updated on 26.03.2020]
The Government “Treasury” has already been exempted vide the guidelines issued yesterday. It is now clarified that the term “Treasury” would include Pay & Accounts Officers, Financial Advisors, field offices of the Controller General of Accounts;
Further, it has been added that the RBI, RBI Regulated financial markets, entities such as NPCI and CCIL, payment system operators and standalone primary dealers would also stand exempted;
IT Vendor for banking operations, Banking Correspondent and ATM operation and cash management agencies;
Shops for seeds and pesticides;
Data and call centres for Government activities only;
Operation of Railways, Airports and Seaports for cargo movement, relief and evacuation and their related operational organisations;
Inter-state movement of goods/cargo for inland and exports;
Cross land border movement of essential goods including petroleum products and LPG, food products, medical supplies; and
Veterinary hospitals, pharmacies (including Jan Aushadhi Kendra), Pharmaceutical research labs stand exempted.
Punishment for violating the lockdown order
The guidelines strictly note that-
“Any person violating these containment measures will be liable to be proceeded against as per the provisions of Section 51-60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC.”
Section 188 of the Indian Penal Code provides two offences and their punishments as follows:
Disobedience to an order lawfully issued by a public servant, if such disobedience causes obstruction, annoyance or injury to persons lawfully employed. Punishment: Simple Imprisonment for 1 month or fine of Rs 200 or both.
If such disobedience causes danger to human life, health or safety, etc. Punishment: Simple Imprisonment for 6 months or fine of Rs 1000 or both.
Section 3 of the Epidemic Diseases Act provides for a penalty on any person found to be disobeying any regulation or order made under the law; such a person would be deemed to have committed the offence under Section 188 of the IPC. Therefore, those violating the lockdown orders can face legal action under the Epidemic Diseases Act, 1897, which lays down punishment as per Section 188 of the Indian Penal Code, 1860, for flouting such orders.
Note from the author: The blog started with the aim of simplifying and compiling laws related to technologies for the understanding of everyone. The keyword that motivated the author to write on such topics is the uncertainty behind the laws that regulate technology. However, this post has been different and dealt with the simplification of certain other issues as well. It is again the uncertainty behind the present times that has motivated the author to write this blog piece. The uncertainty related to the magnitude of the damage due to the corona outbreak may result in more such unprecedented laws and guidelines from the government. The author will continue to simplify them for the understanding of everyone. A very little contribution to society in these difficult times. Let us fight this together. Stay home, stay healthy.
The significant advancements in Fintech are directly impacting on the traditional financial sector. The regulators had to be cautious in order to not miss the train and should jump on the wagon of promoting financial innovation and stiff competition in the sector. The newcomers in the sector should be provided certain leniency in form of exemptions from a number of strict compliances which are used to curb the malpractices of the big corporations, for the sake of promoting competition in the market. This post is dealing with key takeaways from reports of different regulators’ committees in India. This is the last post in the series of ‘Simplifying FinTech and FinTech Laws’.
Fintech charged firms and businesses must work in tandem with the regulated entities, e.g. banks and regulated finance providers. The businesses that a bank can undertake are provided under Section 6 of the Banking Regulation Act, 1949 and there is no business outside Section 6 that can operate as the bank. Such provisions, therefore, incentivize banking companies to make fintech innovations in a narrower scope relevant to their operations. The archaic laws make it difficult for banks to undertake fintech innovations that can be of significant utility but are beyond the scope of financial regulation.
The Watal Committee Report noted that:
“The current law does not impose any obligation on authorised payment systems to provide open access to all PSPs. This has led to a situation where access to payment systems by new non-bank payments service providers, including FinTech firms, is restricted. Most of them can access payment systems only through the banks, which are also their competitors in the payments service industry. This, according to the Committee, has restricted the fast-paced expansion of digital payments in India by hindering competition from technology firms.”
Forming a comprehensive and non-discriminatory regulatory approach
Regulators and legislators are required to realign their legal approach to Fintech services. There is a need to develop a deeper understanding of various Fintech services and their interaction in a financial environment with other fintech services. For the fintech space to work to its utmost potential, it needs a level playing field in relation to the traditional banking and non-banking players. The practice of restricting the access of non-bank institutions to payment infrastructure, such as AEPS, has to be reevaluated and the proper steps taken. The Government and Regulatory bodies should adopt the necessary measures to provide accessibility to national payment infrastructure and facilities to all fintech firms without any discrimination.
Providing Standards for Data Protection and Privacy
All the fintech companies are required to invest significantly in self-regulating policies to prevent privacy risks. Fintech companies should be provided with the standards of data protection as soon as possible by government and regulators. It is evident that the provisions of the Personal Data Protection Bill, 2019 can significantly affect the growth of Fintech companies. Therefore, the standards adopted for fintech companies by regulators should be reviewed with respect to data protection and privacy concerns. The government and regulators specific to finance of the country should start focusing on the valuation of data that is processed by banking companies and recommend practices to safeguard consumer interests.
Open Data principles should govern the financial sector in order to enhance Competition
The regulators should pay heed to the open data policy among participants of a fintech sector. The regulators should begin with the mandatory norms directing financial service companies to encourage banking institutions to enable participants to access the databases of their rejected credit applications on a specific platform on a consensual basis. The practice of the UK with respect to Open Data Regulations in Banking can be adopted, where banking institutions on the basis of consent framework allow data to be available to banking partners in order to foster competition. Even the RBI Steering Committee on Fintech recommended:
“It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.”
The KYC process should be reformed with respect to the Supreme Court’s Judgment on Aadhaar’s validity
Fintech businesses are the entities most affected by the striking down of Section 57 of the Aadhaar Act, as it invalidated the online KYC process. The online KYC and authentication provided the required efficiency and convenience to fintech firms with respect to their endeavours of on-boarding as many consumers as possible on their digital platforms. It is recommended that alternatives to the mandatory linking to Aadhaar should be adopted in the form of possible video-based KYC, such that the documents as verified must be protected and processed with the prior consent of the consumer.
Other key recommendations
1. It is recommended that the adequate cybersecurity, anti-money laundering and fraud control measures should be adopted by investing in technologies and guidelines that can prevent fraud.
2. Technical innovations should be monitored with respect to the potential risk that innovation carries in operation under the contemporaneous legal landscape of the country.
3. A self-regulatory body to facilitate the needs of fintech is much needed as for the RBI it is still turning out to be difficult to replace the existing regulatory structure. A regulatory mechanism allowing the broader participative consultation approach should be adopted.
4. Regulators should invest in Reg-Tech (“Reg Tech is a sub-set of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In July 2015 the FCA issued a call for input entitled ‘Supporting the development and adoption of Reg Tech’.”)
5. The majority of economies have adopted the practice of setting up of the regulatory sandboxes catalyzing the fintech innovations. It is recommended that RBI should continue with the introduction of the mechanisms, like regulatory sandboxes, enabling the adaptation of regulatory initiatives which will play a key role in maintaining India’s competitive edge.
No industry in the economy can boom unless it is supported by the Government in the country it wishes to further expand in. A fine line exists between regulation and obstacles for the industry to boom. In light of this, the Government of India has begun to take initiatives and steps toward the stronger building of fintech in the country, paving the path for this industry to a brighter future. This post will give you a brief overview of all the regulatory initiatives that the Government and Regulators have taken to promote the FinTech in India. This is the fourth post in the series of ‘Simplifying FinTech and FinTech Laws’.
Fintech in the past decade has expanded rapidly. What once emerged merely as an intersection point of financial services and technology has now become an important aspect of India’s economy. With the vision of the country towards a digitized and less dependent economy with ‘make in India’, fintech has gained a larger space to expand in and function smoothly. According to the NASSCOM Report ‘Fintech Landing- Unlocking Untapped Potential’, it is initiatives in India that have led India to emerge as a leader for the fintech industry worldwide. According to this research by NASSCOM, India alone harbours 2% of the largest start-up base for fintech in the world and also leads in the rate of adoption of fintech at 87% adoption rate.
Not only the initiatives by the Government adversely affect the success of the fintech industry in the country, but the allied regulators of financial institutions play a role as well. These include regulators such as SEBI, RBI, Insurance Sector, etc. Such an encouraging atmosphere for the development of fintech in the country has increased faith in fintech among the consumers in the country, for easier and grass-root adoption and acceptance of fintech.
Initiatives by the Central Government
Encouragement for the Start-Ups
With policies such as make in India, and to boost the Indian economy, start-ups are increasingly supported by the Government. In 2015 itself, over 12,000 start-ups in the area of fintech emerged across the world. In India, the initiative to support the start-ups was launched by the Central Government in 2016, reserving USD 1.5 billion funds to support the start-ups. Under the increased support the start-ups began to receive in the country, there are more than 600 startups in fintech at present in India. It is in light of such an initiative begun by the Government and supported by the allied stakeholders that India progresses towards the vision of a completely digitalised economy, promoted innovation and a leading economy with sustainable growth.
In further aid of this initiative, the Government has now introduced tax reliefs such as a 3-year exemption from paying tax for the start-ups, along with other exemptions, credit guarantee, etc.
Digitization of the Economy
The current Government fiercely promotes the digitization of the economy. Whether intended or not, the unprecedented demonetization has acted as nothing less than a catalyst in increasing digital payments in the country. Having experienced the benefits of digital payments, the country now increasingly uses them rather than retreating back to physical currency. Such an environment is an ideal environment for the fintech ecosystem to thrive in.
Apart from the policies of the Government to support the fintech, taxing regime plays a major role in the growth of the fintech industry in the country. The 2016 Budget introduced tax rebates for those traders who transacted more than 50% of their bill digitally. The Ministry of Finance further proposed withdrawal of surcharge on digital payments of cards and online used to avail government services. The surcharges as of now stay relaxed.
Protection of Intellectual Property
The fintech start-ups are supported with ease in the acquisition of intellectual property (IP). The facilitation in the acquisition of trademarks, patents, designs, etc. has led to an increase in the start-ups under the fintech industry in the country. Moreover, under the start-ups initiative, the Government offers 80% rebates for the patent costs required for the start-ups.
The Government’s plans to accelerate the economy of the country with digital India and Smart Cities have led to an increase in reliance upon fintech in the country more than ever. Not only is the local fintech industry expected to benefit out of this, but outsourcing and foreign investment are also expected to increase, furthering the advancement of the fintech industry in the country.
National Payments Council of India
It is the umbrella organisation for all retail payments in India, under the guidance of RBI and Indian Banks Association. With the increase of multiple usages of mobiles in India and increased acceptance of Unified Payment Interface (UPI), the way was paved for the National Payments Council in India (NPCI). The expected userbase of smartphones by 2020 is 500 million. Thus, the digital footprint is expected to rise as well. Initiatives by the NPCI such as that of Rupay Cards have led to fintech adopting such technologies, penetrating further into the traditional banking system in the country.
India Stack is a set of Application Program Interfaces that allow entities such as businesses, start-ups, governments and developers to engage in the utilisation of the digital infrastructure. This unique feature of India Stack helps to solve problems at the ground level in India and promote the paperless, cashless and presence-less delivery system in India. India Stack mirrors the support system offered to the telecom industry back in the 1990s for the fintech industry in the country. This has enabled the manifold increase in fintech in the country and has facilitated easy adoption of fintech by the innovators, entrepreneurs, other industries and companies. However, after the Aadhaar judgment, the India Stack programme has stopped.
Initiatives by Financial Market Regulators
The role of the financial market regulators (FMRs) has gravely impacted the fate of the fintech industry in the country. Some of the primary FMRs are discussed herein:
Reserve Bank of India (RBI)
One of the most recent initiatives by RBI for the adoption of fintech in the financial market is the allowance to set up the regulatory sandbox. This refers to the controlled environment in which live testing of digitally innovative techniques may be conducted in the arenas of e-KYC, retail payments, management of wealth, etc. RBI has also acknowledged the possibility of fintech disruptions in the financial market, in light of which certain regulatory norms have been introduced. However, it is to be noted that these are purely regulatory in nature, for the benefit of the consumers and fintech industries, without creating a hurdle for the boom of the fintech industry. Moreover, to better understand the nitty-gritty of fintech in influencing the traditional financial market, RBI set up an inter-regulatory working group to come up with an appropriate framework for fintech without disrupting its functions. RBI in 2017 released a ‘Report on Working Group on Fintech and Digital Banking’ acknowledging fintech to be a point of attention in today’s era and an uncertain regulatory regime to stunt its growth. Thus, RBI persuades other sectors to be better apprised of fintech to come up with a better and definable regulatory regime so as to not cause unprecedented or unforeseen loss to this industry and continue with its growth.
However, with no uniform set of guidelines and no particular authority to govern fintech, fintech at present faces loss in this area. The aforementioned market regulators have their own policies for fintech which often overlap and defeat the purpose of facilitating policies to obstacles fintech needs to overpower to ensure its smooth functioning. The grey areas of fintech need to be urgently addressed so that the booming growth does not reduce to stunted growth of the industry India is expected to lead in future. It is expected that, with RBI’s report and the acknowledged lacuna in the current fintech ecosystem, changes will soon begin to take place across all sectors in the financial market to ease the functioning of fintech for greater benefits.
The RBI has also introduced several small fintech spaces in order to invite comments from general stakeholders before issuing any regulation governing new technologically innovative financial products. The RBI has released a ‘Draft enabling Framework for Regulatory Sandboxes’ which proposes guidelines on governing regulatory sandboxes to be established by RBI to check on the R&D of new fintech products and services.
The RBI, as well, has recognized the need for confidentiality and data protection. The RBI’s “Master Circular on Mobile Banking Transactions in India” states that “technology used for mobile banking must be secure and should ensure confidentiality”.
Below is a table that represents how well such fintech regulatory sandboxes are faring. This is an independent research initiative by the author.
Name of the Regulator
Date of Starting
Sandbox Name/ Project Name
Number of Participants
The United Kingdom
Financial Conduct Authority (FCA)
Launched in October 2014; first cohort of applications opened in May 2016
The regulatory sandbox is a part of the project called Innovate by FCA
The Treasury Laws Amendment (2018 Measures No. 2) Bill 2019 (Bill) could provide an example of ideal specific legislative framework related to Fintech Sandboxes given the number of benefits it proposes. The Bill aims to enhance the existing regime by enabling more businesses to test a wider range of financial products and services, for a longer period of time. The Federal Government anticipates that this will help drive competition in the financial services industry, incentivising financial providers to be more responsive to the needs of consumers. While the Bill broadens the types of credit products and services which are eligible for the regime, it simultaneously imposes stricter requirements on credit services which are already subject to the regime. Sources referred: ASIC expands Sandbox Regime https://www.lexology.com/library/detail.aspx?g=825aafdb-0cf4-4dfd-b6b0-be411bb5f957;
Bank Negara Malaysia (BNM) through its cross-functional group the Financial Technology Enabler Group (FTEG)
De Nederlandsche Bank (DNB) and Dutch Authority for the Financial Markets (AFM) as per their MoC (Memorandum of Cooperation)
Launched in January 2017
‘Regulatory Sandbox’ under the Innovation Hub
There is no specific register or data available for the number of entities that are strictly part of the Regulatory Sandbox (even in their guiding paper released in December 2016, they specifically stated in Section 4, at Pg. 5, that “such requests are confidential and will be treated as such”). However, the regulators have shared that a total of 650 queries had been received by the Innovation Hub and Sandbox together till 28th August 2019 (Source: Report DNB-AFM, Continuing Dialogue, InnHub and RegSandbox: lessons learned after three years, https://www.dnb.nl/en/binaries/Continuing%20dialogue_tcm47-385301.pdf).
The presence of SEBI has largely affected the financial market for over two and a half decades now. The interface of technology in the financial market has only led to a rise in the financial sector. It has led to efficiency in the system of trading, reduced costs of transactions and an increase in the consumer base. Not only this, technology has played a significant role in democratising the financial market. While these remain the immediate effects of technology felt as it entered the financial market, machine-based and algorithmic trading are more recent. SEBI has warmly welcomed technology in the market with screen-based trading, dematerialisation of shares and its use as a platform to offer nationwide trading. The capital market in India, with such innovations backed by SEBI, has witnessed a transformation in recent years.
Innovation in the insurance sector has always been thought about twice, such that its adoption has remained the slowest in this sector of the financial market. However, in the past decade, with the rise of fintech, the regime of the insurance sector has changed, especially with digital channels and process automation. Technology has further led to the addition of a personal touch and customised services for consumers. Fintech has led society increasingly to repose faith in the insurance sector due to customised services and cost-effective functions. Fintech has ensured that start-ups in the insurance sector do not act as a tool of disruption and spread a sense of insecurity amongst the existing companies, but act as collaborators, collating the efforts of all and directing services for the benefit of consumers.
Over the years, the financial services industry has become increasingly regulated in terms of adoption of technologies for facilitation and disintermediation of transactions. The extensively fragmented laws and regulations certainly make it difficult for any person and entity to objectively find the mandatory requirements that a law imposes upon them. This post will give you a brief overview of fintech laws and the various ways in which they govern our digital transactions. This post is the third one in the series of ‘Simplifying FinTech and FinTech Laws’.
The legal topography that regulates Fintech services in India is widely distributed, and there is not a single comprehensive regulation or legislation that governs the Fintech industry in the country. The lack of a complete and comprehensive single set of guidelines or regulations makes it hard to refer to the actual authorities that are supposed to govern Fintech in India. The legislative or regulatory framework, whichever it is, primarily comprises:
The Payment and Settlements Act, 2007
The sources of law that actually govern payments in the Indian jurisdiction are the Payment and Settlement Systems Act, 2007 (PSS Act), the Payment and Settlement Systems Regulations, 2008, and the rules issued thereunder. Basically, these are the statutes from which India’s central bank, the Reserve Bank of India, derives its power to function and regulate the payment and settlement system in India. In accordance with the PSS Act, the RBI has wide discretionary powers to issue orders, directions and rules to financial systems established in India. There are several pending recommendations to change the PSS Act and form a new regulatory board named the Payments Regulatory Board (PRB), while the necessary amendments to the PSS Act are still awaited.
As per the PSS Act, any person, including non-banking financial companies (NBFCs), who wants to undertake the operation of a payment system may do so upon obtaining authorization from the RBI. The Act provides several eligibility criteria that must be fulfilled by the person or company wishing to operate a payment system. Further, technology facilitators between merchants and banking institutions (that process and settle the transactions), known as ‘Gateway Service Providers’, do not have to acquire any authorization from the RBI. For instance, common gateway service providers are BillDesk, RazorPay, InstaMojo etc.
The PSS Act is the primary legislation that governs the regulation of payments in India. The PSS Act defines a “payment system” as follows:
“a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”.
Master Direction on Issuance and Operation of Prepaid Payment Instruments
Prepaid Payment Instruments (PPIs) are pre-loaded values (basically your PayTM or Freecharge wallets), and in some cases that value can be utilized as payment for a specified purpose only (basically Ola Money). PPIs hold value in a specified form, which facilitates payment for goods and services and, in certain cases, person-to-person remittance of money, e.g. sending money to your friends or family members. As defined in Rule 2.3 of the Master Directions:
“PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.”
The Master Directions were issued by the RBI on October 11, 2017, and have been amended from time to time. They provide the eligibility criteria that PPI issuers are required to follow, the thresholds for debits and credits that can be made using PPIs, and the other operational obligations that a PPI issuer must fulfil when issuing such instruments to its customers in India. PPIs come within the ambit of the term ‘payment system’ as provided under the PSS Act and hence have to comply with both the PSS Act and the Master Directions. PPIs include brand-specific gift cards, e-wallets like PayTM wallet, Freecharge and Mobikwik, shopping or travelling cards issued by the banks themselves, etc.
NPCI Guidelines governing the UPI Payments
UPI payments are governed through the Procedural Guidelines related to UPI and the Operating and Settlement Guidelines related to UPI, as issued by the NPCI. As per the contemporary governing framework, only banks have the scope to provide UPI payment services to consumers. Banks are authorized to integrate the UPI platform into their payment systems. They operate over the UPI platform by engaging the services of a technology provider; in such circumstances the Guidelines subject such technology providers and the banks to strict compliance with certain norms as prescribed by the NPCI.
“The Unified Payment Interface enables architecture and a set of standard Application Programming Interface (API) specifications to facilitate digital payments using a mobile phone.”
Regulations related to Non-Banking Financial Companies (NBFCs)
The primary legislation that governs NBFCs is the Reserve Bank of India Act, 1934, followed by secondary master directions, rules, guidelines and circulars which regulate the licensing and operation of such companies in India. The RBI has formed a set of thresholds that must be met in order to determine whether a business entity is to be classified as a “financial services company”, which also requires a license. The majority of lenders that operate digitally fall under the ambit of the term ‘NBFCs’. The most important regulations that holistically govern NBFCs are the Master Direction – Non-Banking Financial Company – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016, the Master Direction – Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016, and the Master Direction – NBFC – Acceptance of Public Deposits (Reserve Bank) Directions, 2016.
Master Directions related to P2P lending platforms
The Master Directions - NBFC - Peer to Peer Lending Platform Directions 2017 incentivized a whole lot of activities for P2P platforms. They allow a P2P platform to act as an intermediary, provided that it complies with certain strict legal requirements and conducts proper due diligence of the participants that use the platform to finance or borrow. The Master Directions make it mandatory for P2P portals to assess creditworthiness, perform risk profiling of the borrower’s business or project, and actively share the disclosures with potential investors or lenders. Further, RBI regulations bar P2P platforms from lending, raising deposits or cross-selling any product over the portal. They are not required to facilitate any credit guarantee or secured loans. Cross-jurisdictional flows of funds are barred as per the Master Directions. Therefore, in toto, the Directions prescribe the norms that govern lender exposure and aggregate borrowing thresholds in the context of the workings of P2P lending platforms in the country.
Guidelines to govern Payment Aggregators/Intermediaries
The RBI’s circular on “Directions on opening and operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries” dated November 24, 2009 (“Payment Intermediary Circular”) lays down the legal framework that applies to the operation of payment gateways and intermediaries in India. Such intermediaries are strictly required to comply with the guidelines on the operation of intermediary systems in India as provided under the Payment Intermediary Circular.
According to the RBI’s recent discussion papers, it has been suggested that payment gateways and aggregators form a significantly critical link in the transaction flow, and hence it is required to regulate their activities as falling under the ambit of the PSS Act, 2007. The RBI has provided that the established contemporary guidelines governing payment intermediaries and gateway providers have to be reviewed in its Monetary Policy Statement for 2018-19.
RBI Guidelines on Payment Banks
The Guidelines on operation of Payment Banks and the Guidelines for Licensing of Payment Banks, as provided under the RBI’s governing framework, set out the regulations and measures related to the licensing and operation of payments banks in India. The guidelines, among others, lay down the criteria for eligibility for registration or permissible operation and other such rules that govern the working of payment banks. The Reserve Bank of India states the purpose of setting up Payment Banks as follows:
“Reserve Bank of India says ―The objectives of setting up of payments banks will be to further financial inclusion by providing (i) small savings accounts and (ii) payments/remittance services to migrant labour workforce, low income households, small businesses, other unorganised sector entities and other users.”
Anti-Money Laundering (AML) Regulations and Know Your Customer (KYC) Regulations
Know Your Customer (“KYC”) is a term that indicates the customer identification process. The KYC norms include the prudential efforts made to ascertain the identity and ownership source of accounts, the source of funds, the nature of the customer’s business, and the accountability of operations in the account in connection with the customer’s businesses, etc., which further assists banking institutions in managing risks reasonably. The purpose of the KYC guidelines is to prevent banks from being used by criminal elements for money laundering.
The Reserve Bank of India issued the guidelines to banks under Section 35A of the Banking Regulation Act 1949 and Rule 7 of Prevention of Money-Laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005.
The key regulatory guidelines that prescribe anti-money laundering (AML) norms for fintech services in India are part of the PMLA, the PML Rules and the KYC norms included in the Master Directions.
Data Protection Regulations and Rules
Fintech is a data-driven industry, due to which it faces challenges and risks related to data ownership and security. Such risks can be overcome only by taking certain legal and technical measures. There is a choice of cybersecurity measures, such as data labelling, optional information sharing and identified data shareholding, which can be the response to the various data-driven challenges that the fintech space is facing.
Unauthorized access to customers’ data is a threat to data privacy, which actually violates the fundamental right to privacy, and is therefore a significant challenge to Fintech platforms that engage in gathering and storing several forms of financial and behavioural data. India, right now, doesn’t have any comprehensive legislative or regulatory framework that governs data protection. The Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, currently provide for the obligations of corporations or businesses to take reasonable measures to protect the personal data of consumers.
Further, the draft Personal Data Protection Bill, 2018, which is in the pipeline, can be best described as follows:
“The draft Personal Data Protection Bill (2018) contains provisions that go beyond just the requirements of the IT Rules. The Bill specifies a notice and consent framework with explicit consent in the case of sensitive personal data. Explicit consent is understood as consent that is informed, clear, and specific along with being free and capable of being withdrawn.”
On 23rd October 2019, the Delhi HC delivered an impactful judgment authorizing Indian courts to issue “global takedown” orders to Internet intermediary platforms like Facebook, Google and Twitter against illegal content uploaded, published and shared by their users. The Delhi HC delivered the judgment on the plea filed by Baba Ramdev and Patanjali Ayurved Ltd. requesting the global takedown of certain videos which are defamatory in nature.
The Court passed the order in the context of its observation that there is a ‘hare and tortoise race’ between technology and law such that the ‘technology gallops, the law tries to keep pace’. This observation reflects the Court’s intention to interpret IT law in a manner that will ensure the effective implementation of judicial orders throughout the internet jurisdiction and mitigate the circumvention of such orders by the use of advanced technology.
However, the Court’s order is attracting criticism globally from several internet-freedom activists. It seems that the Court has made a hasty attempt to win the ‘hare and tortoise race’ and has missed considering its far-reaching implications for IT law jurisprudence and conflict of law provisions. This article aims to analyze and indicate the significant points that the Court failed to consider in its judgment while relying on the unsettled jurisprudence of global injunction orders.
Background- The case of Swami Ramdev v. Facebook
In Swami Ramdev v. Facebook [CS (OS) 27/2019 – Delhi HC], Swami Ramdev (a prominent yoga guru and public figure) filed a case before the Court against Facebook, Google, YouTube and Twitter, inter-alia, praying for the global take down of defamatory contents (videos) as uploaded, published and shared by users of these intermediary platforms.
The given case stems from the publication of videos on the defendants’ platforms, which are based on those particular offending portions of the book titled “Godman to Tycoon: The Untold Story of Baba Ramdev” by Priyanka Pathak Narain that are already subject to an ad-interim injunction granted by the Court in Swami Ramdev v. Juggernaut Books [CM (M) 556/2018] in May 2018.
Subsequently, in January 2019, the Court passed an interim injunction against the defendants’ platforms to disable access to the offending URLs and weblinks for the Indian domain as per Section 79 of the Information Technology Act, 2000, [hereinafter referred as IT Act 2000] i.e. ordered geo-blocking.
However, the plaintiff argued that the geo-blocking is an ineffective solution as the objectionable content is widely available on the global internet and internet users in India can still access such content using VPNs and other such mechanisms. Therefore, the only effective remedy, according to the submission of plaintiff, is to issue a global blocking order.
Internet intermediaries have contended against such a global take down mechanism as it poses a number of technical and legal difficulties for them. Firstly, cross-jurisdictional laws vary in standards for determining defamation, and hence disabling access globally will breach the principles of international comity. Secondly, in order to globally disable access to the content, the intermediary platforms have to monitor every upload on their platforms which is technically difficult and legally wrong.
The Delhi HC’s Judgment
The Court, agreeing with the plaintiffs’ submission, went on to hold that online intermediary platforms can be ordered to take down content globally by a competent court in India, as the content is published on their global services. It observed that complete removal is needed because there are easy-to-use technology applications widely available that help local users circumvent geo-blocking and render the take-down order useless. Therefore, an absolute removal globally is an absolute remedy, as per the Court’s observations.
Further, the following directions, in brief, have been put forth by the Court to support its order:
The Court broadened the interpretation of Shreya Singhal v. Union of India: As per the Court, Section 79 of the IT Act 2000 provides that in order to avail the safe-harbor immunity, “intermediaries have to take down and disable access to the offending material residing in or connected to a computer resource in India”. It interpreted the definition of ‘Computer Resource’ as given in the IT Act, such that the “Computer Resource” as per the judgment “encompasses within itself a computer network, which would include a maze or a network of computers. Such a computer network could be a global computer network”.
Global take downs are technologically possible: The Court held that whenever any content violates the community standards of the internet intermediary platforms, such content is taken down globally by the platform on its own. Therefore, it observed that it is technologically possible for the platforms to take down content globally on the orders of the competent courts as well.
Application of IT Act in extra-territorial jurisdiction: In order to justify the global take down, the Court explained that, “a perusal of Section 75 of the Act shows that the IT Act does have extra territorial application to offences or contraventions committed outside India, so long as the computer system or network is located in India”. Therefore, the Court held that as long as the content has been uploaded from the Computer Resource located in India, Indian courts will be competent to pass the global injunction/ take down orders.
Allowing the direct ‘Notice-and-Takedown’ mechanism for future uploads of the objectionable content: The Court has held that the plaintiffs can approach the intermediaries directly if they find the questionable content published again on the online platforms in future. However, the Court has provided the option of a counter-notice system for intermediaries, by opting for which the intermediaries can refute claims of illegality and shift the onus of proof back onto the plaintiffs, after which the plaintiffs will have to approach the Courts for an appropriate remedy.
Observations: the Loopholes, Unsettled Jurisprudence and the Comment
It is completely understandable that the Court is favouring the global take-down order to make its injunction orders against global services more effective. Unfortunately, in its broad evaluation of the legal feasibility of the global injunction order and the technological capabilities of intermediaries to obey it, the Court missed considering certain very significant arguments:
Use of VPNs the other way around: The Court agreed with the plaintiffs’ argument that, due to the wide availability of easy-to-use applications like VPNs, geo-blocking is circumvented. However, it didn’t consider circumvention the other way around, in which a user can upload the content using a VPN or other web proxy services, and can thereby easily fake the IP address to make it look as if the content is being uploaded from outside India, negating the Court’s jurisdiction. Therefore, a global takedown order, even prima facie, doesn’t seem to be the appropriate remedy.
In denial of the principle of international comity and right to information: Cross-jurisdictional defamation laws vary on a large scale. If global takedowns are mandated, the platforms will be wary of falling foul of the law in other countries. For example, if Indian courts mandate the global takedown of content which is not at all questionable as per the laws of certain countries, the takedown order will be in contravention of the right to information of citizens of those countries. Not respecting the laws of another country amounts to a breach of the principle of international comity and conflict of laws.
Without due consideration of the rights to free speech and privacy: The Court failed to understand the technicalities involved in the operation of global take-down orders: the intermediary platforms would have to start monitoring each and every piece of content that is uploaded in order to stop its dissemination globally. This will further impose the risk of private censorship on the Internet and affect the right to free speech and privacy of users. Such constant and close monitoring has been held as not warranted by law in various precedents of Indian courts.
Shifting away from the law established by the Manila Principles on Intermediary Liability and Shreya Singhal case: The Court has allowed plaintiffs to directly approach the intermediary platforms in case of re-uploading of the objectionable content in future. This is a great shift away from the existing process under Section 79 of the IT Act, 2000 as established by the Supreme Court’s landmark judgment in the Shreya Singhal case, which requires intermediaries to take down or disable the access to the content only in cases of receiving an order from either the government or the Court to do so. The same is considered global best practice according to the Manila Principles on Intermediary Liability.
The question of extraterritorial application of the IT Act in the present case: As per Section 75 of the IT Act 2000, it is clear that the Act applies extra-territorially to certain offences or contraventions committed outside of India if the same is committed using “a computer, computer system or computer network located in India, the contraventions as contemplated under the Act are provided for in Sections 43, 43A, 66A, 66B, 66 66E and Section 66F.” Defamation is not covered in any of these provisions.
Heavy reliance on the unsettled jurisprudence
The Court has heavily relied on certain foreign judgments while reaching the conclusion in its own judgment. The issue with the same is that the jurisprudence around geo-blocking and global injunctions is unsettled and still developing; with the Delhi HC’s order adding more confusion to the same.
The Court has relied on the case of Google Inc. v. Equustek Solutions Inc., which is living proof of the unsettled jurisprudence. The Supreme Court of Canada ordered Google to de-index listings from its search results in order to provide protection to trade secrets of a subject from Google globally. While the Supreme Court of Canada upheld a global injunction against Google, the US Court sided with Google, ruling that the Canadian order “threatens free speech on the global internet”.
The Court also relied on the case of Eva Glawischnig-Piesczek v. Facebook Ireland Limited, in which the CJEU ordered Facebook and other platforms to remove questionable content and copies of the same, and to block access to the same, globally. While emphasizing that case, the Delhi HC didn’t consider at all the CJEU decision in the case of Google v. CNIL, in which it was held that Google is not required to de-reference listings from its global service just because the content has been declared to be illegal by an EU member state.
It is clear that the Delhi HC left a lot unconsidered before delivering the judgment, from the complexities of territorial jurisdiction to the difference in the nature of cross-jurisdictional laws. In the present case, the Court mainly failed to understand the varying nature of defamation laws across jurisdictions: in the UK, the burden of proof is on the defendants to prove that the content is not defamatory, while in the US, a heavy onus of proof is placed on the plaintiff.
The Court also failed to consider certain very important foreign judgments which have specifically highlighted the issue of difference in the nature of law. In Google v. CNIL, CJEU held that the ‘right to be forgotten’ (which was the main issue in the case) has differences in standards for its application and interpretation around the world. Therefore, it agreed that it is enough for Google to block access to the questionable content from the EU domain only. Further, in Bachchan v. India Abroad Publications Inc., the Supreme Court of New York County refused to enforce a defamation judgment awarded by the High Court of Justice in London, England, ruling that it will be a threat to the free speech protections as offered by the First Amendment to the US Constitution.
Unarguably, internet jurisdictions have always been a challenge for the courts and governments. Courts have always been behind technology in the race and unable to assert absolute jurisdiction. This risks turning the internet into a proverbial ‘wild west’ with no single comprehensive applicable law. The fact that an injunction against an intermediary operates on a global scale does not necessarily make it invalid and aggressive. After all, the limited denial of access in the local domain is not protecting the underlying rights at stake; global takedown seems the right method to ensure effectiveness. But all of this is required to be done while mediating the conflicting interests as well as recognizing the protection of certain forms of speech.
As Gautam Bhatia said in the context of Swami Ramdev v. Juggernaut Books last year, “Indian courts seem to increasingly view freedom of speech as a mere annoyance to be brushed aside when confronted with competing claims”. If global take-down orders become mainstream, regressive laws on freedom of speech and expression online will become the norm. The Courts and governments, in order to win this ‘hare and tortoise race’, should not ignore the countervailing arguments in relation to freedom of speech and the right to privacy. These rights should not be treated as outweighed by values like national integrity, security interests, etc.; rather, an effort should be made to strike a balance between both sides.
The judgment is under challenge now by Facebook before a Division Bench, and the matter is listed for final hearing on January 31, 2020. The Court must set a precedent in the unsettled jurisprudence that will consider the free speech and privacy rights in the world of internet at the intersection of technology and laws such as defamation law.
The FinTech sector in India is thriving and growing expansively, enabled by a large consumer base, innovatively boosted startups and balanced regulatory policies in the form of the ‘Digital India’ programme. The Indian Fintech industry has grown by 282% in the last decade and reached a valuation of USD 450 million in 2015. Currently, there are more than 400 fintech companies working in India, and investments are set to be fuelled by 170% by 2020. The Indian fintech market is expected to grow by USD 2.4 million by 2020 from the present USD 1.2 billion, as per a NASSCOM report. The transactional value of the Indian fintech sector was estimated at approximately USD 33 billion in 2016 and is forecast to reach USD 73 billion by 2020.
FinTech facilities in India
The primary facilities offered by companies operating in the space of fintech are:
Pre-paid Payment Instruments
Also known as PPIs, these instruments enable the user to purchase products, including products relating to financial services. To purchase products, a value is loaded into the e-wallet of the PPI, and purchases are made against that value. There are 3 types of PPIs: closed, semi-closed and open systems. Depending on the type, one may also have the facility to withdraw cash from the PPI. Other than banks, PPIs can only be issued by institutions authorized to function in the arena of e-wallets or pre-paid card services.
Managed by the National Payments Corporation of India, the UPI (Unified Payment Interface) provides a platform for quicker real-time transactions, making it easy for smartphone users to enter into multiple transactions at a lower cost than the traditional method demands. Constituting a major part of consumer behaviour in the market, UPI gives universality to the transactions users wish to enter into and lets them engage with a greater number of traders.
In the traditional financial market, it was only the banks that could lend money. However, with the convergence of technology and the financial market, loans nowadays are even disbursed by non-banking financial companies, also known as NBFCs. The NBFCs, with their interactive and user-friendly applications, have attracted a wide user base in the digital arena for credit purchasing and loans after verification.
The lending platforms offered are Peer to Peer based. Such platforms bring together willing lenders and borrowers to enter into regulated transactions. As per the guidelines issued by RBI in this regard, the lending platforms can only be offered by registered non-banking companies in India.
Online Sale and Purchase
Online sale and purchase is another recent trend. To facilitate it, there needs to be a system whereby an entity collects payments from the purchases and sends them across to the sellers. The entities involved in this function are known as payment aggregators or intermediaries. These entities electronically consolidate the payments made and transfer them to the sellers.
Begun as a measure to take the banking system to the grassroots level of society and provide ease to customers, digital banking services have now become a feature of the payment banks. The RBI has allowed payment banks to offer online the basic services involved in smooth banking by customers. This includes facilities such as accepting deposits (though RBI has placed a limit on it), viewing transactions, transferring funds, etc. However, this arena remains strictly regulated, and not all facilities, such as issuing credit cards, are digitally available.
Regulatory Challenges to Fin-Tech in India
While in India, digital finance firms are thriving as the government is continuing to issue pro-startup regulations and policies, the central regulatory body for Fintech i.e. the Reserve Bank of India, still suffers due to a traditionally rooted and established infrastructure which cannot be easily replaced with the updated regulatory framework that matches the advancements of technology.
The Indian market is already recognized as a conservative and restrictive market, which makes it difficult for Fintech firms to instil confidence in adopting Fintech services in the absence of any concrete regulatory framework.
Commendable steps have been taken by the Indian government and regulatory institutions in a prompt manner; however, policies and regulations have to match the pace at which technological advancements in the finance sector are taking place. This is much needed to ensure secure and transparent growth of Fintech in India.
Regulatory Uncertainty in the Fintech Sector
The foremost challenge that the regulator for the fintech sector has to deal with is the lack of regulations. Moreover, where there are regulations, consolidating them is another major challenge. There is a requirement “to support the formulation of policies that foster the benefits of fintech and mitigate potential risks”. Hence, a regulator or policy-maker has to work in the direction of “the modification and adaptation of regulatory frameworks to contain risks of arbitrage, while recognizing that regulation should remain proportionate to the risks.”
Digital On-boarding and Financial Inclusion
The two significant challenges that one can see as the huge mountainous tasks in the Indian context are: firstly, making the fintech platforms accessible to every Indian and secondly, analyzing the risks that are potentially present in trying out a scheme to provide digital onboarding. The Supreme Court recently decided upon the constitutionality of the Aadhaar, the ambitious government project to provide a unified identity. Aadhaar has been held constitutional but Section 57 of the Aadhaar Act was struck off. Section 57 provided the mandatory verification and linking procedure for consumers to avail a company’s service. The judgment is having serious implications on the government’s efforts to provide frictionless onboarding of consumers.
“The judgement impacted the delivery of financial services across verticals including bank account opening, loans, mutual funds and insurance. Though the judgement allows voluntary use of Aadhaar by consumers, there are multiple interpretations of it and the Unique Identification Authority of India (UIDAI) has resorted to safer approaches to avoid any more legal battles and stopped services to private entities altogether.”
Low Credit for Startups
Investors in the market are now hesitant to invest in fintech startups. The investors are baulking as there have been quite a number of bad loan incidents. A big setback to the fintech industry as well as the financial sector came in the form of the IL&FS breakdown. The company defaulted on its inter-corporate deposits and commercial papers or borrowings. The incident has affected the whole fintech industry, as the crisis included lending businesses that were a key funding source for a number of NBFCs.
The Apex Court’s judgment also brought to a halt another popular mode of financing, which is also the foremost mode of debit for lenders, MFs and insurance: pulling money from the customer’s account. This is yet another judgment that has slowed down the advancement and has promoted the traditional manner of physical registrations.
Both the traditional banking system and the fintech services gather a large number of data records from their various clients, which contain a profile of behavioural and financial information. Though the utility of such data is positive when it is used for the specific purpose of improving services, it also gives way to a heap of privacy issues, especially when the financial service provider engages a third party’s technology services.
The judiciary recognized the risk of data privacy to the banking sector’s consumer in the case of Punjab National Bank v Rupa Mahajan Pahwa, “in which Punjab National Bank had issued a duplicate passbook of a joint savings bank account, held between the petitioner and her husband, to an unauthorized person”.
Other Challenges to the Fintech system in India
In terms of regulatory standards, India lacks a comprehensive cybersecurity framework to reduce cyber-crime issues. Competition law has also, at some stages, failed to control the dominance of certain advanced fintech NBFCs.
Note from Author: This post is the first in the series ‘Simplifying FinTech and FinTech Laws’. The evolution of finance started almost a century ago when the world saw the establishment of Fedwire in the US in 1918. The first actual FinTech application was the first mobile payment in 1997, to buy a Coca-Cola from a vending machine. In India as well, FinTech has completed almost one and a half decades, but still there seems to be little awareness about what the term ‘FinTech’ actually means and what law governs it. The fact that people are not aware of what ‘FinTech’ is and which daily financing applications constitute it is the inspiration for this series of posts. The author is hopeful that these posts will help in simplifying the understanding of FinTech and related laws.
An individual can realize that something has changed when, in the current scenario, he sees that everyone around him is transacting amounts with a click on their mobile phones. Ever since the rise of mobile payment apps like Paytm and Google Pay and of financial technology (hereinafter referred to as “fin-tech”) companies, the financial services industry has been turned on its head. Whether you are shopping online or just buying groceries from your local grocer, fintech is surrounding us from all sides in 2019.
Financial technology, basically, means technology that seeks to assist, improve and automate the facilitation, processing and delivery of transactional and financial services. At its core, fintech is used to help corporations, businessmen and customers process their financial operations through curated software and algorithms used on computers, eliminating manual intermediation in the financial industry. Broadly, as stated, the term ‘fin-tech’ can be applied to a number of technological innovations in the processes of transacting business, from the invention of digital money to double-entry bookkeeping.
Since the digital boom and the arrival of the recent smartphone generation, financial technology has grown exponentially and expansively. Fintechs are therefore attracting the attention of various sectors, especially customers of banking facilities and investment funds, which regard fintech as the future of the financial services industry. Offline retailers and telcos are also looking at fintech as a better alternative to traditional financial services, as financial technology provides them with a speedier and decentralized mode of handling transactions. This extensive activity is raising a flurry of questions regarding the emerging financial topography.
Several major fin-tech products and services are currently in use in the market, among them Peer to Peer lending platforms, crowdfunding platforms, distributed ledger technology, Big Data, Mobile Banking Services etc. These fintech options facilitate the services of international finance, bringing together large lenders and borrowers, “seekers and providers” of data and information, and providing centralized or decentralized modes of transactions.
Traditional financing institutions have understood the need to upgrade their services. In pursuance of this, financial institutions are modifying their services by adding technological innovation, either by retaining the services of technology companies or by investing themselves in technological research and development (“R&D”). However, there still exist wide disparities in the practices of traditional banking facilities in India.
Further, according to the Financial Stability Board (FSB), of the BIS, “FinTech is technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.
These definitions focus on encompassing the broader categories of innovations in the financial sector as facilitated by technologies, irrespective of the kind, business scale and regulatory status of the technologically innovative firm. The width of the FSB’s definition can be gauged while “assessing and anticipating” the expansive development of the financial system, and “the associated risks and opportunities”. Therefore, the key take away from the definition is that FinTech refers to “the integration of technology into offerings by financial services companies in order to improve their use and delivery to consumers”.
FinTech developments or innovations have the potential to facilitate a range of beneficial services, specifically efficient processing and cost minimization. Technological advancements are also substantially transforming how people access financial services. Investments in the Fintech sector are largely increasing through venture capital funds. The same is estimated at around USD 20 billion.
FinTech products and services
There is no defined scope of FinTech innovations, products and services. The broad nature of the technological advancements in the area of financial services includes some of the most prominent fintech innovations that have produced quite a significant effect on financial markets. Mobile and web-based payments are being used in Payments, Clearing and Settlement as an advancement. Similarly, crowdfunding and peer to peer lending have made deposits, lending, and capital raising more advanced than before. E-trading has made Investment management better. It is worth noting that, Data Analytics and Risk Management in delivering financial services are flexible now as the automation of the process is being carried out by using Big Data and Artificial Intelligence.
Payments, Clearing and Settlement
Fintech products and services in this category are the innovations that focus on the expediency and efficiency of the ‘payments, clearing and settlement’. The innovation in terms of improving the speed of transaction, minimizing the cost and flexing the mode of financial transaction, will bring positive changes to the whole financial services system.
Internet-based payment apps
In general terms, payment services work as follows: a user opens an account in a bank and receives “a payment instrument” (Credit Card, Debit Card, etc.), which is, in consequence, “linked to the account from the issuing bank to pay merchants online or offline”. Bank merchants are intermediaries that request payment and are obliged to reciprocally share the payment information with the bank, i.e. the financial institution. Banks receive funds while facilitating the transactions for various other financial institutions. Today, this whole series of processes is assisted by the Internet. In such transactions, the payments are made directly to the service provider through the fintech services and the “integrated payment agency”.
There are two kinds of internet-based payment services. The first are services based on mobile applications that merely assist the existing payment infrastructure, e.g. Apple Pay, mPay, GPay etc., which operate over the “existing card payment infrastructure”, giving consumers the ability to use their mobiles as their credit cards or debit cards. Then there are other mobile applications or internet websites that provide payment facilities through the “new payment infrastructure”, e.g. “Mobile phone money services such as M-Pesa in Kenya and IMPS in India”.
Digital currencies, basically “digital representations of value”, are “value stored electronically in a device such as a chip card or a hard drive in a personal computer”. Innovative technology, in combination with the proliferation of AI and automation, internet availability and changing consumer choices, has expanded the need for alternatives to hard currency or traditional instruments of payment. Digital currency can be defined, in a broad sense only, as something that represents value: firstly, it is an electronic or digital form of money or “government-issued fiat currency”. It also covers virtual currency, an electronic form of currency that is not legal tender. These currencies are tokens or tenders that are developed, controlled and created by private developers, with the value being trusted and appreciated in a specific community.
Distributed ledger technology
Distributed ledger technology (“DLT”) is the innovation that provides a wholly secure and safe transaction record, connecting the various users in a network, that is duly updated and verified. Each and every transaction is accessible to all users, which allows users to keep a track record of a transaction, eliminating the chances of fraud and centralization in the transaction. Transactions following the DLT are, in the actual sense, peer-to-peer transactions, offering advantages of efficiency and security. As per the World Bank’s report,
“Distributed Ledger Technology refers to a novel and fast-evolving approach to recording and sharing data across multiple data stores (or ledgers). This technology allows for transactions and data to be recorded, shared, and synchronized across a distributed network of different network participants.”
Blockchain technology is a form of distributed ledger technology made up of transactions (e.g. cryptographic tokens or securities) stored in units of blocks. A blockchain system works on the model of a distributed ledger to record time-stamped digital transactions that are irreversible and may not be unilaterally altered. The process of recording transactions on the ledger is called mining. A blockchain network has as many nodes as there are participants in the network. The recorded transaction is broadcast to all the participating nodes and requires consensus over the authenticity of the transaction from each and every node that is part of the distributed ledger. As per the report of the steering committee on fintech related issues:
“Blockchain is a type of DLT which enables a community of users to record transactions in a distributed (without a central repository) and a decentralized (without a central authority) manner. The transaction records are visible to all the participants of the blockchain network, while being immutable at the same time. Blockchains rely heavily on cryptographic primitives”
Deposits, lending and capital raising avenues
As the flow of currency has transformed around us, other kinds of transactions are also transforming to become expedient and flexible, disintermediating financial transactions. Alternative finance is becoming a prominent mode of capital raising and financing. Even as Medium and Small Scale Enterprises are mushrooming across India, the inability to access adequate finance remains one of the major constraints on the growth of SMEs. Access to adequate sums is lacking because traditional banks do not provide finance until their creditworthiness requirements are satisfied, which demand strong collateral, good asset size and a perfect credit history on the part of the SMEs and businesses.
The new avenues of financing which exempt the lending from being vitiated by the financial intermediation, are data-driven and facilitated by technology. Popular alternative financing avenues are Crowdfunding and Peer to Peer lending.
Crowdfunding is an innovative technology portal that connects three parties: the entrepreneur or SME firm seeking funds, the contributors looking to invest in the project or cause, and the moderator organization that facilitates the engagement between the contributors and initiators. The moderators make it easy for contributors to acquire data, on one platform, about the several initiatives seeking funding for the development and production of their products and services. The foremost business models of crowdfunding are rewards-based crowdfunding, donation-based crowdfunding, and equity-based crowdfunding.
Peer-to-Peer (“P2P”) Lending platforms allow individual businesses and, especially, SMEs to finance and borrow amongst themselves. Thanks to updated and developed IT infrastructure, P2P portals offer interest rates lower than those of traditional banking institutions. Further, the thin line of distinction between banks and P2P platform providers is that the P2P fintechs are basically “matchmakers”: the P2P platforms facilitate networking between lenders and borrowers and charge a fee in exchange for that function. As the P2P lenders provide services on a fee-based mechanism, they basically do not have to meet the mandatory “capital adequacy requirements”.
In the case of P2P platforms, one cannot expect investor protection through compensation against default as one expects under deposit guarantee schemes in traditional bank deposits. The rising trend of application of P2P platforms in order to secure finance can be gauged from the fact that most of the jurisdictions like Germany and Italy, have already classified P2P portals as banks (as they undertake the task of credit intermediation) and are being regulated as banks.
All of these technological innovations can potentially bring many opportunities and challenges. Fintech has the capability to substantially improve the efficiency and diversity of the financial market. The load concentration in traditional banking for minor payments will be minimized, which may lead to expedient delivery of services to consumers. As technology advances, it finds a way to make a service or product more user-friendly. Similarly, as Fintech advances, it provides an incentive for traditional financing institutions to be competitive and focused on their customers.
The Sri Lankan Ministry of Digital Infrastructure and Information Technology introduced the framework for the proposed Personal Data Protection Bill on June 12, 2019. ‘Data Protection Legislation’ is an important public policy consideration for the Sri Lankan government in the context of “digital transformation taking place in Sri Lanka with government agencies, Banks, Telco’s, ISPs and private sector collecting personal data via the Internet,” according to the official press release. It is also important as “the Right to Information Act (2016) is currently being implemented in Sri Lanka, pursuant to Article 14A of the Constitution, where the right to privacy is an exception”.
To draft the legislation, the Drafting Committee looked at international best practices, such as the EU General Data Protection Regulation as well as the laws enacted in other jurisdictions, “such as Australia, Singapore and the Indian Draft Legislation”.
The Framework has been introduced for the stakeholder comments and will now be subjected to an Independent Review Committee.
The objective of the Framework
As per the Preamble, the Framework aims to:
Protect the personal information while ensuring the rights of natural persons with regard to the processing of such information
Improve consumer confidence and ensure the growth of digital democracy and innovation and promote both the protection of personal data and its use in Sri Lanka while respecting domestic laws and regulations and international standards
Enable the Government to regulate the processing of personal data and to ensure confidence in the privacy and security of online transactions and information networks and actively participate in an information-driven global economy
Improve interoperability among privacy frameworks as well as strengthen cross-border co-operation among enforcement authorities and provide clear guidance and direction to entities located or operational in Sri Lanka on generic data protection issues and their impact.
What is ‘Personal Data’?
‘Personal Data’ means any information whether true or not, relating to an identified or identifiable natural person, that is, data subject.
‘Personal Data Breach’ means any act or omission that consequently results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of the data subject.
What are ‘Special Categories of Data’?
Any personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural person’s sex life or sexual orientation, personal data relating to offence, criminal proceedings and convictions, personal data relating to a child” and any other personal data that the Minister may determine upon the recommendation of the Data Protection Authority (DPA) as established from time to time by Regulation in accordance with the proposed Framework.
What is the ‘Data Protection Authority’ (DPA)?
Part VII of the Framework provides for the establishment of the Data Protection Authority (the “Authority”) of Sri Lanka. It will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers.
Following are certain significant powers vested with the Authority, inter alia:
To enforce its orders or determinations made under this Act against a controller or processor through prosecution;
Data Protection Authority has power and has a duty to prosecute for the offences under this Act;
The Authority may carry out periodic audits in relation to any processing activity carried out by a controller or processor to ensure compliance with this Act.
“For the purpose of investigating into a complaint received by the Authority, holding an inquiry in relation to an appeal or making an order under section 38:
require any person to appear before it;
examine such person under oath or affirmation and require such person where necessary to produce any information related to processing
to inspect any information strictly related to the processing in question that is held or controlled by a controller or processor by an officer authorized on that behalf by the Authority. In any event, such officer shall be a senior staff member of the Authority having relevant expertise to conduct such inspection.
make a determination in accordance with the provisions of this act with due consideration of the information available to it.”
Application of the proposed legislation
Part I says that the proposed legislation applies to the processing of data that will take place:
wholly or partly within Sri Lanka; or
by a controller or processor which is resident, incorporated or subjected under Sri Lankan law, or a controller or processor which is offering “goods/services to data subjects in Sri Lanka”, or “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka”.
However, the provisions will not apply to the processing of data that is for “purely personal or household purposes” or when the data is anonymised. Also, it will not apply to the processing of data which is done by any government department, provincial council or any other regulatory body for lawful purposes.
Data Protection Principles
Part II of the proposed legislation provides that processing and controlling of data will be lawful only when it is done in accordance with the following principles:
Personal data shall be processed lawfully, fairly and in a transparent manner;
Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes;
Processing shall be adequate, relevant, necessary, proportionate to the purposes for which the personal data is processed;
The controller shall ensure that personal data that is processed is accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are rectified or erased without delay;
Personal data may be kept in a form which permits the identification of data subjects for such period as may be necessary for the purposes for which the personal data is processed; and
Personal data shall be processed in a manner that ensures appropriate security of personal data using appropriate technical or organisational measures.
Rights of Data Subjects
Part III lays out the following rights of Data Subject, inter alia:
Data Subject shall have the right to withdraw its consent for the processing of its personal data. Data Subject can request the controller for the withdrawal of consent in writing.
The Framework entitles Data Subjects to obtain access to their personal data and information at any time they request. Data subjects shall also have the right to request for rectification of any inaccurate personal data that has been processed.
The Data Subject can also request from the controller for erasure/deletion of the personal data which has been unlawfully processed, or processed pursuant to a legal obligation, or processed when such processing is no longer necessary or processed when such processing is no longer legitimate.
The Framework enables Data Subjects to claim the aforementioned rights by approaching the controller of the personal data directly and, in cases where the controller restricts the Data Subject’s request, through an appeal to the Authority.
Scope of Controllers and Processors of the Data
Part IV of the Framework obligates controllers and processors to register themselves with the Authority. They have to apply for registration in the prescribed form, which will require complete details related to the processing of the personal data and safeguards adopted by them to protect such personal data, within the prescribed time period. The Authority shall keep and maintain a Register of the registered controllers in such form and manner as may be prescribed.
The Framework also requires the controller and processor to designate a Data Protection Officer. A holding company may appoint a single data protection officer for all its subsidiaries. The Officer will advise on applicable data processing requirements and data protection impact assessment, ensure the compliance with the applicable law, and cooperate with the Authority for controllers and processors.
Duties and obligations
The Framework imposes certain duties and obligations on the controller such that, inter alia:
The controller shall implement appropriate technical and organisational measures such as encryption, pseudonymisation, anonymisation, data minimisation techniques, privacy-by-design techniques, adopt privacy enhancing technologies as applicable, to ensure and to be able to demonstrate that processing is done in accordance with the provisions of this Act;
Conduct privacy impact assessments when required by this Act and in accordance with the provisions of this Act;
Implement internal oversight mechanisms and integrate such mechanisms into its governance structure;
“Where processing is to be carried out by a processor on behalf of a controller:
the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Act and ensure the protection of the rights of the data subject as guaranteed by this Act;
Any processing by a processor on behalf of the controller shall be governed by a contract or any other written law that is binding on the processor that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
The Framework further provides the duties and obligations of processor such that it can only process the personal data in accordance with the documented instructions from the controller.
The Framework obligates the processor, inter alia:
to ensure that its personnel are bound by contractual obligations on confidentiality and secrecy (personnel means any employee, consultant, agent, affiliate or any person who is contracted by the processor to process personal data);
to assist the controller by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Act;
to assist the controller in ensuring compliance with the obligations under this Act;
to allow for and contribute to audits, including inspections upon the controller’s request.
The processor shall remain liable to the controller for performance at all times, even when the processor appoints a ‘sub-processor’.
Data breach notifications
On becoming aware of a personal data breach, the controller shall inform the Authority without undue delay, and in any event within the prescribed time, in such manner and form as prescribed by the Authority.
Data protection impact assessments
The Framework makes it mandatory for the controller to carry out a privacy impact assessment whenever a type of processing is likely to result in a high risk to the rights of the Data Subject. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. Such an impact assessment is mandatory in cases where there is:
a systematic and extensive evaluation of personal data such as profiling;
processing on a large scale of special categories of data;
monitoring of publicly accessible areas or telecommunication networks or any other processing activity as prescribed under the proposed Act.
The Authority will provide guidelines through the official gazette regarding the form and manner in which the privacy impact assessments are to be carried out by the controller.
Part V provides certain exceptions to the protection of personal data as provided by law for “the protection of national security, defence, public safety, economic and financial wellbeing [sic] of Sri Lanka, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest”, and for the protection of “rights and fundamental freedom” of the Data Subject and others, “notably freedom of expression and right to information”.
Cross-border flow of personal data
Part VI lays out the rules for the cross-border flow of personal data:
A controller and processor can only process the data at a location outside Sri Lanka if the location has been prescribed by the Minister as a place which ensures an adequate level of protection for personal data in accordance with the provisions of this proposed Act.
Otherwise, the controller and processor have to provide safeguards and ensure effective remedies for Data Subjects in order to process the data at a location outside Sri Lanka.
The DPA will, by rules, prescribe the conditions under which a controller or processor has to obtain the prior authorization of the Authority in order to process data outside Sri Lanka.
Use of personal data for direct marketing
Part VIII defines how personal data may be used for direct marketing.
‘Direct marketing communications’ means any form of advertising, directly or indirectly, whether written or oral, sent to one or more identified or identifiable end-users via electronic or digital communication or telecommunication services or any other means including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.
Any natural or legal person who wants to use electronic or digital communication and any other services for sending direct marketing communications to end-users of such services has to ensure the “unambiguous consent” of such end-users. However, with each such direct communication, the end-user will be provided with the right to object. If an end-user claims the right to object, then the natural or legal person has to ensure that they comply with such request.
Imposition of penalty
In Part IX, the Framework prescribes the penalty to be imposed upon a person who fails to comply with the proposed Act, taking into account the nature and gravity of the relevant non-compliance.
The penalty will not exceed 2% of the person’s total worldwide turnover or rupees 25 million, whichever is higher. If a person doesn’t conform to the provisions of the proposed Act even after being penalized once, then he/she will “be liable to the payment of an additional penalty in a sum consisting of double the amount imposed as a penalty on the first occasion”.
The imposition of such a penalty will not preclude a supervisory authority from taking any regulatory or disciplinary measures (cancellation of license, suspension, etc.) against such a controller or processor.