Summary: Framework for India’s new retail payments law proposed in report

“Policy objectives of the Payment and Settlement Systems Act, 2007, (PSS Act) do not align with the requirements of a modern retail payments law,” read the latest report by the Vidhi Centre for Legal Policy. The report points out that the law focuses on issues related to supervisory powers of the Reserve Bank of India (RBI) from a systemic point of view but fails to touch upon key enablers for the proliferation of retail digital payments such as consumer protection and promotion of competition and innovation. 

The report, which has been reviewed by MediaNama, contends that India needs to “reassess the PSS Act taking into account the developments in the retail payments sector since its enactment and the future of digital payments in India”. 

[…] argues for a modern retail payment services law in India that is built on the principles of proportionate regulation and balances regulatory flexibility with well-established statutory mandates that can promote competition, innovation and consumer protection. — Vidhi report

The Digital Payments Index launched by the RBI shows an increase in the adoption of digital payments across India in recent years. Thus, the policy objectives governing the future of the retail payments industry have to keep up with the changing times. 

What would the skeletal framework of a new law look like?

Vidhi’s report concurs with the recommendation by the Committee on Digital Payments and the Inter-Ministerial Committee on creating a new regulator for payment systems known as the Payments Regulatory Board (PRB). The PRB will not be a part of the RBI and will be set up as a separate regulator. Other proposed features of a new law include: 

Introduce a definition for payment services: The report suggests that the proposed law should introduce a definition for payment services which covers attributes such as services’ clear payments nexus, service providers process funds or acquire transactions for merchants, and service providers contract or deal with the consumers or the merchants. 

Advertisement. Scroll to continue reading.

• It also said that a list of activities that qualify as payment services may be outlined in the law like they do in Singapore, the UK, and Hong Kong. The RBI should be given the flexibility to recognise other activities as payment services as long as it meets the broad payment service criteria.
• Only infrastructure providers that facilitate the transfer of funds and other clearing and settlement systems but do not interact with the end consumer be defined as a ‘payment system’
• The proposed law should also introduce definitions for clearing services that are currently absent in the PSS Act. 

Outline services exempted from the proposed law: 

• Clarifying exemptions and relaxations that will be provided under the law.
• Services that can be considered for exemption include ones providing technological support without any access to consumer funds, execution of a payment transaction on behalf of the payer or the payee, and payment service providers that process small volume transactions, among others.
• Experimentation on innovative solutions in a regulatory sandbox must also be considered for relaxation from the new law by the RBI.

Risk-based framework: A risk-based regulatory framework involves regulation of payment service providers, and clearing and settlement systems commensurate to the level of risk posed by them. The framework must consider the following: 

• A two-tiered regulatory structure that includes an authorisation framework for payment service providers and a designation framework for SIPS and SWIPS.
• Authorisation framework must provide different types of authorisation for different payment services. 
• Designation framework should be applicable to payment systems whose disruption may trigger systemic implications on the financial system, affect public confidence in payment systems, or where such designation is necessary to ensure better efficiency and competition in the financial system. 
• Objective criteria for the designation framework should also be spelt out in the proposed law.
• RBI should be empowered to exercise specific powers against such designated payment systems.

Principles to manage operational risks: RBI issues circulars to regulate different aspects of operational risks. However, the PSS Act does not recognise the obligation of payment service providers to have such risk management policies and procedures. The establishment of these principles in the primary statute will provide legal certainty to regulated entities and also inform subordinate legislation on this issue. 

• A payment service provider should establish a robust operational risk-management framework, including technology risk management policies, with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
• The company’s management should clearly identify and define the roles and responsibilities of officers responsible for addressing operational risks.
• The operational risk management framework must be ratified by the management of the payment service provider while being reviewed, tested, and audited periodically.
• A payment service provider should have a business continuity plan to deal with events posing a significant risk of disrupting the operations of the provider.
• it should identify, monitor, and manage the risks that end consumers, participants, or other third parties may pose to its operations.

Consumer protection provisions: The PSS Act does not say much on the consumer protection mandate for payment service providers. Some provisions may include: 

• The new law should mandate payment service providers to disclose to end consumers key terms and conditions applicable to the usage of the payment service, including the main features, charges, risks associated with the service, rights and liabilities of the consumer, liability in case of unauthorised transactions and grievance redressal mechanism.
• Payment service providers to ensure that the disclosure is (a) provided in a language that is clear, simple and not misleading; (b) easily accessible; and (c) provided in a timely manner. Any change to the key terms and conditions must be specifically brought to the notice of the consumer.
• RBI may encourage payment service providers to adopt standardised key facts documents to disclose key information to users relating to the service concisely and in the local language.
• Payment service providers to reveal all costs, fees, and charges that arise or may arise from a payment service and a breakdown of such charges. 
• The law should mandate payment service providers to have in place an effective and efficient consumer grievance redressal mechanism.

Provisions for open access requirements:  Provisions in the primary statute requiring payment systems to provide open access to their systems can be instrumental to promote competition and innovation, which in turn could enhance efficiency. 

• The law should mandate payment service providers and designated payment systems to provide access to its systems on objective and non-discriminatory criteria.
• The framework must be ownership neutral, technology neutral and proportionate to the risk posed by such access.
• Consider a mechanism to allow any person to approach the RBI for access to designated payment systems who is aggrieved by non-compliance by such designated payment systems.

Interoperability: The proposed law should have provisions on interoperability for payment service providers and designated payment systems. The standards of interoperability must be laid down by the RBI for designated payment systems. 

Recognise role of third-party service providers: The proposed law may recognise the concept and the role of third-party service providers that are engaged by a payment service provider and PSOs to facilitate payment services.

• The liability of a payment service provider for activities of the third-party service provider has to be outlined.
• The law should specify the payment service provider’s obligations, including the need to conduct due diligence and to ensure that third-party service providers have an adequate risk management strategy commensurate with the role of such providers.
• A risk-assessment framework should be considered by the payment service provider and it must inform the RBI in case a third-party provider is critical to its operations.

Limit the types of subordinate legislation: The report suggested that new law must rationalise/ streamline subordinate legislation as the issuance of multiple instruments often creates uncertainty regarding the enforceability of the directions. 

What are the gaps in the existing legal framework? 

The report suggests that there are gaps in the PSS Act which have not kept up with the changing payments landscape due to the emergence of disruptive technologies. 

Missing risk-based framework: A risk-based approach is conspicuously absent from the PSS Act. It does not make any distinction between the different types of payment service providers, and clearing and settlement systems. The report states that the RBI relies on the existing provisions of the PSS Act that broadly outlines the general powers of a regulator to regulate all payment systems, irrespective of the risk posed by it.

Definitions not up to pace with the evolving payments sector:  New players like non-bank entities with new business models such as PPI issuers, retail payment organisations (like NPCI), merchant acquirers, payment gateways, payment aggregators, and other overlay systems built using UPI have emerged over the years. The PSS Act has defined the term ‘settlement’ but definitions for ‘payment’ and ‘clearing’ are missing. The absence of a definition of ‘payment service’ is an important regulatory gap that must be addressed, as per the report as it is likely to cause uncertainty for businesses regarding the applicability of the PSS Act. 

Lack of recognition for SIPS: Systemically important payment systems  (SIPS) are subject to a strict regulatory framework because they can trigger systemic disruptions. The PSS Act does not recognise the concept of SIPS or SWIPS (System Wide Important Payment System) as compared to the laws in other countries, Vidhi’s report said. 

Promoting competition in the payments space: The report said that the PSS Act does not impose any obligations on payment service operators to provide access to the participants on a fair and transparent basis or ensure interoperability. It is important because market concentration may cause a high dependency on select payment and settlement system operators, without alternatives. Market concentration might lead to operators providing poor quality of services at higher prices, lowering investment in risk reduction and level of innovation. A legal framework must discourage entry barriers for players. 

Advertisement. Scroll to continue reading.

Provisions on consumer protection: “The PSS Act does not envisage any positive obligation on PSOs for protecting the interests of the end users,” the report said. It added that it is of paramount importance to accord recognition such as consumer protection safeguards in the law to not only inspire public confidence in the payment systems but also for business certainty.

Dispute Redressal Mechanism: The PSS Act is silent on consumer grievance redressal mechanism necessitating the RBI to issue circulars requiring some consumer-facing payment service providers to include one. The report said that the legal recognition of the grievance redressal mechanism is significant so that the recourse is available for consumers in case of a failure of a payment service provider to resolve grievances.

Excessive reliance on subordinate legislation: The PSS Act only provides a skeletal framework that sets out the basic regulatory powers of the RBI. The report reveals that the RBI has been issuing guidelines from time to time to deal with the gaps in the PSS Act, covering various obligations that should be baked into a statutory framework. It concludes that subordinate legislation may be an overreach that will expose it to legal risks.

Multiple regulatory instruments: “It has often been pointed out that the practice of issuing several regulatory instruments is complex and may be confusing in relation to the scope and enforceability of such instruments,” the report declared. It said that deficiencies in the existing regulatory framework for digital payments has resulted in poor services for the consumers, lack of choice of means of payment, continued reliance on cash with its high costs and the consequent possibility of money laundering and tax evasion. 

Will NUEs address the lacunae?

The report said that regulating new umbrella entities will come with its set of challenges: 

• It said that multiple operators may add to the complexity and administrative costs for payment service providers who have to navigate through the rules of different operators, impacting the end consumer.
• The authors contended that the governance of multiple NPCI-type entities will be challenging for the RBI from an enforcement perspective.
• They said it will require investment in institutional resources along with the creation of suitable institutional infrastructure. 

It is worthwhile to deliberate if introduction of NUEs is the optimal solution for addressing the challenges identified by the RBI in the absence of any cost-benefit analysis in favour of introducing NUEs. — Vidhi report

The report also said that one must explore if the policy focus should be moved from creating NUEs to encouraging more competition at the payment service provider level and designing a framework that takes into account principles that promote competition. 

Advertisement. Scroll to continue reading.

Governance of NPCI

They also suggested that one can also undertake measures to improve the governance of NPCI. Some of them are listed below:

• Separation of standard-setting powers of NPCI from its operational functions by establishing a separate standard-setting body backed by law. 
• The body must have representatives from all stakeholders, including non-banks and domain experts. 
• Decision-making at NPCI should be broad-based to ensure equal representation of all stakeholders. 

Also read:

• Retail payments transactions grow by 7% in 2020-21: RBI Annual Report
• Interview: Ezetap aims to capture retail payments market by targeting Kirana stores
• Two entities begin testing new retail payments products under RBI sandbox
• RBI to take cues on issuing NUE licences from a committee after hitting pause on programme

Have something to add? Post your comment and gift someone a MediaNama subscription.