Open Questions on RBI’s Enforcement Actions in Indian Fintech

“God may be in the details, but the goddess is in the questions. Once we begin to ask them, there’s no turning back.”

– Gloria Steinem

Over the last month and a half, the enforcement actions of the Reserve Bank of India (RBI) with respect to Paytm and in relation to certain payment arrangements through corporate cards have raised substantive questions of law, facts and due process. This post will lay these questions out without attempting to answer any of them. This is because one of them is rhetorical perhaps, and the other two have no clear answers yet.

The objective of this post is to pose these questions as a mini research agenda for legal scholars interested in engaging with this regulatory (mine)field in India, and as open questions for policymakers and practitioners to consider in their policy and decision making processes. Given the fast paced nature of this field, this is by no means an exhaustive list of questions, but they seem fundamental enough to address at the outset. I begin with the due process questions as they underpin the other two. I then explain the substantive question of law arising from the RBI’s enforcement action on commercial credit cards and conclude with the RBI’s enforcement action on Paytm which leaves open several factual puzzles.

Due Process Questions

The RBI’s abovementioned actions were akin to enforcement actions that the Securities and Exchange Board of India (SEBI) takes under section 11D (cease and desist) of the SEBI Act against securities markets intermediaries. Cease and desist directions refer to a direction issued by a state agency prohibiting a private party from engaging in certain conduct. These are actions in personam and materially affect the businesses towards which they are directed. While cease and desist directions are generally designed to pre-empt potentially violative conduct, such directions also have a punitive effect in the form of business and reputational loss, temporary and permanent. This is precisely why the legislature built into section 11D of the SEBI Act a higher standard for issuing cease and desist directions to listed or to-be listed companies, namely, that such directions can be issued to such companies only where the violation suspected is that of insider trading or market manipulation.

On the other hand, as explained by some and argued by others in the media, the law governing the RBI’s enforcement actions do not require it to follow the due process envisaged for such actions under the SEBI Act. For instance, neither the Banking Regulation Act, 1949 nor the Payments and Settlement Systems Act, 2007 (PSS Act) require the RBI to offer a hearing, issue a written reasoned order or publish it before issuing such directions. The cease and desist direction issued to Paytm affects a listed company. Finally, unlike SEBI’s cease and desist directions, the RBI’s “press releases” disseminating information about such actions are not appealable to a statutory tribunal and can only be challenged in a constitutional court. The likelihood that any of the affected parties will approach a High Court or the Supreme Court to challenge the constitutional validity of the RBI’s press releases seems low. Paytm, for instance, rallied support in its favour to appeal to the government against the enforcement action taken by the RBI against it. The absence of detailed orders from the RBI makes it harder to decipher the contours of these actions and the rationale underlying them. The low probability of a constitutional challenge exacerbates the problem.

In this context, the following questions arise on due process:

1. Is there a difference between cease and desist directions issued by a banking regulator and a securities markets regulator?
2. If yes, is this difference so vast that it warrants a suspension of due process and an appellate forum?
3. Does the lack of an appellate process make the banking regulator less independent?
4. How do the absence of published orders and an appellate process affect the development of jurisprudence and precedent-making believed to be fundamental to the development of the law?

Substantive Questions of Law

On 14 February 2024, some newspapers reported that the RBI had, on 8 February, directed a card network operator and some financial technology firms to stop commercial card-based transactions. These transactions are made on corporate cards issued by companies for B2B payments by their employees. On 15 February, the RBI disseminated this direction in the form of a press release. The press release stated that one of the card networks had an arrangement under which it allowed an intermediary to accept “payments from corporates for their commercial payments and then remits the funds via IMPS/RTGS/NEFT to non-card accepting recipients”. The RBI interpreted this arrangement to be a “payment system” that was operating without a license under the PSS Act. However, from the bare description of this arrangement in the press release, this unnamed intermediary seems like a “payment aggregator”, which was aggregating the payments due from the corporate for disbursement to beneficiary merchants who were not on the card payment’s network. In some ways, this is a good thing from a financial inclusion perspective in that it brings non-card accepting merchants within formal payment systems. To be sure, the categorization of this unnamed intermediary as a “payment aggregator” will not do away with the requirement for RBI’s authorisation. However, the requirements for an authorisation as a payment aggregator are significantly lighter than those for a payment system.

This enforcement action, therefore, raises a substantive question of law on what kinds of arrangements  qualify as a “payment system” under the PSS Act. This question is likely to come up frequently because of the manner in which the PSS Act defines a payment system:

“‘[p]ayment system’ means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange;

Explanation. – For the purposes of this clause, ‘payment system’ includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.”

A bare reading of this definition might lead one to conclude that the unnamed intermediary was, in fact, enabling money transfer or card operations. However, this is true of even payment aggregators and gateways which do “enable” such operations as well, although the RBI has only classified them as payment intermediaries (or participants in a payment system). Similarly, third party payment applications, such as PhonePe and GooglePay, also enable money transfer operations, but are classified as participants in a payment system, and not a payment system in and of themselves. This enforcement action, therefore, raises the following questions:

1. Does a business model that aggregates payments for disbursement “enable” a payment to be effected between a payer and a beneficiary?
2. Given the broad definition of a “payment system” under the PSS Act, when do intermediaries in a payment arrangement stop being mere intermediaries and qualify as payment systems by themselves?

 Questions of Fact

On 31 January, 2024, the RBI issued a press release prohibiting Paytm Payments Bank from accepting deposits or making credit transactions in existing customer accounts after 29 February, subsequently extended to 15 March. This order is sparse in the details of the violation conducted. Hence, we must derive the violation from previous enforcement actions against the Bank. In October 2023, the RBI had imposed a penalty of Rs. 5.39 crores on Paytm Payments Bank for failing to “identify the beneficial owner in respect of entities onboarded by it for providing payout services” and “monitor payout transactions and carry out risk profiling of entities availing payout services”. These are KYC violations, as several press reports have also suggested. The second set of violations pertain to a breach of the regulatory ceiling of “end of the day balance in certain customer advance accounts availing payout services”. This is a peculiar feature of payment banks, which under their licensing conditions cannot hold more than Rs. 2,00,000 in a single account at the end of the day. The third set of violations seem like operational failures, such as delayed reporting of a cyber security incident and the Bank’s video-based KYC infrastructure failing to prevent connections from IP addresses outside India.

The opacity of the enforcement action with respect to Paytm Payments Bank raises questions of fact on the nature and severity of the violation, although most bankers we speak to, much to the discomfort of classic constitutional lawyers, ask us to presume it to be severe enough to trigger a cease and desist direction from the RBI. Apart from the due process questions outlined earlier, these questions are important to understand the treatment of non-KYC-ed customer accounts in future. Given the severity of the cease and desist direction, presumably, these accounts run into several hundreds of them. This enforcement action raises the following questions on the proportionality of the action and the treatment of non-KYC-ed accounts:

1. Why did the banking regulator not replace the management instead of issuing the cease and desist directions, as is usually done for other banks under the Banking Regulation Act?
2. Why did RBI allow Paytm Payments Bank to issue other products, such as the National Common Mobility Card after having imposed the penalty in October 2023?
3. What happens to the purported non-KYC-ed accounts? Are the users of those accounts barred from operating their accounts and withdrawing their monies, as an earlier direction of the RBI mandates?
4. What is the size of the violation? That is, how many such accounts are affected by the KYC breaches? Do they get transitioned out to a potential acquirer of Paytm Payments Bank? If yes, who bears the cost of completing the KYC for these accounts, and if not, what happens to the balances standing in these accounts?
5. What is the customer profile for these accounts? The RBI’s press release of October 2023 states that the KYC breaches occurred in respect of accounts availing “pay-out services”, suggesting that the breaches occurred in respect of accounts operated by merchants. If these are indeed merchant accounts, they were likely the nodal accounts for the payment gateway provided by the Bank. From the press reports, it seems that the nodal accounts are, in any event, getting transitioned out to other banks. If this is indeed the case, was the enforcement action much ado about nothing?