The Ken ran a story titled ‘Inside the Paytm Payments Bank Fiasco’ that highlighted the challenging journey of Payments Banks (PB) since licensing. It also captured instances of abuse of the sale and consent process by agents of Paytm to whom the account opening process was outsourced. The article conflates a few issues that we attempt to address here while flagging the issues that need regulatory clarification.
Do we need Payments Banks now that UPI exists?
PBs were envisaged to address the needs of unbanked regions that require transaction points to cash-in and cash-out. Both, traditional bank branches and pure digital interfaces are proving either very expensive or inadequate to address this gap. Consider for example, the Jharkhand Government’s failed experiment to replace the cash-based PDS system with Aadhaar-enabled DBT. The experiment exposed the limitations of a cash-out system designed to operate on a combination of both traditional bank branches and the digital interface. It was discontinued due to widespread dissatisfaction because of how a simple cash transaction became needlessly complicated when a bank account had to be accessed in remote locations. PBs are designed to respond to these policy imperatives to enable non-branch, transaction points to significantly expand access and usage of bank accounts. PBs were envisaged to ride on ‘adjacencies’ from having a vast network of merchant touch points that can become transaction points. While the focus recently has been on account opening, the real value from the PB model is in enabling cash-in cash-out (CICO) services in unbanked locations where cash will continue to dominate for a reasonable time. This cash-out feature sets them apart from the prepaid instrument/wallet licenses which by design cannot provide the CICO service[1].
Are RBI’s KYC rules onerous on Regulated Entities including Payments Banks?
That depends. Below we flag certain issues where clarifications from the RBI can provide greater clarity on permissible business models and help regulated entities design efficient business operations.
- Currently, it is unclear if agents can undertake KYC on behalf of entities regulated by the RBI. The PML Act when read in conjunction with the RBI’s KYC Master Direction raises some questions around the validity of KYC processed by them. Agents[2] (if not already regulated by RBI) are not Reporting Entities under the PML Act. However, for the purposes of conducting Customer Due Diligence (CDD), would they be considered compliant under the RBI’s KYC Master Direction?
While the PML Act 2002 ‘extends to whole of India’ (Chapter 1 (2)), not all entities to which it applies are required to be Reporting Entities under the Act. The Act defines Reporting Entities as ‘a banking company, financial institution, intermediary or a person carrying on a designated business or profession’. RBI’s KYC Master Direction permits, ‘for the purpose of verifying the identity of customers at the time of commencement of an account-based relationship’, RBI-regulated entities to, at their option, rely on Customer Due Diligence done by a third party. This is subject to such a third party being ‘regulated, supervised or monitored for, and has measures in place for, compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the PML Act’ (Section 14 (c)). This language therefore does not specifically require the third party to be a Reporting Entity under the PML Act. Given that Telecom companies, business correspondents (that are not regulated by the RBI, such as corporate BCs, kirana stores, individual agents) and business facilitators are not reporting entities under the PML Act, the confusion then arises on whether CDD done by these entities is valid under the KYC Master Direction.
- It is unclear if agents are permitted to undertake instantaneous CDD processes on behalf of Regulated Entities, such as those based on biometric e-KYC.
RBI’s Notification on the Extension of Financial Inclusion- Use of Business Correspondent Model states that ‘The banks may.. use the services of the BC for preliminary work relating to account opening formalities. However, ensuring compliance with KYC and AML norms under the BC model continues to be the responsibility of banks.’ (Clause 5, Annex). RBI’s Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks states that ‘Banks .. should however not outsource core management functions including Internal Audit, Compliance function and decision-making functions like determining compliance with KYC norms for opening deposit accounts, according sanction for loans (including retail loans) and management of investment portfolio.’ (Clause 2, Annex).
Both of these references imply that while agents can facilitate the authentication process, they may not be permitted to decide if the person complies with the KYC norms and whether an account can be opened by them. Both these references also pre-date the introduction of Aadhaar enabled biometric e-KYC. The KYC Master Direction permits ‘Bank officials/BCs/BFs/Biometric enabled ATMs to carry out biometric-based e-KYC authentication’ (Clause 15 (v)). Unlike in paper-based KYC processes where the bank employee verifies KYC documents collected/facilitated by agents and approves the opening of accounts, the use of biometrics is a non-paper-based process that is digital and instantaneous. Does this imply that biometric e-KYC authentication would constitute valid CDD, irrespective of whether it is carried out by the bank’s employee or its agent?
- In the case of biometric e-KYC authentication carried out by an agent, is there a need for the bank’s employee to manually verify the completed CDD for it to be valid for the purposes of opening an account?
While the need for such a verification in the case of document-based KYC may be justified, it is unclear whether this additional step may be redundant with biometric e-KYC. One argument that can be made for the need to complete verification by the bank’s employee pertains to the risk management aspects of KYC processes. The RBI KYC Master Direction clarifies that Regulated Entities must categorise customers into low, medium and high-risk categories based on perceived risk which in turn can be based ‘on customer’s identity, social/financial status, nature of business activity, and information about the clients’ business and their location etc’ (Clause 12 a & b). However, one can imagine a process where an agent can complete this step in a digitised manner without the intervention by the bank employee. If Paytm’s agent were to ask the required information from the customer and enter it into the Golden Gate app (Paytm’s KYC app), and such information was then used by the CBS to automatically categorise the customer for risk management, would this be permitted by the RBI? It is unclear whether there is a need for such risk categorisation to be carried out manually by a bank employee and if so, whether such manual intervention is indeed required for meeting objectives of KYC given the levels of risk involved.
Clarifications by RBI on the above questions can ease the adoption of the agent network for account opening for all banks including PBs.
Are agents a problem specific to Payments Banks?
The use of Business Correspondents and Direct Sales Agents by banks pre-date the existence of PBs. Agents have been serving an important link for last-mile access across the country. They are certainly here to stay until most Indians get comfortable with unmanned digital banking. Accountability for how such agents conduct their business and behave with their customers is placed fully in their principal banks.
The case in the Ken article is one of misleading conduct by agents, where agents did not share correct information with customers, where the mechanism of obtaining consent (to open a Paytm bank account) was rendered meaningless, and where there was subsequent denial of service (of wanting a wallet) because a bundled product was not taken up by the customer (whether Paytm truly intended the wallet and the bank account to be bundled is a business decision by Paytm, but which was not communicated to the customer prior to sale). All these instances relate to a violation of codes of conduct/ fair practice rules and outsourcing guidelines[3] applicable on scheduled commercial banks, applicable on their employees and agents, without distinction[4].
Are RBI’s conduct regulations/codes adequate to provide clarity to regulated entities? If regulations were adequate, why did malpractice happen anyway?
Regulated entities must take care of having well-trained agents who have clarity on how the sale process should run (which is easily achievable in this case, as bank account opening is a fairly low-risk process and does not have additional requirements applicable to more complex products that have an element of personal advice embedded in sale). This includes how to get consent without coercion and without pre-filling consent on behalf of the customer, and how to talk about product features in an honest and transparent manner before sale. Paytm seems to have fallen short in this important aspect of agent conduct. Skewed incentive structures might have contributed to the level of misconduct, chiefly through pressure on Paytm employees to meet their pincode level targets and subsequent pressure on agents to hard sell. While incentives in itself are not bad, a casual treatment of conduct obligations being placed on agents can result in negative outcomes.
It seems that while some supportive language is available in the form of both binding and non-binding codes of conduct, there is evidence to suggest that conduct regulation is not homogenous or universal across institutions or channel of delivery. Consequently, customers often face differential treatment, even in transactions beyond account opening. For instance, low-income borrowers interact with NBFC-MFIs who follow the MFIN code of conduct. However, the same customer is covered by the BCSBI/IBA codes when taking a bank loan. Different codes for different channels and institutions ultimately affect conduct towards the end-customer who is free to move between these. This differential treatment of customers is likely getting exacerbated with many more and newer types of business models entering the fray, such as third-party products by PBs, NBFCs as BCs, fintech-NBFCs, P2P lenders, online e-commerce platforms and marketplaces. Unlike traditional branch-based sales, much of such new intermediation will likely be online, on the mobile or other digital, unmanned interfaces, besides through offline agents.
The need of the hour is therefore universally applicable conduct regulations that specify conduct of business standards in relation to a retail customer for different types of broad product categories, namely credit, savings and payments, investments and pensions, and insurance.
However, the second leg of the problem is a potentially weak internal monitoring system within Paytm and an external supervisory framework of the RBI that captures the conduct-related performance of institutions.
With respect to Paytm, one, it is unclear if and whether the first line of defence, namely the internal control mechanism, detected these conduct violations, and if it did, whether it had enough power to push back on its sales department. This will shed light on governance mechanisms around the conduct of business. Two, while we know RBI stopped Paytm from opening new accounts due to KYC-related violations, it is unclear what kinds of violations led to this decision. There is no information from RBI about the nature of these violations. There is in general, no public naming and shaming of institutions that carry out systematic violations despite repeated private strictures from the RBI, except very cursorily in reports of the Banking Ombudsman. The Banking Ombudsman is also unlikely to pick up such mis-sale due to fraudulent consent-taking or even unsuitable advice and sale for that matter.
Conduct regulations and the supervision of regulated entities must be such that it helps to instil a culture of responsible conduct, failing which there must be material reputational and penal consequences. This can be done by a supervisor actively engaged in supervising its regulated entities and employing supervisory frameworks to capture performance in conduct. The RBI had back in 2014, asked for institutions to have board-approved Customer Rights Policies that must uphold rights prescribed in the Charter of Customer Rights. However, there has been no information on which institutions have better quality policies and processes, how institutions are upholding these through culture-setting from the board and senior management, and whether active feedback loops from such supervision is feeding into regulation.
As appalling as the violations are, the kind of mis-behaviour showcased in the Ken article is not entirely new or specific to PBs. The Jan Dhan account opening drive saw many instances of multiple accounts being opened for already ‘banked’ individuals too. Universal Banks, as agents of insurance companies and Fund houses, continue to mis-sell these products, something that RBI has acknowledged before. These are very serious customer-facing violations where customer financial well-being is at stake. It is better now than never to get this right.
—
[1] Master Direction on Issuance and Operation of Prepaid Payment Instruments, Oct 2017 defines Semi-closed System PPIs: These PPIs are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.
[2] Agents here include all types of agents, including Business Correspondents, Business Facilitators and Direct Sales Agents
[3] RBI’s Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks is applicable to PBs
[4] For instance, RBI’s Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks must ensure that the Direct Sales Agents / Direct Marketing Agents/ Recovery Agents are properly trained to handle with care and sensitivity, their responsibilities particularly aspects like soliciting customers, hours of calling, privacy of customer information and conveying the correct terms and conditions of the products on offer etc. IBA’s Model Code of Conduct for DSAs requires Telemarketers and Field Sales Personnel should not mislead the prospect on any service / product offered. BCSBI’s Code of Commitment to Customers requires banks to ensure that customers are not subjected to unfair business or marketing practices, coercive contractual terms, negative confirmations or misleading representations.
