Comments on the Ministry of Electronics & Information Technology’s Draft Rules for Security of Prepaid Payment Instruments

By Malavika Raghavan, IFMR Finance Foundation

On 8 March 2017, the Ministry of Electronics & Information Technology (MeitY) released a set of draft rules for security of prepaid payment instruments (Draft Rules), inviting comments by 20 March 2017.[1] The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Rules.

The Draft Rules propose new requirements for pre-paid payment instrument (PPI) issuers, requiring them to:

  • put in place information security policy and privacy policies, and undertake risk assessments to assess risks associated with the security of their payment systems, and
  • institute a range of measures on customer identification, authentication, awareness, and education, and separately, a set of security practices.

The Draft Rules seek to broaden the category of customer information that is considered “personal information” for the purposes of the Information Technology Act, 2000 (IT Act), improper disclosure of which can be penalised by a fine up to Rs. 5 lakhs or imprisonment up to 3 years (or both). It also seeks to give transaction history data held by PPI issuers a higher degree of protection as “sensitive personal data and information” under the IT Act.[2]

The Draft Rules are an important and progressive step towards highlighting customer data protection and privacy concerns of customers using PPIs. However, MeitY has taken the interesting position of making rules for a particular institution type (PPIs here), which makes it akin to a sectoral regulator. It is also interesting to note that the Draft Rules traverse areas in which Reserve Bank of India (RBI) regulation already exists. In this regard we note that on 20 March 2017, the RBI released its updated “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India”, inviting comments by 31 March 2017.

In our comments to MeitY we have sought to highlight that the Draft Rules:

  • dealing with privacy and data protection, while incorporating some of the key (and internationally recognised) data protection principles can benefit from a more complete coverage of these principles,
  • while certainly taking the lead in customer data protection, should, keeping in tune with several other jurisdictions, go a step further and consider a broadening of the scope of Sensitive Personal Data and Information (SPDI) by covering any “personally identifiable financial information that any institution collects about an individual in connection with providing a financial product or service (unless that information is otherwise publicly available) – We characterise this as “Non-Public Personal Information (NPI), and make a case for treating NPI as SPDI for the purposes of the Information Technology Act, 2000
  • should attempt consistency with the existing framework of the Information Technology Act, 2000 (particularly the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011) so as to avoid multiplicity of legal standards.

We consider MeitY to be best placed to continue its role as the overarching standards setting body for issues relating to security and integrity of electronic transactions, and we see the actual monitoring and enforcement of such standards to be delegated to sector specific and specialised regulators (such as RBI, SEBI, IRDA, PFRDA, TRAI, Airports Authority of India, Registrar of Companies, All India Council for Technical Education, others. Therefore, in the context of PPIs, it would be wise to take note of existing regulations and monitoring systems already present within the RBI, as further described in our response document.

Our response to MeitY’s public consultation is available here.

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.

[1] The deadline has since been extended to 5 April 2017.

[2] For an explanation of these categories, see our blog on Electronic Financial Data and Privacy in India (published December 2016).


Monetary Policy Transmission in India – Part 2

By Madhu Srinivas, IFMR Finance Foundation

In the second post of our two-part series on Monetary Policy Transmission, we take a closer look at the impediments to policy transmission in India and also list the recent measures taken by RBI/Government to overcome these impediments. In addition we look at what recent empirical evidence has to say on effectiveness of policy transmission in India 

Impediments to Transmission in India

  1. Sustained fiscal dominance – RBI, being the merchant banker for the Government, has the responsibility to raise money, in this case through Government bonds, as and when needed by the Government. These Government borrowings tend to crowd out non-food credit in bank finance[1] and thereby reduce policy transmission. Though it is to be noted that steps have been taken to separate RBI from its public debt management responsibilities.[2] How effective these measures are and when they will reach their logical conclusion, however, remain uncertain. In contrast, many Emerging Market Economies (EME) such as Brazil, Poland, Hungary and South Africa have a separate debt management office to management government debt. Also, even among those EMEs where the central bank is involved in public debt management, their role is quite limited and they only act as a facilitator[3].
  2. Statutory pre-emption through Statutory Liquidity Ratio (SLR) – The SLR prescription provides a captive market for government securities and helps to artificially suppress the cost of borrowing for the Government, dampening the transmission of interest rate changes across the term structure. It was also observed that till 2014, the Government was borrowing at a negative real interest rate[4]. This was because the estimated average cost of public debt was above the average CPI inflation.
  3. Small savings scheme – Besides market borrowings, the other main source of funding government deficits in India is small savings mobilised through, inter alia, post office deposits, saving certificates and the public provident fund, such channels are characterised by administered interest rates and tax concessions. The substitution from bank deposits (both time and demand deposits) to small savings erodes the effectiveness of the monetary transmission mechanism, especially through the bank lending channel.

Source: Indian Budget 2017-18 and RBI’s Statistical tables relating to Banks of India : Table No. 10

As can be seen from the above graph, the funds in the small savings scheme are substantial compared to the bank deposits in the Scheduled Commercial Banks (SCB).

  1. Subventions – The Government also influences monetary transmission through its directives to banks. Keeping some economically and socially important objectives in mind, both the Central and State Governments offer interest rate subventions to certain sectors including agriculture[5] instead of considering direct subsidies, distorting the transmission mechanism.
  2. Informal Economy – India has a large informal sector workforce[6] and significant presence of informal finance as a significant source of credit for the real economy[7]. These are outside the influence of transmission measures.
  3. Liability Profile – The policy repo rate does not directly affect the determination of base rate of banks. The pass-through mainly hinges on the policy rate influencing the interbank rate, which in turn, influences the deposit and lending rates[8]. This pass-through is greatly diminished, since wholesale borrowings (including borrowing from the RBI and interbank borrowings) constitute barely 10 per cent of the total funds raised by banks[9].

Source: RBI’s Statistical tables relating to Banks of India : Table No. 2 ; As of March 2016

As can be seen from the above graph, the non-deposit borrowings of banks (which include borrowings from RBI and other wholesale funding) though significant, are quite small when compared to deposit liabilities. Thus their power to influence the lending rates is low. Added to this is the limited ability of banks to reduce their deposit rates in response to lowering of the policy rate. It is quite hard for banks to lower their term deposit rates (term deposits form almost 60% of all funds) in response to lowering of the policy rate by RBI. This constraint in lowering of deposit rates imparts rigidity to the liability term structure and to that extent impedes policy transmission.

Recent measures taken by RBI/Government that helps to overcome impediments to transmission 

  1. The Government, through an executive order, has set up a Public Debt Management Cell (PDMC) under the Ministry of Finance. The PDMC takes over the front office and the middle office functions of public debt management from RBI, while RBI will continue to handle the back office operations. The PDMC is to become a full-fledged body and completely take over the debt management functions from RBI in about 2 years[10].
  2. Effective from 1st April 2016, RBI has mandated all banks to move to a Marginal Cost of Lending Rate (MCLR) based regime. This rate is to be calculated taking into account –
    1. Marginal cost of funds
    2. Negative carry on account of Cash Reserve Ratio CRR
    3. Operating Costs
    4. Tenor Premium

This is set to improve the monetary policy transmission on the lending side. While early signals from the market suggest that this move would indeed increase the effectiveness of policy transmission[11], it is still too early (less than 4 quarters since the measure came into effect) to comment on the impact of this change with any certainty. Most empirical studies suggest that monetary policy transmission happens with a lag, and depending on the variable to influence, of about 2-3 quarters.

  1. With the Government resetting the interest rates for Small Saving Schemes every quarter[12], there is some scope for these interest rates to be aligned with the policy rate and thereby help transmission.
  2. There is some indication from the Finance Ministry (April 2016)[13] that it may consider replacing interest rate subvention schemes with interest subsidies paid directly into borrower accounts. However action on this is still awaited.

Effectiveness of Policy Transmission

Recent empirical research in the Indian context suggests that the bank lending rates respond asymmetrically to monetary policy, i.e lending rates respond more quickly and positively to monetary tightening than to monetary loosening[14][15][16]. Also there seems to be some evidence of pass-through in the first leg of policy transmission – Policy rates to Bank Lending rates. However, with regard to the second leg of policy transmission – Bank Lending/Financial Market rates to economic output/demand, the evidence seems to suggest little or no pass-through[17]. One reason for this could be the low level of penetration of formal financial intermediation in our economy. Put differently what it means is that the interest rate decided by RBI seems to significantly influence the bank lending rates in the right direction, especially when RBI raises the rate. But this does not seem to impact the output or price of goods and services in any substantial way. One reason for this is that large sections of our population still do not save in or borrow from banks or other formal financial institutions. However, with the current thrust on financial inclusion and the consequent spread of the formal financial system, the transmission in this leg is likely to get strengthened over time.

[1] Urjit Patel Committee Report (2014), Chart IV.2

[2] The Hindu Businessline – Debt management office to gradually-end; Oct 2016

[3] Report of the Expert Committee to Revise and Strengthen the Monetary Policy Framework (Chair: Dr. Urijit Patel, 2014)

[4] Ibid, Chart IV.3

[5] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=10540&Mode=0

[6] http://www.ilo.org/wcmsp5/groups/public/—asia/—ro-bangkok/—sro-new_delhi/documents/publication/wcms_496510.pdf

[7] http://www.mospi.gov.in/sites/default/files/publication_reports/KI_70_18.2_19dec14.pdf

[8]Sonali Das , IMF working paper WP/15/129 – Monetary Policy in India : Transmission to Bank Interest Rates

[9] Urjit Patel Committee Report (2014)

[10] The Hindu Businessline – Debt management office to gradually-end ; Oct 2016

[11] Indian Express – Private Sector capex ; Oct 2016

[12] Press Information Bureau release ; March 2016

[13] The Hindu Businessline – Govt. to pay interest subsidy directly to borrowers ; April 2016

[14] Mishra, Montiel and Sengupta (2016) , “Monetary Transmission in Developing Countries – Evidence from India”

[15]Bhupal Singh (RBI 2011) , “ How asymmetric is the monetary policy transmission to Financial markets in India”

[16]Sonali Das , IMF working paper WP/15/129 – Monetary Policy in India : Transmission to Bank Interest Rates

[17]Mishra, Montiel and Sengupta (2016), “Monetary Transmission in Developing Countries – Evidence from India”


Monetary Policy Transmission in India – Part 1

By Madhu Srinivas, IFMR Finance Foundation

Monetary policy plays a significant role in determining the trajectory of a country’s economy. While not directly affecting the structure of a financial system, the policy significantly influences the actions of economic agents of the financial system, including financial institutions. In that respect, the mechanics and effectiveness of transmission is of considerable interest to us. In this post, which is the first in a two-part series, we take a brief look at the mechanics of Monetary Policy Transmission in general and how it operates in India.


Dr. Raghuram.G. Rajan, former RBI Governor, in a statement after assuming office on September 4, 2013 observed that:

The primary role of the central bank, as the RBI Act suggests, is monetary stability, that is, to sustain confidence in the value of the country’s money. Ultimately, this means low and stable expectations of inflation, whether that inflation stems from domestic sources or from changes in the value of the currency, from supply constraints or demand pressures.” While there are many views on the objectives of monetary policy, the above statement captures the broad commonalities among the various views and could be taken as the official stance of RBI. This is further strengthened with the RBI formally adopting Inflation Targeting Framework.

It is generally accepted in literature that monetary policy has limited effects on aggregate supply or productive capacity. However, in the presence of credit constraints, the ability of firms to expand capacities is impacted, thus affecting aggregate supply[1]. Following the financial crisis of 2008-09 overall monetary policy transmission seems to have weakened in most Advanced Economies (AE)[2]. In contrast, recent evidence suggests that the interest rate channel, one of the many channels for monetary policy transmission, is strengthening in many Emerging Market Economies (EMEs), including India[3]. This can be attributed, among other things, to reduced fiscal dominance, more flexible exchange rates and development of market segments[4].

Prior to the recommendations of the Expert Committee to Revise and Strengthen the Monetary Policy Framework (Chair: Dr.Urjit Patel, 2014), India was following reserve targeting as the mechanism for monetary policy transmission – i.e., base money, borrowed reserves, and non-borrowed reserves. However, we have moved towards a formal, interest rate targeting regime (based on CPI) and away from the earlier reserve money system. One of the main reasons for moving from a money aggregate system to an interest rate regime is the erosion in stability and predictability of the relationship between money aggregates, output and prices. This erosion was further exacerbated with the proliferation of financial innovations, advances in technology and progressive global integration.

Mechanics of Transmission

The transmission mechanism can be characterised by the Taylor’s rule of thumb[5] (a simplified version of one of the main quantitative tools used by central bankers to arrive at a nominal policy interest rate) –

i =π + r* + 0.5(π –π*) + 0.5 (y – y*)], or [ i =π* + r* + 1.5(π –π*) + 0.5 (y – y*)]


i = nominal interest rate

π = rate of inflation

π* = inflation target

r*= neutral real rate

(y-y*) = output gap

The policy transmission mechanism broadly involves two steps –

  1. Transmission from the policy rate to key rates in the financial markets
  2. Transmission from the financial markets to final objectives like inflation, employment and output

The effectiveness of transmission in both steps depends to a large extent on the structure of the financial system. The three main components of the system which determine effectiveness are[6] –

  1. The size and reach of the system – given that the formal financial system does not intermediate for most economic agents in India, this weakens transmission
  2. The magnitude of financial frictions – a recent empirical study[7] suggests that the relative scarcity, or impediments, in the provision of public goods in India, such as – enforcement of property rights, efficiency and impartiality of the legal system, adequacy of accounting and disclosure standards –  tend to enhance the frictions in the financial sector and, to that extent, impede policy transmission
  3. The degree of competition in the financial sector – there is evidence[8] that the banking sector is highly concentrated in India, suggesting a low degree of competition in the sector

In sum, it can be said that the structure of the financial sector in India tends to weaken the monetary policy transmission.

Channels of Transmission

Monetary policy transmission in India happens through the following channels –

  1. Interest Rate channel – Empirical studies show that there exists bi-directional causality between call money rates and interest rates in other segments such as the government debt market, credit market or equities market and the forex market[9]. Also studies have shown that the transmission through this channel is asymmetric, i.e the extent of policy rate transmission is different between liquidity surplus and liquidity deficit conditions, with the transmission being more effective during liquidity deficit conditions[10]. One reason could be that banks would be more dependent on liquidity provided by RBI during tight liquidity conditions and hence more sensitive to the short term interest rate influenced by RBI.
  2. Credit channel – India is banking-dominated economy, even though the role of equity and debt markets has been rising the past few years[11]. High-dependence on bank finance makes the bank lending and the balance sheet channels particularly important for monetary transmission, which is also seen through Granger causality tests[12]. In terms of balance sheet effects, credit growth is seen to have an inverse relationship with movements in the policy rate. A 100 basis points increase in policy rate reduced the annualised growth in nominal and real bank credit by 2.78 per cent and 2.17 per cent, respectively[13].
  3. Exchange Rate channel – The exchange rate channel works primarily through consumption switching between domestic and foreign goods. This channel is weak in India with some evidence of weak exogeneity[14]. This is mainly because of India’s limited integration with world financial markets and RBI’s intervention in forex markets[15]. Despite all this, it is found that exchange rate depreciation is a key source of risk to inflation[16].
  4. Asset Price channel – Empirical evidence for India indicates that asset prices, especially stock prices, react to interest rate changes, but the magnitude of the impact is small[17]. With the increasing use of formal finance for acquisition of real estate, the asset price channel of transmission has improved. However, during periods of high inflation, there is a tendency for households to shift away from financial savings to other forms of savings such as gold and real estate that tend to provide a better hedge against inflation. To the extent that these acquisitions are funded from informal sources, they may respond less to contractionary monetary policy, thus weakening the asset price channel in India[18].

In all this, it should be borne in mind that there is considerable lag in the transmission of monetary policy. In India, monetary policy impacts output with a lag of 2-3 quarters and WPI inflation with lag of 3-4 quarters, with the impact persisting for 8-12 quarters. Also as can be seen from the above summary of channels, the interest rate channel is the strongest[19].

In the next post, we will take a closer look at the impediments to policy transmission in India and also list the recent measures taken by RBI/Government to overcome these impediments. Finally we will look at what recent empirical evidence has to say on effectiveness of policy transmission in India.

[1] Report of the Expert Committee to Revise and Strengthen the Monetary Policy Framework (Chair: Dr. Urijit Patel, 2014)

[2] Bouis (2013) et al, OECD Working Paper No. 1081

[3] Mohanty, M.S. and P. Turner (2008): “Monetary Policy Transmission in Emerging Market Economies: What is New?”, BIS Policy Paper No.3, January

[4] Gumata, N., A Kabundi and E. Ndou (2013): “Important channels of transmission of monetary policy shock in South Africa”, ERSA Working Paper No. 375, Cape Town

[5] Urjit Patel Committee Report (2014)

[6] Mishra, Montiel and Sengupta (2016) :“Monetary Transmission in Developing Countries – Evidence from India”

[7] Ibid

[8] Ibid

[9] Urjit Patel Committee Report (2014)

[10] Bhupal Singh (RBI 2011) :“ How asymmetric is the monetary policy transmission to Financial markets in India”

[11] Ibid , Chart IV.1

[12] ibid

[13] Pandit, B.L. and P. Vashisht (2011), “Monetary Policy and Credit Demand in India and Some EMEs”, Indian Council for Research on International Economic Relations, Working Paper No.256, Khundrakpam (2011) and Khundrakpam and Jain (2012)

[14] Ray, P., H. Joshi and M. Saggar (1998): “New Monetary Transmission Channels: Role of Interest Rate and Exchange Rate in the Conduct of Monetary Policy”, Economic and Political Weekly, 33(44), 2787-94

[15] Mishra, Montiel and Sengupta (2016): “Monetary Transmission in Developing Countries – Evidence from India”

[16] Urjit Patel Committee Report (2014), Table IV.1

[17] Singh, B. and S. Pattanaik (2012): “Monetary Policy and Asset Price Interactions in India: Should Financial Stability Concerns from Asset Prices be Addressed Through Monetary Policy?”, Journal of Economic Integration, Vol. 27,167-194

[18] Urjit Patel Committee Report (2014)

[19] ibid


Comments on the Report of Watal Committee on Digital Payments

By Malavika Raghavan, IFMR Finance Foundation

Shortly after Christmas last month, a press release from the Ministry of Finance on 28th December announced that the Committee on Digital Payments (chaired by Ratan P. Watal) had submitted its Report. IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Report.

The Committee had been constituted in August 2016 with a term of 1 year to review the payments system in the country and to recommend appropriate measures for encouraging digital payments. It’s recommendations were however delivered in 4 months. The Report notes that the Committee calibrated its recommendations to fast track the attainment of its ‘Vision’: to significantly reduce cash usage in the economy and facilitate the provision of ubiquitous digital payment services and infrastructure in the country (page 21 of the Report).

The Report contains recommendations which could have far-reaching impacts on Indian financial systems design, particularly for the regulatory architecture and the operation of payment systems in the country. It recommends:

  • the set-up of an independent “Payments Regulatory Board” within the RBI, which is unprecedented,
  • large scale amendments to the main Payments legislation, the Payment and Settlement Systems Act 2007, and
  • several measures to Government around incentivising digital payments by absorbing costs into the system.

We welcome the Report’s recommendation to include a section on customer protection explicitly in primary legislation dealing with payment systems. In the course of setting out its 13 headline recommendation, the Report shows a strong preference for supporting the use of Aadhar (and related payment systems) to verify and authenticate transactions. It supports the development of new innovations which are still in the regulatory “grey area” such as Direct Carrier Billing. The Report appears to recommend action on matters around the edges of digital payments for e.g. recommending disincentives on customers and merchants for using of cash, the use of Aadhaar where PAN numbers are not available and on income tax filings. In our response, we have also sought to highlight significant concerns that we have with some of these recommendations given the implications for customer protection and systemic risk.

Our submission to the Committee is available here.

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.


Electronic Financial Data and Privacy in India

By Bhusan Jatania, IFMR Finance Foundation

Earlier this week, the Secretary for the Ministry of Electronics and Information Technology (MeitY) confirmed that MeitY is set to review the legal framework for digital payments and cybersecurity[1]. This is an important move, and one that needs to take note of important blind spots in a key legislation that governs the handling of personal financial information – the Information and Technology Act, 2000 (IT Act). This post draws from our work as part of the Future of Finance Initiative and flags some blind spots in the IT Act that must be addressed in an environment where retail finance is seeing increasing digitisation.

Looking back at 2016, the push towards the digitisation of financial services has been one of defining themes of the year. As more and more Indians make digital payments, we are creating digital footprints of our financial behaviour on a scale the country has never seen before. Meanwhile, India remains one of the world’s largest economies without a law on privacy rights of citizens. This has prompted the Supreme Court to consider – in the context of making Aadhar mandatory for availing governmental benefits[2] – if our Constitution provides for a fundamental right to privacy, although there is no express mention in this regard. As it currently stands, we have retrofitted the Information Technology Act, 2000 (IT Act), originally enacted to give legal sanctity to electronic governance, to provide minimum safeguards in this regard.

This begs the question: who collects the data from this trail, and what are the general obligations that bind them to keep this confidential?

Part of the answer to this question lies in the IT Act – the overarching law governing the collection and use of personal information in electronic form.[3]

1. Requirements

The IT Act applies to these types of entities set-up in India and engaging in commercial/ professional activities (Body Corporates):

(a) company,
(b) firm,
(c) sole proprietorship, or
(d) other association of individuals.

A Body Corporate which either collects, processes, stores, transfers or accesses any sensitive personal data or information (Sensitive Data) in a computer resource has certain compliance requirements[4]. Financial information, defined as “bank account or credit card or debit card or other payment instrument details”, is classified as Sensitive Data.

The Body Corporate must take prior written consent of the data subject for collecting Sensitive Data, adopt a privacy policy and appoint a grievance officer for resolving complaints within 30 days. The Body Corporate must also inform the data subject (i.e. the person whose data is being collected) of:

(a) the fact that Sensitive Data is being collected,
(b) the purpose for which Sensitive Data is collected,
(c) the intended recipients of Sensitive Data,
(d) the name and address of the entity collecting Sensitive Data, and
(e) the entity retaining Sensitive Data.

The Body Corporate must also:

  • provide options to the data subject to decline providing Sensitive Data for availing a service and to withdraw consent which has been given already,
  • allow data subjects to review their Sensitive Data and modify/ update/ correct it (if found outdated/ incorrect), and
  • ensure that Sensitive Data is used as per specified purpose and not retained for a period longer than required for its lawful use (or as required by any other law).

2. What are the blind-spots?

Transaction records: For starters, it remains unclear if ‘financial information’ includes transaction records of the individuals as well, such as say credit card spending patterns or utility bill payments.

Newer forms of data: Newer forms of personal data that may be of a sensitive nature, such as browsing history, call records, social media behaviour, and so on, that are recently finding use in underwriting in financial services, do not have protections that sensitive personal data or information has.

Data retention and collection: Moreover, while a Body Corporate cannot hold Sensitive Data beyond the purpose for which the information was collected, there are no bright-line rules (such as purging the information within 30 days of purpose expiry). Market practice has also evolved in the direction of taking all-encompassing consents, making purpose limitation difficult to enforce.

Foreign banks, government departments and non-Body Corporates: The IT Act will likely not apply to foreign banks branches operating in India (of which there were 325 as of 31 December 2015 [5]) where they have not set-up Indian subsidiaries. The IT Act will also not apply to non-profit organisations, banking business correspondents, individual chartered accountants/ mutual fund distributors/ investment advisors/ insurance brokers etc. Significantly, there is no right to privacy under the IT Act for data collected by a government department, authority, commission or board as these will not be regarded as Body Corporates.

3. What happens if the IT Act is violated?

In India, we lack a dedicated data protection authority to supervise breaches of the IT Act, which are generally dealt with by the Secretary of Department of Information Technology at the state-level, who can impose up to 3 years of imprisonment or fine up to Rs. 500,000. Appeals from such decisions are heard by the country’s only Cyber Appellate Tribunal in New Delhi, which has decided a total of 17 matters since inception and had 66 appeals pending as of March 2016 (due to the continuing absence of a Chairperson since mid-2011). There has also been a long-standing proposal to have a bench of the Cyber Appellate Tribunal in Bengaluru[6].

In theory, an individual whose data has been mishandled under the IT Act can get up to Rs. 5 crore as compensation for negligent handling of his Sensitive Data by a Body Corporate, if he suffers a wrongful loss or a third party makes a wrongful gain.

4. Way Forward

While India deserves a stand-alone privacy statute, the IT Act framework can be extended to all non-public personal information[7] handled by a financial service provider in the interim.

To strengthen the current regime, financial service providers could be required to have nodal privacy officers for overseeing compliance with privacy requirements and to act as single point of contact for addressing customer complaints. Filings with financial regulators could also include a section on the status of such compliances with built-in consequences for violation.

Financial service providers should also be required to provide privacy notice (in model form) to each customer at the point of first engagement and on an annual basis subsequently. The notice can have the provider’s privacy policy in plain language, details of customer information collected, entities with which it can share the information and an accessible opt-out option to prevent information sharing (other than for compulsory purposes such as credit reporting).

Overall, electronic financial data protection in India is based on rudimentary regulations with limited enforcement and lack of distinct treatment by financial sector regulators. It is essential to make major upgrades to the data protection regime given the size, scale and detail of electronic data collection in the financial space.

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.

1 – See: http://www.thehindu.com/business/Economy/Reviewing-legal-framework-for-securing-digital-payments/article16896971.ece and http://www.livemint.com/Industry/VcLcVc6huMHGloWSSfe2EK/Govt-plans-tighter-privacy-rules-for-electronic-payments.html. Note that the The Information Technology Act, 2000 is administered by MeitY.
2 – In the matter of Justice K.S. Puttaswamy v. Union of India, order dated 11 August 2015.
3 – While we focus on the IT Act, we do note that codes of conduct have been developed by sector-specific regulators which impose an obligation of customer data confidentiality. However there is currently no clear mechanism for tracking/ reporting of privacy violations (under say Reserve Bank of India’s banking ombudsman scheme or Securities and Exchange Board of India’s SCORES system) and also no specific penalty implications for such conduct.
4 – There is a safe harbour provision for Body Corporates handling customer data under outsourcing contracts and not dealing directly with data subjects.
5 – See: https://www.rbi.org.in/commonman/upload/english/content/pdfs/71207.pdf.
6 – See: http://www.thehindu.com/news/cities/bangalore/Proposal-to-set-up-Bangalore-bench-of-Cyber-Appellate-Tribunal/article14948497.ece.
7 – The IT Act defines ‘personal information’ as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”