25 Aug

The Right to Privacy Judgment: Initial Reflections on Implications for Digital Financial Services

By Malavika Raghavan, IFMR Finance Foundation

The Supreme Court of India’s judgment on the fundamental right to privacy yesterday, 24 August 2017, speaks directly to the sweeping changes we are witnessing in the way that the State and private companies use citizens’ personal data. The collection and aggregation of individuals’ data to inform the entire chain of any welfare or commercial service provision is now de rigueur. In recent years, finance has become the poster child of this opportunity to use data: for first-time users of formal finance to be identified and diligenced; for products to be designed around their needs; for their digital and social information to stand in where they have no assets to back their promises to repay credit. Nowhere is this trend more alive than in India, and nowhere are the risks also writ as large. In the last 2 years we have seen a billion Indian mobile subscriptions, a billion Aadhaar numbers, and over 67 crore bank accounts linked to Aadhaar numbers for Direct Benefit Transfer (DBT) among other services. We have also witnessed over 3.2 million individuals’ financial information being compromised by PoS/ATM malware, the potential for stored biometrics to be used in unauthorised authentications, and the potential for unauthorised entities to access citizens’ personal data for eKYC purposes.

If the direction of travel is towards a more digital world, what are our protections and how should we think about regulating data in our country? The judgements in Justice K S Puttaswamy & Anr v. Union of India & Ors have laid down some touchstones to anchor how we navigate these questions in the years ahead. This post first picks out some key messages from the judgment (especially around informational privacy which has special relevance for the use of personal data in retail finance) and then presents initial reflections on implications for financial services.

Privacy is recognised as an inalienable, natural right situated across our fundamental rights

This judgement—coming to the Court as it does, as a result of cases filed on the legality of the Aadhaar project—grounds its reasoning within the context of the world we find ourselves in today. Technology is now part of our lives in a way that could not have been imagined when the Indian republic was formed 67 years ago. However, the principles on which we have founded our republic have continued relevance precisely because they guide us towards solutions for the intractable problems of our time.[1] Taking stock of this, the Supreme Court has confirmed that privacy is a constitutionally protected right that emerges primarily from the guarantee of life and personal liberty in Article 21 of the Indian Constitution, and also arises across a whole raft of fundamental rights contained in Part III of the Indian Constitution.[2]

The Court has tied back the right to privacy to the basic values that the Constitution and Indian society aspire to. These are given voice to in the preamble, among other parts of the Constitution. Across all six judgement texts delivered by the nine judges of the bench, certain values have been seen as inherent and intertwined with individual privacy.

Privacy is seen as a postulate of human dignity, and an essential part of individual liberty. Privacy enables individual autonomy. Indeed it is seen as lying across the spectrum of protections—for instance, its existence is needed to prevent the state from discriminating between citizens (and infringing the right to equality) by keeping certain aspects private. The Court has also noted that privacy has both subjective and objective elements i.e. subjectively, the expectation of individuals (where they desire) to be left alone AND objectively, those constitutional values that shape a protected zone where the individual ought to be left alone.[3]

In Puttaswamy, the Court has made several important observations about the nature and content of privacy protections which will no doubt be the subject of scholarship and interpretation for years to come. But two observations in particular merit the attention of those working to improve access to finance for the underserved. Firstly, the Court refuses any notion of a trade-off between individual freedoms and development. The Kesavananda Bharati[4] judgment’s view is reiterated: Parliament cannot abrogate the essential features of the individual freedoms secured to citizens in India. Our Constitution does not take the perspective that in order to build a welfare State, it is necessary to destroy some human freedoms. Indeed, to quote: “Our constitutional plan is to eradicate poverty without destruction of individual freedoms.”[5]

Secondly, and crucially for those of us tracking the use of personal data in financial services, individuals’ informational privacy is now firmly within the protection of fundamental rights.

Informational privacy is part of our expectation of privacy as Indians

Informational privacy i.e. the interest in limiting or controlling the access to information about ourselves, is dealt with in the lead Puttaswamy judgement by Chandrachud, J which devotes an entire section to it.[6] The Court takes note of the way in which technology has changed our lives, the digital trails we leave behind as we transact online, and the aggregation of these data points to reveal things about us that we may not expressly disclose. It notes the use of cookies to track online behaviour, the collection of users’ browsing histories, and other tools like automated content analysis of emails which can be analysed with algorithms to profile individual users. The Court notes that the use of data mining techniques, Big Data and the possibility of database linking essentially allow for aggregation of data about every single person in a manner previously not encountered.

Given this context, the Court notes the important role of data protection laws in safeguarding the privacy and autonomy of an individual, and ensuring non-discrimination on the basis of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation. The Court has recognised that a good data protection law will need to delicately balance the complex issues between individuals’ privacy interests and legitimate concerns of the state.

Para 180 of the leading judgment by Chandrachud, J contains a three-fold prescription to act as important guidance when considering how privacy might be safeguarded by ensuring:

  • that there must be a law: A law is needed to justify any encroachment on privacy, to fulfil the requirement in Article 21 of our Constitution that no deprivation of liberty can be undertaken except by a procedure established by law;
  • that law must be reasonable: Such a law must fall within the zone of reasonableness as required by Article 14 as a guarantee against arbitrary state action;
  • the law must be proportional: Any encroachment on individual privacy must be proportionate to the object and needs sought to be fulfilled by such a law.

Kaul J in his remarks presents the test of proportionality and legitimacy for limiting the state’s discretion, which requires an action to be sanctioned by law, necessary for a legitimate aim, proportionate to the need for such interference and with procedural guarantees against abuse of such interference.[7]

Reiterating the principles set out by the Government of India Group of Experts on Privacy in 2012, the Court takes note of the Committee of Experts chaired by Justice B N Srikrishna that has been constituted and will suggest a new data protection regime for the country. The work of ensuring that balance is achieved in law and manifested in practice lies ahead for all of us.

On the regulation of personal data and implications for financial services

The observations of the Court in Puttaswamy have direct implications for operational aspects of retail finance and for newer digital financial services provision. The use of new and alternative forms of data about consumers to target advertising and communication, and to appraise individuals is now a reality, as is the use of algorithms to mine data for use in processes like credit scoring. Negative outcomes from such processes that affect individuals’ privacy or cause discrimination will now be seen as infringements of fundamental rights, where state entities are involved. A horizontal data protection regime (applying to state and non-state actors) based on the same understanding of privacy would extend privacy protections for users against all types of entities.[8] As we debate the contours of privacy for our new data protection regulation and in existing financial sector regulations, we have an opportunity to shine a spotlight on existing data practices around consumers’ personal and financial information in financial institutions.

For those involved in the chain of financial services provision that is increasingly becoming more “digital”, this judgment has flagged up a new understanding of core issues. In particular, it forces more granular reflection on:

  • the kinds of data that can and should be collected, keeping in mind values of privacy and dignity of the individual;
  • the kind of data mining and algorithmic techniques that can be used, keeping in mind that such techniques cannot infringe privacy and liberty, autonomy and free choice, and equality of all individuals;
  • whether individuals’ reasonable expectations of privacy can vary based on categories and context of data; and
  • how a fair, just and reasonable law can help us find a way to ensure that the use of personal data is tied to legitimate proportionate objectives and interests.

This judgement has moved the gears for privacy and data protection in the country, ushering us into an era of change in which data protection laws globally are being re-purposed for rapidly evolving technological advancements. This will require a shift in our understanding of liability, and in our practices around accountability and reporting. All of this will need to be tackled by new data protection regulation and by updating the appropriate financial sector regulation – and ultimately, in the way in which our day-to-day data practices evolve within government, within industry and between citizens of India.

----

[1] Justice Puttaswamy & Anr v. Union of India & Ors, ALL WP(C) No.494 of 2012, DY Chandrachud, J at page 213. (Puttaswamy).

[2] ibid, page 262.

[3] supra n 1, para 169, page 246.

[4] Kesavananda Bharati v. State of Kerala, (1973) 4 SCC 225.

[5] Ibid, para 666, pages 486-487 cited in Puttaswamy, para 108, page 105.

[6] supra n.1, para 170 – 185, pages 246 – 260.

[7] supra n.1, Kaul J at para 71, page 27.

[8] The argument of some respondents (including the UIDAI) was that the right to privacy is a common law right. This would mean it was applicable to state and non-state actors. As noted by Bobde, J in Puttaswamy, a right can be simultaneously recognised as a common law and constitutional law right. Bobde, J also noted that the content of privacy in both forms (common and constitutional) is identical, which gives rise for the potential for similar considerations to apply across state and non-state actors. See Puttaswamy, Bobde, J at para 17-18, page 15-16.

10 Aug

Insights from the “Digital Investments Roundtable” hosted by the Future of Finance Initiative

(This post is authored by the Future of Finance Team at the IFMR Finance Foundation).

In the first and second posts of this series on the three Future of Finance Initiative (FFI) workshops hosted in April, we focused on digital payments and digital credit respectively. This blog summarises the key insights from the third workshop on digital investments. The workshop was attended by providers with a strong digital interface from across the investments ecosystem in India. We thank the participants for their frank and open views presented at the discussions.

The retail investments landscape in India is currently in the process of being disintermediated, with the operating model of traditional providers and associated intermediaries being re-examined by fintech players in this space. Given this background, and realising the continuing need for high-quality investment products for rural low-income households, we wanted to understand:

  • How are providers providing solutions relevant to new market segments?
  • Where are the risks and vulnerabilities across the chain of the players and processes associated with making digital investments?

In doing so, we found ourselves asking the following questions of the curated group of participants:

  • How are providers dealing with any issues around (a) segregation of investments advice and product sale, and (b) customer data protection?
  • What are the operational pain points for providers which are either created by or can be solved by policy and regulation intervention?

The first session at the workshop focussed on the current state of digital investments in India and was used to frame the discussion. An interesting visual from this discussion (reproduced below) was the geographic distribution of mutual funds sales in the country, which reveals that Western and Southern states have generated the majority of such investments. It was pointed out that in contrast, the penetration of life insurance is better in eastern parts of India. However, despite the growth of the mutual fund industry being significant in terms of absolute numbers, as a percentage of GDP, it is still estimated to be very low at 8.4% (as of 2016).[1]

Graphic: Geographic spread of mutual fund products (Source: Association of Mutual Funds in India) (Note: Legend in the graphic pertains to the average assets under management in Rs. crore)

Views on the future trends in the investments space and the role of regulation

Both offline and online consumer interfaces will continue to be critical: There was consensus among the participants that hybrid business models, incorporating both online and offline product distribution channels would prevail in the near future. It was however noted that there is a supporting environment in the form of digital public infrastructure (such as Aadhaar and India Stack) which has provided impetus for digital transactions in this space and that technology has enabled almost real time access to investments which was previously not the case.

The need for differentiated KYC processes: Some of the participants questioned the need for completing the full ‘know your customer’ process (including ‘in-person verification’) as a pre-requisite for investments in mutual funds, since investor funds were moved from a KYC-compliant bank account of the investor to the asset management company. One of the suggestions in this regard was to make full KYC a pre-requisite to redeem mutual fund investments, and also to put in place risk-based KYC processes instead of uniform KYC processes irrespective of the nature and amount of investments.

On the role of industry standards and sector practices: The participants noted that there are currently no regulations regarding protection and security of an investor’s personal data which apply to entities operating in this sector. Some of the participants highlighted their internal best practices such as conducting vendor due diligence before sharing personal data and having robust data security protocols driven in part by shareholder requirements (especially for companies which have received venture capital funding).

On complaints mechanisms: The participants agreed on the need to strengthen grievance redressal mechanisms to ensure better investor outcomes, and suggested that investor awareness programmes (which are applicable to product manufacturers) be made outcome based, for instance by measuring the number of retail investors who take up mutual fund investments as a result of participating in or being exposed to awareness programmes. It should be noted in this regard that the Securities and Exchange Board of India (SEBI) currently requires depositories and asset management companies/registrar and transfer agencies to put in place a ‘proper grievance redressal mechanism’ that is required to be communicated to the investors through the consolidated account statements.[2]

Role of agents and robo-advisory in the context of investment products

On treatment of advice and sale: Participants were keen to discuss the policy focus on separating advice and sale of investment products and commented that SEBI should consider regulating the quality of advice provided by agents. It should be noted that SEBI had recently put out a Consultation Paper on Amendments/Clarifications to the SEBI (Investment Advisers) Regulations, 2013 (available here) in this regard.

Some of the participants took a view that the current Indian market for portfolio advice is not at all data driven and potentially harmful advice is being provided to investors. It was also pointed out that the pass-through of commissions (received by insurance and mutual fund distributors) to investors is a rampant practice in India.

The promise of some of the new developments and digital investments is that more data flows can improve the range and quality of service in this space.

On considerations for robo-advisory services: The role of robo-advisory, i.e., providing financial advice with minimal human intervention, in investment advisory was also discussed. These advice algorithms could add value in terms of customising advice for consumers. There was recognition that algorithm-based investment advisory, once trained, could retain the biases of human advisors, which would need to be addressed in the long term, and there were questions around the manner of selection of the funds recommended by robo-advisors.

On disclosure: There was general consensus in the room that the onus should be on advisors to read offer documents and other disclosures and give informed advice to investors, instead of expecting potential investors to do so themselves.


About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.



[1] Attributed to Mr. NK Prasad, President and CEO at Computer Age Management Services Private Limited. Please see MF investments rising in smaller towns: CAMS, The Tribune, 28 December 2016. Available at: http://www.tribuneindia.com/news/business/mf-investments-rising-in-smaller-towns-cams/342616.html.
[2] As per paragraph 14.3.2.8 of the SEBI Master Circular for Mutual Funds, 2016.

3 Jul

Insights from the “Digital Credit Roundtable” hosted by the Future of Finance Initiative

(This post is authored by the Future of Finance Team at the IFMR Finance Foundation).

In the first post of this series on the three Future of Finance Initiative (FFI) workshops hosted in April, we focused on the workshop on digital payments. This blog summarises the key insights from the second workshop on digital credit. The workshop was attended by providers from across the credit ecosystem in India. We thank the participants for their frank and open views presented at the discussions.

India is one of the most underserved credit markets in the world, with only 15% of the households borrowing from formal channels.[1] Emerging digital lending models have the potential to address this gap. These models range from online marketplaces and online lenders (originating loans on behalf of traditional institutions or lending themselves) to P2P players (connecting individual lenders to borrowers via a platform). Given the entry of all these new technology oriented providers and intermediaries, we wanted to understand responses to our core questions to players across the digital credit space:

  • How are providers providing solutions relevant to new market segments?
  • Where are the risks and vulnerabilities across the chain of the players and processes in the digital credit ecosystem?

The Growing Role of Non-bank Entities in Digital Credit

An early insight that participants shared at the workshop was that there is no shortage of demand or supply for credit in India today; rather, we lack mechanisms in the market for the appropriate deployment of supply. It was also emphasised that the role of fintech providers in India is fundamentally different from markets like the US: while fintechs in the US focus on a generally well-banked population, often in competition with established banks, Indian fintech firms are also trying to expand the market and provide services to the underserved.

The key question facing the Indian market is whether providers dis-intermediating the chain of credit will partner with banks or compete with them in order to provide services to customers. Two market trends were described in this context:

a) P2P lending platforms partnering with banks

Participants reflected that traditional banking is limited by legacy systems and regulations. Some banks have taken a progressive view of the developments, with early trends emerging of P2P platforms tying up with banks to source customers and help with the early stages of the customer verification process. These partnerships are making certain asset classes—such as consumer and SME loans through e-commerce platforms—more accessible to traditional banks.

b) New strategies by digital lenders and P2P platforms to reach customers not previously accessed by traditional lenders

Providers in the digital credit market are also using new strategies to diversify the base of customers to whom they lend such as building partnerships with e-commerce platforms to use their data and advertising and targeting new customers. For instance, some P2P platforms have tie-ups with travel and holiday planning sites to offer loans to vendors listed on the site.[2] These partnerships have opened up access to new customers for SME and consumer loans who may not have been previously accessible to lenders.[3]

New Service Providers in the Chain of Digital Credit

Next the discussion moved on to the range of players in the digital credit scene. To frame the discussion, we presented to the participants a list of all the stakeholders involved in the provision of digital credit (Table 1), based on our understanding of the credit ecosystem.

Table 1: Digital Credit Stakeholders

Source: FFI (2017)

The participants observed that the above list is likely to evolve as emerging players involved in providing digital credit and related services are currently discovering and experimenting with different business models.

Despite the changing nature of the industry, participants agreed that the majority of digital credit operations are the same as those in traditional lending. However, certain processes such as risk origination and risk assessment have evolved because of increased access and use of customer data.

Emerging Pain Points for Digital Credit

The discussion moved on to the operational pain points faced by providers and their intermediaries.

Low awareness of data-related risks: The chief concerns of the attendees centred on data protection and privacy. The participants felt that the average Indian consumer’s awareness of data-related risks is minimal. Educating customers about privacy and data protection issues is crucial. The providers at our workshop took their own roles in this process very seriously. Participants also believed that customer data should not be shared without explicit consent. However, at the same time, they conceded that consumers often do not know what they are giving consent for.

Participants also highlighted that risky customer data practices already exist and are not unique to the digital credit space. For instance, participants discussed the large role that Direct Selling Agents (DSAs) have traditionally played in the selling of financial products by contacting potential customers. Currently, DSAs are a weak link when it comes to securing customer data, since there is no clear procedure to monitor and sanction these agents.

New data for credit assessments: Next the participants discussed the use of alternative-data-based assessment for lower income customers – to widen the potential to offer credit products to them, since they often do not have more traditional credit scores to support assessments of creditworthiness. It was emphasised that standardised credit products can lead to financial exclusion due to exclusionary eligibility criteria.

In this context, the question of privacy arose – specifically, whether certain types of alternative data could compromise the privacy of individuals and whether this was a valid consideration. Participants’ views were divided on the importance of this question to the end customer – with some musing that privacy could be a “luxury” problem and others priding themselves on placing strong value on their data privacy practice.

Need for standardised borrower assessment, fair lending requirements and front-end provider liability: Typically, assessing a borrower’s creditworthiness involves gauging the ability to repay, intent to repay and identity. This process is standardised in countries like the US and the UK. However, in India there is no standardisation of the borrower assessment process. This exacerbates the challenges of evaluating customers.

In the US, the fair lending requirements practised by foreign banks prevent discrimination based on pincode, race etc. Equivalent provisions do not currently exist in India. However, in the US, discrimination is implicit within lending practices — in a black box form. As a result, American lenders do not share their assessment processes.

All the participants agreed that in the case of any customer harm arising, the customer-facing institution must take responsibility and liability — irrespective of the dis-intermediation of the chain of credit in the digital context. There cannot be a situation where the customer’s rights are spread across multiple entities.

Regulators need to factor in market development and stakeholder perspectives: Participants highlighted the need for regulators to let the industry take a meaningful size and shape before introducing guidelines. If regulations supersede the industry’s development, they can shape the formation of industry (instead of market forces).

The attendees also remarked that digital lenders have no formal forum for engagement with key regulators, making it tough for them to give feedback ex ante about the possible impact of proposed regulation on the market and on customers. One recent initiative that participants discussed was the Digital Lenders Association of India (DLAI), which seeks to work closely with the government, regulators and policymakers on behalf of those involved in the core lending business and facilitators in digital lending.

Overall, the workshop helped us get an insight into the role of the various actors who participate in the digital credit ecosystem in India, and their perceptions on managing risks to customers.


About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.


[1]See: All-India Debt and. Investment survey (2014) http://mospi.nic.in/sites/default/files/publication_reports/nss_577.pdf
[2]See: http://www.business-standard.com/article/companies/alok-mittal-returns-as-entrepreneur-launches-platform-for-smb-lending-115100100047_1.html
[3]See: http://www.amazon.in/b?ie=UTF8&node=8520691031

30 May

Insights from the “Digital Payments Roundtable” hosted by the Future of Finance Initiative

(This post is authored by the Future of Finance Team at the IFMR Finance Foundation).

In April, the Future of Finance Initiative (FFI) hosted a series of closed door workshops with a small set of digital financial service providers focusing on payments, credit and investments. The primary goal of the workshops was to map the “transaction journeys” of individuals using digital financial services in India and identify points of weakness from a supply side perspective. This helped us get a clearer understanding of the emerging customer level vulnerabilities in the Indian digital financial landscape. This blog summarises key insights from the first workshop that we hosted on digital payments. The discussions were held under the Chatham House Rule, so this post is limited to overall themes without attributing comments to participants. We thank the participants for their frank and open views presented at the discussions.

The payments ecosystem in India has undergone rapid evolution in the recent past. Post demonetisation, the big push from Government to scale up digital payments has been front-and-centre on the policy and industry agenda. Given all of this, we wanted to understand:

  • How are providers providing solutions relevant to new market segments?
  • Where are the risks and vulnerabilities across the chain of the players and processes associated with making a digital payment?

We posed some of these questions to the carefully curated set of participants of the digital payments workshop. They reflected players across the payments ecosystem in India including wallets, payment system operators, payment gateways, card payment processors and software developers.

New customer segments need new products tailored to their needs

The workshop kicked off with a discussion on broad trends and considerations emerging for those working in the payments industry in India. A key observation was that new segments of customers are being brought into the digital payments ecosystem who are different in their capacity to absorb any losses, compared to existing customers. This opens up new opportunities and responsibilities for providers, including on product design and innovation.

Specifically, financial services tailored for low income consumers have not evolved in the Indian financial market — unlike other sectors such as telecommunications (where, for example, different levels and durations of phone recharges are available). As an illustration, most credit cards are set up for 45-day cycles as they are aimed at “salaried” employees who earn once a month. However, there are no cards with 20-day cycles for people earning twice a month or at more frequent intervals (such as those in part-time work or the informal sector). In the future, such a segment could be served by small finance banks and payment banks, potentially in partnership. Some participants felt that this approach to banking could be more effective for fostering financial inclusion than recent government schemes which scale up inflexible products (such as no-frills bank accounts).

Service providers in the chain of payments

The FFI’s focus to date has been understanding customer-level risks in digital finance. We wanted to use this opportunity to test our concerns with providers involved in payments transactions. To frame the discussion, and locate the various parties in the chain of a payments transaction, we presented a simplified schematic of our understanding of the payments ecosystem to the participants.

Figure 1: Card Not Present[1]: Online Payment Schematic


Source: The Future of Finance Initiative (2017)

The black arrows track transaction data flows and the green arrows track funds flows in the back end of a typical payments transaction. Participants agreed that this reflected the flows of a standard payments transaction. This schematic has remained broadly the same at the back end for most forms of payments, but the challenges from the push towards newer forms of digital payment methods arise mainly from (1) the variance among front-end customer-facing applications, (2) increases in volumes of transactions and (3) the related data.

Pain points include security, transaction failures and policy uncertainty

Discussions then followed through the afternoon about the operational aspects of completing payment transactions and pain points in the current scenario.

Data protection and data security: Payment service providers generally include clauses in their terms and conditions regarding customer data use. However, the practices around this vary vastly. A key concern with direct impact on customers relates to data security, given the amount of data collected, stored and transmitted digitally in the payments process. ISO 27001 is the key global standard to which players in the payments industry generally aspire. It was observed that full compliance with the standard was unaffordable for most providers, though the majority of them complied to the greatest extent possible.

Issues with the Payment Card Industry Data Security Standard (PCI DSS), the industry standard for policies and procedures aimed at protecting data in card and payment transactions, were also discussed. Adherence to all aspects of the PCI DSS was patchy across industry participants. The standard does not have an enforcement body (being an industry standard, with compliance driven by the requirements of the payment brands and acquirers). Concerns were raised that certain payment gateways and services were falling foul of the requirements without being censured, for example by storing the CVV for extended periods of time in contravention of PCI DSS.[2] It was pointed out that the PCI DSS provisions date from a pre-mobile era and tend to be web-focussed. This leaves gaps even within these standards with respect to data security for mobile transactions.

With regard to future regulation, participants stressed the need to weigh the costs of compliance carefully against evaluations of risk when regulations are being formulated.

Hardware security: Hardware security is often overlooked in discussions around payments security. Participants discussed the absence of hardware checks for mobile phone handsets, and of regulations limiting pre-installed applications on mobile phones. This opens up the possibility of phones manufactured in other countries being sources of data theft and spyware. For instance, in 2016 firmware was found on Chinese-manufactured smartphones being sold in the US which transmitted personally identifiable information (PII) to servers in China via a back door.[3]

To raise consumer awareness of security vulnerabilities and to drive providers to adopt better security practices, one idea suggested was to develop standardised indicators on apps and webpages to give users an immediate indication of the level of security. An existing example of this is the green lock HTTPS URL marker currently used to indicate that a website holds a valid Secure Socket Layer (SSL) certificate.
Image source: hostcats.com (2016)

Transaction failures and frauds: Participants noted that the payments industry needs to improve on the failure rates for transactions to avoid affecting consumer confidence and usage. There was consensus that the regulator could play a constructive role in publishing aggregated information about transaction failure rates to incentivise higher data security standards. Providers themselves would shy away from publishing this kind of data individually. However, aggregated data published by a neutral third party or regulator could drive the providers to measure themselves against this benchmark and aspire to better rates.

Regulatory uncertainty and intervention: Participants discussed concerns about the impact of regulatory uncertainty, along with how prescriptive regulatory standards had the potential to stifle innovation. Providers were concerned about competing with Government-sponsored payments products and services, and were anxious about Government subsidies and price caps that could put pressure on market prices and introduce uncertainty for providers who were seeking to be commercially viable. There was also discussion on the need for a level playing field for new payment service providers as against established providers like banks.

Overall, the workshop was a fascinating deep dive into the perspective of the various actors who participate in making a payment transaction possible – while keeping the customer’s experience and concerns at the heart of the discussions.

---

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.


[1] Card not present (CNP) refers to a purchase a consumer makes without physically being present or presenting his or her credit or debit card at the time of purchase. CNP transactions often occur online and are conducted by consumers without the actual in-store credit card swipe – which is likely the major direction of travel, as more digital payments are made over mobile/internet to pay for goods and services.

[2] For more see: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

[3] For more see: http://gadgets.ndtv.com/mobiles/news/chinese-firm-installed-back-door-on-thousands-of-smartphones-says-it-was-a-mistake-1626136

26 Apr

Comments on the RBI Draft Master Directions on Issuance and Operation of Prepaid Payment Instruments in India

By Bhusan Jatania, IFMR Finance Foundation

The Reserve Bank of India (RBI) released the Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India (Draft Circular) on 20 March 2017. The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Circular.

While the Draft Circular builds upon a series of PPI related circulars issued by the RBI, it proposes significant changes such as:

  • increasing a PPI issuer’s net-worth requirement to Rs. 25 crores (from the existing Rs. 1 crore),
  • allowing PPI issuers to access payment systems in the future (without providing details),
  • requiring comprehensive system audit of PPI issuers on an annual basis (and before granting licenses to new applicants), and
  • compulsory conversion of existing PPIs (which hold minimal information about the user) to full-KYC PPIs (to be achieved within 60 days of the Draft Circular coming into force).

In our comments to RBI we have recommended that the Draft Circular:

  • provide a higher standard of customer data protection,
  • create a more level playing field for bank-led and non-bank-led PPI issuers, and
  • clarify customer liability for unauthorised / fraudulent transactions involving PPIs.

In our response we have also compared the Draft Circular to the recent draft rules for security of prepaid payment instruments released by the Ministry of Electronics & Information Technology on 8 March 2017 (to which we also provided a response, available here).

We believe that the proposed regulatory revamp of wallet providers is driven by the principle that the emergence of dominance should lead to greater supervision. The RBI appears to have taken the view that the digital payments sector, characterised by significant user expansion, raises emerging concerns around customer abuse, data security and systemic risk. And while the industry has raised some concerns of regulatory extravagance around the Draft Circular, it should largely be seen as a step in the right direction.

Our response to RBI’s public consultation is available here.
