27 Mar

Comments on the Ministry of Electronics & Information Technology’s Draft Rules for Security of Prepaid Payment Instruments

By Malavika Raghavan, IFMR Finance Foundation

On 8 March 2017, the Ministry of Electronics & Information Technology (MeitY) released a set of draft rules for security of prepaid payment instruments (Draft Rules), inviting comments by 20 March 2017.[1] The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Rules.

The Draft Rules propose new requirements for pre-paid payment instrument (PPI) issuers, requiring them to:

  • put in place information security policy and privacy policies, and undertake risk assessments to assess risks associated with the security of their payment systems, and
  • institute a range of measures on customer identification, authentication, awareness, and education, and separately, a set of security practices.

The Draft Rules seek to broaden the category of customer information that is considered “personal information” for the purposes of the Information Technology Act, 2000 (IT Act), improper disclosure of which can be penalised by a fine up to Rs. 5 lakhs or imprisonment up to 3 years (or both). They also seek to give transaction history data held by PPI issuers a higher degree of protection as “sensitive personal data and information” under the IT Act.[2]

The Draft Rules are an important and progressive step towards highlighting customer data protection and privacy concerns of customers using PPIs. However, MeitY has taken the interesting position of making rules for a particular institution type (PPIs here), which makes it akin to a sectoral regulator. It is also interesting to note that the Draft Rules traverse areas in which Reserve Bank of India (RBI) regulation already exists. In this regard we note that on 20 March 2017, the RBI released its updated “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India”, inviting comments by 31 March 2017.

In our comments to MeitY we have sought to highlight that the Draft Rules:

  • dealing with privacy and data protection, while incorporating some of the key (and internationally recognised) data protection principles, can benefit from a more complete coverage of these principles,
  • while certainly taking the lead in customer data protection, should, keeping in tune with several other jurisdictions, go a step further and consider a broadening of the scope of Sensitive Personal Data and Information (SPDI) by covering any “personally identifiable financial information that any institution collects about an individual in connection with providing a financial product or service (unless that information is otherwise publicly available)”. We characterise this as “Non-Public Personal Information” (NPI), and make a case for treating NPI as SPDI for the purposes of the Information Technology Act, 2000,
  • should attempt consistency with the existing framework of the Information Technology Act, 2000 (particularly the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011) so as to avoid multiplicity of legal standards.

We consider MeitY to be best placed to continue its role as the overarching standards-setting body for issues relating to security and integrity of electronic transactions, and we see the actual monitoring and enforcement of such standards to be delegated to sector-specific and specialised regulators (such as RBI, SEBI, IRDA, PFRDA, TRAI, Airports Authority of India, Registrar of Companies, All India Council for Technical Education and others). Therefore, in the context of PPIs, it would be wise to take note of existing regulations and monitoring systems already present within the RBI, as further described in our response document.

Our response to MeitY’s public consultation is available here.

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.


[1] The deadline has since been extended to 5 April 2017.

[2] For an explanation of these categories, see our blog on Electronic Financial Data and Privacy in India (published December 2016).

21 Mar

The P2P Lending Market in China: A Parable for Indian Policymakers – Part 2

By Varun Aggarwal, IFMR Finance Foundation

In the first post of this two-part series, we tracked the explosive rise of the P2P lending market in China, which took place in the absence of any regulations. In this post we look at the series of regulatory measures introduced by the Chinese authorities in the wake of high profile platform failures and mounting outstanding debt levels.

Changes in the Regulatory Environment  

The China Banking Regulatory Commission (CBRC) first began addressing the issue of P2P regulation in official speeches in 2014. The speeches marked “red lines” lenders should not cross and outlined principles for the industry.[1] However, it was not until July 2015, with outstanding P2P loans at 200 billion RMB, that the first intentions to regulate the industry were articulated. The People’s Bank of China (PBOC) (the Central Bank) along with China’s State Council and other key financial regulators such as the China Securities Regulatory Commission and China Insurance Regulatory Commission jointly issued the Guiding Opinions on Promoting the Healthy Development of Internet Finance [2] to encourage financial innovation, promote the healthy development of Internet finance, clarify the regulatory responsibilities, and regulate market order. The CBRC was officially made responsible for formulating and administering policies on the behavioural supervision of P2P lending platforms. Some of the key proposals included the following:

  • P2P platforms were to become “information intermediaries” and not financial intermediaries as was the prevalent industry practice.
  • In order to put a stop to fraudulent platform operators stealing funds, all client accounts were to be parked at custodian banks.
  • Platforms were also precluded from offering “credit enhancement” or guaranteed returns by covering losses themselves.

In 2016, a PBOC-led group of regulators began a rectification campaign for the Internet finance sector. Local governments were given orders to survey the online lenders, crowdfunding platforms, private equity funds, and more complex financial firms operating in their jurisdiction to get a clearer picture of what regulation is needed. Major cities stopped registering new firms in this field, stricter rules on advertisements came out, and reports even circulated of internet finance firms being ordered to vacate office buildings in busy districts due to fear that they would become targets for protests staged by defrauded investors if the platforms failed.[3]

Based on the 2015 Principles, on 24 August 2016, the CBRC, the Central Ministry of Industry and Information Technology (MIIT) and the Cyber Administration of China (CAC) jointly released the Interim Measures on Administration of the Business Activities of Peer-to-Peer Lending Information Intermediaries (the “Interim Measures”).[4] The Interim Measures comprise the first comprehensive legal framework specifically regulating peer-to-peer lending activities in China.[5]

Under the new rules, an “internet lending information intermediary” – namely a P2P lending platform – means a validly established company that specialises in acting as an intermediary provider of online lending information – “online lending” means direct lending made amongst individuals through an Internet platform. Individuals include natural persons, legal persons, and other organisations.[6] [7]

Some of the key requirements of the Interim Measures included:

  1. The capping of the total amount that an individual can borrow on a single platform at RMB200,000 (~29,000 USD), and RMB1 million (~143,000 USD) on multiple platforms. The respective caps for a corporate entity are RMB1 million and RMB5 million (~718,000 USD).
  2. P2P lending platforms must now hold borrower and lender funds in custodian accounts with ‘registered financial institutions’ instead of in the platform itself. The custodian account acts as the fund transfer mechanism between lenders and borrowers, and serves as an escrow account for all transactions between both sides.[8]
  3. Other operational obligations on platforms included filing with local financial supervisory authorities[9], obtaining permits from relevant telecommunications authorities and releasing, for public record, information on direct lending and borrowing transactions.
  4. The scope of operations was demarcated: P2P lending platforms were prohibited from selling asset-backed securities or financial instruments such as insurance, trust products and wealth-management products, and from conducting offline promotion of financing projects.
  5. Standards for data management were put in place — focusing on proper KYC and data protection.[10]

The Interim Measures provide a 12-month transitional period for existing P2P lending platforms to achieve compliance.

The new rules also set out authority among Chinese regulatory agencies — financial regulators at the provincial and city level will be primarily responsible for registering and overseeing P2P lending platforms. This offers the benefit of more direct supervision; however China experts[11] highlight graft and fraud among mid-level bureaucrats as being still relatively common at the local level.

Other major criticisms of the measures centered on the absence of reporting requirements to a centralised database which records all P2P lending information (or an equivalent credit bureau).[12] This makes enforcing the borrowing cap impractical, as platforms cannot ascertain the aggregate outstanding debt of a borrower across multiple platforms.[13] [14]

Nonetheless, in the long run, regulators believe that the ‘Interim Measures’ should help to ensure a healthier and more sustainable market. These measures are likely to bring about a reshuffling and consolidation of market players.

Lessons for Indian Policymakers

The P2P lending industry in India is tiny compared to China. At the end of 2015, for instance, there were 38 P2P lending platforms operating in India — compared to 2200 in China. But 20 of the new online P2P lending platforms were launched in 2015, suggesting that the market is starting to take off in India. In fact, projections expect India’s P2P lending market to swell to USD 4-5 billion in the next 5-6 years.[15]

On April 28, 2016, the Reserve Bank of India (RBI) issued a public consultation paper on P2P lending regulations in India. Though the paper only states the proposed rules and solicits feedback/comments, it does give an idea about the RBI’s stance towards P2P lending. IFMR Finance Foundation conducted a detailed analysis in its response to the RBI’s consultation paper.

Nonetheless, the risk-ridden rise of the Chinese P2P lending market — characterised by explosive growth and spectacular platform failures — and the consequent attempts to regulate it, are relevant and timely parables for Indian regulators. Some of the key lessons from the Chinese experience are:

  1. Clarifying the definition of a P2P lending platform and demarcating the scope of its business activities. For instance, the China regulations clarify internet finance to include incorporated businesses as lenders, besides individuals. Furthermore, P2P lending platforms were prohibited from taking deposits from members of the public or creating asset pools, selling wealth management products and transferring debts by issuing asset-backed securities.
  2. P2P platforms should not be allowed to promise guaranteed returns to their lenders (as envisaged already in the RBI consultation paper). Chinese regulators have prohibited platform guarantees for borrowers (unless facilitated through a third party, such as a bank).
  3. Proactive supervision of platforms’ lending activities and practices — by utilising mystery shopping and periodic filings with relevant authorities.
  4. Need for implementing public disclosure of characteristics of the assets under management (AUM) such as number of loans, outstanding amounts, NPA ratios. In China, platforms are required to publicly disclose information on direct lending and borrowing transactions, although it is unclear whether there is a requirement to disclose asset quality numbers.
  5. Need for prudential requirements (in some form of a backstop) for systemically important platforms proportional to the total volume of lending activity being conducted. Chinese regulations have not incorporated such a requirement while the UK has this for its loan-based crowd-funding platforms.[16] The RBI consultation paper considers a leverage ratio but it is unclear how the ratio will be applied since neither liabilities nor assets reside on the platform’s balance sheet.
  6. Retail borrowers and retail lenders need to be provided with additional protections against being mis-sold unsuitable products (loans and debt investments respectively). While the Chinese authorities require platforms to offer financial consulting services, it is unclear what these services involve. The UK’s FCA has taken steps to ensure suitability requirements on P2P platforms:
    • For Borrowers: The FCA’s Handbook on Responsible Lending specifies that “a firm, with respect to operating an electronic system in relation to lending in relation to a prospective borrower under a P2P agreement”, “must undertake an assessment of the credit-worthiness of the prospective borrower”[17]. Furthermore, providers have to highlight[18] key risks to the borrower such as the consequences of missing payments or under-paying.
    • For Lenders: FCA specifies that where lenders have the choice to invest in specific P2P agreements, platform providers should provide information regarding the details of the creditworthiness assessment of the borrower carried out.[19] Moreover the FCA has mandated platforms to disclose[20] all relevant information to enable potential investors to make informed decisions on whether or not to invest.
  7. Ensuring that all loan disbursements and loan performance details are reported mandatorily to credit bureaus. This requirement is currently absent in China.
  8. Allowing P2P platforms to have access to credit bureaus records. Chinese P2P platforms have access to records of existing personal or business credit from traditional and non-bank financial institutions, including credit information from the central bank’s national credit-registry system.
  9. In order to facilitate secured lending on platforms, there is a need to provide platforms with access to the CERSAI asset registry, and potentially to include them under the ambit of the SARFAESI Act; Chinese P2P platforms have access to the central bank’s national ‘movable assets’ registry information for accounts receivables.[21]
  10. As platforms store and handle sensitive datasets, there is an urgent need for proper data protection and security standards. Currently China’s regulations are focused solely on the accuracy of data being collected; however, more detailed implementing rules are expected to be issued on data privacy and technological standards.[22]
  11. Platforms should be stopped from using misleading promotions of services — UK[23] authorities, for instance, actively monitor financial promotions on platform websites and take action where firms do not meet their standards. The FCA has also released a guide on financial promotions in social media.[24] Chinese regulators have prohibited the offline publicising or recommending of projects that need funding (only electronic channels such as internet, fixed-line telephones, and mobile phones or via entrusting or authorizing a third party, are permitted), although the rationale behind this prohibition is ambiguous.[25]




[1] See: https://piie.com/blogs/china-economic-watch/p2p-series-part-2-regulating-chinas-plethora-p2p-players
[2] See: http://hkmb.hktdc.com/en/1X0A34J5/hktdc-research/China-Issues-Guidelines-on-Development-of-Internet-Finance
[3] See: https://piie.com/blogs/china-economic-watch/p2p-series-part-2-regulating-chinas-plethora-p2p-players
[4] For an English translation of the measures see: http://en.pkulaw.cn/display.aspx?cgid=278756&lib=law
[5] See: www.linklaters.com/pdfs/mkt/shanghai/A32461989.pdf
[6] See: www.linklaters.com/pdfs/mkt/shanghai/A32461989.pdf
[7] See: https://hk.lexiscn.com/law/law-english-1-2917482-T.html
[8] The CBRC recently issued the Guidelines for Online Lending Fund Depository Business; for more see: http://hkmb.hktdc.com/en/1X0A99GT/hktdc-research/CBRC-Issues-Guidelines-for-Online-Lending-Fund-Depository-Business
[9] For the purpose of these Measures, “local financial regulatory authorities” means the departments of all provincial people’s governments which undertake the functions of local financial regulation. See more: http://en.pkulaw.cn/display.aspx?cgid=278756&lib=law
[10] See: https://hk.lexiscn.com/law/law-english-1-2917482-T.html
[11] See: http://www.nasdaq.com/article/new-rules-for-chinese-p2p-lenders-designed-to-minimize-fraud-slow-industry-growth-cm719480
[12] Although there have been suggestions that the CBRC will build a centralised database on the online lending industry. See more: https://www.nri.com/~/media/PDF/global/opinion/lakyara/2016/lkr2016235.pdf
[13] See: www.linklaters.com/pdfs/mkt/shanghai/A32461989.pdf
[14] See: http://www.globaltimes.cn/content/1003315.shtml
[15] See: http://www.business-standard.com/article/pti-stories/startup-sees-peer-to-peer-lending-market-growing-big-in-india-116020700125_1.html
[16] See: https://www.fca.org.uk/publication/policy/ps14-04.pdf
The volume-based financial resources requirement calibration placed by FCA on P2P platforms is the sum of:

  1. 0.2% of the first £50 million of the total value of the total loaned funds outstanding
  2. 0.15% of the next £200 million of the total value of the total loaned funds outstanding
  3. 0.1% of the next £250 million of the total value of the total loaned funds outstanding
  4. 0.05% of any remaining balance of the total value of the total loaned funds outstanding above £500m

[17] See: 5.5, https://www.handbook.fca.org.uk/handbook/CONC/5.pdf
[18] See: https://www.handbook.fca.org.uk/handbook/CONC/4/3.html?date=2016-07-01
[19] See COBS14.3.7A (4) in: https://www.handbook.fca.org.uk/handbook/COBS/14/3.html
[20] See: https://www.fca.org.uk/publication/thematic-reviews/crowdfunding-review.pdf
[21] See: http://www.accaglobal.com/content/dam/ACCA_Global/Technical/manage/ea-china-p2p-lending.pdf
[22] See: www.linklaters.com/pdfs/mkt/shanghai/A32461989.pdf
[23] The FCA highlights concerns regarding promotions that compare P2P lending in equivalence to holding money on deposit, as investors should understand that there are greater risks involved and they may lose some or all of their money. For more see: https://www.fca.org.uk/publication/thematic-reviews/crowdfunding-review.pdf
[24] See: https://www.fca.org.uk/publication/finalised-guidance/fg15-04.pdf
[25] A plausible reason could be the prevalence of offline-online business models in China, where providers would promote their online services to customers through offline means.

16 Mar

The P2P Lending Market in China: A Parable for Indian Policymakers – Part 1

By Varun Aggarwal, IFMR Finance Foundation

Since 2011, China’s P2P lending market has witnessed unprecedented growth. However, numerous high profile platform failures prompted the Chinese authorities to come out with a host of regulations at the end of 2016. This post is the first in a two-part series and takes a brief look at the explosive rise and the subsequent failures in the Chinese P2P lending industry.

China’s peer-to-peer (P2P) lending sector has emerged as the largest digital alternative finance sector in the world. In China, digital financial services, such as P2P lending, are generally referred to within the broad category of Internet Finance. This taxonomy includes both traditional financial institutions that have moved online and non-traditional financial platforms offering online financial products and/or services.

Box 1: Disaggregation of P2P Lending in China[1]

The Initial Boom

The first online P2P lending platform, ppdai.com, was established in China in August 2007. However, 2013 is widely seen as the watershed year for marketplace/peer-to-peer lending[2] in China.[3] Between 2013 and 2014, the market grew, in terms of lending volume, at a rate of 337% per annum. Peer-to-peer (P2P) lending topped USD 100bn in China in 2015, soaring 248.3% versus the previous year. The number of active users of P2P also surpassed 9 million in 2016.[4]

Box 2: Annual Outstanding Through P2P Platforms

Box 3: Lending Volume of P2P Industry

The number of platforms trading between 2013 and 2016 also increased rapidly: 800 platforms were trading at the end of 2013, 1,575 by the end of 2014, and 2,364 as of March 2016.[5] [6] In comparison, the P2P lending market has developed much more slowly in the UK and US, despite the first platforms in these countries predating China.

The Subsequent Busts and Consolidation  

However this explosive growth led to a large number of “incidents” and platform collapses involving cash shortages, defaults, fraud and closures. These incidents have inflicted huge financial losses on lenders and the wider public, and led to instances of social unrest in certain areas of China. For instance Anhui province-based Ezubao, which until January 2016 was one of the top 10 largest P2P lending platforms in China, was shut down in early 2016 and 21 of its executives arrested for scamming 900,000 individual investors out of USD 6.7 billion. An estimated 95% of all borrower listings on Ezubao were fraudulent and the top executives used investor money to enrich themselves.[7] Other cases of fraud saw company bosses launching P2P platforms to fund their own businesses.

Box 4: Number of Operational Platforms vs ‘In Trouble’ Platforms[8]

During the first half of 2016, 515 P2P platforms were shut down.[9] By the end of June 2016, there were 1,778 troubled P2P platforms, accounting for 43.1% of the total, according to the China Banking Regulatory Commission (CBRC).[10] Furthermore, the number of newly created P2P lending platforms in China had declined at a rate of over 50% in April, compared to a growth rate of nearly 80% back in May 2015.[11] The number of platforms experienced a year-on-year decrease for the first time in the short history of P2P lending in China.

China’s financial authorities had initially enabled the P2P Lending Industry’s growth, and were content to let things develop without any government intervention. However, the increasing number of platform failures forced their hand and 2016 saw the introduction of a whole host of measures to regulate and guide the market. These measures — called the ‘Interim Measures’ — put a stop to some of the predatory and cavalier practices of P2P platforms and introduced provisions to control risks.

Some Determinants of the Chinese P2P Market: 2007-2016

Four factors were instrumental in driving the growth of China’s Online P2P Lending Industry at an unparalleled speed: an open and supportive regulatory environment, enormous demands for inclusive finance from under-served segments, innovative business models and the entry of mainstream financial institutions in the market. But many of these factors also contributed to the building of customer and systemic risk in the sector which culminated in the series of platform failures.

  1. The regulatory environment

The Chinese government has been extremely forthcoming in its support for P2P platforms and internet finance in general. In recent years Chinese Premier Li Keqiang made multiple calls of support in the Report on the Work of the Government over 2014/15, stating that “Internet-based finance has swiftly risen to prominence”, with the imperative “to encourage the healthy development of … Internet banking”.[12]

Chinese platforms operated in a regulatory vacuum until 2016. They registered themselves as some variant of “information services” companies with the local Industry and Commerce office, then opened up their websites soliciting borrowers and investors with no official standards for disclosure and no formal regulation from the central bank or banking regulator.[13] It was unclear which watchdog agency should regulate the industry. Consequently, because P2P platforms were not subject to any market entry rules, industrial criteria or regulatory monitoring, they grew extremely fast.

But this loose environment was a double-edged sword. While it created room for companies to build new financial products in traditionally underserved areas like consumer finance and small business loans despite the lack of reporting to credit reporting agencies, it made it easy for bad actors to defraud unwary investors. Interest rates were higher than those offered by banks, and returns to retail investors were high too, averaging around 13.29% in 2015.

  2. Limited financial services available for low income customers

Since the start of the policy era of market ‘reform and opening’ in the 1980s, a few massive State-Owned Commercial Banks (SOCBs) have dominated China’s financial system. These large banks have predominately financed large state-owned enterprises and government-related borrowers. Furthermore, the traditional credit market in China is subject to various restrictions such as interest rate caps and exchange rate caps.[14]

In order to increase the supply of credit, SOCBs had initiated many schemes; however, there remains a large ‘institutional gap’ when funding smaller enterprises, poorer individuals and households. According to data from the People’s Bank of China, only 25.1% of individuals received personal loan approvals from traditional banking institutions in 2014.[15] This has been largely attributed to the difficulty in accessing traditional banking institutions, complex and cumbersome application processes and overly strict eligibility criteria for wealth management products.

These under-served customers had an eager appetite for online P2P lending to fulfil their needs. Many P2P lending providers had also moved into consumer financing by offering a diversified range of lending services in areas where traditional banks have been too slow to operate – such as car financing, education and training, as well as mortgage financing.[16]

  3. Entry of mainstream financial institutions and other large enterprises in the market

Since 2014, state owned enterprises, private equity and mainstream financial institutions such as SOCBs gradually became involved in the P2P lending sector by buying equity stakes in the platforms. This swelled the average registered capital of P2P platforms to RMB 27.84 million (~ USD 4 million) in 2014, almost double the 2013 average. This enabled many platforms to take a trial and error approach to expand their customer base by offering low-price or even free services.[17]

  4. Innovative Business Models

In order to attract enough investors, P2P companies offered various investor-protection plans, and security schemes to guarantee the repayment of the principal and interest. And thus, platforms in China devoted a large pool of money and resources to building up offline risk control teams, thereby forming a so-called online to offline (O2O) business model.

While the Internet was used to obtain funding, offline processes were used to educate and consult with individual investors. Due to the relative lack of comprehensive credit information about borrowers, providers relied on offline modes for soliciting them and for carrying out credit investigations. However, many P2P platforms did not have specialised risk controls and credit check teams.[18]

A survey done by the Association of Chartered Certified Accountants (ACCA) captures the following distinctions amongst P2P lending provider business models in China, explained below[19] :

Box 5: Different P2P Lending Provider Models in China

These measures drastically increase the operational costs of P2P lending, contributing to the relatively higher interest rates compared to the commercial lenders in China.[20]

Box 6: P2P Loans for Home Mortgage Down Payments[21]

The P2P lending industry has been a source for loans for down payments on homes. These P2P loans typically mature in 90 days and carry interest rates of up to 12%. Speculators applied for multiple mortgages from banks, increasing the overall systemic risks to the Chinese financial system. Many experts are worried that property speculation in China’s four biggest cities — Beijing, Shanghai, Guangzhou and Shenzhen — has reached new highs, largely due to unregulated P2P financing.[21] For instance, Lianjia.com, a Beijing-based real estate company and P2P lender which shut down in mid 2016, had lent up to RMB 3 billion (USD 430 million) alone.


In the aftermath of these developments, the “Interim Measures” from Chinese authorities were aimed at controlling the damage from platform failures. In the next post, we will analyse these measures and look at the subsequent lessons for Indian policymakers.




[1] Source: https://home.kpmg.com/au/en/home/insights/2016/03/harnessing-potential-asia-pacific-alternative-finance-benchmarking-report.html
[2] Debt crowdfunding is more commonly known as peer-to-peer lending (P2P lending). It is the practice of matching borrowers and lenders through online platforms. The online lending company provides the platform for lending transactions. The borrower’s need for funding is published on the platform after a vetting process, and lenders provide funding. Another commonly used term for debt crowdfunding is market place lending, this is to allay confusion caused due to the increasing presence of institutional lenders on peer-to-peer lending platforms.
[3] See: https://www.jbs.cam.ac.uk/fileadmin/user_upload/research/centres/alternative-finance/downloads/harnessing-potential.pdf
[4] See: http://www.iresearchchina.com/content/details7_26454.html
[5] See: http://www.globaltimes.cn/content/1003315.shtml
[6] As until recently there was no explicit requirement for P2P lending platforms to make regulatory filings or register with a regulator, the numbers and scale of P2P lending companies in China can only be calculated on the basis of some incomplete data.
[7] See: http://www.lendacademy.com/massive-7-6-billion-fraud-large-chinese-p2p-lending-platform/
[8] Source: WDZJ.com
[9] See: http://www.globaltimes.cn/content/1003315.shtml
[10] See: http://www.globaltimes.cn/content/1003315.shtml
[11] See: https://www.chinamoneynetwork.com/2016/05/26/chinas-p2p-lending-market-is-a-scammers-paradise
[12] See: http://www.mckinsey.com/industries/financial-services/our-insights/whats-next-for-chinas-booming-fintech-sector
[13] See: https://piie.com/blogs/china-economic-watch/p2p-series-part-1-peering-chinas-growing-peer-peer-lending-market#_ftn1
[14] See: https://www.brookings.edu/wp-content/uploads/2016/06/shadow_banking_china_elliott_kroeber_yu.pdf
[15] See: http://www.iresearchchina.com/content/details7_26454.html
[16] See: http://www.accaglobal.com/content/dam/ACCA_Global/Technical/manage/ea-china-p2p-lending.pdf
[17] See: http://www.mckinsey.com/industries/financial-services/our-insights/whats-next-for-chinas-booming-fintech-sector
[18] See: http://blog.lendit.com/wp-content/uploads/2015/04/Lufax-white-paper-Chinese-P2P-Market.pdf
[19] See: http://www.accaglobal.com/content/dam/ACCA_Global/Technical/manage/ea-china-p2p-lending.pdf
[20] See: https://ssrn.com/abstract=2827356
[21] See: https://www.ft.com/content/2cd149d0-e999-11e5-bb79-2303682345c8

12
Jan

Comments on the Report of Watal Committee on Digital Payments

By Malavika Raghavan, IFMR Finance Foundation

Shortly after Christmas last month, a press release from the Ministry of Finance on 28th December announced that the Committee on Digital Payments (chaired by Ratan P. Watal) had submitted its Report. IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Report.

The Committee had been constituted in August 2016 with a term of 1 year to review the payments system in the country and to recommend appropriate measures for encouraging digital payments. Its recommendations were, however, delivered in 4 months. The Report notes that the Committee calibrated its recommendations to fast-track the attainment of its ‘Vision’: to significantly reduce cash usage in the economy and facilitate the provision of ubiquitous digital payment services and infrastructure in the country (page 21 of the Report).

The Report contains recommendations which could have far-reaching impacts on Indian financial systems design, particularly for the regulatory architecture and the operation of payment systems in the country. It recommends:

  • the set-up of an independent “Payments Regulatory Board” within the RBI, which is unprecedented,
  • large scale amendments to the main Payments legislation, the Payment and Settlement Systems Act 2007, and
  • several measures for the Government on incentivising digital payments by absorbing costs into the system.

We welcome the Report’s recommendation to include a section on customer protection explicitly in primary legislation dealing with payment systems. In the course of setting out its 13 headline recommendations, the Report shows a strong preference for supporting the use of Aadhaar (and related payment systems) to verify and authenticate transactions. It supports the development of new innovations which are still in the regulatory “grey area”, such as Direct Carrier Billing. The Report also appears to recommend action on matters around the edges of digital payments, e.g. recommending disincentives for customers and merchants for using cash, and the use of Aadhaar where PAN numbers are not available and on income tax filings. In our response, we have also sought to highlight significant concerns that we have with some of these recommendations given the implications for customer protection and systemic risk.

Our submission to the Committee is available here.


23
Dec

Electronic Financial Data and Privacy in India

By Bhusan Jatania, IFMR Finance Foundation

Earlier this week, the Secretary for the Ministry of Electronics and Information Technology (MeitY) confirmed that MeitY is set to review the legal framework for digital payments and cybersecurity[1]. This is an important move, and one that needs to take note of important blind spots in a key piece of legislation that governs the handling of personal financial information – the Information Technology Act, 2000 (IT Act). This post draws from our work as part of the Future of Finance Initiative and flags some blind spots in the IT Act that must be addressed in an environment where retail finance is seeing increasing digitisation.

Looking back at 2016, the push towards the digitisation of financial services has been one of the defining themes of the year. As more and more Indians make digital payments, we are creating digital footprints of our financial behaviour on a scale the country has never seen before. Meanwhile, India remains one of the world’s largest economies without a law on privacy rights of citizens. This has prompted the Supreme Court to consider – in the context of making Aadhaar mandatory for availing governmental benefits[2] – if our Constitution provides for a fundamental right to privacy, although there is no express mention in this regard. As it currently stands, we have retrofitted the Information Technology Act, 2000 (IT Act), originally enacted to give legal sanctity to electronic governance, to provide minimum safeguards in this regard.

This begs the question: who collects the data from this trail, and what are the general obligations that bind them to keep this confidential?

Part of the answer to this question lies in the IT Act – the overarching law governing the collection and use of personal information in electronic form.[3]

1. Requirements

The IT Act applies to these types of entities set up in India and engaging in commercial/professional activities (Body Corporates):

(a) company,
(b) firm,
(c) sole proprietorship, or
(d) other association of individuals.

A Body Corporate which either collects, processes, stores, transfers or accesses any sensitive personal data or information (Sensitive Data) in a computer resource has certain compliance requirements[4]. Financial information, defined as “bank account or credit card or debit card or other payment instrument details”, is classified as Sensitive Data.

The Body Corporate must take prior written consent of the data subject for collecting Sensitive Data, adopt a privacy policy and appoint a grievance officer for resolving complaints within 30 days. The Body Corporate must also inform the data subject (i.e. the person whose data is being collected) of:

(a) the fact that Sensitive Data is being collected,
(b) the purpose for which Sensitive Data is collected,
(c) the intended recipients of Sensitive Data,
(d) the name and address of the entity collecting Sensitive Data, and
(e) the entity retaining Sensitive Data.

The Body Corporate must also:

  • provide options to the data subject to decline providing Sensitive Data for availing a service and to withdraw consent which has been given already,
  • allow data subjects to review their Sensitive Data and modify/ update/ correct it (if found outdated/ incorrect), and
  • ensure that Sensitive Data is used as per specified purpose and not retained for a period longer than required for its lawful use (or as required by any other law).

2. What are the blind-spots?

Transaction records: For starters, it remains unclear if ‘financial information’ includes transaction records of the individuals as well, such as say credit card spending patterns or utility bill payments.

Newer forms of data: Newer forms of personal data that may be of a sensitive nature, such as browsing history, call records, social media behaviour, and so on, that are recently finding use in underwriting in financial services, do not have protections that sensitive personal data or information has.

Data retention and collection: Moreover, while a Body Corporate cannot hold Sensitive Data beyond the purpose for which the information was collected, there are no bright-line rules (such as purging the information within 30 days of purpose expiry). Market practice has also evolved in the direction of taking all-encompassing consents, making purpose limitation difficult to enforce.

Foreign banks, government departments and non-Body Corporates: The IT Act will likely not apply to foreign bank branches operating in India (of which there were 325 as of 31 December 2015[5]) where they have not set up Indian subsidiaries. The IT Act will also not apply to non-profit organisations, banking business correspondents, individual chartered accountants/mutual fund distributors/investment advisors/insurance brokers etc. Significantly, there is no right to privacy under the IT Act for data collected by a government department, authority, commission or board as these will not be regarded as Body Corporates.

3. What happens if the IT Act is violated?

In India, we lack a dedicated data protection authority to supervise breaches of the IT Act, which are generally dealt with by the Secretary of Department of Information Technology at the state-level, who can impose up to 3 years of imprisonment or a fine of up to Rs. 500,000. Appeals from such decisions are heard by the country’s only Cyber Appellate Tribunal in New Delhi, which has decided a total of 17 matters since inception and had 66 appeals pending as of March 2016 (due to the continuing absence of a Chairperson since mid-2011). There has also been a long-standing proposal to have a bench of the Cyber Appellate Tribunal in Bengaluru[6].

In theory, an individual whose data has been mishandled under the IT Act can get up to Rs. 5 crore as compensation for negligent handling of his Sensitive Data by a Body Corporate, if he suffers a wrongful loss or a third party makes a wrongful gain.

4. Way Forward

While India deserves a stand-alone privacy statute, the IT Act framework can be extended to all non-public personal information[7] handled by a financial service provider in the interim.

To strengthen the current regime, financial service providers could be required to have nodal privacy officers for overseeing compliance with privacy requirements and to act as a single point of contact for addressing customer complaints. Filings with financial regulators could also include a section on the status of such compliances with built-in consequences for violation.

Financial service providers should also be required to provide a privacy notice (in model form) to each customer at the point of first engagement and on an annual basis subsequently. The notice can have the provider’s privacy policy in plain language, details of customer information collected, entities with which it can share the information and an accessible opt-out option to prevent information sharing (other than for compulsory purposes such as credit reporting).

Overall, electronic financial data protection in India is based on rudimentary regulations with limited enforcement and lack of distinct treatment by financial sector regulators. It is essential to make major upgrades to the data protection regime given the size, scale and detail of electronic data collection in the financial space.




1 – See: http://www.thehindu.com/business/Economy/Reviewing-legal-framework-for-securing-digital-payments/article16896971.ece and http://www.livemint.com/Industry/VcLcVc6huMHGloWSSfe2EK/Govt-plans-tighter-privacy-rules-for-electronic-payments.html. Note that the Information Technology Act, 2000 is administered by MeitY.
2 – In the matter of Justice K.S. Puttaswamy v. Union of India, order dated 11 August 2015.
3 – While we focus on the IT Act, we do note that codes of conduct have been developed by sector-specific regulators which impose an obligation of customer data confidentiality. However, there is currently no clear mechanism for tracking/reporting of privacy violations (under, say, Reserve Bank of India’s banking ombudsman scheme or Securities and Exchange Board of India’s SCORES system) and also no specific penalty implications for such conduct.
4 – There is a safe harbour provision for Body Corporates handling customer data under outsourcing contracts and not dealing directly with data subjects.
5 – See: https://www.rbi.org.in/commonman/upload/english/content/pdfs/71207.pdf.
6 – See: http://www.thehindu.com/news/cities/bangalore/Proposal-to-set-up-Bangalore-bench-of-Cyber-Appellate-Tribunal/article14948497.ece.
7 – The IT Act defines ‘personal information’ as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”