Digitisation is changing our experience of finance. On one level, digitisation is creating a convergence: of processes, platforms and financial infrastructure. Simultaneously, it is also driving divergence in the form of the “unbundling”—of financial products, and of traditional financial institutions themselves. In India, these changes are taking place within the context of a “digital divide”, where many low-income consumers
We convene the 4th Dvara Research Conference for deeper reflection on the optimal regulatory stance on data-driven finance. The conference will deliberate on three themes, i.e. (i) consumer data infrastructure, (ii) consumer data regulation and (iii) harnessing consumer data for product suitability. Together, we believe, these themes trace the broad contours of data-driven finance in India and the flashpoints for policy & regulation that accompany it.
The increased generation of personal data is presenting a unique opportunity for the expansion of financial services. Analysis of personal data is enabling financial service providers to make real-time decisions about the creditworthiness of borrowers, better understand the needs of existing customers, and offer them personalised financial solutions while also serving new customers. Consequently, the creation of a coherent data protection framework for India has been an especially relevant question for the financial sector in recent years.
This issue has also been the subject of intense national policy debate over the last two years. The debate has called attention to diverse questions, from how data should be aggregated, localised or shared, to more fundamental questions like what kinds of data should be collected and used. For the individuals whose personal information forms the “data points” that companies (including financial firms) and the State use and analyse while providing services, the ubiquitous nature of data processing has raised concerns on privacy, exclusion due to digital service failure and related harms. Financial service providers can not only collect information from their consumers directly on digital interfaces but also trade in data collected by third parties. Such information can include geo-location data from consumer mobile phones, online browsing histories and purchase histories, to name a few alternative data sources. While this allows providers to expand their consumer base and know them better, it can also expose consumers to obvious harms such as identity theft and fraud, or more insidious harms such as “weblining” or predatory sales.
These issues also became the subject of national policy debates in India over the last two years. In 2017, the recognition of privacy (including informational privacy) as a fundamental right has provided an impetus to the creation of a coherent data protection regime in the country. Consequently, the Ministry of Electronics and Information Technology (MeitY) has released a draft Personal Data Protection Bill 2018 (PDP Bill) in the public domain. Another immediate effect of recognition of privacy as a fundamental right has been the curtailment of private sector use of the Aadhaar system and Indiastack APIs, and restrictions on certain forms of State use of Aadhaar. Subsequently, in March 2019, the Government promulgated an ordinance to allow certain private sector companies to continue to use e-KYC and Aadhaar authentication services. However, there remains uncertainty regarding the breadth of this ordinance and its applicability across different types of financial service providers. This is one example of how these developments directly affect digital financial services in India by affecting the way service providers can use personal data.
A related development is the rise in the number of providers accessing personal data, and multiple regulators claiming authority to regulate digital services. While the draft Personal Data Protection Bill has been developed by MeitY, other regulatory and state agencies, such as the Telecom Regulatory Authority of India (TRAI) and the Department of Industrial Policy and Promotion (DIPP) under the Ministry of Corporate Affairs, among others, have also released policies that impact the regulation of personal data. These overlapping regulatory jurisdictions can lead to clashes in regulatory mandates and introduce regulatory uncertainty in business models. They can also create gaps in consumer protection. Consumers are often ill-equipped to seek redress when transactions are mediated through multiple entities. The Indian consumer, for whom digital migration is still recent and incomplete, is vulnerable when seeking redress from potential misuse of their data.
India needs a robust regulatory framework which is attentive to the existence of numerous data-related entities and their participation in the digital financial space. The regulatory framework will have to be sensitive to the overlap between the existing regulatory frameworks and grapple with some important questions, including:
• What should the appropriate arrangement of regulation and regulatory mandates for the use of personal data be?
• What is the appropriate framework for data collection, processing and sharing following collection and consent from an individual?
• Can data aggregation exist alongside features seeking to safeguard privacy (e.g. differential privacy techniques)?
• What are the effects on the market structure when different types of providers (like ICT providers and financial services providers) begin to integrate?
• How should a future data protection authority evolve and engage with existing financial sector regulators?
The Indian government and various regulators are enabling the creation of information infrastructure to facilitate the growth of data-driven financial services. By allowing real-time exchange of information across various entities, often through APIs, public information infrastructure is ostensibly creating an environment that drives down costs and overcomes information asymmetries that have traditionally limited financial inclusion.
The creation of large public databases also appears to be an integral component of such information infrastructure. In 2018, the RBI issued a blueprint for a Public Credit Registry to consolidate financial and non-financial data about individuals to inform decisions on their creditworthiness. Earlier, in 2016, the RBI recognised a new class of Non-Banking Financial Companies, ‘Account Aggregators’, exclusively dedicated to collecting, retrieving and sharing users’ financial information with other financial entities with the users’ consent. The “digital locker” of Indiastack offers a similar, cloud-based platform for citizens to share frequently used identity and legacy documents.
Apart from enabling retail finance, information infrastructure can also address pressing concerns of financial policy by filling the information gaps in the ecosystem. The Information Utilities (IUs) envisioned in the Insolvency and Bankruptcy Code, 2016 form an important policy initiative in this regard. IUs are specialised public companies, created to provide high-quality, authenticated and verifiable financial information to relevant stakeholders in the ecosystem. The National E-Governance Services Limited, formed in 2016, is India’s first IU.
The Indian information infrastructure is a melting pot of regulatory action and private tech firms, now evolving into financial service providers. Big tech firms are leveraging their legacy databases of consumer data to offer data-driven financial services. How big-tech firms endowed with large user-datasets interact with regulation and emerging players will be crucial in determining competitiveness in the fintech space, another policy issue of great relevance.
These rapid developments raise important questions for financial and data regulation. They include:
• What are the benefits and the risks of data aggregation for individuals and the financial ecosystem?
• What are the design principles that should guide the regulation of public data utilities?
• Does the current landscape risk creating vast silos of information? What existing lessons are there which could allow utilities to connect with each other safely?
• What are the medium-term implications from these developments for financial regulation and competition regulation?
Finance has the power to help households in India manage risks, maximise their growth potential and offer protection against unexpected shocks[i]. However, the failure of the current financial system in providing meaningful solutions to their problems points to the need for greater innovation and customisation in financial service delivery. The opportunity for technology and innovation to assist in tailoring financial services to the needs of consumers is, therefore, immense. The granular segmentation of consumers can make way for practising suitability in finance more efficiently than ever. In the era of data mining and big data, financial products can be tailor-made to best benefit an individual consumer or a group of consumers.
In recent years, there has also been a rapid expansion of the “front-end” options for consumers to make digital payments. This has crowded in diverse entities and business models in the space. Prepaid instruments (PPIs) or “e-wallets”, Payments Bank accounts and Unique Payments Interface (UPI) based products have added to pre-existing modes of electronic payments. This is evident in the three-fold rise of digital payments volumes between October 2016 and August 2018. Partnerships between financial entities (such as Payments Banks) and non-financial entities (such as telecom providers) are also becoming commonplace. The value-chains of digital financial transactions are evolving to a point where a single transaction can include entities under different sectoral regulators.
Consumers may now be interacting with digital interfaces operated by disintermediating entities that may neither be the provider of financial services nor a designated “agent” of a regulated financial services provider. Many of these interfaces may also rank or recommend products based on algorithms, which frame choices for the consumer. In this discourse, the old debate between the current “caveat emptor” approach in finance—that places the burden of the optimal choice on the consumer based on complex and lengthy disclosure—and a more enlightened paradigm based on suitability comes alive once again. Suitability envisions a world where the onus is on the financial service provider to ensure that appropriate advice or product has been provided to their consumers. This has been recognised by the RBI in the Charter of Customer Rights and is gaining ground around the world.
Ultimately in the context of data-driven finance, regulators will have to be attentive to the distinction between personalised, suitable financial solutions and discriminatory financial products that can now be offered with greater ease due to financial service providers’ access to consumers’ personal data. In a world of big-data-led financial services, some important questions for consumer protection emerge:
• How should the boundary between “sale” and “advice” of a financial product be interpreted?
• How should regulation of conduct be structured in the financial sector in a world of banks, fintechs and third-party outsourced providers?
• Does the digital medium call for conduct regulation distinct from traditional channels, considering people’s limitations in dealing with technology and other behavioural biases that can be tapped into on the digital platform?
• Where does personalisation end and discrimination begin? Are there certain consumer outcomes that should be discouraged by regulation?
• What are some new or emerging consumer-level and system-level risks associated with the use of personal data in finance?
[i] Mor, N (2013), Foreword to Financial Engineering for Low-income Households (eds. Ananth, B & Shah, A), Sage Publications, New Delhi.