This post, authored by Mr. Srikanth Lakshmanan, is part of TLF’s blog series on Account Aggregators. Other posts can be found here
Mr. Srikanth Lakshmanan is the founder of CashlessConsumer, a consumer collective working on digital payments to increase awareness, understand technology, represent consumers in digital payments ecosystem to voice perspectives, concerns with a goal of moving towards a fair cashless society with equitable rights.
On July 25, Nandan Nilekani launched Sahamati (सहमति, consent), a private not-for-profit company that aims to be the self-regulatory organisation for the Account Aggregator (AA) ecosystem. The AA ecosystem aims to facilitate financial data sharing among financial institutions with “user consent”. The Data Empowerment & Protection Architecture (DEPA), as iSpirt, the software products’ lobby behind Aadhaar and IndiaStack, calls it, will enable consumers to share data to gain further access to financial services. Sahamati is tasked to increase the adoption of the AA technology framework via awareness programmes and workshops with potential account aggregators (AAs), Financial Information Providers (FIPs) and Financial Information Users (FIUs). It will also evangelise the use of AA among financial institutions and users for ‘consented’ financial data sharing.
To know more about the Account Aggregator Framework, read:
BQ Explains: How ‘Sahamati’ Hopes To Make Your Financial Transactions Simpler
Exclusive: RBI issues in-principle licenses to 5 Account Aggregators
India still does not have a privacy law (even the proposed law, the draft of which is a closely kept secret and the most protected data in India today, is still only a data protection law and not a privacy law). While there are other concerns around the AA framework for financial data sharing, such as
- Technical soundness of AA being “data blind” claim, aggregation, metadata exposure from consent data (Can metadata tell more than the data itself?)
- Business model tensions, tension between stakeholders in running the AA ecosystem in competitive environments and safeguards needed.
- What AA means to information self determination, privacy, betting on data futures?
This article will attempt to flag dangers of having a Self Regulatory Organisation in the digital financial consumer-space, particularly in under-regulated digital ecosystems.
The fin-tech ecosystem has been pitching for an industry-friendly regulatory environment for a while now. Despite a generally conducive environment due to the extreme push towards digitization and government promotion of digital payments, there are significant regulatory barriers that make it hard for fin-tech startups to enter financial services. The Report of the Inter-Regulatory Working Group on Fin-tech and Digital Banking constituted by RBI preferred a disclosure-based / light-touch regulatory approach as opposed to full-fledged regulation for most areas of digital banking. The lack of regulatory capacity, especially for increasingly digital tech platforms, coupled with industry-friendly posturing as a light-touch regulatory environment, favours no-regulation or self-regulatory mechanisms. These can often jeopardize not just consumer interest but also the overall sustainable growth of the sector, as they will prioritize the incentives of industry participants who are members of SROs.
A self-regulatory organisation (SRO) is an organisation that exercises some degree of regulatory authority over an industry or a profession. The regulatory authority could exist in place of government regulation, or applied in addition to government regulation. The ability of an SRO to exercise regulatory authority does not necessarily derive from a grant of authority from the government. (Wikipedia)
An SRO is often seen as a ‘sub-regulator’ that reduces the burden of the regulator by performing certain regulatory roles in a limited context. It often exists as a formal/informal body consisting of industry players and sometimes also includes multi-dimensional stakeholders.
SROs in Financial Sector
SROs are not new to the financial sector in India. Despite the popular notion that financial sector is a tightly regulated sector in India, there has been a steady move towards enabling more SROs to self-regulate certain sectors/areas. There are industry bodies, associations and other bodies that are blessed by statutory, regulatory, industry and semi-regulatory powers that flow from the regulator. Here is an incomplete list of SROs/SRO-like bodies that are present in India. SROs/industry associations open a channel with regulators/policy makers to further the collective interest of members of SROs aka industry.
A common objective of industry associations that are SROs/SRO-like is to represent the voice of the industry in matters relating to regulation and to have an open channel with the regulator on an ongoing basis. They have a say in long-term industry policymaking, codes of conduct, pricing and a range of things that impact the consumer. When the regulatory regime started, it gave a large share of responsibility for supervision, governance and even the policy framework to regulators, taking it away from legislators. What we are seeing with the increasing role of SROs is an environment where regulation is light touch and self-regulated by the industry itself.
Sahamati’s role to ‘ensure success like UPI’
Sahamati aspires to be an SRO for the NBFC-Account Aggregator ecosystem. The AA ecosystem consists of multiple industry players with diverse interests: banks, which will be both FIUs and FIPs; some entities (e.g. GSTN) that are only FIPs; another class of entities that act only as FIUs; and the intermediaries that connect FIPs, FIUs and users, namely the AAs themselves. All of them have various interests in the ecosystem, and these could sometimes be contradictory/rivalrous. As an SRO, Sahamati’s primary aim would be to make the multi-sided ecosystem successful.
If one considers data as currency, NBFC-AA ecosystem is to be viewed as a digital data payment system, where users pay personal data (which is housed by some financial entities) to other entities they would like to transact to get access to digital financial services and NBFC-AA will act as payment gateway enabling the same. Viewed in this context, Sahamati follows the Recommendation for SRO in payments sector as mentioned in RBI’s Payment and Settlement Systems Vision 2021.
5.2.1 SELF-REGULATORY ORGANISATION (SRO)
Industry self-governance is an important feature in modern economies which is also useful for industry wide smooth operations and development. With time, bodies representing interests of certain segments of PSOs have evolved and have been engaging with the regulator. There is a need for self-regulatory governance framework to foster best practices on important aspects like security, customer protection, pricing, etc. Such an organisation can be constituted to cover the entire gamut of digital PSOs, including retail products of National Payments Corporation of India (NPCI). The SRO will serve as a two-way communication channel between the players and the regulator / supervisor. The SRO will of course work towards establishing minimum benchmarks, standards and help discipline rogue behavior.
There is also reference to SRO for NBFC-AA in the Deepening Digital Payments Committee chaired by Nandan Nilekani.
Recommendation 51: Facilitate first level regulators/self-regulatory organizations. The regulator must facilitate the creation of a Self-Regulatory Organization for the recently licensed NBFC Account Aggregators. This can serve as a blueprint for more SROs that may be created later.
Besides the conflict of interest in making the proposal for an SRO in a committee on digital payments and going towards launching one, it is grossly incorrect to say NBFC-AA is regulated by FSDC.
Regulation (Lack of) in UPI/Payments, Broadly Tech
A lot of parallels were made to UPI and even the technology design does take some inspiration from the UPI ecosystem. NPCI did play an ecosystem builder role in bringing together banks, non-bank PSPs, large merchants and technology companies to make the UPI ecosystem travel. Although RBI is said to regulate payments, NPCI is largely the forum for drawing finer regulatory decisions for not just UPI, but a large section of retail payments. It is useful to know how NPCI self-regulates a large section of digital payments and RBI rarely acts beyond providing larger directions.
NPCI is a state friendly, multi payment systems operator and retail payments organization (duly captured/disproportionately influenced by some lobbies) that is jointly owned by several banks. It is primarily tasked with settlements and with operating authorized (and unauthorized) payment systems and infrastructure, which are (supposed to be) regulated by (a friendly payments regulator) RBI under the Payments and Settlements Act, 2007 (PSS2007) and Payments and Settlement Systems Regulations, 2008.
Cancellation of eSign based Mandates (Is Aadhaar the only reason?)
The harms of this industry-led regulation mean that UPI, and digital payments broadly, have a range of issues, including transaction failures, fraud and privacy issues, that impact consumers but have not been addressed because they don’t affect industry participants. The average consumer either has no recourse, or recourse mechanisms are too costly for one to undertake. It is important to note that open data too is hard to come by: only milestones with words like billions/trillions will be published, and there won’t be any other quality metric that reflects the state of the system.
At its core, the AA ecosystem is a multi-player technology platform that enables data transfer between financial institutions with the consent of the user. Technology platforms have been under-regulated/unregulated. UIDAI is a classic case of a platform operator self-regulating, and the less said about its regulatory failures, the better.
When Sahamati tries to be the SRO for the AA ecosystem, it might solve the problems of industry, but issues that matter to consumers, like privacy, E2E encryption, over-consenting and identity theft, will be less likely to be in focus. One must therefore supplement SROs with active, responsive regulatory mechanisms such as public consultations, grievance redress mechanisms, stronger transparency and reporting mandates for the ecosystem, for an overall, fair development of the ecosystem.
The role of SROs in policy formulation must be clearly defined, and transparency and accountability provisions for SROs must be proportionally defined to create adequate checks and balances, so that industry (through a privately funded organization) does not solely determine public policy. In 2009, the Advisory Panel on Transparency Standards did study the transparency of one of the SROs, FEDAI. We need a detailed study on the increasing role of SROs, particularly when SROs operate in areas of regulation that have direct consumer impact.
To quote a former Executive director, RBI
“industry organizations … can play a useful role if they increasingly assume the role of a SRO rather than a mere lobbying body for its members.”
Incomplete list of industry bodies that are lobbying groups / SROs in the financial sector in India
Indian Banks’ Association (IBA) — Voluntary Association of banks having dubious legal stature interpreting sub-ordinate legislation/regulations for banks.
Banking Codes and Standards Board of India (BCSBI) — Society for establishing banking codes and standards for fair treatment of customers.
Micro Finance Institutions Network (MFIN) and Sa-Dhan are officially recognised as SROs by the RBI. It is to be noted that their genesis came after Y.H. Malegam committee report that was formed to study Micro finance sector after a massive regulatory failure in the sector which led to suicides in Andhra Pradesh
Confederation of ATM Industry (CATMi) — Non-profit trade association representing ATM Manufacturing & Outsourcing Companies, White Label ATM Operators, Payment Services Companies, Cash Replenishment & Cash in Transit Agencies, ATM Security Services & Solutions Companies etc. in India
Foreign Exchange Dealer’s Association of India (FEDAI) — Association of banks dealing in foreign exchange in India which had previously performed SRO like function prior to deregulation.
Fixed Income Money Market and Derivatives Association of India (FIMMDA) and Primary Dealers Association of India (PDAI) are industry associations that deal with money market and government securities respectively.
Currency Cycle Association (CCA) — SRO of Cash Logistics Companies
Finance Industry Development Council (FIDC) — SRO for RBI registered NBFC
Business Correspondent Federation of India (BCFI) — SRO-like body for Business Correspondent Network Managers (aka Corporate BCs)
Insurance Information Bureau of India (IIB) — IRDA, the insurance regulator, promoted independent non-profit earning society responsible for sector–level data repository and analytics.
General Insurance Council — Legally mandated industry body of all non-life insurers that serves as a link between the regulator IRDA and members of industry
Life Insurance Council — Legally mandated industry body of all life insurers that serves as a link between the regulator IRDA and members of industry
Insurance brokers association of India — A non-profit company for insurance brokers that is IRDA recognised apex body of licensed Insurance Brokers
Association of Mutual Funds in India (AMFI) — Industry body of mutual funds that represents MF industry to regulator SEBI as well as government on all matters concerning the industry. Also performs SRO like role defining code of ethics, conduct of industry.
Association of National Exchanges Members of India (ANMI) — A non-profit Association of stock brokers aspiring to be an SRO.