In our concluding blog post in the series on the conference we recently hosted, we attempt a synthesis of the big pertinent questions that emerged from the discussions.
The Conference noted that in financial regulation, there are certain non-negotiable principles from a regulator’s point of view namely: financial stability, AML (Anti-Money Laundering) requirements, customer fair practices, depositor protection, and institutional neutrality. However, flexibility is afforded for aspects such as micro-prudential regulations, activities undertaken, product types, ownership rules and customer interfaces. These would apply to the modular world just as it did for the non-modular world even while there was acknowledgement that the former is exposed to a whole new set of risks as elucidated in the previous posts. Currently, in context of financial products, Indian regulations employ a range of tools designed to protect consumers ex-ante, such as product design regulations, disclosure and incentives regulations and codes of conduct. However, with respect to consumer data, limited and ineffective regulations exist, driven by the Information Technology Act 2000 and with additional limited data protection regulations prescribed by each financial sector regulator.
We discuss below the broad themes that emerged from the Conference and which would benefit from further exploration both in terms of research and policy priorities:
1. How do we design strong data protection regulations in financial services?
The protection of individuals’ privacy is a policy goal as important as financial inclusion. It was noted that privacy harms tend to be of a permanent nature and cannot be undone, therefore deferring them to later may not be the best policy response.
The sessions discussed regulatory mechanisms to protect consumers from data harm. While India’s data protection legislation is still in the making, most of the principles of existing data protection regulation are founded on the “notice” and “choice” model. They were created for the use case where the data subject was physically handing her data over to the processor, with complete awareness of the content of data and the purpose of its collection, and she could exercise control over how much information she shared with the processor. However, there is growing consensus this model has become ineffective due to various reasons. In order to improve the data protection regime, there needs to be more research conducted to understand how individuals’ valuation of privacy needs to inform policy discourse. Unfortunately quite often this involves presenting dire trade-offs to consumers.
Therefore, more nuanced ways of framing questions around the value of personal information need to be designed.
- How should the regulator design incentives for markets to adopt privacy enhancing techniques like privacy-by-design or privacy-by-default?
- How does the financial regulator create greater standards for transparency and accountability in a modular financial system?
- What are categories of data that firms engaging in financial services should not be allowed to collect or use for the design and delivery of products?
The Conference discussion predates the Supreme Court of India’s judgment recognising a fundamental right to privacy guaranteed to all Indians, as well as the Report of the RBI Committee on Household Finance and the White Paper of the Committee of Experts of Data Protection, both of which underscore the importance of a robust framework for data protection.
2. How do we strengthen market conduct regulations in a modular financial system?
Conduct regulations have focussed on training, and adequate disclosures at the point of sale. There was broad recognition that current mechanisms have minimal efforts directed towards systematic detection of conduct violations. The use of disclosure was very important as a regulatory tool to achieve a “Do No Harm” outcome for the customer. However, it is perhaps a mediocre or even too low a bar to set for ourselves in terms of what financial services can achieve for the end customer. Even if customers may on average ‘learn’ to choose good products for themselves, those who cannot fend for themselves, ie, the ones at the ‘tails’ in the distribution are important from the point of requiring regulations to be protected. At the other end is ensuring that customers get provided with products that are ‘optimal’ for their financial lives. Aiming for a middle ground between these two extremes would be a good target to work towards for the financial sector. With the proliferation of different mediums and channels to engage and provide financial services, and the emergence of multiple players seated within each product delivery channel, there was a strong sense that the relevance of existing conduct regulations needed to be strengthened significantly.
However, market conduct does not have separate treatment by regulators, with the focus being on supervision of micro-prudential requirements, besides the extensive and wrongful prescription of such requirements to fix consumer protection problems. Existing market conduct regulations are most likely observed in institution-specific or product-specific or distribution channel-specific Fair Practice Codes rather than them being function-specific (such as for credit, insurance, savings and deposits, payments, investments, pensions), leading to regulatory arbitrage opportunities for market participants to tend towards setting up businesses under licenses that afford laxer regulatory treatment. This can be both between regulators as well as between different licensing arrangements or product-level regulations put forward by the same regulator. Therefore, the overarching question would be
- What are conduct regulation tools that can be used in addition to the disclosure and consent model to ensure protection against unsuitable sale for the consumer?
The emergence of a modular financial system further exacerbates misconduct risk, as described in previous sections, and raises questions on assignment and enforcement of liability in the case of misconduct.
- Are liability regimes feasible regulatory responses to the Modularisation in financial services? If so, how can we change the legal infrastructure to support the creation of a meaningful liability regime?
3. How do we design necessary and sufficient micro-prudential regulations for new entrants?
The application of the micro-prudential regulations has to be designed in a way that it minimises regulatory arbitrage between institutions providing similar functions such that it promotes competition between institutions. For example, it is worth questioning whether the micro-prudential tool of licensing in itself is required for all the different types of modular institutions described in the previous section. More efforts need to identify the principles that will further decide the regulatory requirements that will serve as ‘entry barriers’ to ensure viability and orderly development of firms and their ability to keep promises to their customers regarding the levels of business proposed by them when beginning operations.
Most modular entities can be summarised to fall into either of two buckets: Distributors and Manufacturers. Market conduct regulations would have to be applied in the case of any firm in the business of distribution in order to ensure to protect the consumer from the harms defined. Differential application of prudential regulatory tools would have to be applied based on the level and types of risks that are being housed by the firm. Micro-prudential regulations should be designed to maintain a pre-defined target probability of failure of regulated institutions. The smooth functioning of the resolution infrastructure of the country and the success of the IBC and the FRDI Act would be key to achieving this. The introduction of risk-based pricing of deposit insurance, which is yet to become a reality in India, would continue to be a bottleneck to achieving efficient resolution of banking institutions.
4. How do we improve ex-post consumer grievance resolution in a modular financial system?
Current architectures in financial services entail enforcement of customer protection primarily through ex-post grievance redressal mechanisms for each regulator and regulated institution type (case in point being there being no Ombudsman for complaints against NBFCs), and consumer protection forums/ courts. To the extent that systematic mis-selling or unfair contractual treatment of consumers goes undetected by consumers themselves, there are limited supervisory efforts towards information gathering and analysis of conduct of financial services providers that is sufficient to serve as deterrent to institutional conduct malpractices. Depending on whom the duties to take enforcement measures exist, such powers are either not strong enough to have adequate teeth or have not been exercised in a strong manner (as is currently being exercised for prudential regulations).
The unified consumer redress of the Financial Redress Agency (FRA), by design, provides a good solution to these problems above and needs implementation focus. Taking the redress function out of the regulator’s day-to-day focus can help the regulator focus and strengthen core functions using feedback from the FRA. Further,
- How can technology be leveraged effectively to capture, channel and resolve consumer complaints, and be put to use by individual institutions and as supervisors?
The major challenges in order to collect consumer grievances were identified such as limited accessibility provided to grievance collection points, lack of transparency on the actions taken on the grievance and its eventual resolution. Some cases of using technology to resolve these issues were highlighted.
The firm that interfaces with the consumer would play the most important role in ensuring the resolution of the complaint. It would be the responsibility of the platform, for instance such as BankBazaar, to notify the relevant third party firm or manufacturer responsible for the processing of the payment or settlement of the insurance claim. However, there needs to be a lucid framework to assign liability across all the entities involved in the transaction.
5. How do we accurately measure systemic risk in a modular world?
The Conference saw a debate around whether or not Modularisation of financial services would indeed contribute to existing levels of systemic risk. There was broad consensus that, many of the functions that the new entrants are fulfilling do not particularly change the location of risks. Modularisation has enabled multiple access points for access to financial products. Given the increase in the number of firms providing more customised products, especially credit, there was a discussion around whether the increased number of originators would increase or decrease the concentration risk to particular customer segments. The larger question is on how the supervisory authority would effectively identify the sources of contagion risk and be able to measure systemic risk in a modular world.
The full Conference Proceeds can be accessed here.
 For a discussion on the efficacy of the Information Technology Act in the context of financial data, please see Electronic Financial Data and Privacy in India, IFMR Blog, December 23, 2016 (https://dvararesearch.com/2016/12/23/electronic-financial-data-and-privacy-in-india/)
 Justice Puttaswamy & Anr v. Union of India & Ors, ALL WP(C) No.494 of 2012 (http://supremecourtofindia.nic.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf)
 A summary of the judgement and its relevance can be found at The Right to Privacy Judgment: Initial Reflections on Implications for Digital Financial Services, IFMR Blog, August 25, 2017 (https://dvararesearch.com/2017/08/25/the-right-to-privacy-judgment-initial-reflections-on-implications-for-digital-financial-services/)
 A Brief Comparison of Ombudsman Frameworks, IFMR Blog, April 10, 2017 (http://192.168.1.1/html/home.html?url&address=https://dvararesearch.com/2017/04/10/a-brief-comparison-of-ombudsmen-frameworks-part-1/)
 Report of the Task Force on Financial Redress Agency, Government of India (http://dea.gov.in/sites/default/files/Report_TaskForce_FRA_26122016.pdf)