India’s central bank, Reserve Bank, cites antitrust, cybersecurity, and data privacy concerns.
Rising Participation Of Big Tech Firms In Financial Services Worries India’s Central Bank
MUMBAI, India — India’s fintech industry comprises over 2,000 start-ups, of which around 67 percent were set up in the past five years. The Indian fintech market, currently valued at $31 billion, is expected to grow to $84 billion by 2025, according to a report by investment promotion agency Invest India.
One of the major success stories has been the Unified Payments Interface (UPI), which lets one send and receive money using just a mobile phone. As of June 2021, UPI has recorded close to 2.8 billion transactions amounting to over $70 billion.
But when you look at the top five apps that enable this service, you come across names like Google Pay, PhonePe, Paytm, and Amazon Pay. None of these are traditional banks but big technology companies which provide financial services. UPI is just one aspect of the larger fintech pie.
But India’s central bank, the Reserve Bank of India, only controls the banks. Big tech firms remain unregulated as far as banking operations are concerned. And this is making the Reserve Bank sit up and take notice.
In its latest Financial Stability Report, a biannual document that assesses the health of India’s financial system and traditionally weighs in on the possible stressors, the Reserve Bank had a few things to say about the popularity of big tech firms.
While it acknowledged the scale of financial services, payment systems, crowdfunding, and asset management services offered by big tech firms, it also said that this footprint could lead to many policy issues and governance challenges for regulators.
“Specifically, concerns have intensified around a level-playing field, with banks, operational risk, too-big-to-fail issues, challenges for antitrust rules, cybersecurity and data privacy,” the report states.
While the Reserve Bank hasn’t named any firm, the report lays out three issues the central bank has with big tech companies in financial services.
First is that big tech firms have a lot of non-financial business interests that have opaque governance structures. The second is the possibility of these players becoming dominant in the financial services sector to the extent that traditional banks face the heat. Finally, the Reserve Bank is concerned about the massive scaling big tech companies can realize by exploiting their network effects.
“The Reserve Bank is just being cautious of the dangers posed by big tech firms and ensuring more regulations and security,” Mandar Agashe, founder, managing director, and vice-chairman of Sarvatra, a tech platform for financial services, told Zenger News.
Agashe spoke about how UPI has shown the capability of big tech by easing the onboarding of customers.
“If you notice, Google Pay, PhonePe, Paytm — all backed by large technology firms — jointly control more than 75 percent of all transactions on UPI. The Reserve Bank does not regulate them, and that could be the reason behind its worries,” said Agashe.
Asheeta Regidi, cyberlaw expert and head of fintech policy at full-stack payments solutions firm Cashfree, believes Reserve Bank’s concerns reflect the increasing avenues for big tech involvement in financial services.
“These range from direct licenses [such as Prepaid Payments Instrument license by Amazon Pay], open banking arrangements [such as the UPI tools offered by Google Pay, PhonePe], and other services or outsourcing arrangements that allow entry in this space even without a license, as these entities can ride on the licenses of regulated entities,” Regidi told Zenger News while noting that the landscape is already changing with things such as New Umbrella Entities, a change that RBI itself is bringing in.
New Umbrella Entities
Earlier this year, the Reserve Bank had invited applications for a New Umbrella Entity license. This was to help create a pan-India, for-profit entity for retail payments to rival the not-for-profit National Payments Corporation of India, the umbrella organization for operating retail payments and settlement systems.
Among the players who applied for the licenses were consortia that included big tech players such as Amazon, Facebook, Google on one side, and traditional banks on the other.
Amazon partnered with India’s third-largest private sector bank Axis Bank whereas Facebook and Google partnered with Reliance Jio and So Hum Bharat Digital Payments. The other top contenders were Paytm and Ola with IndusInd Bank, Tata Group, along with Bharti Airtel, India’s largest private bank HDFC Bank, and fourth-largest private bank Kotak Mahindra Bank.
In this scenario, the Reserve Bank expressing concerns about big tech firms may come across as a mixed signal.
“Concerns raised by the Reserve Bank are genuine,” Arjun Vijay, the co-founder and chief operating officer of cryptocurrency exchange Giottus Technologies, told Zenger News.
Vijay believes that while big tech firms help more Indians enter the financial system thanks to their scale and last-mile connectivity, it’s a double-edged sword.
“The frequent outages that happen in mainstream banks, those don’t happen with big tech companies. But, they have access to large amounts of data, which they can use to manipulate you to do what they want — so they can increase their revenues.”
On the aspect of being able to scale their operations, Agashe said that big tech companies are willing to lose money when it comes to customer acquisition.
“It is not just about product quality. A bank has to go through traditional means to acquire customers, which is costly. Big tech firms can offer cashback to get more customers on board. A bank cannot do cashback after a point, as it will hit its balance sheet,” said Agashe.
Some solutions the Reserve Bank has spoken of in the report, such as adopting a mix of activity-based and entity-based regulations, are things that have been discussed globally, according to Regidi. This can be seen in the Bank of International Settlements Paper (March 2021) and an International Monetary Fund article from June 2021.
“The current Reserve Bank regulation is ‘activity-based’, meaning any entity which wants to do a specific activity [lending, payments] will need to comply with the regulations for that specific activity, and obtain the authorizations which the central bank prescribes,” Regidi said.
As these regulations apply to a specific activity, it leaves a lot of scope for grey areas or loopholes that could be exploited.
“Entity-based regulations will allow regulation and supervision of big tech companies as a whole for any activity they undertake,” she said.
The Reserve Bank talks about rising cybersecurity incidents pertaining to the financial data of Indian citizens. It claims that the Computer Security Incident Response Team for the Financial Sector (CSIRT-Fin) under India’s cybersecurity watchdog, Indian Computer Emergency Response Team (CERT-In), “has issued various early warning threat intelligence alerts in near real-time to enable mitigation of attacks by the financial sector organizations.”
“A part of the issue is the lack of proper data regulation, with the Personal Data Protection Bill still on hold and Information Technology Act and IT Sensitive Personal Data and Information Rules having limited teeth for actual enforcement. While the CERT-Fin was proposed sometime back, there is little known progress with it,” said Regidi.
The Reserve Bank has strict financial data norms, including imposing data localization requirements, restrictions on card data storage by merchants, and payment aggregators. But CERT-In has been ineffective in tackling data breaches, and cybersecurity activists have taken the body to court.
Yet, when it came to an international entity like MasterCard, which did not comply with the rules of storing data locally, the Reserve Bank banned the company from onboarding Indian users from July 22, 2021.
Fintech start-up MobiKwik and food service company Domino’s India’s data breaches exposed the financial transaction data of millions of Indian citizens. Yet, no action has been initiated against these entities until now.
“In the case of data breaches of e-commerce companies or payment wallets, which store card details, the most the Reserve Bank can do is direct these entities to store financial details in encrypted form,” said Agashe.
Is decentralization the answer?
While the Reserve Bank has sounded warnings regarding big tech firms, it also has a hands-off approach to cryptocurrency trading.
It went to the extent of banning cryptocurrency trading in 2018. It only rescinded that order after the Internet and Mobile Association of India objected to the ban and challenged it in court. Since March 2020, cryptocurrency trading has resumed, and trading volumes have soared.
Vijay believes the only way to combat concerns around big tech companies is by adapting a decentralized philosophy.
“Amazon, Google, or Facebook have a centralized system of working,” Vijay said.
“It is tough for a small player to come up with a product that competes with them. More than the ‘too-big-to-fail’, the larger concern seems to be ‘too-big-to-fight’. As an entrepreneur, you cannot fight against big tech. Venture capitalists don’t touch startups that compete against the big tech companies as they are potential acquisition targets.”
Vijay said the Reserve Bank should not fight cryptocurrency adoption and view it as a threat to the Indian National Rupee (INR).
The current financial networks have been force-fitted to existing internet infrastructure, whereas decentralized networks have the architecture to allow micropayments even in Paise (100 Paise = 1 INR, or $0.013), according to Vijay.
The regulations expected for big tech firms offering financial services could lead to threat perceptions in how they operate.
“These Reserve Bank measures should not be seen as threats by big tech companies. It’s the opposite of that. A lot of people may think it’s adding friction. But remember, India was one of the few countries to mandate entering a PIN for every debit and credit card transaction — now that’s a global trend, and it also builds in user safety,” said Agashe.
He believes more regulation will result in more security, which would drive more customers to use the products offered by these big tech companies.
Regidi believes that if there are issues, then there is the option of challenging them before the courts on grounds like unreasonableness, disproportionality, etc.
“It should be noted, however, that the courts have previously shown reluctance in interfering with Reserve Bank’s authority beyond a point.”
(Edited by Abinaya Vijayaraghavan and Amrita Das)