When you finish a taxi ride, between two to ten minutes are wasted in dealing with the payment. You could pay cash, he might fumble on change, you could swipe a credit card, after an interminable delay the device does not work, and so on.
A few years ago, there was an important innovation in this business by a firm named Uber. Their process flow works like this. The customer goes to the Uber website (or app) and submits credit card details (as is done with any E-commerce website). Now he undertakes a ride in a taxi. At the destination, the customer steps out of the taxi and walks away without doing anything on the question of payment. The payment is effected using the pre-stored credit card details. A bill is sent to the customer by email. This saves two to ten minutes for customer(s) and the taxi drivers.
If you multiply millions of taxi rides per year by a saving of two to ten minutes, it adds up to GDP growth. It is estimated that there are 5 million taxi rides per day in India. Assuming that we’re dealing with 3 persons per taxi ride, then the new technology will potentially save 91 million man-hours of time for each one minute that is shaved off the payment step. This sort of process innovation is how, one small step at a time, the world achieves productivity growth.
Two days ago, RBI released an order which effectively requires Uber to shut down in India by 31 October.
RBI has issued multiple regulations imposing specific restrictions on card-based and ‘card-not-present’ transactions. Instead of a signature, consumers are required to enter a PIN at merchant outlets. For online, ‘card-not-present’ transactions, we are required to enter one time passwords or other authentication information. Uber was using a loophole in the RBI regulations, which allowed payment transactions with foreign exchange outflow to be exempt from the authentication requirement. The payment was flowing to Uber’s bank outside India, and then Uber was sending payment to the taxi driver in India, even though the receipt was issued on behalf of the taxi driver in India. Competing taxi services were also considering such a method of routing payment through a gateway abroad, but it was harder for them to overcome India’s capital controls, as they are based in India, unlike Uber which is a foreign company.
RBI’s decision creates a level playing field between Uber and Indian taxi companies—one in which all taxi companies are equally bad in their dealing with consumers, forcing two to ten minutes of time wasted with every ride.
The reason behind this and many other such steps can be found in RBI’s overall approach towards regulation. It prefers paternalistic micro-management to market-based solutions.
Need for a composite strategy
Every month India is clocking about 100 million debit and credit card transactions on Point of Sale (POS) devices, with total value of about Rs20,000 crore. This means an annual card-based transaction volume of 1.2 billion, with a value of Rs240,000 crore, and growing fast. Over and above this, there are “card-not-present” or online transactions. In calendar year 2012, the total money lost due to frauds relating to ATMs/Debit Cards/Internet Banking and Credit Card, amounted to about Rs52 crore. This may seem like a very small number compared to the total value of payments, but each instance of fraud is a crime and must be dealt with. This raises questions about consumer protection and law enforcement.
The consumer protection objective in this context is: consumers’ funds must be protected from fraud. The question is: how should this be done? There are basically two approaches to this: prevention and enforcement. Both are important in an overall anti-fraud strategy. The regulator can impose security requirements that make it difficult to defraud customers, but each requirement has costs. Law enforcement can also help the consumer recover the money lost to fraud, but this also has costs and the consumers may get their money with a time lag or not at all.RBI’s decision creates a level playing field between Uber and Indian taxi companies—one in which all taxi companies are equally bad in their dealing with consumers, forcing two to ten minutes of time wasted with every ride.
When it comes to prevention, it is important to consider who is best placed to develop and implement preventive steps. This responsibility can be substantially shared by service providers, who are often better placed to make the right preventive choices, as long as they are held accountable. Service providers, in any case, have an interest in maintaining trust in their systems, and in addition to that, they could be held accountable by the regulator.
India’s approach so far
RBI has been writing ‘regulations’ to address this problem which have largely been paternalistic, micro-managing, and technology-specific. Earlier, one could make a card-based transaction by simply swiping a card and signing on the slip, but now one must enter PIN in the POS device. This has made every transaction more cumbersome, especially where the POS device is not present in the immediate vicinity of the transaction (e.g. at restaurants). Earlier, one could transact online (called “card not present” transactions), with one factor of authentication, but now two factors are required, one of which is often a one-time password, generated and sent over the mobile network or on email. Given the relatively low reliability of SMS in India, this often leads to delays and failed transactions. In the world of E-commerce, all over the world, customers link a credit card to a merchant website once, and transact at wish. This is not allowed in India. In addition, RBI has imposed several requirements on technological specifications for cards, POS devices, etc.
These measures have improved security of transactions. But were they optimal? Do they pass the test of cost-benefit analysis? Effectiveness of a measure is not the only consideration. Excessive regulation can be effective but not efficient. Regulators such as RBI have enormous powers, and they must always be asked to defend the use of these powers—on effectiveness, efficiency, and jurisdiction. This is essential to ensure accountability of these agencies.
All preventive measures impose costs on consumers, and, on the margins, create a preference for cash payments and contribute to the tendency to avoid online transactions and the white economy. On the other hand, they also increase robustness of transactions, thus increasing the trust in these systems, and encouraging greater participation in these systems. When we look closely we find that all payment transactions do not pose the same level of security risk. Systems can enable small-value transactions with minimal friction, and require significant authentication processes for higher value transactions. Some transactions might justify three factors of authentication, but some other transactions may require just one factor. Regulatory intervention at system level takes a one-size-fit-all approach, which is costly. So, preventive measures are crucial, but they need to be proportionate to risks. This proportionality cannot be achieved by regulatory diktat. It must come from innovative market practices. The incentive for such innovation is destroyed by RBI’s paternalistic approach. The counter-factual world that we do not see is one where innovative firms in the business of payments invent improved methods of risk management.
What about law enforcement?
Payment fraud is a crime, and it should be looked at from that lens. When it comes to crime, it is often easy to prevent it by imposing excessive restrictions on potential victims. It would be easier to prevent pickpocketing, if people are mandated to carry wallets attached with chains to their clothes. Does that mean we should mandate such costs to be incurred by the people? Most would laugh at the very suggestion. And yet, for crime prevention in electronic payments, we easily accept the entire country to spend a few extra minutes on every transaction, or to give up the enormous convenience of automatic transactions on linked cards.
Public choice theory teaches us that bureaucrats and politicians are self-interested actors, and work for themselves — not for the people of India. It is always convenient for government agencies to ratchet up prevention because they then have to do less work on enforcement. As citizens, we must push back against such behaviour. Better enforcement generates deterrence and is hence an important tool for prevention. But it requires more work on the government, and all too often government agencies prefer the laziness of shutting down activities.
How to do better
- The government must not hinder innovation in business models and technology. As Percy Mistry says: Elsewhere in the world, the government fits the needs of the economy, but in India, the economy is forced to fit the needs of the government. This must be turned upside down. In the long run, nothing matters as much to India as achieving higher productivity, which requires that organisations such as RBI need to stop blocking progress. The right attitude at RBI should have been: “Uber has come up with an interesting innovation, how do we modify our rules and procedures so that everyone in India can utilise such innovative business models?”.
- The foundation of the regulatory strategy should be principles of responsibility: who will be held responsible under what circumstances. If the consumer has been excessively lax, then he should take responsibility for the failure, and if the payment service provider has not implemented adequate security measures, then it should be held accountable. Once Uber or Paypal know they are responsible, they have the best incentive to innovate on technologies of security. Clarity on consumer protection, as is done in the draft Indian Financial Code, should shape these principles of responsibility. This is the business of financial regulation.
- Employees of the government almost always do not know enough to interfere in technology. ‘How to produce’ should be the exclusive preserve of the private sector. See Hrush Bhatt of Cleartrip responding to RBI’s rules about two-factor authentication.
- The regulator should define a proportionality principle for security of payment transactions, and then leave it to the payment service providers to choose and implement risk-based security approaches. This will lead to innovation in payment security. For example, a payment service provider may choose to implement a minimal authentication process for low value transactions. Or, they could link it to the credit limit or available balance, so that the poor consumers are disproportionately protected.
- Enforcement is hard work, and prevention is easy by shutting down complexity in the economy. Regulators must almost always avoid banning things, and work harder on developing State capacity in enforcement. In many instances, neither the consumer nor the provider would be responsible, and it would be a crime that could not have been reasonably prevented. In such instances, enforcement is the only option.
- Two laws gave RBI the raw material to shut down Uber: the Foreign Exchange Management Act (which gives power to hamper all cross-border transactions) and the Payment and Settlement Systems Act (which gives power to hamper innovation in payments). These laws are incompatible with progress, as has been argued by the Financial Sector Legislative Reforms Commission (FSLRC).
- The regulator should supply the public goods of data and foster research on payments and security and the performance of alternative authentication mechanisms.
The most important ingredient required for progress is humility. These are complex problems. The simplistic, overly prescriptive and paternalistic approach is harmful. In India, the costs of such an approach could keep people away from the financial system. The use of cash is even riskier than a relatively less secure electronic payment system. Cash is friendlier to money laundering, terrorism financing and fraud. That is the continuum of choices. A costly, one-size-fit-all, prescriptive approach may lead to high security for those in the electronic payment system, but may be leaving a large number of people out.
What Phil Libin, the CEO of Evernote, says about decision making in corporations is equally true of the world of public policy:
“We always try to ask whether a particular policy exists because it’s a default piece of corporate stupidity that everyone expects you to have, or does it actually help you accomplish something? And very often you realise that you don’t really know why you’re doing it this way, so we just stop doing it.”
How to make RBI serve the needs of India?
RBI’s intervention is problematic from a legal process perspective. Regulators are mini-states with legislative, executive and judicial powers. Such powers are easily misused, especially in name of doing good. Payments is just one area where productivity-enhancing innovations are being hampered in the name of security. In fact, many bad things are done with some noble objective serving as justification. Bad behaviour need not mean stereotypical corrupt behaviour. It could also mean other things, such as taking excessively restrictive steps, because the regulator wants to make its life easy. For example, giving two bank licenses per decade, just to reduce the amount of work required in supervision, is also bad behaviour. So, we must be a little more circumspect with agencies like RBI. They need to be held accountable. One good way of ensuring good behaviour is to mandate them to follow certain process of making and enforcing regulations.
The principle of proportionality, market-based innovations on security, and strong enforcement, are the magic ingredients for achieving optimal security in payment. Only careful analysis, and continuous review can reveal the right mix. Cost-benefit analysis of regulations will help choose the most efficient regulatory pathway to an objective. This analysis requires the regulator to list a few plausible regulatory alternatives, compute their costs and benefits for the entire economy, and choose the most efficient alternative. In case of payment security, at least two types of stylised choices are possible: those making specific prescriptions that payment services providers must follow, and those holding the service providers accountable for ensuring proportional security. Analysis would reveal which approach would work in what context. The world is changing rapidly, and the regulator must keep on learning. Hence, each such regulation must be subjected to periodic reviews, to understand what effect it had on the economy, and to make course corrections.
Such cost-benefit analysis and ex-post review are parts of the regulation making process in many good countries. They have also been recommended in the draft Indian Financial Code formulated by the Financial Sector Legislative Reforms Commission (FSLRC). Indeed, decades of observation of the blunders of financial agencies in India, of the sort being discussed here, is what has given the subtleties of the draft Indian Financial Code. You may like to see this talk on how to obtain progress on payments.
This post first appeared on Ajay Shah’s blog.