On 22 August 2014, the Reserve Bank of India (RBI) came out with an order which effectively forces firms such as Uber to either shut down, or switch to cumbersome payments mechanisms.
On 24 August, we wrote an article Shutting down Uber in India was unwise about the economic thinking in payments regulation.
On 15 September, RBI governor Raghuram Rajan responded to this criticism in a talk, saying: If there is a rule on the book, we don’t allow it to be violated simply because the innovation is cool.
We think that RBI’s action does not even constitute proper enforcement of ‘a rule on the book’. We think that regulators like RBI cannot pass the buck for bad consequences of rules that are fully under their control. We think that if RBI was wise and accountable, it would have behaved differently. Let’s work through the steps of this logic.
Let us first examine what Rajan claims RBI has done – enforcement of current laws and regulations. The RBI’s notification states that the routing of payments through offshore payment systems was violating the Payment and Settlement Systems Act, 2007 and the Foreign Exchange Management Act, 1999, and must be immediately stopped. It then allows the firms to make the necessary changes by October 31, 2014. This is unsound enforcement, for the following reasons:
- The notification just states that the activity is in violation of two Acts, without actually citing the specific provisions or regulations of the Acts, and providing grounds for determining that the activity is violating these laws. For an analogy, this notification is like the police arresting a person saying that he has violated the Indian Penal Code, without citing the specific sections and without providing the reasons for such an assessment.
- Instead of taking proper enforcement action – starting with a show cause notice and perhaps ending with a penalty – the RBI has simply allowed the firms to “adjust” by the given date. Unlike what Rajan claims, this is not enforcement by any stretch of imagination. An enforcement action by a regulator has to first establish that the enforcement action is necessary, and in a case such as this (assuming the RBI is correct regarding Uber’s activities), result in a punishment.
- The notification, which claims to be a clarification, is vague. It does not describe instances or specific actions that would be deemed to be in violation, so that market participants can understand where they stand. As a result, it has created significant confusion in the market.
If you were the police, you merely enforce the Indian Penal Code (IPC). When a situation arises in front of you like marital rape, you have to be mindless and say, `Sorry, the IPC is clear that rape in marriage is not a crime, and my hands are tied’. The police does not make the law, it simply enforces it. If the police finds someone violating the IPC, it is its duty to take necessary actions as per the Law.
On the other hand, Rajan’s stance—that clamping down on the routing of payment transactions is simply enforcement—is inappropriate. Unlike the police, RBI is not just an enforcement agency. RBI is a regulator. It writes the regulations that it enforces. The regulation for payment security was made by RBI, not Parliament, and therefore can be changed by RBI. Regulators exist because there is value in merging legislative, executive, and quasi-judicial powers within a single organisation.
Once RBI found that some real economy firms with efficient solutions are feeling compelled to find loopholes to give convenience to consumers on services such as taxi rides (which are usually small value transactions), this should have triggered a process of review of relevant regulation. Instead, Rajan simply brushed off the criticism of RBI on this matter, claiming that the critics are calling for suspending enforcement for a “cool” innovation. The critics are calling for no such thing.
Regulations must be enforced, otherwise they are meaningless, but if the regulations are wrong, they must also be reviewed and optimised. What Rajan is dismissing as “cool” is a small but non-trivial improvement in convenience (and productivity) that many consumers were choosing before RBI stepped in. India’s future relies on the ability of innovators to come up with myriad small process improvements like this one. So, in addition to enforcing the regulation, it would have been wise of RBI to rectify the problems in regulation that compelled firms to take such a strange and risky route to receive payments.
There are at least four major problems with the regulation that RBI has drafted on two-factor authentication:
- It lacks proportionality: it requires the same level of protection for small value transactions as it does for large value ones.
- It unreasonably restricts economic freedom of consumers: we do not even have the right to waive the requirement for second factor authentication for small value payments (eg. up to Rs. 1000) on own money, even if we are willing to take that risk.
- It focuses too much on prevention and not on enforcement: the approach is to eliminate the possibility of fraud by imposing costs on consumers. You face no risk of a motor accident if you live in the stone age.
- It takes initiative away from payment service providers: service providers are supposed to blindly follow RBI’s dictum. They do not have the right to relax authentication requirements for some transactions, with the understanding that they would manage risks and make good on losses that occur due to their mistakes.
To ignore these problems, to insist on enforcing a badly drafted regulation, no matter what the consequences are for the economy: this is the hallmark of an unaccountable agency.
Once RBI noted the route firms were using to get around the two-factor requirement, and that many consumers were willingly using the service with lesser security (signalling a preference for convenience over security for small value transactions), it should have embarked on a comprehensive review. While initiating proper enforcement action against firms allegedly violating the laws, on 22 August 2014, RBI should have issued a statement (perhaps through a press release) saying the following:
“We have a legal framework comprising Foreign Exchange Management Act (FEMA) about cross-border activities, and two-factor authentication about payments. Some companies, such as Uber, are in a grey zone when it comes to FEMA. They are using this mechanism to avoid our rule that requires two-factor authentication. We recognise that these are important mechanisms through which the market economy, comprising of service providers and consumers, is choosing to operate. The emergence of these mechanisms raises questions about the soundness of our two-factor authentication rules. The tradeoff between security and convenience, and between prevention and enforcement, embedded in our authentication rules is questionable. We need new regulations, which impose some burden of liability upon financial service providers, and empower consumers to make a choice to waive second factor requirement on small value transactions. The default condition may continue to be two factor authentication, unless a consumer opts out for small value transactions, or a service provider takes it upon itself to manage the risk and take liability for failures. It is important for regulators to not disrupt organisational capital of firms. Hence, the loopholes which are presently being used will be closed down on October 1 and the new rules will simultaneously kick in. Through this, it would be possible for firms such as Uber to experience no breakdown of operations. Enforcement actions will proceed against violators of FEMA who may have to pay fines for the offences. This process will begin with a show cause notice, and may end with a penalty order by an adjudicating officer, if sufficient evidence is found on violation.”
This would have been a wise and mature approach to financial regulation, one that fully takes into account the mandate of an accountable financial regulator and its responsibilities to the economy.
Rajan’s defense of the current system is that two-factor authentication has enhanced peace of mind for people, who were earlier at risk of losing money. But nobody is suggesting unconditionally removing all authentication requirements or consumer protection provisions. The choice should not be posed as existing RBI regulation vs. zero regulation. Instead, the argument is for applying proportionality in security, giving consumers the freedom to waive the second factor for small value transactions, and holding service providers liable for risks they agree to manage.
Overall, the criticism has far more nuance than Rajan has acknowledged.
He also says, as people too often do in India, that innovations from the West do not directly apply in India. This is a particularly harmful argument, because it works as a broad excuse for prohibiting or delaying all kinds of innovations. Rajan should be more precise about what safeguards are required for specific risks that accompany the innovation being discussed, and what his agency will do to address them efficiently. This precision is required, not vague pronouncements on the harm from importing innovations.
Rajan did say that RBI is considering some changes to the system, but it is not clear what these changes will be and when are they likely to be implemented. Till the time he decides to give greater clarity on the issue, affected parties must wait. This sort of waiting, and legal uncertainty surrounding new thinking about business models, is incompatible with high GDP growth. In this process, we have lost sight of the purpose for which a regulatory agency is established, and that it exists for the purpose of serving the people of India.
Millions of people understand in their bones that forcing a firm like Uber to shut down is a bad idea. In this one case, we have got a careful discussion about RBI regulation in public domain. The real issue runs deeper: an unaccountable agency has written myriad unwise regulations, that are holding India back. Greater humility, and an interest in reform, is the need of the hour.
This post first appeared on Ajay Shah’s blog.