## Thursday, September 18, 2014

### RBI vs. Uber, continued

by Suyash Rai and Ajay Shah.

On 22 August 2014, RBI came out with an order which effectively forces firms such as Uber to either shut down, or switch to cumbersome payments mechanisms.

On 24 August, we wrote an article, "Shutting down Uber in India was unwise", about the economic thinking in payments regulation.

On 15 September, Raghuram Rajan responded to this criticism in a talk, saying:

> If there is a rule on the book, we don't allow it to be violated simply because the innovation is cool.

We think that RBI's action does not even constitute proper enforcement of a 'rule on the book'. We think that regulators like RBI cannot pass the buck for bad consequences of rules that are fully under their control. We think that if RBI were wise and accountable, it would have behaved differently. Let's work through the steps of this logic.

### Does the RBI action constitute sound enforcement of existing law?

Let us first examine what Rajan claims RBI has done - enforcement of current laws and regulations. The RBI's notification states that the routing of payments through offshore payment systems was violating the Payment and Settlement Systems Act, 2007 and the Foreign Exchange Management Act, 1999, and must be immediately stopped. It then allows the firms to make the necessary changes by October 31, 2014. This is unsound enforcement, for the following reasons:

• The notification just states that the activity is in violation of two Acts, without actually citing the specific provisions or regulations of the Acts, and providing grounds for determining that the activity is violating these laws. For an analogy, this notification is like the police arresting a person saying that he has violated the Indian Penal Code, without citing the specific sections and without providing the reasons for such an assessment.
• Instead of taking proper enforcement action - starting with a show cause notice and perhaps ending with a penalty - the RBI has simply allowed the firms to "adjust" by the given date. Unlike what Rajan claims, this is not enforcement by any stretch of imagination. An enforcement action by a regulator has to first establish that the enforcement action is necessary, and in a case such as this (assuming the RBI is correct regarding Uber's activities), result in a punishment.
• The notification, which claims to be a clarification, is vague. It does not describe instances or specific actions that would be deemed to be in violation, so that market participants can understand where they stand. As a result, it has created significant confusion in the market.

### RBI cannot be an impassive enforcer of rules that it has drafted

If you were the police, you would merely enforce the Indian Penal Code (IPC). When a situation arises in front of you like marital rape, you have to be mindless and say, 'Sorry, the IPC is clear that rape in marriage is not a crime, and my hands are tied'. The police does not make the law, it simply enforces it. If the police finds someone violating the IPC, it is its duty to take necessary actions as per the law.

On the other hand, Rajan's stance - that clamping down on the routing of payment transactions is simply enforcement - is inappropriate. Unlike the police, RBI is not just an enforcement agency. RBI is a regulator. It writes the regulations that it enforces. The regulation for payment security was made by RBI, not Parliament, and therefore can be changed by RBI. Regulators exist because there is value in merging legislative, executive, and quasi-judicial powers within a single organisation.

Once RBI found that some real economy firms with efficient solutions are feeling compelled to find loopholes to give convenience to consumers on services such as taxi rides (which are usually small value transactions), this should have triggered a process of review of relevant regulation. Instead, Rajan simply brushed off the criticism of RBI on this matter, claiming that the critics are calling for suspending enforcement for a "cool" innovation. The critics are calling for no such thing.

Regulations must be enforced, otherwise they are meaningless, but if the regulations are wrong, they must also be reviewed and optimised. What Rajan is dismissing as "cool" is a small but non-trivial improvement in convenience (and productivity) that many consumers were choosing before RBI stepped in. India's future relies on the ability of innovators to come up with myriad small process improvements like this one. So, in addition to enforcing the regulation, it would have been wise of RBI to rectify the problems in regulation that compelled firms to take such a strange and risky route to receive payments.

There are at least four major problems with the regulation that RBI has drafted on two-factor authentication:

1. It lacks proportionality: it requires the same level of protection for small value transactions as it does for large value ones.
2. It unreasonably restricts economic freedom of consumers: we do not even have the right to waive the requirement for second factor authentication for small value payments (e.g. up to Rs. 1000) on our own money, even if we are willing to take that risk.
3. It focuses too much on prevention and not on enforcement: the approach is to eliminate the possibility of fraud by imposing costs on consumers. You face no risk of a motor accident if you live in the stone age.
4. It takes initiative away from payment service providers: service providers are supposed to blindly follow RBI's dictum. They do not have the right to relax authentication requirements for some transactions, with the understanding that they would manage risks and make good on losses that occur due to their mistakes.

To ignore these problems, to insist on enforcing a badly drafted regulation, no matter what the consequences are for the economy: this is the hallmark of an unaccountable agency.

### If RBI were wise and accountable, what would they have done?

Once RBI noted the route firms were using to get around the two-factor requirement, and that many consumers were willingly using the service with lesser security (signalling a preference for convenience over security for small value transactions), it should have embarked on a comprehensive review. While initiating proper enforcement action against firms allegedly violating the laws, on 22 August 2014, RBI should have issued a statement (perhaps through a press release) saying the following:

1. "We have a legal framework comprising FEMA about cross-border activities, and two-factor authentication about payments.
2. "Some companies, such as Uber, are in a grey zone when it comes to FEMA. They are using this mechanism to avoid our rule that requires two-factor authentication.
3. "We recognise that these are important mechanisms through which the market economy, comprising service providers and consumers, is choosing to operate. The emergence of these mechanisms raises questions about the soundness of our two-factor authentication rules.
4. "The tradeoff between security and convenience, and between prevention and enforcement, embedded in our authentication rules is questionable. We need new regulations, which impose some burden of liability upon financial service providers, and empower consumers to make a choice to waive second factor requirement on small value transactions. The default condition may continue to be two factor authentication, unless a consumer opts out for small value transactions, or a service provider takes it upon itself to manage the risk and take liability for failures.
5. "It is important for regulators to not disrupt organisational capital of firms. Hence, the loopholes which are presently being used will be closed down on October 1 and the new rules will simultaneously kick in. Through this, it would be possible for firms such as Uber to experience no breakdown of operations.
6. "Enforcement actions will proceed against violators of FEMA who may have to pay fines for the offences. This process will begin with a show cause notice, and may end with a penalty order by an adjudicating officer, if sufficient evidence is found on violation."

This would have been a wise and mature approach to financial regulation, one that fully takes into account the mandate of an accountable financial regulator and its responsibilities to the economy.

Rajan's defense of the current system is that two-factor authentication has enhanced peace of mind for people, who were earlier at risk of losing money. But nobody is suggesting unconditionally removing all authentication requirements or consumer protection provisions. The choice should not be posed as existing RBI regulation vs. zero regulation. Instead, the argument is for applying proportionality in security, giving consumers the freedom to waive the second factor for small value transactions, and holding service providers liable for risks they agree to manage.

Overall, the criticism has far more nuance than Rajan has acknowledged.

He also says, as people too often do in India, that innovations from the West do not directly apply in India. This is a particularly harmful argument, because it works as a broad excuse for prohibiting or delaying all kinds of innovations. Rajan should be more precise about what safeguards are required for specific risks that accompany the innovation being discussed, and what his agency will do to address them efficiently. This precision is required, not vague pronouncements on the harm from importing innovations.

Rajan did say that RBI is considering some changes to the system, but it is not clear what these changes will be and when they are likely to be implemented. Till the time he decides to give greater clarity on the issue, affected parties must wait. This sort of waiting, and legal uncertainty surrounding new thinking about business models, is incompatible with high GDP growth. In this process, we have lost sight of the purpose for which a regulatory agency is established, and that it exists for the purpose of serving the people of India.

### This is just the tip of the iceberg

Millions of people understand in their bones that forcing a firm like Uber to shut down is a bad idea. In this one case, we have got a careful discussion about RBI regulation in the public domain. The real issue runs deeper: an unaccountable agency has written myriad unwise regulations that are holding India back. Greater humility, and an interest in reform, is the need of the hour.

1. There were two issues:
   1. Not using two-factor authentication.
   2. Routing transactions through a foreign gateway for transactions between people in India.

Uber could have got clarifications from the RBI before doing this. Instead, they just went ahead and clearly violated the law in letter and spirit. You could argue about the two-factor authentication but did Uber really ever reveal to even its customers that they are sending out financial information out of the country?

The fact that Uber just violated the law shows that they never really feared an action from the RBI. RBI proved them right by not taking an enforcement action as you correctly pointed out.

Overall, I don't think anybody in India really believes in the rule of law. Not the people, not corporations, not the government. It's a 'chalta hai' world we live in.

2. Risk versus convenience is balanced in many parts of the world and waiving PIN at merchant outlets or 2nd factor authentication for transactions below INR 2500 can lead to massive conversion from cash to electronic payments increasing efficiency and transparency in the economy. If there is concern about consumer protection we must mandate zero liability for the consumer in the situation of a fraud.

3. 1) settling transactions between domestic entities in foreign exchange is a straight problem - and has to be restricted, whether in online or offline transactions. - [We don't even need to get into Uber not opening Branch Office/Project Office in India question, for the same.]

2) on two factor authentication - so far it's that regulation has been lagging behind technology, rather technology (in respect of security/fraud prevention) has been lagging behind the ideas (cashless payments) and regulation is filling in for where technology is failing.

3) Uber could have easily applied for a mobile wallet license, or tied up with someone who had a mobile wallet license, and done cashless transactions without authentication. But no, they wanted to save money.

4. The comments this blog attracted are laughable to say the least.. The authors are spot on when analysing the approach taken by regulator. Rajan's comments which appeared in the times group newspapers were obviously written by someone in the DPSS who think they are kings of the world!! Rajan simply chose to not apply his mind to the concerns and answers and blindly went with what his colleagues drafted.
I am not sure what the current status is but I have already seen that Meru and Ola have come out with some sub optimal solutions and would likely announce that thousands of customers have opted for their wallet solution for making cashless payments conveniently. Fact is that these would remain less preferred routes for payments. RBI uncles work on their whims and fancies.. They dread anything appearing in print which might be deemed as damning to the regulator in any angle. Or they get swayed by anecdotes their relatives or friends would mention to them as dinner time chatter. Yes, that's how they make these regulations.
