## Monday, May 01, 2017

### A critique of RBI's proposal to regulate pre-paid payment instruments in India

by Chetna Batra, Gausia Shaikh and Bhargavi Zaveri.

Demonetisation has reportedly given a fillip to the use of digital pre-paid payment instruments (PPIs) in India. PPIs are stores of value which can be used for the purchase of goods and services. Some PPIs are akin to zero-interest deposits as they allow users to withdraw the money lying in their PPI accounts at any time. Since a bank account can do everything that a wallet can plus earn the consumer some interest, keeping money in a PPI has costs for consumers. However, owing to the demonetisation decision, PPIs' early tie-ups with vendors, the slow penetration of the Unified Payments Interface and a smooth phone-enabled interface, PPIs have seen significant growth over the last few months. Table 1 shows the growth in the usage of PPIs during the three months pre and post demonetisation.

Table 1: M-o-M growth of usage of PPIs in India
Time-period August 2016-October 2016 November 2016-January 2017
Transaction value 2.1% 30%
Transaction volume 9.6% 20.5%
Source: Reserve Bank of India

Until now, the issuers of PPIs were regulated by RBI as payment system providers under the Payment and Settlement Systems Act, 2007 (PSS Act) and delegated legislation issued by RBI under it. On March 20, 2017, the RBI published a draft Master Direction (DMD), announcing a revised regulatory framework governing the issuance and operation of PPIs in India.

Our analysis shows that the framework proposed in the DMD is out of tune with the broader public discourse and RBI's own objective of moving towards a less-cash economy. It perpetuates bank dominance in the payments eco-system and imposes entry barriers disproportionate to the risks that a PPI business entails. It attempts to protect consumer interests by over-prescribing operational requirements. However, in doing so, it destroys the efficiencies of transacting digitally. More importantly, it defeats the objective of financial inclusion that easy digital platforms were supposed to underpin. It prescribes a new licensing framework that is vague and vests excessive discretion in the hands of the regulator, leading to potential rule of law problems of the kind seen previously in the payments eco-system. We, at the Finance Research Group at IGIDR, submitted written comments on the DMD. The key points of our critique are summarised in this article.

### Lack of competitive neutrality

Payment services are different from banking. The former is about clearing and settlement, the latter about accepting deposits and lending (Shah (2016)). World over, payment eco-systems were conventionally dominated by banks. Several jurisdictions have, a while ago, disintermediated payments from banking by mandating an equal playing field between banks and non-bank payment service providers (Watal Committee Report (2016)). The DMD, however, perpetuates the approach of differentiating between banks and non-banks, by allowing the former several advantages over the latter. For instance:

1. Product design: Bank PPI issuers are allowed to issue open-system PPIs, which can be virtually used as debit cards (including for withdrawing money). Non-bank PPI issuers are, however, not so allowed. Jurisdictions such as the UK, USA and South Korea, do not segregate or limit the purposes for which a consumer may use her PPI account. As long as an entity fulfills the uniform eligibility criteria prescribed by the regulator, the product design is left to the PPI issuer.
2. Deployment of funds: Non-bank PPI issuers are required to lock the entire amount deposited with them by PPI account users, in an escrow account with a commercial bank. On the other hand, bank PPI-issuers are not subjected to this requirement and they may lend the money deposited with them by consumers. Thus, while non-bank PPI issuers are subjected to a virtually 100% cash reserve ratio requirement, despite not undertaking lending activity, bank PPI-issuers are allowed to lend the consumers' deposits after accounting for a cash reserve ratio of 4%. Given that both bank and non-banks issuing PPIs undertake the same kind of liabilities to the consumers of their PPIs, and that non-bank PPIs do not lend the deposits made with them, subjecting bank and non-bank PPI issuers to differential cash ratio requirements is discriminatory.
3. Cross border payments: Non-bank PPI issuers are not allowed to undertake full-fledged cross-border payments, which most bank PPI issuers will be able to undertake under their authorised dealership licence.
4. Access to RTGS, NEFT and IMPS: Currently, all payment service providers are not granted access to the central bank's payment systems. Contrast this with clearing corporations in the securities markets, which do not distinguish between applicants for clearing membership, as long as they meet margin requirements. Granting access to payment system providers to the central bank's payments systems would permit them to function seamlessly and innovate to develop cheaper products.

The DMD also discriminates between existing players and new entrants by allowing existing PPI issuers three years to meet the new minimum networth requirements. This tantamounts to giving a head-start to the existing players, and heightens the overall regulatory uncertainty with respect to the entry of new applicants for PPI licenses.

### Disproportionate networth requirements and restrictions on use of funds

Under the existing regulatory framework, PPIs are required to have a minimum paid-up capital of Rs. 5 crores and a positive networth of Rs. 1 crore. The DMD has dispensed with the specific capital requirement, but has increased the minimum positive net worth requirement to Rs. 25 crores. The DMD does not offer any rationale underlying such a five-fold increase. An ongoing minimum networth requirement of Rs. 25 crore is unjustified for the following reasons:

1. Disproportionate to risk: The minimum capital adequacy requirement for a business must cover the risks arising from the failure of the operations of the entity (a) to its consumers; and (b) where an entity is systemically important, to the financial system. PPIs are in the business of accepting money that is callable at par. They neither engage in lending activity nor do they pay interest to their consumers. They are not systemically important. Under the DMD, they are mandated to keep the funds received from consumers locked in an escrow account. Hence, there is virtually no settlement risk arising from the PPI itself. The two other risks that arise from PPI operations are operational failure and fraud. A five-fold increase in networth requirements without computing the risks and costs associated with these two failures, is arbitrary. It also does not take into account alternative methods for risk mitigation. For instance, the fraud-risk can be covered by insurance.
2. Inconsistent with global best practices: Several jurisdictions, such as the UK and Australia, specify a minimum initial capital and an ongoing risk based capital which is proportionate to the outstanding amounts deposited by consumers with the PPIs. Some jurisdictions, such as the UK, create a differentiated category of PPIs with lower or no minimum networth requirements, to foster innovation and competition in the payments space.
3. Restrictions on use of funds: As mentioned above, the DMD mandates non-bank PPI issuers to lock the deposits received by them from their customers in escrow accounts maintained with banks. This tantamounts to a 100% cash reserve requirement for entities which are not in the business of lending. Other countries have mitigated the settlement risk by permitting issuers to invest the funds in liquid and safe securities. For example, Australia mandates that such funds be invested in high quality liquid assets which are free from encumbrances. UK allows PPI issuers to safeguard the customers' money by obtaining insurance.

Mandating an excessive and risk-agnostic minimum networth requirement makes monitoring easy for the regulator, as it provides a 100% protection against failure. However, risk-agnostic capital requirements have the potential to create entry barriers for smaller players and stifle innovation. They increase the costs of services to consumers. The minimum networth requirements for PPI issuers must be proportionate to their operational risk. The 100% cash reserve ratio for PPIs must be dispensed with and they must be permitted to invest the outstanding amounts in safe and liquid securities, such as securities eligible for the Statutory Liquidity Ratio (SLR).

### Over-prescriptive operational requirements, but weak on overall consumer protection

While the DMD is over-prescriptive on several operational aspects such as mandating technology-specific measures that PPIs must implement, it is weak on certain fundamental aspects of consumer protection. Instances of these flaws are enumerated below:
1. Paper based KYC for digital transactions: The DMD mandates a blanket full-fledged paper-based KYC process for all consumers. This is inconsistent with the risk-based approach towards KYC that is adopted the world over. A KYC mandate, that is agnostic to the risk associated with the person being KYC-ed, adversely affects both the payment service providers and the consumers. For the former, it implies a manifold increase in the costs of acquiring information. For consumers, it increases the cost of digital transactions relative to cash. Both these effects run counter-productive to financial inclusion and the objective of transitioning to a cash-less society. Moreover, a significant percentage of PPI users would have banking access and would have, therefore, undergone a full-KYC with a bank. Hence, for such consumers, applying KYC requirements for using funds lying in a KYC-compliant bank account is repetitious.
2. Over-prescriptive: The DMD mandates technology-specific anti-fraud measures such as an additional factor authentication for every transaction and separate log-in requirements for non-payment related services offered by PPI issuers. Over prescriptive regulatory requirements run the risk of being excessive and easily circumvented, especially in technology-oriented industries. Since consumers attach a premium to safe and secure payment systems, the private sector is incentivised to implement safe and consumer friendly systems. A principle-based approach towards regulating payments services is, therefore, the norm across countries.
3. Restricted interoperability: The DMD allows only restricted interoperability across payment platforms. For instance, monthly limits are placed on how much consumers can transfer back to the source account which was used to fund the PPI account in the first place. The DMD does not lay down a framework for full interoperability, but leaves it to a future date.
4. Limits on use: A PPI is a pre-paid store of value. The DMD seeks to limit the usage of the stored value and the number of beneficiaries that can be added within a given time interval. The regulatory purpose of such limits is unclear.
5. Ambiguity on usage of data: The DMD is ambiguous on the confidentiality obligations of PPI issuers. In this respect, the RBI is perhaps relying on the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (IT Data Security Rules), which require service providers to frame a privacy policy. The Ministry of Electronics and Information Technology has also issued draft data privacy rules for the PPI industry. However, the DMD is silent on the minimum standards of data protection that PPIs must offer their consumers. In the absence of an overarching privacy law, it is also unclear who has the jurisdiction to regulate and monitor the privacy policies of regulated entities.

RBI must substitute the proposed blanket full-KYC process with a tiered risk-based KYC structure. Under such a structure, low-risk consumers, such as those whose monthly transaction volumes do not cross a certain threshold, or consumers who are able to link a bank account with their PPI, must not be subjected to the ordeal of a full-fledged paper based KYC process. Medium risk consumers should be allowed to use the AADHAAR-based e-KYC, and high risk consumers alone may be required to undergo in-person and paper-based KYC. The transition from low to high risk may be done on the basis of transaction history. RBI must also revise the operational norms for PPIs by making them principle-based and technology neutral.

### Vague licensing procedure

The DMD lays down a new licensing procedure for PPI issuers. So far, the licensing of PPI issuers was governed by the PSS Act. The DMD, without amending the PSS Act, mandates a licensing procedure which significantly departs from that under the PSS Act. While the PSS Act allows RBI to issue regulations for the purpose of implementing the provisions of the PSS Act, a "Master Direction" that does not undergo Parliamentary scrutiny is not legally tenable for specifying a completely new licensing framework.

The new licensing process envisages an "in-principle" approval on the basis of the "prima facie eligibility" of the applicant. The criteria for meeting prima facie eligibility, are undefined, except that applicants and their management are required to meet a "fit and proper" criteria. Financial sector legislation around the world generally have a list of what constitutes `fit and proper', to ensure that a licensing process is not discriminatory owing to vague criteria. Further, the DMD requires applicants to satisfy parameters such as efficiency and other related technical requirements. It is unclear how RBI will measure efficiency for first-time entrants. The DMD allows RBI to impose additional conditions if adverse conditions regarding the entity/promoters/ group come to the notice of the RBI. Undefined additional conditions, which may be imposed on the occurence of undefined adverse conditions, adds to the uncertainty of the licensing process. It also creates a perfect setting for rent-seeking and ad-hoc discrimination among similarly-placed applicants.

A licensing process that is significantly different from that under the PSS Act, requires amendments to the PSS Act, and cannot be specified by a mere direction. A licensing process for PPIs must virtually be on-tap. An unambigious and competitively neutral licensing process is imperative for the development of a dynamic digital payments ecosystem in India.

References :

Ajay Shah, How to make digital payments work, Business Standard, 28 November 2016.

Report of the Committee on the Medium term recommendations to strengthen the digital payments ecosystem (2016) or commonly called The Watal Committee report.

The authors are researchers at the Indira Gandhi Institute of Development Research.

Please note: LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.