Search interesting materials

Saturday, October 20, 2018

Response to the Draft Personal Data Protection Bill, 2018

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

The Ministry of Electronics and Information Technology ("Meity") recently sought public comments on the draft Personal Data Protection Bill, 2018 (the "Bill") drafted by the Justice B.N. Srikrishna Committee of Experts ("Srikrishna Committee"). The Bill contains the Committee's proposals towards the creation of a free and fair digital economy, by setting out the rights and obligations governing the use of personal data and creating a statutory agency, referred to as the Data Protection Authority of India ("DPA"), to implement the law.

We wrote a detailed submission to Meity, which is summarised here. The Bill offers a fairly comprehensive set of data protection principles and rights to data subjects, particularly in relation to data processing by private entities. However, there are several key areas where the positions adopted by the Bill need to be revisited. This includes provisions relating to the structure and design of the DPA, role of adjudication officers, cross border transfer of data and scope of exemptions under the law, particularly in relation to government agencies. In this, we build upon our response to the White Paper, released by the Srikrishna Committee early in their work process.

Definitions and scope


While recognising that many of the terms and phrases used in the Bill will require jurisprudence to develop around them, several defined terms need modifications in order to clarify the scope of the law and ensure its appropriate application. In particular, clarity is needed on terms like "anonymised", "harm", "sensitive personal data", "personal data breach", "disclosure to the public" and "genetic data":

  1. Section 3(3) - "anonymisation": The Bill indicates that anonymisation of data should be "irreversible" in nature and should meet the standards specified by the DPA. A considerable literature has established that perfect anonymisation is hard, if not impossible to achieve (particularly due to new recombination methods that are constantly developing). Therefore, the Bill potentially sets an unachievable standard for anonymisation by using the word "irreversible". The definition needs to be more narrow: data fiduciaries should be required to meet the standard of anonymisation specified by the DPA. A separate provision could be introduced detailing the factors for the DPA to consider in setting the relevant standards and codes of practice on anonymisation.
  2. Section 3(20) - "genetic data": The Bill limits the scope of "genetic data", which is part of sensitive personal information, to genetic characteristics which "give unique information about the behavioural characteristics, physiology or the health of that natural person". This implies that the definition only covers coding DNA. However, a lot of the DNA in the genome do not give any information about a person's behavioural characteristics, physiology or health. Such DNA, known as "non-coding DNA", can nonetheless be used for DNA profiling and is currently not covered under the Bill. To remedy this lacuna, the definition of "genetic data" must be expanded to include DNA profiles which can be used to establish identity, genealogy or kinship.
  3. Section 3(21) - "harm": The definition of "harm" in Section 3(21) is critical as it forms the trigger for various rights/ obligations under the Bill. In the harm of "discriminatory treatment" under Section 3(21)(vi), it is unclear what specifically amounts to discriminatory treatment or the standard to be applied in this regard. For instance, would this bar the use of personal data to charge differential prices for services or offer different services to different individuals? It would be useful to have some standards/ tests that would be applied by different actors responsible for assessing harms in different contexts. The Constitution of India offers the standards for assessment of discrimination by the State under provisions like Article 14 (arbitrariness) and Article 15 (protected grounds include sex, caste, etc). However, we need fresh thinking on how to interpret discrimination, undertaken both by private parties and State agencies, in the context of personal data. Requiring the DPA to offer some clarification around these issues will enable greater certainty in the application of the provisions.
  4. At the same time, the law must also account for harms that may arise in the future, including through new technological innovations allowing the use of personal data in unforeseen ways. Therefore, we suggest that the Bill should also consider including loss of confidentiality of personal data, including in situations where the personal data may be provided under specific professional settings; and the possibility of psychological manipulation or restriction of autonomy of individuals, especially in non-trivial contexts such as voting in elections, as "harms".
  5. Section 3(35) - "sensitive personal data": We recommend that in addition to the list given under the provision, the definition of "sensitive personal data" must also contain scope for a context specific determination (of what constitutes sensitive data) to ensure that information that reasonably reveals sensitive personal data would also be included within the ambit of the phrase. For instance, treating location data as personal data may or may not be problematic as a general rule, but in certain contexts (such as communication surveillance), this data may require higher protection. While the Srikrishna Committee Report notes that there may be a cost in permitting a contextual determination of what constitutes "sensitive personal data", this argument is unconvincing, given that the law does not hesitate to impose costs on entities in areas where the gains as far as privacy protections are concerned are not particularly clear (for instance, the provisions pertaining to localisation/ mirroring of data).

Finally, on the scope of the law, we question whether the data protection law should apply only to the data of living persons or could it also be extended, in certain circumstances, to cover the personal data of either unborn children or deceased individuals. We argue that given the increasing instances of test-tube babies, freezing of embryos, etc., it may be useful to consider extending certain protections to relevant categories of personal data at even this stage. Equally, personal data of the deceased should also be protected in certain circumstances -- for instance, where it may reveal information pertaining to a living person (say a blood relative).

Data breach notification


The draft Bill currently does not define the scope of a "data breach". It also does not mandate notice being provided to the data principal in each and every case of a breach. We believe that this reduces the control that individuals can exercise over their personal data and their choice to discontinue transacting with specific data fiduciaries based on perceived data risks. While certain exemptions must be crafted to ensure that data fiduciaries are not overburdened in terms of their notification obligations, this must not come at the cost of individual autonomy.

Cross border transfer of data


Sections 40 and 41 of the Bill propose a "three-pronged model" for international transfers of personal data. As per this, one live, serving copy of all personal data should be stored in India, in addition to which certain categories of "critical personal data" (to be notified by the government), will be bound by a stricter requirement of being stored and processed only in India. Finally, the government will have the power to exempt particular countries, sectors or international organisation from the restrictions on free flow of data across borders on the grounds of "necessity" or "strategic interests of the state". We disagree with the proposed model, and the absence of any cogent reasons or cost-benefit analysis to justify these decisions.

We recognise that the government may have reasons, in certain situations, to force data localisation, from a strategic, social or economic perspective. However, the present law deals with only privacy and data protection related rights, and as such, should only look to enable localisation where it is demonstrable that the privacy protections afforded by such a step are worth the trade-offs associated with localisation (in terms of restriction of expression and privacy rights, costs to businesses, environmental costs, etc.).

While localisation measures may, in certain situations, enhance privacy protections (assuming that the foreign location where the data is stored has a sub-optimum framework for data protection), they can also negatively impact rights (including those relating to free expression and privacy) and greatly increase the cost to business (Bailey and Parsheera, 2018). These costs have not been adequately justified by commensurate gains in the Srikrishna Committee's recommendations. Given the ability to utilise numerous less intrusive measures to provide Indian data with an equal measure of protection (such as binding contractual rules, need for adequacy decisions prior to transfer, etc.), we believe that the provisions requiring mandatory mirroring of personal data within India/ complete localisation of critical personal data are disproportionate and must be revisited.

This is not to say that localisation can never be a necessary or proportionate response to perceived harms from privacy. However, in order to make this case, specific harms must be identified, and the costs and benefits of imposing the proposed measures must be adequately demonstrated (Bailey and Parsheera, 2018). We suggest, therefore, that the Bill itself should contain no specific mandate pertaining to mirroring or complete localisation. To the extent that it may empower the DPA or the Government to direct the localisation of certain specific types of data or by specific entities, it should mandate a robust cost-benefit analysis and public consultation processes before arriving at such a decision.

Exemptions


According to Sections 42 and 43 of the Bill, processing of personal data in the (a) interests of the security of the state; and (b) for prevention, detection, investigation and prosecution of any offence or any other contravention of law is exempt from most obligations in the Bill, if it is (i) in accordance with the law, (ii) follows the procedure set out by that law (this requirement does not apply to Section 43), and (iii) is necessary and proportionate. While these provisions embed the proportionality standard set out by the majority in the Supreme Court's Puttaswamy decision and confirmed more recently in the Aadhaar case, the Bill fails to address the related structural and procedural elements that are required to operationalise these principles. For instance, while the Bill states that the interception should be necessary and proportionate, it does not address the question of who should make this determination.

The Srikrishna Committee's report acknowledges that the current processes under the Information Technology Act and the Telegraph Act, which provide only executive review for interception requests, are not sufficient and recommends that District Judges should be reviewing the processing of personal information by intelligence agencies in closed door proceedings. Apart from ex-ante judicial scrutiny of interception requests, the report also talks about ensuring accountability through ex-post, periodic reporting and review by a parliamentary committee. However, these requirements do not find mention in the text of the Bill itself. While the Bill may not be the correct site for ensuring a complete overhaul of the intelligence apparatus, not least due to the organisation and structural changes that may be required within intelligence and law enforcement services, nonetheless, the Bill should have proposed these ex-ante and ex-post oversight mechanisms over intelligence activities as amendments to the Telegraph Act and Information Technology Act and the procedural rules made under them.

As highlighted by us in Bailey et al., 2018, the following reforms are needed in the law:

  1. Prior judicial review: The current process of authorisation of surveillance requests by the executive needs to be amended to incorporate an element of prior judicial review. A provision for post-facto judicial scrutiny can be made for situations that require immediate action in cases of emergency. This review may be conducted through specialised courts designated for this purpose or by designated judicial members in an independent body, such as the DPA. Any amendments to the current laws should also lay down a procedure for appeal against the decision of the judicial body. Accordingly, the Bill should propose the adoption of the proposed structure by suggesting corresponding amendments to the Telegraph Act, Information Technology Act and the rules framed under those laws.
  2. Procedural guarantees: It is unclear why Section 43 of the Bill, which exempts the processing of data in connection with any offence or other contravention of a law from most obligations in the Bill, does not mandate that the processing should be done in accordance with the procedure set out under the authorising law (as stated under Section 42). It is imperative that the obligation to follow the procedure set out in law should be introduced in Section 43.
  3. Reporting and transparency: Appropriate ex-ante and ex-post reporting and transparency obligations need to be imposed on LEAs and intelligence agencies in respect of all surveillance activities. In addition, appropriate oversight bodies must be identified and should be required to publish periodic reports of their activities and that of LEAs/ intelligence agencies under their supervision. At the same time, service providers that receive surveillance requests must be permitted to publish aggregated statistics detailing the volume and nature of such requests.
  4. Notice to data subject: There should be an obligation to provide deferred notice of interception to the concerned individual. However, the law can allow the intelligence agency or LEA to seek the approval of the judicial body to delay or avoid the requirement of notice under certain exceptional circumstances. For instance, if it can be established that such a disclosure would defeat the very purpose of surveillance. Circumstances under which this exception can be invoked should be listed clearly.
  5. Right to seek redress: The requirement of notice to the data subject must be accompanied by a right to challenge and seek appropriate redress against surveillance activities. This right should extend to a person who is, or has reasonable apprehension of being, the subject of surveillance. In addition, intermediaries that are under a legal obligation to facilitate access to information by LEAs should also have the legal right to question the scope and purpose of the orders received by them.
  6. Privacy Officers: Intelligence agencies and LEAs should have an obligation to appoint data protection officers. The data protection officer should be required to, inter alia, scrutinise interception requests by the agency (before they are put up to the sanctioning judicial body), and ensure adherence to the relevant laws. Further, their considered opinion pertaining to interception requests must be recorded in writing and available to relevant oversight bodies, if not the public.
  7. General data protection rights: With regard to personal data processed by LEAs and intelligence agencies, we recommend that the Bill must ensure that, as far as possible, data principals are provided with access and rectification rights, and personal data maintained by relevant authorities is up to date and accurate. Further, data retention norms also need to be appropriately designed to ensure that only relevant data is stored by the authorised agencies.

The other exemptions granted under Chapter IX of the Bill also need to be revisited on several counts. This includes: (i) adding categories such as 'academic' and 'artistic' work to the list of exempted activities; (ii) making the existing exemptions more nuanced, thus ensuring a more appropriate balance of privacy with competing rights such as the freedom of expression, right to profession, etc.; (iii) revisiting the pre-conditions for availing the 'journalistic' exemption, which as currently drafted may drastically affect online expression rights; and (iv) ensuring a public purpose limitation on the exemption granted for research purposes.

Structure and powers of the DPA


When it comes to the structure and processes of the Data Protection Authority, we find that the Bill is in need of significant improvements. In this regard, we make the following key recommendations:

  1. Composition: In terms of its composition, the DPA consists of a Chairperson and only whole-time members. We think there is merit in considering the inclusion of part-time, non-executive members on the DPA who can bring in the requisite expertise into the agency while also providing checks and balances against any management issues in the agency.
  2. Selection process: Section 50(3) of the Bill provides that the Government will make rules to prescribe the procedures of the selection committee constituted for recommending names of DPA members. The integrity of the selection procedure needs to be protected by requiring that all short-listing and decision making by the committee is done in a transparent manner. Therefore, we recommend that the primary law should incorporate certain details regarding the processes of the selection committee. For instance, it should require the committee to disclose all the relevant documents considered by it and prepare a report after the completion of the selection procedure. This would include the minutes of the discussion for nominating names, the criteria and process of selection and the reasons why specific persons were selected.
  3. Coordination with other agencies: Section 67 of the Bill provides for coordination between the DPA and other agencies. This is a welcome provision but there is need for certain clarifications in its scope. First, the Bill restricts the coordination requirement only to other statutory agencies but there may be situations where certain regulatory actions fall directly within the domain of a Ministry or Department of the Government. Therefore, the Bill should expand the scope of this provision to include coordination between DPA and other ministries and departments of the Government. Second, it is not clear as to how it will be determined whether the other body has "concurrent jurisdiction" with the DPA. Instead of leaving this determination entirely up to the DPA it would be advisable for the Bill itself to contain a non-exhaustive list of such matters and agencies with corresponding amendments to relevant laws requiring respective agencies to undertake similar co-ordination with the DPA. In addition to this, the Government may prescribe other matters and agencies to be covered in the list. Third, the Bill makes it discretionary for the DPA to enter into memorandums of understanding ("MOUs") with other agencies. We recommend that this requirement should be made mandatory and the Bill should also set out a non-exhaustive list of the matters to be covered in the MoU.
  4. Regulation making process: The Bill does not mandate the DPA to ensure transparency in the discharge of all its functions, a provision that is necessary in such a law given the wide range of powers being conferred upon the DPA. Further, except in case of the codes of practice, the Bill does not lay down provisions for effective public participation in the DPA’s regulation-making processes. We propose that the law should require the DPA to undertake an assessment of the expected costs and benefits of any proposed regulation and seek to adopt measures that minimise the compliance costs while meeting the intended objective. Equally, the law should also mandate the DPA to provide an explanation for the decision finally adopted by it and the broad reasons for acceptance or rejection of the comments raised by stakeholders and the public.
  5. Power of adjudication: The Bill raises the structural issue of housing both regulatory and adjudicatory functions within the DPA, which can lead to the dilution of the Authority's core regulatory functions. It may also result in a conflict on interest by making the same agency responsible for the framing of regulations and providing redress for their breach -- a large number of complaints on an issue reflects non-compliance by data fiduciaries but also that the DPA may have failed to take appropriate regulatory or supervisory actions to curb such malpractices. Accordingly, we reiterate the submission made by us in response to the White Paper, that the redress of individual data protection complaints should be entrusted to a separate redress agency or ombudsman, that will function independently on the DPA. There should, however, be a strong feedback loop between the proposed ombudsman and the DPA using which the DPA can gain information about the type of complaints being raised, the entities to which they relate and the underlying causes.
    However, in case the government proceeds with the Bill's recommendations on locating the complaints redress function within the DPA, there is still a case for making certain improvements in the proposed structure of the process. The current provisions of the Bill provide that any complaint raised by a data principle would directly proceed to determination by an adjudication officer (after the individual has first approached the data fiduciary's internal redress mechanism). We note that instead of directly sending the compliant for adjudication, there is a case for first facilitating an amicable settlement between the individual and the data fiduciary through mediation process. In cases where the parties fail to reach a settlement, the matter could then proceed for adjudication. Creating such a mechanism in the law would reduce the burden on adjudication officers, move to a less adversarial process, and expedite the settlement of grievances.
  6. Committees to advise the DPA: We propose that the law should empower the DPA to appoint various committees as may be necessary to assist it in the discharge of its functions. It would also be useful for the law to put in place a multi-stakeholder committee that can advise the DPA on the framing of standards that may be applicable in different contexts and the interpretation of the data protection principles laid down in the law. In this regard, the "Article 29 Working Party" in the European Union could be a useful example for incorporating such a mechanism in the Indian data protection law.

Offences


We argue that the criminal provisions contained in Sections 90, 91, 92, and 93 of the Bill should be revisited -- being draconian, vague and overly broad. Sections 90 and 91 of the Bill create criminal offences by penalising a person who "knowingly or intentionally or recklessly" deals with personal information with resulting harms or indulges in re-identification and processing of previously de-identified personal data, in contravention to the Bill. The Bill prescribes the stringent punishment of imprisonment for these acts and makes the offences cognisable and non-bailable.

In this regard, the Srikrishna Committee's White Paper had stated that criminal sanction in the form of imprisonment and fines may be prescribed to impose financial and reputation costs on the data controller, thereby serving a deterrent purpose. However, empirical research demonstrates that the threat of imprisonment has only a small general positive deterrent effect (Ritchie, 2011). The use of criminal sanctions in data protection laws is rare (although not unheard of), but even in such cases, the context and scope of criminal provisions is markedly different from the Indian draft law.

For instance, while the U.K's Data Protection Act does include criminal offences, the scope of these offences is narrower compared to the draft Bill. Crucially, the UK's Data Protection Act mainly provides for criminalisation of acts where access and use of personal data is achieved without the consent of the data controller. Further, the law also restricts itself to only prescribing fines and does not prescribe imprisonment as a punishment for contravention.

Finally, we note that the provision as currently drafted also criminalises ethical hacking or other forms of security related research, including into the effectiveness of anonymisation techniques. In other cases, such as the UK's Data Protection Act, the law specifically lists various defences that could be taken against the offence of unlawfully obtaining personal data (Section 170), and against re-identification of personal data (Section 171) - notably on the ground of public interest.

Conclusion


Given the current state of Indian data protection law, virtually any improvement would represent a significant step towards protection of privacy rights of Indians. However, we find that the Bill does provide a reasonably strong framework for the protection of personal data of citizens. That said, the Bill also contains numerous lacunae, implying the need to bring out amendments with a view to inter alia:

  • Revisit the design of the regulatory framework, including by ensuring greater independence and accountability of the DPA. This gains particular importance due to the need to build trust between all the actors in the digital ecosystem;
  • Clarify various terms and phrases to ensure proper application of the law;
  • Provide checks on the State's use of personal data and build stronger provisions pertaining to state surveillance;
  • Create more nuanced exemptions for a wider variety of subject matters (for instance, academic or artistic work) while at the same time including additional checks and balances for all exempted categories; and
  • Reconsider the broad scope of the criminalisation provisions under the law and the classification of offences as non-bailable and non-cognizable.

Certain other provisions, such as the broad latitude granted to employers to process data of employees, and provisions pertaining to the right to object to processing or delete personal data, also need to be reviewed in subsequent versions of the Bill. Given the growing evidence that our personal data is not particularly secure in either private or State hands -- notably both Facebook and Google have recently reported massive data breaches -- it becomes all the more important for a strong, horizontal, principles-based data protection law to be brought into effect at the earliest possible. Reports indicate that the Bill will, subsequent to certain amendments and clarifications, be tabled before Parliament in the winter session. That said, the passage of a data protection law -- in whatever form it may take -- can only be considered (a vital) first step in ensuring greater protection of privacy rights of individuals. Building capacity of the regulator and laying down appropriate sector specific guidelines and principles will be critical in translating the law into practice.

References


Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, 2018.

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Personal Data Protection Bill, 2018.

Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman and Renuka Sane, Response to the White Paper on a Data Protection Framework for India, NIPFP MacroFinance, 31 January 2018.

Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman, Placing surveillance reforms in the data protection debate, The Leap Blog, 6 August, 2018.

Rishab Bailey and Smriti Parsheera, Data localisation in India: Questioning the means and ends, NIPFP MacroFinance (forthcoming).

Donald Ritchie, Sentencing matters: Does imprisonment deter? A review of the evidence, Sentencing Advisory Council, State Government of Victoria, April 2011.

Vrinda Bhandari, Data Protection Bill: Missed Opportunity for Surveillance Reform, The Quint, 28 July, 2018.

Smriti Parsheera, Data Protection Bill: Lukewarm Effort Towards Strong DPA", The Quint, 4 September, 2018.


Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance Policy. Vrinda Bhandari is a practicing advocate in Delhi. We thank Devendra Damle for inputs on the issue of genetic data.

Monday, October 15, 2018

The Justice Srikrishna Report and Digital Monopolies

by Jai Vipra.

Much has been said about the recommendations of the Justice Srikrishna Committee Report on Data Protection, particularly with respect to the broad exemptions made for the state on the non-consensual use of people's data. (The Quint, 2018) However, there is little analysis of how a largely consent-based framework affects people's control over data and over the effects arising from the use of their data.

In this article, I make the case that digital monopolies exist and are driven partly by exclusive control over data; that these monopolies can be broken up with free data portability; that the provisions in the Draft Data Protection Bill are strict on consent but lax on portability, and that by being so, they might end up entrenching existing digital monopolies.

The Committee Report takes the approach of fiduciary responsibility of data. In this fiduciary relationship, the generator of data is the 'data principal', and the user or holder of that data is a 'data fiduciary'. The data principle consents to transfer his data to the fiduciary. The data fiduciary then has the responsibility to use the data principal's data in her best interest and in a fair and reasonable manner. This approach was taken because the Committee considers this the best way to protect a person's privacy. (Sengupta, 2018) However, as I will discuss below, privacy is not the sole value to be protected in this case. I also discuss how an exclusive focus on privacy and consent might lead to outcomes inimical to the social good.

Digital monopolies and control over data

To begin with, making the choice to entrust your data to someone with fiduciary responsibility might guarantee privacy. But it does not automatically mean you control the data and the value resulting from the use of that data. One of the harms that can result from massive data collection is the risking of privacy. But another harm is the limiting of competition.

Consider why, while the rest of the market was shrinking, Google and Facebook together captured USD 32.7 billion growth in digital advertising spending (in the first half of 2016). (Holland, 2017) With the large amounts of data being collected by these companies, precision targeting in advertising wins over all other kinds of advertising. Precision targeting means that advertisements are targeted to the individual based on their preferences and activities, rather than to groups of individuals. Companies that are able to offer precision targeting are able to capture the market, while all other companies lose out (Matsakis, 2018).

Coupled with the existence of network economies, only a few large companies are able to offer precision targeting in this manner. The problem here is not that precision targeting is necessarily bad, but that data control with network effects leads to monopolisation of the market. (Hindman, 2009) Hindman's empirical work also shows how the digital economy is more concentrated than traditional media.

The effects of monopolisation are not limited to the advertising market. Some examples might help illustrate the kinds of harms digital monopolies lead to. An entertainment platform like Netflix that controls most of the market can easily refuse content creators a market for their work, or can charge them exorbitantly due to the lack of competition born from the control of viewer data. Proven examples also exist: Google provided Getty Images with a choice of either allowing users to download images directly from search results, or excluding Getty images from search results, both unviable choices for Getty Images. Yelp faced allegations of extorting restaurant owners to purchase ads on the threat of bad reviews.

Due to monopolisation and particularly due to the emergence of Facebook, Amazon and Google, even though more content is being created than ever, less money is flowing to content creators as platforms soak up an ever-increasing share of the returns (Taplin, 2017). It is now mathematically impossible for a small company starting off in a garage to compete with Google. (Hindman, 2009) Network effects in the digital economy are driving predatory pricing and entrenched market power. (Parsheera et al., 2017) A digital monopoly can be as harmful as any other monopoly, and control of data (in addition to network effects) is an important way in which digital monopolies are maintained.

Data portability as a solution

What then are the solutions to monopolisation? One cannot change the fact that network effects exist in two-sided markets. But one can change the other part of the equation, that is, the control of data. If we want to reduce the monopolistic hold that it is possible to have over data, we have to make the data freely portable. This must be contingent on user consent to said portability, given the privacy concerns with data transfer. Thus, we have to create the ability for the user to transfer the data he generates to himself or to another entity, perhaps a competitor of the data fiduciary.

Argenton and Prufer (2012) have proposed something similar in the context of Google biasing its search results to favour its own subsidiaries, such as Google Maps. With a model that analyses indirect network externalities, they establish that search engine data control leads to monopolisation and reduces economic welfare. They propose that search engines should be required to share data on previous searches (with other search engines) to countervail this tendency.

One example of a recent data portability policy is the open banking regulation in the UK. The UK's Competition and Markets Authority found that big banks in the UK had an unfair advantage over other banks and fintech companies because they held valuable data on their customers, for example, transactions data. It also found that consumers would save money by using more suitable financial products if their data was freely portable. Under the Open Banking Regulations, the banks are required to share customer data, with customer consent, with any service provider through open Application Programming Interfaces (APIs). This enables any entity to easily build products that compete with bank products based on that data. It also works to break up the data-driven hegemony of big players in the market.

What might data portability lead to?

However, there are some difficulties here, particularly if we ask who data really belongs to. Consider an example: if I buy a book on Amazon, I create a piece of data. This is not sensitive data, but it is valuable data. Amazon uses this data and derives value from it in multiple ways: with targeted advertising, tailored product pages, by collating it with other pieces of data and observing profiles and trends, etc. To do all this, it processes the data and modifies it. The original data might belong to me, but who does the processed data belong to? What, indeed, is processing? Collection is not a costless activity, and so is collection processing? Even once processed, it is not that straightforward to imagine that the data belongs entirely to Amazon. With respect to personal data, Arghya Sengupta likens processed data to an envelope with a letter in it. The letter still belongs to the user and it is not possible to separate the envelope and the letter, and ownership is made tricky (Sengupta, 2018).

If we decided ownership based on the work put into production, all data (and indeed all property) would be collectively owned. But under current economic and legal arrangements, ownership is decided based on contracts. If I lease my land to you under a year-long contract, legally the land does not automatically belong to you even if you improve the soil quality by cultivating on it. Given these economic and legal arrangements, if I give Amazon my data under a contract that includes portability, Amazon does not own that data even if it processes it.

The Open Banking regulations described above essentially make all contracts conform to this norm of portability. In this way they aim to create a market where the choice of sharing data remains with the user and not the business. In the cases of open banking and search engine data, lack of portability was shown to create monopolies. When this is shown, there is a case for government intervention through mandating contracts with portability in order to fix this market failure.

In our example, this would mean that I can decide to transfer the data I generate by buying a book from Amazon. I could transfer it to an Amazon competitor, who then would also be able to offer targeted advertising. Or I could transfer it to an app that gives me financial advice based on my spending patterns. Amazon would still retain my data and profile for as long as I want it to. It would simply port a copy of that data.

Amazon, given its current business model, loses out in this deal. The extinguishing of potential property rights by outlawing contracts that do not include portability will not be a costless or seamless move. Open banking regulations may make banking as it exists today unviable. In fact, they are widely expected to change the nature of the banking business, turning banking into either a platform or service for other businesses rather than a standalone activity. (Finastra, 2018)

Likewise, free data portability in the overall economy might mean that Google or Facebook are no longer able to provide their services for free. However, the 'free' nature of these services hides costs that already exist. The free service, such as email, is bundled with an ad, and given network effects, this bundling leads to monopolisation. The costs of this bundling are all the costs of digital monopolies listed earlier. Portability does not directly cause unbundling, but it reduces the advantage of the market leader in bundling, and thus makes providing free services in return for ads (and other uses of data) less viable.

The status quo is that platforms are free and make money from the control over data. This status quo includes monopolisation. Free data portability means choosing a model where platforms charge for use and do not make money from control over data. It also means that innovations that require big data can be made by smaller companies, public bodies, or your friendly neighbourhood programmer. Of course, the absence of monopolies is not welfare-enhancing in every context, and likely social costs and benefits of such an intervention need to be examined in much more detail.

The question of what kind of data should fall under free portability is not straightforward to answer. It is clear that some data would need to be portable - for example, ride history in Uber. But many other kinds of data are collected, such as how quickly you book a cab at certain times of day, when you book a shared ride versus an individual cab, how your phone battery level determines your willingness to pay a certain price, etc. Which of these data points is it reasonable to port?

In the UK open banking example, the Competition and Markets Authority (CMA) determined through a careful study the kinds of data that were driving monopoly and were thus important to port. (Competition and Markets Authority, 2016) Then, an Open Bankng Implementation Entity (OBIE) was formed, governed by the CMA and funded by the banks mandated to share data. The OBIE determines API specifications and standards. A model on these lines, where the government and companies arrive at data to be ported through studies, might work. This data would differ from industry to industry.

Data portability in the Justice Srikrishna Report

The Draft Personal Data Protection Bill, released along with the Report, also has provisions on data portability. Data fiduciaries are obliged to provide to users, on request, data generated or provided by the user.

However, the fiduciary can refuse to share data based on some grounds. These include that sharing would reveal a trade secret, would not be technically feasible, processing of data is necessary for the functions of the State, or processing is in compliance of law. It can also charge a fee for providing the data in some cases. The user has legal recourse in the event that an exemption is used unreasonably. But that would likely be a long, costly process to be undertaken by each principal. Unlike the open banking regulations, in the Indian draft bill, data needs to be shared only with the user, and not with any entity with the consent of the user, creating an additional step for the user. This, along with the broad exemptions to sharing, severely restricts the mobility of data and hence consumer choice, and perpetuates monopolisation, as demonstrated above.

The draft Bill gives us extensive rights to say "Do not share my data". It does not give us nearly as many rights to say "Do share my data". More sharing rights would mean that Amazon would be mandated to automatically share my purchase history, with my consent, to anyone who asks, for free. It would also mean that Amazon would not have as many possible reasons to refuse to share this purchase history. There are both costs and benefits to this, but it is not a choice to be made without examining both.

In a way, we have already seen the effects of limiting data sharing (although not strictly free portability with consent) in favour of protection. After the Cambridge Analytica scandal, Facebook shut down third party access to users' friends' data in response to heavy criticism. This has affected researchers who relied on Facebook data, particularly on interactions with friends, for their research. (AEDT, 2018) The lack of an easy portability option has effectively made Facebook the sole owner of that data and will inhibit research.

The Draft Bill also puts in place collection limitations (only data that is necessary for the purposes of processing can be collected) and purpose limitations (personal data can only be processed for clear, specific and lawful purposes that are reasonably expected). Whether the collection and purpose limitations change the monopolistic nature of this market by themselves depends on (a) whether multiple uses of the same data have been driving monopolisation, or whether the sheer volume of data matters more, and (b) whether most people will withdraw consent to multiple uses of their data. It is possible that these questions have different answers in every case, and these effects need to be studied once these limitations are in place.

Consent in a concentrated market

Further, the onerous requirements of consent - different forms, layered notices, etc. - outlined in the Report are likely to lead to more monopolisation in the market. This is due to the high compliance costs which are easier for a large company to bear, but also because of restrictions on sharing data with third parties, there is now an incentive to own the entire value chain. A social network will find it easier to make its own payment platform rather than transfer data to smaller payment platforms. When a business starts doing everything, it reduces choice for consumers as well as workers. The consent framework incentivises entities that already control data to use it for many other purposes - consent, and not competitive forces, being the only barrier.

A million different consent calibrations - I consent to see ads, but not to predictive text in my emails - do not change the business model of digital two-sided markets, which rely on freely generated data for value creation through targeting and prediction. There will exist creative ways of acquiring consent, and there will be a small subset of people who refuse consent - still changing very little about market structure. Besides, consent is not very meaningful in platform economies as they exist today. We consent to WhatsApp terms and conditions because all our friends are on WhatsApp - and opting out means missing out. In such conditions, consent can hardly mean that the larger effects of data use were chosen by the user.

Competition, interoperability and portability

Standards for interoperability function on the same lines of thinking. Telecom operators are mandated to provide interoperability across networks in order to ensure competition. For example, Airtel cannot refuse to connect calls to Vodafone subscribers. Data portability is somewhat like a way of providing interoperabilty so that markets are not captured. Data portability as such falls under the ambit of the Competition Act and is therefore a question separate from data protection. However, the implementation of data protection standards without consideration of competition issues might concentrate market power, and thus both these issues need to be considered together.

Conclusion

There is a growing body of literature on how consumers perform unpaid labour every time they use an AI product or service, as their use, through data generation, provides feedback to algorithms that make the product better. (Crawford and Joler, 2018; Hesmondhalgh, 2010; Arvidsson, 2008) In this context, continued user control of what is done with data merits consideration; control that might not be achieved through consent requirements. User control of data also means user control over the systemic effects of data use. Consent is important and necessary, but stringent consent provisions together with weak portability requirements in a monopolised market only serve to entrench existing monopolies. With this, all the good that can come out of data used in the public interest is also restricted.

Portability will not fix all the ill-effects of market concentration in the digital world, especially those of network effects due to the existence of platforms. But it will reduce one aspect driving market concentration, that is, data control.

While privacy is a valuable goal and stringent consent requirements do help achieve this goal, we must be careful not to conflate all issues related to technology in our times with the single issue of privacy. Privacy and security need to be balanced with opportunities for society to use its own data for its own benefit. The issue of portability needs to be examined in this context.

References

Adam Arvidsson, The Ethical Economy of Customer Coproduction, Journal of Macromarketing, 2008.

AEDT, Cambridge Analytica scandal: legitimate researchers using Facebook data could be collateral damage, The Conversation, 2018.

Arghya Sengupta, Why the Srikrishna Committee Rejected Ownership of Data in Favour of Fiduciary Duty, The Wire, 2018.

Cedric Argenton and Jens Prufer, Search Engine Competition With Network Externalities, Journal of Competition Law and Economics, 2012.

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Personal Data Protection Bill, 2018.

Competition and Markets Authority, Retail Banking Market Investigation, 2016.

David Hesmondhalgh, User-generated content, free labour and the cultural industries, Ephemera, 2010.

Finastra, Bank as a Platform - The Essential Tools for Open Banking and PSD2, 2018.

Jonathan Taplin, Move Fast and Break Things: How Facebook, Google and Amazon Cornered Culture and Undermined Democracy, Little, Brown and Company, 2017.

Kate Crawford and Vladan Joler, Anatomy of an AI System, 2018.

Louise Matsakis, Facebook's targeted ads are more complex than it lets on, Wired, 2018.

Matthew Hindman, The Myth of Digital Democracy, Princeton University Press, 2009.

Smriti Parsheera, Ajay Shah and Avirup Bose, Competition Issues in India's Online Economy, NIPFP Working Paper, 2017.

The Quint, Experts React to Data Protection Bill: Key Concerns and Takeaways, 2018.

Travis Holland, How Facebook and Google Changed the Advertising Game, The Conversation, 2017.

 

The author is a researcher at the National Institute of Public Finance and Policy. The author thanks Anirudh Burman and Shivangi Tyagi for useful discussions. The two anonymous reviewers provided very helpful directions for thinking and insights that have been incorporated into this article.

Friday, October 12, 2018

Runs on mutual funds

by Renuka Sane, Ajay Shah, Bhargavi Zaveri.

Runs on banks


Runs on banks are to finance what supernovae are to astronomy. R. K. Narayan's book The financial expert vividly tells the tale of the chaos and misery of a bank run.

Bank runs are not random events. What makes a bank run happen is the fact that each depositor has the incentive to run when faced with a slight chance of a run developing. Robert K. Merton used runs as a motivating example of his introduction of the concept of `self-fulfilling prophecies'. In order to understand runs, we must understand the incentives of each customer.

Suppose a bank is not protected by the government or by the central bank. Suppose you see many depositors running to take their money out of the bank. Now there are two possibilities.

If you believe the bank is unsound, then it is efficient for you to stand in the queue and try to take your money out. If others do this before you, then you may be left with nothing.

Even if you believe the bank is sound, you know that a bank with illiquid assets and liquid liabilities will default when faced with a run. While you will get your money back (as the bank is sound), you will suffer the loss of time value of money and you will suffer the administrative costs of it all working out. Hence, it's efficient for you to stand in the queue and try to take your money out.

Runs on mutual funds


We know a lot about runs on banks. What about runs on mutual funds? At first blush, the simple technology of a mutual fund -- NAV based valuation, full mark-to-market, liquid assets -- seems run-proof. But in September 2018, Rs.2.35 trillion exited Indian mutual funds. Why did such an outsized exit take place? It cannot be just coincidence that many people felt like leaving at the same time.

Large exits have taken place with mutual funds elsewhere in the world also. During the 2008 crisis, the Reserve Primary Fund (with exposure to Lehman Brothers' commercial paper) witnessed a similar run-like situation. The US District Court's order directing the liquidation of the fund records how redemption requests aggregating to two-thirds of the value of the assets of the fund were received in a span of less than 48 hours immediately following Lehman Brothers having declared bankruptcy:

Date Time Value of redemption requests
received (in USD bn)
15th Sep 08:40 am 5
15th Sep 10:30 am 10
15th Sep 01:00 pm 16.5
16th Sep 3:45 pm 40

What are the incentives that shape the behaviour of an investor in a mutual fund? How can a mutual fund industry be susceptible to runs?

Channel 1: Over-valuation can lead to runs


Suppose a mutual fund has 100 bonds that are liquid, where the true price (market price) is Rs.100. In addition, it has 100 bonds that are illiquid. The market does not give a reference price for the illiquid bond. If we tried to find out a prospective sale price, it would be Rs.50. Suppose the mutual fund claims that this bond is worth Rs.75. The true portfolio value is 10000+5000 = 15000, but the mutual fund claims the value is Rs. 17500. Suppose there are 100 units. In this case, the NAV should be Rs.150, but it is shown as Rs.175.

Over-valuation destabilises rational investors. The rational investor knows that each unit is truly worth Rs.150, but if she redeems right away, before the mistake in the NAV calculation is corrected, she will get Rs.175.

When one unit runs at Rs.175, where does the excessive payment of Rs.25 come from? It comes from the investors who did not run. This is unfair, and it creates strong pressure to run.

Channel 2: False promises can lead to large redemptions


Suppose a mutual fund has been sold to investors under the false promise of it being a safe product. In this scenario, investors do not expect fluctuations in the NAV, and believe that their investments will be shielded from turmoil in the markets. If, for any reason, this expectation is belied, then investors may get spooked by sharp falls in the NAV. This may induce large redemptions.

In the US, there was a claim that the NAV of money market mutual funds would not drop below $1. This was termed `breaking the buck'. In 2008, when the NAV did drop below $1, this caused panic and the flight of investors who had been told all along that the scheme would not break the buck.

Channel 3: Runs in an illiquid market


The Indian bond market is extremely illiquid, but even within this landscape, there is heterogeneity in the extent of illiquidity. Fund managers will be sensitive to the transactions costs faced when trading in alternative instruments, and choose the most liquid ones first.

Suppose a mutual fund has some cash in a liquidity buffer, and has 100 bonds that are more liquid, where the true price (market price) is Rs.100. In addition, it has 100 bonds that are illiquid. Suppose fair value accounting is indeed done, and we correctly value the illiquid bonds at Rs.100. The trouble is, the illiquid bonds incur large transactions costs when selling in large quantities. While there is a (bid+offer)/2 of Rs.100, in truth, when a large quantity is sold, the price realised will be Rs.90. This is an `impact cost' of 10%.

Therefore, when the first redemptions come in, the mutual fund will adjust by using cash and then it will adjust by selling the liquid bond. At first, things seem fine. But in time, the mutual fund will have to rebuild its cash buffer. It will have to get back to a more diversified and more liquid portfolio. For this, it is going to have to sell the illiquid bond, and at that time the NAV will go down.

After large redemptions, there is an overhang of selling of illiquid bonds that is coming in the future.  In this situation, investors are better off leaving early as they get the clean exits associated with the early use of cash and the early sale of liquid bonds.

Channel 4: Systemic spillovers in an illiquid market


When large redemptions take place in even one or two schemes, at first they will use cash buffers and sell liquid instruments. But when they start selling illiquid instruments, this changes the price of those illiquid instruments. Now declines in prices hit the NAVs of all schemes that hold those instruments. Through this, large redemptions on a few schemes propagate into reduced NAVs (at future dates) across the entire mutual fund industry. Prediction: In periods of large inflows/redemptions, we will get a pattern of autoregression in the mutual fund NAVs across days, across the multiple funds that hold a pool of illiquid instruments.

Rational investors anticipate this phenomenon, and have an incentive to run when they see large redemptions in even a few mutual fund schemes (and vice versa).

Runs on mutual funds are a complex phenomenon


We have shown four distinct channels through which large redemptions on mutual funds can develop:

  1. Overstatement of NAV; it is efficient to leave at a higher price.
  2. Consumers who thought it was very safe, get spooked, and leave.
  3. Sales of illiquid securities that are pent up; it is efficient to get out before those transactions hit the NAV.
  4. Market impact by a few schemes under stress will ricochet into NAVs of other schemes and the problem will worsen; it is efficient to get out early.

In India, a large proportion of the customers of fixed income funds are institutional (e.g. page 4 of this AMFI document). These customers are likely to be pretty rational in understanding problems 1, 3 and 4. Households are likely to be more vulnerable on account of problem 2.

It is interesting to see the `curse of liquidity'. When redemptions come in, mutual funds will sell their most liquid bonds first. Through this, innocent bystanders -- the issuers of liquid securities -- will suffer from price impact and a higher interest rate.

Thinking about runs on mutual funds thus requires a full view of the problems of consumer protection (if all consumers accurately understood the risks that they were taking, they would be less spooked when events unfold), financial market development (the lack of a liquid bond market) and systemic risk (channels of contagion through which disruption of some parts of finance induces disruption of other parts of finance).

Interesting recent experiences in India


While India has not seen a full blown run on mutual funds as was seen in the US in 2008, a few instances of defaults on bond repayments followed by falls in NAVs and rise in redemption requests offer useful insights.

Amtek Auto (2015): In September 2015, Amtek Auto defaulted on a bond redemption of Rs.800 crore. In the Indian corporate bond market, once a default takes place, the bond tends to become highly illiquid. The Amtek Auto bonds were held by two debt schemes of J. P. Morgan Mutual Fund.

J. P. Morgan did an unusual thing: they put a cap on redemptions. It subsequently used something analogous to a good-bank-bad-bank structure, where the scheme was split into two, and the second part held the Amtek Auto bonds, and could not be redeemed.

This did not go down well with SEBI. SEBI sought to penalise J.P. Morgan for, among other things, not following "principles of fair valuation under mutual fund norms" and for changing fundamental attributes of the scheme without giving an exit option to the investors. Nearly three years after the incident, J.P.Morgan settled the matter by paying a settlement fee of about Rs. 8.07 crore under the provisions of the SEBI Act, 1992 providing for settlement of civil and administrative proceedings.

Ballarpur Industries (2017): In February 2017, Ballarpur Industries defaulted. At the time, Taurus Mutual Fund held their commercial paper. Unlike J P Morgan's response, Taurus Mutual Fund reportedly marked down the value of the paper to zero. This is a sound and conservative strategy as it gives a bad deal to the persons who run.

Other mutual funds reportedly sold such paper to group companies or took it on their own balance sheet to shield the investor from the NAV hit.

ILFS (2018): More recently, ILFS group firms have defaulted on bonds issued by them. These bonds are present in certain mutual fund schemes. Some mutual funds have portrayed this event as a loss of 100%, while others have portrayed a 25% loss. Credit rating agencies were very late in understanding the problems of ILFS, and to the extent that credit ratings are used in computing the NAV of a mutual fund scheme, these NAVs would have been overstated.

Why might NAV be overstated?


The IFRS notion of fair market value came about first in finance, on a global scale, and much later got enshrined into IFRS. For example, in the US, under the Investment Company Act of 1940, the definition of `value' for mutual fund securities holdings is construed in one of two ways. Securities for which `readily available' market quotations exist must be valued at market levels. All other securities must be priced at `fair value' as determined in good faith according to processes approved by the fund's board of directors. Marking a particular security at a fair value requires a determination of what an arm's-length buyer, under the circumstances, would currently pay for that security.

The US SEC's framework recognizes that no single standard exists for determining fair value. By the SEC's interpretation, a board acts in good faith when its fair value determination is the result of a sincere and honest assessment of the amount that the fund might reasonably expect to receive for a security on its current sale. Fund directors must "satisfy themselves that all appropriate factors relevant to the value of securities for which market quotations are not readily available have been considered" and "determine the method of arriving at the fair value of each such security."

Supervisory strategies can be developed, to identify if the management is overstating prices of illiquid securities. As an example, imagine that there are three mutual funds who hold an illiquid bond and have claimed a certain fair value of the bond. Now imagine that one of those three sells the bond on date T. The market price obtained on date T by this fund should not be too far from the internal notion of fair value that was used by the other two funds.

It is ironic that in India, IFRS concepts of valuation have come to the non-financial sector first and the financial sector last. RBI and IRDA have explicitly resisted the adoption of IFRS. The lack of fair value accounting lies at the core of the Indian banking crisis and the concerns about the soundness of LIC.

Currently, the valuation norms prescribed by SEBI ask AMCs to value non-traded and/or thinly traded securities "in good faith" based on detailed criteria. This appears similar to the IFRS principles of fair value accounting. As an example, bonds issued by ILFS should be marked down to the prospective resale value, even if the event of a default has not yet taken place on a particular security.

There are two problems with SEBI's norms on fair value. First, it is not clear that SEBI has the commensurate supervisory strategy, to verify that mutual funds are indeed marking down securities to prospective market values. SEBI does not show supervisory manuals on its website through which we can assess its processes in this regard. When some mutual funds have marked down ILFS bonds by 100%, while others have marked down by 25%, this raises concern about the drafting of the regulation and/or the supervisory process.

Second, the SEBI-prescribed valuation norms entrench the use of credit-rating agencies for valuation by mutual funds. As rating agencies emphasise, their opinion on a security is just an opinion: ratings should not be used in the drafting of regulations. We should be skeptical about using rating agencies to override IFRS principles of valuation. For questions of valuation, the only question should be: What is the prospective price that would be obtained if this security is sold? There should be no role for the opinions of credit ratings.

We recognise that when an active market is lacking, it is very hard for anyone to figure out a notion of fair price. This is a problem ever-present in fair value accounting. E.g. when a non-financial firm has a piece of land, the market value of that land is not clearly visible. What we need to fight is not individual instances of estimation error but estimation bias. By default, the fund managers and the shareholders of the fund are likely to suffer from a bias in favour of over-optimistic portrayal of NAV. It is the job of regulators to fight the bias, not at the level of individual decisions about a benchmark price, but at the level of the expected value of the estimation error.

How can we improve truth in advertising?


When debt mutual fund investors lose money, there is a tendency to force the AMC to make good the loss. This may be driven by regulatory populism, or the temptation to improve the sales of other schemes. This is a dangerous and unviable course.

Getting the micro-prudential framework correct. Let's think about the micro-prudential regulation of a mutual fund. The fund manager is merely an intermediary who pools funds and invests them in a basket of assets, and issues "units" that represent an undivided share in such a basket. The risks in holding these assets are borne by consumers.

The balance sheet of the asset management company is nowhere in the picture, when it comes to the customer. Micro-prudential regulation in a mutual fund, therefore, is restricted to procedures for ensuring that the NAV of the fund is calculated correctly, and does not concern itself with issues of solvency.

SEBI's regulatory framework governing mutual funds, however, entrenches the notion of `safe' funds. This is inconsistent with the concept of agency fund management. For example, the valuation norms for mutual funds specified by SEBI require mutual funds to provision (that is, set aside capital) in respect of defaulted assets as under:

  • Where a debt security in the mutual fund's portfolio has defaulted on an interest payment, the mutual fund must classify it as a NPA at the end of a quarter after the due date of payment. For example, if the due date for interest is 30th June, 2000, it will be classified as NPA from 1st October, 2000.
  • The mutual fund must provision for the principal plus interest accrued upto the date on which the asset is classified as a NPA. SEBI prescribes a schedule for provisioning that mandates the mutual fund to provision upto 100% of the book value of the asset.

This is conceptually flawed. It is perhaps inspired by notions from banking. But mutual funds are not banks. A regulatory framework that mandates such provisioning is inconsistent with the idea that a mutual fund is merely a manager of funds, and entrenches the idea of a promised return in a debt mutual fund scheme.

If we start thinking that the AMC must pay debt mutual fund schemes for losses, then a wholly different problem in micro-prudential regulation will arise. Large AMCs today manage assets worth Rs.1 trillion on a balance sheet of Rs.0.001 trillion. The risk absorption capacity of such a balance sheet is negligible when compared with the magnitude of assets. The entire concept of a mutual fund as an agency mechanism for fund management breaks down, if investors are to have recourse to the balance sheet of the fund manager.

If we go down the route of asking mutual funds to have equity capital on their balance sheets, then this changes the very nature of the fund management business. This sets the stage for confused thinking such as increasing the minimum capital requirements from firms. In 2014, SEBI increased the minimum networth requirements from Rs.10 crore to Rs.50 crore, which has been seen as anti-competitive.

Fix the mismatch of expectations among consumers One more way in which truth in advertising is contaminated is the behaviour of mutual funds themselves.

Suppose some mutual funds dip into their own pockets when faced with a small default like Ballarpur Industries. What kinds of expectations does this setup in the minds of consumers? Do consumers then invest in mutual funds expecting that they will be protected from credit defaults? Such an expectation will inevitably be violated, when a large default such as ILFS comes along. For an analogy, if the central bank smooths the fluctuations of the exchange rate, this contaminates the expectations of the economy about the ex-ante risk embedded in exchange rate exposure, and actually causes greater harm when large exchange rate changes inevitably come along.

The only sound foundation for the mutual industry is one in which customers bear all losses. It is incorrect for AMCs to absorb the loss for small defaults, build an expectation that customers are shielded from such defaults, and not make good the promise when defaults are large. This risk needs to be communicated to the mutual fund investor at the time of investing, and through actions that are "true to label".

One final mechanism through which truth in advertising can be improved is though enhanced disclosures about liquidity. Customers need to know more about the ex-post transactions costs experienced by the fund on various instruments.

How can we reduce systemic risk spillovers?


The root cause of these problems lies in India's failure to build a bond market. We have a large debt mutual fund industry backed by a poor foundation of bond market liquidity. Even the most liquid bonds are fairly illiquid. Hence, when such selling pressure comes about, these bonds will suffer from price impact. Their prices will go down, their yields will go up. When redemptions take place, for whatever reason, yields of the most liquid bonds will shoot up. If the selling pressure is large enough, these markets will stop working.

Critical policy work on building the bond market was begun in 2015, but was rolled back. We need to get back to this important reform.

If the underlying corporate bond market is not adequately liquid, debt schemes should not promise liquidity. This promise is a recipe for trouble.

In the limit, regulators could restrict open-end schemes to very liquid instruments. The right institutional mechanisms to hold illiquid assets are closed-end funds or private equity funds, where the promise of liquidity is not made.

If open-end schemes must be offered to customers, and if they hold illiquid securities, there must be limitations on liquidity. SEBI has allowed restrictions on redemption in "circumstances leading to a systemic crisis". Specifically, it allows a mutual fund to restrict redemptions when the "market at large becomes illiquid affecting almost all securities rather than any issuer of (sic) specific security". Further, the circular provides that a "restriction on redemption due to illiquidity of a specific security in the portfolio of a scheme due to a poor investment decision, shall not be allowed". This creates considerable confusion on the situations in which mutual funds may restrict redemptions. For instance, in the current situation, it is unclear whether a mutual fund having exposure to the defaulted paper of ILFS would be allowed as it has the potential of systemic risk spillovers or whether such a restriction would not be allowed due to the poor investment decision of the mutual fund scheme.

Mutual funds should be allowed to ring fence losses to ensure that 'all investors are treated fairly', that is, when there is a run on the fund, those who choose or are unable to redeem their units do not suffer at the expense of those who do redeem. SEBI was reported to have rejected a proposal from AMFI that specifically allowed mutual funds to adopt such ring-fencing approaches.

Market liquidity is the commons


These episodes are a reminder of the importance of market liquidity. The ultimate foundation of the financial system is liquid asset markets. When asset markets are liquid, marking to market is sound, financial intermediaries work well, firms can raise resources through primary market issuance, etc. All this rests on the edifice of exchanges, instruments, derivatives, arbitrage, algorithmic trading, etc.

Liquid asset markets have the nature of a public good. Once they exist, they are non-rival (your consumption of liquidity or price information does not reduce my access to the same) and non-excludable (it is not possible to exclude a new-born child from living under their benign influence).

The very public goods character of liquid markets implies that nobody will expend effort on building a liquid market. In the political economy of finance, there are always narrow agendas which want to harm liquid markets. A steady stream of regulatory and other actions comes along, seeking to harm liquid markets. There is a tragedy of the commons, when each regulatory action pollutes market liquidity. Private persons will not mobilise to solve the financial economic policy problems that harm market liquidity. This is the role of the leadership in economic policy.



Renuka Sane and Ajay Shah are researchers at NIPFP. Bhargavi Zaveri is a researcher at the Finance Research Group, IGIDR. We thank Harsh Vardhan, Josh Felman, Kayezad Adajania and Susan Thomas for useful discussions.

Wednesday, October 10, 2018

Invoice financing in India: TReDS and way forward

by Sudipto Banerjee and Vishal Trehan.

Introduction


Medium, small and micro enterprises (MSMEs) operate on tight margins and need immediate settlement of invoices to avoid shortage of working capital. However, due to the poor bargaining capacity of MSMEs, their working capital often remains blocked in receivables as they work on an unfavourable credit cycle for goods and services supplied to corporate buyers. This problem is exacerbated due to the existence of a huge funding gap for MSMEs. In order to bridge the gap between invoice date and its due date, invoice discounting emerged as a financing solution for entities which are unable to access funding options such as short term credit and working capital loans. Under invoice discounting, the seller, instead of waiting for the payment to be made by the buyer, gets a certain percentage of the invoice amount from the financier in advance. The seller pays a fee to the financier for this discounting service. Once the invoice amount is received by the seller from the buyer, it repays the amount to the financier.

However, adoption of invoice discounting as a financing mechanism in India has not been as expected. This may be due to several reasons. First, the bargaining capacity is skewed in favour of corporate buyers who express reservations while accepting assignments of receivables made in favour of financiers. Second, it is difficult for financiers to establish the credit rating of MSMEs due to information asymmetry. This, coupled with the absence of pledgable collaterals increases the credit exposure of a financier. Third, the discounting landscape is still dominated by banks and there are very few specialised discounting entities. Finally, there is a lack of awareness among MSMEs about discounting services, especially in non-urban locations. For example, even though many MSMEs are exporters, they lack information about export factoring.


In 2014, the RBI observed that there is a need for institutional setup to boost discounting in India and for this purpose conceptualised an electronic exchange for invoice discounting known as trade receivable electronic discounting system or TReDS. This post looks at the TReDS platform critically in order to assess whether this fintech solution has been able to address specific issues related to invoice discounting in India. Further, we explore the developments around invoice discounting in the context of new technologies and examine whether their adoption holds any merit. It must be noted that the invoice discounting problem space is quite broad and TReDS, a technology based solution, must be seen as a solution for specific problems in the invoice discounting space in India.

Specifically, TReDS seeks to address the problem of information asymmetry and the consequent high rates offered by financiers. Also, it is envisaged to reduce the time taken for sellers to receive payments. TReDS, however, was not conceptualised to address other persistent issues related to invoice financing. For example, although TReDS operates on the concept of 'no rescourse to seller', it is not a solution to the problems arising out of the bargaining power of buyers.

A digital platform to boost invoice discounting


In 2009, SIDBI, in collaboration with NSE set up the first e-discounting platform for MSME receivables. This was based on the lines of the Mexican NAFIN model. However, this was a closed single financier model and therefore, had limited scale of operation. To overcome these limitations, in 2014, RBI released a concept paper to set up a full fledged electronic exchange for invoice discounting. This was followed by TReDS is essentially an online electronic institutional mechanism for facilitating the financing of trade receivables of MSMEs through multiple financiers. The platform enables discounting of invoices of MSME sellers against large corporates including government departments and PSUs, through an auction mechanism, to ensure prompt realization of trade receivables at competitive market rates.

  • In the TReDS ecosystem, sellers, buyers and financiers can come on board by executing a one time agreement with the platform. This reduces the documentation cost for sellers who have to execute a separate agreement everytime there is a discounting transaction with a different financier.
  • After executing the agreement, once the seller provides goods or services to the buyer and after acceptance by the buyer, the invoice is uploaded on the platform. This can be uploaded either by a buyer or a seller. Once the invoice is accepted by the buyer, it is converted into a factoring unit, a nomenclature used for invoices on the platform. Subsequently, an electronic auction involving bidding for the factoring unit takes place on the platform.
  • Once a bid is accepted by the seller, the amount is credited to the account of the seller either on T+1 or T+2 basis depending on the cut-off time. This financier's account is auto-debited through the National Automated Clearing House (NACH) mandate. Instructions are sent electronically by the platform to the parties. On the due date of the invoice, the bank account of the buyer is auto debited and the amount is credited to the account of the financier.

As mentioned previously, the TReDS platform aims to address certain specific aspects of MSME financing. The current invoice financing system is riddled with an asymmetric flow of credit information. Financiers are not always aware of the financial condition of MSME suppliers due to limited publicly available information. Due to this, screening costs incurred by a financier go up for discounting an invoice of a MSME supplier. TReDS ensures easier access to invoice discounting at better rates for MSME suppliers due to the following reasons:

  • Financing on the TReDS platform is done on the credit rating of the corporate buyers, hence, financiers need to define the credit limit of buyers and not sellers. This reduces the due diligence cost for financiers and in turn lowers the cost of discounting for sellers.
  • TReDS operates on the model of without recourse to the seller which means that the financier can recover the invoice amount only from the buyer.
  • Outside TReDS, MSME sellers negotiate with individual banks and NBFCs who may not offer them competitive rates for the reasons discussed above. The average interest rate on working capital loans is 12% as compared to 8-10% on TReDS. TReDS allows multiple financiers to participate and bid for invoices - this is expected to provide better rates to MSME sellers. As described previously, the entire transaction happens digitally on the platform in an efficient and transparent manner.

Establishing the genuineness of an invoice is another challenge that TReDS addresses. Once the seller provides goods or services to the buyer and they are accepted, the invoice is uploaded on the platform. The bidding by financiers start only after the uploaded invoice is accepted by the buyer. However, the issue of double discounting of invoices was not addressed in the original implementation of TReDS. This was addressed through a blockchain implementation recently.

Key issues


The most critical problem in the invoice financing space in India, and consequently in the TReDS setup, is related to the obligation on buyers to repay on time. TReDS too follows the requirement of the Micro, Small And Meduim Enterprises Development Act, 2006 (MSMED Act, 2006) which imposes an obligation on buyers to settle the invoice amount within 45 days. Hence, in the TReDS ecosystem, the buyer has to pay the factored invoice amount to the financier within 45 days from the date of acceptance of bid by the seller. This requirement of adhering to time bound payment, which is otherwise mostly flouted outside TReDS, can cause reluctance on the part of buyeres to sign up. Presently, MSME suppliers facing competition from other players are inclined to accept higher volumes of trade credit on less favourable collection terms.

Interactions with practitioners in the MSME financing segment revealed that at times, sellers also avoid disclosing their MSME status so that the buyer is not deterred by the applicability of MSMED Act in case of delayed payments. Therefore, it is not surprising that buyers have even instructed their vendors not to sign up on the electronic platform to avoid the time bound commitment to pay.

Other related challenges with TReDS


While TReDS is a technology based solution to provide an institutional platform to boost MSME financing, its performance needs to be evaluated against the market's response. The market usually adopts a particular solution for two reasons - it can either be a business need or a legal obligation. Considering that the TReDS platform came about as a result of the practice of delayed payments by buyers, it is important that we examine the incentives for buyers to come on board.

  1. Restriction on raising disputes: It must be noted that presently TReDS is an optional system. Assuming there is a corporate buyer X dealing with several vendors, under TReDS, X has to execute an agreement where it accepts the invoice of the seller (its vendors) and only after such acceptance, an invoice is made available for auction on the exchange. The TReDS Guidelines specifically require that X cannot dispute the goods or services received from the seller at a later stage. This is a major disincentive for buyers. Outside TReDS, X usually does not give acceptance to suppliers but merely records the event that it has received supplies - thereby keeping an option to dispute them in the event of any deficiency.
  2. No recourse to seller: In the non-TReDS setup, if X defaults in paying the financier on the due date, the seller becomes a debtor vis-&agrave-vis the financier for recovery purpose. However, as discussed above, on the TReDS platform discounting is done without recourse to the seller. This means that if X fails to pay the invoice amount on the due date, the financier would have no recourse to the seller. Instead, the financier will have to pursue the buyer. While this mechanism may reduce the financier's risk, it may not attract buyers as they would now have to deal with an institutional lender who replaces the MSMEs.
  3. Enhanced transparency: In case of default or any delay in payment by the buyer to the financier on TReDS, the delay/default gets duly recorded and can feed into the credit rating of the buyer. Outside TReDS, instances of such delay or default are not recorded, unless the MSME seller chooses to pursue action under MSMED Act at the cost of its future business relationship with the buyer. Therefore, the decision of a buyer to join TReDS would most likely depend on a cost-benefit analysis of aspects such as reduced flexibility in cash flow management, more transparency, etc.
  4. Existing arrangements: Experts in the MSME financing area have pointed out during interactions that many big corporate houses have their own discounting business and their suppliers/vendors are required to avail discounting services from their group entities. For instance, Reliance Capital, Mahindra Finance, Tata Capital, Bajaj Finance, Aditya Birla Capital, etc are full fledged NBFCs and have dedicated invoice discounting divisions. Companies not having such an in-house discounting facility usually have pre-existing arrangements with banks or NBFCs. Moreover, these big houses usually consolidate their vendor payments into select groups not falling within the category of MSME who in turn buy products from MSMEs. This may be another reason for big houses to not come on board TReDS.
  5. Cost of integration: Another barrier, especially from the buying corporates, is their reluctance to invest in the cost of integrating into a system like TReDS. Since the buyer bears the costs but the benefits accrue only to vendors, this
    may prove to be a disincentive for the buyers.
  6. Poor awareness: Lastly, the level of awareness about any new solution determines its success. Based on inputs from several stakeholders such as discounting entities and banks, the overall level of awareness about TReDS does not appear to be encouraging. Further, in smaller towns and semi urban setups, banks are the predominant option available to suppliers for their financing needs. These sellers do not easily switch banks with whom they share an established relationship, unless the buyer takes the initiative to migrate their dealings onto TReDS.

Addressing the issues


In order to ensure that the TReDS platform achieves its objectives, broader issues related to invoice financing in India as well as TReDS specific concerns need to be addressed. Extending the timeline of 45 days for settlement of invoice, which presently could be the prime reason for buyers not coming onto the TReDS platform, may be considered. To begin with, the platform should be enabled to give an extension to buyers on a case by case basis. While balancing the conflicting interests of suppliers, buyers and vendors is a challenging task, a middle path can be arrived at by ensuring constant interactions between the regulator and the stakeholders, especially the buyers. Further, it is essential that RBI invests resources to increase the overall level of awareness about TReDS. As discussed previously, the focus of such an awareness programme should be smaller towns and semi-urban setups.

Alternatively, a light-touch approach to regulating the behavior of large buyers could involve doing away with the 45 day payment period for TReDS so as to incentivise big buyers to get onto the TReDS platform. Instead, buyers may be asked to disclose their payment practices. Such reporting is mandatory in the UK where firms are required to disclose payment practices as per the Small Business, Enterprise and Employment Act, 2015. Removing the time-line of 45 days and mandating disclosure of payment practices would require amendment of the MSMED Act, 2006. The disclosures, which can be made public on TReDS, should also form a part of the notes to accounts of financial statements of such firms so that they can be cross verified by statutory auditors. This would require amendment to Schedule III of the Companies Act, 2013.

Further, there could be a mix of other regulatory tools like:

  • A code similar to the Prompt Payment Code in UK can be created and large buyers may be encouraged to sign on to this code. Such a voluntary code can in turn set a maximum payment term.
  • A system for blacklisting companies which violate payment terms repeatedly may also be created based on the payment practices data.
  • The role of MSME associations is important in this context to ensure that big buyers do not abuse market power. As is generally the case, a single MSME will be reluctant to file a complaint against a buyer for fear of losing business as well as the costs involved. Instead, MSME associations can give MSMEs the requisite support and can help MSMEs collectively protest against a buyer to enforce a change in behaviour.

Additional measures for boosting TReDS


RBI may take additional measures after taking stock of bottlenecks currently faced by the TReDS platform to ensure that the platform achieves its intended objectives. These include:

  1. Presently, only banks and NBFCs are allowed to participate on TReDS. These entities lend as per the minimum credit lending rate. TReDS Guidelines do not allow any other entity to participate on this platform as a financier. Considering that the objective of TReDS is to boost MSME financing, RBI may consider lifting this restriction after doing a cost-benefit analysis. More participants such as urban cooperative banks, regional rural banks, high net worth individuals (HNIs), mutual funds, pension funds, etc. may be allowed to ensure the best rates for MSME suppliers. Such participation is allowed in other jurisdictions. For example, UK based MarketInvoice connects businesses with investors, including HNIs through its peer-to-peer invoice finance platform.
  2. On the supplier side, the option of allowing non-MSME entities can also be explored. For example, a corporate buyer on board TReDS presently would have to maintain an additional payment mechanism for non-MSME segment. This leads to operational inefficiencies for the buyer. Allowing both segments on TReDS may ease their way of doing business.
  3. Several MSMEs lack reliable information systems which can generate invoice suitable for discounting. To address this problem, in the Union Budget 2018-19, it was declared that TReDS would be linked to the Goods and Service Tax Network (GSTN). Further, as discussed previously in the post, financing in the TReDS environment is done on the credit worthiness of buyers on 'without recourse to seller' basis. This can potentially create disincentives for buyers to come onboard. If financiers are allowed to access the transactional data of MSME sellers available on GSTN, subject to certain safeguards like privacy of data, this can reduce their information asymmetry in terms of assessing the credit history of sellers. In other words, this measure can enable financiers to discount invoices based on the credit worthiness of sellers.

Technology solutions to address challenges


Some technological solutions are also being explored to address specific challenges with TReDS. The three licensed TReDS exchanges recently got together with MonetaGo, a US based startup, to implement a blockchain based solution for a specific problem - the problem of double invoicing and associated fraud. This permissioned blockchain solution, with each of the exchanges acting as a node, went live recently. This solution has enabled the three exchanges to work together to eliminate instances of double discounting while protecting confidential information of their clients. The system generates a hash which is used by the exchanges for validating whether an invoice has already been discounted or not.

In other parts of the world too, blockchain is being considered to develop end-to-end solutions for invoice financing. Several early implementations already exist - examples being Populous in the UK and the Hive Project in Slovenia. More specifically, blockchain is being used to:

  • Ascertain the legitimacy of an invoice
  • Find out whether the invoice has already been discounted
  • Make available immutable contract information securely to all stakeholders, thus ensuring transparency
  • Create incentives for quicker payments
  • Reduce costs related to the invoice financing process

Need for a cautious approach


In view of the decision by the three exchanges to move the fraud-detection module of the TReDS platform onto a blockchain, going forward, authorities and other stakeholders must follow a cautious approach when considering a blockchain solution for other modules of the invoice discounting process of TReDS. A blockchain based solution is envisaged to reduce costs associated with invoice financing and also incentivise quicker payments by bringing in transparency of transactions through a distributed immutable ledger. However, certain considerations need to be made to come up with the most appropriate design approach in the Indian context:

  1. Will a blockchain solution incentivise buyers? Considering the reluctance of buyers to come onboard TReDS due to
    the lack of a dispute resolution mechanism, it is critical for any future blockchain implementation to tackle this issue. Buyers may want a transparent mechanism on the blockchain which allows them to flag the quality of goods/services sold to them even after accepting the invoice.
  2. Is a blockchain the best design choice?
    Various design choices, including centralised and distributed databases, must be considered and a cost benefit analysis must be done to choose the most efficient solution.
  3. Will the solution help achieve RBI's objectives?
    Depending on RBI's objectives and factors such as trust among stakeholders, a permissioned or permissionless blockchain solution might be more suitable in case a blockchain solution is found to be the right choice.
  4. Issues of security, scalability and governance: Blockchain solutions with public facing data and handling a large number of transactions have been known to struggle with issues of throughput capacity and security. Further, complex questions such as who controls the blockchain, who are the nodes in case of a permissioned blockchain with multiple stakeholders and what is the consensus mechanism need to be answered.
  5. How will the solution respond to a complex and dynamic environment?: A blockchain based 'smart contract' solution for invoice financing should be able to quickly adapt to complex and fast-changing real world environments - for example, changes in the regulatory framework.

It is important that a blockchain solution is adopted only if it is addressing persistent challenges in the Indian context. Characteristics/features of the technology itself pose another set of questions when considering the solutions. Thus, a cost-benefit analysis is of paramount importance before deciding the design of the solution.

Conclusion


Several measures have been taken over the past few years to boost invoice financing in India. Although TReDS is a good initiative, we must carefully evaluate its effectivesness to address the lacunae in the system. To this end, we have examined the existing design and performance of TReDS after considering the market's response and expectations of stakeholders. Primarily, a lack of incetives for buyers is holding up widespread adoption of TReDS. This is due to structural issues in the invoice discounting space as well as challenges with the TReDS platform. This classification of challenges is necessary since merely fixing the technology platform may not address the underlying distortions. Thus, both types of challenges - structural ones such as the bargaining power of buyers and TReDS related challenges like the absence of a dispute resolution mechanism within TReDS - need to be addressed to ensure TReDS' success.

Further, a cautious approach needs to be adopted when considering novel technology solutions for such challenges. In sum, this multi-layered problem needs a concerted effort from the authorities to uncover issues at the ground level and come up with the appropriate policy and technical solutions.

References


Department of Economic Affairs, Industry and Infrastructure, Economic Survey 2017-18 Volume 2, 127-128.

Mohmad, K. M. Factoring Services in India: A Study, 2015.

Reserve Bank of India, Concept Paper - Trade Receivables and Credit Exchange for Financing of Micro, Small and Medium Enterprises, 2014.

Dylan Yaga et al, Blockchain technology overview, 2018.


The authors are researchers at the National Institute of Public Finance and Policy. The authors would like to thank Radhika Pandey and Anirudh Burman for useful discussions.

The editor for this article was Anjali Sharma.