Thursday, April 23, 2020

Liberalising foreign capital flows in Government debt: No time for incrementalism

by Radhika Pandey, Rajeswari Sengupta and Bhargavi Zaveri.

On March 30, 2020, the Reserve Bank of India announced a "Fully Accessible Route" (FAR) that gives unlimited access to foreign portfolio investors (FPIs) to a select set of government securities (G-Secs), specified by the RBI from time to time. To the extent this initiative facilitates the liberalisation of India's capital account and aids market development, it is a step in the right direction. Opening up a set of G-Secs to unrestricted foreign investment may contribute to the depth and diversity of the market and also impose greater discipline on fiscal policy. However, it may only be partially effective unless accompanied by structural reforms and simplification of existing rules governing the access of FPIs to G-secs. In this context, we highlight three fundamental issues with the framework determining foreign investment in G-Secs: (i) frequent changes in rules resulting in uncertainty, (ii) fragmented landscape leading to complexities and (iii) a missing economic rationale for what appears to be an over-prescriptive regime.

The policy initiative announced by the RBI has been taken in furtherance of the budget statement made by the Finance Minister prior to the outbreak of the Covid-19 pandemic. However, the timing of the RBI's announcement is apt. There is a reasonable probability that in the coming one or two years, as a consequence of the ongoing economic crisis that has been triggered by the pandemic, domestic investment and savings will undergo large changes. As a result, India's current account deficit (CAD) may increase significantly. A large amount of foreign capital will be required to finance the rise in CAD. In that context, the FAR initiative is a timely policy decision. It is envisaged that the removal of caps on FPI investment in G-secs may allow India to be included in the global bond indices. This would pave the way for higher and stable foreign capital inflows.

Until recently, foreign portfolio investment in G-Secs was capped at 6% of the outstanding stock of such securities. In addition to the overall cap, investment by FPIs in short-term G-secs was capped at 30% of the overall investment of a particular FPI. According to the FAR scheme, FPI investment in specified G-Secs would not be subject to the 6% cap.

With the introduction of FAR, G-secs can now be classified into two categories:

  • Those in which FPIs are allowed to invest without any limit.
  • Those in which FPI investment will be capped at 6% of the outstanding stock of these securities.

As of March 30, the RBI has specified the following G-secs as eligible for the FAR:

  1. Five specific outstanding securities, which have already been issued by the government. These securities have a residual maturity of 5, 10 and 30 years respectively.
  2. All G-secs of 5-year, 10-year and 30-year tenor which will be issued by the government in the financial year 2020-21 as part of its annual borrowing calendar.

The G-secs of the kind referred to in item (1) together account for a market capitalisation of Rs 4.4 lakh crore which is less than 4% of the total government debt (Table 1). However, the securities referred to in item (2) will constitute roughly 63% of the half-yearly borrowings (Rs 4.88 lakh crore) of the Union Government under the annual borrowing calendar for 2020-21. Hence, this could potentially amount to a sizeable liberalisation.


Table 1: Details of the G-Secs specified under FAR
ISINNomenclatureDate of issueDate of maturityOutstanding stock
(Rs. Crore)

IN00201903966.18% GS 20244-Nov-20194-Nov-202448,552.52
IN00201804887.32% GS 202428-Jan-201928-Jan-202487,000.00
IN00201903626.45% GS 20297-Oct-20197-Oct-20291,05,840.16
IN00201804547.26% GS 202914-Jan-201914-Jan-20291,18,830.80
IN00201900327.72% GS 204915-Apr-201915-Jun-204984,000.00
Total4,44,223.48
Source: Reserve Bank of India

Frequent changes in the rules of access

India has always had a complex system of capital controls which are relaxed from time to time in a discretionary and piecemeal manner (Patnaik et al.,2013). Controls are relaxed or tightened on a continual basis, depending on the needs and exigencies of the economy. From 2014 till date, there have been several flip-flops by the authorities, on the rules of FPIs' access to the G-sec market. Table 2 gives an overview of the key changes in these rules from 2014 until 2019. The third column indicates whether the intervention relaxes or tightens the rules of access, relative to the prevailing legal position.


Table 2: Overview of key revisions in the rules of accessing the G-sec market for FPIs
Year Event Restriction or liberalisation
Upto July 2014FPIs could invest in the G-sec market
subject to an aggregate cap of USD 30 billion.
Sub-limits were assigned for investment by FPIs in G-secs of shorter tenors such as Treasury bills and longer term G-secs.

--
February 2015RBI prohibited FPIs from investing in:
(a) G-secs with a maturity period of less than three years, and
(b) liquid and money market market mutual funds.

Tightening
October 2015RBI announced a medium term framework within which:
(a) the absolute cap on aggregate FPI investment would be announced in INR;
(b) the cap on FPI investment in G-secs would be increased annually such that it reaches 5% of the outstanding G-secs by March 2018;
(c) the aggregate FPI investment in any G-sec issuance would be capped at 20% of the outstanding stock of that issuance.

(a) and (b) are neither relaxation nor tightening measures.
(c) is a tightening measure.
April 2018 RBI withdrew the restriction on investment in G-secs with a minimum residual maturity of 3 years. However, an FPI could still not invest in any G-sec with a residual maturity period of less than 1 year in excess of 20% of the total investment of the FPI in that category.

Relaxation
June 2018RBI re-allocated the sub-limits for investment among general FPIs and "long-term FPIs". The condition imposed in April 2018 with respect to FPI investment in G-secs with less than 1 year maturity was relaxed, and the cap was increased to 30% of the total investment of the FPI in that category.

Relaxation
March 2019 A new route for FPI investment, referred to as the Voluntary Retention Route, was announced. Under this route, FPIs were allowed to invest in G-secs of all maturities subject to conditions such as minimum investment size, lock-in period, etc.

Neither relaxation nor tightening.
Notes: 1. The entries in the third column are as per the authors' reading of the legal instrument announcing the intervention.
2. The third cell of the first row has been left blank as the entry summarises the legal framework till July 2014.

Table 2 shows that in a span of five years, there have been atleast eight changes to the rules for accessing the Indian G-sec market. In 2018 alone, there have been atleast two rule changes with respect to FPI investment in G-secs with a maturity period of less than one year.

These changes only pertain to the limits and caps on foreign portfolio investment in the Indian G-sec market. A comprehensive review of all the notifications issued by the RBI since 2000 shows that the rules governing foreign access to the Indian capital markets are, on average, revised nine times a year (Pandey et al., 2019). The maximum number of rule changes (42%) pertain to debt securities (both government and corporate debt).

A frequently changing policy regime creates uncertainty making it difficult for investors to plan ahead and hence, imposes implicit costs on market development. For FPIs to invest in Indian government bonds, global financial firms have to develop sufficient organisational capital in India in order to overcome India specific asymmetric information. This requires a sense of stability and certainty in the underlying regulatory apparatus. Frequent changes in norms disrupt the development of organisational capital.

When capital controls on foreign investment in debt markets are relaxed, at first foreign firms invest in liquid bonds. The magnitude of the intial investment may be small. As the investors gain confidence in the legal regime governing their access and also in the underlying macroeconomic environment, they start investing more in a broader range of securities. A deeper challenge is that of overcoming home bias, that is, the bias of investors to keep too much of their money invested in their home jurisdiction. Frequent changes in norms can amplify home bias.

In short, attracting long term foreign capital in the Indian market requires the creation of a stable, predictable and consistent regime that is not susceptible to flips-flops and frequent rule changes.

Fragmented access

With the introduction of the FAR, there are now three routes under which FPIs may access the government debt market:

  1. The Medium Term Framework (MTF) introduced in October, 2015 under which aggregate foreign investment is expressed as a percentage of outstanding bond issuances.
  2. The Voluntary Retention Route (VRR) introduced in March, 2019 under which FPIs are required to retain their investments in G-Secs for a minimum period of three years subject to individual FPI based limits.
  3. The newly announced FAR.

This framework is considerably more complex than the pre-2015 scenario where FPIs could access the Indian government debt market under a single set of rules. In October 2015, the framework governing capital controls on Rupee denominated debt changed from quantitative caps to percentage based limits. The framework referred to as the MTF thus envisaged percentage based limits on FPI investments in G-Secs.

The conditions of access under each of these three routes differ thereby resulting in a fragmented landscape. For example, while FPIs may invest in G-secs with a maturity of less than one year under the MTF subject to a percentage-based cap linked to the size of their investment, their investment in G-Secs under the VRR route is subject to a minimum commitment and a minimum retention period. On the other hand, if the investment is made under FAR, then none of these conditions applies.

Missing economic rationale

An overarching rationale document explaining India's long-term strategy on capital controls is missing. For instance, under the FAR, FPIs can only invest without limit in G-Secs of three specific tenors. It is not clear why the liberalisation is being done in a select few securities as opposed to the entire G-Sec market. No explanation has been provided as to why the RBI specifically selected these three tenors, whether this selection is backed by an assessment of the FPIs' risk appetite towards long tenor securities or by any specific economic rationale.

By not allowing more G-Secs in the FAR route, RBI has effectively imposed restrictions on the access of FPIs to the overall G-sec market. External sovereign debt is a legitimate concern when the currency risk is borne by the sovereign borrower. This happens when the sovereign borrower issues debt in a foreign currency. In such cases, the debt liabilities of the sovereign borrower expand or contract depending on domestic currency fluctuations. Throughout the 1990s, emerging economies could not issue debt in their local currency, a phenomenon widely known as 'original sin' in the literature. The high proportion of dollar denominated debt issued by these economies made them vulnerable to currency crises.

Since the 2000s, however, emerging economies have been increasingly issuing debt in their local currencies and there is considerable risk appetite among the FPIs to invest in these securities (Burger et al., 2015). The ability to borrow in the local currency is a positive development that enhances financial stability by ameliorating the currency mismatches that were at the centre of past crises (Goldstein and Turner, 2004). When FPIs invest in Rupee denominated G-Secs in India, they bear the currency risk.

A glance at the data shows that relative to its peers, the approach so far followed by the RBI with respect to allowing FPI investment in Rupee denominated G-secs has been largely restrictive. Table 3 shows the foreign holdings of local currency government bonds in select Asian economies. For most of these economies, the foreign holding of local currency bonds exceeds that of India.


Table 3: Foreign holding of local currency (LC) bonds
% of outstanding
LC bond issuance

Indonesia38.6
Japan12.7
Republic of Korea12.2
Malaysia23.0
Philippines4.9
Thailand17.2
India6.0
Source: Asian Bonds Online and RBI (as on September
2019)

Conclusion

RBI's announcement is a step in the right direction. It might facilitate India's entry into the global bond indices and through this channel, foreign inflows into G-Secs might go up. However, more needs to be done to create a stable and consistent regime governing the FPIs' access to the G-Secs market.

The approach of notifying only specific securities in which foreign portfolio investment will be allowed without limits, indicates hesitation on the part of the RBI to open up the debt markets to unrestricted access by foreign investors. Over and above global bond indices, FPIs might be interested in separately investing in different tenors of G-Secs. Selective liberalisation by the government and the RBI pre-empts that possibility thereby missing out on larger volumes of foreign capital.

The design and announcement of the FAR route provides an excellent opportunity to reorganise the capital controls framework in order to simplify the underlying regulatory regime. For example, the VRR allotment data shows that only around 16% of the amount allocated under this route has so far been utilised by FPIs. This calls into question the rationale for introducing and retaining this framework over and above the existing rules of access. With the FAR now in place, perhaps the older routes can be phased out and gradually all of the FPI investment in G-Secs can be brought under this new route.

It is high time India embarks on a systematic path of capital account liberalisation by combining multiple routes into a single, well defined one, by reducing legal complexities and simplifying the capital controls regime. Letting go of this opportunity might prove to be costly for India in the long run especially when the world economy starts recovering from the ongoing crisis and there is enhanced appetite of FPIs for debt instruments in emerging markets.

References

Patnaik, Ila, Malik, Sarat, Pandey, Radhika and Prateek (2013). Foreign investment in the Indian Government bond market, Working Papers 13/126, National Institute of Public Finance and Policy.

Burger, John D., Rajeswari Sengupta, Francis E. Warnock and Veronica Cacdac Warnock (2015). US investment in global bonds: as the Fed pushes, some EMEs pull, Economic Policy, CEPR;CES;MSH, vol. 30(84).

Goldstein, Morris, and Philip Turner (2004). Controlling Currency Mismatches in Emerging Economies, Washington, DC: Institute for International Economics.

Pandey, Radhika, Rajeswari Sengupta, Aatmin Shah and Bhargavi Zaveri (2020).Legal restrictions on foreign institutional investors in a large, emerging economy: A comprehensive dataset, Data in Brief, Volume (28).

 

Radhika Pandey is a researcher at NIPFP. Rajeswari Sengupta is a researcher at IGIDR. Bhargavi Zaveri is researcher at the Finance Research Group. The authors would like to thank three anonymous referees for valuable inputs.

Sunday, April 12, 2020

More testing: From concept to implementation

by Ajay Shah.

There are concerns about quantity and quality in Indian Covid-19 data. In terms of the quantity of testing, India is at 120 tests per million of population, which is among the lowest in the world. Countries like Germany, Italy, South Korea, etc. are at values of about 10,000 tests per million people. In addition, in India, there are concerns about the imprecision in measurement of infected persons and deaths.

As cities and states grapple with the challenge of Covid-19 in the coming year, improvements in testing are being envisioned. Everyone wants more testing. What does it mean to do more testing? In this article, we show the four elements of testing, from a public health point of view. At present, only one of these is in play in India. Public health leaders at the city and state level need to think about this full range of possibilities, and put all of them into motion.

Basic facts about testing


Before we get to the interesting public health and public policy questions, let’s review the science and engineering of testing. For people who are infected with Covid-19, the overwhelming majority recover in about 14 days. Most people experience minor symptoms, do not seek health care, and would not know that the Covid-19 infection took place.

There are two kinds of tests: The PCR test and the antibody test.

The PCR test looks for the virus in your body. It delivers a positive verdict when the virus is present at concentrations above a certain threshold. The absence of the virus can either mean that you are not infected or that you have recovered. Generally, by day 10, the PCR test returns a negative result.

The antibody test looks for the presence of antibodies made by the human body in fighting the virus. These antibodies are generally in place from day 7 and are likely to persist for months. It is possible that while the antibodies are present, you are still communicating the disease, which roughly corresponds to the second week of the progress of the infection.

After day 14, generally the antibody test would yield a positive result and the PCR test would yield a negative result.

After the recovery, immunity from the disease is likely. This paves the way for reopening the country. Ideally, we would like to run large scale antibody tests, find the people who have bounced back from the infection (and might not even have known that they were sick), so these persons can get back to normalcy in their lives. While this is a field of active research, the conclusions are not yet in. It is likely that once you recover, you are immune to the disease, for about 2 to 3 years. But Covid-19 is a new disease, and these are not settled questions.

In terms of operationalising the two tests, the PCR test requires more expensive equipment, the test takes more time, and scaling up to millions of tests is hard given global supply shortages of many of the inputs (reagents, primers, positive controls, extraction kits). PCR testing is unlikely to be available in large quantities in India or other countries for the next month or two, which will limit its usage to relatively low volume applications. The antibody test, though not a diagnostic test for health care settings, is more readily rolled out at scale, and most countries are exploring this from the viewpoint of mass deployment.

There is a neat idea called a “Group test”. Imagine pooling the blood sampled from 10 people and doing one PCR test on that pooled sample. If this came out positive, we would conclude that one or more of these 10 persons is infected. This is particularly useful given the limitations on the number of PCR tests that can be done. At the present moment, the precise protocols for pooled PCR testing for Covid-19 are not yet in place. This is also the subject of active research and we expect this problem will be solved soon.

This shows a testing landscape with two tests (PCR and Antibody) and the possibility of doing a group test with either.

With both classes of tests, there are many vendors with products of varying quality. It would be efficient for India to free ride on the state capacity of advanced countries, and accept any product which is approved by a regulator in a country that is a member of the OECD.

The role of testing in public health and health care


When we are admonished to increase testing, what testing is to be done at scale? It is useful to go to first principles, and think about the objectives of public health. This guides us in designing testing strategies. There are four pathways to testing, organised by the objective of the testing, by the question that is being asked.

  1. Testing in the context of health care: A person shows up in front of a doctor with certain symptoms, and the doctor commissions a test in order to know whether it is a Covid-19 infection. In this case, the question is: Is this person presently infected with Covid-19?
  2. The public health objective of understanding the state of a neighbourhood: When thinking about rules of social isolation in a geographical area, an assessment is required about the state of a neighbourhood. As an example, an airport may be in operation, and we might like to get a daily reading of the state of infection in the airport staff. In these cases, the public health crew cares about the question: Is there an active infection in this group of people?
  3. The public health objective of understanding the progress of the epidemic: The public health team in a city needs to have a situational awareness about what is going on in the city. In this, they would ask the question: What is the overall number of infected and recovered people in my city? How are these numbers moving over time? Each city would like to know: Is the active level of infection likely to rise beyond the available health care in the city in the next few weeks? This forecasting can be assisted by statistical epidemiological models, which can be estimated once this data is observed. In addition, understanding the epidemic curve will help guide decisions about escalation or de-escalation of social distancing measures in the city, and across cities.
  4. Antibody testing for the purpose of restarting the economy: It is likely that there is immunity against infection, for a few years, after a person has recovered from the infection. The entire course of events, from infection to immune system response, can happen without displaying any symptoms. Hence, counting the number of people who sought health care and then recovered is not useful. The antibody test shows whether a person has such immunity. Such persons are likely to be ready to rejoin the economy, and should particularly be brought into front-line roles. From the viewpoint of society and the economy, the key factor to watch for is the fear; Covid-19 is hacking into our minds, much like a terrorist attack. Each of us would like to know: Have I finished with one bout of Covid-19? Once a person tests positive on the antibody test, the terror would subside, one person at a time.

We see that there is not one concept in testing. Testing technology (PCR, Antibody, Pooling) are technical tools that are synthesised to answer four categories of questions. Each of these objectives is distinct, requires a different mechanism for implementation, and supports decision making in different ways. Let us dive into each of them.

Pathway 1: Testing in the context of health care, “Is this person infected with Covid-19?


The normal protocols of clinical care will be applied by a doctor, who will trigger a test when certain symptoms come together. The test of choice is the PCR test, because this will report on the presence of the virus in the first week. These results are very interesting for the individual and for the doctor in determining health care for the individual.

The statistics that are produced, out of such testing, are highly sensitive to: (a) Who are the individuals who feel symptoms (most don’t) and who are the individuals that access health care facilities; (b) The protocols and skill of the doctor in deciding to prescribe the test and (c) Capacity constraints in doing the PCR (maybe all the machines in the country max out at N tests/day) and the fact that when there is a backlog, delays in the heat might degrade samples and bias the results in favour of a negative outcome.

A lot of epidemiological research is presently being done using data that is produced from this clinical setting. It is important to be cautious about the extent to which this data can be interpreted. The only thing that we are sure of is that such testing helps in the clinical process. The four kinds of censoring described above (some individuals access health care, the protocols used by the doctor, the limitations of testing, the degradation of samples) are central to the data generating process, and are absent in most models of this data. This limits the usefulness of epidemiological models, when estimated using the existing data, for decision making in public health.

One step away from the clinical setting, and closer to the questions of public health, are PCR tests administered every day to samples of high risk groups (SARI, ILI, health care workers). These could be an early indicator of the spread of the disease and could help containment efforts. Such measurement projects are important and interesting for public health. Fusing this surveillance data into an overall dataset of clinical data, however, induces additional difficulties for epidemiological modelling.

Pathway 2: The public health objective of understanding the state of a neighbourhood, “Is there an active infection in this group of people?


At the level of a city, there is value in containing outbreaks. In an ideal world, we would have a PCR test result for each person for each day, and this would generate perfect information. However, this is not feasible as PCR testing is slow, expensive and does not scale up readily.

Public health staff face questions such as “Has an outbreak begun in X neighbourhood?” “Has the outbreak in X neighbourhood ended?” or “What is the state of health of the airport staff?”. These questions can often be nicely answered by doing a pooled PCR test [link, link]. The results can be used for modifying social distancing and isolation procedures on a day to day basis.

There is value in establishing the institutional infrastructure through which a civil servant is able to ask this question about a neighbourhood, after which a random sample of N persons is taken, and the pooled PCR test is run. Ideally, the turnaround time from decision to result should be about two days.

There is also value in establishing ongoing monitoring of high risk activities, such as health care workers or the airport crew, who should be sampled every day in this fashion, thus inducing the systematic creation of datasets.

Pathway 3: The public health objective of understanding the progress of the epidemic, “What is the overall number of infected and recovered people in my city?”, “How are these numbers moving over time?


The holy grail of this field is panel (i.e. longitudinal) data measurement of persons on infection and presence of antibodies. It would be particularly valuable to observe comprehensive socio-economic information about each individual, over and above these two facts. As an early step towards this objective, a recent study in one town in Germany measured 500 persons and found that 2% were infected and 14% were immune.

Suppose we are sampling 1000 persons, and suppose the true positive rate is 2%, and 2% of 1000 is 20 persons. To fix intuition, on average we would see about 20 persons testing positive, and a few sample realisations are : 24, 16, 25, 22, 27, 19, etc. In this, a 95% confidence interval of the estimated rate runs from 1.1% to 2.9%. This suggests that at rates of about 2%, a sample size of 1000 individuals is quite useful. (Lower rates call for larger samples).

With this dataset is in hand, it becomes possible to estimate epidemiological models, understand R0, anticipate the future course of the disease, watch how modifications to social distancing impact upon R0, etc. This can be particularly useful in anticipating surges in health care requirements, building and dismantling temporary hospitals, etc. These models can help improve decisions about social distancing measures in the city taken by the citizenry and public health authorities.

Pathway 4: Antibody testing for the purpose of restarting the economy, “Have I finished with one bout of Covid-19?


India has young demographics, and many will get the infection and bounce back without noticing it. Individuals should be able to test their own antibody status and put their fears at rest. There is a role for testing at regular intervals for each person, until that person gets the first positive reading.

This is important for restarting the economy. The economy today is hampered by lockdowns and fear. Antibody testing on scale holds the key to ending the fear, one person at a time, and restarting the economy. Persons who have a positive antibody test result should be preferred for front line roles.

Covid-19 has imposed large welfare costs upon humans who have been forced to be away from their loved ones. Widespread antibody testing will help the lucky ones to resume desired human interactions.

Elements of implementation


When we think about these four questions at the level of India, implementations appear implausibly difficult. If we think of creating a panel dataset of 1000 people in Bombay, it is much more tractable when compared with trying to create an all-India panel dataset.

The presence of four pathways to measurement, in any one city or district, creates one immediate advantage: it is then more likely that errors in any one element of the measurement strategy will be detected, and feedback loops established for remedying them.

Some ideas for implementation are sketched below.

  1. The first stage lies in establishment of a mechanism to take in data from all over the country, on all the pathways, and make it available as a unified repository to the public. A coalition of researchers should establish the data standards for all data coming into one shared public facility with data, where all incoming data is instantly released into the public domain. The governance of this effort should combine experts on public health, information systems, and civil liberties. Trust in this data will be enhanced if there is a lack of government control of this repository.
  2. There should be published protocols that determine when a doctor asks for a Covid-19 test as part of Pathway 1. There should be a single definitive source where these protocols, and all changes in these protocols, are made visible. When the doctor writes a prescription, this would generally be filled by a lab. The lab should get paid by the state in exchange for submission of a few (anonymised) facts about the individual, back into a public data facility.
  3. For Pathway 2 (pooled PCR testing in a neighbourhood), a problem that is faced is the stigma and fear that goes with Covid-19 in India today. The city/district government will need a contract with a lab to do the sample collection. Civil servants may need to accompany the staff of the lab in order to make the citizenry comfortable with what is being done. In time, there will be much comfort when people realise that no individual is being identified in the group testing. The contracting framework is required through which a civil servant commissions a test, and in a day or two the answer is obtained. Similarly, the contracting framework is required through which (say) a data point is obtained every day about a random sample of the airport staff. All the data generated here should be anonymised and go to the public data facility.
  4. For Pathway 3 (panel measurement), survey organisations partnering with testing labs are required to meet households and obtain samples. There is an important barrier in this, owing to the stigma and fear surrounding Covid-19 in India today, and these problems will need to be overcome. All the data generated here should be anonymised and go to the public data facility.
  5. For Pathway 4 (antibody testing for an individual), there is a role for a testing voucher through which each person can get tested every x weeks until a test shows positive. This would kick off a decentralised mechanism where individuals would step forward and get tested. Private labs would be required, as part of the voucher arrangement, to electronically submit anonymised data to the public data facility.

At present in India, most of the work in testing is on Pathway 1. In addition, most of the work in this is being done by government labs. Most of the testing capacity in India is in the private sector, so these pathways need to establish incentive-compatible PPP arrangements through which work is done in private firms with public funding, with release of anonymised data into the public domain. Perhaps a nice split is to have the public sector continue to play an important role in Pathway 1, and establish the additional three pathways in private labs.

There is a lot of concern about the practical problems of organising production at private labs. The private sector is best equipped to understand and solve complex problems of supply chains and organisation. The PPP contracts, that a city or a district gives to multiple labs, should establish frameworks for payment for tests, and also embed real options whereby the private firms will be paid for a certain floor level of testing even if the order flow does not materialise. This will create incentives for private laboratories to build their organisational capabilities and solve problems of production. Private firms will solve problems of organising production better than governments will.

All four lines of work will require time and effort in implementation. The Covid-19 epidemic is a problem that will play out in India over a year or two. It is efficient for each city or district to embark on a three month journey to establish these information systems, so as to exert a beneficial impact upon decision making thereafter.

Conclusion


Everyone agrees that more testing is required. But testing is a means to an end. The purpose of testing is to improve situational awareness. At present, we are in a state of high uncertainty; we do not know what is going on, and this induces greater fear and hampers decision making by private persons and by policy makers. The mere intensification of the existing approach to testing (i.e. testing in a health care context) does not address key objectives in public health and in restarting the economy.

To test is human, to create datasets divine. We should shift focus from the words "number of tests" to the intellectual clarity around the four kinds of datasets, each of which has their role in the overall problem.

Fighting an epidemic is inherently a decentralised problem. This is a battle that is played out at the field level. It is more useful to think about the problem of measurement at the city or district level. These four questions will have to be faced by the public health leadership in each city and each district. As an example, the leadership of Pune should ask themselves: How do we organise these four lines of work? This is far more feasible when compared with solving these problems for 3.3 million square kilometres.



I thank Prakash Hebalkar, Manoj Mohanan, Nandu Saravade, Pradnya Saravade and Suja Thomas for useful discussions.

Friday, April 10, 2020

Comments on the draft Personal Data Protection Bill, 2019: Part II

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

In our previous post, we had discussed some of the concerns arising out of the draft Personal Data Protection Bill, 2019 (the "Bill"), focusing on how the State-citizen relationship is dealt with under the Bill. We examined the provisions granting wide ranging exemptions to the State for surveillance and law enforcement purposes, as well as the problems in the design and functioning of the proposed Data Protection Authority of India (the "DPA"). In this post, we extend our analysis to discuss certain other issues with the Bill, including the provisions on data localisation, processing of children's data, implementation of privacy by design and regulatory sandbox, inclusion of non-personal data, the employment exception, and the research exemption. We argue that these provisions need to be amended in order to provide more effective safeguards for the privacy of individuals.

Cross Border Data Transfer (Data Localisation)

One of the most contentious issues in the drafting of India's privacy law has been the issue of data localisation, or in other words, the nature and scope of restrictions that should be applied to cross-border data transfers.

Section 33 of the Bill enables the transfer of personal data outside India by imposing transfer restrictions on two sub-categories of personal data. The first sub-category consists of sensitive personal data, such as financial data, health data, sexual orientation data, biometric data, etc., that has to be mirrored in the country, i.e. a copy of such data will have to be kept in India. The second sub-category consists of critical personal data (which has not been defined in the Bill), and which is barred from being transferred outside India. The constituents of this sub-category have not been identified in the Bill and are left to be notified by the Government at a subsequent stage. While imposing these restrictions, the Bill also specifies (in Section 34) a list of conditions that can enable a cross-border data transfer to take place. This includes determination of the adequacy of the laws of another country by the Government or requirements for data processing entities to put in place intra-group schemes or contracts to ensure appropriate standards for the protection of Indian data sent outside the country.

These provisions are significantly more liberal than those proposed in the 2018 version of the draft Data Protection Bill released by the Justice Srikrishna Committee ("PDP Bill, 2018"). The PDP Bill, 2018, required both personal and sensitive personal data to be mirrored in the country, subject to different conditions and exemptions. These provisions attracted significant criticism -- from dissenting members of the Srikrishna Committee, to technology companies (particularly multinationals), as well as sections of civil society (Basu et al., 2019). We had also argued in our submissions on the PDP Bill, 2018 that these restrictions were overly broad and that the costs of strict localisation measures may outweigh any possible gains.

The move to liberalise these provisions will undoubtedly be welcomed by many stakeholders. The less stringent provisions of the Bill imply that costs to business may be limited, and users will have greater flexibility in choosing where to store their data. Prima facie the Bill appears to reflect a more proportionate approach to the issue, thereby bringing it within the framework of the Puttaswamy tests of proportionality and necessity (Bhandari et al., 2017). This is achieved by implementing a sliding scale of obligations, ostensibly based on the sensitivity or vulnerability of the data -- "critical personal data", being the most vulnerable category, is required to be localised completely; while "personal data" being the broadest category, can be freely taken out of the country. The obligations with respect to "sensitive personal data" lie in between these two.

However, we believe that even the revised provisions of the Bill may not withstand the test of proportionality.

As explained by us previously on this blog, there are broadly three sets of arguments that are advanced in favour of imposing stringent data localisation norms (Bailey and Parsheera, 2018):

  1. Sovereignty and Government functions: Referring to the use of data as a resource to be used to further India's strategic and national interests, to enable the enforcement of Indian laws and discharge of other state functions.
  2. Economic benefits: The second claim is that economic benefits will accrue to local industry in terms of creating local infrastructure, employment and aiding development of the artificial intelligence ecosystem.
  3. Civil liberties: The third argument is that local hosting of data will enhance its privacy and security by ensuring Indian law applies to the data and users can access local remedies. It will also protect (Indian) data from foreign surveillance.

If the Bill was localising data for the first two purposes, it would have required that local copies be retained of all the categories of personal data, as was the case with the previous draft of the law. On the other hand, if privacy protection is the main consideration, as it now appears given the changes from the PDP Bill, 2018, and the fact that vulnerability or sensitivity of the data is the differentiating factor in terms of the obligations being imposed, we believe that the aims of this provision can be equally achieved through less intrusive, suitable and equally effective measures. This includes requirements for contractual conditions, and using adequacy tests for the jurisdiction of transfer, as already provided for in Section 34 of the Bill. This is also in line with the position under the European General Data Protection Regulation ("GDPR"). Further, the extra-territorial application of the Bill also ensures that the data protection obligations under the law continue to exist even if the data is transferred outside the country.

In case data localisation is meant to serve any of the goals other than privacy, sectoral obligations can be used to meet these specific objectives based on a perceived and specific need. This is already the case in respect of digital payments data, certain types of telecom data and Government data. Any such move would of course have to be preceded by an open and transparent process setting out the problem that is sought to be addressed and assessing the different alternatives before arriving at localisation as a solution.

Given the infirmities in the Bill, particularly concerning the powers of the State, individuals and businesses may well believe that their data would be more secure if stored and processed in jurisdictions with strong data protection laws and a more advanced technical ecosystem. Therefore, assuming that privacy is the primary motivating factor behind design of this provision, it would make sense to allow individuals to store their data in any location of their choice, provided that the specified conditions are being met.

Accordingly, we believe that Section 33 ought to be deleted from the Bill. As an alternative, general restrictions on cross-border transfers may be imposed only for "critical personal data". In this context, it is also important that the Bill should provide a definition of "critical personal data" or at least clarify the grounds on which personal data may be declared as such. This would help limit the otherwise extremely broad powers of the State in this respect.

Children's Data

Section 16 of the Bill contains an enhanced set of obligations for fiduciaries dealing with children's personal data and sensitive personal data. It requires fiduciaries to act in the best interests of the "child", defined to mean a person below 18 years. The provision mandates age verification and parental consent for the processing of such data, which, while well-intentioned, gives rise to some concerns.

For instance, a large part of India's internet using population comprises young people, including children. Requirements for age verification and parental consent may not be practical for a vast number of children who may not have access to relevant documents, may not receive parental support, or their parents may not be in a position to engage with the technology and verification system. Such a requirement is also likely to have a disproportionate impact on already vulnerable and marginalised communities, including adolescent girls. Section 16 also leads to a loss of agency for many young internet users, who are often the creators and consumers of online content for educational, recreational, entertainment and other purposes.

The procedure to conduct mandatory age verification is also beset with ambiguity, since any requirement to verify children's data will effectively amount to the verification of all users in order to be able to distinguish children from adults. This would clearly be a disproportionate invasion of privacy.

Finally, the Bill does not draw any distinction in the level of protection based on the age of the child, in effect treating children of 5 years and 17 years in the same manner. This, in essence, goes against the UN Convention on the Rights of the Child, to which India is a party. The Convention inter alia recognises that: (a) regulation of children should be in a manner "consistent with the evolving capacities of a child" and that children have a right to engage in play and recreational activities "appropriate to the age of the child" (Articles 5, 14 and 31); (b) children have a right to protection of the law against invasions of privacy and a right to peaceful assembly (Articles 16 and 15); and that (c) access to mass media, particularly from "a diversity of national and international sources" is important for a child's development (Article 17).

In order to allay these concerns, we recommend that the provisions pertaining to parental consent and age verification (Sections 16(2) and 16(3) of the Bill) should be deleted. In the event these provisions are retained, they should be amended to prevent the complete loss of agency for many young internet users; to enable a level of protection that is consistent with the age group of the child; and to ensure that the rights of all individuals to expression and access, including children, are not unduly restricted. Accordingly, Section 16 should lay down that the principle of best interests of the child and the requirement of consent from parents and guardians have to be interpreted "in a manner consistent with the evolving capacities of the child". Further, any requirement of age verification should be limited to guardian data fiduciaries to be classified by the DPA. Finally, the factors to be considered under Section 16(3) while deciding upon the manner of verification, should also include the impact of the verification mechanism on the privacy of other data principals.

Privacy by Design and Sandbox

Section 22(1) of the Bill requires every data fiduciary to prepare a privacy by design ("PBD") policy containing details of the processing practices followed by the fiduciary and the risk-mitigation measures put in place. According to Sections 22(2) and 22(3), the data fiduciary may submit the PBD policy to the proposed DPA for certification, which shall be granted upon satisfaction of the conditions mentioned in Section 22(1). The fiduciary and DPA shall then publish the certified PBD policy on their websites.

Section 22, as it is currently drafted, only requires data fiduciaries to prepare a PBD policy -- it does not require them to implement the same. Without a requirement to implement the PBD Policy, this would remain a mere paper requirement and serve no real privacy enhancing purpose. In contrast, Section 29 of the PDP Bill, 2018, required every data fiduciary to "implement policies and measures to ensure [privacy by design]". Similarly, Article 25 of the GDPR also requires data controllers to "implement appropriate technical and organisational measures" in order to meet the requirements of the regulation.

Further, given the range and scope of duties conferred on the DPA, requiring it to verify and certify every data fiduciary's PBD policy (as an ex-ante measure) could cast an unreasonable burden on the regulator. It must be noted that the scrutiny of a PBD policy will have to take into account each entity's specific business model, and the specific risk mitigation measures proposed to be implemented. This is clearly not an insignificant task. We therefore believe it would be prudent to permit independent data auditors to certify PBD policies, with further review of the certified policies by the DPA in cases where it is assessing the fiduciary's eligibility to participate in the sandbox under Section 40. This would reduce the burden on the DPA while enabling quicker turn-around times for business entities. The DPA could in turn regulate the process of certification by independent auditors through appropriate regulations.

Moving now to the issue of the regulatory "sandbox". This is a new concept in the data protection discourse in India although other sectors, such as finance, have already seen such developments. For instance, the Reserve Bank of India announced the creation of an enabling framework for a regulatory sandbox in 2019. We have also seen international examples that discuss such measures in the data protection context, such as in case of the UK's Information Commissioner's sandbox initiative.

Section 40 of the Bill permits the DPA to restrict the application of specific provisions of the Bill to entities that are engaged in developing innovative and emerging technologies in areas such as artificial intelligence and machine-learning. Presumably, the purpose is to enable companies to experiment with new business models without the fear of falling foul of the law (while at the same time enabling supervision by the authorities), in a controlled setting, where exposure to harm can be limited. According to Section 40, the DPA can modify the application of the provisions of the Bill relating to clear and specific purpose for data processing; collection only for a specific purpose; and limited period of data retention for eligible entities. In order to be eligible for the sandbox, an entity should have in place a PBD policy that has been certified by the DPA (Section 22).

The current draft vests significant discretion in the hands of the DPA in deciding which entities will be included or excluded from the sandbox. Despite this, there is no clear criteria provided in Section 40 that would allow the DPA to judge the entry of an entity into the sandbox. We believe that certain criteria, based on the expected level of innovation, public interest, and viability, should be specified in Section 40 itself, to improve transparency and accountability. The provision of specific criteria needs to be accompanied by the requirement of a written, reasoned decision by the DPA, so as to reduce arbitrariness. Apart from this, the DPA should also be empowered to lay down conditions and safeguards for data fiduciaries to follow (with respect to personal data processed while in the sandbox) once they have exited the sandbox. Finally, changes flowing from the proposed revisions to the certification process of the PBD policy (discussed above) will also need to be made to Section 40.

Non-consensual Processing for Employment Purposes

Section 13 of the Bill gives significant leeway to employers for carrying out non-consensual processing of personal data, other than sensitive personal data, that is necessary in the context of employment. Given the inherent inequality in an employer-employee relationship, we believe that the Bill should have greater safeguards to prevent coercive collection or misuse of employees' personal data by employers.

For instance, the present draft of the provision permits non-consensual processing of personal data of an employee if considered necessary for "any other activity relating to the assessment of the performance" of the employee. This phrase is very wide in scope and can be easily misused by the employer, for instance through continuous monitoring and analysis of all activities of the employee, including the time spent in front of screen, private calls and messages, etc. Given the increasing relevance of remote working arrangements, this sort of monitoring could even be extended outside the office premises.

We have already referred to the significant imbalance of power in the relationship between the employee and employer. There can be many ways in which technology can further tilt the balance of power in favour of the employer. For instance, there has been considerable reporting on the "productivity firings" by Amazon. The company is said to be using "deeply automated tracking and termination processes" to gauge if employees are meeting (very stringent) productivity demands placed on them (Lecher, 2019). Similar stories of management or termination based on algorithmic decision-making are increasingly being heard from many other sectors of the economy. When one considers the advances being made in tracking and privatised surveillance systems, the ability of employers to collect and analyse data of their employees without their consent, can become extremely problematic.

Accordingly, we believe the broad exemption provided for employers should be done away with by deleting this provision. However, if the provision is to be retained, we recommend that two amendments need to be made to it. First, the provision should only permit non-consensual processing as is "reasonably expected" by the data principal. Second, any processing under this provision should be proportionate to the interests being achieved.

Exemption for Research, Archiving, or Statistical Purposes

Section 38 permits the DPA to exclude the application of all parts of the law to processing of personal data that is necessary for research, archiving or statistical purposes, if it satisfies certain prescribed criteria. As highlighted in our earlier submissions, the framing adopted by the provision is very broad as it extends the exemption to research and archiving conducted for a wide variety of purposes, including situations where this may not be appropriate. This includes research that is predominantly commercial in nature. Market research companies carrying out consumer surveys, focus groups discussions, etc., often use intrusive means of data collection and are repositories of large quantities of personal data. We believe that such purposes should not be exempted from the purview of data protection requirements as doing so would significantly lessen the privacy protections offered to individuals, without any significant public benefit being achieved.

Accordingly, we recommend narrowing the scope of the provision only to the processing of personal data where the purpose is not solely commercial in nature and the activity is being conducted in public interest. Notably, the GDPR also limits exemptions granted to research purposes to "archiving purposes in public interest, scientific or historical research or statistical purposes"(Article 89). Further, a somewhat similar approach has been adopted in the Copyright Act, 1957, which in Section 32 provides for the issuance of licenses to produce translations of works, inter alia, for research purposes. Section 32 specifically excludes "industrial research" and "research by bodies corporate" (not being governmental controlled bodies) "for commercial purposes" from the scope of the law -- thus, the exemptions from copyright protection under the law do not apply to the use of copyrighted material for such categories of research.

In addition, it is unclear why provisions pertaining to transparency, fair and reasonable processing, deployment of security safeguards etc. are not made applicable to entities that may avail the exemption under Section 38, as was suggested in the earlier draft of the PDP Bill, 2018. As mentioned above, commercial research companies collect, process and store large quantities of personal data, thereby making them susceptible to significant breach of privacy (in the case of data breaches, unauthorised disclosures, etc). Therefore we suggest that Section 38 should be revised to ensure that the provisions of the law are only exempted to the extent they may significantly impair or prevent achieving the relevant purposes. Notably, the UK Data Protection Act, 2018, also follows a similar approach in Schedule 2 (Part 6, paragraph 27 and 28).

Non-personal Data

Section 91(2) is a new provision that has been introduced in the latest version of the Bill. Under this section, the Central Government may, in consultation with the DPA, direct any data fiduciary or processor to provide any non-personal or personal data that is in an anonymised form. The Government is required to lay down regulations governing this process. This non-personal data is to be used for "better targeting of delivery of services or formulation of evidence-based policies" by the Government.

We find that this provision is misplaced in the Bill and is disproportionate in nature, for the following reasons. First, regulating non-personal data flows is outside the scope of the present law. Notably, the White Paper and Report of the Justice Srikrishna Committee exclusively consider the regulation of personal data, as do the Statement of Objects and Reasons and Recitals to the Bill.

Second, the Government has already constituted a Committee of Experts to examine regulatory issues arising in the context of non-personal data. The inclusion of this provision pre-empts the findings and recommendations of this Committee of Experts.

Third, the provision does not adequately consider and balance all relevant interests, as it provides the State with an omnibus power to call for any non-personal data. This could affect property rights of data fiduciaries, competition in the digital ecosystem (especially where the State is a market participant), and also affect individual privacy, particularly in situations where unrelated data sets available with the Government could be processed to reveal personally identifiable data. There is significant literature on the possibility of anonymised data sets being re-identified through advanced computing, or on being combined or added to new information to reveal personal data.

Fourth, calling for data on grounds that it may be used for "evidence based policy making" is vague, ambiguous and susceptible to arbitrary use. Existing provisions of law allow sectoral regulators and Government agencies to collect relevant data (personal or non-personal) where required for making regulatory or policy interventions. The provision would therefore fail the Puttaswamy tests of ensuring proportionality and being subject to appropriate procedural safeguards.

In the circumstances, we believe the provision must be dropped from the Bill.

Conclusion

In this post, we have highlighted how the Bill offers limited privacy protections for individuals in various contexts, such as when it comes to an employee-employer relationship or in the context of processing of personal data by entities engaged in commercial research and statistical work. At the same time, certain provisions, while they may seem well intentioned, require significant fine-tuning so as to not unduly limit individual rights, such as the requirement for verification of users' age.

We show that by failing to ensure that data fiduciaries must implement a PBD policy, the Bill merely envisages a paper requirement, while at the same time casting a significant burden on the DPA to certify such policies. Similarly, the provision on data sandboxes, while in theory may not be a bad idea, also requires much more discussion and work. To begin with, we propose that the provision needs modifications to limit the discretionary power available to the DPA, particularly in terms of selection of entities to take part in the sandbox. Finally, we also explain why the provisions pertaining to data localisation and non-personal data are poorly conceptualised and disproportionate in nature.

Based on the discussions here and in our previous post on the Bill, we conclude that there are a number of areas where the Bill needs further work before it can be said to be providing an appropriate standard of data protection. Further, the introduction of various completely "new" provisions in the Bill at this stage, such as those pertaining to non-personal data, sandboxes, social media intermediaries, and consent managers is less than ideal given the significant public discussion carried out on the draft law over a two year period. In this context, the fact that the Joint Parliamentary Committee that is currently examining the Bill has called for, and is considering, public comments is a positive step.

References

Bailey and Parsheera, 2018: Rishab Bailey and Smriti Parsheera, Data Localisation in India: Questioning the Means and Ends, NIPFP Working Paper No. 242, October 2018.

Basu et al., 2019: Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla, The Localisation Gambit: Unpacking Policy Measures for Sovereign Control of Data in India, The Centre for Internet and Society, 19 March, 2019.

Bhandari et al, 2017: Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An analysis of Puttaswamy: the Supreme Court's privacy verdict, LEAP Blog, September 20, 2017.

Justice K.S. Puttaswamy v. Union of India (Right to privacy case), 2017 (10) SCC 1.

Lecher, 2019: Colin Lecher, How Amazon automatically tracks and fires warehouse workers for 'productivity', The Verge, 25 April, 2019.

 

Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance Policy. Vrinda
Bhandari is a practicing advocate in Delhi. The authors would like to thank Renuka Sane and Trishee Goyal for inputs and valuable discussions.

Indian Supreme Court on virtual currency: Regulatory governance implications

by Pratik Datta and Varun Marwah.

The Indian Supreme Court in IMAI v. RBI (‘Crypto Judgement’) recently struck down a Reserve Bank of India (‘RBI’) circular that prohibited entities regulated by it from dealing or settling in Virtual Currencies (‘VCs’). While many commentators have lauded the outcome, the judgement itself is a milestone in the history of jurisprudence on rule of law and the working of regulators in India.

In this blog, we contextualise this decision in the broader context of regulatory governance in India. We argue that this decision may not be sufficient to nudge regulators to improve their internal governance arrangements. Instead, deeper legislative reforms are needed along the lines of the US Administrative Procedure Act ('APA') and the draft Indian Financial Code ('IFC').

Regulatory governance in India

When India embarked on a market oriented reform in early 1990s, there was a desire to break away from central planning and government control towards creation of competitive private markets in different sectors. This led to proliferation of specialised statutory regulators across sectors. The dominant motive behind setting up new regulators was to signal credibility to private investors and financial institutions. Another important objective was to create technocratic specialisation, which would have been difficult within the administrative constraints of government departments. Given these priorities, there was hardly much focus on regulatory governance, that is, the formal processes to be followed by a regulator while performing its internal functions. Consequently, the parliamentary statutes setting up these regulators did not provide much guidance on regulatory governance.

Lack of regulatory governance often leads to poor regulatory outcomes. For instance, Roy et al (2018) explains that poor legislative processes within a regulator may prevent its board from systematically evaluating the management’s proposals to regulate. It may also restrict the board from receiving appropriate feedback from regulated entities about proposed regulations. Therefore, one would have reasonably expected the Indian regulators to voluntarily adopt such regulatory governance norms through regulations.

However, the regulators did not make any systematic effort to improve their own regulatory governance. Krishnan and Burman (2019) note that the administrative processes within regulators are strikingly similar to those of government departments. This is because, at least in the initial days, most members as well as officials of these regulators came from the government. In absence of any statutory guidance, they transplanted the administrative processes of the government into the regulators. This became a source of deeper problems.

A statutory regulator is materially different from a government department. Unlike a government department, a regulator concentrates legislative (regulation-making), executive (monitoring and supervision) and judicial (issuing orders) powers. Moreover, the frequency and volume of legislative instruments issued by a regulator is significantly higher than most government departments. None of these unique features of a regulator are addressed by transplanting government processes within the regulator.

Given this vacuum in regulatory governance both in external administrative law (the statute) as well as in internal administrative law (regulations, circulars etc.), judicial precedents came to play a visibly important role in shaping regulatory governance in India. An analysis of these judicial precedents by Krishnan and Burman (2019) reveals two interesting features. First, the judiciary has generally been deferential towards the functioning of regulators, except in cases of blatant disregard of process. Second, judicial review of legislative actions of regulators has been rare. Even in such rare occasions, the ultra vires doctrine has been used to strike down regulations issued without appropriate legal powers. To the best of our knowledge, the only instance where the Indian Supreme Court struck down a regulation for inadequate regulatory governance was in COAI vs. TRAI ('Call Drop Judgement') in 2016. And now, the Crypto Judgement adds to this nascent jurisprudence.

The Crypto Judgment

On April 6, 2018, the RBI issued a circular prohibiting RBI regulated entities from dealing or settling in VCs (‘Circular’). The Circular was challenged by the Internet and Mobile Association of India (‘IMAI’) before the Supreme Court. The court struck down the Circular for infringement of Article 19(1)(g) of the Constitution of India. Article 19(1)(g) guarantees the fundamental right to conduct trade and business in India subject to reasonable restrictions that may be imposed by law in public interest. The Apex Court held that the prohibition in the Circular was an unreasonable restriction on this fundamental right to trade (in VCs and to operate VC exchanges) in India, because it was disproportionate.

The Apex Court found the Circular to be disproportionate primarily on two grounds:

First, RBI did not adduce any cogent evidence of the likely harm that its circular sought to address. RBI had not found the activities of VC exchanges to have actually adversely impacted any RBI regulated entity. In case any such harm was actually caused, the court expected at least some empirical data about degree of harm suffered by the regulated entities. In the absence of any such harm or any empirical data establishing the degree of harm to regulated entities, the court found the absolute ban on trading of VCs and functioning of VC exchanges to be disproportionate.

Second, RBI did not consider any less intrusive alternative regulatory response. An Inter-Ministerial Committee had initially suggested that an absolute ban would be an extreme tool. This Committee had observed that the same objectives could be achieved through less intrusive regulatory measures, as reflected in the Crypto-token Regulation Bill, 2018. Referring to this observation as well as several other authoritative international sources such as the European Parliament and the Financial Action Task Force ('FATF'), the court found that RBI did not consider the availability of alternatives before issuing the Circular imposing an absolute ban. Consequently, the Circular was held to be a disproportionate measure.

Both these reasons suggest that the Supreme Court expected the RBI to perform a basic Cost-Benefit Analysis ('CBA') before issuing the circular. A CBA would have enabled the RBI to identify multiple possible solutions to the problem and then choose the most appropriate one. Statutory laws in most advanced jurisdictions usually require regulators to conduct a CBA before issuing a regulation. In contrast, Indian laws do not impose such high regulatory governance standards on regulators. But this may soon need to change.

A nascent trend

As highlighted by Krishnan and Burman (2019), judicial review of legislative action by a regulator is rare in India and in the rarest of the rare cases, such judicial review hinges on regulatory governance standards. The Crypto Judgement is one such rare instance. To the best of our knowledge,the only other instance was in COAI vs. TRAI (‘Call Drop Judgement’) in 2016. In that case, the Supreme Court had similarly struck down a regulation issued by Telecom Regulatory Authority of India ('TRAI') for inadequate regulatory governance.

The Telecom Consumer Protection (Ninth Amendment) Regulation, 2015 required telecom operators to credit Rs. 1 to a calling customer for a maximum of three call drops per day. A number of telecom operators challenged this regulation for violation of Article 14 (arbitrariness) as well as section 11(4) of the TRAI Act, 1997, that imposes a broad legal obligation on TRAI to act transparently. The Supreme Court held TRAI’s action to be arbitrary since it had failed to substantiate how it arrived at a compensation amount of Rs. 1 and that too only to the calling customer. The court concluded that the regulation was based on mere guess work without any intelligent care and deliberation.

Further, the telecom operators had raised these issues in public comments, but TRAI had failed to consider their arguments while framing the regulations. Relying on the transparency requirements under section 11(4), the court held that TRAI should have responded in a reasoned manner to those comments which raised significant issues. Evidently, the Supreme Court struck down the call drop regulation due to inadequate regulatory governance standards in issuing regulations. For this, the court resorted to a broad interpretation of the transparency obligation under the TRAI Act, 1997.

In contrast to the TRAI Act, 1997, the RBI Act, 1934 does not explicitly impose any statutory obligation on RBI to be transparent or proportionate in regulation-making. The Supreme Court in the Crypto Judgement applied the general administrative law principle of proportionality to strike down the Circular. This has now set a precedent for holding regulators accountable while exercising their legislative powers, irrespective of whether their parent statute explicitly imposes any obligation of transparency or proportionality while issuing regulations.

Potential consequences

These two precedents undoubtedly empower citizens against arbitrary regulatory actions. Regulations issued by different regulators are likely to face legal challenges in the future on grounds of inadequate regulatory governance. Only time will tell whether such challenges would succeed. If they succeed, one would reasonably expect the respective regulators to take corrective actions to avoid more legal challenges (and the associated costs). That would indeed be the best outcome. However, research suggests, this may not be so.

Krishnan and Burman (2019) interviewed three past members of boards of Securities and Exchange Board of India, Pension Fund Regulatory and Development Authority and Competition Commission of India to understand whether statutory regulators undertake corrective exercises if their actions are struck down by courts or tribunals. The unanimous opinion was that regulators have no systematic process to analyse the decisions of courts and tribunals in order to correct defects in procedures and processes. Therefore, risk of future litigation by itself may not result in regulators improving their internal governance. Instead, deeper legislative reforms would be necessary.

Case for legislative reforms

Litigation is welcome in a democracy. It is the most potent tool in the hands of the citizenry to keep a check on the excesses by the powers that be, including the regulators. That tool is not to be blunted at any cost. But what is in question is its efficacy, delays apart, in laying down regulatory governance standards in a holistic manner by taking into consideration all aspects of regulation making.

Robust legislative reforms would be significantly better at improving Indian regulatory governance standards compared to case-law jurisprudence. A litigation at most raises few regulatory governance issues relevant to that particular case. The process takes a long time to complete, moving through the appeals process. Moreover, there could be debate on the applicability of a judgement delivered with respect to the regulations made by one regulator under one statute, to the regulations made under another statute by another regulator. This creates uncertainty in the regulatory regime. In contrast, a parliamentary legislation on regulatory governance would provide a relatively wholesome framework. Such a law could help India leapfrog to higher regulatory governance standards, instead of relying on piece-meal case-law jurisprudence to develop over decades. Between litigation and legislation, legislation is certainly a better tool to improve regulatory governance.

Proposed legislative reforms

In the Call Drop Judgment, Justice Nariman had exhorted the Indian Parliament to enact a regulatory governance law along the lines of the APA in the USA. The APA lays down standard procedures for rule making and adjudication in USA. It applies to all executive branches of the federal government and even independent agencies, subject to suitable modifications. The APA also prescribes standards for judicial review of agency actions.

In India, the Financial Sector Legislative Reforms Commission ('FSLRC') had recommended similar processes for financial regulators in 2013. These recommendations were hardcoded into the draft IFC. Based on this, the Ministry of Finance had released a handbook on regulatory governance in 2016 for voluntary adoption by the financial sector regulators. Evidently, the policy thinking on these issues is mature enough for initiating necessary legislative reforms.

Currently, India does not have a comparable statute like APA or the draft IFC. Each Indian regulator has its own unique regulatory governance standards embedded in its governing statute or in some cases, even in regulations. These standards hardly match up to the global best practices. For instance, Burman and Zaveri (2019) measured the performance of four prominent Indian regulators on a responsiveness index based on international best practices on public consultation process. None of the regulators scored more than 5 out of 10. The situation is likely to be worse in government ministries and departments, since their processes are based more on custom and lack any statutory backing. This creates a situation where not only regulators are following different statutory standards, but government ministries and departments are functioning without any statutory standards at all.

India needs an overarching regulatory governance statute along the lines of APA and draft IFC, applicable to all regulators and government departments. This law should have two broad elements. First, it should lay down standard processes for framing rules and regulations, conducting affairs of the regulatory board, annual reporting, approval for regulated activities, investigation and adjudication. For regulation-making, the minimum standards of public consultation, where feasible, and CBA must be embedded in the statute. While developing such CBA standards, policymakers must ensure adequate flexibility to regulators so that a CBA need not necessarily be quantitative and could also be purely forward looking in nature. Second, the law should lay down precise standards for judicial review of actions taken by government departments and regulators under the law. Judicial review should be restricted to ensure that minimum standards of regulatory governance are complied with. Overall, such a law would enhance regulatory governance and improve predictability.

Conclusion

Since the liberalisation of 1990s, the optimism about specialised regulators has been replaced with concerns about regulatory governance in these institutions. Judicial precedents such as the Crypto Judgement and Call Drop Judgement help address these concerns to some extent. However, the risk of future litigation by itself may not nudge regulators to improve their internal governance. Instead, deeper legislative reform along the lines of APA in the USA and the draft IFC in India, is necessary. Policymakers would do well to heed Justice Nariman’s advice. The good news is, the FSLRC suggested IFC has the draft for consideration.

References

Burman and Zaveri, Measuring regulatory responsiveness in India: A framework for empirical assessment, William & Mary Policy Review (2019).

Krishnan and Burman, Statutory regulatory authorities: Evolution and impact, in Kapur and Khosla, Regulation in India: Design, Capacity and Performance (2019).

Roy, Shah, Srikrishna, Sundaresan, Building state capacity for regulation in India, in Kapur and Khosla, Regulation in India: Design, Capacity and Performance (2019).

 

Pratik Datta is a Senior Research Fellow and Varun Marwah is a Research Fellow, at Shardul Amarchand Mangaldas & Co. We thank Mr. Shardul S. Shroff, Mr. Sudarshan Sen, Mr. Prashant Saran, Mr. Gopalkrishna S. Hegde and two anonymous referees for useful comments. All views expressed are personal.

Tuesday, April 07, 2020

RBI vs. Covid-19: Understanding the announcements of March 27

by Rajeswari Sengupta and Josh Felman.

When the first cases of Covid-19 started getting reported in India, the economy was already in a precarious situation and the space for a macroeconomic policy response was limited. Even so, the Reserve Bank of India has come up with a number of initiatives to combat the crisis. In this article, we consider the broad principles that should guide the macro policy response, summarise the RBI announcements of March 27, and assess the announcements against the principles.

Background


The "corona crisis" consists of three interlinked problems: a health shock, an economic shock following from the lockdown, and a global economic downturn. Each one of these shocks on its own is significant. Put together, they have created considerable pressure upon policy makers to act quickly and decisively.

Coming up with an effective policy response is not an easy task. For one thing, the corona crisis poses some exceptional difficulties. It is clear that the human and economic toll will be serious, but it is unclear how long the crisis will last or how deep the damage will be. And without a clear understanding of the size and duration of the problem, it is difficult to know how to calibrate the policy response. For example, monetary easing could take a year to have a significant effect. By then the problem might be over, and inflation might have re-emerged, at which point painful measures would be required to bring it down. This is not just a theoretical possibility, it is precisely what happened in the aftermath of the Global Financial Crisis in 2009-13.

Principles of policy response


Policy making is difficult in the best of times. It is harder in exceptional times, when there is pressure for quick actions, grounded in reduced analysis. It is in exceptional times that the toolkit of good governance becomes even more important:

  • The lowest cost actions are those which are grounded in root cause analysis.
  • Each action needs to be carefully weighed in terms of the costs and benefits imposed upon society.
  • As much as possible, policy responses should be fitted into existing rules and frameworks.
  • All state actions should be preceded by public debate and consultation.

This toolkit is a valuable discipline, an institutionalised application of mind. Why is root cause analysis important? Consider the problem of weak banks lending to firms in recent years. From 2018 onwards, RBI has been trying to address this problem by injecting more and more liquidity into the banking system, in the hope that banks would deploy these resources and lend more (link, link, link). But liquidity issues were not at the root of the problem, the twin balance sheet (TBS) stresses at firms and banks were the real issue. Bank lending has also been discouraged by the government’s measures to investigate and prosecute bank officials for their lending decisions. As a result of these factors, banks have remained reluctant to lend to the private corporate sector, curtailing credit to industry to a year-on-year growth rate of just 0.67 percent in February 2020.

As an example of poor cost-benefit analysis, consider the regulatory decisions after the Global Financial Crisis. At the time, it was felt that exceptional times called for exceptional deviation from prudent financial regulation. A series of restructuring schemes followed, allowing banks to postpone NPA recognition and hide bad news. With the benefit of hindsight, we know that this restructuring worked poorly, and helped prepare the ground for the twin balance sheet crisis of 2011-2020.

As for respecting frameworks, there is a temptation during crises to abandon rules and resort to discretion. But recent experience warns us that "temporary measures" are often difficult to reverse (consider the 2010 fiscal stimulus), while inadvertent consequences (such as NPAs) are difficult to resolve. More fundamentally, temporary measures disrupt the stable configuration of expectations of economic agents, which hamper the recovery. It takes many decades of consistent behaviour in a rules-based framework to shape the rhythm of the working of state institutions, to build up policy credibility. This credibility can be rapidly dissipated.

Hence, policy makers need to proceed cautiously.

The March 27 announcements


It is in this context that we need to examine the March 27 announcements. Four bold actions were taken, following an "out of cycle" i.e., unscheduled Monetary Policy Committee (MPC) meeting:

  • The repo/reverse repo rates were cut by sizeable amounts, to 4.40/4.00 percent from 5.15/4.90 percent. The 91-day treasury bill rate, which measures the de facto stance of monetary policy, dropped to 4.31 percent from 5.09 percent on 26 March.

  • Ordinarily, banks can borrow on a short-term basis from the RBI using the repo window. To supplement this facility, a new `targeted long-term repo operations' (T-LTRO) mechanism, with a limit of Rs.1 trillion, was announced. Banks may find this attractive because they do not have to mark to market the investments made with these borrowed funds for the next three years. However, there is a condition: the money that is borrowed here must be deployed in investment-grade corporate bonds, commercial paper, and non-convertible debentures, over and above the outstanding level of their investments in these bonds as on March 27, 2020.

  • The cash reserve ratio (CRR) was reduced by 1 percentage point, bringing it down to 3% of deposits ("net demand and time liabilities"). This is the first time the CRR has been changed in the last 8 years. RBI's initiatives appear to be motivated by the desire to increase liquidity, as their statement highlights that these measures will free up Rs 3.74 trillion in banks' funds.

  • Banking regulation requires banks to recognise and provide for a loan when there is a delay in payment. According to the Prudential Framework for Resolution of Stressed Assets, banks are required to classify loan accounts in special mention categories in the event of a default. The account is to be classified as SMA-0, SMA-1 and SMA-2, depending on whether the payment is overdue for 1-30 days, 31-60 days or 61-90 days, respectively. RBI has now modified this regulation, so that banks can offer a moratorium of 90days for term loans and working capital facilities for payments falling due between March 1, 2020 and May 31, 2020. However interest on the term loans will continue to accrue during this period. If a firm applies for and receives a moratorium, the loan account in consideration will continue to be recognised as a standard asset and the SMA classifications will no longer apply. Interest on term loans will continue to accrue during this period. 

Analysing the monetary policy announcements


Monetary policy is most effective when economic agents understand and can anticipate the behaviour of the MPC. This process of learning and understanding is still underway, given that India is in the early years of building up the credibility of the inflation targeting framework and the MPC process. So, one would have expected that the MPC statement would go into great details and spell out its macroeconomic forecast, explaining why it believed the 75 basis points rate cut was consistent with its commitment to the 4 percent inflation target.

However, tt did not explain the rate decision in the context of a revised inflation forecast, or any other element of a macroeconomic forecast. It did not offer a justification for the magnitude of rate cut chosen.

Since the rate cut announcement was not couched in the standard IT framework, the public does not have the assurance that the rate cuts will be reversed when inflation begins to rise again. To remedy this problem, monetary policy actions could henceforth be couched in terms of this framework, as a way of assuring the public that the RBI is keeping its eye on this critical objective, and that the mistakes of the past will not be repeated.

Analysing the banking regulation announcements


We know that the corona crisis is a temporary shock. Standard economic theory tells us that the optimal response to a temporary shock is for (viable) firms and households to obtain financing, so that they can tide over the difficult period. Over the next few months, three categories of firms will emerge: a) firms that are able to pay their dues throughout the crisis period, b) firms that are fundamentally viable and can survive provided they are given adequate credit support, and c) firms whose business is faulty and who should become bankrupt as a result of this shock.

It will be important for the banks to distinguish among these firms. Banks should ideally do nothing with firms in category (a), extend credit support to firms in category (b), and take the firms in category (c) to the insolvency and bankruptcy courts as and when that process resumes.

Under the 27 March package, the RBI has given regulatory approval to banks and other lending institutions to decide which of their customers needs a 90-day deferral. This decision, to allow banks but not require them, to grant moratoria is a good one, as it allows banks to distinguish among the three types of firms.

However, the plan is not without drawbacks.

  • No mechanism has been created to classify the loans that will be rescheduled, so transparency has been lost. Investors – already nervous because of accounting surprises at Yes Bank and other financial institutions – will consequently provide capital only at a cost marked up to reflect this information risk premium. And this increase in banks’ costs will be passed on to the borrowing corporate sector.
  • Moratoria will create problems for pass-through certificates, i.e. loans that have been bundled as bonds and sold to mutual funds, because there are no provisions in these certificates for loan rescheduling.
  • Finally, and most importantly, there is no clarity on what happens once the moratorium period is over. How will banks clean up the mess that will be created later, as many of the firms which benefited from the moratorium end up defaulting? There will be a new wave of NPAs, which we know from experience will be difficult to resolve.

There is also a risk: now that a "temporary" moratorium has been introduced, there will be pressure for it to be extended again and again. If the RBI is unable to resist, we will quickly find ourselves back in the 'extend and pretend' era of post-2008. Banks, investors, the RBI, will all be navigating in a fog, since no one will know – and hence, be able to deal with -- the true size of the bad loan problem.

In other words, under the current design, there are risks that the costs of the moratoria could end up exceeding the benefits. Is there an alternative? In fact, two supplementary actions could reduce potential costs, while preserving the benefits.

First, RBI could announce that firms seeking a moratorium would be marked in a separate category. This would give transparency regarding the true financial situation of the banks. There will also have been a bit of a stigma for borrowers, helping to preserve debtor discipline. If a firm has no choice, it will still postpone repayment. But if a firm can afford to pay, it will do so, in order to escape the stigma.

Second, forward planning could help deal with the consequences of the inevitable surge in defaults. Even before the corona crisis, bankruptcy cases were taking far longer than what the law stipulates. Large cases were taking several years to resolve. If this situation is not addressed, there is a risk that large sections of the economy will be tied up in bankruptcy courts, making it impossible for the economy to return to normal, even after the virus abates. To make sure this does not happen, the Insolvency and Bankruptcy Code (IBC) needs to be reformed urgently in order to ensure faster and effective resolution. Such reforms would also have an immediate benefit: banks would be more confident in lending now if they knew the IBC would not be overwhelmed by cases after the crisis is over.

Reviving credit growth


The need of the hour is to revive credit to the private corporate sector. But the marginal benefit of the RBI adding more liquidity to a system that is already in a surplus mode is not clear. This strategy has already been tried, without success. It is unclear why it would work now, especially now that uncertainty about firms' prospects has only increased.

For a proper root cause analysis, let’s go back to economic fundamentals. Consider a loan decision. When a bank decides to approve a loan, it is performing two functions simultaneously: it is assuming risk, and it is allocating capital. In the current circumstances, it is still possible for banks to allocate capital. They can assess which firms are more likely to be hit badly by the crisis and which firms are going to be less affected. That is, banks can figure out the relative risk. The problem for the banks is that right now they cannot assess the absolute level of risk, because they do not have any idea about how long the crisis is going to last, or how deep the crisis is going to be. And this shock has come at a time when banks have already become risk-averse given the last few years of balance sheet problems. Hence, it is difficult for them to lend, especially to new customers.

In these circumstances, giving them liquidity, exhorting them, coming up with any number of subsidy schemes, will not work. But there is a possible solution. The government-- not the RBI -- could relieve the banks of the burden that they cannot manage: the burden of risk.

This can be done through a mechanism as follows. The government can capitalise a fund which will then give loan guarantees. The scheme would have some selection criteria, say MSMEs that have been current on their bank loans. It would also specify the maximum rupee amounts per firm, pegged say to the annual revenues of the company. Once the eligibility criteria are specified by the government, the actual selection of the firms would be done by the banks. They would identify the best firms, originate the loans, and then apply to the fund for guarantee coverage. The banks should be charged a fee for this, to discourage them from using the fund unnecessarily.

In this way, we could use the law of comparative advantage to obtain better economic outcomes: the government would do what it does best in crises, namely bearing risk, while the banks would continue to do what they do best, namely allocating capital.

Conclusion


The RBI’s March 27 announcements were bold and decisive. In particular, the reduction in the repo rate by 75 basis points will provide significant debt service relief to firms and households. This is a welcome measure, at a time when their cash flows are going to be seriously strained. The announcement that banks will be allowed to grant temporary debt moratoria to firms and households could also prove a major help, for exactly the same reasons.

That said, the announcements could have been better grounded in basic principles. The root causes of the banks’ reluctance to lend have not been addressed. At the same time, the way the policy actions were designed and announced run the risks of damaging confidence in the existing frameworks. The public may not be so sure that the authorities remain committed to preserving low inflation or financial stability. Nor is it clear that there is an "exit strategy", to ensure that the defaults will be resolved expeditiously, allowing the economy to return quickly to normal, once the health crisis is over.

There is still time to clear up these ambiguities, and remove any doubts. Initial actions can be followed by supplementary steps, and initial problems can always be remedied. This will take careful root cause analysis, cost-benefit calculations, and a determination to reinforce existing policy frameworks.



Josh Felman is a researcher specialising on India. Rajeswari Sengupta is a researcher at IGIDR.