INDIA’S DIGITAL PROMISE
In many ways the past decade can be considered the golden age of India’s digital transformation. As a nation that bypassed manufacturing-led growth and leapfrogged into a service-driven economy, India has significant expectations from technology and its promise of social and economic development. The recent years have therefore witnessed an unprecedented push towards digitisation and increasing access to both basic technologies and government services. The “Digital India” programme – Prime Minister Narendra Modi’s flagship project – encompasses these goals by striving to provide reliable and secure digital infrastructure which can act as a conduit for government services. The programme aims to empower citizens th rough digitisation of government services while concurrently increasing literacy among many of India’s first-generation adopters of technology.
In an effort to remedy India’s high levels of income inequality, a significant portion of this push for digitisation is geared towards economic and financial inclusion – towards ensuring that Indian citizens have access to formal means of savings, credit facilities and investment opportunities. Digitisation has also created the opportunity to build an ecosystem that supports more economic activity in cyberspace, not only generating additional value and contributing to the country’s growth but also creating incentives for Indian innovation.
In this endeavour, digital payments systems have emerged as a primary indicator of India’s technology-led growth – serving previously underrepresented communities1 and encouraging the growth of disruptive startups. In many ways, the success of digital payments represents a maturing of an economy on its way to being truly cashless while also displaying a trust in technology that has so far been missing globally. To be sure, this is no small task. Technological adoption is replete with many challenges that are uniquely Indian. While many of these have been surmounted in recent years, maintaining the momentum of digitisation and growth would truly indicate that the country is moving towards achieving economic parity and perhaps creating an ecosystem that can be replicated in other parts of the emerging world.
These difficulties associated with digital growth can be broadly categorised as those of infrastructure, capacity and regulation. The success of this story depends on reconciling these multifarious challenges while ensuring adequate safeguards for user rights. This paper begins with an overview of India’s digital payments landscape. It examines which regulatory principles have spurred the growth of payments and which ones have hindered it. It also takes stock of institutional safeguards currently in place to ensure the security of digital payments in India and offers recommendations to make this growth sustainable.
A NEW DIGITAL ECONOMY
India’s current regulatory push towards a cashless society is mindful of the realities around the lack of digital literacy and lack of access. The Digital India programme hopes to extend banking facilities to the unbanked while simultaneously allowing users to operate their accounts remotely and virtually authenticate their identities and transactions.
This ambitious goal is centred on the Indian government’s JAM trifecta (Jan Dhan-Aadhaar-Mobile). However, implementation of the programme is often hindered by the aforementioned challenges. The Jan Dhan programme2 is aimed at bringing about comprehensive financial inclusion by ensuring universal access to banking facilities for every household in India. Launched in 2014, it enables access to financial services such as savings accounts, insurance and pension by allowing citizens to open zero-balance accounts. For ease of access, these accounts can be opened by submitting an identity document issued by any government department or a letter issued by a gazetted officer. For those without any valid legal identity, the Aadhaar programme seeks to provide a unique digital identity to all Indian residents – giving those living at the fringes of society the ability to participate in the formal economy. Aadhaar issues a unique 12-digit number to every enrolled citizen that is matched with their biometrics – fingerprint and iris scan – and demographic information – such as address, registered phone number etc. The lynchpin of the JAM programme though is access to a mobile phone that users need to operate these services.
Official sources claim that the JAM trinity has resulted in the opening of as many as 295 million bank accounts since 2014. Up until a few years ago, a significant portion of the Indian population did not have access to banking, thus restricting their ability to conduct high-volume transactions. Although this has significantly improved over the past few years – with almost 80% of adult Indians now having access to financial institutions – many problems persist. Nearly 38% of all Indian bank accounts remain inactive, indicating that their owners are not yet integrated into the formal economy. Even for those that own bank accounts, access to ATMs and commercial bank branches remain woefully inadequate. While the Digital India programme has leveraged technology to create pathways to basic services, the true goal of inclusion is often foiled by the lack of supporting infrastructure.
It was thought that these limitations could be overcome by bypassing institutions such as banks and ATMs. In this regard, mobile payments have been considered a panacea to the physical limitations of the formal economy. And yet, in spite of India’s relatively high cellular penetration6 only about 5% of users access a financial institution over a mobile phone or the internet in 2017.7 Moreover, while 44% of urban customers have adopted digital payments services, the number drops to a meagre 16% in rural areas. This would indicate that in addition to the infrastructural shortcomings discussed above – such as access to secure smartphones and the lack of network infrastructure – other factors like inadequate digital literacy also cloud schemes meant to increase financial inclusion.
These setbacks, however, have not dampened New Delhi’s enthusiasm and the government continues to steer an administration with “Digital India” as its flagship programme. But in a marketplace where the immediate need is structural overhaul and capacity creation, India remains committed to solving systemic challenges through regulatory intervention. Indeed, what perhaps distinguishes India’s digitisation approach from that of western nations is the fluidity of its marketplace – where the government in addition to being a regulator has also assumed the role of an innovator, developing applications and services like the Bharat Interface for Money (BHIM) and the Aadhaar Enabled Payment System (AEPS).
While Aadhaar with its centralised database of over a billion Indians’ biometric information remains the current administration’s crown jewel, equally noteworthy is the creation of the Unified Payments Interface or UPI.8 The UPI is a single window payment framework that allows users to transact with banks, mobile wallets or applications. Once connected with a user’s bank account through a linked smartphone, the UPI ID allows a user to send and receive money across platforms. The UPI application program interface (API) has also allowed companies like Google9 and Whatsapp10 to introduce peer-to-peer payment systems in India. The adoption of UPI has also enabled transactions over Indian digital payment startups like PhonePe to skyrocket.11 The success of the UPI – marked by the emergence of numerous private payments apps – is partly due to the regulatory ecosystem. However, ongoing developments indicate that a slowdown in this growth may be imminent.
REGULATING THE NEW MARKETPLACE
At the heart of India’s digital payments infrastructure lies a body called the National Payments Corporation of India (NPCI). While the NPCI self-defines as an “umbrella organisation” for retail payments in India, the body escapes easy classification. Established as a Non-Profit Company and under the provisions of the Payment and Settlement Systems Act, 2007, the NPCI started out as an operator of inter-bank ATM transactions. Today, it manages instant electronic transfers between banks, owns and operates the UPI along with a suite of other digital payment apps, issues the RuPay card, which is a direct competitor to Visa and Mastercard, and drafts guidelines for digital payments in India. It is simultaneously a payments network, a payments app developer and a quasi-regulator.
While the overwhelming majority of shareholding of the NPCI is held by big banks, the body itself answers to the Reserve Bank of India (RBI), the Ministry of Electronics and Information Technology and the Indian Government’s think tank, the NITI Aayog. The Reserve Bank of India, which has the overarching mandate of regulating all financial and payment ecosystems in India, approves policies that are drafted by the NPCI, and issues its own guidelines.
This regulatory murk, coupled with the fact that the rate of adoption of digital payments has fallen well below expectations, has raised questions on the competence of the RBI to manage the digital payments ecosystem. Consequently, after 10 months of deliberations, an inter-ministerial committee (that included the RBI) has recommended removing digital payments from under the ambit of the central bank. All members of the committee, with the exception of the RBI, recommended the creation of an independent Payments Regulatory Board so that regulatory institutions can keep up with evolving technologies.
SECURITY VERSUS GROWTH
A large part of the slowdown in the adoption of digital payments in India can be attributed to the overly cautious approach adopted by the Indian regulatory ecosystem – specifically the RBI. Take for instance, the insistence of the central bank on mandatory two-factor authentication (2FA) for all digital transactions. The 2FA requirement, which India has adopted for nearly a decade, is being seen as a model that causes unnecessary friction in payments – especially subscription-based payments – thus hindering the adoption of digital payment systems by businesses. The only consolation that the RBI has provided in this regard is the relaxation of 2FA for card-not-present transactions for less that INR 2000 or approximately 30 US Dollars.
Although the author has previously argued that even this relaxation has the potential to lessen the security of digital transactions across the country, it is undeniable that certain payment models are entirely foreclosed by a mandatory 2FA requirement.
This point was driven home when the UPI 2.0 launched by the NPCI earlier this year also failed to introduce automatic payments. Automatic or recurring payments are what all subscription-based payments rely on and have the potential to increase the number of payments made over UPI manifold. In fact, they were being seen as such an obvious step in the evolution of digital payments that many payment service operators had already designed new payments packages before the UPI 2.0 was released. This too was seemingly a result of the RBI’s insistence.
While there is an increasing apprehension that these regulatory impulses might deny India the promise of digital transformation, the RBI’s approach is not entirely misplaced. In spite of boasting the world’s second largest internet user base, internet penetration in India remains under 30% and is restricted mostly to urban centres. The next wave of people coming online will not only be first-generation internet users but will also be relatively lacking in digital literacy. Given these realities, it is not difficult to imagine that relaxation of security standards will adversely affect this very demographic. These threats are only exacerbated when one considers the low institutional capacity among Indian law enforcement authorities to adequately tackle cyber-crimes.
Taken together these issues make the resolution of the digital payments problem in India a complex one. At first it may seem that the answer lies in solving the chicken and egg riddle: should the institutional security architecture be strengthened before increasing adoption of payments or will the opportunity to harvest digital payments-driven growth disappear if regulatory issues are not addressed? The problem may in fact lie in the dichotomous framing of the issue.
INCLUSIVE GROWTH AS THE FUTURE
The reason why the growth of digital payments in India seemed transformative – at least for a while – was because it relied on unnatural market impulses to surge ahead. In the wake of demonetisation23 of nearly 80% of India’s currency, the UPI, for example, saw a 1,540% rise in transaction volumes. This rate of growth is naturally unsustainable. As multiple analyses have subsequently shown, although digital payments are on the rise, cash-based transactions (a staple of the Indian marketplace) have normalised to pre-demonetisation levels.
The post-demonetisation behaviour also holds important lessons for the Aadhaar programme that has primarily relied on coercive measures for speedy adoption; that Indians may play by new rules when they are forced to, but will likely resort to natural behaviour when the pressure is eased. In addition to the structural complexities of transacting online, this is indicative of a wider distrust that Indians share of internet-based payment systems. Sustainable growth of the sector, therefore, is only possible when wider trust is built in the medium and questions around ease of access are addressed.
The creation of best-in-class standards for network, information and data security can go a long way in addressing some of these trust issues. A familiar refrain from India’s security establishment has always been that cyber security is not seen as a board-level priority by technology companies while the companies themselves bemoan non-involvement in standard-setting processes.
To address this, India’s standard-setting processes must be harmonised with increased private sector involvement. This can be achieved through continued multistakeholder consultations with the industry, allowing institutions to adopt self-regulatory frameworks wherever possible and increasing transparency in the rule-making processes of institutions like the RBI and NPCI.
When apprehensions around the relaxing-security-for-growth issue arise, Indian regulators can adopt a sandbox approach where market-friendly policies are adopted until enough data can be obtained to make regulatory decisions one way or another.
CONCLUSION
The one thing that becomes clear is that if India aspires to become a model of digital growth and development for the rest of the emerging economies, then it cannot just rely on exporting Indian technology and solutions to these markets. There are two significant strengths that the Indian marketplace offers. First, the large market size makes it an arduous proving ground for any technology-led innovation. If a digital solution is able to adapt to and scale in the Indian market with its linguistic and structural barriers then the model of growth for that solution is more likely than not sustainable in other parts of the world. Second, despite its manifold problems, Indian innovation operates within the bounds of a democratic ring-fence. Therefore, the digital solutions exported out of an Indian market will have necessarily demonstrated adherence to strong institutional safeguards.
These expectations also place an additional burden on Indian policymakers. For an economy that to a large part defines its growth in opposition to the Chinese model, India must ensure that it does not bow to the same market pressures (and compromises) that have defined its eastern neighbour.
***
Bedavyasa Mohanty is an Associate Fellow with Observer Research Foundation’s Cyber Initiative. His current work focuses on encryption and the regulation of lethal autonomous weapons systems. Bedavyasa coordinates ORF’s cyber security capacity building for Indian law enforcement officials and is the convenor of CyFy, ORF’s flagship conference on technology, security and society. He is a lawyer by training and completed his BA LLB (Hons) from the National University of Juridical Sciences, Kolkata. Bedavyasa’s latest paper, “Hitting Refresh”, analyses elements in the data sharing process between law enforcement agencies in India and the US and offers reforms to address them.
This article was published in Panorama. Insights into Asian and European Affairs, 2/2018: Digital Asia
For the full article including footnotes, please see the PDF.