If there is one regulator you don’t mess with, it’s RBI. At least it used to be. One of the most powerful regulators in the world, it balances the jobs that four different entities would do in most other countries. From watching over interest rates and balancing cash reserves to being the banking and payments regulator. Notionally, it’s an apex regulator for financial services and rarely involves itself in micromanagement. But with data and software ruling financial services, RBI has been drawn deep into the tech world. From data localisation to digital wallet interoperability to know-your-customer (KYC) rules.
On some issues, like KYC and interoperability of wallets, its decisions are unilateral. But in areas of regulation like data localisation, the central bank is left open to political pressure. In fact, RBI’s payments data storage rule came in the wake of deliberations with the PMO over privacy concerns following news of Facebook user data being harvested by political consulting firm Cambridge Analytica. At the same time, Facebook-owned messaging platform WhatsApp had announced a plan to launch payments services in India without having a physical presence in the country. RBI doubled down on its data security efforts.
“RBI is a sophisticated regulator, and far more difficult to deal with. So companies are negotiating with RBI from a distance. Lobbies like The US-India Business Council have gone to the PMO and Niti Aayog to help influence outcomes,” said the lawyer cited above.
But soon after the data localisation announcement, the finance ministry presented a new view and said the government was not opposed to data mirroring—i.e., keeping just a copy of data in India—creating more uncertainty, and a window of opportunity.
Currently, companies who don’t store data in the country, like Mastercard, Visa, Google and Facebook, are able to repatriate income and profits earned in India. And they are not taxed on those earnings here.
For instance, Facebook’s Indian arm—registered as Facebook India Online Services Pvt. Ltd—earned Rs 341.8 crore ($47.3 million) in revenue and Rs 40 crore ($5.5 million) in net profit in 2016-17. But it is structured as a business process outsourcing, or BPO, company that offers support services to Facebook itself. This way, the Indian arm only pays tax on the services it provides to its parent, but not on the revenue earned from Indian businesses buying ads on the social media network.
While Google has said it will store payments data in India, others like Mastercard and Visa, which are not taxed locally, said an executive at a payments company, have not made a move to invest in servers in India. These companies, said a MeitY official, know that even if they don’t comply, they won’t be asked to shut shop. The question is, who will blink first?
RBI has for a long time had a reputation for not blinking. But sometimes, it’s forced to. Last week, a panel formed by the Ministry of Finance came out with a payments and settlements system draft bill, which said that a payments regulator would be set up. So far so good. Then came the unexpected part. It said that the regulator would not be in RBI’s ambit, shocking those in the industry.
“It will be a disaster if payments oversight moves out of RBI, more so for users,” said the executive cited above. RBI is very cautious about how it’s policies impact end users and keeps them in mind while issuing licences or clearing companies to operate in this space. “If payments move out of RBI, the heaviest wallet will win.”
This is a reflection of the growing influence of the government on RBI. “It was a strong institution earlier. While still strong, under this government it is not as strong as it once used to be. So it could succumb to political pressures,” said a Bengaluru-based tech lawyer.
Another example of this is the central bank’s defiant refusal to make Aadhaar mandatory for bank accounts, as it clarified in response to an RTI query in 2017. But before long, even RBI had to bite the Aadhaar bullet. Directions from the home ministry resulted in a 2017 guideline that any new accounts opened had to be linked to Aadhaar within six months of opening. UIDAI: 1, RBI: 0.