20 Oct

Designing Regulations for a Rapidly Evolving Financial System – Financial Systems Design Conference 2017

By Nishanth K & Madhu Srinivas, Dvara Research 

Dvara Research (formerly known as IFMR Finance Foundation) held its 3rd Financial Systems Design Conference on August 4th and 5th, 2017 in Chennai, India. The two-day Conference brought together a carefully curated group of regulators, academics and thought leaders in financial services to examine the trend of Modularisation and its implications for regulation design for the Indian Financial System.

Modularisation is defined as the unbundling of the financial services value chain into different modules. Traditionally, the financial services industry has been populated with institutions that perform all the functions associated with the delivery of a product to a consumer. From the on-boarding of the customer to the delivery and servicing of the product, a majority of, if not all, the functions associated with the sale are performed internally within an institution, as in the case of full-service banks.

The recent trend of firms engaging in only a specific part of a financial transaction typifies the growth of Modularisation in the system. In a modular financial system, each module contains a set of functions which may now be performed by different institutions. This allows specialised firms to combine their offerings together and provide a financial product to the end customer.

This unbundling of services could potentially benefit the consumer in multiple ways. However, regulation would have to evolve to mitigate any amplification of existing consumer risks as well as new risks to the consumer because of modularisation. Additionally, the regulators would also need to be aware of the implication of modularisation on systemic risk.

Given the above context, the Conference hosted a set of sessions that covered a discovery of potential impacts, benefits and harms to consumers from Modularisation, as well as implications for prudential and customer protection regulations for the modular world, led by experts from India, US and Australia.


Conference Participants

The conference was structured in a manner conducive to addressing the following questions at its core:

  1. How has Modularisation been shaping, and how could it potentially shape, the financial services industry?
  2. How should regulation respond to the trend of Modularisation?

The Conference yielded rich discussions and the participants identified several interesting issues and priorities for the Indian financial system. The Conference website contains the agenda and the profiles of participants. In the coming days, we will release the conference proceedings and, through a series of posts, detail the insights that came out of the discussions at the conference.

10 Oct

Estimating Loss Distribution for a Securitisation Transaction

Vishal Saxena and Dilip Mohan from IFMR Capital have authored a chapter in the latest edition of The Securitisation & Structured Finance Handbook 2018 (published by Capital Markets Intelligence). The chapter discusses an approach to estimate the loss distribution for a loan portfolio. This loss distribution can be used to calculate the expected loss in a securitisation transaction, loan loss reserves, economic capital and value-at-risk. The authors first derive the limiting distribution of the portfolio loss as presented in papers by Vasicek (1987 & 1991) and then describe how they have extended the model to take care of the non-homogeneous subgroups in the portfolio.

19 Sep

The Nature of Financial Advice for Low-income Households

By Bindu Ananth

I was at an excellent behavioural finance conference organised by the Michigan University’s Centre on Finance, Law & Policy last week. One of the panels on investor protection debated issues including the impacts of disclosures, choice architecture and social norms marketing on investor behaviour. There was also an interesting discussion on the role of advice and advisors in de-biasing investors or exacerbating weaknesses.

In the audience Q & A, in response to a question on the role of financial advice for low-income investors, one of the panelists responded that failures in the market for advice were less of an issue here since, by and large, the right answer in most cases is just “save more for the future”. I found myself disagreeing strongly with this notion, and it was one more reminder that the field of household finance has failed to examine the financial lives of low-income families in sufficient detail. In this post, I attempt to share from our KGFS work some of the other important aspects where advice seems to matter.

One, given that human capital (NPV of net lifetime earnings) dominates financial capital (wealth) for a low-income household, all of the issues around protecting that human capital are critical because that might make the difference between bankruptcy & resilience in the face of illness/accident/death. Most advice tends to focus on investments and the portfolio allocation question and, surprisingly, pays little attention to insurance. Ibbotson et al (2007) provide a comprehensive framework to understand how human capital interacts with investment and insurance decisions. With limited resources, which members of the household should buy insurance? How much insurance should you buy? We find these are important aspects where households benefit from good advice. Specifically, insuring young, adult members of the household for the full value of their human capital is an important step. (One dilemma we faced was that a significant investment in increasing human capital that is made by households is higher education for children. The return to this investment depends greatly on the specific program and employability potential. We did not have the expertise to advise clients on this aspect but it feels like an area closely linked to the role of a financial advisor in this context.)

Second, low-income households are typically saving and borrowing simultaneously despite a significant wedge between lending and savings rates (upwards of 20% most times). We don’t understand very well the determinants of this behaviour. Clearly, it is not always the right answer to save. High rates of return on micro-enterprises have been documented by Christopher Woodruff and others. Often it makes sense for households, particularly those with surplus labour, to borrow to put together the initial capital required to undertake such enterprises. Similarly, households with low but stable cash-flows (the village municipal worker for instance) may find it reasonable to borrow to build a house rather than wait to save up for the same. Working with the household to determine when to borrow and when to save, and even combination strategies such as save for the down payment or borrow to save strategies, could be very valuable interventions.

Third, the balance sheet of a low-income household has a combination of physical and financial assets. Physical assets such as land and gold dominate. On the liabilities side, there is a combination of formal and informal loans of different maturities. It requires serious skill to arrive at the APR of some informal loans! Which loans to refinance now that advances in financial inclusion are making formal credit more accessible? Which assets may be “dud assets” (ex: a piece of land that is not being cultivated) that could be sold to bring down debt burden? Which loans have a repayment structure that adds to the financial stress of the household? Working with the household to arrive at this comprehensive “balance sheet view” seems like an important role of an advisor.

Of course, there are significant challenges in converting advice into action, and this requires more careful work and business model experimentation. Equally, careful research and creating the building blocks for good advice for low-income households are also necessary, and these cannot be extensions of existing advice frameworks. The myth that these households have simple problems that require simple fixes & simple products needs to be challenged by researchers and pioneering providers.

25 Aug

The Right to Privacy Judgment: Initial Reflections on Implications for Digital Financial Services

By Malavika Raghavan, IFMR Finance Foundation

The Supreme Court of India’s judgment on the fundamental right to privacy yesterday, 24 August 2017, speaks directly to the sweeping changes we are witnessing in the way that the State and private companies use citizens’ personal data. The collection and aggregation of individuals’ data to inform the entire chain of any welfare or commercial service provision is now de rigueur. In recent years, finance has become the poster child of this opportunity to use data: for first-time users of formal finance to be identified and diligenced; for products to be designed around their needs; for their digital and social information to stand in where they have no assets to back their promises to re-pay credit. Nowhere is this trend more alive than in India, and nowhere are the risks also writ as large. In the last 2 years we have seen a billion Indian mobile subscriptions, a billion Aadhaar numbers with over 67 crore bank accounts linked to Aadhaar numbers for direct DBT transfer among other services. We have also witnessed over 3.2 million individuals’ financial information being compromised by PoS/ATM malware; the potential for stored biometrics to be used in unauthorised authentications, and for unauthorised entities to access citizens’ personal data for eKYC purposes.

If the direction of travel is towards a more digital world, what are our protections and how should we think about regulating data in our country? The judgements in Justice K S Puttaswamy & Anr v. Union of India & Ors have laid down some touchstones to anchor how we navigate these questions in the years ahead. This post first picks out some key messages from the judgment (especially around informational privacy which has special relevance for the use of personal data in retail finance) and then presents initial reflections on implications for financial services.

Privacy is recognised as an inalienable, natural right situated across our fundamental rights

This judgement—coming to the Court as it does, as a result of cases filed on the legality of the Aadhaar project—grounds its reasoning within the context of the world we find ourselves in today. Technology is now part of our lives in a way that could not have been imagined when the Indian republic was formed 67 years ago. However, the principles on which we have founded our republic have continued relevance precisely because they guide us towards solutions for the intractable problems of our time.[1] Taking stock of this, the Supreme Court has confirmed that privacy is a constitutionally protected right that emerges primarily from the guarantee of life and personal liberty in Article 21 of the Indian Constitution, and also arises across a whole raft of fundamental rights contained in Part III of the Indian constitution.[2]

The Court has tied back the right to privacy to the basic values that the Constitution and Indian society aspire to. These are given voice to in the preamble, among other parts of the Constitution. Across all six judgement texts delivered by the nine judges of the bench, certain values have been seen as inherent and intertwined with individual privacy.

Privacy is seen as a postulate of human dignity, and an essential part of individual liberty. Privacy enables individual autonomy. Indeed it is seen as lying across the spectrum of protections—for instance, its existence is needed to prevent the state from discriminating between citizens (and infringing the right to equality) by keeping certain aspects private. The Court has also noted that privacy has both subjective and objective elements i.e. subjectively, the expectation of individuals (where they desire) to be left alone AND objectively, those constitutional values that shape a protected zone where the individual ought to be left alone.[3]

In Puttaswamy, the Court has made several important observations about the nature and content of privacy protections which will no doubt be the subject of scholarship and interpretation for years to come. But two observations in particular merit the attention of those working to improve access to finance for the underserved. Firstly, the Court refuses any notion of a trade-off between individual freedoms and development. The Kesavananda Bharati[4] judgment’s view is re-iterated, that Parliament cannot abrogate the essential features of the individual freedoms secured to citizens in India. Our Constitution does not take the perspective that in order to build a welfare State, it is necessary to destroy some human freedoms. Indeed, to quote “Our constitutional plan is to eradicate poverty without destruction of individual freedoms.”[5]

Secondly, and crucially for those of us tracking the use of personal data in financial services, individuals’ informational privacy is now firmly within the protection of fundamental rights.

Informational privacy is part of our expectation of privacy as Indians

Informational privacy i.e. the interest in limiting or controlling the access to information about ourselves, is dealt with in the lead Puttaswamy judgement by Chandrachud, J which devotes an entire section to it.[6] The Court takes note of the way in which technology has changed our lives, the digital trails we leave behind as we transact online, and the aggregation of these data points to reveal things about us that we may not expressly disclose. It notes the use of cookies to track online behaviour, the collection of users’ browsing histories, and other tools like automated content analysis of emails which can be analysed with algorithms to profile individual users. The Court notes that the use of data mining techniques, Big Data and the possibility of database linking essentially allow for aggregation of data about every single person in a manner previously not encountered.

Given this context, the Court notes the important role of data protection laws in safeguarding the privacy and autonomy of an individual, and ensuring non-discrimination on the basis of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation. The Court has recognised that a good data protection law will need to delicately balance the complex issues between individuals’ privacy interests and legitimate concerns of the state.

Para 180 of the leading judgment by Chandrachud, J contains a three-fold prescription to act as important guidance when considering how privacy might be safeguarded by ensuring:

  • that there must be a law: A law is needed to justify any encroachment on privacy, to fulfil the requirement in Article 21 of our Constitution that no deprivation of liberty can be undertaken except by a procedure established by law;
  • that law must be reasonable: Such a law must fall within the zone of reasonableness as required by Article 14 as a guarantee against arbitrary state action;
  • the law must be proportional: Any encroachment on individual privacy must be proportionate to the object and needs sought to be fulfilled by such a law.

Kaul J in his remarks presents the test of proportionality and legitimacy for limiting the state’s discretion, which requires an action to be sanctioned by law, necessary for a legitimate aim, proportionate to the need for such interference and with procedural guarantees against abuse of such interference.[7]

Reiterating the principles set out by the Government of India Group of Experts on Privacy in 2012, the Court takes note of the Committee of Experts chaired by Justice B N Srikrishna that has been constituted and will suggest a new data protection regime for the country. The work of ensuring balance is achieved in law and is manifested in practice lies ahead for all of us.

On the regulation of personal data and implications for financial services

The observations of the Court in Puttaswamy have direct implications for operational aspects of retail finance and for newer digital financial services provision. The use of new and alternative forms of data about consumers to target advertising and communication, and to appraise individuals is now a reality, as is the use of algorithms to mine data for use in processes like credit scoring. Negative outcomes from such processes that affect individuals’ privacy or cause discrimination will now be seen as infringements of fundamental rights, where state entities are involved. A horizontal data protection regime (applying to state and non-state actors) based on the same understanding of privacy would extend privacy protections for users against all types of entities.[8] As we debate the contours of privacy for our new data protection regulation and in existing financial sector regulations, we have an opportunity to shine a spotlight on existing data practices around consumers’ personal and financial information in financial institutions.

For those involved in the chain of financial services provision that is increasingly becoming more “digital”, this judgment has flagged up a new understanding of core issues. In particular, it forces more granular reflection on:

  • the kinds of data that can and should be collected, keeping in mind values of privacy and dignity of the individual;
  • the kind of data mining and algorithmic techniques that can be used, keeping in mind that such techniques cannot infringe privacy and liberty, autonomy and free choice, and equality of all individuals;
  • whether individuals’ reasonable expectations of privacy can vary based on categories and context of data; and
  • how a fair, just and reasonable law can help us find a way to ensure that the use of personal data is tied to legitimate proportionate objectives and interests.

This judgement has moved the gears for privacy and data protection in the country, ushering us into an era of change where we are seeing data protection laws globally being re-purposed for rapidly evolving technological advancements. All this will require a shift in our understanding of liability, and for our practices around accountability and reporting. All of this will need to be tackled by new data protection regulation and updating appropriate financial sector regulation – and ultimately, in the way in which our day-to-day data practices evolve within government, industry and between citizens of India.

---

[1] Justice Puttaswamy & Anr v. Union of India & Ors, ALL WP(C) No.494 of 2012, DY Chandrachud, J at page 213. (Puttaswamy).

[2] ibid, page 262.

[3] supra n 1, para 169, page 246.

[4] Kesavananda Bharati v. State of Kerala, (1973) 4 SCC 225.

[5] Ibid, para 666, pages 486-487 cited in Puttaswamy, para 108, page 105.

[6] supra n.1, para 170 – 185, pages 246 – 260.

[7] supra n.1, Kaul J at para 71, page 27.

[8] The argument of some respondents (including the UIDAI) was that the right to privacy is a common law right. This would mean it was applicable to state and non-state actors. As noted by Bobde, J in Puttaswamy, a right can be simultaneously recognised as a common law and constitutional law right. Bobde, J also noted that the content of privacy in both forms (common and constitutional) is identical, which gives rise to the potential for similar considerations to apply across state and non-state actors. See Puttaswamy, Bobde, J at para 17-18, pages 15-16.

22 Aug

Big Data, Financial Inclusion and Privacy for the Poor

Guest Post by Dr Katharine Kemp, Research Fellow, UNSW Digital Financial Services Regulation Project

Financial inclusion is not good in itself.

We value financial inclusion as a means to an end. We value financial inclusion because we believe it will increase the well-being, dignity and freedom of poor people and people living in remote areas, who have never had access to savings, insurance, credit and payment services.

It is therefore important to ensure that the way in which financial services are delivered to these people does not ultimately diminish their well-being, dignity and freedom. We already do this in a number of ways – for example, by ensuring providers do not make misrepresentations to consumers, or charge exploitative or hidden rates or fees. Consumers should also be protected from harms that result from data practices that are tied to the provision of financial services.

Benefits of Big Data and Data-Driven Innovations for Financial Inclusion

“Big data” has become a fixture in any future-focused discussion. It refers to data captured in very large quantities, very rapidly, from numerous sources, where that data is of sufficient quality to be useful. The collected data is analysed, using increasingly sophisticated algorithms, in the hope of revealing new correlations and insights.

There is no doubt that big data analytics and other data-driven innovations can be a critical means of improving the health, prosperity and security of our societies. In financial services, new data practices have allowed providers to serve customers who are poor and those living in remote areas in new and better ways, including by permitting providers to:

  • extend credit to consumers who previously had to rely on expensive and sometimes exploitative informal credit, if any, because they had no formal credit history;
  • identify customers who lack formal identification documents;
  • design new products to fit the actual needs and realities of consumers, based on their behaviour and demographic information; and
  • enter new markets, increasing competition on price, quality and innovation.

But the collection, analysis and use of enormous pools of consumer data has also given rise to concerns for the protection of financial consumers’ data and privacy rights.

Potential Harms from Data-Driven Innovations

Providers now not only collect more information directly from customers, but may also track customers physically (using geo-location data from their mobile phones); track customers’ online browsing and purchases; and engage third parties to combine the provider’s detailed information on each customer with aggregated data from other sources about that customer, including their employment history, income, lifestyle, online and offline purchases, and social media activities.

Data-driven innovations create the risk of serious harms both for individuals and for society as a whole. At the individual level, these risks increase as more data is collected, linked, shared, and kept for longer periods, including the risk of:

  • inaccurate and discriminatory conclusions about a person’s creditworthiness based on insufficiently tested or inappropriate algorithms;
  • unanticipated aggregation of a person’s data from various sources to draw conclusions which may be used to manipulate that person’s behaviour, or adversely affect their prospects of obtaining employment or credit;
  • identity theft and other fraudulent use of biometric data and other personal information;
  • disclosure of personal and sensitive information to governments without transparent process and/or to governments which act without regard to the rule of law; and
  • harassment and public humiliation through the publication of loan defaults and other personal information.

Many of these harms are known to have occurred in various jurisdictions. The reality is that data practices can sometimes lead to the erosion of trust in new financial services and the exclusion of vulnerable consumers.

Even relatively well-meaning and law-abiding providers can cause harm. Firms may “segment” customers and “personalise” the prices or interest rates a particular consumer is charged, based on their location, movements, purchase history, friends and online habits. A person could, for example, be charged higher prices or rates based on the behaviour of their friends on social media.

Data practices may also increase the risk of harm to society as a whole. Decisions may be made to the detriment of entire groups or segments of people based on inferences drawn from big data, without the knowledge or consent of these groups. Pervasive surveillance, even the awareness of surveillance, is known to pose threats to freedom of thought, political activity and democracy itself, as individuals are denied the space to create, test and experiment unobserved.

These risks highlight the need for perspective and caution in the adoption of data-driven innovations, and the need for appropriate data protection regulation.

The Prevailing “Informed Consent” Approach to Data Privacy

Internationally, many data privacy standards and regulations are based, at least in part, on the “informed consent” – or “notice” and “choice” – approach to informational privacy. This approach can be seen in the Fair Information Practice Principles that originated in the US in the 1970s; the 1980 OECD Privacy Guidelines; the 1995 EU Data Protection Directive; and the Council of Europe Convention 108.

Each of these instruments recognises consumer consent as a justification for the collection, use, processing and sharing of personal data. The underlying rationale for this approach is based on principles of individual freedom and autonomy. Each individual should be free to decide how much or how little of their information they wish to share in exchange for a given “price” or benefit. The data collector gives notice of how an individual’s data will be treated and the individual chooses whether to consent to that treatment.

This approach has been increasingly criticised as artificial and ineffectual. The central criticisms are that, for consumers, there is no real notice and there is no real choice.

In today’s world of invisible and pervasive data collection and surveillance capabilities, data aggregation, complex data analytics and indefinite storage, consumers no longer know or understand when data is collected, what data is collected, by whom and for what purposes, let alone how it is then linked and shared. Consumers do not read the dense and opaque privacy notices that supposedly explain these matters, and could not read them, given the hundreds of hours this would take. Nor can they understand, compare, or negotiate on, these privacy terms.

These problems are exacerbated for poor consumers who often have more limited literacy, even less experience with modern uses of data, and less ability to negotiate, object or seek redress. Yet we still rely on firms to give notice to consumers of their broad, and often open-ended, plans for the use of consumer data and on the fact that consumers supposedly consented, either by ticking “I agree” or proceeding with a certain product.

The premises of existing regulation are therefore doubtful. At the same time, some commentators question the relevance and priority of data privacy in developing countries and emerging markets.

Is data privacy regulation a “Western” concept that has less relevance in developing countries and emerging markets?

Some have argued that the individualistic philosophy inherent in concepts of privacy has less relevance in countries that favour a “communitarian” philosophy of life. For example, in a number of African countries, “ubuntu” is a guiding philosophy. According to ubuntu, “a person is a person through other persons”. This philosophy values openness, sharing, group identity and solidarity. Is privacy relevant in the context of such a worldview?

Privacy, and data privacy, serve values beyond individual autonomy and control. Data privacy serves values which are at the very heart of “communitarian” philosophies, including compassion, inclusion, face-saving, dignity, and the humane treatment of family and neighbours. The protection of financial consumers’ personal data is entirely consistent with, and frequently critical to, upholding values such as these, particularly in light of the alternative risks and harms.

Should consumer data protection be given a low priority in light of the more pressing need for financial inclusion?

Some have argued that, while consumer data protection is the ideal, this protection should not have priority over more pressing goals, such as financial inclusion. Providers should not be overburdened with data protection compliance costs that might dissuade them from introducing innovative products to under-served consumers.

Here it is important to remember how we began: financial inclusion is not an end in itself but a means to other ends, including permitting poor people and those living in remote areas to support their families, prosper, gain control over their financial destinies, and feel a sense of pride and belonging in their broader communities. The harms caused by unregulated data practices work against each of these goals.

If we are in fact permanently jeopardising these goals by permitting providers to collect personal data at will, financial inclusion is not serving its purpose.

Solutions

There will be no panacea, no simple answer to the question of how to regulate for data protection. A good starting place is recognising that consumers’ “informed consent” is most often fictional. Sensible solutions will need to draw on the full “toolkit” of privacy governance tools (Bennett and Raab, 2006), such as appropriate regulators, advocacy groups, self-regulation and regulation (including substantive rules and privacy by design). The solution in any given jurisdiction will require a combination of tools best suited to the context of that jurisdiction and the values at stake in that society.

Contrary to the approach advocated by some, it will not be sufficient to regulate only the use and sharing of data. Limitations on the collection of data must be a key focus, especially in light of new data storage capabilities, the likelihood that de-identified data will be re-identified, and the growing opportunities for harmful and unauthorised access the more data is collected and the longer it is kept.

Big data offers undoubted and important benefits in serving those who have never had access to financial services. But it is not a harmless curiosity to be mined and manipulated at the will of those who collect and share it. Personal information should be treated with restraint and respect, and protected, in keeping with the fundamental values of the relevant society.

---

References:

Colin J Bennett and Charles Raab, The Governance of Privacy (MIT Press, 2006)

Gordon Hull, “Successful Failure: What Foucault Can Teach Us About Privacy Self-Management in a World of Facebook and Big Data” (2015) 17 Ethics and Information Technology Journal 89

Debbie VS Kasper, “Privacy as a Social Good” (2007) 28 Social Thought & Research 165

Katharine Kemp and Ross P Buckley, “Protecting Financial Consumer Data in Developing Countries: An Alternative to the Flawed Consent Model” (2017) Georgetown Journal of International Affairs (forthcoming)

Alex B Makulilo, “The Context of Data Privacy in Africa,” in Alex B Makulilo (ed), African Data Privacy Laws (Springer International Publishing, 2016)

David Medine, “Making the Case for Privacy for the Poor” (CGAP Blog, 15 November 2016)

Lokke Moerel and Corien Prins, “Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things” (25 May 2016)

Office of the Privacy Commissioner of Canada, Consent and Privacy: A Discussion Paper Exploring Potential Enhancements to Consent Under the Personal Information Protection and Electronic Documents Act (2016)

Omri Ben-Shahar and Carl E Schneider, More Than You Wanted to Know: The Failure of Mandated Disclosure (Princeton University Press, 2016)

Productivity Commission, Australian Government, “Data Availability and Use” (Productivity Commission Inquiry Report No 82, 31 March 2017)

Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (WW Norton & Co, 2015)

Daniel J Solove, “Introduction: Privacy Self-Management and the Consent Dilemma” (2013) 126 Harvard Law Review 1880