
Friday, February 09, 2018

Hollowing out of India's financial markets: Banning trading abroad is not a choice

by Ajay Shah.

For a long time, there has been a realisation that India's policy mistakes on capital controls, financial regulation and taxation will induce a hollowing out of Indian financial markets. Here is an example from May 2012. The two most important products are Nifty and the rupee, and these are increasingly dominated by overseas activity. Non-residents have a clear choice about where they wish to send their order flow, and locals are also known to evade capital controls and take their custom to more competitive venues. This week, there is amplified concern about these problems; see, e.g., Mobis Philipose in the Mint and my article in the Business Standard.

These developments are good for the real economy, as superior mechanisms of financial intermediation are displacing the inefficiencies of the onshore financial system. This reduces the cost of doing business for foreign investors.

But at the same time, we in India are losing massive financial service exports as the business is shifting out of India. On the rupee, the estimated loss of revenue for India is around Rs.60,000 crore per year. Similar values are likely to prevail for Nifty.

In many developing countries, the lack of macro/finance policy capabilities led to a comprehensive hollowing out of domestic financial markets. This is the scenario that is being posed before India.

The correct solution to this problem lies in going to the root cause, and solving our mistakes of financial regulation, capital controls and taxation. This painstaking work has been analysed by the Standing Council on the International Competitiveness of the Indian financial sector, which was set up by the Department of Economic Affairs in June 2013 in recognition of this problem.

Men and nations will do the right thing after trying every reasonable alternative. What are these 'reasonable' alternatives?

Ban the product


I remember a time when RBI requested the UAE central bank to force DGCX to not trade INR futures. Such a ban is not in the interests of either DGCX or the UAE, and this request was not accepted.

Block the participants


RBI has tried to say to international firms operating in India: do not trade in India-related financial markets overseas. But the jurisdiction of RBI is limited. There are concerns about non-rule-of-law methods of harming firms who do not obey. RBI and SEBI periodically try to ban PN trading.

These bans are futile as India's regulators have no ability to enforce these bans. In any case, even if the ban is effective, all that will happen is that the business will move from firms that comply with India's grab for extra-territorial jurisdiction to firms that do not care about India's regulators.

Block the information products


Nifty is made by IISL, which is an India-domiciled information company.

IISL is not a financial firm and is not exposed to RBI or SEBI regulation. But perhaps non-rule-of-law techniques of coercion can be applied. Suppose this succeeds, and IISL does not license Nifty to SGX.

SGX has numerous alternatives. SGX can go to a mom-and-pop index provider who makes a Nifty-like index: an index where 49 of the 50 stocks are the same as those in Nifty. SGX can shift to the MSCI India index, and MSCI can gently move closer to the Nifty composition.

If, somehow, SGX is prevented from having an effective exchange-traded Nifty product, the business will just go OTC.

Conclusion


Let's not lose sight of what is going on. There is a trading venue that offers lower costs in investing/trading on Indian assets. We are discussing tools for protectionism through which the cost of participating in the Indian economy is driven up. This is not in India's interests.

Our course of action should lie in solving the Indian policy mistakes of capital controls, financial regulation and taxation.

A Pragmatic Approach to Data Protection

by Suyash Rai.

A Committee constituted by the Central Government is working on a data protection law. The White Paper published by the Committee suggests that the Committee is in favor of a comprehensive law, with a number of rights and protections. Many of the stakeholders seem to be demanding an even more comprehensive law. In this essay, I present analysis of certain issues relating to regulation of data protection. These are organised around the themes of: regulatory capacity; the economics of data protection regulation; jurisdiction-related issues; the rights-based approach to regulation; the need to distinguish between data protection and broader privacy concerns; approach to data protection in government organisations; balancing regulatory clarity with flexibility to allow innovations; and regulatory governance and due process requirements. In my view, reflection on these issues will help create an effective law for data protection. Towards the end of this essay, certain specific suggestions on the legislative formulation are given. However, these suggestions, which flow from the analysis, are very tentative, because much more analysis is required.

Proposal for a data protection law

The Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. judgment on the right to privacy has brought privacy-related issues to the forefront of policymaking. The Order of the Court, inter alia, said, "The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."

Among the privacy-related issues, a full-fledged policy process has been initiated on data protection. In the Puttaswamy Judgment, one of the opinions, which was signed by four of the nine judges, enjoined upon the Central Government to "examine and put into place a robust regime for data protection", which strikes "a careful and sensitive balance between individual interests and legitimate concerns of the state". Some of the other opinions also made references to the issues of informational privacy.

A Committee of Experts, chaired by Justice BN Srikrishna, was constituted while the hearings on the case were underway. The Committee has been asked to study "issues relating to data protection in India," to suggest "principles to be considered for data protection in India," and to suggest "a draft data protection bill". The following are some of the key points discussed in a White Paper published by the Committee.

  1. What is to be protected: Data protection is about protecting personal data. The Committee is deliberating what constitutes personal data. Its provisional view is that data from which an individual is directly or indirectly identified or reasonably identifiable is personal data, and this includes any information including opinions or assessments irrespective of their accuracy. The Committee is also considering whether and how to define a sub-category of "sensitive personal data", to be given enhanced protection. Its provisional view is that health information, genetic information, religious beliefs and affiliations, sexual orientation, racial and ethnic origin, caste information, financial information may be treated as sensitive personal data. Further, the White Paper says that, in other categories such as philosophical or political beliefs, an assessment may be made whether a person has an expectation of a high degree of privacy.
  2. Exemptions: The Committee has proposed wide exemptions for household purposes, journalistic/artistic purposes, and literary purposes. They have also proposed exemptions for: data processed for the purpose of academic research, statistics and historical purposes; information collected for investigation of a crime, and apprehension or prosecution of offenders; information collected for maintaining national security and public order. To ensure that exemptions are not misused, the Committee is considering safeguards, such as a review mechanism.
  3. Protections and Rights: The Committee's provisional view is that informed and meaningful consent for processing personal data is central to protecting personal data. Other than clearly given exemptions, all other processing must be after consent. The Committee is considering what would constitute valid consent. The Committee has proposed certain preventive measures, such as data limitation (only processing the data required for a task), purpose limitation (data must be collected for a specified purpose and used only for that purpose), storage limitation (data to be erased after its purpose is met), and so on. The Committee is also considering certain individual rights. The first set of rights are: right to seek confirmation, right to access the data, and right to rectify the data. Given that such rights impose costs, the Committee has proposed allowing fees to be charged for them. The second set of rights are: right to data portability (data of an individual be made available in a universally machine readable format or ported to another service provider); right to not be subjected to a decision based solely on automated processing; right to object to processing for the purpose of direct marketing. The Committee also seems to endorse a right to be forgotten. The White Paper has a discussion on a general right to object to processing, but provisionally finds it unsuitable for India.
  4. Jurisdiction: The Committee has floated three alternatives: a) Cover cases where processing wholly or partly happens in India irrespective of the status of the entity; b) Regulate entities which offer goods or services in India even though they may not have a presence in India; c) Regulate entities that carry on business (i.e. consistent and regular activity with the aim of profit) in India. The Committee has also raised issues of scope relating to applicability of the law to data relating to juristic persons such as companies, differential application of the law to the private and the public sector, and retrospective application of the law.
  5. Differential obligations: The Committee is also considering greater obligations for entities that create more risks. The additional obligations on such entities may include: registration, data protection impact assessments, data audits; and a designated Data Protection Officer.
  6. Institutional mechanism: The Committee has proposed a Data Protection Authority (DPA) for implementation of the law. It would set standards, monitor compliance, and take enforcement actions. It would also work towards generating awareness. The Committee seems to be in favor of a co-regulation model involving close industry participation. The Committee's tentative view is that accountability should not only be enforced for breach of data protection obligations, but also, in certain circumstances, it could be extended to hold data controllers liable for the harms that they cause to individuals even without violation of any other obligation.

    For redress, the Committee has proposed a multi-tier system, wherein an individual would first approach the data controller, and if the data controller fails to resolve the complaint, the individual may file a complaint with the data protection authority. DPA may also initiate action against a data controller on a suo motu basis. The Appellate Tribunal under the IT Act may be the appellate forum for any decision of DPA. DPA may be given the power to impose civil penalties as well as order the defaulting party to pay compensation up to a threshold. Appeals against an order granting or rejecting such compensation, and compensation claims above the threshold may lie with the National Consumer Disputes Redressal Commission.
  7. Principles: The Committee has endorsed seven principles to underpin the law: a) Technology agnosticism (flexibility to take into account changing technologies and standards of compliance); b) Holistic application (cover both private sector entities and government, with differential obligations for legitimate State aims); c) Informed consent (consent must be informed and meaningful); d) Data minimisation (data that is processed ought to be minimal and necessary for the purposes for which it is sought and other compatible purposes beneficial for the data subject); e) Controller accountability (the data controller to be held accountable for any processing of data); f) Structured enforcement (enforcement by a high-powered statutory authority with sufficient capacity); g) Deterrent penalties (penalties to ensure deterrence).

This suggests that a comprehensive regulatory regime, with a wide range of protections enforced by a powerful regulator, is in the offing. Going by the minutes of the consultations held by the Committee and some of the submissions to the Committee that are publicly available, the thrust of a plurality of stakeholder comments is to further expand the scope of the proposed law. More and more rights are being recommended. More preventive measures are being proposed. And more powers are being demanded for the proposed regulator.

It should be obvious that enacting a data protection law by itself will not ensure data protection. A regulatory law works through the regulatory system established by it. Actual data protection outcomes will depend on how effectively and efficiently the regulatory system regulates the market processes. I would go so far as to argue that for good outcomes, implementation matters more than what the law promises. In this journey from law to outcomes, regulatory capacity is the key.

The law and regulatory capacity

The proposed DPA will make regulations, monitor compliance, and take enforcement actions. On building regulatory capacity in DPA, I would like to make three India-specific points: first, this regulator will come up in the backdrop of relatively low regulatory capacity in India, compared to countries presently implementing advanced data protection laws; second, given the nature of data protection regulation, the regulator will find it very difficult to build capacity; third, the mismatch between the capacity and the mandate of the regulator can create poor outcomes, such that giving a broad mandate may produce worse outcomes than giving it a narrow mandate.

Relatively low regulatory capacity in India

The following chart shows percentile ranks (0 - lowest; 100 - highest) on "regulatory quality" for India and the countries whose laws the Committee has most frequently cited in the White Paper. This ranking is from the World Governance Indicators (WGI) published by the World Bank. For "regulatory quality" in India, data sources used were: Bertelsmann Transformation Index; Economist Intelligence Unit; Global Insight Business Conditions and Risk Indicators; Heritage Foundation Index of Economic Freedom; IFAD Rural Sector Performance Assessments; Institute for Management and Development World Competitiveness; Institutional Profiles Database; Political Risk Services International Country Risk Guide; World Economic Forum Global Competitiveness Report; World Justice Project.

Figure 1: Percentile rank on Regulatory Quality (Source: World Governance Indicators, World Bank)

India ranks much lower than the countries cited in the White Paper. Almost all these countries are close to the top rank (Singapore ranks number 1). Usually, on most indices of state capacity India ranks close to the median. Such rankings and indices are not precise, scientific measurements of capacity, but they are useful indicators of relative capacity. It is safe to say that regulatory capacity in India is much lower than that in other countries with advanced data protection laws. Why is this so? A variety of factors may determine State capacity in a country: organisation design and management; political system design; basis of legitimisation; and cultural and structural factors. Many of these factors are shaped by contingent social and political processes over long periods of time (see Francis Fukuyama's work on this: "State building: Governance and world order in the 21st century" and "The Origins of Political Order: From Prehuman Times to the French Revolution"). Further, many of the factors are not within the control of any one organisation.

The question, then, is: how should this fact of relatively low regulatory capacity inform the formulation of a data protection law? To answer this question, we need to first move from this general observation on regulatory capacity in India, to the specific nature of activities involved in data protection regulation, and the kind of capacity required to perform them. This may help us understand the specific challenges of building capacity in the proposed DPA.

Challenges of building regulatory capacity for data protection

Lant Pritchett and Michael Woolcock, in their paper "Solutions when the Solution is the Problem: Arraying the Disarray in Development", provide a framework to understand the challenges of capacity building. They analyse activities in terms of how discretionary (i.e. to what extent decisions will be made on the basis of information that is important but inherently imperfectly specified and incomplete) and transaction-intensive (i.e. the number of decisions required) they are. They find that it is most difficult to build real capacity for activities that are highly discretionary and transaction-intensive.

Many activities involved in Data Protection Regulation score high on both: they will be highly discretionary and transaction-intensive. The level of discretion may vary from one activity to another. Here are a few examples:

  • Data breach is a kind of problem that may require relatively less discretion to identify when it occurs, as there is a limited space for disagreement on whether there was a breach. However, the same problem can require more discretion if "preventive" actions are to be specified to avoid breaches. Experts can have wide disagreements on the best ways to manage the risk of data breach in different contexts.
  • Regulating to ensure informed consent can require a considerable amount of discretion, because, to be implemented effectively, it will require complex assessments about whether the consent was truly informed and meaningful.
  • Data minimisation is ensuring that no more data should be processed than is required for a task. This may require complex assessments to be made about the data required for a given task. Even if the regulator relies on self-assessments or third party audits, these assessments and audits will still need to be evaluated in a variety of contexts. Such judgments require sophistication and knowledge. A wealth manager, for instance, often collects and processes a large amount of personal data. There will always be considerable discretion in assessing whether data minimisation is being achieved.

Transaction intensity in data protection regulation arises out of its monitoring and enforcement functions, which will require directly or indirectly monitoring numerous events in a large number of data controllers and processors across a number of sectors, and taking decisions about them. The transaction intensity is also shaped by a unique type of moral hazard problem that is seen in this domain. This problem, which is discussed in detail later in this note, arises out of the fact that "personal data" is not a finite resource to be protected. Users can, by sharing data and creating more personal data by online activities, change the scale of the problem for the data protection regulator.

The combination of these two characteristics (highly discretionary and transaction-intensive) makes it more difficult to build capacity, because it is not about appointing a few capable individuals exercising discretion (e.g. monetary policy) or about managing a large number of persons performing mechanised tasks (e.g. Aadhaar enrolment; immunisation). Discretion is easy to abuse, and it also means that mistakes are not immediately seen as mistakes. Transaction-intensity poses the challenges of achieving good performance in a large number and variety of situations.

DPA will have to evolve the organisational form suited for performing these functions in India’s context. For instance, DPA may choose to devolve many activities to self-regulatory organisations or recognised aggregators, leaving to itself only some of the activities, such as standard-setting, exception-handling, etc. But such strategies only change the type of capacity needed to be built. For instance, regulating aggregators is a different kind of challenge. The substantive responsibilities will remain with the DPA. So, it is advisable to be modest about expected capacity in the DPA during the initial years.

The mandate given to the authority may affect its ability to build capacity

In the initial years, the DPA will have low capacity. It is important to avoid mistakes that impede the process of building real capacity over time. The most common mistake is to give a regulator a broad mandate (a combination of expansive jurisdiction and a large number of varied responsibilities) and draconian powers in its early days, when its capacity is low. The possibilities can be depicted in the following matrix.

The Capacity-Mandate Matrix

|               | Narrow Mandate | Broad Mandate |
|---------------|----------------|---------------|
| High Capacity | Quadrant II    | Quadrant I    |
| Low Capacity  | Quadrant III   | Quadrant IV   |

Certain clarifications regarding the matrix are worth stating. First, although only four possibilities are shown, it is obvious that there is a continuum along both variables. Second, capacity is not a static phenomenon - some organisations perform well under stress, while others perform well during normal circumstances but collapse in situations of stress. Third, different types of capacities are required for different kinds of functions and responsibilities. The limited objective of the matrix is to highlight the choice to be made with regard to the initial mandate given to the DPA.

To produce good outcomes, there needs to be some correspondence between capacity (the type of capacity and its performance under stress) and mandate (jurisdiction and responsibilities, and the possibilities of stress). Since a new regulator will have low capacity during the initial years, the choice that the Committee has to make in its recommendation is between Quadrants III and IV. Beginning in Quadrant IV (low capacity and broad mandate) may lead to implementation failures:

  • Capacity collapse under stress: Government agencies differ from private firms in a number of ways. They do not have profit as a key indicator of performance, and must develop complex ways of measuring success and holding the staff accountable. They are usually not able to raise and allocate financial resources freely. They are not able to hire and fire easily. They are not able to procure goods and services without going through complicated processes. They need to be responsive to demands and interests of a variety of stakeholders in the society. They must constantly build and maintain political legitimacy, or they may be rendered irrelevant.

    In the context of these constraints, if a regulator begins in Quadrant IV, the huge mismatch between the mandate and the capacity, the overly optimistic expectations of the pace of improvements in outcomes, and unrealistic expectations about improvement of capacity would lead to stresses and demands on systems that will affect capacity-building in the regulator (for a discussion on failures due to "premature load bearing", see: Pritchett, Lant, Michael Woolcock, and Matthew Andrews. "Capability traps? The mechanisms of persistent implementation failure." (2010)). It is difficult enough to build capacity to deliver on a narrow mandate. With a broad mandate from day one, the regulator may never get a chance to carefully build capacity to perform its functions. It may always remain in coping mode, in face of expectations it cannot really fulfill. This may open the space for two pathways of implementation failure: preferring form over function and/or misuse of powers.

  • Preference for form over function: To maintain legitimacy, the regulator may simply imitate the forms of modern institutions without actual functionality. Regulators, like any government institution in a political society, need to gain and maintain legitimacy in the society. In face of expectations that are impossible to meet, a regulatory organisation may "mimic" forms of organisation and procedures, without functionally performing its role and producing the desired outcomes (for a discussion on how institutions in contexts of high expectations and low capacity often choose to neglect actual performance of functions, and focus on mimicking forms of well-performing institutions, see: Pritchett, Lant, Michael Woolcock, and Matthew Andrews. "Capability traps? The mechanisms of persistent implementation failure." (2010)). This is a natural response when legitimacy is to be achieved in a context of low capacity, great expectations and conflicting interests. The alternative is to achieve legitimacy through actual performance, but this is very difficult if the mandate is broad. So, the staff of the regulator may respond by following rules and procedures but not truly concern themselves with the outcomes. This does not yield actual outcomes. At best, it only creates a perception of performance.

  • Misuse of powers: a regulator with a broad mandate is usually also given draconian powers. As the organisation starts deriving more of its legitimacy by form and posturing, rather than by actual performance in delivering outcomes, this decline in integrity may also lead to inefficient and/or unfair use of powers. For instance, when faced with violations, it may be tempted to deploy a heavy-handed approach, using outright bans and disproportionate penalties, just to get political legitimacy. To some extent, this problem can be overcome by placing due process requirements on the regulatory authority (discussed later). However, in situations of capacity collapse and decline in integrity, these checks and balances may have limited efficacy. It is, after all, difficult to hold an organisation accountable to do the impossible.

    The risks that may emerge from a DPA misusing its powers are enormous. DPA would have considerable powers to intervene in private transactions. It could construct large-scale data surveillance mechanisms in the name of monitoring compliance with regulations. Such an Authority, if it starts abusing its powers, can do a lot of damage. Its employees will potentially intrude into many kinds of transactions to try and decide questions of consent and standards of conduct. In doing so, they will access personal data to an extent that no other regulator currently does. This can make the dream of data protection go sour.

A regulatory organisation beginning in Quadrant IV risks being stuck in low capacity. Worse, it may lose integrity, and end up focusing more on appearance than on performance, preferring form over function. Worse still, it could start misusing its powers. So, moving from Quadrant IV to Quadrant I would be difficult. Further, even if the political leadership sees the problems and seeks to map expectations to actual capacity, moving from Quadrant IV to Quadrant III is not politically feasible, given the politics of reducing protections, especially in face of fierce activism that surrounds such issues. It would, therefore, be a mistake to place a new regulatory agency in Quadrant IV, i.e. hobble it with a broad mandate when it has little capacity. This will almost certainly produce poor outcomes.

It would be better if the DPA begins in Quadrant III (with a clear and narrow mandate), moves to Quadrant II by building capacity to deliver on its narrow mandate, and then, over time, moves to Quadrant I. As the regulatory system demonstrates ability to solve problems, its mandate may be broadened. We must resist the temptations of Quadrant IV. The law should be closer to Quadrant III, and lay the foundation for an effective regulatory regime for data protection. This raises the question: what is a "narrow" regulatory mandate? This is a difficult question to answer, but one that must be answered. Some of the analysis in this note may help identify the basis for narrowing the mandate, but much more work and discussion is required to come up with a suitable Quadrant III formulation.

The Economics of Data Protection Regulation

Economic analysis can inform the design of the data protection law by pointing at: how incentives may be shaped by the law; how the economics of purpose and risk may help prioritise allocation of regulatory resources; and how mandating economic analysis may help avoid wrong regulatory choices.

A unique moral hazard problem

What is to be protected under a data protection regime is "personal data". This data is to be protected from breaches, unapproved processing, etc. However, unlike, say, money, there isn't a finite amount of personal data to be protected. Users can share the same personal data with many data controllers. Users can also create more personal data by online activities. Each instance of sharing or creating personal data adds to the risks of data protection for the user, and thereby to the scale of the problem for the data protection regime. This ability of the users to significantly expand the very field of regulation makes data protection a unique regulatory challenge. Therefore, prudence exercised by users in sharing and creating personal data is critical for data protection, much more so than it is in any other field of regulation. The law should not give the users incentive to be imprudent, especially in decisions that they are well-placed to take.

The data protection regime could shape the behaviour of users. If the regulatory framework puts greater responsibility on the regulator to assure protections by taking preventive measures and to give quick redress based on individual grievances, users would have less incentive to be prudent while sharing and creating personal data. This is a moral hazard problem - just because someone else is giving protection against the risks, one is likely to take more risks. On the other hand, if the regulatory approach is sharply based on user responsibility and consent, and lets users incur costs of their imprudence, we can expect more prudence from users.

Take the example of data minimisation. One construct could be to have consent-based data minimisation, wherein it is the responsibility of the user to determine whether data minimisation is being achieved at the time consent is sought. Such regulation would focus on ensuring that the users get the necessary information about the data to be processed for a given task, and on monitoring by the regulator to ensure that processing is consistent with the consent. Another approach to data minimisation could be to empower the regulator to assess whether processors are processing more data than is required for a task, irrespective of whether consent has been given for such data to be processed. The latter construct would intensify the problem of moral hazard.

However, in certain areas, preventive measures by the regulator are required. For instance, preventive measures may be required to maintain minimum standards of data security, because users will typically not be in a position to assess this at all, and harms caused by a breach may be significant. Such preventive powers should be given only where they are necessary.

One could argue that moral hazard is not unique to data protection regulation. In banking regulation, for instance, the State promises to make efforts to keep banks reasonably safe, and takes preventive measures to keep this promise. This gives the depositors a certain level of comfort, which makes them less likely to be careful while choosing the bank to put their money in. However, this effect works within a limited, defined space of banking, which is comprised exclusively of licensed banks. The regulator controls entry into and exit from that space. Contrast this with, for instance, mobile applications - the moral hazard would encourage behavior that will expand the scale of the problem in a manner that cannot be controlled by the regulator. In data-based applications (online or real world), it is infeasible to ensure an exclusive, licensed field of protected activities. So, users would assume that the regulator will protect them, and this may lead them to be more indiscriminate in sharing and creating personal data.

It might be tempting to point at problems of achieving informed consent and to advocate regulator-led measures of data protection that limit the role of consent and focus more on ex-ante, preventive measures monitored and enforced by the regulator, but this is a road to less prudence by users and ever-increasing responsibilities and powers of the regulator. Acknowledgment of this interplay between prudence of users and the responsibilities of the data protection regime should inform the nature, scope and extent of protections promised by the law.

One could argue that protections ensured by the regulator allow us to participate more freely, and not giving extensive protections may create a chilling effect, but there can also be a good kind of chilling effect, which makes us careful about sharing and creating personal data. Focus on user responsibility is essential to achieve the good chilling effect, and avoiding the bad chilling effect.

Purpose vs. Risk

There can be disagreements on the specifics, but it should be easy to see that all purposes that require processing of personal data are not equally important. For example, it can be argued that certain recreational applications such as mobile games are not as important as healthcare services. If we acknowledge such distinctions, we could argue that pragmatism demands that regulatory emphasis be given to providing greater protections for personal data in more important services, where there is relatively less user discretion. This also ties in with the importance of user responsibility. Users who freely share data with applications that are generally considered to be less important (eg. games that require a lot of personal data) should deal with the consequences of their choices. It is not a good use of limited regulatory capacity to ensure data protection in such situations. Similarly, greater emphasis may be required for sensitive personal data, as has been discussed in the White Paper.

Another distinction that can be useful is that between processing of personal data for personal benefits, and processing that is beneficial for the society. Personal data is, in most instances, a private good, and the person whose data is protected gets most of the benefits of the protection. In some instances, however, there are positive externalities of data sharing: a person sharing data that benefits others (eg. sharing data about blood group and contact details). On the margins, regulatory resources may be better used in protecting personal data with large externalities. Economic theory suggests that consent for such processing will be in under-supply. By augmenting protections, such activities can be encouraged.

Market failures, real problems, and effective regulation

The primary reason for regulatory intervention in markets is to address problems created by market failures. Market failures relevant for data protection are: market power (a controller/processor enjoys dominant market power that it can abuse), asymmetric information (user does not have information required to take the right decision), externalities (costs of mistakes by a controller/processor are inflicted upon the users). The problems relating to abuse of dominant market position are usually addressed in competition laws, and should ideally not be included in a data protection law.

Market failures only create potentiality of harm. Often, there is no incentive for the controller/processor to take advantage of market failures, because other incentives are stronger. For instance, the market may reward more privacy-friendly providers, leading them to voluntarily protect data of users. So, any regulation must be in response to a clearly identified and significant problem arising out of a market failure. Some of the protections being envisaged do not appear to be based on such significant problems that they justify creating a general right in a law. In my view, these are: being subject to a decision based solely on automated processing; right to object to processing for direct marketing; and the right to be forgotten.

The problems of automated processing discussed in the White Paper seem to arise out of genuine mistakes, and may be resolved without creating a general right to not be subjected to automated decisions. There seems to be no intent to cause harm. The right to be forgotten is not a response to a market failure, but is coming from an extreme interpretation of privacy, which, as the White Paper discusses, allows costs to be imposed on the society so that a person can be forgotten. There can be other grounds to support such a right, but the case is weak on economic grounds. On direct marketing, there is a market failure in the form of negative externality imposed on those not seeking the good or service being sold. However, it is not clear that the problem is so grave that the State's coercive powers are required to uphold a general right against it.

Finally, even if there are significant existing or emerging problems due to market failures, it is important to demonstrate that the proposed interventions will be effective in addressing the problems. This calls for analysis of regulatory impact before regulations are made, and analysis conducted periodically to measure continued effectiveness. Before making a regulation, such analysis usually includes projections for several years into the future. This can help focus regulatory resources on significant problems that are already there or are likely to arise. Giving a general right in the law presumes such analysis has been conducted for all the problems that the right is supposed to be addressing. Perhaps some of the protections need not be formulated as "rights".

On the rights-based approach to data protection

Following the example of other countries, the Committee seems to have used the rights-based language for most of the protections it seeks to recommend in the law. This issue requires a careful rethink, because this has consequences for the way the regulatory system will evolve.

One way to think about this is to distinguish between protections that are required for the market processes to function well, and the protections that are outcomes of the market processes. Informed consent is a precondition for the market to produce good outcomes, because such consent is necessary as an input to the market processes about what the consumers want. Informed consent signals what the consumers see as useful trade-off between protecting their privacy and using their data productively. On the other hand, for instance, the extent to which a person is subject to a wrong decision solely based on automated processing is an outcome of the market processes.

The word "right" gives a sense that each individual can invoke the State's coercive powers to claim what is being called a right, without regard to the costs, and irrespective of the scale of the problem. In data protection, the right to informed consent is perhaps the only such right, and it can be said to entail a few participation rights, such as confirmation, access, and rectification, which are required to give effect to a proper right to informed consent. Even the basic participation rights may be exercisable only at a cost, and therefore fees should be allowed for confirmation, access and rectification. These fees should be regulated, so that they are not prohibitive.

The remaining protections, if any, may be given to the regulator as objectives to be achieved at aggregate level, but not given as rights to individual users. So, for such protections the focus of the regulator would be on achieving good outcomes in the aggregate, rather than upholding exercise of these rights by individuals. For instance, in a rights-based framework once a person exercises a right to object to a decision based solely on automated processing, the regulator would be required to ensure that this is done in all instances of exercise of this right. Similarly, for issues like direct marketing, the regulatory capacity would be misapplied in trying to secure exercise of rights by a number of individuals. Instead, it would be better for the regulator to specify regulations that would reduce the instances of excessive harms caused to users by automated processing or digital marketing. Individual rights-based approach should only be used for the basic rights required to give each user a reasonable control over her personal data.

Take the example of direct marketing. Firms conduct direct marketing because it connects them to persons who become their consumers, which also means that many consumers gain from the process. So, the society on the whole is better off because of direct marketing. The problem, however, is that an externality is being imposed on those who receive calls they are not interested in. Since many consumers value being let alone sometimes, there are market-based solutions to this problem. There are call filters (eg. Truecaller), email filters, etc., which are available for such consumers. Consumers can minimise the problem by blocking calls and unsubscribing from emails and messages from particular sources by putting in a little effort. Framing this issue as an "individual right", and bringing in the State's "monopoly of coercion" into this situation may be excessive, and would discourage users from solving this problem by market-based solutions. If a generic right for this purpose is created, it would be included in the redress and enforcement mechanisms, and these mechanisms may be burdened by what is essentially a small problem. Doing so would also favor those who are better placed to pursue the redress and adjudication route. Instead, the regulator may be given an objective to improve the system of processing for direct marketing, so that situations where excessive costs are imposed on certain individuals are minimised. This can be done by setting standards for processing for direct marketing, which help minimise the "mismatch" problem in the aggregate.

Jurisdiction-related issues

Jurisdiction issues could be territorial, sectoral or based on type or size of organisations to be regulated.

Territorial jurisdiction issues

The online world is truly global. Most of the applications that we Indians use are hosted abroad, and offered by organisations with limited or no physical presence in India. For instance, Facebook does not have a data centre in India, and most of its software development is also done abroad. This poses difficulties for monitoring and enforcement by the proposed DPA. Establishing actual jurisdiction for the purposes of regulation and supervision requires having an identifier for the organisation (eg. registration), a line of communication with the organisation, being able to inspect the databases and software, and having an entity on whom penalties and other enforcement orders can be served. While this is relatively easy to achieve for organisations where processing already happens in India, it is difficult and expensive to establish jurisdiction over organisations that conduct processing abroad. The costs of establishing jurisdiction may vary depending on the type of entity. The question is: why would anyone agree to be regulated by a DPA in India? Whether a foreign organisation providing an online service will submit to regulations in India will depend on the disincentive of not doing so.

In finance also, for instance, there is a jurisdiction problem. It is potentially easy to get a financial service from a service provider abroad. It has been considered important to establish jurisdiction over any firm offering financial services for consumers in India. So, across sectors, there are prohibitions on offering financial services without authorisation from a regulator in India. In 2013, when recommending wide-ranging financial sector reforms, the Financial Sector Legislative Reforms Commission had also recommended that no person should be allowed to offer financial services in India without authorisation by a regulator.

China seems to have taken a similar approach for the internet, and ended up creating a parallel internet, wherein a large number of websites and applications are banned simply because they do not play by the rules made by the country. One could argue that this is reasonable, as each country has the right to define what kind of internet access its citizens should have. However, the costs of exercising this right are considerable, as this may lead to a large number of bans, and cut India off from larger parts of global flow of online services. So, if we want to establish jurisdiction over foreign firms collecting data from Indians, it would require creating a strong disincentive, such as a ban, for the controller/processor that does not give jurisdiction to the DPA. Even if we limit this to, say, "important" or "sensitive" personal data, it can create problems. For example, many patients from India send their medical information for second opinions from medical establishments abroad. This is usually done through some hospital in India. If the DPA insists that each such foreign establishment must register with it or such data cannot be shared, this would deny an important service to the patients.

In my view, it would be better to begin with regulating entities that are already processing data in India. This itself will need considerable discretion to be exercised, as has been seen in controversies around “permanent establishment” in tax cases. At the margins, there will be differences of opinion about when an entity can be said to be based in India. However, giving a regulator powers to take draconian measures to actively establish jurisdiction over entities based overseas may lead to excessive bans, especially when the regulator has low capacity, because capacity is required to determine suitable regulatory strategies for establishing jurisdictions by other means.

Sectoral jurisdiction

As the data protection authority will pursue its objectives across all sectors, this can raise conflicts with regulators. For example, in banking, securities markets, payments, etc, the data security issues are regulated by the respective regulators, because this is essential to these services. For instance, the RBI has recently established a subsidiary to work on data security issues. These services are largely operated through online systems, and a large part of prudential regulation is about ensuring security of these systems. If a payment system is breached, it would have direct financial consequence. The personal data in this case is mainly the financial data. When it comes to enforcement actions, it would be difficult to disentangle data protection concerns from sectoral concerns. For instance, should the DPA be given the power to ban an RBI-licensed payment service provider, because of data protection concerns? Will DPA be in a position to consider the wider ramifications of such an action? Similar concerns can be raised for other sectors as well. Another issue in this context is that, even though the present data protections in those sectors are probably inadequate, there is existing regulatory capacity in some of the sectors.

Perhaps, a solution is to require the DPA to make regulations/standards in consultations with respective regulators, and once the regulations/standards have been specified, the sectoral regulators could supervise and enforce the law and the regulations. The respective regulators could do so in the course of their routine supervision of their sectors. I think this could be done for: financial firms, telecom service providers, internet service providers, etc. This may not appear to be a "clean" solution, but such aesthetic concerns should be weighed against the benefit of freeing up capacity at the DPA to focus on other sectors, and avoiding unnecessary conflicts. Also, since these regulators are in any case supervising their sectors, the additional capacity required to monitor and enforce data protection standards would probably be less than building the capacity for these sectors in the DPA.

Jurisdiction over small organisations

Given the scale of our country, it would be impractical to seek implementation of this law in every retail store and small firm. This is not to say that there are no data protection risks arising from small enterprises. But to begin with, the system should focus on achieving good outcomes with larger organisations. Small organisations should be exempt from the law. Largeness here should ideally be in terms of the amount of personal data controlled or processed, but proxy indicators, such as number of consumers, may be used to define a threshold.

Need to distinguish between data protection and broader privacy concerns:

The Committee is mandated to "study various issues relating to data protection in India". In my view, issues such as data portability, protection against being subject to a decision based solely on automated processing, and the right to be forgotten are not strictly data protection issues. They are data-related issues, but they have little to do with protection of personal data.

  • Data portability is not necessary for data protection, even though it may be good for the users to be able to shift from one controller/processor to another. This is a competition issue, as lack of portability hampers competition in a market. Arguably, denial of portability at a reasonable charge is an example of anti-competitive behavior. Further, the cost to the economy of securing a general "right" to data portability may be enormous, and a careful analysis of costs and benefits is required.
  • Being subject to a decision based solely on automated processing can sometimes become a problem, if it leads to a wrong decision. However, this is not related to protection of personal data. Automated processing can have benefits as well as costs. The examples given in the White Paper (person wrongly identified as IRA leader; loss of jobs, car licenses or voting rights because of wrong identification) are of situations where the automated processing led to a mistake. In such situations, there is no incentive for the processor to penalise the person. Since these are mistakes, is State intervention by creating a general right really required? In any case, this has little to do with data protection, and if it is being considered, this is the kind of protection that must be subjected to cost-benefit analysis.
  • The right to be forgotten: The White Paper seems to suggest that this right was endorsed by the Puttaswamy judgment. In the judgment, only one opinion discussed this right, and it cannot be reasonably considered to be the majority's opinion on the matter. EU has come to this big shift in the conceptualisation of the relationship between a person and society after a long process. Even in EU, the right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014. We in India should not rush into such conceptions of privacy. In any case, this is not strictly a data protection issue.

Approach to data protection in government organisations:

In a way, data protection in government organisations is more important than in private organisations, because a lot of the personal data that government organisations have was obtained under the implied threat of the coercive power of the State. However, experience from other sectors (eg. banking) suggests that enforcement measures that are usually effective on private entities become less effective on government organisations. The penalties that are used by regulators to coerce the regulated entities to follow the regulations work less effectively with government organisations. Monetary penalties ultimately impose a loss on the taxpayers. Criminal cases are often difficult to initiate against civil servants, and in India, because of the way jurisprudence has developed, a larger number of persons working in government organisations are considered to be civil servants.

In principle, neutral application of law to both private and public sector is good, and this should be a principle underpinning the proposed data protection law also. However, there is also a need to think about other ways of ensuring data protection in the context of government organisations. Once the DPA is established and it builds capacity, it could become an advisor and reviewer of data protection policies in government organisations, so that its expertise is used to prevent mistakes from being made. It could also serve on the boards of government organisations processing a lot of personal data (eg. UIDAI). The law should contain an enabling provision to allow government to appoint the DPA to periodically review the data protection-related policies of government organisations, and have audits of their implementation conducted under DPA's supervision.

Regulations, Flexibility and Innovation

Regulatory systems work well when there are clear regulations that need to be followed, and employees of the regulator, the regulated entities, and the consumers have clarity about them. It is good to have clarity and certainty in regulations. However, this rules-based system comes at the cost of less flexibility. Once a regulator specifies a regulation, there can be little room for innovation that violates the regulation in word, even if it follows it in spirit. This is a perennial tension, but in data protection regulation, there is probably a deeper tension.

At the heart of a consent-driven data protection system is a trade-off between valuing one's privacy and valuing beneficial uses of one's personal data. Technology has multiplied the ways in which a person can use her personal data for deriving economic and social benefits. The use, of course, needs to be based on consent of the user. When a user is giving consent, she is supposedly making some calculation about how she may benefit from that consent. However, often, it is not obvious beforehand what kinds and scale of benefits can be gained by sharing certain kind of data. The users may be able to make a better choice if they see examples and demonstrations. However, a robust data protection regime may limit possibilities of innovation without explicit consent. So, there can be a logjam - users may not give consent without seeing demonstration of benefits, and processors may not be able to innovate without access to a critical mass of data. The logjam is for a good reason - both data protection and innovation matter. This is just one example, and there can be many situations where regulation may restrict innovation that could have led to better solutions for both data protection and beneficial use. For instance, what kind of a notice and consent process will work is an issue over which innovative solutions can be found.

One way to overcome such problems is to create a space within the regulatory system to allow limited scale innovations, where some regulatory exemptions are given. This "regulatory sandbox" needs to be provided in the law itself. Typically, a regulatory sandbox involves giving the regulator the power to oversee a closely supervised cohort of innovations for which certain regulatory exemptions are given. Once their lessons are documented, they may lead to modifications in regulations to allow innovations. This is a participatory approach where regulator and private participants work closely to help innovation happen. However, for this to happen, the law needs to empower the regulator to create these "safe spaces" for innovation that achieve the objective of data protection while enhancing productive uses of data.

Need for sound regulatory governance and due process to be required by law

As a regulator, there are three types of actions that the DPA will take: drafting of regulations/standards; executive functions of inspection, investigation, and recommending penalties or compounding violations; and the quasi-judicial function of adjudication of disputes. Regulators are mini-States that perform all three functions. This creates potential for abuse of powers. The law should provide checks and balances to ensure that these powers are used properly. This requires two types of provisions: regulatory governance of DPA, and due process to be followed by DPA.

The law should provide for a good design of the Board of the DPA. The law should also give the processes and rationale for appointing or removing board members. This is important to maintain independence of the DPA. For its independence, it is also important that the funding process for the DPA is given in the law. Further, for accountability, it is important that the DPA be mandated to make annual plans, and publish annual reports that include performance on the previous years’ plan. Each type of regulatory action should be taken only after following due process, which should be laid down in the law. Independent authorities, such as the proposed DPA, have the power to be a judge in their own cases, i.e. they have their own officers adjudicating violations which have been investigated by the officers of the same authority. This conflict needs to be managed through checks built in the law itself.

Recommendations for the proposed data protection law

Based on the analysis presented in this note, I would like to make the following tentative suggestions on the proposed data protection law:

  1. Protections and powers: Achieving informed consent should be the main focus of the law. To this end, certain individual rights need to be included. These include: right to seek confirmation, right to access the data, and right to rectify the data. However, these rights should be exercisable after paying reasonable fees, as they impose costs on data controllers/processors. The DPA should focus on building systems of regulation that ensure that the foundational requirement of informed consent is met in all circumstances, except where exemptions are given. This in itself is a difficult challenge in India's context. It would be great if the DPA is able to build capacity around solving this problem.

    The rights that should not be included at this stage are: Right to Object to Processing, Right to Object to processing for purpose of Direct Marketing, Right to not be subject to a decision based solely on automated processing, Right to Data Portability, Right to restrict processing, Right to be Forgotten. Among these, some could be given as objectives to the DPA with limited powers to nudge the processors towards better protection. On direct marketing and automated processing, the DPA may be given powers to work towards improving outcomes, so that some persons are not paying very high prices for these otherwise beneficial activities. Once the DPA gets this power, it may define certain thresholds above which it could intervene, but not use its coercive powers in situations below the threshold. This is a very different formulation from a formulation based on a general individual right.

    Similarly, "data minimisation", "purpose limitation" and "storage limitation" should only be included as aspects of consent, and not included as general preventive measures to be enforced by the DPA. The DPA should focus on ensuring that if a user has given consent for certain data to be processed for a specific purpose, and has allowed storage for a certain period of time, the terms of this consent are actually being adhered to. Beyond this, the DPA should not have powers and responsibilities to make substantive judgments about these issues. That would be pushing the Authority into Quadrant IV. However, the DPA should be given the mandate to ensure minimum data security standards to avoid instances of breach.

    We should first get the basics right. Setting aside the debates about whether additional protections and preventive powers should ever be included in a data protection law, I am only suggesting not including them in the law in the first instance. In a few years, if the DPA is able to build capacity, and is able to deliver on the protections promised, additional protections may be debated, and introduced. Let us not forget that there is always a chance that it could become an ineffective, inefficient or even venal agency. Entrusting a new regulator with an expansive mandate on day one could be a recipe for failure.

  2. Tiered system: The law should create three categories of "services and applications" based on their importance for an average person: tier I (necessary services, such as healthcare, education, financial services; plus, processing with positive benefits to the society), tier II (important but not necessary services, such as social media), and tier III (optional services, such as games). The law should mandate the DPA to put more resources into ensuring data protection for personal data shared for tier I, followed by tier II. The DPA should not focus on tier III usages, and users should make their own choices and face the consequences. Reasonable persons can disagree on what services should be in which tier, but this is not an argument against the need for a tiered system. Further, the DPA should be mandated to focus on protecting sensitive personal data, and this category should be given in the law.
  3. Jurisdiction: The jurisdiction should be limited to those entities that are processing in India. The DPA should not be given powers to "pursue" foreign entities to establish its jurisdiction over them, to bring them to process in India. Further, in sectors where regulators conducting regular supervision are already there, the responsibility for monitoring compliance and taking enforcement actions may be given to the respective regulators. Small organisations should be exempt from the law.
  4. Enable DPA to be the advisor/reviewer/auditor/board member for data protection in government organisations: The law should include an enabling provision for the government to appoint the DPA for advising government organisations on data protection policies and practices, reviewing their data protection policies and practices, and auditing implementation. DPA representatives could also serve on the board of organisations that handle a lot of personal data (eg. UIDAI). The DPA should, over time, develop into an organisation that can help the government take preventive measures to protect data, because ex-post measures are not likely to be effective with government organisations.
  5. Allow space for innovation, without compromising on the objective of the law: The law should empower the DPA to establish and oversee a regulatory sandbox to allow limited period trials of innovations that can be exempt from certain regulations. After these limited period pilots are documented, their experience may be used to modify the regulations.
  6. Board Composition: The DPA Board should have a majority of independent members, who may be experts, retired civil servants, consumer advocates, and others. The process of appointment as well as the grounds and process for removal of members should be laid down in the law. The Board should be required to make annual plans, and publish performance reports with annual reports every year.
  7. Due process requirements in the law: While making regulations, the DPA must publish draft regulations along with a statement on the legal authority to make the regulations, a statement of the problems to be solved, and an analysis of expected impact of the proposed regulation. After comments have been received, the DPA must be required to publish all the comments received, provide a reasoned response to the comments received, get the draft regulations formally approved by the board, and then publish the regulations. In case of emergency regulation-making, the requirements of consultation and analysis of regulatory impact may be relaxed, but such regulation should lapse after six months.

    The DPA will perform a variety of executive functions under this law. These include: inspections, investigation, and recommending penalties or compounding violations. When investigations are envisaged they should be carried out according to written terms of investigation; carried out by an appointed investigator; finished within a predetermined period, which may be extended by a quasi-judicial officer on a reasoned order; and carried out with least disruption to a business. Similarly for recommending penalties or compounding violations, the DPA should be guided by detailed regulations requiring the authority to show proportionality, and fairness. There must be a separate wing within DPA, which adjudicates violations. Members of such wing should not interact or report to persons carrying out or overseeing the investigation functions.

Conclusion: the importance of being pragmatic

It is interesting how a matter that was not even on the radar of policymakers has suddenly become an absolute necessity. Because of the heightened sensitivity around this issue, and the opportunity that this has created to get a law passed, it is tempting to demand a comprehensive law that envisages a wide range of protections and powers, as well as an expansive jurisdiction. This carpe diem temptation is a trap that must be avoided. In my view, we should take a pragmatic approach towards the law. We should consider what kind of a law will help produce actual data protection outcomes.

A proposed law should be judged on the basis of its expected practical consequences. This is because ultimately we care about outcomes and not just expression of good intent. In India, we have had many ambitious laws that did not lead to expected outcomes, and some have actually made us worse off. The implementation of a law depends on a variety of context-specific factors, such as regulatory capacity, resource availability, scale of a country, capacity of the adjudication system, and so on. So, the same law may have very different practical consequences in India than it would have in, say, the UK.

Pragmatism demands careful thinking about the nature of the problem and the context in which it is to be addressed. The law should be such that it ensures good outcomes in the long run, even if it disappoints some folks in the short run. Many of the features of a data protection law that have been provisionally endorsed by the Committee and/or are being demanded by many stakeholders have only recently found their way into the laws of developed countries. Simply including them in a law will not create protections, as outcomes of a regulatory law depend on the effectiveness of the regulatory system. The focus should be on ensuring that the law is such that the regulator is able to build the capacity to deliver on its mandate. Burdening a new data protection regulator with a broad mandate would likely set it up for failure.

We should begin with a law that gives a narrow mandate to the regulator, allow the regulator to build capacity to deliver on that mandate, and then expand its mandate. In my view, this narrowing of the mandate could entail: focusing specifically on achieving informed consent; giving limited preventive powers to the regulator on issues such as data security; limiting jurisdiction to entities processing in India, and not giving powers to demand jurisdiction on foreign entities; relying on sectoral regulators for monitoring and enforcement; applying the law only on entities that are above a threshold; and prioritising data protection for certain important purposes. In addition to narrowing the mandate, it is also important to mandate detailed checks and balances in the law, to minimise chances of abuse of powers.

The founding conditions cast a long shadow on the evolution of an organisation. If the law that establishes the data protection regime is rooted in careful consideration of the factors that are likely to shape its implementation, we will have a better chance of achieving good data protection outcomes.

 

Suyash Rai is a researcher at National Institute of Public Finance and Policy. The author would like to thank Renuka Sane, Anirudh Burman, Milan Vaishnav, and Ajay Shah for useful discussions. This essay is based on the comments the author has submitted to the Committee of Experts.

Working Titles: Property Rights for Slum Policy in India

by Jai Vipra.

This post argues that slum rehabilitation programs in India need to ask fundamental questions about which specific arrangement of property rights would be the most beneficial for all stakeholders, including the government, residents of slums, potential residents, and the rest of the city. It examines the option of providing less-than-complete titles to property as a slum rehabilitation strategy.

Urban informal settlements, largely slums, are a problem because they are squatter settlements, which means that the tenure is insecure and residents can be evicted at any time. The lack of legal tenure also affects access to services like water and electricity, and impedes the development of infrastructure such as roads and sewerage systems. Without proof of ownership of land, residents cannot mortgage or otherwise capitalise it. The lack of legality of land occupation is, of course, a problem in itself.

Slums sometimes crop up on public land, and can frustrate city planning objectives. This post does not examine the policy options for controlling the growth of new slums, which will include rural growth policy, job creation, public transport, overall land use management, etc. Here, I only focus on formalising existing slums.

Existing slum rehabilitation strategies

Sometimes, slum residents are relocated to city outskirts. This strategy has obvious problems, given that the main value proposition of slums is their location, and that relocation disrupts valuable social networks.

Mahadevia has classified slum rehabilitation strategies (other than relocation) in India into three buckets:

1. Basic Services Programs: for example, the Urban Community Development program that involved communities to reduce costs, the Slum Networking Program and the Urban Basic Services for the Poor program that integrated slum upgradation with social infrastructure.

2. Shelter and Services Programs: for example, the Slum Upgradation Program that provided land titles - leasehold or freehold - along with an optional housing loan. Another example is the Rajiv Awas Yojana, now discontinued, that provided for community participation at every stage and covered all slums, whether notified or not.

3. Special Programs: includes programs that aim to provide infrastructure and housing to cities and include slums in their strategy, for example, the Mega Cities Project.

Most of these schemes have included a provision to 'regularise' slums, and have excluded slums that could not be regularised, for example, those present on land owned by the Central government. Regularisation means that complete, or near-complete, legal tenure security is provided through full titles. Full legal tenure security means a title that grants the right to use, exclude from, inherit and alienate land through sale or transfer.

Such full titles create two kinds of problems:

1. Political economy problems: These include likely dispossession of land because of increased transaction value of property, and illegal subletting, among other issues. Dispossession occurs because full titles raise the commercial value of land, creating incentives to capture it, and thus decrease tenure security.

By some accounts, at least half of the people granted full titles in slum rehabilitation programs sublet their houses illegally.

Subletting or transfer of property rights is not an issue in itself. The issues arise either when titles are granted to non-residents pretending to be residents, or when residents, after acquiring titles, rent their properties out and move to another slum, simply shifting the issues with slums to another part of the city.

The first issue is one of monitoring and design. If community organisations play a role in determining who gets titles, their membership and conditions of membership must be rethought.

The second issue of title-holders moving to different slums indicates that a full title and a modern flat were not being demanded. Evidently some slum residents do not want these 'better' dwellings, and are using the titles to access capital. Perhaps our focus ought to be on increasing access to capital through other ways, while not losing sight of the need to improve living conditions in slums.

2. Public administration problems: Regularisation involves ascertaining original land ownership, resident status, identities, resolving disputes, etc. This process adds time and financial strain to already-strained state capacity. For example, the Slum Upgradation Program in Mumbai in the 1980s ran into problems even with a lease, because the private land would have to be acquired by the government first.

Property rights framework

We can already see that thinking of slum rehabilitation in terms of the kinds of property rights granted through titles helps us disaggregate issues. Some of the problems we saw above are caused by the peculiarities of full titling. They could presumably be solved by using less-than-full titles. Let us call such titles working titles. Working titles provide less-than-full tenure security. That means that they guarantee some, but not all, property rights. For example, a working title may guarantee the right to cultivate or occupy land, but not to alienate it. It may guarantee the right to construct non-permanent structures but not permanent structures. Working titles can avoid the need to amend the main state registry for every property transaction; they can be based on general demarcation of plots on makeshift maps; they can maintain ultimate state ownership of land when required.

They provide some tenure security, and because they do not give full ownership rights, they often skirt the need for the government to acquire private, encroached-upon land. Theoretically, they may reduce the moral hazard of encroaching on a property that will eventually be fully regularised. For this to be true, the property rights included in the working title have to be enough to provide tenure security to the urban poor but not enough for encroachment to become attractive.

There are many examples of programs providing working titles. The following table, derived from secondary literature, examines the objectives, effects, administrative design and issues of four such programs:


Working titles: Analysis of Case Studies

| Area | Purpose | Instrument | Rights | Administrative design | Coupled with | Effects |
|---|---|---|---|---|---|---|
| Cape Town, South Africa (Source) | Violence Prevention | Occupancy certificates | Use | Community register | A project to upgrade infrastructure and state service provision | Unclear effects on violence |
| | Access to services | | Access to services | Regular but voluntary updating of registry | | Improved access to services |
| | Upgradation of infrastructure | | | Social consultation process | | Upgradation delayed because of relocation requirement |
| | | | | High-level informal settlements working group | | Electrification |
| | | | | Dedicated, full time on site registration office | | |
| Brazil (Source) | Keeping public land public | Concession of Real Rights to Use | Use for a limited period of time, renewable | Registration required in some areas | Project to upgrade infrastructure and dwellings | Public land remains public |
| | Reducing disputes | | Transfer with municipal approval | Monthly fee in some areas | Services such as rubbish collection, water and electricity | Unclear effects on dispute levels |
| | Tenure security | | | | | Decreased tenure security because it is perceived as a rental contract due to program design and inadequate communication |
| Namibia (Source) | Less strain on state capacity | Starter title | Use | Parallel registry | | Only been piloted, but legal framework important |
| | Poverty reduction | | Sell, transfer | Para professionals | | |
| | | | Inherit | Community involvement | | |
| | | Landhold title | Use | | | |
| | | | Sell, transfer | | | |
| | | | Inherit | | | |
| | | | Mortgage | | | |
| Botswana (Source) | Reducing strain on state capacity | Certificate of Rights | Use | General plans for demarcating boundaries | Services such as earth roads, water, toilets | Did not reduce strain on state capacity |
| | Access to services | | Inherit | Similar to customary system | Housing loan | Improved access to services |
| | Too much urban land state-owned because of historical reasons; need to transfer rights to squatters | | Transfer with municipal approval | Monthly service charge | | Effectively transferred rights in public land to residents |
| | | | Mortgage | Dispute resolution system | | High level of disputes |
| | | | | No registration at deeds registry | | Unauthorised structures |

Conclusion

We can draw some preliminary inferences from these case studies of working titles. Working titles seem to improve access to services by formalising rights. They also avoid the legal issues of registration in the main registry of a country, by using parallel processes and structures. They help with identifying actual residents because communities are heavily engaged in mapping processes. They can provide tenure security if their purpose and characteristics are communicated well.

While programs that provide working titles aim to also improve infrastructure, in reality, it seems as if the infrastructure provision increases community involvement and may end up making the working titles easier to implement, and an attractive option for the poor. The hypothesis is that when coupled with infrastructure provision, services and housing loans, working titles seem to have increased take-up and easier implementation.

While working titles reduce the need for state capacity in some ways, they increase it in others, particularly with the need to involve communities intensively. They require high commitment from the administration and the community towards solving issues of tenure insecurity. They may not reduce the strain on the state's dispute resolution system. The pilots have been small, and their effects in larger contexts are unclear. They also uniformly do not increase the mortgage-ability of land; however, as the same case studies and other sources show, neither do stronger titles in these and other countries.

While there is some research on such titles, more research is required on the optimal administrative design for such programs, so as to reduce the strain on state capacity and disputability among the community. It would also be beneficial to undertake systematic research on the suitability of working titles for India.

 

Jai Vipra is a researcher at National Institute of Public Finance and Policy. The author thanks Anirudh Burman, Suyash Rai and Devendra Damle for useful discussions. The two anonymous reviewers also contributed very helpful insights.

Wednesday, February 07, 2018

Interesting readings

Can Planet Earth Feed 10 Billion People? by Charles C. Mann in The Atlantic, March 2018.

How best to play Finance SEZs by Ajay Shah in Business Standard, February 5, 2018.

Selfies for India: These long-term bonds can fund India's infrastructure needs and improve retirement security by Robert C Merton and Arun S Muralidhar in The Times of India, February 5, 2018.

Why stop at Hindi? in Business Standard, February 4, 2018. English as lingua franca is a multilateral disarmament treaty.

Budget 2018-19: Reading between the lines by Ajay Shah in Business Standard, February 1, 2018.

How Do We Explain This National Tragedy? This Trump? by T.J. Stiles in Literary Hub, January 31, 2018.

A game of chicken: how India's poultry farms are spawning global superbugs by Rahul Meesaraganda and Madlen Davies in The Hindu, January 31, 2018.

Resurrection of TPP - A wake-up call for India by Jayanta Roy in Business Standard, January 31, 2018.

The Shallowness of Google Translate by Douglas Hofstadter in The Atlantic, January 30, 2018.

(Not) the way to promote digital payments by Amol Kulkarni on 50p Blog, January 29, 2018. Also see: Subsidies are the last refuge of a failed policy maker by Ajay Shah in Ajay Shah's Blog, April 16, 2016.

Why E and V bands in telecom can solve a lot of connectivity issues by Surajeet Das Gupta in Business Standard, January 27, 2018.

Elephants Are Very Scared of Bees. That Could Save Their Lives by Karen Weintraub in The New York Times, January 26, 2018.

Do we want to keep the Republic? by Suhas Palshikar in The Indian Express, January 26, 2018.

Privacy shouldn't be the price of progress. Here's how to keep your data safe by Angus Hervey in Quartz, January 26, 2018.

Most unhappy people are unhappy for the exact same reason by Jean Twenge in Quartz, January 26, 2018, and Facebook should be 'regulated like cigarette industry', says tech CEO by Alex Hern in The Guardian, January 24, 2018, and This Is Serious: Facebook Begins Its Downward Spiral by Nick Bilton in Vanity Fair, January 23, 2018. Elite flight will make Facebook and Twitter uncool; it will be like cigarette smoking.

An interesting debate about the opacity of statistical algorithms and the opacity of human experts: Artificial Intelligence's 'Black Box' Is Nothing to Fear by Vijay Pande in The New York Times, January 25, 2018, Optimization over Explanation by David Weinberger in Medium, January 28, 2018.

Is Bay of Bengal the next BRICS? by Sourajit Aiyer in NIPFP YouTube Channel, January 25, 2018.

Announcements

IBBI-IGIDR Insolvency and Bankruptcy Reforms Conference

3rd and 4th August, 2018
Venue: New Delhi, India

Call for papers

The Finance Research Group at the Indira Gandhi Institute of Development Research (IGIDR) is inviting papers for the IBBI-IGIDR Insolvency and bankruptcy reforms conference. The conference aims to cover presentations and discussions across the following set of themes:

  • Enterprise value of firms in insolvency
  • Creditor and debtor incentives in insolvency
  • Measurement of probability of default and loss given default
  • Stressed assets industry
  • Incentivising creditors towards resolution
  • Economic impact of insolvency - an international perspective
  • Interface with existing laws and
  • Institutional development for bankruptcy

The audience for the conference is expected to comprise academics, participants from the legal and financial industry, policy makers from government and regulators.

Timelines

  • Paper submission deadline: 16th March 2018
  • Expected date for notification of acceptance: 5th May 2018
  • Dates of the conference: 3rd - 4th August 2018

Submission instructions and review

  • The papers can have a quantitative, theoretical or policy research focus
  • The papers must be sent as PDF files to Jyoti Manke at jyoti@igidr.ac.in.
  • Submitted papers will be reviewed by the Program Committee, which includes:
    • Bindu Ananth, Dvara Research Foundation
    • Sumant Batra, Kesar Dass B. & Associates
    • Prof. Vikas Chitre, President, Indian School of Political Economy
    • Omkar Goswami, Chairperson, Corporate and Economic Research Group Advisory Pvt. Ltd.
    • M. S. Sahoo, Chairperson, IBBI
    • Ajay Shah, National Institute of Public Finance and Policy
    • Cyril Shroff, Cyril Amarchand Mangaldas
    • I. Srinivas, Secretary, MCA
    • Suresh Sundaresan, Columbia Business School
    • Susan Thomas, IGIDR
    • Bahram Vakil, AZB & Partners
    • T. K. Viswanathan, Director (ADR) International Centre for Alternative Dispute Resolution and Chairman of the Bankruptcy Law Reforms Committee.
  • 10 papers will be selected for the conference

Accommodation at the conference venue for 2 nights (2nd to 3rd August 2018) will be provided to academic presenters and discussants.

Contact details

For clarifications, please contact Jyoti at +91-22-28416592 (office) or +91-98205-20180 (cellphone).

About the Insolvency and Bankruptcy Board of India (IBBI)

The Insolvency and Bankruptcy Board of India (IBBI) is the regulator constituted under the Insolvency and Bankruptcy Code, 2016. It was established on 1st October 2016, and is responsible for the implementation of the Code, through creating regulations and suggesting amendments to the law to ensure the economic outcomes visualised under the Code. URL http://www.ibbi.gov.in

About the Finance Research Group, IGIDR

The Finance Research Group at IGIDR works in the area of quantitative finance, financial sector laws, regulation and policy. Research undertaken by the group spans questions about securities markets, household and corporate finance, insolvency and bankruptcy laws and land and access to finance. The group seeks to play a role in the policy issues and debates in India, both through papers and focused policy and technical notes. In the last two years, teams from the FRG have been the research secretariat for the Standing Council on the competitiveness of the Indian financial system, and the Bankruptcy Law Reforms Committee. The work of the group can be seen at the URL: http://www.ifrogs.org

Friday, February 02, 2018

Announcements

Positions at the Finance Research Group, IGIDR

The Finance Research Group at the Indira Gandhi Institute of Development Research (IGIDR), Mumbai is looking for researchers interested in financial regulation.

IGIDR is a PhD and Masters granting research institution set up in Bombay in 1989, and funded by the Reserve Bank of India. The Finance Research Group is a group of researchers (economists, lawyers and data scientists) working on the economics, policy and regulation of financial markets, household finance, firm financing and the land market.

The person will be required to support research in law and economics on a full-time basis. The position will involve working with persons from various disciplines. It will require working with data-sets, analyses and designing policy and regulatory interventions. It will provide exposure to cutting edge research in finance. Ideal candidates are persons having a degree or experience in law, finance, economics or public policy.

Specifically, we are recruiting researchers to work in the following areas:

Policy research in payments


The legal framework of the payments and settlement systems, Indian and global, clearing processes in payments systems of different kinds, optimal competition policy in payments, policy issues and market barriers in payment systems, and how to design policy to ensure a vibrant fintech ecosystem.

The work profile will include studying contemporary policy developments, developing a point of view on the required reforms, writing policy papers and blog articles, running policy roundtables, etc.

Impact of interventions in financial markets


Our research program on financial markets will involve studying the impact of changes in regulations on market quality, evaluation of proposed regulations, and development of a cost-benefit analysis of the same.

The office functions on free and open source software such as Linux, LaTeX, R and others. Previous experience in Linux is not required. However, if appointed, the candidate will be required to learn and use this software. The candidate must be willing to adapt to technology and work long hours.

Contact us


Please get in touch with Jyoti Manke at careersatFRG@gmail.com

Announcements

IGIDR Household Finance Research Workshop

24th February, 2018
Seanza Conference Hall, Indira Gandhi Institute of Development Research, Mumbai

Call for papers

The Finance Research Group at the Indira Gandhi Institute of Development Research (IGIDR) is inviting papers to be submitted for the workshop on Household Finance Research. The research focus is on:

  • Long term participation of investors and households in equity and debt markets.
  • How investors change trading and holding patterns in response to news and information.
  • The role of financial market intermediaries in improving access to finance.
  • FinTech innovations in financial inclusion.
  • The regulatory strategy to foster the optimal use of modern finance by firms. What should the law say? What should the regulations say? How should they be enforced?
  • Implication of macro-economic policies on household savings and investment behaviour

Dates

  • Paper submission deadline: 10th February 2018.
  • Notification of acceptance: 15th February 2018.

Support

Accommodation at the conference venue for 2 nights (23rd February and 24th February, 2018) will be provided for speakers at the workshop.

Contact

Submissions must be sent, as PDF files, to Jyoti Manke at jyoti@igidr.ac.in

For any clarifications, please contact Jyoti at +91-22-28416592 (office) or +91-98205-20180 (cellphone).

Tuesday, January 30, 2018

Bank recapitalisation: the allocation challenge

by Rajeswari Sengupta and Anjali Sharma.

The government has announced its plans to allocate the first round of recapitalisation funds to the public sector banks (PSBs). While the recapitalisation announcement was received by the market with great enthusiasm, the allocation has received mixed reviews. Nearly 60% of the Rs. 0.88 trillion being infused in the first round will go to the weakest 11 banks that are under the RBI's Prompt Corrective Action (PCA) framework. As part of the plan, IDBI Bank, the lender with the most stressed assets, gets Rs. 0.10 trillion, the single largest amount. State Bank of India and Indian Bank, the relatively better performing banks, get Rs. 0.08 trillion and no allocation respectively.

In this article we look at four questions with regard to the allocation plan:

  1. Is this recapitalisation adequate?

  2. Why has more capital been allocated to the highly stressed banks?

  3. Could the government have adopted an alternate, more growth oriented allocation strategy?

  4. What objectives can recapitalisation fulfill?

Is this recapitalisation adequate?

No. The recapitalisation funds committed are far less than what the banks need.

In September 2017, the PSBs had stressed assets to the tune of Rs. 8.9 trillion. Against these, they held provisions of Rs. 3.4 trillion, which translates into a provision cover ratio (PCR) of 38%. PCR is an effective measure of what the banks expect to recover from their stressed assets. For example, if they expect to recover 40% of the value, they will provide for the remaining 60%. A PCR of 38% could mean one of two things. Either the PSBs expect to recover 62% of the value of their stressed assets, or they are under-provisioned. In an earlier article, we gave our reasons for believing that anything more than a 30% recovery rate is optimistic. Early indications from the corporate resolution plans submitted under the Insolvency and Bankruptcy Code (IBC) support this belief. Further, the true extent of PSBs' stressed advances is still not clear. Analysts are pointing out that stressed advances are set to grow further.

Given this, a 38% PCR indicates under-provisioning rather than expectations of recovery. Table 1 shows the additional provision required to increase PCR to various levels.

Table 1: Additional provision required at different levels of PCR

| | T1 capital required* |
|---|---|
| For PCR 50% | 1.1 |
| For PCR 55% | 1.5 |
| For PCR 60% | 1.9 |
| For PCR 70% | 2.8 |

Source: Authors' estimates; PSBs Q2-18 Analyst Presentations
* to maintain T1 CRAR of 9.5%.

PSBs currently have a Tier 1 capital base of Rs. 5.6 trillion. This is just adequate to meet the 9.5% Tier 1 capital adequacy requirement (CAR) imposed by RBI on the banks. This means that for every rupee of additional provision required, a rupee of Tier 1 capital will need to be infused in these banks. There is little hope that the PSBs' profits will reduce the need for recapitalisation. In the last two quarters, these banks have incurred losses, with Q2 losses being higher than those in Q1.

To reach a PCR of 70%, PSBs need to make additional provisions of Rs. 2.8 trillion. This is also the amount of additional capital they need. Since the IBC resolution process imposes a 270 day timeline, a large part of this requirement for capital will show up in PSB balance sheets in FY 18-19.

Against this, the government is committing Rs. 1.53 trillion, over two years. With this the PSBs will get to a PCR of 55%. This is low. The two year phasing, with Rs. 0.88 trillion being infused in FY 18-19 and the remaining Rs. 0.65 trillion in FY 19-20, is also a problem. It will ensure that: (1) PSBs will continue to be capital starved in FY 18-19, and (2) all the additional capital will get consumed for stress resolution, with no room left for supporting any growth in credit.

Why has more capital been allocated to the highly stressed banks?

There is no other choice. The stressed banks need additional capital today, without which their condition will worsen.

To understand this we look at bank level data. We classify the 21 PSBs into three categories, based on what their Tier 1 capital position would be if they were to increase their PCR to 70%, with no additional capital being infused.

  • Category 1: Banks whose Tier 1 CAR will be at 7% or more.

    Under Basel III norms, banks need to hold Tier 1 CAR of at least 7%. RBI requires Indian banks to hold a Tier 1 CAR of 9.5% (7% Tier 1 Capital + 2.5% Capital Conservation Buffer).

  • Category 2: Banks whose Tier 1 CAR will be positive but less than 7%.

    We further divide category 2 banks into two sub-categories:

    • Category 2a: Banks whose Tier 1 CAR will be more than 3.5% but less than 7%.
    • Category 2b: Banks whose Tier 1 CAR will be between 0% and 3.5%.

    Within category 2, category 2a are the relatively less stressed banks, and 2b are the more stressed ones.

  • Category 3: Banks whose Tier 1 CAR will be negative.

In Table 2, we present details of the asset quality, capital adequacy and profitability of these categories as at September 2017. We also look at the additional Tier 1 capital that each of these categories needs in order to reach a PCR of 70%, while maintaining Tier 1 CAR at 9.5%.

Table 2: Category level analysis of PSBs

| | Unit | Category 1 (T1 ≥ 7%) | Category 2a (3.5% ≤ T1 ≤ 7%) | Category 2b (0% ≤ T1 ≤ 3.5%) | Category 3 (T1 ≤ 0%) |
|---|---|---|---|---|---|
| Number of banks | | 2 | 7 | 8 | 4 |
| Banks in RBI-PCA | | - | 1 | 6 | 4 |
| Names of banks | | SBI, Indian Bank | Vijaya Bank, BoB, Syndicate Bank, Union Bank of India, BoI, PNB, Canara Bank | Allahabad Bank, Andhra Bank, OBC, UCO Bank, J&K Bank, Central Bank, Corporation Bank, Bank of Maharashtra | IDBI Bank, IOB, Dena Bank, United Bank of India |
| Sept-17 performance | | | | | |
| Stressed advances/Total advances | % | 11.5 | 13.8 | 18.5 | 28.4 |
| PCR | % | 39.8 | 38.5 | 38.1 | 34.3 |
| T1 CAR | % | 11.1 | 9.2 | 8.1 | 8.5 |
| H1 Net Profit | Rs. trillion | 0.04 | 0.01 | -0.06 | -0.04 |
| Additional T1 capital needed* | Rs. trillion | - | 0.07 | 0.22 | 0.10 |
| At PCR of 70% | | | | | |
| T1 CAR (without capital infusion) | % | 7.7 | 4.6 | 2.1 | -0.9 |
| Additional T1 capital needed** (A) | Rs. trillion | 0.4 | 1.0 | 0.8 | 0.6 |
| Share of additional capital | % | 14 | 37 | 29 | 20 |
| Phase I capital infusion | | | | | |
| Allocation (B) | Rs. trillion | 0.09 | 0.35 | 0.24 | 0.21 |
| Allocation/Requirement (B/A) | % | 24 | 32 | 29 | 40 |
| PCR after Phase 1 allocation | % | 43.5 | 46.7 | 42.3 | 45.1 |

Source: Authors' estimates; Q2 analysts' presentations of PSBs
* To bring T1 CAR to 9.5%, at the existing level of PCR.
** To bring T1 CAR to 9.5%, at a PCR of 70%.

We find that banks in categories 2 and 3 are short of their Tier 1 capital requirement even today. They need around Rs. 0.39 trillion of additional capital in FY 18-19 just to meet the regulatory requirement of 9.5% Tier 1 capital, with no improvement in their PCR. The 12 most stressed banks, those in categories 2b and 3 need close to 80% of this additional capital.

Unless the most stressed banks get additional capital, they will not have the ability to take the haircuts that the IBC outcomes will require them to take. Most stressed corporate loans are through lending consortia which include both the less stressed and the highly stressed PSBs as members. If these weak banks do not receive capital, they will stall the IBC resolution process, thereby affecting the recovery from stressed assets for all banks involved.

Since the most stressed banks are also the ones incurring losses, over time their capital position will worsen. The first phase of capital allocation reflects this reality and allocates the largest share to these banks.

With the Phase I infusion, after meeting the regulatory capital requirements, the overall PCR will increase from the Sept-17 level of 38% to 44.5%. Even at these levels, given that recovery rates are likely to be far lower, PSBs will remain significantly under-provisioned.

Could the government have adopted an alternative, more growth-oriented allocation strategy?

Not really. Capital for dealing with stress has to precede growth capital.

Table 2 highlights the challenge of allocating the recapitalisation amount among the 21 PSBs. All PSBs are stressed, some less and others more so. Even the relatively less stressed banks like SBI and Indian Bank will require capital infusion to shore up provisions to levels where they can deal with their stressed assets while meeting the regulatory capital requirement. As long as the aggregate supply of capital is less than the Rs. 2.8 trillion that is required (Table 1), there is no allocation scenario under which all PSBs will be able to meet their regulatory capital requirement and also grow their advances.

Within the constraint of the capital committed, we consider some scenarios to evaluate whether any alternate allocation strategies could have prioritised growth.

  1. Scenario 1: The entire Rs 0.8 trillion of capital is given to the two banks in category 1 and the less stressed banks in category 2a. The banks in categories 2b and 3 get nothing.

    Theoretically, this scenario can generate some credit growth. The trade-off is that the most stressed banks do not get any additional capital. In reality, this is not a scenario that the government can implement, for various reasons:

    • There is a public perception problem. If the government chooses the less stressed banks over the highly stressed ones, it will push the ones that are not chosen into further distress. These stressed PSBs will not be able to raise capital from the market, sell their non-core assets at reasonable valuations, or make recoveries from their stressed assets. It is possible that such an action may cause panic among the investors and depositors of these banks.

    • The highly stressed PSBs, like other PSBs, have raised capital by issuing AT1 or T2 bonds. In most cases these bonds have also been subscribed to by foreign investors. For these banks, a fall in the level of capital below regulatory thresholds will be tantamount to a technical default. Since PSBs are owned by the government, their bonds carry the implicit guarantee of the government. A technical default on these bonds would be equivalent to a sovereign default.

    • There is also a question whether some banks can be kept in a state of non-compliance with regulatory capital norms on an ongoing basis. This can only happen if the RBI relaxes its regulatory standards on a selective basis for the most stressed banks. Such an action would be undesirable, from the perspective of systemic risk, and macroeconomic stability.

    • If the highly stressed banks are kept capital starved, they will derail the stressed asset resolution process for other banks in the system as well, as discussed earlier.

  2. Scenario 2: The entire Rs. 0.8 trillion of capital is allocated to the 12 highly stressed banks in categories 2b and 3.

    The banks in these categories need Rs. 1.4 trillion of capital infusion (Table 2) to bring T1 CAR to 9.5%, at a PCR of 70%. While their health will somewhat improve with this infusion, the capital gap will continue to exist. Under this scenario, there will be no growth in credit for the next two years. Given that the capital gap will persist, the PSBs may continue to delay recognition and resolution of their stressed assets.

  3. Scenario 3: The government merges the highly stressed banks with the less stressed ones, or closes down the highly stressed banks.

    The need for additional capital to deal with stressed assets will not go away with a merger between PSBs. It will continue in the merged entities. Since most PSBs are very similar to each other in the composition of their assets and their liabilities, a linear addition of their balance sheets is not a solution to their stressed assets problem.

    The same holds true even if some of the most stressed banks are closed down. Their assets, including the stressed assets, will need to be transferred or sold to another bank or financial institution at some value. If this sale/transfer takes place at face value, the entities that buy these assets will need the additional capital required to take haircuts and resolve stress. If the sale/transfer takes place at a discount to face value, the banks being closed down will need additional capital to meet all their liabilities and obligations prior to being closed down.

The government does not have a real choice in allocation strategy as long as the capital supplied is less than the capital required for dealing with the PSBs' stressed assets. The requirement for additional capital remains, irrespective of the banking sector strategy that is adopted.

What objectives can recapitalisation fulfill?

The Indian banking system currently faces two big challenges:

  1. The banking system is burdened by stressed assets and its existing capital base is inadequate to deal with this problem. Banks need additional capital to take the necessary haircuts to resolve these stressed assets.

  2. Bank credit to the industrial sector has stagnated over the last few years. In the last six quarters, quarter-on-quarter bank credit growth has been negative. Non-bank credit sources such as the corporate bond market remain underdeveloped. While there are demand-side constraints owing to stressed corporate balance sheets, for an economy growing at 6-6.5%, there are many other segments which are in need of credit. These segments remain credit-starved because of the slowdown in the banking sector. This will have adverse consequences for the overall growth of the economy going forward.

The bank recapitalisation program could be an important step to address both these challenges. It could provide PSBs with the capital required to deal with their stressed assets, and it could revive bank lending, to the extent that demand for credit exists or picks up going forward. However, this can happen only if the PSBs hold adequate levels of capital to meet both objectives.

Our analysis shows that the additional capital that is required for dealing with stress far exceeds what has been committed so far. Only after this capital gap is addressed can there be a possibility of re-starting credit growth. At the current level of recapitalisation commitment, PSBs will reach a provision cover of 45% on their stressed assets. This implies that they need to recover 50-60% of the value of these stressed assets. This seems highly optimistic given the status of resolution efforts currently underway as part of IBC proceedings.

In the first phase of recapitalisation, the government has decided to inject the bulk of the Rs. 0.88 trillion of capital into the most stressed PSBs. Our analysis shows that the government does not have a choice to adopt an alternative allocation strategy that would have revived credit growth. To do that, the overall supply of capital needs to be increased to levels that are in excess of what is required for dealing with the PSBs' stress.

Given that the government has chosen to solve the banking crisis through a recapitalisation program, we have empirically analysed the objectives that such a program may fulfil. The larger issue at hand is the use of taxpayers' money to repeatedly bail out failed banks. Recapitalisation is not the solution to the problems of Indian banking. This needs wide-ranging structural and regulatory reforms. The question that needs to be asked is: in the absence of such reforms, how wise is it to keep throwing public money at a recurrent problem?

 

Rajeswari Sengupta and Anjali Sharma are researchers at Indira Gandhi Institute of Development Research, Mumbai. The authors thank Joshua Felman and Harsh Vardhan for useful comments and suggestions. We also thank Utso Pal Mustafi of IGIDR for assistance with the data.