Over the weekend, the RBI rolled out its much-awaited ‘draft enabling framework for regulatory sandbox’ (RS). This followed the recommendations of the inter-regulatory working group, which stressed the need for such a framework to increase efficiency, manage risks and create new opportunities for consumers.

While the policy is welcome, there are some crucial points of ambiguity, particularly with respect to customer privacy and data protection that raise serious concern.

To begin with, the framework simply demands of an applicant entity to “demonstrate arrangements to ensure compliance with the existing regulations/laws on consumer data protection and privacy.” However, the status quo on consumer data protection and privacy is woefully inadequate, and a curated financial data protection framework does not exist at all.

Existing legislation

The right to privacy is still only a Constitutional right espoused by the Supreme Court, and the widely contested Data Protection Bill remains unenforceable.

The existing applicable legal framework for the fintech industry is encapsulated primarily in the Information Technology Act, 2000, which while providing for some norms for data collection and its usage, doesn’t elaborate adequate guidelines for data storage techniques, data processing or user consent when it comes to particular kinds of financial data.

To this extent, although a motley of other financial laws also provides some perspective on privacy, these laws are largely inconsistent across the financial sector, disparate in the protections they offer, and designed to focus more on fraud than on privacy.

Most importantly, both for entities and consumers, the legal landscape on financial data protection is exceptionally complex.

Burden shifting

Further, the regulations make the entity responsible for maintaining customer privacy, without clarifying the liability and compensation frameworks, and the adequate metrics and ring-fenced mechanisms for limiting customer liability. Most alarmingly though, the RBI continues to rely on the problematic policy stance of making entities seek “explicit consent” from their customers.

Not only does this shift the burden of consumer protection from the state to private entities, the policy also fails to realise that consent-based privacy policies, particularly in the frontier fintech space, may fail given the usual fintech jargon (this can be mitigated, for example, by the regulator prescribing a standard language in certain cases) and un-nuanced financial customers. In effect, by placing the onus of compliance with data protection laws on applicant entities, the policy also shifts the burden on to the consumer to review the proposed innovation and ask for meaningful enforcement of their rights; a cost too high for any one individual.

Even within the consent–privacy conception of consumer rights, the least the regulator should ask for is meaningful consent, and application of key data protection principles like purpose limitation and access control, transparency in data-collection and usage at every stage, and a clear exit strategy for consumers to opt-out when they choose; all of which are missing in the draft framework.

The draft framework’s silence on the application of the principle of proportionality to entities, that is, applying the framework in a manner that takes into account an institution’s size, internal organisation and nature, and the complexity of its activities, is particularly telling.

No overarching law

The European Banking Association’s guidance on this matter asks regulators to seek appropriate risk-mitigation measures based on these factors, before permitting the commencement of the test. It must be remembered that India still does not have an overarching and dedicated financial consumer law (unlike other countries like the US), and data protection legislation is still just being formulated.

In the absence of both, fielding obscure regulations without clarity on liability and compensation with regard to both customer privacy and protection is dangerous.

Further, unlike many countries, the framework of RS in India has been restricted largely to the banking sector, with no mention of other allied sectors like insurance.

In Hong Kong for instance, the sandboxes of the Hong Kong Monetary Authority, the Securities and Futures Commission and the Insurance Authority are linked, so that there is a single point of entry for pilot trials of cross-sector fintech products.

To reduce regulatory arbitrage and achieve a harmonised approach to innovation, it is imperative that the domestic regulators create a common forum of information exchange and joint initiatives. This is also useful for coordinating efforts on consumer protection, competition and data protection across the board, and will be particularly helpful to firms looking to explore innovative business models, and products that intersect multiple policy areas. A regulatory sandbox introduces the potential to revise and shape regulatory conversations around new technology and innovation with agility.

However, if the goal is to promote innovation and safety, it will take more concerted effort than just providing a sandbox.

For instance, in South Korea, the RS programme was followed by a government allocation of 2.89 billion won and 2.81 billion won to the industry and science ministries, respectively, to carry out related tests and help companies find new markets; and the Financial Services Commission was also given four billion won.

Lastly, as global thought on the subject recommends, it is hoped that a regulatory sandbox doesn’t become a distraction for policy makers, and draw attention and resources away from more urgent policy interventions on larger customer protection and data privacy goals.

The writer is Fellow, Esya Centre
