The Insurance Regulatory and Development Authority of India (IRDA) recently released draft regulations for a regulatory sandbox (in simple terms, live testing of financial innovations for regulatory compliance) for the insurance sector in India.
The regulations are based on a report released in February this year by the regulator, and seek to lay down principles based on which innovative insurance firms can be allowed to develop products in a relaxed regulatory environment.
However, apart from lacking on several critical fronts, the regulations have been put out in the public domain for comments, for exactly 13 days, critically placed at a time when the country’s national election results were being announced, and in any case a time period too short for any serious analysis and scrutiny.
The regulations themselves scrimp on important issues of customer protection. To start with, they speak to customer protection at exactly one place, the ‘objective’. There is no explicit provision detailing the liability frameworks that would hold an applicant entity accountable for ensuring customer protection, or on compensation measures.
On data protection, the draft regulations provide very little clarity. The regulations simply mandate the maintenance of confidentiality of customer data, and an eventual deletion of all personal data of customers, without prescribing any other measures for data protection, and prevention of exploitation of such data by entities.
The regulations painfully confuse ‘confidentiality’ of customer data with data protection. The report released by the regulator earlier put the onus of policyholder data protection on the applicant entity: data preservation, confidentiality, integrity and availability of the same, irrespective of whether the data is stored or in transit within the entity, with customers or with third-party vendors. The regulations provide for none of this.
The regulations also do not mandate express customer consent (to buy the policy or be given information about the potential risks), a critical aspect of data protection and of affording customers agency. In fact, the regulations fail to provide policyholders with an option to opt out of the policy post the proposal stage, something that was emphasised in the February report.
Most critically, the regulations have no provisions on preventing applicant entities from selling policies to un-nuanced and vulnerable financial customers. With no concrete liability or compensation framework, negligible emphasis on data protection, and no overarching law on financial customer protection in India, these regulations lack serious oversight, and offer little credibility.
Further, the regulations do not mandate firms to develop, and inform the regulator and customers about risk mitigation strategies. This is in sharp contrast to regulations released by other countries. For instance, Singapore’s consultation paper on the creation of pre-defined sandboxes, known as Sandbox Express, expressly stated that this leeway was suitable for activities where the risks are generally low.
A reading of the guidelines mentioned in the consultation paper revealed that to safeguard the interests of the entity’s customers and contain potential risks of the experiment, a number of procedures were required to be followed by the applicant entity, like providing clear and proper disclosure to every user and obtaining an acknowledgement before the user can be on-boarded as its customer; limiting the customer base to only institutional and accredited investors who are not individuals; maintaining records of all transactions; disbarring the handling or holding of customer’s monies; ensuring the fitness and propriety of the firm’s shareholders, chief executive officer, directors and broking staff; and putting in place internal controls and processes to mitigate risks associated with the experiment, like money laundering and terrorism financing risks and technology risks such as cyber attacks.
It also seems counter-intuitive to have multiple regulators release their own guidelines on the same issue of technology and innovation (the RBI came out with its draft framework for fintech firms last month) particularly when the issues facing them are essentially the same — how best to protect financial consumers, while promoting financial innovation.
In such a scenario, it might be better to establish a common council or forum, with representation from all the financial sector regulators, to create a harmonised regulatory environment.
In Washington DC for instance, the Mayor established a ‘Financial Services Regulatory Sandbox and Innovation Council’, chaired by a Commissioner for the Department of Insurance, Securities and Banking.
This not only ensures the evolution of a common regulatory framework for innovation hubs and regulatory sandboxes for all fintech firms looking to innovate and grow, but also creates a level playing field, capitalising on regulatory foresight and the development of best practices.
In fact, the recent joint report of the European Supervisory Authorities reveals that in an analysis of the regulatory sandboxes established across Europe, it was clear that they are not limited to a specific part of the financial sector but are cross-sectoral (e.g. banking, investment activities and services, and insurance) in the kind of work they do.
In Hong Kong, the Fintech Supervisory Sandbox launched in 2016 has now been upgraded, to provide feedback to entities at an early stage of their fintech projects, and the sandboxes run by the other Hong Kong regulators like the securities regulator and the Insurance Authority have been linked, to provide a single point of entry for pilot trials of cross-sector fintech products.
With the IRDA and the RBI both releasing draft frameworks for fintech firms, coupled with growing consciousness over data privacy and customer protection, we need a holistic approach to financial sector innovations. A harmonised approach to data privacy and customer protection, both in the regulatory sandbox space and outside of it, will enable a deeper understanding of operating principles for fintech innovation and risks, cross-sectoral innovation, and regulatory co-ordination.
Without a uniform and rigorous approach to issues of technology, the most likely to suffer will be the most disenfranchised amongst us, and innovation will be limited to pockets of convenience and privilege.
The writer is a policy lawyer based in Delhi.