Aug 25, 2014

Shutting down Uber would be a terrible idea. RBI should aid innovation instead

By Suyash Rai and Ajay Shah

When you finish a taxi ride, between two and ten minutes are wasted in dealing with the payment. You could pay cash and the driver might fumble for change; you could swipe a credit card and, after an interminable delay, find that the device does not work; and so on.

A few years ago, there was an important innovation in this business by a firm named Uber. Their process flow works like this. The customer goes to the Uber website and submits credit card details (as is done with any E-commerce website). Now he undertakes a ride in a taxi. At the destination, the customer steps out of the taxi and walks away without doing anything on the question of payment. The payment is effected using the pre-stored credit card details. A bill is sent to the customer by email. This saves two to ten minutes for customer(s) and the taxi drivers.

If you multiply millions of taxi rides per year by a saving of two to ten minutes, it adds up to GDP growth. It is estimated that there are 5 million taxi rides per day in India. Assuming that we're dealing with 3 persons per taxi ride, the new technology will potentially save 91 million man-hours a year for each minute that is shaved off the payment step. This sort of process innovation is how, one small step at a time, the world achieves productivity growth.

Two days ago, RBI released an order which effectively requires Uber to shut down in India by 31 October.

The problem

RBI has issued multiple regulations imposing specific restrictions on card-based and card-not-present transactions. Instead of a signature, consumers are required to enter a PIN at merchant outlets. For online, card-not-present transactions, we are required to enter one-time passwords or other authentication information. Uber was using a loophole in the RBI regulations, which allowed payment transactions with foreign exchange outflow to be exempt from the authentication requirement. The payment was flowing to Uber's bank outside India, and then Uber was sending payment to the taxi driver in India, even though the receipt was issued on behalf of the taxi driver in India. Competing taxi services were also considering such a method of routing payment through a gateway abroad, but it was harder for them to overcome India's capital controls, as they are based in India, unlike Uber, which is a foreign company.

RBI's decision creates a level playing field between Uber and Indian taxi companies -- one in which all taxi companies are equally bad in their dealing with consumers, forcing two to ten minutes of time wasted with every ride.

The reason behind this and many other such steps can be found in RBI's overall approach towards regulation. It prefers paternalistic micro-management to market-based solutions.

Need for a composite strategy: prevention and law enforcement

Every month India is clocking about 100 million debit and credit card transactions on Point of Sale (POS) devices, with a total value of about Rs 20,000 crore. This means an annual card-based transaction volume of 1.2 billion, with a value of Rs 240,000 crore, and growing fast. Over and above this, there are "card-not-present" or online transactions. In calendar year 2012, the total money lost due to frauds relating to ATMs, debit cards, Internet banking and credit cards amounted to about Rs 52 crore. This may seem like a very small number compared to the total value of payments, but each instance of fraud is a crime and must be dealt with. This raises questions about consumer protection and law enforcement.

The consumer protection objective in this context is: consumers' funds must be protected from fraud. The question is: how should this be done? There are basically two approaches to this: prevention and enforcement. Both are important in an overall anti-fraud strategy. The regulator can impose security requirements that make it difficult to defraud customers, but each requirement has costs. Law enforcement can also help the consumer recover the money lost to fraud, but this also has costs and the consumers may get their money with a time lag or not at all.

When it comes to prevention, it is important to consider who is best placed to develop and implement preventive steps. This responsibility can be substantially shared by service providers, who are often better placed to make the right preventive choices, as long as they are held accountable. Service providers, in any case, have an interest in maintaining trust in their systems, and in addition to that, they could be held accountable by the regulator.

What has India's approach been?

RBI has been writing regulations to address this problem which have largely been paternalistic, micro-managing, and technology-specific. Earlier, one could make a card-based transaction by simply swiping a card and signing on the slip, but now one must enter a PIN in the POS device. This has made every transaction more cumbersome, especially where the POS device is not present in the immediate vicinity of the transaction (e.g. at restaurants). Earlier, one could transact online (called "card not present" transactions) with one factor of authentication, but now two factors are required, one of which is often a one-time password, generated and sent over the mobile network or by email. Given the relatively low reliability of SMS in India, this often leads to delays and failed transactions.

In E-commerce all over the world, customers link a credit card to a merchant website once, and then transact at will. This is not allowed in India. In addition, RBI has imposed several requirements on technological specifications for cards, POS devices, etc.

These measures have improved security of transactions. But were they optimal? Do they pass the test of cost-benefit analysis? Effectiveness of a measure is not the only consideration. Excessive regulation can be effective but not efficient. Regulators such as RBI have enormous powers, and they must always be asked to defend the use of these powers - on effectiveness, efficiency, and jurisdiction. This is essential to ensure accountability of these agencies.

All preventive measures impose costs on consumers and, at the margin, create a preference for cash payments and contribute to the tendency to avoid online transactions and the white economy. On the other hand, they also increase the robustness of transactions, thus increasing trust in these systems and encouraging greater participation in them. When we look closely, we find that not all payment transactions pose the same level of security risk. Systems can enable small-value transactions with minimal friction, and require significant authentication processes for higher-value transactions. Some transactions might justify 3 factors of authentication, but some other transactions may require just 1 factor. Regulatory intervention at system level takes a one-size-fits-all approach, which is costly. So, preventive measures are crucial, but they need to be proportionate to risks. This proportionality cannot be achieved by regulatory diktat. It must come from innovative market practices. The incentive for such innovation is destroyed by RBI's paternalistic approach. The counter-factual world that we do not see is one where innovative firms in the business of payments invent improved methods of risk management.

