Stress Testing Methodology – Brief Comparison Across Regulators

By Nishanth K & Madhu Srinivas, IFMR Finance Foundation

The table below summarises, along some key dimensions, the stress testing methodologies adopted by the central banks in India, US, UK and EU to assess the stability of their banking systems. Note that the stress tests that individual banks conduct by themselves, as part of their Internal Capital Adequacy and Assessment Process (ICAAP), do not figure in our comparison. Also, the analysis below is based on the stability/stress test reports of the respective regulators for the year 2016.

All data for the above comparison was taken from the following references:



Aadhaar’s Potential for Financial Inclusion

By Bindu Ananth & Malavika Raghavan, IFMR Finance Foundation

We should care deeply that millions of Indians are still turning to expensive informal financial services in the face of seasonal and volatile incomes, despite years of trying to improve access to basic financial services. Any innovation with a promise to provide disruptive solutions deserves careful attention and a concerted effort to ensure success. It is in this spirit that we approach the Aadhaar debate.

Test and learn—but then evolve

For years, our country’s financial inclusion strategy tried to expand access by opening more bank branches. One reason this has not scaled is because providers face high operating costs for “low-value” services, driven in part by physical “know your customer” (KYC) procedures and paper-based verification of transactions. Previous work by our colleagues Anand Sahasranaman and Deepti George showed that the cost of delivering a rural loan of Rs10,000 through a branch could be Rs4,153 (41.53%) for a public sector bank and Rs3,207 (32.07%) for a private sector bank.

Aadhaar and IndiaStack have held out the promise of overcoming these costs using technology—through e-KYC for users, remote verification of transactions and lowering transaction costs of payments. Taken with other inclusion efforts, we are within striking distance of every Indian having access to a bank account and being able to easily send and receive payments. Not a panacea by any means but a definite milestone for inclusive development.

However, we have also arrived at an inflexion point for the unique identifier (UID) system. If the first part of the task for this system was about technology implementation, now it faces an important next step—creating trust and confidence in that technology and the institutions that administer and oversee Aadhaar. We must have the openness and the humility to leverage the potential of Aadhaar to deliver access to basic services while continuing to work on gaps and weaknesses, some of which we will only learn as we go.

Improving protections for users

We have some specific suggestions that need immediate attention with respect to financial service providers, the Unique Identification Authority of India (Uidai) and users, when considering Aadhaar and its use in digital financial services.

We must make providers liable to put customers back “in the money” for failed/unauthorized transactions: it is important that the users of Aadhaar-linked accounts and Aadhaar-enabled payment processes do not bear the costs of failures in this system as the volume of digital payments increases. The Reserve Bank of India (RBI) has taken the right steps by releasing a draft circular on limiting liability of customers in unauthorized electronic banking transactions. We need to move this into live regulation and extend it appropriately for non-bank providers and third parties.

Over 1.15 billion Aadhaar numbers are now in existence. Such a massive public database containing citizen information needs clear audit and accountability procedures.

We should support an independent observatory to monitor Aadhaar-based transactions: more hard data about the successes and failures of Aadhaar-based transactions will help drive an informed discussion about the system’s efficacy. An independent body monitoring Aadhaar transaction failures and user experiences, and publishing this data periodically, could be a strong accountability mechanism and improve Aadhaar.

We need a “living will” for Uidai: in large-scale projects of this nature, it is helpful to think about worst-case scenarios. In the banking world, “living wills” have been an interesting policy tool to force systemically important institutions to lay down their game plan in the event of bank failure. Similarly, no matter how improbable it might seem today, it would be useful for Uidai to lay out a plan to deal with a severe security breach.

We also need to reform the Aadhaar redress mechanism: currently, we have an opaque redress and complaints system at Uidai, especially a concern since the Aadhaar Act empowers only Uidai or its officers to initiate proceedings for disclosure or misuse of users’ information. Renuka Sane and Vrinda Bhandari’s writing addresses these lacunae clearly. We need a new framework and investment to set out accountability, reporting and performance expectations of Uidai on the Aadhaar grievance process.

We need market conduct oversight for data use by firms across the financial sector: in addition to stronger data protection laws, we need active oversight for firms using personal data. This applies more widely to the financial sector, but we highlight it in this discussion since Aadhaar-seeding of bank accounts is rising, requiring enhanced monitoring to prevent risks, and as more financial firms use IndiaStack as authorized user agencies. We must actively supervise how these firms and government use the Aadhaar system in conjunction with other customer data they hold.

We need to protect the privacy of all residents of India across all platforms, including Aadhaar: the idea that poorer people are less entitled to privacy should be dispelled. Compromising financial privacy could set back wider financial inclusion efforts, if improper disclosure of data leads to denial of credit or reputational harm. This issue goes well beyond Aadhaar, but the ubiquitous use of the Aadhaar number, including for finance, makes this more pressing.

To conclude, a project such as Aadhaar with implications for transforming service delivery must be strengthened in specific ways discussed here so that confidence and trust in the system grows.

This article first appeared in Livemint.


Pudhuaaru KGFS Turns 9 – The Journey of the First Branch


Insights from the “Digital Payments Roundtable” hosted by the Future of Finance Initiative

(This post is authored by the Future of Finance Team at the IFMR Finance Foundation).

In April, the Future of Finance Initiative (FFI) hosted a series of closed door workshops with a small set of digital financial service providers focusing on payments, credit and investments. The primary goal of the workshops was to map the “transaction journeys” of individuals using digital financial services in India and identify points of weakness from a supply side perspective. This helped us get a clearer understanding of the emerging customer level vulnerabilities in the Indian digital financial landscape. This blog summarises key insights from the first workshop that we hosted on digital payments. The discussions were held under the Chatham House Rule, so this post is limited to overall themes without attributing comments to participants. We thank the participants for their frank and open views presented at the discussions.

The payments ecosystem in India has undergone rapid evolution in the recent past. Post demonetisation, the big push from Government to scale up digital payments has been front-and-centre on the policy and industry agenda. Given all of this, we wanted to understand:

  • How are providers providing solutions relevant to new market segments?
  • Where are the risks and vulnerabilities across the chain of the players and processes associated with making a digital payment?

We posed some of these questions to the carefully curated set of participants of the digital payments workshop. They reflected players across the payments ecosystem in India including wallets, payment system operators, payment gateways, card payment processors and software developers.

New customer segments need new products tailored to their needs

The workshop kicked off with a discussion on broad trends and considerations emerging for those working in the payments industry in India. A key observation was that new segments of customers are being brought into the digital payments ecosystem who are different in their capacity to absorb any losses, compared to existing customers. This opens up new opportunities and responsibilities for providers, including on product design and innovation.

Specifically, financial services tailored for low-income consumers have not evolved in the Indian financial market, unlike other sectors such as telecommunications (where, for example, different levels and durations for phone recharges are available). As an illustration, most credit cards are set up for 45-day cycles as they are aimed at “salaried” employees who earn once a month. However, there are no cards with 20-day cycles for people earning twice a month or at more frequent intervals (such as those in part-time work or the informal sector). In the future, such a segment could be served by small finance banks and payment banks, potentially in partnership. Some participants felt that this approach to banking could be more effective for fostering financial inclusion than recent government schemes which scale up inflexible products (such as no-frills bank accounts).

Service providers in the chain of payments

The FFI’s focus to date has been understanding customer-level risks in digital finance. We wanted to use this opportunity to test our concerns with providers involved in payments transactions. To frame the discussion, and locate the various parties in the chain of a payments transaction, we presented a simplified schematic of our understanding of the payments ecosystem to the participants.

Figure 1: Card Not Present[1]: Online Payment Schematic

Source: The Future of Finance Initiative (2017)

The black arrows track transaction data flows and the green arrows track funds flows in the back end of a typical payments transaction. Participants agreed that this reflected the flows of a standard payments transaction. This schematic has remained broadly the same at the back-end for most forms of payments, but the challenges from the push towards newer forms of digital payment methods arise mainly from (1) the variance among front-end customer-facing applications, (2) increases in volumes of transactions and (3) the related data.

Pain Points include security, transaction failures and policy uncertainty  

Discussions then followed through the afternoon about the operational aspects of completing payment transactions and pain points in the current scenario.

Data protection and data security: Payment services providers generally include clauses in their terms and conditions regarding customer data use. However, the practices around this vary vastly. A key concern with direct impact on customers relates to data security, given the amount of data collected, stored and transmitted digitally in the payments process. ISO 27001 is the key global standard to which players in the payments industry generally aspire. It was observed that full compliance with the standard was unaffordable for most providers, though the majority of them complied to the best extent possible.

Issues with the Payment Card Industry Data Security Standard (PCI DSS), the industry standard for policies and procedures aimed at protecting data in card and payment transactions, were also discussed. Adherence to all aspects of the PCI DSS was patchy across industry participants. The standard does not have an enforcement body (being an industry standard with compliance driven by the requirements of other payment brands and acquirers). Concerns were raised that certain payment gateways and services were falling foul of the requirements without being censured, for example by storing CVV for extensive periods of time in contravention of PCI DSS.[2] It was pointed out that the PCI DSS provisions are from a pre-mobile era, and tend to be web-focussed. This results in gaps arising even in these standards with respect to data security for mobile transactions.

With regard to future regulation, participants stressed the need to carefully balance the costs of compliance against evaluations of risk when regulations are being formulated.

Hardware security: Hardware security is often overlooked in discussions around payments security. Participants discussed the absence of hardware checks for mobile phone handsets or regulations limiting pre-installed applications on mobile phones. This opens up the possibility of phones manufactured in other countries being sources of data theft and spyware. For instance, in 2016 firmware was found on Chinese-manufactured smartphones being sold in the US which transmitted personally identifiable information (PII) to servers in China via a back door.[3]

To raise consumer awareness of security vulnerabilities and to drive providers to adopt better security practices, one idea suggested was to develop standardised indicators on apps and webpages to give users an immediate indication of the level of security. An existing example of this is the green lock HTTPS URL marker (image source: hostcats.com, 2016) currently used by web browsers to indicate that a website holds a Secure Sockets Layer (SSL) certificate.

Transaction failures and frauds: Participants noted that the payments industry needs to improve on the failure rates for transactions to avoid affecting consumer confidence and usage. There was consensus that the regulator could play a constructive role in publishing aggregated information about transaction failure rates to incentivise higher data security standards. Providers themselves would shy away from publishing this kind of data individually. However, aggregated data published by a neutral third party or regulator could drive the providers to measure themselves against this benchmark and aspire to better rates.

Regulatory uncertainty and intervention: Participants discussed concerns about the impact of regulatory uncertainty along with how prescriptive regulatory standards had the potential to stifle innovation. Providers were concerned about competing with Government sponsored payments products and services and were anxious about Government subsidies and price caps that could put pressure on market prices, and introduce uncertainty for providers who were seeking to be commercially viable. There was also discussion on the need for having a level-playing field for new payment service providers as against established providers like banks.

Overall, the workshop was a fascinating deep dive into the perspective of the various actors who participate in making a payment transaction possible – while keeping the customer’s experience and concerns at the heart of the discussions.


About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.

[1] Card not present (CNP) refers to a purchase a consumer makes without physically being present or presenting his or her credit or debit card at the time of purchase.  CNP transactions often occur online and are conducted by consumers without the actual in-store credit card swipe – which is likely the major direction of travel, as more digital payments are made over mobile/internet to pay for goods and services.

[2] For more see: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

[3] For more see: http://gadgets.ndtv.com/mobiles/news/chinese-firm-installed-back-door-on-thousands-of-smartphones-says-it-was-a-mistake-1626136


Natural Catastrophe Insurance – In Conversation with Mr. Ulrich Hess

By Vipul Sekhsaria, IFMR Holdings

In the below video we share a brief conversation with Mr. Ulrich Hess, GIZ. Mr. Hess is currently a Senior Advisor, InsuResilience Initiative at GIZ, and has worked extensively in the field of natural catastrophe risk insurance market. In the video he shares his insights on the impact of natural disasters on the livelihoods of households and the risks associated with it. He also talks about the challenges in designing a natural catastrophe insurance product and addressing issues associated with both inefficiencies and effective delivery of the product.