SynopsisThe Reserve Bank has recently barred the two payment-system operators from issuing fresh cards for delayed compliance. While the move has best intentions, it has the unintended consequence of increasing financial stability risk over the medium term. Here’s a deep-dive into the regulator’s enforcement actions in the light of case law and financial policy.
The Reserve Bank of India (RBI) recently prohibited Mastercard from onboarding new customers on its network on account of non-compliance with its data-localisation norms. According to the RBI’s release and media reports, the regulator issued sanctions against Mastercard for delaying compliance with the aforementioned norms.
It may be recalled that the apex bank also banned American Express from adding new users on similar grounds recently.
However, it is important to remember that RBI and other regulators are subject to the law of the land. It is also important to ensure that the regulatory and enforcement policy does not lead to what economics refers to as unintended consequences.
This article will take a closer look at RBI’s enforcement actions in the light of case law and financial policy. Should the banking regulator have pursued a more proportionate course of action than an outright ban on card issuance? Such a proportionate measure can include levying financial penalties on the regulatee for instance.
In the above context, the article will evaluate RBI enforcement sequentially in terms of its unintended consequences; as per language of Section 17 of the Payments & Settlements Act; and finally, under the proportionality test of administrative law.
The unintended (but predictable) consequences
Mastercard, Visa, and NPCI are three principal payment systems networks operating in India. Mastercard and Visa operate across the cross-section of use-cases for cards — debit, credit, prepaid. NPCI issues and processes RuPay cards in the debit-card segment. Mastercard processes approximately 33% of the card volume in India, as per industry estimates. To offer greater quantitative context, Visa and Mastercard together process around 70% of the credit-card transactions in the country.
As the prudential regulator of the country, RBI has the mandate to regulate and supervise for financial stability. As the financial crisis of 2008 revealed, concentration risk can be a source of financial stability risk in a system. Simply put, concentration risk arises when a particular system — in this context the payments ecosystem — is overwhelmingly reliant on one or a few of the market participants for processing and settlement.
Since Mastercard operates a “4-box” model, barring Mastercard had the predictable consequence of issuers moving to Visa across the card users. This is notably the case in the corporate credit-card segment — a market worth INR6,000 crore a year, as per industry estimate.
It is important to note that even in the debit cards space, the “zero MDR” policy applicable to RuPay cards creates disincentives for debit card issuers to seek integration with it. So, practically, with the foreclosure on Mastercard, there is only one major payments network operating in India that issuers have a rational incentive to integrate with. The public policy consequence of RBI’s enforcement is thus to increase the concentration of card issuance on one network, albeit over a medium term. And with it comes the financial stability risk.
Indeed, RBI recognises that financial stability risk emanating from concentration can arise in the payments space. That is the very premise of the NUE licensing framework. And yet, its enforcement policy appears at odds with its regulatory objectives and mandate. Regulatory activism that is at odds with the goals mandated by the Parliament to the regulator to pursue will be counter-productive in the long run.
Section 17 is NOT punitive, it’s remedial
RBI relied on Section 17 of the Payments & Settlement Act to enforce the foreclosure on issuing fresh cards on both American Express and Mastercard. Barring a regulatee from conducting its business is a punitive measure. But a bare reading of the section will reveal that it does not empower RBI to impose punitive measures on a regulatee. For a better understanding to the reader, it states in summary that:
If a payment system or PSP is engaging or about to engage in a course of conduct that results in, or likely to result in systemic risk being uncontrolled, then RBI is empowered to issue directions to the payment system or PSP to cease and desist from (such) course of conduct, and to take necessary steps to remedy the situation.
It is plausible to argue that delay in complying with data-localisation norms may have systemic risk implications. However, as is evident from the summary, acting under Section 17, RBI may only issue directions to arrest the delay and expedite compliance with data localisation. Section 17 does not vest punitive powers to RBI. So, the regulator’s use of enforcement powers relying on Section 17 appears to be legally suspect in both American Express and Mastercard contexts.
The ‘proportionality’ test of administrative law
Administrative law is a branch of law that deals with judicial review of regulatory actions. As the Supreme Court has held in a long line of cases, courts afford regulators a wide measure of latitude in the exercise of their powers, except in cases where, among other limited grounds, regulatory actions are disproportionate. In other words, RBI’s actions in the exercise of its powers are required to pass the test of proportionality.
As the Supreme Court held in several cases, including most notably in Om Kumar vs. Union of India, the proportionate regulatory action requires a regulator to balance interests served and prejudiced respectively, account for other less-restrictive alternative remedies, and rely on them if they are available.
Applied in the context of delayed compliance with RBI’s data-localisation norms, it is transparent that RBI could have taken several alternative steps instead of the punitive measure of barring these entities from issuing fresh cards. Just to illustrate, it could have issued directions to both the payment-system operators to take remedial measures to comply with mandated norms in a timely manner. It could also have imposed monetary penalties on two entities contingent on further delays.
Instead, the regulator pursued the extreme step of barring both payment-system operators that, taken together, processed a significant card transaction volume.
The last word
While undoubtedly acting with best intentions, RBI’s actions, barring two payment-system operators from issuing fresh cards for delayed compliance / non-compliance of the data-localisation norms, have the unintended consequence of increasing financial stability risk over the medium term.
Moreover, RBI’s actions also appear legally questionable under both the statute it relies on to impose them, and broader administrative law as enunciated by the Supreme Court. It would serve both financial public policy and the law for RBI to permit the payment-system operators to issue fresh cards and impose a monetary penalty instead.
(The author is founder-principal of Black Dot Public Policy Advisors. Views are personal. Black Dot is not advising any of the entities discussed in the article.)
The latest from ET Prime is now on Telegram. To subscribe to our Telegram newsletter click here.