A Great Leap Forward to Transform Fintech: Data Empowerment

India is one of the first nations in the world to kick off Open APIs for consented financial data sharing. And nobody’s heard about it! 

Dear Kickass Financial Product Managers and (current & future) Fintech Entrepreneurs,

Amidst the usual flurry of sensational headlines, you may have missed a quiet announcement a few weeks ago that marked a monumental shift: RBI became the first central bank globally to publish a common technology framework – including detailed APIs – for consent driven data sharing across the entire financial sector (banking, insurance, securities, and investment).

This is a gamechanger for the industry.

Out of context, yet another circular with a good deal of jargon is an easy thing to gloss over. But it turns out this effort is actually a global first: although the UK, EU, Bank of International Settlements (BIS), Canada, and others have begun thoughtful public conversations around Open Banking (e.g. through that famous BIS report making the case, initiatives like PSD2, conferences, and various committees), India is one of the first nations in the world to actually make it a market reality by publishing detailed technical API standards — standards that are quickly being adopted by major banks and others across the financial sector in the country without a mandatory requirement from RBI. It’s not just the supposedly cutting edge banks of Switzerland, the UK, or the US driving fintech innovation: the top leadership of our very own SBI, ICICI, IDFC First, Bajaj Finserv, Kotak, Axis, and other household names have recognised that this is the way forward for the industry, and are breaking through new global frontiers by actually operationalising the powerful interoperable technology framework. Not only are they adopting the APIs, some are also starting to think through the new lending and advisory use cases and products made possible by the infrastructure. We think many new fintech startups should also be considering doing the same.

Why do the APIs Matter?

The world is focusing heavily on data protection and privacy – and rightly so. Securing data with appropriate access controls and preventing unauthorised third-party sharing is critical to protecting individual privacy. But to a typical MSME, portability and control of their data is just as critical as data security to empower them with access to a stream of new and tailored financial products and services. For instance, if an MSME owner could share trusted proof of their business’ regular historic GST payments or receivables invoices digitally with ease, a bank could now offer regular small ticket working capital loans based on demonstrated ability to repay (known as Flow-based lending) rather than just loans backed on collateral. Data sharing can become a tool for individual empowerment and prosperity by enabling many such innovative new solutions.

Operationalising a seamless and secure means to share data across different types of financial institutions – banks, NBFCs, mutual funds, insurance companies, or brokers – requires a common technology framework for data sharing. The published APIs create interoperable public infrastructure (a standard ‘rails’) to be used for consented data sharing across all types of financial institutions. This means that once a bank plugs into the network as an information provider, entities with new use cases can plug in as users of that data without individually integrating with each bank. Naturally, the system is designed such that data sharing occurs only with the data owner’s consent — to ensure that data is used primarily to empower the individual or small business. The MeiTY Consent Framework provides a machine-readable standard for obtaining consent to share data. This consent standard is based on an open standard, revocable, granular (referring to a specific set of data), auditable, and secure. Programmable consent of this form is the natural next innovation of the long terms and conditions legalese that apps typically rely on. RBI has also announced a new type of NBFC – the Account Aggregator – to serve as a consent dashboard for users, and seven new AAs already have in principle licenses. 

The Data Empowerment and Protection Architecture (DEPA) – in one image

In many other nations, market players have either not been able to come together to agree on a common technical standard for APIs, or have not been able to kick off its adoption across multiple competing banks at scale and speed. In countries like the US, data sharing was enabled only through proprietary rails – private companies took the initiative to design their own infrastructure for data sharing which end up restricting players like yourselves from innovating to design new products and services which could benefit people on top of the infra. 

What other kinds of innovative products and services could you build? 

Think of the impact that access to the Google Maps APIs allowed: without them, we would never have seen startups like Uber or Airbnb come to life. Building these consented data sharing APIs as a public good allows an explosion of fintech innovation, in areas such as:

  • New types of tailored flow-based lending products that provide regular, sachet sized loans to different target groups based on GST or other invoices (as described above). 
  • New personal financial management apps which could help consumers make decisions on different financial institutions and products (savings, credit, insurance, etc.) based on historic data and future projections. This could also branch out into improved wealth management or Robo advisory. 
  • Applications that allow individuals to share evidence of financial status (for instance, for a credit card or visa application) without sharing a complete detailed bank statement history of every transaction

…and many others, such as that germ of an idea that’s possibly started taking shape in your mind as you were reading.

In summary

This ecosystem is where UPI was in mid-2016: with firm, interdepartmental, and long term regulatory backing, and at the cusp of operationally taking off. UPI taught us that those who make a bet on the future, build and test early (PhonePe and Google were both at the first ever UPI hackathon!), and are agile enough to thrive in an evolving landscape end up reaping significant rewards. And just as with UPI, our financial sector regulators are to be lauded for thinking proactively and years ahead by building the right public infrastructure for data sharing. RBI’s planning for this began back in 2015! They have now passed the innovation baton onto you — and we, for one, have ambitious expectations.

With warmest regards,

iSPIRT Foundation

I’m Pinging A Few Whatsapp Groups Now, What Else Should I Send Them To Read? 

For any further questions or queries, please reach out to [email protected] and [email protected]

Bharat Calling In Bay Area

In the first week of October, around Dussehra, a bunch of Indians gathered in the Bay Area. The setting had nothing to do with Dussehra, it had more to do with whether they would be spending their next Dussehra while settled in India or in the Bay Area.

iSPIRT conducted two sessions around opportunities emerging in India, spurred by new digital public goods that are going to create a Cambrian explosion of new software products.

The startup activity in India over the past few years has been noted by Silicon Valley and the attendees had a keen interest to discuss what has been happening on the ground.

There were two primary tracks to the discussion:

  • how India has changed in the past decade or so and 
  • what factors have contributed to that radical change

The largely held view of the ecosystem among those gathered was of the 2008 – 2014 period, when the majority of them were last in India, studying or working.

The concerns raised about starting up were around ease of doing business and culture at the workplace but the consensus was that things are improving in these regards.

The keywords that came up to describe the factors causing the change in India were Jio, Modi and so on. However, the fascinating point to learn for all was about the rise of digital public goods and how they are fundamentally changing the market playground in India.

Many had heard of UPI (Unified Payment Interface) and rightfully so, credited Government for it but what awed everybody was how it came about with the effort of a bunch of volunteers believing in the idea of open-source public good and making India a ‘Product Nation’.

Everyone agreed that a new growth journey lies ahead for India, created by factors such as the rise of internet users, internet penetration with Jio, high data consumption and user education that comes along with it. However, it will get catalysed further when coupled with digital public goods.

UPI has been a success story and it crossed more than a billion transactions last month and had overtaken global volume of American Express months back! A number of successful companies like JusPay and PhonePe capitalised on UPI and similar opportunities now lie ahead with :

We dived into specifics of all these to discuss myriad product opportunities that will emerge, enabling new success stories.

This will further be enabled by :

  • Talent that is more agile and honed to operate in an ambiguous startup environment. This has turned around in the past few years, while a lot of talent was tuned to work in a corporate environment earlier.
  • More access to seed capital as more startup operatives have gained wealth and experience in the past few years
  • And parents are more supportive of the idea to join a startup or start one!

Capitalising on all these would need a new entrepreneur archetype that operates from first principles thinking to dig deep in the market and create viable products and business models taking advantage of unique local factors.

Volunteering with iSPIRT can act as a good channel to understand the market better, to get involved with understanding and building digital public goods that are shaping the times ahead in the country.

It’s the forum to engage with peers that help you learn more about yourself, discover your flow that brings joy and contribute towards a public good.

One attendee summed up the takeaway beautifully –

“In the US, I have created a professional career and learnt lessons by building on top of platforms in the West. Now, there are similar opportunities to build on top of platforms and participate in Indian playground. If I get to become an iSPIRT volunteer, I can not only build on top but also help build the very platforms that are driving India forward.

In my own backyard, I have the local know-how to build for India and should act on it, instead of watching Chinese and Western apps put their stake from Kashmir to Kanyakumari.”

To know more about emerging public goods, iSPIRT Foundation and know our volunteering model, check out www.ispirt.in and write to [email protected]

We would like to thank Jaspreet from Druva, Anand Subbarayan from Lyft for hosting us, Hemant Mohapatra from Lightspeed Partners for helping with the setup and our local volunteer Pranav Deshpande.

Some reflections on the fireside chat with Vinod Khosla and Nandan Nilekani

On a cloudy Bangalore evening on August 2nd, the otherwise quiet campus of a medical college in the ‘startup saturated hub of Koramangala’ was bustling with energy. That night the campus was hosting a fireside chat with Vinod Khosla (renowned Venture Capitalist and Co-Founder of Sun Microsystems) and Nandan Nilekani (Co-Founder of Infosys), with Sharad Sharma (Co-founder of iSPIRT) acting as moderator.

Sitting in the midst of many young entrepreneurs, Sharad remarked how energetic Vinod and Nandan are at their respective ages.

Vinod responded “I have this fear that you can grow old when you retire, not retire when you grow old. So, I hope I never retire. As long as you have interesting problems to work on, there’s nothing more exciting to do than work on that.”

Sharad commented that even after all of his accomplishments, it seems that Vinod sees himself as the David in a ‘David vs Goliath’-styled battle and wondered whether that was a fair assumption.

Vinod replied “You want to be the underdog. You want problems to be hard. If they were easy to solve, somebody would have solved them. The problems are very large when you look at them initially. If you apply exponential learning to that, you can catch up with any problem very quickly. If you get on the right path to exponential solutions, they’re not as hard as they seem. Just starting to solve the whole problem in one step is like trying to climb Mount Everest in one step and go straight to the top without going to base camp 1, base camp 2 along the way.”

Turning to Nandan, Sharad asked “I think India does not have a David vs Goliath mindset. Does it?”

Nandan replied “India didn’t get Independence without thinking big. India’s first elections is another example of thinking big. I think it’s all there. Now, we are applying it in new ways. We shouldn’t be daunted by the size of the problem. Whether you’re solving a small problem or a large problem, it requires the same amount of thinking. So, you might as well solve the large problem. There’s much more value for your time and money. Today, you’ve, on one side, an extraordinary array of things that need to be fixed. And, you have an extraordinary array of tools & technology that can fix those problems. You’ve access to enormous amounts of capital & great talent. There’s no better time than this”

Sharad brought the conversation back to Vinod, asking what it takes for entrepreneurs to step up to big problems, to unlearn, to position themselves to be breakthrough entrepreneurs.

Vinod expressed that, in his view, “most people, most of the time, are limited by what they think they can do, not what they can actually do. Most people limit themselves. It’s a surprising thing to say, but I almost always find it to be true.”

He elaborated that entrepreneurs must have the courage to take one little step at a time on this exponential climb. They do not have to figure out the whole journey in order to start the journey. They will determine the right paths to follow along the way. They just have to be creative in figuring them out.

He mentioned that he doesn’t mind failing and that his “willingness to fail gives [him] the ability to succeed. Most people fail to try, instead of trying and failing.”

He went on to share an observation with the audience. He said “I look back 40 years and I can’t find one major innovation that came from a large company. Not one. General Motors and Volkswagen couldn’t design an electric car. Boeing & Airbus couldn’t do space as SpaceX could. None of the media companies did media as Twitter and Facebook did. None of the Pharma companies did Biotechnology as Genentech did.”

It’s important to note that he mentions ‘large innovation’ and not ‘incremental innovation’. Also, he refers to innovations that turned out to be large in their impact on markets that they were meant for.

While there are many examples to support this claim, let’s take examples from the period of the early days of Sun Microsystems, about four decades ago.

Xerox’s PARC lab had a treasure trove of innovation that would have never seen the light of day, had it not been for Apple.

IBM at their research lab in mid-1970s, pulled together some of the smartest people in the field to create a functioning relational database system based on Ted Codd’s theory (Codd was an English computer scientist who, while working for IBM, invented the relational model for database management, which served as the theoretical basis for relational database management systems).

They succeeded and developed a functional language called SEQUEL (Structured English Query Language), later changed to SQL. In any sense imaginable, it was a breakthrough, but it wouldn’t have revolutionized the software industry had it not been for Larry Ellison’s Oracle.

Vinod mentioned that “when the path is not clear and you are inventing something new, almost certainly it would be a startup, despite how hard it may sound!”

He mentioned that when people in the energy sector looked to GE and Siemens to innovate, they didn’t.

In the current market dynamics with large tech monopolies, we see, at times, that an incumbent does well at copying what a startup does, but they rarely outdo the hunger and agility of a fast-growing startup. Google had trouble with the social network, and there are numerous examples to this effect. However, given the large distribution that few of the monopolies have with nearly zero marginal cost to acquire new customers, even if the product is not the best to be found in the market, some other inherent advantages can make a me-too product of a large incumbent thrive. For example, Microsoft, despite Slack’s rise and successful IPO, is doing well with Teams because it is leveraging its corporate-ubiquitous Office 365 suite. (Ending Q2 2019, Teams had 13 million DAUs as compared to Slack’s 10 million DAUs.)

These occurrences should in no way deter the entrepreneur, but he or she does need to immerse him or herself in systems thinking and order effects of multiple degrees when looking at how dynamics in the market that he or she is trying to disrupt, will evolve.

Following up on this point, Sharad pointed out that usually there is something working in the background enabling the entrepreneurs to carry out the change. The wind in their sails such as a technological shift, market change, and public goods.

He cited examples of GPS, India Stack and Solaris, (a UNIX operating system developed by Sun Microsystems) which came about as a result of AT&T and Bell Labs opening up UNIX standard to the world.

Nandan agreed and said “So far entrepreneurs’ successes have been built on huge investments in public infrastructure by governments like the Internet, GPS etc. We need to invest in long term digital infrastructure. Only governments can afford it or have that vision. Then open it for private innovation.”

He further mentioned that “It’s a philosophy that we have adopted in India. Just as the US invested in the internet, GPS etc, we will invest in identity, payment infra, etc. and API-fy them, thus allowing innovation to happen on top of that.”

Vinod chimed in saying that “almost all entrepreneurs build on things that are already there. In fact, how much you orient that infra towards entrepreneurial ventures makes a huge difference. There are lots of startups in the US-based on government funding in science and technology in US universities.”

Nandan added that the advantage that we have now, is that the technology has been democratized. “We have all kinds of open source stuff. We have a cloud. It’s all there and it’s all free. And it’s for entrepreneurs to take that and mix & match. That’s where we can do a lot of work.”

Sharad summarized this exchange aptly by saying that “solving hard societal problems needs ‘jugalbandi’ between public infrastructure and private innovation on top of it.”

Taking an another IBM example of how this ‘jugalbandi’ manifests, while IBM was working on SEQUEL, a group of professors at the University of California, Berkeley, were also working on a relational database as part of a project called ‘Project Ingres’, funded by the US Government. Oracle used both as a foundation to spear through the market.

It was ultimately the speed of execution that saw Oracle making headway, utilizing the nudge given to it (IBM introduced a commercial product in February 1982, despite having a relational database up and running in 1977. They also were invested in hierarchical database system called IMS and were not fast enough to cannibalize their product)

In India, if the BHIM app was a B2C reference implementation of UPI, PhonePe utilized the opportunity to build a massive business on top of the same UPI stack.

Shifting gears, Sharad recalled his interaction with Jeff Bezos where he said Jeff takes just 10 minutes to determine whether a new hire is a good fit or not and one of the key things he looks for while assessing, is resilience. Entrepreneurs need loads of it as a ‘David’

Sharad asks Vinod about what he looks for in an entrepreneur when he is deciding whether to fund a start-up.

Khosla said “There’s no one formula. As a tech investor, you’re looking for a unique solution where one can create an advantage over time. It’s as simple as that. The biggest ingredient is the quality of the team you assemble. If it’s a great team, we will fund it, whether it has an interesting business plan or not. Team matters the most. And then how clever you are, how differentiated your technology is, how far ahead are you of others in thinking through how you want to build it.

“An important characteristic when evaluating somebody who has failed is what’s their rate of learning. That’s probably the most important way you evaluate an entrepreneur. When they move from job to job, do their teams follow? What books do they read? Do they spend their time learning new things? There are half a dozen things like that, that I personally use in evaluating people. But it’s still the hardest thing you do.”

He further added that he also has a strong belief that people with expertise in the area apply old rules and old biases while noting that experience is one of the largest biases there is!

Taking his Fintech investments as examples, he explains how the founders of Square, Stripe and Affirm never had worked in Fintech. Not knowing the space proved to be a massive advantage, and the entrepreneurs tried to solve problems with great empathy towards the customer, iterating while operating with first principles thinking.

He added by giving the example of Elon Musk’s never having worked in the auto industry prior to founding Tesla. Automakers laughed at the Silicon Valley startup with no experience in auto-making. He made lots of mistakes but fixed them quickly while figuring out a better way to proceed than those decided through conventional wisdom.

For those looking to innovate in their existing field of expertise, Sharad echoed that unlearning is more important than learning.

Sharad posed a nuanced question for Vinod by asking whether a healthcare start-up hiring a VP of Sales should hire one from the healthcare sector or not. Sticking to his view, Vinod remarked that he would rather hire an athlete who would be innovative and learn quickly instead of someone with bias from experience!

Talking about the quantum of funding and the excess in Silicon Valley, Vinod said, “nobody can say what’s the right level of money. It feels like a lot of money is floating around in Silicon Valley. But that’s because there’s been a lot of really good ideas. When new platforms emerge, new applications become possible. Then great entrepreneurs build them.”

He continued, “if you look at your mobile phone, and the touch interface, there really hasn’t been a huge startup in the US in the last five years. If you look at Uber, Lyft, Airbnb, Pinterest, they are all done. We have to see where are new platforms coming along.”

When prodded on what these new platforms can be, he elaborated “I do think AI is a new platform and offers lots and lots of opportunity. Fortunately, other than ads, it offers opportunity in lots of societal impactful areas. Medicine is my favourite. 3D printing is another new platform that people aren’t using enough. One of my favourite startups right now is trying to 3D print whole houses. What’s the advantage of that? Much, much lower cost, 24 hours to print a house, but more importantly, it’s environmental footprint is much better.”

He also wanted to highlight for entrepreneurs that large problems to be solved are not confined to the domain of software, but are present in many other fields as well, such as food, construction, healthcare, transportation, etc., which are all open to radical innovation.

He said that when one merges biotechnology solutions, such as CRISPR, with AI, all kinds of disease solutions are possible. He also believes that startups will dominate drug discovery using AI, far more than the big pharmaceutical companies will.

He brought up the example of Impossible Foods and recalls everyone asking him why he was investing in a hamburger company.

Giving the rationale behind the investment, he said that “about 30% to 40% of the planet’s land surface area is used for animal husbandry of one sort or another. I think about 90% of it could be freed up if the same meat was produced using the techniques like Impossible Burger. Plant proteins are the best way to save the planet. It’s healthier than meat proteins for humans because they come with cholesterol and other negative things. So it’s a beautiful solution.”

Talking more about the funding and its quantum, he argued that “the more money you raise initially, the less likely you are to succeed. There’s some beauty & elegance in very small amounts of money because it forces you to think about your problem much harder…you’re much more creative with your solution.”

While speaking about the need for creativity, Sharad mentioned that when entrepreneurs hit an obstacle during the process, they need to re-imagine and rejig, however, there are certain components that ought not to be rejigged, such as the core set of company values.

He gave examples of Infosys and Wipro being built on that value-based culture while noting that Bangalore’s vibrant ecosystem today is definitely a beneficiary of that culture.

Nandan agreed and said “values are very important if we want to build companies to last. If we want to build companies that sustain themselves over decades and really have an impact on society and the world, they have to be anchored in a core set of values.”

Vinod concurred, reflecting that “if you don’t have values, the first time you run into a problem, people scatter. If you have values & you have a mission, people stick together & double their efforts as a team. Values play a big role during bad times”

Following this topic, the chat naturally steered towards how entrepreneurs evaluate risk and what can be the right framework for evaluation and mitigation.

Vinod said that there is no one set of rules and that everyone has their own way of looking at it.

He added, “most investors reduce risk to the point where the probability of success is high, but its consequences of success are inconsequential. It’s a good way to get a predictable rate of return. I personally find it much more exciting, where the probability of success is low, but consequences of success are consequential.”

He gives the example of Larry and Sergey, founders of Google, saying that they had no interest in making a billion dollars when Yahoo offered to acquire them. They wanted to be consequential and change the world.

While this statement is accurate, it is important for us to study the different risk scenarios that entrepreneurs face, as well as how they frame and mitigate them. The reason is that while the Google founders rejected a billion-dollar offer, they also badly wanted to sell ‘PageRank’ to AltaVista and Yahoo for 1 Million Dollars to go back and resume their studies at Stanford (from The Google Story by David A.Vise).

So then, the question that arises is that how do the founders have different outlook towards acquisition at different points in time? What changes in-between, what transitions entrepreneurs go through, and what indicators should they rely on? One can dive into ‘Prospect theory’ and other frameworks for decision analysis under risk, but we also need to consider the passion and hunger of entrepreneurs, the unquenchable fire that powers them through the risk. That will have to be another iSPIRT blog altogether!

Speaking about the risk entrepreneurs face, Nandan added “You need a social fabric which delinks failure from the person; which recognizes that failure is a tremendous experience which is likely to increase the probability of success the next time around. Here failure, person & institutions are entwined.”

————

Talking about AI, Vinod said “There will be enough jobs for humans after ‘Artificial General Intelligence. We don’t have enough humans for all the elder care we need and all the childcare. We could deploy ten times as many people and raise better children and look after elders much better. Those are just two examples. I think relationships are the inherent human tendency that will not go away and meaning will come from relationships.”

Nandan added that “the assumption that AI will automate everything and there will be no jobs left and therefore we need UBI and a way to keep them occupied is wrong. The way I think about it, AI amplifies human capability. The combination of human and AI is going to be very strong.”

As the chat drew to a close, it became more apparent than ever that for the Indian ecosystem to thrive and for us to build massive companies, we need a new entrepreneur archetype – the kind that can zoom out and look at macro-trends, applies ‘systems and first principles’ thinking, platform over product thinking, have big audacious goals while being extremely empathetic to their customers.

There used to be a long gestation period from the founding of a company until it faced foreign competition on Indian soil. From early days of MakeMyTrip, Naukri to Ola, Quikr a few years back, it has reduced drastically such that companies like PhonePe have to ward off heavyweights like Facebook, Google and Amazon within a year of starting up! Indian entrepreneurs will need to buckle up as the platform wars on Indian Playground with digital public goods will only intensify, unleashing massive opportunities and growth for the country.

Please write into [email protected] for a deep dive and information on upcoming iSPIRT events where we will discuss this new entrepreneur archetype as part of what we call ‘Athletic Gavaskar Project’, and to learn more about our volunteer model.

Data Empowerment and Protection Architecture Explained – Video

More commonly known as the ‘Consent Layer of the India Stack’, Data Empowerment and Protection Architecture (DEPA) is a new approach, a paradigm shift in personal data management and processing that transforms the currently prevalent organization-centric system to a human-centric system. By giving people the power to decide how their data can be used, DEPA enables the collection and use of personal data in ways that empower people to access better financial, healthcare, and other socio-economically important services in a safe, secure, and privacy-preserving manner.

It gives every Indian control over their data, democratizes access and enables the portability of trusted data between service providers. This architecture will help Indians in accessing better financial services, healthcare services, and other socio-economically important services.The rollout of DEPA for financial data and telecom data is already taking place through Account Aggregators that are licensed by RBI. It covers all asset data, liabilities data, and telecom data.

We, at iSPIRT, organised a learning session on the 18th of May, to give relevant and interested stakeholders a detailed primer on DEPA. We had 60-odd very animated and engaging people in the audience. The purpose of the session was to understand the technological, institutional, market and regulatory architecture of DEPA, it impacts on existing data consuming businesses and how people could contribute to this new data sharing infrastructure that’s being built in India.

The session was anchored by Siddarth Shetty, Data Empowerment And Protection Architecture Lead & Fellow, iSPIRT Foundation (Email – sid@ispirt.in). Please feel free to reach out to him for any queries regarding DEPA.

For other queries, please write to [email protected].

Drones, Digital Sky, Roundtables & Public Goods

This is a guest post by Dewang Gala and Vishal Pardeshi (Pigeon Innovative).

Unmanned Aerial Vehicles(UAV’s)/ Drones have been making a buzz all over the world. Drones in the past have been looked at as a threat in various countries. The public perception towards drones has been very different in the past and has been changing over the past few years when people have been able to see the real benefits that this technology can offer. However, there is a need for a regulatory body to avoid the misuse of drones.

India is one of the key markets where the future growth of drone technologies is likely to emerge. India’s drone market expected to grow $885.7 mn and drones market in the world will reach $16.1 billion by 2021. Thus this market will create lots of employment opportunities and help our nation’s economy grow. Just like how the Information technology sector flourished in India increasing its contribution to the Indian GDP from 1.2% in 1998 to 7.7% in 2017, the Indian drone industry shows a similar promise.

How can drones contribute to the public good in India?

Previously, drones were an area of interest for defense sector only, but in past decade drones have been able to come into the public and commercial space where they have been able to take high definition photos, map a large area in a short time, calculate crop health, spray pesticides, inspect man-made structure which would be difficult or unsafe while doing it traditionally, play a crucial role during natural calamities to save lives, deliver goods and medicines.

Countries like Rwanda have allowed a full network of drones in their airspace which has helped save lives with the delivery of medical supplies. The company operating there initially had a huge challenge to convince people that the drones were meant for good and the company did not have the intention to spy on them. Once the people of Rwanda saw that these drones could save lives, a whole network of drones emerged across the country. Imagine the impact it would create across different industries in India if we accept and embrace this technology and have regulations in place for its safe usage. The upsurge of new drone-based innovative companies is a positive sign of India heading towards becoming a global leader in this field.

India is a high potential market, still entrepreneurs and businessman in this sector experience oblivion. This is because a few years back drones were completely banned in India as a perceived threat and now steps have been taken in Drone regulation 1.0 to get the industry moving forward. Though there are many roadblocks for the regulations to be in full force as it tries to bring together multiple agencies, the good part of it is that government understands that they lack the necessary skills set to create regulation and is willing to take help from the existing players to contribute in making the regulation more robust and user friendly.

What can be the public goods in the drone industry and why do we need them?

Paul A Samuelson is usually credited as the first economist to develop the theory of public goods. But what exactly is public goods?
A good which is:

  • Non-excludable – it is costly or impossible for one user to exclude others from using a good.
  • Non-rivalrous – when one person uses a good, it does not prevent others from using it.
  • Indivisible – one cannot divide public goods for personal use only.

Traffic lights, roads, street lights, etc. are examples of public goods. With the seamless possibilities that drones can offer, it makes sense to have public goods defined for this sector.

Imagine a future where airspace is accessible to everyone, where we have defined drone ports and air corridors which will allow smooth and safe operation of the drones. A lot of industries can benefit from it. Creating public goods will also allow more people to participate in the system thus increasing the size of the pie. If everybody in the system starts feeling comfortable with the operation of drones in the open skies then we could fundamentally transform the way we do things.

Who should be responsible for creating public goods?

Although classical economic theory suggests public goods will not be provided by a free market. But in a market like India, where the market is neither free nor regulatory, groups of individuals or organization can come together to voluntarily help government bodies to provide public goods in this market. For example, DigitalSky platform is a software initiative developed by the joint effort of iSPIRT and the government, working towards creating an online platform for registration of drones and obtaining permission for its operation, with a vision of making it paperless and presence-less.

There is tremendous scope for innovation and improvement in this sector. In the case of public goods, no firms will find it profitable to produce these goods because they can be enjoyed for free once they are provided and they cannot prevent this from happening. To provide these goods then, we either rely on governments or private organizations which volunteer to work on these issues.

The growth in India’s drone market would be primarily driven by the proactive initiative of existing players who will lay the foundation of this market in India. Thus DICE and iSPIRT have taken an initiative and are spreading awareness through round table sessions.

Round table sessions organized by DICE and iSPIRT serve as a platform where drone based entrepreneurs come together and think towards growing this industry by creating a model that benefits everyone in the system. The aim is to create a win-win situation in B2B and B2G.

The round table primarily serves two purposes:

  1. To enable strategic partnerships between companies and encouraging companies to contribute to public goods.
  2. Bridging the gap between the companies and the government.

Behavioral economics suggests that individuals can have motivations other than just money.

For example, People may volunteer to contribute to local flood defenses out of a sense of civic pride, peer pressure or genuine altruism.

Even if we have a narrow self-interest point of view we have to understand that voluntarily helping government bodies in tackling and solving the issues in drone rules and regulation will in turn help this market to flourish. And companies or individual contributors will have an underlying first mover advantage. So it’s important to act proactively to help the government to create regulation on your futuristic business model. It’s our job to demonstrate government that business can be done safely with a minimum amount of agreeable risk. Working together will not only accelerate the pace at which the regulations are implemented but also ensure that India takes away a big slice of the $100bn drone market. [5]

How does the future look like?

If you have ever seen the cartoon “The Jetsons” from the 1990’s you can already imagine what the future could look like. We are in an era where we can clearly automation and AI takes over mundane and laborious tasks at an exponential rate. The computers around us today are becoming powerful with each day. It can be witnessed that today it has become much easier to survive and it isn’t hard to survive as it used to be back in the days. We are not too far from the singularity where machine intelligence surpasses human intelligence. Thus we should have an environment where we can ensure that the technology is exploratory and exploitation is avoided.

Technology doesn’t happen on its own, people work together to make those imaginations/dreams a reality. We can already see Proof of concept (POC) of drone deliveries, drone taxis, and other futuristic applications. Who knows what else could we have with us in the next decade. Imagine a future where you would own your own personalised autonomous flying vehicle which takes you to your desired place with just the press of a button. You would have mid-air fueling stations which would enable you to drive without having ever to touch the land. Millions of smaller sized drones would be able to deliver products within minutes just like the internet today delivers information. Drones would become smaller and smaller and nanotechnology will enable us to overcome the limitations we see in drones today. Many other applications will rise up as we start working towards.

If you have any suggestions/solutions/ideas on how the system can be made better you can definitely become a part of iSPIRT / DICE India and write to us on [email protected] or [email protected] and also become a part of the round table.

 

Scaling Good Advice In India’s Startup Ecosystem – A Research Paper On PNGrowth Model

In January 2016 iSPIRT ran the largest software entrepreneur school in India, called PNgrowth (short for Product Nation Growth).  The central vision of PNgrowth was to create a model of peer learning where over 100 founders could give each other one-on-one advice about how to grow their startups. With peer learning as PNgrowth’s core model, this enterprise was supported by a volunteer team of venture capitalists, founders, academics, and engineers.  See iSPIRT’s volunteer handbook (https://pn.ispirt.in/presenting-the-ispirt-volunteer-handbook/)

However, unlike a regular “bootcamp” or “executive education” session, the volunteers were committed to rigorously measuring the value of the peer advice given at PNgrowth. We are excited to announce that the findings from this analysis have recently been published in the Strategic Management Journal, the top journal in the field of Strategy, as “When does advice impact startup performance?” by Aaron Chatterji, Solène Delecourt, Sharique HasanRembrand Koning (https://onlinelibrary.wiley.com/doi/10.1002/smj.2987).

TLDR: Here’s a summary of the findings:

1.
 There is a surprising amount of variability in how founders manage their startups.  To figure out how founders prioritized management, we asked them four questions:

“…develop shared goals in your team?”
“…measure employee performance using 360 reviews, interviews, or one-on-ones?”
“…provide your employees with direct feedback about their performance?”
“…set clear expectation around project outcomes and project scope?”

Founders could respond “never,” “yearly,” “monthly,” “weekly,” or “daily.”

Some founders never (that’s right, never!) set shared goals with their teams, only did yearly reviews, never provided targets, and infrequently gave feedback. Other, super-managers were more formal in their management practices and performed these activities on a weekly, sometimes daily, basis. Not surprisingly, the supermanagers led the faster-growing startups.  Most founders, however, were in the middle: doing most of these activities at a monthly frequency.

2. Since PNGrowth was a peer learning based program, we paired each founder (and to be fair, randomly) with another participant. For three intense days, the pairs worked through a rigorous process of evaluating their startup and that of their peer. Areas such as a startup’s strategy, leadership, vision, and management (especially of people) were interrogated. Peers were instructed to provide advice to help their partners.

3. We followed up on participating startups twice after the PNgrowth program. First ten months after the retreat, and then we rechecked progress two years afterwards.

We found something quite surprising: the “supermanager” founders not only managed their firms better but the advice they gave helped their partner too.  Founders who received advice from a peer who was a “formal”  manager grew their firms to be 28% larger over the next two years and increased their likelihood of survival by ten percentage points. What about the founders who received advice from a laissez-faire manager? Their startup saw no similar lift. Whether they succeeded or failed depended only on their own capabilities and resources.

4. Not all founders benefited from being paired up with an effective manager though. Surprisingly, founders with prior management training, whether from an MBA or accelerator program, did not seem to benefit from this advice.

5. The results were strongest among pairs whose startups were based in the same city and who followed up after the retreat. For many of the founders, the relationships formed at PNgrowth helped them well beyond those three days in Mysore.

So what’s the big take away: While India’s startup ecosystem is new and doesn’t yet have the deep bench of successful mentors, the results from this study are promising. Good advice can go a long way in helping startups scale.   iSPIRT has pioneered a peer-learning model in India through PlaybookRTs, Bootcamps, and PNgrowth (see: https://pn.ispirt.in/understanding-ispirts-entrepreneur-connect/).

This research shows that this model can be instrumental in improving the outcomes of India’s startups if done right. If peer-learning can be scaled up, it can have a significant impact on the Indian ecosystem.

iSPIRT’s Response to Union Interim Budget 2019

Our policy team tracks the interest of Software product industry

INDIA, Bangalore, Feb 1st, 2019 – Proposals for Union budget of 2019 have been announced today by Finance Minister.

Being an interim budget not many announcements were expected. Some of the important announcements that may affect the expansion of the economy, in general, owing to increased income and ease of living in the middle class are as follows:

  1. Within two years tax assessment will be all electronic.
  2. IT return processing just in 24 hours
  3. Rebate on taxes paid for those with an income below 5 lakhs
  4. TDS threshold on interest income by woman on bank/post office deposits raised from Rs. 10,000 to 40,000
  5. Increase in standard deduction from Rs. 40,000 to 50,000
  6. Rollover of Capital gains tax benefit u/s 54 from investment in one house to two houses, for a taxpayer having capital gains up to Rs. 2 crore
  7. Recommendation to GST Council for reducing GST for home buyers
  8. Exemption from levy of tax on notional rent, on unsold inventories, from one year to two years
  9. Many benefits announced for Agriculture and Rural sector

The coining of the phrase “Digital Village” and placing it second on the list of ten-dimension vision statement in budget speech is a welcome step. The statement nudges the next Government to improve access to technology in rural India, a welcome step. We expect “Digital India” and easy and quality access to the internet for every citizen will remain a focus area, irrespective of which government comes to power.

The government has announced a direct cash transfer scheme for farmers. We are happy to see that technologies like the India Stack are being used by policymakers for effective policy-making irrespective of political ideology. Cash transfers promise to be more efficient initiatives that directly benefit our poor without needing them to run from pillar to post trying to prove their identity and eligibility. “Similarly, startups and SMEs remains a focus area in the vision statement. These are very important for a healthy ecosystem built up.

Similarly, focused phrases such as “Healthy India”, “Electric Vehicle” and “Rural Industrialisation using modern digital technologies” are welcome ideas in ten-dimension vision for Indian Software product industry and startup ecosystem.

However, among key issues for Startups and Investments which need to be addressed but have been missed out are Angel tax and Tax parity between listed and unlisted securities. Angel Tax is a very important issue which needs to be addressed conclusively at the earliest. We need to ensure gaps between policy declaration and implementation do not cause entrepreneurs and investors to relocate themselves aboard.

About iSPIRT Foundation

We are a non-profit think tank that builds public goods for Indian product startup to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India. visit www.ispirt.in

For further queries, reach out to Nakul Saxena ([email protected]) or Sudhir Singh ([email protected])

#1 India’s Health Leapfrog – Towards A Holistic Healthcare Ecosystem

In July 2018, NITI Aayog published a Strategy and Approach document on the National Health Stack. The document underscored the need for Universal Health Coverage (UHC) and laid down the technology framework for implementing the Ayushman Bharat programme which is meant to provide UHC to the bottom 500 million of the country. While the Health Stack provides a technological backbone for delivering affordable healthcare to all Indians, we, at iSPIRT, believe that it has the potential to go beyond that and to completely transform the healthcare ecosystem in the country. We are indeed headed for a health leapfrog in India! Over the last few months, we have worked extensively to understand the current challenges in the industry as well as the role and design of individual components of the Health Stack. In this post, we elaborate on the leapfrog that will be enabled by blending this technology with care delivery.

What is the health leapfrog?

Healthcare delivery in India faces multiple challenges today. The doctor-patient ratio in the country is extremely poor, a problem that is further exacerbated by their skewed distribution. Insurance penetration remains low leading to out-of-pocket expenses of over 80% (something that is being addressed by the Ayushman Bharat program). Additionally, the current view on healthcare amongst citizens as well as policymakers is largely around curative care. Preventive care, which is equally important for the health of individuals, is generally overlooked.  

The leapfrog we envision is that of public, precision healthcare. This means that not only would every citizen have access to affordable healthcare, but the care delivered would be holistic (as opposed to symptomatic) and preventive (and not just curative) in nature. This will require a complete redesign of operations, regulations and incentives – a transformation that, we believe, can be enabled by the Health Stack.

How will this leapfrog be enabled by the Health Stack?

At the first level, the Health Stack will enable a seamless flow of information across all stakeholders in the ecosystem, which will help in enhancing trust and decision-making. For example, access to an individual’s claims history helps in better claims management, a patient’s longitudinal health record aids clinical decision-making while information about disease incidence enables better policymaking. This is the role of some of the fundamental Health Stack components, namely, the health registries, personal health records (PHR) and the analytics framework. Of course, it is essential to maintain strict data security and privacy boundaries, which is already considered in the design of the stack, through features like non-repudiable audit logs and electronic consent.

At the second level, the Health Stack will improve cost efficiency of healthcare. For out-of-pocket expenditures to come down, we have to enable healthcare financing (via insurance or assurance schemes) to become more efficient and in particular, the costs of health claims management to reduce. The main costs around claims management relate to eligibility determination, claims processing and fraud detection. An open source coverage and claims platform, a key component of the Health Stack, is meant to deal with these inefficiencies. This component will not only bring down the cost of processing a claim but along with increased access to information about an individual’s health and claims history (level 1), will also enable the creation of personalised, sachet-sized insurance policies.

At the final level, the Health Stack will leverage information and cost efficiencies to make care delivery more holistic in nature. For this, we need a policy engine that creates care policies that are not only personalized in nature but that also incentivize good healthcare practices amongst consumers and providers. We have coined a new term for such policies – “gamifier” policies – since they will be used to gamify health decision-making amongst different stakeholders.

Gamifier policies, if implemented well, can have a transformative impact on the healthcare landscape of the country. We present our first proposal on the design of gamifier policies, We suggest the use of techniques from microeconomics to manage incentives for care providers, and those from behavioural economics to incentivise consumers. We also give examples of policies created by combining different techniques.

What’s next?

The success of the policy engine rests on real-world experiments around policies and in the document we lay down the contours of an experimentation framework for driving these experiments. The role of the regulator will be key in implementing this experimentation framework: in standardizing the policy language, in auditing policies and in ensuring the privacy-preserving exchange of data derived from different policy experiments. Creating the framework is an extensive exercise and requires engagement with economists as well as computer scientists. We invite people with expertise in either of these areas to join us on this journey and help us sharpen our thinking around it.

Do you wish to volunteer?

Please read our volunteer handbook and fill out this Google form if you’re interested in joining us in our effort to develop the design of Health Stack further and to take us closer to the goal of achieving universal and holistic healthcare in India!

Update: Our volunteer, Saurabh Panjawani, author of gamifier policies, recently gave a talk at ACM (Association for Computing Machinery)/MSR (Microsoft Research) India’s AI Summit in IIT Madras! Please view the talk here: https://www.microsoft.com/en-us/research/video/gamifier-policies-a-tool-for-creating-a-holistic-healthcare-ecosystem/

Angel Tax Notification: A Step In The Right Direction, But More Needs To Be Done

There have been some notifications which have come out last week, it is heartening to see that the government is trying to solve the matter. However, this is a partial solution to a much larger problem, the CBDT needs to solve for the basic reason behind the cause of Angel Tax (Section 56(2)(viib)) to be able to give a complete long-term solution to Indian Startups.

While the share capital and share premium limit after the proposed issue of share is till 10 crores and helps startups for their initial fundraising, which is usually in the range of Rs 5-10 Cr. Around 80-85% of the money raised on LetsVenture, AngelList and other platforms by startups is within this range, but the government needs to solve for the remaining 15-20% as startups who are raising further rounds of capital, which is the sign of a growing business, are still exposed to this “angel tax”. Instead, the circular should be amended to state that Section 56(2)(viib) will not apply to capital raises up to Rs 10 Cr every financial year provided that the startups submit the PAN of the investors.

The income criteria of INR 50 lakhs and net worth requirement of INR 2 crores is again a move by the government that requires further consideration for the investing community. Therefore, to further encourage investments by Angels or to introduce new Angels to the ecosystem, there is a need to look towards a reduced income criterion of INR 20 Lakhs or a net worth of INR 1 crore, enabling more investors for a healthier funding environment. We also, need to build a mechanism to facilitate investments by corporates and trusts into the startups.

Most importantly, any startup who has received an assessment order under this section should also be able to for the prescribed remedies and submit this during their appeal. They should not be excluded from this circular since its stated scope is both past and future investments. The CBDT should also state that the tax officers should accept these submissions during the appeals process and take it into consideration during their deliberation.

So, to summarise:

  • Section 56(2)(viib) should not apply to any investment below Rs 10 crore received by a startup per year or increase the share premium limit to Rs 25 Crores, from Indian investors provided that the startup has the PAN of the investors
  • Section 56(2)(viib) should not apply to investors who have registered themselves with DIPP as accredited investors, regardless of the quantum of investment
  • The threshold stated should be either a minimum income of Rs 25 lakhs or a net worth of at least Rs 1 crore
  • Any startup who has received an assessment order should be able to seek recourse under this circular during their appeal

Through this circular, the government has reaffirmed its commitment to promoting entrepreneurship and startups in India. With these suggestions, the spectre of the “angel tax” will end up as a footnote in the history of the Indian startup ecosystem.

We look forward to the early resolution of these pending matters. For any suggestions, Do write to us [email protected]

The article is co-authored with Siddarth Pai, Policy Expert – iSPIRT Foundation and Founding Partner – 3one4 Capital.

White Paper On The Analysis Of High Share Premium Amongst Startups In India

“High share premium is not the basis of a high valuation but the outcome of valid business decisions. This new whitepaper by our iSPIRT policy experts highlights how share premia is a consequence of valid business decisions, why 56(2)(viib) is only for unaccounted funds and measures to prevent valid companies from being aggrieved by it”

What lies beyond the horizon: Digital Sky & the future of drones in India

Drones have been around for a long time, going back as far as World War II. For most of their history, they were considered part of the military arsenal and developed and deployed almost exclusively by the military.

However, the past decade has seen a tremendous amount of research and development in the area of using drones for civilian purposes. This has led industry experts to predict that drones will be disrupting some of the mainstay industries of the global economy such as logistics, transportation, mining, construction and agriculture to name a few. Analysts estimate a $100 billion market opportunity for drones in the coming few years  [1]. In spite of the overwhelming evidence in favour of the value created by drones, it has taken quite a few years for the drone industry to take off in a commercial sense globally.

The main reason for this has been the regulatory challenges around what is allowed to fly in the air and where is it allowed to fly. A common theme around the world is the unconventional challenges that old governmental structures have to face as they try to understand and regulate new technologies. Hence the default approach so far for governments has been reactionary caution as they try to control what are, essentially, flying robots in the sky.

However, with electronic costs coming down, the hardware becoming more accessible and the software interpreting data becomes more powerful a number of humanitarian, civilian and industrial application have emerged and as governments across the world are realizing the potential of drones, we are starting to see the first version of regulations being drafted and adopted across the globe.[2]

Closer home India has a relatively adverse approach to drones or more lackadaisical rather. [3]

But as India continues to drive to become a more technology-oriented economy the role of drones in the worlds fastest growing economy and the potential benefits it can bring are hard to ignore.[4]

However, India’s approach to drone regulations cannot be that of other major economies that have the luxury of friendly neighbours and a large network of monitoring apparatus, India has had to take an approach that has to be novel and robust. Something that balances the security landscape while also being designed to allow maximum utilization of the potential that drones offer. Out of this need to both regulate secure how and where a drone can fly and keep multi-ministerial stakeholder interests accounted for was born the Digital Sky, India’s foundational framework for all things drones.

What is the Digital Sky and how does it work?

What the Digital Sky accomplishes beautifully is to fill the institutional void that needs to be collectively fulfilled by so many institutions and make it easier for the industry and consumers to interface with the government legally through one platform. Permission to fly drone no longer requires a 90-day intimation with an arbitrary number of NOCs to be approved by umpteen number of ministerial bodies at the central and federal level. The industry and the public now know one place to interact with in order to register their drone, get recognised as a certified operator and apply for permissions and all concerned government agencies ensure their overarching interests do not interfere with the large-scale adoption of drones.  

There are crucial components required for the Digital Sky concept to work, the most central being that drone operators should not be able to fly drones if they are not approved by the government. To accomplish this the Drone 1.0 regulations revolve around the concept of No-Permission-No-Takeoff (NPNT).

Our maven Tanuj Bhojwani explaining NPNT at the DigitalSky RoundTable on 4 Dec 2018 in Bengaluru

What this implies is that unless a drone has got valid permission for a particular flight through tamper-proof digitally signed permission tokens, it will not be able to take off. The Digital Sky is the platform to automate the processing of these permission tokens as they flow in from different parts of the country without overwhelming the authorities through a flight information management system (one of only three countries to build this nationally after China and the USA). In order for this vision to come true, there will be an enormous change in the way drones are manufactured and operated. Entire new industry verticals around getting existing drones compliant, developing interfaces that interact with the Digital Sky platform and making applications for India’s needs will develop. Hence this begs the question.

How are the current state of the industry are changing with 1.0 regulations

Until the introduction of the regulations companies especially in the UAV operations were doing non-restricted work and end up becoming the jack-of-all-trades. Companies in the manufacturing domain were unclear of who is their target customer and what they needed to build. All the companies in this domain were working with no clarity on the safety and permissions.

With the introduction of the Drone Policy 1.0, there is a buzz which has been created and efforts are being made to understand the regulations by all the entities who are set to gain from it. They understand that there will be a new aspect that needs to cater to i.e. the sense of accountability.

For manufacturer’s The NP-NT mandate will be the most immediate requirement, the most common route to implement the mandate will be through changes to existing firmware architecture. The changes themselves are being driven by open source initiatives with various operators, system integrators and manufacturers contributing to the shift to NP-NT for all major drone platforms in the country. The Digital Sky has inadvertently catalysed the first industry-wide initiative to bring together all members of the ecosystem. Other requirements such as ETA bring in much-needed standardisation in the hardware space, this allows benchmarking of products, easier availability of information about the standards to look out for end users.

For operators, a massive increase in the volume of business is expected as they can now focus on getting certified drones into the air, and not so much on getting approvals. The Digital Sky brings in much-needed certainty and predictability into an industry that will be focused on balancing demand and supply of drone-related operations in a market that has a huge need for drones and their data but limited expertise to acquire and process it. This also puts onus an industry to become security and privacy conscious and insurance agencies will play an important role in this regard. It will also immensely help in changing the thought process of the companies providing services and their customers. Customers will start understanding that they also need to have a defined plan, process and execution instead of a haphazard existing process of execution.

How industry/playground will change over the coming years?

With the introduction on the regulations and a platform like Digital sky enabling the ease of doing business for the companies who are serious stakeholders in this domain, there is no limit to what developments will occur in the coming years. It opens up possibilities for utilization of Drone and its related technologies in Agriculture, Medical, Energy and Infrastructure and transportation.

The existing players will become more mature and more focused. They will understand that with regulations in place a more focused approach is the key to scale. They will look at opportunities to compete with the global market also as the solutions that are developed around the Drone Regulations 1.0 and 2.0 will be key factors that contribute to the Indian ecosystem to becoming a global standard to test, adapt and innovate drone applications and management.

What are the opportunities? What does that mean for the current and new players?

UAV/ Drones as a business was a far-fetched thought for many entrepreneurs and has been a struggling industry in the past in India. Going forward it is guaranteed that it will be one of the biggest markets in the world for UAV as a business. What the regulations and Digital Sky platform will enable is a new levelled playground ground for the UAV companies to initiate good scalable business models both existing and the ones entering new to the sector.

The existing companies with the right resources can now plan to scale their operations and also have the added advantage of doing work for the private sector in India. Due to the restrictive method of operations adapted previously the solutions to private agencies was unavailable. Now going forward the companies will shift their focus from being a B2G entity to a B2B entity. Many new businesses for UAV air traffic management, surveillance, AI and ML-based UAV solutions and deliveries will emerge out of India with technology specific to India.

If you want to join our future roundtable sessions on Digital Sky and more, please register your interest here.

The blog is co-authored by Anurag A Joshi from INDrone Aero systems, Abhiroop Bhatnagar from Algopixel Technologies and Gokul Kumaravelu from Skylark Drones

India Financial Services – Disrupt or Be Disrupted

Matrix India recently hosted two firebrands of the financial services world, Mr Sanjay Agarwal, founder AU Small Finance Bank and Mr Sharad Sharma, founder iSPIRT Foundation, Volunteer at India Stack, for a no holds barred discussion at the Matrix Rooftop in Bangalore. Here is an excerpt from the evening and some of our learnings for fin-tech entrepreneurs.

Part 1 of the two-part series features the untold story of AU Bank, in the words of Sanjay Agarwal himself, as below:

Sanjay Agarwal – on his background and early days before starting AU:

“In my early Chartered Accountancy days, I started out by doing audit work, taxation, and managing clients. I had studied hard and was naïve and enthusiastic at that time hoping, to solve the world’s problems. This pushed me to work harder and I had a desire to do something more.

I believe that we are the choices we make. While evaluating various choices, I eliminated all the options that I didn’t want to pursue e.g. to work for a fee or commission and then I started digging deeper on what really interests me – that was when the concept of AU Financiers was formed.

In 1996, as 26 years old, I began approaching HNIs to raise capital, as back then, there were no VCs. I was fortunate to raise INR 10 cr at a 12% hurdle rate and I had to secure the funding with a personal guarantee. But what is the guarantee of the guarantor? No one questioned this at that time. So, I technically became one of the first P2P lenders, and structured a product that didn’t exist– short term, secured and at a 30% rate of interest. That was the start of the AU journey.”

The Early Days of AU:

“I started off AU as a one-man army. I was everything from the treasurer to the collector. Slowly we built our team and rotated the 10 cr of capital to disburse 100 cr of loans – not a single rupee was lost. There were several challenges at that time for e.g., there was no CIBIL score, financial discipline was lacking, people were still learning how to take a loan and repay it and customer ids didn’t even have a photograph. But somehow, we managed.

The period from 1996 to 2002 taught me everything I needed to learn – how to lend, how to collect, how to manage people, read people’s body language, and most importantly how to manage yourself in different situations. I follow all of that until today, and my team also benefits or suffers from those learnings of mine even today. In those 7 years, we would have dealt with 2000 customers out of which 500 defaulted. That was the ratio of defaulters – 25%. But we managed and there were actually no NPL’s.”

Partnering with HDFC Bank

“In 2002, retail credit was beginning to take off, but our HNIs started pulling their money out, as they wanted a higher return. However, at that time, the most premium bank in the country, HDFC Bank, appointed us as their channel partner. The model we followed was very simple – AU was responsible for sourcing the customer, KYC processing and doing on the ground diligence while loans were booked on HDFC’s balance sheet. HDFC is perceived to be a conservative bank, and it is – however, they gave me Rs 400 cr, on a net worth of only Rs 5 cr! They made an exception in our case due to our strong track record, through execution, sound knowledge of the market, and most importantly our integrity.

By 2008, our net worth had increased to Rs 10 crore through internal accruals. At that time, HDFC told us that we can’t give you any more capital, as we were overleveraged, and that we now needed to bring in equity capital if we wanted to grow.”

Growing the balance sheet and partnering right

“I had two choices at that point, I could continue in Jaipur, keep my ambition under control and live comfortably or figure out what else is possible. I chose the latter and this marked the beginning of my partnership with Motilal Oswal. Its easier to raise equity now, back in the day shareholder agreements used to look like loan agreements with min IRR requirements, etc. As luck would have it, a few months after we raised equity, the Lehman Brothers crisis broke out and most banks stopped funding. We were supported once again by HDFC – they were our saviour and I will cherish my relationship with them always. Once the market settled down, having survived this negative environment, there was no looking back.

Our next major investor was IFC. For the entrepreneurs here, I want to say that you have to be selective about your investors, who will help with not just capital – there should be added value they bring to the table apart from money. IFC was giving me 20% lower valuation, but I knew that I didn’t have any lineage to fall back on. As a first-generation entrepreneur, I had to raise money on the strength of my balance sheet and not basis my family name. I knew that partnering with IFC would shift the perception of AU within the industry, especially for PSU banks. After their investment, we grew from one bank relationship with HDFC to 40 bank partnerships. One thing led to another and Warburg Pincus, ChrysCapital, and Kedaara Capital all came on board after that.”

Consistent performance

“From 2008 onwards, we started diversifying from vehicle lending and got into other forms of secured lending like a loan against property, home loans etc. We never tried unsecured lending and never ventured into microfinance or gold finance. Those were very popular products at that time but focusing on what we were good at resulted in a consistently strong performance. We never had a bad year. In the world of finance, the margin of error is very less. If you have a bad year you can almost never come back. Good companies survive regardless of the market condition, you can never blame the market for your company’s poor performance. In 2015-16, we were a successful NBFC, our RoA was close to 3% with an asset base of close to 8,000 crores, with a RoE of 27-28% and everyone was chasing us – the question at that time before us was, what next?”

How we became a bank

“As an NBFC, it is very hard to manage a book of Rs 50,000 cr with the same efficiency and effectiveness as it’s a people dependent business, there are limits to the kind of products you can do and you can’t keep raising capital. Hence, we became a bank because we wanted to be there for the next 100 years and that perpetual platform can only be created through a bank. That is the biggest platform and it is not available at a price. It’s available through your integrity, business plan and execution. Today, we receive Rs 100 cr of money every single day. This is the same person who was struggling to raise Rs 10 cr in 1996, and is now getting money at the speed of Rs 100 cr every day – it feels amazing but there is a lot of responsibility!”

Part 2 of the two-part series features insights from Sharad Sharma:

Recognizing the Athletic Gavaskar moment in Indian Financial Services

“Indian financial services industry is going through its equivalent of the Athletic Gavaskar project of Indian cricket. The motive behind this project was to instil the importance of being athletic to successfully compete in the modern game. A new team was created with the rule that if you are not athletic, you cannot be a part of the team, regardless of other skills that you bring to the table. Virat Kohli eventually became the captain of this team and the results are for everyone to see. Similar yet contrasting stories played out in hockey and wrestling. In hockey, we lost for 20 years because we refused to adapt to the introduction of astroturf. However, in wrestling, the Akhadas in Haryana embraced the move from mud to mat with rigour, and Indian wrestling is already punching above its weight class and hopefully will do even better over time. The idea of sharing this is that similar to sports, sometimes an industry goes through a radical shift. Take the telecom space, for example, if Graham Bell came alive in 1995, he would recognize the telephone system, 20 years later he wouldn’t recognize it at all. The banking industry is going to go through a hockey/wrestling or communications type disruption and a lot of us are working hard to make it happen.”

Infrastructure changes lead to New Playgrounds

“All the banks and NBFCs put together are not serving the real India today. We have 10 million+ businesses that have GST id’s, out of which 8 million+ are big enough to pay GST on a monthly basis, but only 1.2 million have access to NBFC or bank finance. This is a gap that needs to be addressed and it cannot be solved through incremental innovations.

Entrepreneurs and incumbents should learn from what happened in the TV industry when new infrastructure became available. When India went from state-run TV towers in 34 cities to cable and satellite TV in pretty much every town, there was a massive new market that was unlocked that did not want to watch the same Ramayan or Hum Log TV serials. What transpired was an explosion of entertainment products because of the high demand stemming from the new markets and the TV channel players that reinvented their content is thriving today while others that did not, are barely surviving or have shut down.

So where does this leave the bankers? I think it is the biggest opportunity for the right banker who understands this problem, wants to serve this section of the market and is willing to reinvent the way they do their business and take advantage of the new infrastructure that will be available.”

Dual-immersed entrepreneurs have the biggest advantage

“Entrepreneurs who are immersed in the messiness of both the new infrastructure and the old problem are “dual immersed entrepreneurs”. They are the ones that succeed when a market shift is underway. Today this is not happening. Some of our city-bred entrepreneurs are more comfortable with California rather than Bharat. And some of our sales-oriented entrepreneurs are intimidated by the messiness of the new technology infrastructure.”

New Playgrounds need new Gameplay

“In a world where eKYC exists, and we can transfer money through UPI from a phone, and sign documents digitally – we are ready to deliver financial products on the phone and this is the disruption that is required. Access to credit drives the economy and with this new infrastructure, it is now possible to lend to the real India. However, it’s easy to give money, but the ability to get it back and keeping defaults at a minimum is the real trick. Even there we are moving towards seeing a radical improvement. Debt providers now have powers they never had and defaulters are being brought to book. Customers are now incentivized to build their own credit history to get better and lower interest rates over time. A new Public Credit Registry is coming to enable this at scale. But the biggest innovation is related to the dramatic shortening of the tenor. One can structure a one-year loan into 12 monthly loans or 52 weekly loans. This rewards positive customer behaviour and brings about the behaviour change that is needed.

There is no secret sauce here, it requires gumption – like that shown by Reed Hastings, founder of Netflix. He disrupted the TV and home video industry by first having the wisdom to go from ground to cloud and then again when they started developing original content. In both cases, he had little support from the board or investors. If you can reinvent yourself before it becomes necessary, you’re a winner but this is harder to do for a successful company. The legacy of success provides resisters with the clout to block change. The real beneficiary of Aadhaar based eKYC in the telecom world was not the incumbents but Jio – eKYC allowed Jio to acquire customers at an unprecedented scale and they saved INR 5000 crores on KYC costs as well.”

About iSPIRT

iSPIRT is a non-profit think tank that builds public goods for Indian product startup to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India.

About AU Small Finance Bank:

AU Small Finance Bank Limited (AU Bank) started in 1996 as a vehicle financing NBFC, AU Financiers and scaled to touch over a million underbanked and unbanked customers across 11 states of North, West and Central India, prior to becoming a bank in April 2017. During this time, AU attracted equity investments from marquee investors such as IFC, Warburg Pincus, Chrys Capital, Kedaara Capital and recently went public when its IPO was oversubscribed ~54 times. Over the years, AU Bank, led by its founder Sanjay Agarwal, has created significant shareholder value with its equity value growing from ~$120 million in 2012 to current market capitalization of ~$3 billion.

Please Note: The blog was first published and authored by Matrix India Team and you can read the original post here: matrixpartners.in/blog

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Fillings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. That said, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negatives reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely to be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community.  Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms to not only to the State but to third-parties, civic society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan), most also be known and understood by users. E.g. Users need to know that an offered loan will be reported to other banks and if they don’t pay they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given its personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and say deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.  

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hinderance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, who maintains which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and then the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Fillings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.“ There questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would there thus be included as a publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

  • Sean Blagsvedt – sean _@_ blagsvedt.com
  • Siddharth Shetty – siddharth _@_ siddharthshetty.com
  • Anukriti Chaudharianukriti.chaudhari _@_ gmail.com
  • Sanjay Jain – snjyjn _@_ gmail.com

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does

On behalf of iSPIRT, Sanjay Jain recently published an opinion piece regarding the recent supreme court judgement on the validity of Aadhaar. In there, we stated that section 57 had been struck down, but that should still allow some usage of Aadhaar by the private sector. iSPIRT received feedback that this reading may have been incorrect and that private sector usage would not be allowed, even on a voluntary basis. So, we dug deeper, and analyzed the judgement once again, this time trying to disprove Sanjay’s earlier statement. So, here is an update:

Section 57 of the Aadhaar act has NOT been struck down!

Given the length of the judgement, our first reading – much like everyone else’s was driven by the judge’s statement and confirmed by quickly parsing the lengthy judgement. But in this careful reanalysis, we reread the majority judgement at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remain, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we look at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin!

Revisiting Section 57

Here is the original text of section 57 of the Aadhaar Act

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Now, let us simply read through the operating part of the order with reference to Section 57, ie. on page 560. This is a part of paragraph 447 (4) (h). The judges broke this into 3 sections, and mandated changes:

  1. ‘for any purpose’ to be read down to a purpose backed by law.
  2. ‘any contract’ is not permissible.
  3. ‘any body corporate or person’ – this part is struck down.

Applying these changes to the section, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Cleaning this up, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgement does not completely invalidate the use of Aadhaar by private players, but rather, specifically strikes down the use for “any purpose [..] by any body corporate or person [..] (under force of) any contract”. That is, it requires the use of Aadhaar be purpose-limited, legally-backed (to give user rights & protections over their data) and privacy-protecting.

As an exercise, we took the most conservative interpretation – “all private use is struck down in any form whatsoever” – and reread the entire judgement to look for clues that support this conservative view.

Instead, we found that such an extreme view is inconsistent with multiple other statements made by the judges. As an example, earlier discussions of Section 57 in the order (paragraphs 355 to 367). The conclusion there – paragraph 367 states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion and not an operative clause of the judgement. But even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

The court could have simply struck down the linking specifically because most banks and telcos are private companies. Instead, they applied their mind to the orders which directed the linking as mandatory. This further points to the idea that the court does not rule out the use of Aadhaar by private players, it simply provides stricter specifications on when and how to use it.

What private players should do today

In our previous post, we had advised private companies to relook at their use of Aadhaar, and ensure that they provide choice to all users, so that they can use an appropriate identity, and also build in better exception handling procedures for all kinds of failures (including biometric failures).

Now, in addition to our previous advice, we would like to expand the advice to ask that each company look at how their specific use case draws from the respective acts, rules, regulations and procedural guidelines to ensure that these meet the tests used by this judgement. That is, they contain adequate justification and sufficient protections for the privacy of their users.

For instance, banks have been using Aadhaar eKyc to open a bank account, Aadhaar authentication to allow operation of the bank accounts, and using the Aadhaar number as a payment address to receive DBT benefits. Each of these will have to be looked at how they derive from the RBI Act and the regulations that enable these use cases.

These reviews will benefit from the following paragraphs in the judgement.

The judgement confirmed that the data collected by Aadhaar is minimal and is required to establish one’s identity.

Paragraph 193 (and repeated in other paras):

Demographic information, both mandatory and optional, and photographs does not raise a reasonable expectation of privacy under Article 21 unless under special circumstances such as juveniles in conflict of law or a rape victim’s identity. Today, all global ID cards contain photographs for identification alongwith address, date of birth, gender etc. The demographic information is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions …

The judgement has a lot to say in terms of what the privacy tests should be, but we would like to highlight two of those paragraphs here.

Paragraph 260:

Before we proceed to analyse the respective submissions, it has also to be kept in mind that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21…

Paragraph 289:

‘Reasonable Expectation’ involves two aspects. First, the individual or individuals claiming a right to privacy must establish that their claim involves a concern about some harm likely to be inflicted upon them on account of the alleged act. This concern ‘should be real and not imaginary or speculative’. Secondly, ‘the concern should not be flimsy or trivial’. It should be a reasonable concern…

Hence, the privacy risk in these use cases must be evaluated in terms of the data in the use case itself, as well as in relation to biometrics, and the Aadhaar number in the context of the user’s expectations, and real risks. Businesses must evaluate their products, and services – particularly those which use Aadhaar for privacy risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual Ids, Tokenization, QR Codes on eAadhaar, etc. which must be used for this purpose.

What private players should do tomorrow

In the future, the data protection bill will require a data protection impact assessment before deploying large scale systems. It is useful for businesses to bring in privacy and data protection assessments early in their development processes since it will help them better protect their users, and reduce potential liability.

This is a useful model, and we would hope that, in light of the Supreme Court judgement, the Government will introduce a similar privacy impact review, and provide a mechanism to regulate the use of Aadhaar for those use cases, where there are adequate controls to protect the privacy of the users and to prevent privacy harms. Use cases, and an audit/enforcement mechanism matter more than whether the entity is the state, a public sector organization, or a private sector organization.

Note: This is in continuation of Sanjay Jain’s previous op-ed in the Economic Times which is available here and same version on the iSPIRT blog here.

The writer is currently Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many of the APIs of the India Stack.  He was the Chief Product Manager of UIDAI till 2012

(Disclaimer: This is not legal advice)