Can SROs save the fintech sector from itself?
Will SROs succeed in making compliance the strong suit of Indian fintechs?
Just a few days ago, the Reserve Bank of India (RBI) released the omnibus framework for recognising self-regulatory organisations (SROs) for regulated entities. At first glance, the concept of self-regulation is paradoxical. The idea of regulation without external oversight seems counterintuitive even at an individual level. And then to expect an entire industry — that too one that is otherwise overburdened with regulatory compliance — to voluntarily agree to more guidelines and codes defies conventional logic, at least at face value.
So, I decided to inquire into the principles and workings of a self-regulatory organisation before making judgements based on my intuitions.
First and foremost, how is a member-driven industry body any different from a self-regulatory organisation?
If one reads the eligibility criteria section of the recently released SRO framework, it is clear that RBI is very serious about sectoral representation. In fact, if an SRO fails to meet specified membership at the time of application, it must submit a roadmap for attaining specified membership within a reasonable timeline. What’s clear from this is that the constitution of an SRO is no different from that of an industry body.
This leads us to the next question: What is an SRO expected to do differently from an industry body?
Well, from what I gather, the differences lie in the primary purpose of the two bodies; however, their functions overlap. While an industry association is focused on representing and advocating for the collective interests of its members, an SRO is centred around regulating and overseeing a particular industry, often in collaboration with government regulators. Having said that, nothing prevents an industry association from establishing industry standards, best practices, and codes of conduct.
For example, consider the Indian Banks Association (IBA), a significant force in banking since 1946. It set one of the earliest examples of self-regulation by establishing the Ground Rules and Code of Ethics (GRACE), 1971, for preventing unhealthy practices among member banks for deposit mobilisation, which was later extended to money market operations. But you’d be surprised to know that IBA has no statutory recognition as an SRO. Although the internet is full of misleading references to IBA as an SRO, technically it’s a banking lobby group.
This makes me wonder: what difference does statutory recognition make to the powers and functions of a well-intentioned industry body? Logically, the answer must lie in enforcement capabilities. Despite an industry body’s proactive efforts in self-regulation, legal recognition could confer greater authority and enforcement mechanisms to ensure compliance — whether it is in the payments or lending space.
SRO: An epistemic authority but a toothless tiger?
Going back to the RBI’s framework, SROs will derive sufficient authority from membership agreements to set ethical, professional and governance standards and enforce these standards on the members. However, when it comes to violation of agreed rules/codes, they can at best resort to counselling, cautioning, reprimanding or expelling members; no monetary penalties have been permitted. Does this make SROs toothless tigers?
It is premature to draw such a drastic conclusion. The current structure of an SRO is justified when looked at from the standpoint of its mandate. It's essential to recognise that the necessity for rigorous regulatory oversight has largely arisen due to the digital revolution, particularly concerning data privacy and protection. Delegating this responsibility to a specialised organisation affiliated to an industry body has twin advantages: the specialised organisation will have the technical expertise and understanding of the intricacies and challenges of compliance. This is preferable to having the central regulator delve into the minutiae and closely monitor regulated entities.
Why is NASSCOM, for instance, keen on an SRO licence? The initiative comes in the wake of allegations in the US and the UK that the country's call centre workers have stolen and sold data processed by local outsourcing/BPO firms. Global customers will find it easier to outsource activities only if they have the assurance that India is a safe country, and this has become the primary objective of the organisation. The SRO is believed to have been built by identifying the loopholes in the country's laws and then attempting to amend them, in a bid to bring them on par with global standards (such as US and EU laws).
Well, the expectation is that the SRO will rise above self-interests and address larger concerns of the industry and financial system as a whole. It goes without saying that an industry body is theoretically in a better position to balance consumer interests and business interests, unless it chooses otherwise. It’s much like middle management — it can function as a catalyst of change or become a linchpin of doom. What's your take on the matter? I'm eager to hear your thoughts.