Faculty of law blogs / UNIVERSITY OF OXFORD

India’s Tokenisation Framework and its Discontents


Author(s)

KS Roshan Menon
Research scholar, Shardul Amarchand Mangaldas & Co, India
Shobhit Shukla
Project Officer, Centre for Communication Governance, National Law University Delhi
Sohini Banerjee
Research fellow, Shardul Amarchand Mangaldas & Co, India

To mitigate the consequences of breaches of consumers’ financial data, the Reserve Bank of India (‘RBI’) has recently attempted to formulate solutions to reduce vulnerability in the payment ecosystem. Tokenisation is one such solution, involving the replacement of a meaningful piece of information with a random array of characters, ie a ‘token’.
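To make the definition above concrete, here is an added example (not code from the original post or from the RBI framework) of the vault-based tokenisation the authors describe: a card number is swapped for a randomly generated token that carries no mathematical relationship to the original, and only the vault can map it back. The merchant identifiers, the 16-digit token format and the choice to keep the last four digits of the card number are illustrative assumptions. The example also shows why the vault itself becomes the asset to protect: a breach of the merchant's token store yields nothing usable, while the vault must be tightly access-controlled.

```python
import secrets

# Constructed sample card number for the example (a standard test PAN, not a real card).
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Toy token vault (assumed design, not the RBI's or any card network's).

    Tokens are random, so they cannot be reversed without the vault; they are
    scoped to a merchant so a token leaked from one merchant is useless elsewhere.
    A production vault would encrypt stored PANs at rest and log every lookup.
    """

    def __init__(self):
        self._token_to_pan = {}   # token -> (merchant_id, pan)
        self._index = {}          # (merchant_id, pan) -> token, so repeat use reuses one token

    def tokenise(self, pan, merchant_id):
        """Return a token for this PAN at this merchant, minting one if needed."""
        key = (merchant_id, pan)
        if key in self._index:
            return self._index[key]
        while True:
            # 12 random digits plus the last four of the PAN, an assumed format that
            # keeps receipts readable while revealing nothing about the other digits.
            candidate = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if candidate not in self._token_to_pan and candidate != pan:
                break
        self._token_to_pan[candidate] = (merchant_id, pan)
        self._index[key] = candidate
        return candidate

    def detokenise(self, token, merchant_id):
        """Map a token back to the PAN, only for the merchant it was issued to."""
        entry = self._token_to_pan.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return entry[1]


def demo():
    """Walk through the flow: tokenise at two merchants, then detokenise."""
    vault = TokenVault()
    token_a = vault.tokenise(SAMPLE_PAN, "merchant-a")
    token_b = vault.tokenise(SAMPLE_PAN, "merchant-b")
    # The same card yields different tokens at different merchants.
    assert token_a != token_b
    # Only the issuing merchant's context can resolve its token.
    assert vault.detokenise(token_a, "merchant-a") == SAMPLE_PAN
    return vault, token_a, token_b


if __name__ == "__main__":
    _, a, b = demo()
    print("merchant-a token:", a)
    print("merchant-b token:", b)
```

Because the token is drawn from a random source rather than derived from the card number, a leaked token store gives an attacker no way to recover PANs; this is the property that distinguishes tokenisation from encryption, where possession of the key reverses the transformation.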

The tokenisation framework, as deployed by the RBI, incentivizes market players to populate the market with tokenisation-based solutions. Our paper argues, however, that such solutions are designed to be limited in application, since they respond to a single technology risk—the breach of payments systems in India. Further, they do so in the absence of a comprehensive law that can prioritise addressing both the technology-centric concern of data security and the human-centric concern of data privacy.

  1. Limitations of the Tokenisation Framework

In the absence of a comprehensive framework for the protection of financial data, the RBI has resorted to piecemeal regulation to balance the imperatives of card data security and customer convenience. Our paper argues that this approach, embodied in the framework for tokenisation, prompts broader concerns regarding the protection of financial data in India.

First, while the framework ostensibly enhances the security of card credentials in the hands of merchants and intermediaries, it disregards numerous other risks to the security of cardholders’ financial data (including risks associated with actions such as point-of-sale (POS) skimming and phishing). We note that such a framework will be detrimental, both from the principled perspective of legal certainty and from the pragmatic perspective of compliance costs for financial service-providers.

Second, we note that the framework’s simplistic formulation of cardholder consent fails to account for the various dimensions of consent involved in the processing of any form of financial data. These dimensions include whether the cardholder understands the level of risk they take on when giving consent, and whether a minimum standard of service is guaranteed if consent is denied.

Third, we observe that the framework favours one technological solution, viz tokenisation, amongst a range of measures that can enhance cardholder data security—these include other technological solutions (such as encryption and anonymization) as well as regulatory mechanisms to increase transparency and accountability in the functioning of payment systems (such as regulatory audits and privacy impact assessments). Prioritising tokenisation without a relative assessment of its costs and benefits risks disincentivising the development of alternatives that may be more scale-sensitive, less disruptive, and more robust in protecting cardholder data.

  2. Addressing these Limitations

Our paper argues that the above discussed limitations render the tokenisation framework a sub-optimal privacy solution for payments data. An optimal solution, we argue, is the enactment of a comprehensive data privacy law. To this end, our paper identifies five benefits that a comprehensive privacy law confers over the tokenisation framework.

First, comprehensive data privacy laws adopt a principle-led approach to governing data. These principles can be applied to the risks, extant and novel, that arise out of the processing of financial data per se, without substantially amending the parent regulation.

Second, privacy laws make the processing of financial data more transparent. To this end, we study the role played by three tools in India’s draft Data Protection Bill, 2021 (‘DP Bill’)—auditing, data protection impact assessment, and data breach reporting. We find that these tools prioritise systemic risk-assessment for financial services. They empower individuals to better appraise the risks involved in the processing of their personal data.

Third, comprehensive data privacy laws treat financial data as sensitive personal data. This categorisation allows regulators to treat various sub-types of financial data as one. Such treatment helps stymie arbitrage-related concerns among piecemeal financial data privacy regulations.

Fourth, a comprehensive data protection law is likely to enforce a better consent framework for financial data.

Fifth, we address the possibility of turf wars in India’s financial data protection ecosystem. Assessing the potential for conflict between the RBI and a proposed Data Protection Authority of India (‘DPAI’), we note that instruments like the DP Bill are designed to promote regulatory co-operation. To this end, we analyse the conflict-ameliorating provisions of the DP Bill. We note that they are likely to be efficacious.

  3. Conclusion

Even though the RBI’s tokenisation framework is motivated by necessary considerations of regulating for privacy and data security risks, its inherent limitations render it a sub-optimal privacy solution for payments data. Accordingly, we argue that the optimal method to address the relevant risks lies in enacting comprehensive data protection legislation, with guiding principles and tools embedded within it.

Since the publication of our paper, India has released a new draft data protection law. The draft Digital Personal Data Protection Bill, 2022 (‘2022 Bill’) largely retains the key data privacy principles contained in the DP Bill. However, it also contains significant divergences—the DPAI, for instance, is replaced by a Data Protection Board. Scholars interested in the development of privacy laws in the Global South may want to look at the 2022 Bill.

KS Roshan Menon is a Research Fellow at Shardul Amarchand Mangaldas & Co.

Sohini Banerjee is a Research Fellow at Shardul Amarchand Mangaldas & Co.

Shobhit Shukla was a Research Fellow at Shardul Amarchand Mangaldas & Co. and is currently a Project Officer at the Centre for Communication Governance, National Law University Delhi.
