India is gearing up to put in place what it calls a “consent architecture,” a system which allows users to digitally share their data with service providers in exchange for easier access to credit, insurance and other services. When fully operational, this could bring a big change in the way businesses, individuals, services providers and others use digital data in their day-to-day operations.

While the consent architecture can take several months to be fully implemented, we will see its application in areas such as small business lending before the turn of the year, say top officials who have worked on the project.

“In 3-4 months, you should see it in SME lending. There’s a lot of action in healthcare as well,” a top source who is working closely with the government told FactorDaily. The source requested anonymity because he is not authorised to speak to the media. For a complete roll out to take place, many things, including India’s data protection law and sector specific regulations need to fall in place and will take over a year.

The consent architecture is also likely to find use in the agriculture sector.

The architecture, gives the control of data to the end user. Take, for instance, small business lending. Currently, when a small business applies for a loan, it has to provide reams of documents including KYC documents, audited financials for three years, tax returns and bank documents. The consent architecture allows sharing of the business’s data with a lender. With this machine readable data, the bank can perform credit evaluation in seconds. If the system works as proposed, India could even have real-time data on the economy.

Lending and Consent Architecture

In the case of lending to small and medium businesses, it’s going to be tied to the data captured by the Goods and Services Tax Network or GSTN. The idea is for the end user (in this case the applicant) to be able to share digitally signed, machine readable data with a lender to easily prove creditworthiness.

“It’s like how you can use your Twitter ID to log into some other application but even better. With this, you can give fine grain control over how the data is viewed… whether it is at the aggregate level or more granular,” Thiyagarajan M, a fellow at ISPIRT, told FactorDaily. iSPIRIT, a software products think tank, has been building and championing the cause of India Stack, a set of code that helps developers build products and services riding on the country’s digital infrastructure.

The consent architecture is the fourth and final piece in the India Stack. The other three layers relate to identity management, a digital records repository, and cashless payments.

“The regulators, say in banking or telecom, may allow this to happen faster. But the broader use cases will take longer,” said Sanjay Jain, the Chief Innovation Officer at the ‎Centre for Innovation Incubation and Entrepreneurship, IIM Ahmedabad. Jain was one of the core team members who built India’s biometric identity system, Aadhaar.

The committee on data protection, headed by former Supreme Court judge B M Srikrishna, said Jain, will play a crucial role in protecting citizen data and also empowering them to use their data.

Also see: India’s top tech architect talks about the tech behind GST, data empowerment

There are over 51 million small and medium businesses in India and most of them struggle to access credit because banks have a tough time ascertaining their creditworthiness. Which is why only about 1.2 million companies in the country have availed bank loans.

The consent architecture, applied on top of the GSTN, is likely to change this for the better. Nearly 8 million companies have registered to be part of the GSTN. This could even help grow bank lending to industries, which has been slowing.

Some Fixes

“It’s not perfect yet but this is the part of the India Stack that I like,” Sunil Abraham, the Executive Director of Bengaluru-based research organisation, the Centre for Internet and Society, said. But he has a short wish list of fixes. “I’d want revocation of consent to be easy. A one button ‘do not dial’ for the information society,” said Abraham.

But in some cases, entities are required to retain data. For example, Abraham points out, banks may have to retain records as a legal requirement. The anti money laundering guidelines issued by India’s central bank in 2009, requires financial institutions to retain data for 10 years. “The user can choose to revoke consent in other cases,” said Jain.

Secondly, Abraham points out, there can be many people who can act as your “consent brokers,” ranging from an insurance or loan aggregator to an education service provider. There should be just one consent broker and that category should ideally be regulated, Abraham insisted. “The last piece is, that consent brokers can only get paid by the data subjects…if I mess up consent, I will lose revenues. In the current environment, it isn’t very clear how economic incentives will encourage good behaviour,” he said.

If done right, India could have one of the most advanced data regimes in the world. The European Union, recently came out with the General Data Protection Regulation, to strengthen data protection of individuals in the EU. It will be enforced in May 2018. But they are yet to come up with a technology layer to handle user consent.

---