No silver lining to RBI's cloud

There is no evidence to suggest that a state-run cloud server business would do a better job, with at least two reports of UPI-related data leaks having emerged in the last two years

The Reserve Bank of India’s (RBI) recent proposal to enter the cloud computing business raises important questions about the role of a developing country’s central bank. Should central banks be in the business of running a complex and resource-intensive information technology (IT) business? What does the Indian experience of the RBI running several IT businesses tell us? Finally, what problem will the RBI-provided server business solve that is not already solved? In short, as a former RBI governor has argued, in a different context, why fix what ain’t broken.

A basic Google search will reveal that cloud storage and computing services is a competitive market, with several companies — large and small, Indian and foreign — providing several cloud server offerings across a wide range of prices. There has been no major incident involving leakage of the data maintained by financial service providers on their cloud servers, and it doesn’t even seem to be the RBI’s case that the cloud services currently in use are unsafe. There is no evidence to suggest that a state-run cloud server business would actually do a better job, with at least two reports of Unified Payments Interface (UPI)-related data leaks having emerged in the last two years.

Competition and choice in this space already allows banks and financial institutions to easily switch to service providers that provide better security standards. Due to the RBI’s data localisation mandate of 2019, some of the largest foreign cloud service providers provide entirely India-located cloud servers. To be sure, data localisation mandates are not driven by concerns of data breaches or better security. In a country with no data protection law or protection from state surveillance, such mandates simply make firms and individuals more vulnerable to both breaches and state surveillance.

The second question is, where does the RBI get the legal mandate to run this business from, and is this a normal function of a modern central bank? In liberal democracies (the term denoting largely market-friendly economies), individuals are permitted to engage in every activity other than those explicitly prohibited by the law (otherwise the act of breathing would have to be explicitly legalised!), whereas the state must actively look for sources of law to justify its activities. The logic of this should be obvious — the law is intended to guarantee individual freedom and draw the limits of state power, whether in law enforcement or business.

In all developed countries and a majority of developing countries, central banks perform four functions, viz. monetary policy, currency note issuance, lender of last resort to banks, and regulating large-value payment systems. In some countries, central banks are vested with the additional mandate of financial stability. Indian law entrusts the RBI with additional functions, such as bank licensing and regulation and government debt management, but a cloud server business is not one of them. Equally, cloud servers have nothing to do with financial inclusion or promoting access to lending; they have nothing to do with facilitating payments either. At their most fundamental level, they provide the server space to store data, run software applications and large computations. It is hard to find any central bank that actually runs a cloud server business.

Finally, the general optimism towards the National Payments Corporation of India (NPCI) and UPI leads many people to believe that the RBI’s entry into the cloud server business will drive down the cost of availing such services, calling this idea a “digital public good”. This line of thinking is flawed as it is unlikely to bring down the real costs. Taxpayers heavily subsidise UPI transactions. While these transactions may seem free to the consumer, running, maintaining and upgrading the infrastructure is not free for the NPCI, banks or third-party payment application providers (PhonePe, Google Pay, etc). The RBI estimates the costs collectively incurred by these three stakeholders to be about 0.25 per cent of the value transacted. Based on this, for the month of November 2023 alone, the costs of UPI transactions to the system would be in the range of Rs 430-odd crore. The RBI-run cloud server will have to compete with many established players in this market, and to gain market share possibly subsidise the service, a cost that is hard to justify to taxpayers.

Conflating the business of IT services with public goods is dangerous as it tends to entrench the state in business and crowd out competition. Since the 1990s, the RBI has undertaken various IT “initiatives”, which are more in the nature of businesses. Prior to the 1990s, it ran clearing houses, pre-empting private sector participation in the business of clearing. In 1998, it set up INFINET (a proprietary network like SWIFT for Indian banks), competing with telecom companies. Similarly, the RBI-run NDS-OM, an order matching system for government securities trading, competes with exchange platforms. In each of these businesses, competition has been crowded out and de facto monopolies have been created, which are hard, if not impossible, to break.

The author is a doctoral researcher at the National University of Singapore