GSTN’s Ownership, Accountability And The Challenge Of Working With A ‘Moving’ Target
It is unusual, if not rare, for a company so intrinsic to the collection of taxes, to be majority owned by private entities. A BJP member of parliament referred to the ownership of the Goods and Services Tax Network (GSTN) as “shady”. But GSTN Chairman Navin Kumar explains that only a non-government, private-owned company would have been up to the task of setting up a national information technology (IT) network, which for the first time integrates the indirect tax administrations of the Centre and states.
Who Owns GSTN?
Incorporated in 2013 as a not-for-profit company, GSTN is also a non-government company. Fifty one percent of it is owned by private firms including two top banks, two housing finance companies and a subsidiary of India’s leading stock exchange – the National Stock Exchange. The rest is owned by the central and state governments.
The private ownership of GSTN has been criticised by none other than BJP MP Subramanian Swamy who referred to GSTN as a “shady organisation” when the Rajya Sabha was debating GST-related laws.
In response to that, Kumar recounted to BloombergQuint how the ownership structure of GSTN was finalised.
- The government set up a Technology Advisory Group for Unique Projects (TAGUP) under Nandan Nilekani to device the modalities for implementing large IT projects for the government. Five specific projects were referred. One of them was GST.
- That committee recommended the nature of the organisation that should implement such projects. It said this should be structured as a non-government, private company with a public purpose.
- The Empowered Committee of State Finance Ministers, in a meeting held in July 2010, approved the creation of an Empowered Group on IT Infrastructure for GST under the chairmanship of Nilekani and five state commissioners of trade taxes.
- The Empowered Group took into account the recommendations of TAGUP and it proposed an ownership structure for GSTN. It was decided that the government should own 49 percent and 51 percent should be with private sector companies in order to make this company a non-government, private company.
They said that since they (GSTN) will be handling a very large project which will need quick-footed work on the part of the organisation, such a company must have independence of management. It should be allowed to structure the organisation according to requirements and not be bound by government rules. It should have flexibility in decision making, it should be able to hire and retain professionals from the market at market salaries. So these were their requirements. That could happen only if this was a non-government, private company. This was accepted by the Empowered Committee of State Finance Ministers and the central government. The private entities agreed to join.
With only three of the current 13 (sanctioned 14) directors on GSTN’s board, Kumar says the private-sector owners gain nothing except for participation in a national project. They have no access to do the data on the GST network, he insists, adding that the security architecture and network design protects against external and internal breaches.
The GSTN will be dealing with a very large amount of data which pertains to the private life of citizens, very critical data. All of this is predominantly owned by private sector entities. Do you see that as a problem?
That is not a problem at all. If you look at any large IT project in government, if you take income tax, take Ministry of Corporate Affairs, it is been done by some private sector company. Be it Infosys or TCS.
But the ownership usually lies with that government entity, right?
Ownership of the project. But the data is with that company because they’re managing the system. So where’s the problem? Now here you have a company where the government is in fact sitting on the board. That is not in the case of companies which are in custody of data, similar kind of data.
What have you put in place as a security architecture to ensure that this data, at no point in time, can be compromised by just the sheer ownership of this organisation?
Right from day one this has been uppermost in our mind. When we drafted the RFP (Request for Proposal) for this project for selection of our IT partner, we put a specific section on this and we made our requirements very clear - that security of our system is an important requirement and we’re doing everything that is possible today, that technology or equipments, the best that are available for security in the world we’re going to use. We’re using ISO 27001 which is the highest standard for information security management in the world. Our system will be certified. So we’re doing everything that is required to make sure that the data is secured and we’re using various kinds of security - various steps like perimeter security, which is the physical security; security at the network level; at the application level; at the data level; even during the development of a software. We’re going to have a Security Operation Centre which will run 24x7. That will watch the security aspects and see if there are any attacks, they’ll try to contain that attack or take on the mitigation measures. We’re also having a separate organisation which we call the Security Management and Analytics Company, which will keep a tab/watch on the all the ongoing security operations. We’re taking all possible steps to ensure the security of the data.
I’m refering to not just the security of this data from external threats, hackers etc, but also from the very owners of this organisation? Because that’s one of the fears that’s been expressed. If the private sector owns this organisation, would this private sector then have access to this data?
It covers both. And let me also tell you, and through you, all the viewers, that GSTN has no access to data. We’re managing the system but we have no access to data. We cannot take data, we only have access to our own accounts. We’re also taxpayers.
So, you’re just a highway for the data, that’s it?
Our system is there. Whatever data comes there, it goes. No officer of GSTN can get access to any data.
It must be residing in your system back-end. The data must be stored on your servers?
That is the data centre. But our officers cannot go and take data from there. The data can be accessed only by those who are authorised by the government.
Who Is GSTN Accountable To?
GSTN has also faced questions regarding accountability. Recent media reports suggest GSTN has refused audit access to the Comptroller and Auditor General of India (CAG). Kumar denied that.
Given that GSTN is a privately-owned organisation is it subject to any audits by the CAG?
When you talk of audit, there are three aspects involved - first is the audit of the GST IT system. So our IT system, the system that we’re building, that’ll first of all be audited by a government organisation called STQC - Standards Testing and Quality Certification. Only after they test and give a clearance, we’d be able to deploy our systems, so that’s number one. The CAG also carries out a system audit of government-led deployments. Since this system is meant for government taxes, they’ll audit this. And in 2015, I had met the CAG and had requested that their IT team should start a dialogue with us so that when they come for a system audit we know what is required. So we have a dialogue with CAG over there, so there’s no problem. What has been coming in the media is that GSTN will not give data to CAG for audit, that’s not correct. CAG is empowered to audit the GSTN receipts into the consolidated funds of the Central and state governments. For that they need the data given by the taxpayers. What we have said is that we cannot give that data because we are not the owners of that data.
So, the government departments have to give that data?
The tax departments are there. So what happens today is that the audit team goes to a tax department to conduct an audit and then tax department gives them the data. So that can continue in the same mode because whatever data we get we are passing on to the respective tax department. Then they create more data, like a scrutiny or audit or adjudication, that data will not come to us. So if we have to give data from our system it will be incomplete. And the same data is with the tax department so they can take it from there. However, if the government says, ‘no GSTN should also give us data’, then we will give. But the respective tax departments will have to tell us.
GST = “Moving Target”
Controversies notwithstanding, GSTN’s biggest test will be the July 1 launch of the GST. In April, Parliament approved the four GST laws, but the rules have yet to be notified. Size, scale and complexity aside, this has been GSTN’s biggest challenge, said Kumar.
The major challenge here has been that we have been working against a moving target. If the law was given to me on a particular date, I would have prepared the system in nine months flat. Here what was happening was that while the process was being devised, while the law was being drafted, we were also working on our system. Because we couldn’t have waited until the passing of the law. So we did something, after that the law was notified, some more changes were required, then the law was revised. So that has been a challenge.
Located in a modern looking office in Aerocity near the Delhi International Airport GSTN is, what they’d call in aviation lingo, taxiing. Soon it will be time to take-off. The experience of other countries that have adopted GST suggests turbulence is unavoidable. But Kumar and his team are confident of a safe landing.