Fintech: Readiness for Data Privacy Regulations
One of the sectors that will be significantly affected by the introduction of the new Digital Personal Data Protection Act, 2023 (‘DPDP Act’) and the rules thereunder is fintech, owing to the enormous amount of personal digital data it collects. Fintech companies offer solutions such as neobanks and personal finance management tools, and act as payment aggregators. Additionally, certain players also provide credit scoring and analytics services to banks to enhance the banks’ own service offerings.
Given the nature of the data being collected, which includes Aadhaar details, KYC documents, credit card details and mobile numbers, there is substantial risk if such data is breached. In 2021[1], an Indian fintech company experienced a significant data breach which exposed the sensitive information of millions of customers and highlighted the critical importance of robust cybersecurity measures in the fintech industry. Even now, leaks continue to occur despite companies taking all reasonable care.
The current legal ecosystem for fintech has focused more on data handling and management than on data protection. Thus, there is a need for specific regulations dealing with the protection of individuals’ digital data. The DPDP Act introduces more stringent provisions, requiring fintech players to overhaul their entire systems, with the possibility of heavy penalties for non-compliance.
Need for Separate Legislation
At present, data issues are governed by a combination of general laws and regulations. The Information Technology (IT) Act, 2000, and its associated rules mandate the protection of sensitive data and penalise unauthorised disclosures. The RBI circular on Storage of Payment System Data[2] mandates that all payment system operators must store their entire data, including full end-to-end transaction details, exclusively within India. Additionally, the RBI Guidelines on Digital Lending[3] require fintech lenders to ensure the security and privacy of borrowers’ data while prominently displaying information related to products and services.
Despite the above regulations, there was no act specific to data privacy that zealously protected individuals’ digital personal data rights while providing stringent penalties for data leaks. The lack of such a regulation, especially in the fintech sector, where the collection of sensitive personal data is significant, also limited India’s attempts to be recognised as a global fintech hub.
The DPDP Act and the rules thereunder have the potential to refurbish the entire system of data collection, processing and storage, and promise a robust grievance redressal system, albeit with an initial and continuing investment for every fintech entity. In the following paragraphs, we comment on a few organisational changes required of fintech companies for effective implementation of the new data privacy regulations.
Consent Management Mechanism
The concept of ‘consent’ plays a vital role in the new data privacy infrastructure. Consent has to be obtained not only at the very beginning but at every stage where the purpose of collecting the personal data changes. Fintech companies must find user-friendly and economically viable ways of obtaining consent from customers.
Under the DPDP Act, data principals have the right to access, correct, update and erase their personal data, as well as the right to withdraw consent without any negative consequences. Such rights are to be clearly spelt out while collecting the data. In addition, exercising any of these rights should be simple, which calls for an accessible consent management mechanism.
Given the volume of digital personal data being generated, fintech companies may turn to a third-party consent manager specialising in this sector. Such a platform may benefit from multi-factor authentication, real-time consent tracking, integration with the core banking system and context-specific consent interfaces, for instance obtaining consent during a loan application. Further, the consent management platform could be integrated with Anti-Money Laundering (‘AML’) tools and KYC requirements.
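The following is an added illustration, not code from the article or from any consent-management vendor, of the purpose-bound consent mechanics described above: consent is recorded against a specific purpose together with the notice shown, a fresh consent is required when the purpose changes (here, moving from loan KYC to credit-score analytics), withdrawal takes effect immediately for that purpose only, and every processing step consults the ledger before touching data. The data principal identifier, purpose names and timestamps are constructed for the example.

```python
"""Purpose-bound consent ledger (added example; identifiers are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str            # version of the notice shown when consent was taken
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentRequired(Exception):
    """Raised when a processing step has no active consent for its purpose."""


class ConsentLedger:
    """One entry per (data principal, purpose); an append-only audit trail supports grievance redressal."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.audit: list[str] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              now: Optional[datetime] = None) -> ConsentRecord:
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(purpose, notice_version, now)
        self._records[(principal_id, purpose)] = rec
        self.audit.append(f"{now.isoformat()} GRANT {principal_id} {purpose} notice={notice_version}")
        return rec

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        rec = self._records.get((principal_id, purpose))
        if rec is None or not rec.active:
            return False                      # nothing to withdraw
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        self.audit.append(f"{rec.withdrawn_at.isoformat()} WITHDRAW {principal_id} {purpose}")
        return True

    def processing_allowed(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.active


def process(ledger: ConsentLedger, principal_id: str, purpose: str,
            handler: Callable[[dict], str], record: dict) -> str:
    """Gate a processing step on active consent for exactly this purpose."""
    if not ledger.processing_allowed(principal_id, purpose):
        raise ConsentRequired(f"no active consent from {principal_id} for purpose '{purpose}'")
    return handler(record)


def demo() -> dict:
    ledger = ConsentLedger()
    applicant = "DP-0001"                                       # constructed identifier
    t0 = datetime(2024, 8, 1, tzinfo=timezone.utc)              # constructed timestamp
    ledger.grant(applicant, "loan_application_kyc", "notice-v1", t0)
    results = {}
    results["kyc"] = process(ledger, applicant, "loan_application_kyc",
                             lambda r: f"verified {r['pan_masked']}", {"pan_masked": "XXXXX1234X"})
    # Purpose changes (analytics for a partner bank): the KYC consent does not carry over.
    try:
        process(ledger, applicant, "credit_score_analytics", lambda r: "scored", {})
        results["scoring"] = "processed without consent"
    except ConsentRequired:
        results["scoring"] = "blocked"
    ledger.grant(applicant, "credit_score_analytics", "notice-v2")
    results["scoring_after_consent"] = process(ledger, applicant, "credit_score_analytics",
                                               lambda r: "scored", {})
    # Withdrawal is immediate and purpose-specific: KYC processing remains permitted.
    ledger.withdraw(applicant, "credit_score_analytics")
    results["scoring_after_withdrawal"] = ledger.processing_allowed(applicant, "credit_score_analytics")
    results["kyc_still_allowed"] = ledger.processing_allowed(applicant, "loan_application_kyc")
    results["audit_entries"] = len(ledger.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ledger key is the (principal, purpose) pair rather than the principal alone, which is what forces re-consent when the purpose changes; the audit list is what a grievance officer would replay to show when consent was taken, against which notice, and when it was withdrawn.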
Automatic Data Processing
The term ‘processing’ has a wide definition under the DPDP Act and is likely to be refined through judicial precedents over the next few years. The fintech industry uses automated processes to handle personal data without human intervention. This may include deploying artificial intelligence to ensure adherence to KYC and AML compliance checks. Similarly, insurers use these technology tools to improve both the processing and the verification of claims. Further, machine learning is used to check data from numerous sources to build accurate credit scores[4].
The DPDP Act mandates that all processing be undertaken only after obtaining consent from the data principal, preceded by proper notice. Fintech companies will have to do a deep dive into their multiple automated processes to identify where consent is needed and customise the systems accordingly.
Data Transfer
The DPDP Act empowers the Government to issue notifications restricting the transfer of personal data to certain jurisdictions. These jurisdictions will include countries with weak or no data protection laws. Fintech services are provided across borders, especially for money transfers and remittances, global payment processing, cross-border investments, etc.
Companies will have to customise their systems to monitor such transactions and bring in appropriate restrictions to safeguard the data. Apart from system modifications, cross-border contracts with third parties may require strong clauses, such as those specified under the GDPR, depending on the nature of the restrictions issued by the Government.
Data Storage and Deletion
Under the DPDP Act, data storage is primarily governed by the storage periods prescribed under other regulations. For example, the storage period for a customer’s KYC data is governed by RBI regulations. Unless there is a statutory requirement to store particular data for a certain period, the DPDP Act directs the data fiduciary to erase digital personal data once the specified purpose for which it was collected has been completed, or on the data principal’s request for such deletion. Further, certain statutes in India also mandate data localisation in a few cases.
Longer data storage periods increase the exposure to cyber-attacks and data leaks. At times, leaks may involve simple files containing data such as names and contact details. To protect against such situations, fintech companies may adopt data anonymisation. Large fintech companies may explore data embassies in partnership with Government bodies[5]. A data embassy is digital infrastructure in another country for storing critical data to ensure continuity in case of natural disasters or political instability.
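As an added example (not from the article, and not a statement of the actual RBI or PMLA retention periods), the retention rule described above can be expressed as a small decision function: erase when the purpose is complete or the data principal asks, unless a statute requires the record to be held, in which case keep only the fields the statute needs until the hold expires. The retention periods, field lists and records below are constructed placeholders; a real deployment would take them from the applicable regulation.

```python
"""Retention / erasure decision under purpose limitation with statutory holds.
Added example; retention periods and field lists are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Placeholder statutory hold in days, counted from the end of the purpose (or from the
# deletion request if the purpose is still running). 0 means no statutory hold.
STATUTORY_RETENTION_DAYS = {
    "kyc_document": 5 * 365,        # placeholder, not the real RBI/PMLA figure
    "transaction_record": 5 * 365,  # placeholder
    "contact_details": 0,
    "marketing_preference": 0,
}

# Fields that the (placeholder) statute actually needs; everything else is dropped
# while the record sits in its retention hold, shrinking what a leak could expose.
STATUTORY_FIELDS = {
    "kyc_document": {"customer_id", "document_type", "verified_on"},
    "transaction_record": {"customer_id", "amount", "counterparty_masked", "timestamp"},
}


@dataclass
class StoredRecord:
    category: str
    purpose_completed_on: Optional[date]      # None while the purpose is ongoing
    deletion_requested: bool = False
    fields: dict = field(default_factory=dict)


def decide(record: StoredRecord, today: date) -> str:
    """Return 'retain', 'retain-minimised' or 'erase' for one record."""
    if record.purpose_completed_on is None and not record.deletion_requested:
        return "retain"                                   # purpose still being served
    hold_days = STATUTORY_RETENTION_DAYS.get(record.category, 0)
    if hold_days == 0:
        return "erase"                                    # no statute overrides the DPDP default
    anchor = record.purpose_completed_on or today         # request date if purpose ongoing
    if today >= anchor + timedelta(days=hold_days):
        return "erase"                                    # statutory hold has lapsed
    return "retain-minimised"


def minimise(category: str, fields: dict) -> dict:
    """Keep only the statutorily required fields of a record under hold."""
    keep = STATUTORY_FIELDS.get(category, set())
    return {k: v for k, v in fields.items() if k in keep}


def sweep(records: list, today: date) -> dict:
    """Apply the decision to a batch; returns counts and the minimised records kept under hold."""
    summary = {"retain": 0, "retain-minimised": 0, "erase": 0, "held": []}
    for rec in records:
        outcome = decide(rec, today)
        summary[outcome] += 1
        if outcome == "retain-minimised":
            summary["held"].append(minimise(rec.category, rec.fields))
    return summary


if __name__ == "__main__":
    today = date(2024, 8, 1)                               # constructed run date
    batch = [                                              # constructed records
        StoredRecord("contact_details", date(2024, 1, 1), fields={"name": "A", "mobile": "9xxxxxxxxx"}),
        StoredRecord("kyc_document", date(2024, 1, 1),
                     fields={"customer_id": "C1", "document_type": "passport",
                             "verified_on": "2023-12-01", "mobile": "9xxxxxxxxx"}),
        StoredRecord("kyc_document", date(2015, 1, 1), fields={"customer_id": "C2"}),
        StoredRecord("transaction_record", None),
    ]
    print(sweep(batch, today))
```

The point of splitting `decide` from `minimise` is that the statutory hold only justifies keeping what the statute asks for: the customer's mobile number on a KYC record in hold is not protected by the hold and is dropped at the first sweep after the purpose ends.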
Employee Training and Contracts
Adherence to the DPDP Act by aligning one’s systems with the regulatory requirements is not a one-time exercise but a continuous process in which the training of employees becomes vital. In a fintech company, employees are privy to data on sensitive financial transactions and KYC and AML compliance, including real-time data processing.
Fintech organisations will have to not only train employees in the proper handling of such data but also come up with periodic refresher modules on adhering to such norms. Furthermore, norms will have to be put in place to ensure that only relevant, adequately trained employees are given access to sensitive data. The employment agreement clauses, to this end, could be made more stringent.
Synergizing with Government
Recently, the RBI finalised the Self-Regulatory Organisation (‘SRO’) framework for the fintech industry[6]. The SRO is to act as a conduit between the RBI and related Government authorities and to synergise efforts for proper implementation of privacy regulations. Given the amount of innovation within the sector, regular interactions with the SRO and Government agencies will go a long way not only in identifying data privacy issues but also in modifying the regulations for effective implementation while managing costs for small players.
Conclusion
Data privacy issues in the fintech sector are of paramount concern, as the sensitivity and volume of personal financial information handled by companies make them prime targets for cyberattacks. A data breach is not just a technical failure but also a significant breach of trust, leading to severe reputational damage and erosion of consumer confidence. To mitigate these risks, fintech companies must prioritise robust data protection measures and adhere strictly to data privacy regulations. To this end, companies need to review their systems well before the DPDP regulations are operationalised.
[1] https://indianexpress.com/article/technology/tech-news-technology/mobikwik-database-leaked-on-dark-webcompany-denies-any-data-breach-7251448/ as extracted on 1 Aug 2024
[2] Circular DPSS.CO.OD.No 2785/06.08.005/2017-18 dated 6 April 2018
[3] Circular DOR.CRE.REC.66/21.07.001/2022-23 dated 2 September 2022
[4] https://www.dqindia.com/news/tech-driven-efficiency-how-automation-is-reshaping-fintech-operations-3872791 as extracted on 1 Aug 2024
[5] https://www.linkedin.com/pulse/fintech-data-protection-india-rohit-kilam/ as extracted on 1 Aug 2024
[6] https://rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1263 as extracted on 31 July 2024