Implications of India’s proposed data privacy landscape on the FinTech industry
“We’re witnessing the creative destruction of financial services, rearranging itself around the consumer. Who does this in the most relevant, exciting way using data and digital, wins!”, a well-contented quote by Arvind Sankaran, a highly revered name in the global investor scenario reaffirms the undisputed integration of technology in the financial services domain.
Fintech, in simplest terms, is a portmantologism for “financial technology”. At a time, when financial services extend much beyond the traditional banking system, FinTech has enabled diverse pecuniary transfers through a simple click of a button. Ranging from mobile applications of banks, crowdfunding platforms, payment gateways as well as cryptocurrency, FinTech has seamlessly integrated into our everyday activities. The same is evidenced by Ernst & Young’s 2019 Global FinTech Adoption Index, which affirmed that nearly two-thirds (64%) of the world’s population were using fintech applications in 2019, up from 16% in 2015. According to the report, 3 out of 4 consumers had become users of money transfer and payment solutions. Moreover, as per the Global FinTech Adoption Index 2023India has taken a lead in fintech inclusion, with an adoption rate of 87% amongst its population, which is substantially higher than the world average of 64%. The accelerated growth of FinTech in India is promoted by several governmental as well as private initiatives in this space such as UPI, E-Nach, Open Credit Enablement Network etc.
However, at a time, when the FinTech industry is dominating the economic landscape of India, unassailable regulatory compliances are required to be adopted by the government to protect data of its citizens. India saw the highest number of ransomware attacks in 2021 in the world according to a report by Check Point Research. Further, as per an IBM report, financial service providers were targeted the most in the last preceding three years. At present, India lacks comprehensive data protection rules that address crucial aspects of privacy, including in the financial sector. While in September 2022, the Reserve Bank of India (RBI) released guidelines to regulate digital lending such as lending through online platforms and mobile applications, India still lacks a dedicated legislation for protection of personal data on financial platforms. However, the proposed Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) aims to impose stringent security standards on the manner in which digital personal data is collected, stored, processed and disposed. This will have undisputed imputations on FinTech companies which heavily rely on consumer data for the purpose of customer acquisition as well as providing services.
Current data-oriented regulations in the FinTech landscape
Data, especially financial data, is an extremely valuable asset for companies. It enables decision making with respect to market, products as well as prices. Considering the efficacious nature of such data, it is prone to theft and misuse. As per the IBM Cost of Data Breach Report 2021, the average cost of data breaches caused the fintech industry more than US$ 5.72 billion in the year 2021 itself. In order to prevent misuse of data, specifically in the FinTech sector, the Reserve Bank of India (RBI) in September 2022, issued the Digital Lending Guidelines (“The Guidelines”), aimed at streamlining the working of digital lending applications and protecting borrowers’ interests. The Guidelines contain several provisions regarding data security, privacy, confidentiality, and consumer protection and are applicable to both banks and non-banking finance firms (NBFCs). While the guidelines contain several directives on the nature and mode of digital borrowing, there are several provisions specific to protecting data of both direct consumers as well as businesses.
As per the guidelines, any data collected by the DLAs (Digital Lending Applications) is required to be need-based and should be collected with the borrower’s prior express approval and an audit record. Moreover, DLAs are directed to refrain from accessing additional data stored in devices: media, contact information, call logs, phone features, etc. One of the key aspects of the Guidelines is consent based collection, processing as well as disposal of borrower’s data. In order to achieve the same, the Guidelines cover several provisions. These include provisions such as a borrower must expressly authorise one-time access to the camera, microphone, location, or other facility intended for the onboarding/KYC procedure. Moreover, before sharing personal information with any third party, the borrower’s explicit consent is mandatory. In order to prevent data leakages, the Guidelines affirm clear mandates regarding the nature of data to be stored, duration of storage of data as well as data destruction protocols etc. Moreover, to facilitate the ease of redressal, the Guidelines also lay down the procedure for grievance redressal in addition to the procedure for appointment of an officer to deal with complaints.
Owing to the transformation of the digital lending landscape in the past few years, the Guidelines play an integral role in alleviating concerns around unbridled engagement of third parties, data leakage, misappropriation of data etc. While the RBI initiatives did create some extent of regulation in the digital financial space, the need for dedicated data privacy legislation is within all spheres of the society.
Proposed data-oriented regulations in the FinTech landscape
Under the proposed Digital Personal Data Protection Bill, 2022 (“the Bill”), FinTech companies, can be considered both as data processors and/or data fiduciaries. As per the Bill, Data Processor” means any person who processes personal data on behalf of a Data Fiduciary. Moreover, “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
In order to facilitate control of data on individuals to whom the data belongs (i.e., the data principal), the Bill proposes several obligations on data processors as well as data fiduciaries. The Bill requires that data principals must receive clear notice from data processors regarding the mode as well as reason for collection as well as storage of their data. Additionally, unambiguous consent is required on behalf of the data principal before their data is collected, stored or processed. However, Section 8 of the Bill recognises the circumstances wherein deemed consent of data principal is sufficient for data related processes. These include but are not limited to when it is reasonably expected that data principal would provide such personal data For compliance with any judgement or order issued under law In public interest for prevention and detection of fraud, recovery of debt, credit scoring, etc.
Moreover, Section 11 of the Bill gives the government the power to notify any Data Fiduciary as a Significant Data Fiduciary. Considering the nature of financial data being handled by FinTech firms, they are expected to fall under this category. Determinants under this category are required to comply with several additional obligations including but not limited to appointment of a ‘Data protection officer’ and an independent Data Auditor.
Regarding the extent of duration of data storage, Section 9(6) of the Bill provides that the data cannot be retained by a data fiduciary when its retention is not necessary for legal and business purposes and when the purpose for which it was collected is no longer served. These provisions prevent companies from retaining data or individuals even when the purpose of collection and storage of such data is completed. Lastly, non-compliance of these proposed provisions by FinTech companies may attract penalties ranging up to INR Rs. 250 Crore (Approx USD. 3,05,06,775).
With India’s financial data infrastructure witnessing unprecedented growth, the country cannot afford any regulatory oversights. Regulatory scrutiny of the FinTech industry will enable strengthening all pillars of the digital lending space, thus serving as a harbinger of both expansion of the industry as well as protection of its citizens and their data.
 ey-global-fintech-adoption-index-2019.pdf  https://yourstory.com/2023/01/india-took-lead-with-fintech-adoption-rate-of-87-economic-survey-2023  https://www.ibm.com/downloads/cas/OJDVQGRY  https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf