
Insights by: Sumit Kochar, Shivam Gera & Jaydeep Saha
Introduction
Fintech, herein referred to as a portmanteau of “financial technology,” denotes a pivotal confluence of technological advancements within the realm of financial services.[1] In an epoch where financial activities have transcended the confines of conventional banking paradigms, Fintech has ushered in an era characterized by the facile facilitation of multifarious fiscal transactions, accessible through the simple actuation of a digital interface. This pervasive transformation encompasses a spectrum of financial instruments, encompassing mobile applications offered by financial institutions, crowdfunding platforms, payment gateways, and the burgeoning domain of cryptocurrencies. Notably, Fintech has seamlessly ingratiated itself into the daily lives of individuals, a phenomenon substantiated by the findings of the Ernst & Young 2019 Global FinTech Adoption Index.[2]
According to the aforementioned index, a substantial majority, approximately sixty-four percent (64%), of the global populace were found to be patrons of Fintech applications in the year 2019, an exponential ascent from the sixteen percent (16%) reported in the year 2015. This substantiates the paradigm shift in the financial landscape, wherein three out of every four consumers had integrated Fintech solutions into their fiscal activities, with a predilection toward money transfers and payment systems.
Furthermore, the Global FinTech Adoption Index for the year 2023[3] attests to India’s preeminent role in fostering Fintech inclusion, with an adoption rate soaring to an impressive eighty-seven percent (87%) among its denizens, significantly surpassing the global mean of sixty-four percent (64%). This heightened adoption rate in India can be attributed to a confluence of governmental and private-sector initiatives, such as the Unified Payments Interface (UPI), among others.
Nonetheless, in the current milieu where the Fintech industry exerts substantial dominance over the economic fabric of India, it is imperative that the government proactively embraces an impervious regulatory framework to safeguard the sensitive financial data of its citizenry. Alarming statistics further underline the urgency of such protective measures, with India registering the highest count of ransomware attacks worldwide in the year 2021, as elucidated in a report by Check Point Research.
In September 2022, the Reserve Bank of India (RBI) released a set of Guidelines on Digital Lending, 2022[4] (“DL Guidelines”) designed to govern the sphere of digital lending, encompassing online platforms and mobile applications.
Notably, as a response to the burgeoning necessity of fortifying the security and sanctity of financial data, in the year 2023, the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or “Act”) was promulgated. This legislative instrument imposes exacting standards governing the collection, retention, processing, and disposal of digital personal data. The ramifications of this legislation are bound to reverberate profoundly across the Fintech landscape, impacting entities reliant on consumer data for both customer acquisition and service provisioning and aiming to strike a balance between protecting individuals’ personal data and fostering innovation in the fintech space.
The Implications of the DPDP Act in the Fintech Industry
The implications of the DPDP Act in the Fintech industry are:
- A primary implication posed by the DPDP Act arises from its definition of a Data Fiduciary in clause 2(j), which designates such a person as an entity, either individually or in collaboration with others, responsible for determining the purpose and methods of personal data processing. It is clear that the title of Data Fiduciary applies to fintech companies.
- A significant challenge for fintech companies is the determination of whether they qualify as Data Fiduciaries or fall under the category of Significant Data Fiduciaries (SDFs). The DPDP Act allows the central government to designate certain Data Fiduciaries as SDFs based on factors such as the volume and sensitivity of processed personal data, risks to data principals’ rights, state security, and public order. Considering the heavy reliance of fintech companies on technology and the extensive personal data they handle, many may likely be classified as SDFs. This entails additional responsibilities, including the appointment of a Data Protection Officer, an Independent Data Auditor, and the conduct of impact assessments and compliance audits.
- Notably, the DPDP Act imposes a statutory obligation on Data Fiduciaries to ensure the completeness, accuracy, and consistency of personal data processing, which contrasts with the previous practice of collecting data on an “as-is” basis. Consequently, Data Fiduciaries, when dealing with data collection and processing entities (which may include fintech companies), must ensure that their agreements indemnify them against any costs or damages arising from inaccurate, incomplete, or inconsistent data.
- The DPDP Act introduces the requirement for a “Consent Manager.” The DL Guidelines also require regulated entities (i.e., banks) to appoint nodal grievance redressal officers for fintech and digital lending-related complaints from borrowers. This raises questions about whether fintech companies now need two distinct designations to handle consent-related grievances. This becomes crucial considering that Consent Managers have specific requirements (e.g., registration with the Data Protection Board of India (the “DPBI”)) outlined in the DPDP Act, whereas nodal grievance officers do not. Furthermore, if a borrower files a complaint with the Consent Manager and it remains unresolved by the Regulated Entities for 30 days, it remains unclear whether the borrower can escalate the complaint through the Complaint Management System (CMS) portal.
- Another aspect to consider is the data breach reporting obligations. The Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks require immediate reporting of data breaches to the RBI. Additionally, CERT-In has issued directions mandating the reporting of cyber incidents within 6 hours. The DPDP Act adds to these obligations by requiring Data Fiduciaries to notify the DPBI and affected data principals in a prescribed format in the event of a personal data breach. This adds to the compliance burden for fintech companies.
- The DPDP Act allows for exemptions for certain Data Fiduciaries, including startups, from specific provisions, including prior notice, data completeness and accuracy requirements, data erasure, additional obligations of SDFs, and data principals’ right to access their data. Presently, a significant number of fintech companies are registered as startups. While the rationale for this exemption remains unclear, fintech entities must adhere to regulatory requirements until the central government formally notifies specific startups for exemption.
- The DPDP Act introduces the consideration of the repetitive occurrence of breaches when assessing monetary penalties. Because Fintech’s dynamic nature often involves collaborations with various partners and entities, fintech firms should conduct thorough due diligence on potential partners’ data protection practices. This diligence is essential for informed decision-making and minimizing regulatory and reputational risks.
Conclusion
In essence, as the DPDP Act reshapes the data protection and privacy landscape in India, fintech companies must embrace this paradigm shift with diligence, adaptability, and a forward-thinking approach. By doing so, they can not only ensure compliance with the law but also harness the opportunities for growth and innovation that come with responsible data handling and privacy practices. The future success of fintech in India hinges on their ability to navigate this evolving regulatory landscape effectively.
[1] https://www.forbes.com/advisor/banking/what-is-fintech/
[2] https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/banking-and-capital-markets/ey-global-fintech-adoption-index.pdf
[3] https://www.moneycontrol.com/news/business/economic-survey-2023-india-outpaces-world-in-fintech-adoption-driving-financial-inclusion-9971651.html
[4] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF