An analysis of key fintech regulations which govern data, the patterns they reveal, and the best practices that fintechs can adopt to ensure compliance.
For the last 5 years, data lawyers have been like the boy who cried wolf. The data bill is always being tabled "in the next session of Parliament". We've seen explainers, primers, deep dives, checklists (well, including our own) to help prepare for the law. The fourth version of the draft law is now out for public consultation. Meanwhile, the RBI has stepped in as a stopgap regulator for financial data for regulated entities (REs) and fintechs. As fintechs grapple with more existential questions, how much should you worry about data? Our fintech and data teams join forces to tell you what to do. We break down five key RBI regulations to help you identify priorities for 2023.
Local storage of payments data by payment system providers
The RBI brought in stringent data regulation with its data localization direction. It asked payment system providers to store payments data in India. Payments data can be processed outside India but must be brought back within 24 hours of processing. It can be accessed from outside India for activities like settlement processing and chargebacks (but must still be stored in India).

This direction is limited to a subset of financial data – 'payments data' – which forms part of a payments instruction or transaction. It covers end-to-end transaction details, including customer information, beneficiary account details, transaction details, etc. And it extends only to certain types of entities – payment system operators or PSOs (and through PSOs, to all system participants in the payments chain).

Which means PSOs must map their data, identify what is and what isn't 'payments data', identify whether they need offshore access (e.g., for global banks, payments processing may take place centrally outside India), re-orient systems to delete data from offshore systems within 24 hours of processing, and contractually agree with vendors/ other processors to store data within India.
No access to transaction data for co-branding partners
RBI's master directions on credit card and debit card (RBI Card Directions) set out dos and don'ts for co-branding arrangements. Co-branding partners are barred from accessing transaction information. This is because a co-branding partner's role is limited to marketing/ distribution of the card.
Transaction information isn't defined in the RBI Card Directions. It seems to cover any data related to an activity on the card post its issuance, such as spends, chargebacks, rewards, etc. on the card, but not pre-issuance details such as the cardholder's name, address, contact details, etc. Which means a co-branding partner can't directly be given data about spends, chargebacks, rewards, etc. to run loyalty programmes or other incentive schemes. But it can still access the cardholder's name and contact details – information that it needs to carry out its function as a distributor/ marketer.
Only co-branding partners are barred from accessing transaction data. Not outsourced service providers generally – since the outsourcing guidelines don't have a similar prohibition. If this were to be extended to outsourced service providers generally, it would mean functions like running reward or loyalty programmes, etc. couldn't be outsourced.
Limited access to borrowers' data by unregulated lending service providers (LSPs)
RBI's digital lending guidelines (DLG) were predominantly data guidelines – no surprise, given that data is a vital ingredient in underwriting and default predictions.
The guidelines are entity-specific, meaning they extend to lenders, and through lenders, to lending service providers and digital lending applications. Under the DLG, data collection by digital lending apps must be need-based and with the prior, explicit consent of the borrowers. Apps must inform users of the purpose of obtaining their consent at the appropriate stage of the app interface. The DLG restricts access to mobile phone resources (such as contact lists and telephony functions) which lenders usually rely upon. It allows certain permissions to be taken once, with the borrowers' explicit consent (such as location access for the purpose of onboarding/KYC requirements). Overall, the DLG promotes transparency, data minimisation, and purpose limitation – as seen in global data privacy laws.
The restrictions are also proportionate to the criticality of the data. For example, the DLG encourages access to the economic profile of the borrower (such as age, occupation, income, etc.). But it restricts access to location data, which can only be taken for the purpose of onboarding borrowers. Interestingly, the RBI has imposed limitations on location data despite acknowledging that it's required to prevent fraud.
Storing card data
Last year, the RBI also implemented the card tokenization mandate – prohibiting all entities, except card issuers and card networks, from storing actual card data. The restriction also seems to be based on the criticality of actual card data, which, if stolen, could cause serious harm to users.
Limited access to credit information
The RBI regulates access to/ sharing of credit information. Credit bureaus can only share credit information with 'specified users' (which usually includes regulated entities). This is understood as a 'hard pull' – where a potential borrower's credit score is pulled by a lender from the credit bureau without the borrower's consent. Specified users are further restricted from sharing such data with any unauthorised person. Fintechs also access credit information of users through 'soft pull' – where they access credit information from credit bureaus on behalf of the user with the user's consent.
The RBI has sporadically regulated data. RBI's data regulation is entity-specific (meaning, because you are a certain type of fintech, you may/ may not access data or must only use it a certain way) or data-specific (meaning, because the data is of a certain nature – sensitive or critical – it must be handled a certain way). The RBI is also increasingly exploring core privacy principles like data minimization (collect only the data that you need), purpose limitation (use it only for a specific purpose), consent (tell users what you're doing and get their approval) – drawing from the draft data laws we've seen over the years.
Importantly, the RBI is regulating for the absolutely reckless – those that are leaving banana peels on the floor or leaving their doors unlocked – those with little or no data hygiene.
What should you focus on?
Know your data. The RBI is worried about certain types of data. For instance, card details are sensitive and, if shared/ stored willy-nilly, could expose an individual to fraud. Transaction data can be a treasure trove of information about an individual. And so, the RBI only wants you to share it with partners who need it (and not co-branding partners whose job is only to market the card). Location data is highly sensitive, as its unauthorized disclosure could put an individual at risk of physical harm. And so, the RBI only wants digital lenders to collect it once for user onboarding. So, fintechs must know what data they collect, why they need it, whether they can do without it, how long they need it, and so on.
Share with care. The RBI is worried about wanton data-sharing. For instance, credit information can only be shared by credit bureaus with 'specified users'. Borrowers' data can be shared with lending service providers only on a need-to-know basis, with borrowers' explicit consent. So, regulated entities and their tech partners must evaluate who can access data, whether they can share data with an entity, whether they can limit access, etc.
Tell it all. The RBI is worried that individuals know nothing about their data. So, RBI wants digital lenders to disclose their purpose at the appropriate stage through the user interface and get borrowers' consent for data collection. Also, several privacy policies obfuscate more than they communicate. Consider this – "Notwithstanding anything to the contrary mentioned elsewhere, we may store and retain your Personal Information until the fulfilment of the duration which was conveyed to you at the time of collecting the Personal Information." What they mean is – "When you give us any personal information, we'll let you know how long we'll hold it for." Instead of word salads, fintechs must tell users plainly how their data is collected, used, shared, etc.