Effective data privacy safeguards have become an important source of competitive advantage, as consumers increasingly prefer to deal with organizations that give them a degree of control over their data.
Individual consumers are also more aware than ever of their rights over their personal data. This awareness has been catalysed by a global movement to debate, adopt or reject new laws protecting personal data. India too is set to pass a law governing personal data this year.
Reading India’s Personal Data Protection (PDP) Bill 2019, it becomes apparent that lending by banks, NBFCs and new-age fintech companies will be affected by a combination of compliance clauses in the draft bill.
Let us start with the acknowledgement that acquisition of data is central to the lending operation. Lenders collect, process and analyze a host of customer data throughout the lifecycle of a loan. This helps the loan granting entity to gauge risk and offer personalized services adapted to the loan seeker’s needs.
To remain compliant, these data fiduciaries must understand the compliance norms and the rights of the data principals (the individuals to whom the data relates). Below, we explore the rights proposed in the draft bill that translate directly into areas of compliance across the lending process.
The primary rights which affect compliance for lenders are explained below:
| Right of the Data Principal | Definition |
|---|---|
| Informed Consent | Personal data shall only be processed after explicit consent is given by the data principal at the commencement of processing. Lenders therefore cannot assume implied consent for processing customer data. |
| Specific Purpose | Personal data shall be collected only to the extent necessary for the declared purposes of processing. It cannot be collected for reasons that are not known to or declared to the data principal. |
| Data Erasure | Personal data must be erased once the purpose for which it was shared has been met. The data principal also has the right to ask for erasure of their personal data. |
| Data Portability | Where personal data has been processed through automated means, the data principal has the right to receive a copy of it in a structured, commonly used and machine-readable format. |
These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, we can reasonably anticipate the PDP bill’s impact on compliance as below:
The first step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required are (a) proof of identity and (b) proof of address. This is already a consent-based process.
The clauses from the draft bill that can affect the KYC process are:
- Storage Limitation: once the loan has been repaid, the purpose of the KYC data has been served and the data principal can request erasure of all of it
- Data Portability: with eKYC and Video KYC being adopted, automated processing is becoming common. The data fiduciary must be able to hand over a copy of the KYC data in a structured, machine-readable format on request. This does not mean retaining it indefinitely, which would conflict with the storage limitation above
A number of data sources are examined during the credit underwriting process. These can be divided into public and private sources.
Public Data Sources
This includes news articles about a customer, public social media profiles and so on. The bill lists processing of publicly available personal data among the “reasonable purposes” for which consent may not be required, so lenders face fewer hurdles here, but publicly available data is still personal data and the fiduciary’s other obligations (purpose limitation, storage limitation, security safeguards) continue to apply.
Private Data Sources
There are a number of private sources that can be scraped for credit underwriting. Here we discuss a few of them that raise compliance concerns.
SMS Scraping
Reading a customer’s SMS inbox for transaction alerts is a relatively new method of credit assessment, and it would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties to an SMS exchange, since the messages contain the other party’s personal data as well.
Bank Login Based Pull
To evaluate a person’s financial history, many lenders perform a bank login based pull, in which the applicant hands over their internet banking credentials. Apart from the fact that explicit consent is required to access this data source, the question is whether this amounts to a breach of trust with the bank, which is itself a data fiduciary for that data, and whether consent would be required from the bank as well. From a security standpoint, credential sharing also gives the lender full access to the account rather than to the specific data it needs, which sits uneasily with the purpose limitation principle.
Email Login Based Pull
Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Until now, explicit permission was usually, but not always, sought before doing this. With the bill in place, email login based scraping would need to be entirely consent-based.
Credit Bureau Access
Lenders are often obliged to share a customer’s personal data with credit bureaus and other third parties while servicing a loan. Under the bill’s provisions, lenders must explain to their customers which data is transferred, which companies are involved and the justification for the transfer.
Although credit scoring is listed as a “reasonable purpose” in the bill, which allows personal data to be processed without consent, it is not certain whether this also exempts the data from the right to erasure. As long as personally identifiable information (PII) is stored, a data principal can request that it be completely erased.
Non-Traditional Types Of Data
Credit bureaus have until now been governed by the Credit Information Companies (Regulation) Act, 2005 (CIC Act), which does not allow them to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the credit bureaus.
This included default history, size of defaults and repayment time of loans. With an increasing number of data sources available, it is yet to be determined whether alternative sources are permitted under the new bill, and how compliance norms would apply to their processing. Potentially, such sources could be:
- Google Places/ Yelp
- Payment processors
- Ecommerce platforms
Privacy By Design
The bill requires every data fiduciary to build a robust privacy system for storing and processing personal data, and to implement data protection from the outset. This “Privacy by Design” policy is a mandatory requirement. The bill provides for the policy to be submitted to the Data Protection Authority for certification and, once certified, published on the websites of both the organisation and the Authority.
Non-compliance attracts a penalty. This penalty can go up to 15 crore rupees or 4% of the data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is therefore imperative for fintech companies and banks to start preparing for these compliance measures now.
Dissent From Lenders
The bill in its current form classifies all forms of personal financial data as “sensitive personal data”. This definition is restrictive and raises concerns for lenders. The Digital Lenders Association of India (DLAI) has submitted recommendations to reduce the restrictions the bill would impose.
To make the lending process less prone to fraud, lenders need access to aspects of consumer data, including credit history, financial position and some alternative data. Under the current PDP bill’s provisions, obtaining and processing this data would become tedious, since every element of it would be subject to the explicit-consent regime for sensitive personal data. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.
The banking and fintech industry needs a clear compliance checklist. There is little understanding of how the current bill will affect compliance for data-centric processes like lending, because specific norms have not yet been released for the fintech space. The RBI and the government will need to issue guidelines for the sector to ensure that business function and compliance are not at odds.