How India’s Data Protection Bill Will Impact Lending and Fintech
SUMMARY

Lenders collect, process and analyse a host of customer data throughout the lifecycle of a loan

The preliminary step of any lending operation is the Know-Your-Customer (KYC) process

The PDP bill mandates every data fiduciary to build a robust privacy system for storing and processing of personal data


Effective data privacy safeguards have today become an important source of competitive advantage in the modern era, as the consumers have increasingly begun to prefer dealing with organizations that give them a semblance of control over their data.

Also, individual consumers are today, more than ever, aware of their rights regarding their personal data. This awareness has been catalyzed by a global movement to debate, reject or adopt new laws to protect personal data. India too is set to pass a regulation governing personal data this year.

As we read through India’s Personal Data Protection (PDP) Bill 2019, it becomes apparent that lending by banks, NBFCs and the new-age fintech companies is bound to be impacted by a combination of compliance clauses included in the draft bill.

Let us start with the acknowledgement that acquisition of data is central to the lending operation. Lenders collect, process and analyze a host of customer data throughout the lifecycle of a loan. This helps the loan granting entity to gauge risk and offer personalized services adapted to the loan seeker’s needs.

To remain compliant, these data fiduciaries must ensure they understand the compliance norms and the rights of the data principals (or owners of data). Below, we explore the proposed data rights in the draft bill that directly translate into areas of compliance across the lending process.

The primary rights which affect compliance for lenders are explained below:

Right of the Data Principal: Definition

Informed Consent: Personal data shall only be processed after explicit consent is given by the data principal at the commencement of its processing. Hence, lenders cannot assume implied consent for processing customer data.

Specific Purpose: Personal data shall be collected only to the extent that is necessary for the purposes of processing. This means that it cannot be collected for reasons that are not known or declared.

Data Erasure: Personal data must be erased after the purpose for which it was shared has been met. The data principal has the right to ask for the erasure of their personal data.

Data Portability: When the processing of the personal data has been carried out through automated means, the data principal has the right to receive a copy of their personal data in a structured, commonly used and machine-readable format.

These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, we can reasonably anticipate the PDP bill’s impact on compliance as below:

KYC Process

The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required for this are (a) Identity proof and (b) Address proof. This is already a consent based process.

The clauses from the draft bill that can affect the KYC process are:

  • Storage Limitation: after the loan has been repaid, the data principal can request erasure of all the KYC data
  • Data Portability: with eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal

Credit Underwriting

A number of data sources are inspected as a part of the credit underwriting process. These can be divided into:

Public Sources

This includes news articles about a customer, public social media profiles etc. Since this category of personal data is public, lenders do not have to worry about non-compliance.

Private Sources

There are a number of private sources that can be scraped for credit underwriting. Here we discuss a few of them that bring up the concern of compliance.

SMS Reading

This method of credit assessment is considerably new, and it would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties associated in the SMS exchange.

Bank Login Based Pull

To evaluate a person’s financial history, many lenders perform a bank login based pull. Apart from the fact that explicit consent is required to access this data source, the question here is whether this would be a breach of the data fiduciary’s (bank’s) trust and if consent would be required from them as well.

Email Login Based Pull

Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Till now, explicit permission was usually sought before this went ahead, but not always. With the bill in place, email login based scraping would need to be 100% consent-based.

Credit Bureau Access

Lenders are often obligated to share a customer’s personal data with credit bureaus and other third parties while servicing a loan. Under the bill’s provisions, the transactions, details of the companies involved and the justification for this data transfer must be explained by lenders to their customers.

Although credit scoring is a “reasonable purpose exception” in the bill, which allows personal data to be processed without consent, it is not certain whether it also grants an exception from the right to data erasure. The storage of personally identifiable information (PII) implies that a data principal can request that it be completely erased.

Non-Traditional Types Of Data

Bureau companies were previously mandated by the Credit Information Companies (Regulation) Act (CIC Act), which doesn’t allow credit bureaus to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the credit bureaus.

This included default history, size of defaults and repayment time of loans. With an increasing number of data sources, it is yet to be determined whether alternative sources are allowed under the new bill, and how compliance norms would apply to their processing. Potentially, such sources could be:

  1. Google Places/ Yelp
  2. Payment processors
  3. Ecommerce platforms
  4. Shippers

Privacy By Design

The bill mandates every data fiduciary to build a robust privacy system for storing and processing personal data. A data protection system should be implemented from the outset. This “Privacy by Design” policy is a mandatory requirement and must be certified by the Data Protection Authority. The policy must be published on the organisation’s and the authority’s websites.

Penalties

Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintech companies and banks to start preparing for these compliance measures.

Dissent From Lenders

The bill in its current form recognises all forms of personal financial data as ‘sensitive personal data’. This definition of sensitive personal data in the bill is restrictive and brings up concerns for lenders. The Digital Lenders Association of India (DLAI) had submitted recommendations to reduce potential restrictions that the bill enforces.

To make the lending process less prone to frauds, lenders need to access aspects of consumer data. This includes credit history, financial position and some alternative data of customers. Under the current PDP bill’s provisions, this process would become tedious. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.

Conclusion

The banking and fintech industry needs a clear compliance checklist. There is a dearth of understanding when it comes to how the current bill will affect compliance for data-centric processes like lending. This is because specific norms have not been released for the fintech space yet. The RBI and the government will need to come up with guidelines for the sector to ensure that function and compliance are not at odds.
