Why the fintech ecosystem needs clear data laws to thrive
By Rajat Deshpande CEO & Co-Founder, FinBox
Let’s face it: our entire digital footprint in the form of data is out there in the big, wide world for anyone to access. Be it the targeted advertising that follows us around on social media or the mass of spam calls we receive, most of us have reluctantly accepted this paradigm of having little or no control over our data.
But the problems magnify when it comes to financial services. Misuse of data can lead to fraud, identity theft and massive financial damage for consumers in the sector, while a lax privacy structure can put banks, fintechs and other players out of business.
Indian banks witnessed 248 successful data breaches between June 2018 and March 2022. A majority of them were credit card data related. These numbers are simply a reflection of India’s underequipped banking and financial infrastructure for data protection. However, cyber breaches fall under the extreme end of the spectrum of online privacy breaches. In most cases, data is often compromised as soon as it enters the online space.
But that does not stop us from hoping that there will be strict rules. And why not? In an ideal world, we the public (or data commissioners in technical law speak) are the rightful owners of our data.
For years, the hope for a solid framework for data protection was linked to the proposed data protection law in 2019. But in early August, the central government withdrew the bill, promising a more comprehensive replacement. There is no doubt that a robust law is the need of the hour, not only to regulate the use of this data, but also to empower customers and businesses in good faith to make ethical and legal choices when it comes to utilizing this data.
A small online transaction, a giant leap for computer users
Any digital user who shops online always shares their data with multiple parties – some visible and others, not so much. For example, a simple e-commerce transaction provides data access for the merchant, the banks of both transaction parties, card network processors and possibly FinTech companies at the back end. Add more frills to an e-transaction, like an EMI payment or a direct purchase on social media, and the number of data users continues to grow.
The sharing of information does not stop there. In the absence of a clear regulatory regime for financial data, it is impossible for consumers or even regulators to be sure that the data is handled carefully, anonymized, encrypted and most importantly, not leaked to anyone who has no right to receive access to them. .
However, there are measures that regulatory bodies have taken to protect user data. For example, RBI’s push to tokenize card details on merchant websites helps protect user data to some extent. While such moves are a step in the right direction, India still has a long way to go when it comes to giving data principals control over their own information.
The rise of FinTechs and the lack of regulation
The last decade has seen an increase in digital transactions and with it a mushrooming of FinTech companies. EY reported that FinTech funding saw a 3X jump in 2021! While the government has encouraged this growth and the innovation that came with it, the regulation of this nascent but fast-growing industry remains fragmented, with no set framework to guide it. After all, formulating effective regulations for FinTech requires in-depth knowledge and a nuanced understanding of technology and its impact. This requires a regulatory body that takes into account three crucial aspects of FinTech: technology, financial institutions and data.
The nascent sector is often touted as the herald of innovation, but also written off for the lack of regulatory oversight. This is a conundrum that needs to be fixed with clear laws and guidelines that both set car protection for the entire sector and ensure that good actors can participate in innovative thinking without having to worry about exceeding their limits when it comes to utilizing data for use cases such as e.g. lending, asset management, consultancy and other areas.
Banks and their file on privacy
RBI regulations – which primarily govern banks and lenders – have yet to draft comprehensive data protection rules that address important aspects of privacy. While the new digital lending guidelines have held regulated entities accountable for storing and protecting data, there are no definitive guidelines against cross-selling information.
The privacy issue in the banking sector also goes beyond online activity. That is the often overlooked problem with data in physical form. Older institutions still have a fair amount of paperwork involved. For example, introducing a new customer requires paper applications and proof of identity. What happens to these physical pieces of sensitive information when they are fed into online systems? These small nuances of data protection can only be addressed when mapping the intricate journey of private data, end-to-end.
Conclusion
With the lack of all-encompassing data legislation today, responsibility for information sharing and protection currently rests with individuals. The measures, if any, are little known and expect citizens to go the extra mile – an impractical task in a country with over 900 million internet users. A robust privacy law is essential – it was needed yesterday. The government has promised a more comprehensive privacy rule instead of the privacy bill. Here’s hoping that these new regulations are watertight, take a privacy-first approach, and – above all – serve citizens’ interests.
