Data Privacy Legal Framework Pertaining to Fintech
Prof. (Dr.) P. Sree Sudha, LL.D (NLSIU)
Damodaram Sanjivayya National Law University (DSNLU), Vishakhapatnam. Mobile: 9493425612, Mail id: sreesudha@dsnlu.ac.in

Outline
▪ Data Empowerment and Protection Architecture for Fintech
▪ Data Protection Bill 2019 & Fintech Industry
▪ Data Localization and Cross Border Data Transfers
▪ Unified Payment Interface (UPI)
▪ RBI Guidelines on Regulation of Payment Aggregators ('PA') and Payment Gateways ('PG') ('the Guidelines') 2020
▪ Data-sharing among financial services providers (FSPs) 2021

An overview of the FinTech ecosystem
▪ Telecom Regulatory Authority of India (TRAI) data shows 726 million digital users as of September 2020, a 278% growth over September 2016. The increase is driven by mobile internet users, who account for more than 95% of total internet users.
▪ India is the 3rd largest FinTech ecosystem globally.
▪ The Indian FinTech market, currently valued at $31 Bn, is expected to grow to $84 Bn by 2025, a CAGR of 22%.
▪ While Payments and Alternative Finance constituted more than 90 percent of the sector's investment flows in 2015, investment has since shifted towards a more equitable distribution across sectors.
▪ In 2020, FinTech SaaS and InsurTechs saw total investments of $145 Mn and $215 Mn respectively, a 4-5X growth over their 2015 funding flow.
▪ Amongst India's 50+ FinTechs valued at more than $100 Mn, there are 4 Wealth and Broking FinTechs, 5 InsurTechs and 8 SaaS FinTechs.
▪ UPI is expected to grow significantly, with domestic and international players (Paytm, Walmart and Google) continuing to dominate the segment and investing heavily in payments infrastructure.
▪ Neo-banks are emerging as a key growth segment, with over 15 Neo-banks currently in India, several of them under development or in beta. Several private banks are partnering with these FinTechs to explore synergies and better means of service delivery.
What is Fintech
▪ The Oxford dictionary defines it as "Computer programs and other technology used to support or enable banking and financial services."
▪ Fintech is a technical tool to support financial services, making them simple for everyone, and promotes the idea of "Financial Services as a basic right for every human being".

Scope of fintech
▪ Fintech has revolutionized many different markets, most notably the banking, trading, insurance and risk management industries.
▪ Fintech companies, which include startups, technology companies and established financial institutions, utilize emerging technologies such as big data, artificial intelligence, blockchain and edge computing to make financial services more accessible and more efficient.

Personal Data Protection Bill
▪ Applies to the processing of personal data by companies registered in India, foreign companies dealing with personal data of individuals in India, and the Indian Government. The PDP Bill categorizes the data collected into three categories:
▪ Personal data: any data about or relating to a natural person who is directly or indirectly identifiable having regard to any attributes or characteristics of such person (online or offline), including any inference drawn from such data for the purposes of profiling.
▪ Sensitive personal data: a subset of personal data which may reveal, relate to or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.
Additionally, the Central Government, in consultation with the DPA and the sectoral regulators, may notify other categories of personal data as sensitive personal data.
▪ Critical personal data: a subset of personal data comprising such categories of personal data as may be notified by the Central Government.
▪ The PDP Bill requires sensitive personal data and critical personal data to be stored in India.
▪ However, it permits sensitive personal data to be transferred outside India for processing in certain cases, provided that at least a copy of that data continues to be stored in India and the data principal has given explicit consent to the transfer.
▪ Critical personal data can only be stored and processed within India.

Regulatory Foundation
▪ The Supreme Court judgement on the fundamental Right to Privacy (Aug 2017),
▪ the Personal Data Protection Bill (PDP) 2019,
▪ the Justice Srikrishna Committee Report, and (for the financial sector)
▪ the RBI Master Direction on NBFC-Account Aggregators of September 2016.
▪ In the financial sector, the four regulators across banking, securities, insurance and pensions (RBI, SEBI, IRDAI, PFRDA) and the Ministry of Finance have come together to implement this model.
▪ This regulatory foundation is also expected to evolve with time (e.g. with the forthcoming Data Protection Authority) as India's experience and public discourse around data protection and sharing grows richer.

RBI guidelines on the Data Localization Policy
▪ The Reserve Bank of India (RBI) issued a circular dated April 6, 2018, under the Payment and Settlement Systems Act, 2007, directing all authorised Payment System Operators (PSOs) in India to ensure that data relating to payment systems, such as customer data, payment-sensitive data, payment credentials and transaction data, is stored only in India.
▪ All payment firms, including American Express, Mastercard, Visa, PayPal, Google Pay, WhatsApp Pay, Paytm and PhonePe, must adhere to the RBI's data localization rule.
▪ The RBI also required system providers to give it unfettered supervisory access to all data on the complete end-to-end transaction details collected, carried or processed as part of the message or payment instruction, and to demonstrate compliance by submitting a System Audit Report (SAR) prepared by a CERT-In empanelled auditor.

Latest position on data localization
▪ The RBI reiterated its stand by issuing a circular stating that from April 1, 2021, all payment system operators must submit, on a half-yearly basis, a compliance certificate signed by their CEO or Managing Director confirming adherence to the RBI's regulations on securing payments data.
▪ This again reflects the RBI's continuous intervention in securing and monitoring payments data to avoid future risks to the country. With the advancement of the digital economy, financial data security is a must for the country's economic growth and development.

Why hasn't banking transformed in the way that e-commerce has transformed in the last decade?
▪ Banking is a heavily regulated domain.
▪ Granting a banking licence is in the hands of the RBI. The last licences for new banks were awarded in 2015 to IDFC (now IDFC First) and Bandhan Bank, after a gap of 15 years. Private banking is a market with limited players and a high barrier to entry.
[Slide figure: "Bundling of services" versus "Unbundling of a bank"]
▪ The Unified Payments Interface (UPI), introduced as public infrastructure in 2016, changed the game for good.
▪ UPI is a real-time payment system that facilitates interbank transfer of money in the most seamless way possible. Because UPI was developed as public infrastructure, third-party developers (GPay, PhonePe etc.) could build a superior user experience, which resulted in a huge uptick in the adoption of digital payments and gave rise to a range of use cases that did not exist before.
▪ To put things in perspective, UPI has been consistently clocking more than 1 billion transactions a month in India.
▪ A huge part of this success is attributed to the demonetisation of November 2016.

How UPI works
▪ UPI builds on existing systems, such as the Immediate Payment Service (IMPS) and the Aadhaar Enabled Payment System (AEPS), to ensure seamless settlement across accounts.
▪ It facilitates push (pay) and pull (collect/receive) transactions and also works for over-the-counter or QR/barcode payments, as well as for recurring payments such as utility bills, school fees and other subscriptions.
▪ Once a single identifier (a UPI ID, or virtual payment address) is established, payments can be made from a mobile without using credit or debit cards, net banking, or entering account details. This not only keeps sensitive account information out of the payment flow but lets people with bank accounts and smartphones carry out hassle-free transactions.
▪ Overall, UPI means fewer cash transactions and potentially reduces the unbanked population.

Privacy guidelines and UPI
A privacy policy for a UPI-based service should cover:
(1) Privacy and security of the website
(2) Collection of information
(3) Storage of information
(4) Use of cookies
(5) Protection of information
(6) Breach of privacy policy

RBI Guidelines on Regulation of Payment Aggregators ('PA')
▪ Payment Aggregators are "entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own."

Payment Gateways ('PG') ('the Guidelines') 2020
▪ Payment Gateways are defined as "entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds."
▪ The RBI issued the Guidelines under the power vested in it by section 18 read with section 10(2) of the Payment and Settlement Systems Act 2007 (the "PSS Act").
▪ The PSS Act was enacted to ensure a secure, accessible and efficient system of payments and settlement.

Position before the Guidelines
▪ Prior to the Guidelines, payment service providers who facilitated electronic payments between users and online merchants were classified as 'intermediaries'.
▪ Intermediaries were regulated under the RBI's 'Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries' ('the 2009 Directions'), dated 24 November 2009.
▪ There was no licensing regime for intermediaries under the 2009 Directions; instead, intermediaries were regulated indirectly by the RBI via the banks they worked with. The Guidelines are expected to replace the regime under the 2009 Directions in a phased manner.

Payment aggregators
▪ Existing payment aggregators must apply for authorisation on or before 30 June 2021 and achieve a net worth of INR 150 million (approx. €1.7 million) by the date of their application or 31 March 2021, whichever is earlier.
▪ A further requirement of a net worth of INR 250 million (approx. €2.9 million) must be met by 31 March 2023, the end of the third financial year.
▪ New entities that wish to commence payment aggregator activities require authorisation from the RBI before doing so.

Monetization of Data
▪ Other banking products such as loans, insurance and investments are waiting to be disrupted.
▪ Since most of an individual's financial data has been locked within a bank, it has been challenging to build innovative financial products unless the bank itself decides to build them.
A financial institution decides to provide credit to an individual based on two factors:
▪ Ability to repay the loan
▪ Intent to repay the loan

Account Aggregators
▪ The Account Aggregator (AA) framework is the first application of this approach to unlocking value from personal data.
▪ The AA framework creates a well-defined and secure mode for users to share their personal financial data with other eligible entities.
▪ At the heart of the AA framework is a robust consent system that allows users to pick and choose the type of data they share and the entities who can access it.

Data Sharing under AA
▪ Account Aggregators are built as digital public infrastructure that allows individuals to share their own financial data from one party to another with their consent.

How do account aggregators work?
A UPI transaction, by comparison, involves three parties:
▪ Originator bank: the bank from which the money is debited
▪ Destination bank: the bank to which the money is transferred
▪ UPI app: the mobile application that enables the transaction (for example PhonePe, Google Pay, BHIM)
Under the account aggregator framework, data sharing is likewise enabled by three main entities:
▪ Financial information provider (FIP): the entity that holds your data (banks, Income Tax department, GST, AMCs etc.)
▪ Financial information user (FIU): the organisation that requests your data (a FinTech app, a digital lender etc.)
▪ Account aggregator (AA): an RBI-licensed entity that enables this data sharing (mostly an app or a website)

Future of Data Sharing
▪ Consented data sharing under AA allows any third-party app to securely receive a user's data, which in turn gives rise to a range of new use cases. Imagine an Uber driver being able to get a loan through the ride-hailing app by sharing their bank account statement, instead of walking to a bank. The possibilities are endless.

What data can be shared?
▪ An Account Aggregator allows a customer to transfer their financial information pertaining to various accounts, such as bank deposits, equity, mutual funds and pension funds, to any entity requiring access to such information.
▪ There are 19 categories of information that fall under 'financial information', besides various other categories relating to banks.
▪ "Financial Assets" means:
▪ bank deposits, including fixed deposits, savings deposits, recurring deposits and current deposits; deposits with NBFCs; Structured Investment Products (SIP); Commercial Paper (CP); Certificates of Deposit (CD); Government Securities (tradable); equity shares; bonds; debentures; mutual fund units; ETFs; Indian Depository Receipts; CIS (Collective Investment Schemes) units; Alternate Investment Fund (AIF) units; insurance policies; balances under the National Pension System (NPS); units of Infrastructure Investment Trusts; units of Real Estate Investment Trusts; and any other asset as may be identified by the Bank for the purposes of these directions, from time to time. Together these span banking and investments.

Can an AA see or store data?
▪ Data transmitted through the AA is encrypted end to end between the FIP and the FIU; the AA is designed to be data-blind and merely relays it.
▪ AAs are not allowed to store, process or sell the customer's data. No financial information accessed by the AA from an FIP should reside with the AA.
▪ An AA should not use the services of a third-party service provider for undertaking the business of account aggregation.
▪ The AA shall not access the user authentication credentials of customers relating to their accounts with the various FIPs.

Conclusion
The World Economic Forum lists the following emerging privacy-enhancing technologies (PETs):
▪ Differential privacy: calibrated noise is added to the output of an analytical system so that the result reveals almost nothing about any single individual's input, and the individual inputs cannot be reverse-engineered.
▪ Federated analysis: parties share the insights from their analysis without sharing the underlying data.
▪ Homomorphic encryption: data is encrypted before it is shared, in such a way that computations can still be carried out on the ciphertext without decrypting it into the original information.
▪ Zero-knowledge proofs: a user can prove knowledge of a value (or that a statement about it holds) without revealing the value itself.
▪ Secure multiparty computation: data analysis is spread across multiple parties such that no individual party sees the complete set of inputs.
▪ Data privacy and cybersecurity will be an increasing risk as FinTech is used for financing. Policies regarding accuracy and reliability, accountability, consent, consumers' rights, data collection, security and transparency will need to be explored through a gender lens for an iron-clad policy framework.

Questions?
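The consent-gated, data-blind relay described under "How do account aggregators work?" and "Can an AA see or store data?", as an added worked example. This is not code from the presentation or from the NBFC-AA / ReBIT specifications: it assumes finite-field Diffie-Hellman over the RFC 3526 group 14 MODP group for key agreement and an HMAC-SHA256 keystream with encrypt-then-MAC for the record layer (standard library only, so it runs offline), and the consent artefact, entity names and bank statement are constructed for the example. The production ecosystem fixes its own key-exchange and AEAD profile; what carries over is the property being demonstrated: the FIP releases nothing outside the consent scope, and the AA forwards ciphertext it holds no key for.

```python
"""Consent-gated, end-to-end encrypted data pull through an Account Aggregator.

Added illustration; not code from the presentation or the NBFC-AA / ReBIT specs.
Assumed profile: finite-field DH over RFC 3526 group 14, HMAC-SHA256 keystream with
encrypt-then-MAC, HKDF-SHA256 key derivation. CONSENT and STATEMENT are constructed
sample data. The AA never holds a private key, so it relays ciphertext it cannot open.
"""
import hashlib
import hmac
import json
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2  # generator of the RFC 3526 group 14 MODP group

def dh_keypair():
    """Ephemeral DH key pair; a 256-bit exponent is ample for a 2048-bit group."""
    priv = secrets.randbelow(2**256 - 2) + 2
    return priv, pow(G, priv, P)

def derive_keys(shared, consent_id):
    """HKDF-SHA256 (RFC 5869, one output block each), salted with the consent id."""
    prk = hmac.new(hashlib.sha256(consent_id.encode()).digest(),
                   shared.to_bytes(256, "big"), hashlib.sha256).digest()
    expand = lambda info: hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    return expand(b"aa-enc"), expand(b"aa-mac")

def _keystream(k_enc, nonce, n):
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _mac(k_mac, nonce, aad, ct):
    return hmac.new(k_mac, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()

def seal(keys, plaintext, aad):
    k_enc, k_mac = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + _mac(k_mac, nonce, aad, ct)

def unseal(keys, blob, aad):
    k_enc, k_mac = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(k_mac, nonce, aad, ct)):
        raise ValueError("authentication failed: wrong key or tampered envelope")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))

CONSENT = {"consentId": "c-1001", "status": "ACTIVE", "fiu": "lender-app", "fip": "bank-a",
           "fiTypes": ["DEPOSIT"], "from": "2021-01-01", "to": "2021-03-31",
           "purpose": "loan underwriting"}          # constructed consent artefact held by the AA
STATEMENT = {"fiType": "DEPOSIT", "maskedAccount": "XXXX4321",
             "txns": [{"date": "2021-02-01", "amount": 45000.0, "narration": "SALARY"},
                      {"date": "2021-02-09", "amount": -1299.0, "narration": "UPI/PhonePe"}]}

def aa_relay(consent, request):
    """The AA checks the request cites a consent it issued and that it is still ACTIVE,
    then forwards it unchanged. It holds no private key, so it can never read the reply."""
    if request["consentId"] != consent["consentId"] or consent["status"] != "ACTIVE":
        raise PermissionError("AA: unknown or revoked consent")
    return dict(request)

def fip_authorises(consent, req):
    """FIP-side gate: FI type and date range must lie inside the consent scope (ISO dates sort as text)."""
    return (req["consentId"] == consent["consentId"] and consent["status"] == "ACTIVE"
            and req["fiType"] in consent["fiTypes"]
            and consent["from"] <= req["from"] and req["to"] <= consent["to"])

def fip_respond(consent, req, statement):
    if not fip_authorises(consent, req):
        raise PermissionError("FIP: data request outside consent scope")
    fip_priv, fip_pub = dh_keypair()
    keys = derive_keys(pow(req["fiuPublicKey"], fip_priv, P), req["consentId"])
    aad = json.dumps({"consentId": req["consentId"], "fipPublicKey": fip_pub}, sort_keys=True).encode()
    return {"consentId": req["consentId"], "fipPublicKey": fip_pub,
            "ciphertext": seal(keys, json.dumps(statement).encode(), aad).hex()}

def fiu_open(envelope, fiu_priv):
    keys = derive_keys(pow(envelope["fipPublicKey"], fiu_priv, P), envelope["consentId"])
    aad = json.dumps({"consentId": envelope["consentId"],
                      "fipPublicKey": envelope["fipPublicKey"]}, sort_keys=True).encode()
    return json.loads(unseal(keys, bytes.fromhex(envelope["ciphertext"]), aad))

def run_flow(fi_type="DEPOSIT", req_from="2021-02-01", req_to="2021-02-28"):
    """One pull: FIU -> AA -> FIP -> AA -> FIU. Returns the FIU's plaintext and the AA's full view."""
    fiu_priv, fiu_pub = dh_keypair()
    request = {"consentId": CONSENT["consentId"], "fiType": fi_type,
               "from": req_from, "to": req_to, "fiuPublicKey": fiu_pub}
    envelope = fip_respond(CONSENT, aa_relay(CONSENT, request), STATEMENT)
    aa_view = json.dumps(request) + json.dumps(envelope)  # everything that ever passes the AA
    return {"fiu_view": fiu_open(envelope, fiu_priv), "aa_view": aa_view}

def request_is_denied(**kwargs):
    """True when a pull with these parameters is refused by the AA or the FIP."""
    try:
        run_flow(**kwargs)
        return False
    except PermissionError:
        return True
```

Calling `run_flow()` returns the decrypted statement on the FIU side and, for inspection, the concatenation of everything that transited the AA: the consent id, two public keys and hex ciphertext, with no account data in the clear. Widening the date range (`run_flow(req_to="2021-06-30")`) or asking for an FI type the user never approved is refused at the FIP before any encryption happens, which is the consent-scope check the Master Direction expects the data holder, not only the AA, to enforce.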
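Two of the PETs listed in the conclusion, secure multiparty computation and differential privacy, shown together in working form. This is an added example, not material from the presentation or the World Economic Forum report; the scenario (three lenders pooling their private default counts) and the parameter values are constructed, and the seeded random generator is used only so that the demo is reproducible.

```python
"""Additive secret sharing (MPC) followed by the Laplace mechanism (differential privacy).

Added example; not material from the presentation or the WEF report. Constructed scenario:
three lenders each hold a private count of defaulted loans and want the sector-wide total.
MPC gives the exact total while no lender sees another's count; the released figure then
carries Laplace noise so that adding or removing one borrower's record barely changes it.
"""
import math
import random

MOD = 2**64  # shares live in Z_MOD; any modulus larger than the true total works

def split(value, n, rng):
    """Additive secret sharing: n-1 uniformly random shares plus one that fixes the sum.
    Any n-1 of the shares are uniform and carry no information about `value`."""
    shares = [rng.randrange(MOD) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares

def mpc_sum(inputs, rng=None):
    """Party i splits its input among all n parties; party j adds up the share of every
    input it received; the n local sums reconstruct only the total, never an input."""
    rng = random.SystemRandom() if rng is None else rng
    n = len(inputs)
    dealt = [split(v, n, rng) for v in inputs]      # dealt[i][j]: share of input i given to party j
    local = [sum(dealt[i][j] for i in range(n)) % MOD for j in range(n)]
    return sum(local) % MOD

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample by inverse-CDF transform of a uniform in (0, 1)."""
    u = rng.random()
    while u == 0.0:          # avoid log(0) at the closed end of [0, 1)
        u = rng.random()
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def dp_release(total, epsilon, sensitivity=1, rng=None):
    """epsilon-DP Laplace mechanism. For a count, one record moves the total by at most 1,
    so sensitivity=1 and the noise scale is sensitivity / epsilon."""
    rng = random.SystemRandom() if rng is None else rng
    return total + laplace_noise(sensitivity / epsilon, rng)

def run_demo(counts=(120, 45, 300), epsilon=1.0, seed=7):
    """Returns (exact total via MPC, noisy total released under epsilon-DP)."""
    rng = random.Random(seed)  # seeded only for a reproducible demo; use SystemRandom in practice
    exact = mpc_sum(list(counts), rng)
    return exact, dp_release(exact, epsilon, rng=rng)
```

The two techniques address different adversaries: secret sharing protects each lender's input from the other participants during the computation, while the Laplace noise protects individual borrowers from whoever reads the published total. A smaller `epsilon` gives stronger privacy at the cost of a noisier figure, and the mechanism is only meaningful if the same total is not released repeatedly with fresh noise each time.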