
Data Privacy Legal Framework Pertaining to Fintech

Prof. (Dr.) P. Sree Sudha, LL.D (NLSIU)


Damodaram Sanjivayya National Law University(DSNLU) Vishakhapatnam
Mobile: 9493425612, Mail id: sreesudha@dsnlu.ac.in
Outline
▪ Data Empowerment and Protection Architecture for Fintech
▪ Data Protection Bill 2019 & Fintech Industry
▪ Data Localization and Cross Border Data Transfers
▪ Unified Payment Interface (UPI)
▪ RBI Guidelines on Regulation of Payment Aggregators ('PA')
▪ Payment Gateways ('PG') ('the Guidelines') 2020
▪ Data-sharing among financial services providers (FSPs) 2021
An overview of the FinTech ecosystem
▪ Telecom Regulatory Authority of India (TRAI) data show that there were 726 million digital users as of September 2020, an impressive 278% growth from September 2016. The increase is driven by mobile internet users, who account for more than 95% of total internet users.
▪ India has the 3rd largest FinTech ecosystem globally.
▪ The Indian FinTech market, currently valued at $31 Bn, is expected to grow to $84 Bn by 2025, at a CAGR of 22%.
▪ While the Payments and Alternative Finance segments constituted more than 90 percent of the sector's investment flows in 2015, there has since been a major shift towards a more equitable distribution of investment across sectors.
▪ In 2020, FinTech SaaS and InsurTechs saw total investments of $145 Mn and $215 Mn respectively, representing a 4-5X growth over their 2015 funding flow.
▪ Amongst India's 50+ FinTechs with more than $100 Mn valuation, there are 4 Wealth and Broking FinTechs, 5 InsurTechs and 8 SaaS FinTechs.
▪ UPI is expected to grow significantly, with domestic and international players (Paytm, Walmart and Google) continuing to dominate the segment and focusing heavily on developing the payments infrastructure through investments.
▪ Neo-banks in India are emerging as a key segment for growth, with over 15 Neo-banks currently in India, several of them under development or in beta stages. The segment has been growing steadily, with several private banks partnering with these FinTechs to explore synergies and better means of service delivery.
What is Fintech
▪ The Oxford dictionary defines fintech as "computer programs and other technology used to support or enable banking and financial services."
▪ Fintech is "a technical tool to support financial services", making them simple for everyone on the planet while promoting the idea of "financial services as a basic right for every human being".
Scope of fintech
▪ Fintech has revolutionized many different markets, most notably the banking, trading, insurance and risk management industries.
▪ Fintech companies, which include startups, technology companies and established financial institutions, utilize emerging technologies such as big data, artificial intelligence, blockchain and edge computing to make financial services more accessible and more efficient.
Personal Data Protection Bill
▪ The PDP Bill applies to the processing of personal data by companies registered in India, foreign companies dealing with the personal data of individuals in India, and the Indian Government. The PDP Bill categorizes the collected data into three categories:
▪ Personal data - any data about or relating to a natural person who is directly or indirectly identifiable, having regard to any attributes or characteristics of such person (online or offline), and includes any inference drawn from such data for the purposes of profiling.
▪ Sensitive personal data - a subset of personal data which may reveal, relate to or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation. Additionally, the Central Government, in consultation with the DPA and the sectoral regulators, may notify other categories of personal data as sensitive personal data.
▪ Critical personal data - a subset of personal data that will include such categories of personal data as may be notified by the Central Government.
▪ The PDP Bill proposes that sensitive personal data and critical personal data be stored in India.
▪ However, it permits sensitive personal data to be transferred outside India for processing in certain cases, provided that at least a copy of that data continues to be stored in India and explicit consent has been obtained for the transfer.
▪ Critical personal data, by contrast, can only be stored and processed within India.
Regulatory Foundation
▪ Supreme Court judgement on the fundamental Right to Privacy (Aug 2017)
▪ the Personal Data Protection Bill (PDP) 2019
▪ Justice Srikrishna Committee Report, and (for the financial sector)
▪ the RBI Master Direction on NBFC-Account Aggregators of September 2016.
▪ In the financial sector, four regulators across banking, securities, insurance, and pensions (RBI, SEBI, IRDAI, PFRDA) and the Ministry of Finance have come together to implement this model.
▪ This regulatory foundation is also expected to evolve with time (e.g. with the forthcoming Data Protection Authority) as India's experience and public discourse around data protection and sharing grows richer.
RBI guidelines on the Data Localization Policy
▪ The Reserve Bank of India (RBI) issued a circular dated April 6, 2018, under the Payment and Settlement Systems Act, 2007, requiring all authorized Payment System Operators (PSOs) in India to ensure that data related to payment systems, such as customer data, payment-sensitive data, payment credentials, and transaction data, is mandatorily stored within India itself.
▪ All payment firms, including American Express, Master Card/Visa, PayPal, Google Pay, WhatsApp Pay, Paytm, and PhonePe, must adhere to the RBI's data localization rule. Subsequently, the RBI required system providers to give it unfettered access to all data on complete end-to-end transaction details/information collected, carried or processed as part of the message/payment instruction, by submitting a System Audit Report (SAR) conducted by CERT-In.
Latest position on data localization
▪ The RBI reiterated its stand on data privacy by issuing a circular stating that from April 1, 2021, all payment system operators must submit, on a half-yearly basis, a compliance certificate duly signed by their CEOs or Managing Directors confirming adherence to the RBI's regulations on securing payments data.
▪ This again shows the RBI's continuous intervention in securing and monitoring the data to avoid any future risks to the country. With the advancements in the digital economy, financial data security is a must for the country's economic growth and development.
Why hasn't banking transformed in the way that e-commerce has transformed in the last decade?
▪ Banking is a heavily regulated domain.
▪ Getting a banking licence is in the hands of the RBI. The last licence for a new bank was awarded in 2015 to IDFC (now IDFC First) and Bandhan Bank, after a gap of 15 years. Private banking is a market with limited players and a high barrier to entry.
Bundling of services:
Unbundling of a bank:

▪ Unified Payments Interface (UPI), which was introduced as public infrastructure in 2016, changed the game for good.
▪ UPI is a real-time payment system that facilitates the interbank transfer of money in the most seamless way possible. Since UPI was developed as public infrastructure, it allowed third-party developers (like Gpay, PhonePe etc.) to build a superior user experience, which resulted in a huge uptick in the adoption of digital payments and gave rise to a range of use cases that did not exist before.
▪ To put things in perspective, UPI has been consistently clocking more than 1 billion transactions in India.
▪ A huge part of this success is attributed to the demonetisation in Oct 2016.
How UPI works
▪ UPI uses existing systems, such as Immediate Payment Service (IMPS) and Aadhaar Enabled Payment System (AEPS), to ensure seamless settlement across accounts.
▪ It facilitates push (pay) and pull (receive) transactions and even works for over-the-counter or barcode payments, as well as for multiple recurring payments such as utility bills, school fees, and other subscriptions.
▪ Once a single identifier is established, the system allows mobile payments to be delivered without the use of credit or debit cards, net banking, or any need to enter account details. This not only keeps sensitive information safer, but also lets people who have bank accounts carry out hassle-free transactions via smartphones.
▪ Overall, UPI implies fewer cash transactions and potentially reduces the unbanked population.
Privacy guidelines and UPI
▪ (1) Privacy & security of website
▪ (2) Collection of information
▪ (3) Storage of information
▪ (4) Use of cookies
▪ (5) Protection of information
▪ (6) Breach of privacy policy
RBI Guidelines on Regulation of Payment Aggregators ('PA')
▪ Payment Aggregators are "entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own."
Payment Gateways ('PG') ('the Guidelines') 2020
▪ Payment Gateways are defined as "entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds."
▪ The RBI issued the present Guidelines under the power vested in it by section 18 read with section 10(2) of the Payment and Settlement Systems Act 2007 (the "PSS Act").
▪ The PSS Act was enacted to ensure a secure, accessible, and efficient system of payments and settlement.
The Guidelines prescribe that
▪ Prior to the Guidelines, payment service providers who facilitated electronic payments between users and online merchants were classified as 'intermediaries'.
▪ Intermediaries were regulated under the RBI's 'Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries' ('the 2009 Directions'), dated 24 November 2009.
▪ There was no licensing regime for intermediaries under the 2009 Directions; instead, intermediaries were indirectly regulated by the RBI via the banks that they were involved with. The Guidelines are expected to replace the regime under the 2009 Directions in a phased manner.
Payment aggregators
▪ Existing payment aggregator entities are required to apply for an authorisation on or before 30 June 2021 and achieve a net worth of INR 150 million (approx. €1.7 million) by the date of their application or 31 March 2021, whichever is earlier.
▪ A subsequent requirement of achieving a net worth of INR 25 million (approx. €290,000) will have to be met over a subsequent 3-year period.
▪ New entities which seek to commence activities of a payment aggregator appear to require an authorisation from the RBI prior to doing so.
Monetization of Data
▪ Other banking products like loans, insurance and investments are waiting to be disrupted.
▪ Since most of the financial data of individuals has been locked within a bank, it has been challenging to build innovative financial products unless the bank itself decides to build them.
A financial institution decides to provide credit to an individual based on two factors:
▪ Ability to repay the loan
▪ Intent to repay the loan
Account Aggregators:
▪ The Account Aggregator (AA) framework is the first application of this approach for unlocking value from personal data.
▪ The AA framework creates a well-defined and secure mode for users to share their personal financial data with other eligible entities.
▪ At the heart of the AA framework is a robust consent system that allows users to pick and choose the type of data they share, and the entities who can access this data.
Data Sharing under AA
▪ The Account Aggregator (AA) framework is built as digital public infrastructure that allows individuals to share their own financial data from one party to another with their consent.
How do account aggregators work?
▪ Originator bank: The bank from which the money needs to be deducted
▪ Destination bank: The bank to which the money is transferred
▪ UPI app: The mobile application which enables this transaction to happen (Example: PhonePe, Google Pay, BHIM etc.)
Under the account aggregator framework, data sharing is enabled by three main entities:
▪ Financial information provider (FIP): Entity that holds your data (banks, Income Tax department, GST, AMCs etc.)
▪ Financial information user (FIU): Organisation that requests your data (Fintech app, digital lender etc.)
▪ Account aggregator (AA): An RBI-licensed entity that enables this data sharing (mostly an app or a website)
Future of Data Sharing:
▪ The consented data sharing under AA allows any third-party app to securely receive users' data, which in turn gives rise to a range of new use cases. Imagine an Uber driver being able to get a loan through their rider app by sharing their bank account statement, as opposed to walking to a bank. The possibilities are endless.
What data can be shared?
▪ Account Aggregator allows a customer to transfer their financial information pertaining to various accounts, such as bank deposits, equity, mutual funds and pension funds, to any entity requiring access to such information.
▪ There are 19 categories of information that fall under 'financial information', besides various other categories relating to banks.
▪ "Financial Assets" means:
▪ bank deposits including fixed deposits, saving deposits, recurring deposits and current deposits; Deposits with NBFCs; Structured Investment Product (SIP); Commercial Paper (CP); Certificate of Deposit (CD); Government Securities (Tradable); Equity Shares; Bonds; Debentures; Mutual Fund Units; ETFs; Indian Depository Receipts; CIS (Collective Investment Schemes) units; Alternate Investment Funds (AIF) units; Insurance Policies; Balances under the National Pension System (NPS); Units of Infrastructure Investment Trusts; Units of Real Estate Investment Trusts; any other asset as may be identified by the Bank for the purposes of these directions, from time to time. Banking and investments.
Can an AA see or store data?
▪ Data transmitted through the AA is encrypted.
▪ AAs are not allowed to store, process or sell the customer's data. No financial information accessed by the AA from an FIP should reside with the AA.
▪ An AA should not use the services of a third-party service provider for undertaking the business of account aggregation.
▪ User authentication credentials of customers relating to accounts with various FIPs shall not be accessed by the AA.
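The FIP/FIU/AA roles, the consent artefact and the "AA relays but cannot read or store" property described in the last three sections, modelled as an added Python example. This is not code from the slides or from the real AA specification; the entity names, consent fields, the FIU-FIP key that bypasses the AA, and the toy SHA-256 stream cipher are constructed simplifications.

```python
import hashlib, hmac, json, secrets, time
def toy_stream_xor(key, nonce, data):
    # Toy SHA-256 counter-mode XOR; stands in for a real authenticated cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AccountAggregator:
    # Issues and verifies consent artefacts; relays ciphertext it cannot read
    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # never shared with FIP/FIU
    def _mac(self, body):
        return hmac.new(self._signing_key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    def issue_consent(self, user, fiu, fip, categories, ttl_s=600):
        # Called only after the user approves the FIU's request in the AA app
        body = {"user": user, "fiu": fiu, "fip": fip,
                "categories": sorted(categories), "exp": int(time.time()) + ttl_s}
        return {"body": body, "mac": self._mac(body)}
    def verify_consent(self, consent):
        ok = hmac.compare_digest(self._mac(consent["body"]), consent["mac"])
        return ok and consent["body"]["exp"] > time.time()
    def relay(self, envelope):
        return envelope  # AA holds no key for envelope["ct"] and stores nothing

class FIP:
    # Data holder (e.g. a bank): releases only the consented categories
    def __init__(self, records):
        self.records = records
    def respond(self, consent, aa, fiu_key):
        if not aa.verify_consent(consent):
            return None  # tampered or expired consent: no data leaves the FIP
        b = consent["body"]
        data = {c: self.records[b["user"]][c] for c in b["categories"]}
        nonce = secrets.token_bytes(16)
        ct = toy_stream_xor(fiu_key, nonce, json.dumps(data, sort_keys=True).encode())
        return aa.relay({"nonce": nonce, "ct": ct})

def fiu_decrypt(envelope, fiu_key):
    return json.loads(toy_stream_xor(fiu_key, envelope["nonce"], envelope["ct"]))

def run_demo():
    aa, fip = AccountAggregator(), FIP({"u1": {"deposits": 12000, "mutual_funds": 3500, "loans": 9000}})
    fiu_key = secrets.token_bytes(32)  # FIU-FIP key (constructed); the AA never receives it
    consent = aa.issue_consent("u1", "lender-app", "bank-a", ["deposits", "mutual_funds"])
    received = fiu_decrypt(fip.respond(consent, aa, fiu_key), fiu_key)
    # Widening the consented scope without fresh consent fails the MAC check at the FIP
    tampered = {"body": {**consent["body"], "categories": ["deposits", "loans"]}, "mac": consent["mac"]}
    return received, fip.respond(tampered, aa, fiu_key)
```

`run_demo()` returns the two consented categories for the FIU and `None` for the widened request, while the AA only ever handles an opaque envelope.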
Conclusion
The World Economic Forum (the Forum) on emerging privacy-enhancing techniques (PETs):
▪ Differential privacy - where noise is added to an analytical system so that it is impossible to reverse-engineer the individual inputs
▪ Federated analysis - where parties share the insights from their analysis without sharing the data itself
▪ Homomorphic encryption - where data is encrypted before it is shared, such that it can still be analysed but not decoded into the original information
▪ Zero-knowledge proofs - where users can prove their knowledge of a value without revealing the value itself
▪ Secure multiparty computation - where data analysis is spread across multiple parties such that no individual party can see the complete set of inputs
▪ Data privacy and cybersecurity will be an increasing risk with the use of FinTech for financing. Policies regarding accuracy and reliability, accountability, consent, consumers' rights, data collection, security, and transparency will need to be explored through a gender lens for an iron-clad policy framework.
Questions????