As laws to protect personal data are debated, rejected, and adopted across the globe, individuals are becoming aware of their data rights. Data privacy has become a competitive differentiator, with consumers preferring to engage with organizations that give them some measure of control over their data. If that wasn't enough, India is set to pass a regulation governing personal data this year.
The context for compliance
Going by the Personal Data Protection Bill 2019, which is expected to be passed soon, lending is an area that is bound to be affected by a combination of compliance clauses. Data is central to the lending operation. Lenders collect, process and analyze a host of customer data throughout the lifecycle of a loan. This helps the loan-granting entity gauge risk and offer personalized services adapted to the individual's needs.
To remain compliant, these data fiduciaries must understand the compliance norms and the rights of the data principals. This blog explores the data rights that translate into areas of compliance across the lending process.
The primary rights which affect compliance for lenders are explained below:
These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, here is my take on the PDP’s impact on compliance:
1. KYC process
The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required for this are (a) identity proof and (b) address proof. This is already a consent-based process.
The clauses that have some bearing on this step are:
- Storage Limitation: once the purpose of processing is served, i.e. after the loan has been repaid, the data principal can request the erasure of the KYC data. The bill allows retention beyond that point only where the principal has explicitly consented to it or where another law mandates it, so lenders need to map their KYC retention periods against both the bill and their existing record-keeping obligations.
- Data Portability: with eKYC and Video KYC being adopted, automated processing is becoming common. Where personal data is processed by automated means, the data fiduciary must be able to hand the data back to the data principal, on request, in a structured, commonly used and machine-readable format.
2. Credit Underwriting
A number of data sources are inspected as a part of the credit underwriting process. These can be divided into:
a. Public sources
This includes news articles about a customer, public social media profiles etc. The bill lists the processing of publicly available personal data among the "reasonable purposes" that may be permitted without consent, so this category carries a lighter compliance burden. It is still personal data, though: purpose limitation, storage limitation and security safeguards continue to apply, so lenders cannot treat it as entirely outside the bill.
b. Private sources
There are a number of private sources that can be tapped for credit underwriting. Here we discuss a few of them that raise compliance concerns.
i. SMS reading
This relatively new method of credit assessment, in which the lender's app reads transaction alerts and other messages from the applicant's SMS inbox, would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties to the SMS exchange, since the messages also contain the sender's personal data.
ii. Bank login based pull
To evaluate a person's financial history, lenders perform a bank-login-based pull: the applicant hands over net-banking credentials so that the lender (or a third party acting for it) can log in and extract account statements. Apart from the fact that explicit consent is required to access this data source, the question here is whether this would be a breach of the bank's position as a data fiduciary and if consent would be required from the bank as well. From a security standpoint, sharing login credentials with a third party is itself a concern and is typically prohibited by the bank's own terms of use.
iii. Email login based pull
Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Until now, explicit permission was usually sought before going ahead with this, but not always. With the bill in place, email-login-based scraping would need to be fully consent-based, with explicit consent wherever the mailbox yields financial or other sensitive personal data.
3. Credit Bureau Access
To ensure effective debt management, lenders share a customer's personal data with credit bureaus and other third parties when servicing a loan. The transfers, the details of the companies involved and the justification for each data transfer must be explained to customers. Although credit scoring is listed as a "reasonable purpose" in the bill, which allows personal data to be processed without consent, it is not certain whether this also grants an exception from the right to erasure. As long as personally identifiable information (PII) is stored, a data principal can request that it be completely erased.
4. Non-traditional types of data
Credit bureaus are governed by the Credit Information Companies (Regulation) Act, 2005 (CIC Act), which does not allow them to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the bureaus. This included default history, size of defaults and repayment time of loans. With an increasing number of data sources, it is yet to be determined whether alternative sources are allowed under the new bill, and how compliance norms would apply to their processing. Potentially, such sources could be:
a. Google Places/ Yelp
b. Payment processors
c. E-commerce platforms
Privacy by design
The bill mandates that every data fiduciary build a robust privacy system for storing and processing personal data. A data protection system should be implemented from the outset rather than bolted on later. Every data fiduciary must prepare a "Privacy by Design" policy; the policy may be submitted to the Data Protection Authority for certification, and a certified policy is to be published on both the organization's and the Authority's website.
Non-compliance attracts a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary's total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintechs and banks to start preparing for these compliance measures.
Dissent from lenders
The bill in its current form classifies all financial data as "sensitive personal data", which attracts the strictest requirements, including explicit consent for processing. This definition is broad and brings up concerns for lenders. The Digital Lenders Association of India (DLAI) has submitted recommendations to reduce the restrictions that the bill would impose. To make the lending process less prone to fraud, lenders need access to aspects of consumer data: credit history, financial position and some alternative data of customers. With the bill as it stands, obtaining this would become tedious. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.
The banking and fintech industry needs a clear compliance checklist. There is a dearth of understanding when it comes to how the current bill will affect compliance for data-centric processes like lending. This is because specific norms have not been released for the fintech space yet. The RBI and the government will need to come up with guidelines for the sector to ensure that function and compliance are not at odds.
Signzy is an AI-powered RPA platform for financial services. No matter how complex your workflow or operations, Signzy can completely automate your back-office decision-making process into a real-time API. This is possible through a combination of Nebula, our no-code AI model builder, and our Fintech API Marketplace of over 200 APIs. Today we work with over 90 FIs globally, including the 4 largest banks in India and a top-3 acquiring bank in the US. Globally we have a strong partnership with MasterCard and offices in New York and Dubai to serve our customers in those two geographies. Our product team of 120+ people is building a global AI product out of Bangalore.