By Rajat Deshpande, CEO & Co-Founder, FinBox
The interpretation of the term ‘regulation’ is changing in Fintech circles. Once it was regarded with wariness as players considered it a deterrent to creating disruptive and innovative products. But the industry is slowly coming to terms with the fact that it is has become more essential than ever to regulate the sector.
The rising instances of fraud and predatory lending have drawn the attention of the Reserve Bank of India (RBI) and led to a series of regulatory measures that hold regulated entities like banks and NBFC’s, and their unregulated Fintech partners, accountable. As a result, app stores are flagging and eliminating dubious lending apps to protect consumers, their money, and their data. Moreover, entities registered with the RBI and other major financial sector regulators are expecting compliance from their Fintech partners.
Regulatory measures to protect consumers’ data privacy
Over the last few years, the RBI and legislative bodies have rolled out several pieces of regulation to protect consumers and their right to data privacy.
- Digital Personal Data Protection Act
The Digital Personal Data Protection Act requires firms to take a closer look at their data collection and customer consent practices. The Act also covers aspects of data protection like data management in outsourcing arrangements, and data handling throughout the user journey from on-boarding till the time the user concludes their relationship with the platform. - Guidelines on digital lendingThe RBI’s digital lending guidelines assign the responsibility of data privacy to regulated entities. The guidelines place the focus on transparency, mandating that REs provide borrowers with a key fact statement that gives them pertinent information around fees, APRs, and other loan information. They also place the control of data with the user, allowing them to grant and revoke consent to use their data, request deletions, and restrict data disclosure. Data storage is also covered within the ambit of these guidelines and requires Fintech to be compliant with cybersecurity standards.
- Self-regulationThe RBI released a draft framework for self-regulatory organisations within the Fintech sector. One of the primary focuses of these bodies would be to ensure customer protection and data privacy.
Best practices
While regulatory bodies are taking steps to inculcate a culture of data security and protection in the Fintech ecosystem, financial institutions and Fintechs have the duty to employ best practices to incorporate these measures and more.
- Partnerships are critical to the Fintech ecosystem and REs’ technology partners are cognizant of the growing scrutiny around data privacy. It is necessary for Fintechs to create processes and capabilities that facilitate this compliance.
- Fintechs must keep abreast of the latest developments in KYC norms. This would help make KYC for lender-partners seamless, digital. and compliant. For example, the KYC rules are set to change to create a regime of uniform KYC through the Central KYC Records Registry.
- Data usage and storage are critical areas for user data protection. Fintechs must ensure encryption of data in transit, follow rules around data storage, and conduct regular audits to ensure security.
Fostering trust
Compliance with data security measures is no longer an imposition on Fintechs, but an imperative. As regulatory scrutiny mounts, registered entities are required to partner with third parties that are equipped with compliance tools and measures. Moreover, as consumers become more aware of their rights to data privacy and security, it is necessary for Fintechs to incorporate measures to ensure this to gain their trust and confidence. Ultimately, non-compliance with data privacy mandates on Fintechs’ part would result in opportunities missed.