Introduction:
The Reserve Bank of India (“RBI”) has allowed certain non-banks, in addition to banks, to operate in the financial ecosystem for payment processing under the Payment and Settlement Systems Act, 2007 (“PSS Act”). These non-banks typically operate Cross Border Money Transfer (“MTSS”); Prepaid Payment Instruments (“PPI”); Bharat Bill Payment Operating Units (“BBPOU”); White Label ATM Operators (“WLAO”), etc.
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) takes a holistic view of the obligations of financial entities, and payment system providers (“PSPs”) are no exception. In this paper, we discuss the implications of the DPDP Act for the payments sector and the steps that should be taken to address those implications.
Key Provisions:
- Consent Requirements: It should be free, specific, informed, unconditional and unambiguous with clear affirmative action. Consent request to be accompanied or preceded by a Notice informing the user about Personal Data being collected and its purpose.
- Data Processing: Personal data may be processed for lawful purposes for which consent needs to be obtained or for certain legitimate uses.
- Rights and Duties of Data Principal: Data Principals have the right to access, correct, erase and nominate, and to seek grievance redressal. They also have a duty not to impersonate another person, not to suppress material information, not to register frivolous complaints, and to furnish only authentic information.
- Data Fiduciary’s obligations: Personal Data collected should be complete, accurate and consistent. Data Fiduciaries are also obligated to undertake appropriate measures to prevent Data breaches and to inform the Data Protection Board and the affected user in case of a breach.
- Significant Data Fiduciary (“SDF”): Any Data Fiduciary may be classified as an SDF by the Central Government. Such SDFs will have to comply with additional obligations mentioned under the DPDP Act and rules. PSPs are most likely to be classified as SDFs since they deal with large and sensitive Personal Data.
- Cross-Border Data Transfer: The Central Government may restrict transfer of Personal Data by the company to such countries or territories outside India as it may notify from time to time.
- Exemptions: The DPDP Act shall not apply to publicly available Data.
Implications and Next Steps:
In a payment ecosystem, among the other roles played by a PSP as a licensed entity, its role qua the DPDP Act shall be deemed to be that of a Data Processor. The implications and next steps for PSPs are:
- No Click-wrap options: The practice of click-wrap options will no longer be valid, as consent so obtained will have to be free, specific, informed, unconditional and unambiguous with clear affirmative action. PSPs will have to change their consent request mechanism accordingly to ensure the same.
- Where transaction data belongs to a child: Details of transactions where the beneficiary is a child or where the amount is debited from a child’s bank account should be handled with extreme care and additional security precautions must be taken. An internal mechanism will have to be developed to identify such Data Principals and transactions.
- Reporting Data Breach: Any event of Data breach must be reported to the Data Protection Board, the customer, and the bank. PSPs may appoint a reporting officer to detect and report Data breach and develop a pre-defined format for such reporting.
- Access, Correction and Erasure of data: PSPs will be required to provide Data Principals the option to access, correct and erase their Data. A separate portal may be designed to accommodate any request received for the same.
Further, various sectoral regulations are also applicable to PSPs, which they will have to continue to adhere to, in addition to the DPDP Act. The implications of the same are as follows:
- Cross-border transfers: The DPDP Act does not restrict cross-border transfer of Data, except to countries notified by the Central Government. However, the RBI requires all system providers to ensure that their entire data is stored in a system only in India. Therefore, cross-border transfer of Data by PSPs is not permitted.
- Audit Requirements: Under the DPDP Act, only SDFs are required to carry out periodic audits and appoint an independent data auditor to carry out data audit. However, all Payment Aggregators are required to submit a system audit report, including a cyber security audit conducted by CERT-In empanelled auditors. It will have to be seen whether the same report can serve the purpose of data audit and cyber security audit or separate reports will be required.
- Security and Risk Management: The DPDP Act requires Data Fiduciaries to implement technical and organisational measures and to take reasonable security safeguards to prevent Data breaches. In addition, the Master Directions issued by the RBI for PPIs require them to put in place a Board-approved Information Security policy and various other security mechanisms such as two-factor authorization, a cap on the number and amount of transactions in a day, an alert mechanism, etc. Therefore, PSPs will have to implement additional security mechanisms.
- Grievance Redressal: Data Fiduciaries are required to provide readily available means of grievance redressal and to respond to grievances within a prescribed time limit. In this respect, the sectoral regulations under the RBI guidelines for BBPOUs and the Master Directions for PPIs require them to have a centralized complaint management system which allows tracking of the status of complaints received. Further, the DPDP Act requires a complaint to be raised first before the Data Fiduciary and only then before the Data Protection Board, whereas the Master Directions for PPIs provide recourse to the RBI Integrated Ombudsman Scheme. Therefore, some clarity is required on the grievance redressal mechanism that the Data Principals of PSPs may have to follow.
Conclusion:
The new data regime will require a drastic change in the working model of PSPs, including various organisational and technical changes. PSPs should ensure that these changes are made in a manner that is compliant with the DPDP Act as well as the sectoral regulations applicable to them.