FIG Paper (No. 27 – Series. 1): Implications of Digital Personal Data Protection Act, 2023, on Payment Service Providers

Introduction:

The Reserve Bank of India (“RBI”) has allowed certain non-banks, in addition to banks, to operate in the financial ecosystem for payment processing under the Payment and Settlement Systems Act, 2007 (“PSS Act”). These non-banks typically operate Cross Border Money Transfer (“MTSS”); Prepaid Payment Instruments (“PPI”); Bharat Bill Payment Operating Units (“BBPOU”); White Label ATM Operators (“WLAO”), etc.

The Digital Personal Data Protection Act, 2023 (“DPDP Act”), provides a holistic view of the obligations on financial entities, and Payment Service Providers (“PSPs”) are not excluded. In this paper, we discuss the implications of the DPDP Act on the payments sector and the steps that should be taken to address them.

Key Provisions:

  • Consent Requirements: It should be free, specific, informed, unconditional and unambiguous with clear affirmative action. Consent request to be accompanied or preceded by a Notice informing the user about Personal Data being collected and its purpose.
  • Data Processing: Personal data may be processed for lawful purposes for which consent needs to be obtained or for certain legitimate uses.
  • Rights and Duties of Data Principal: Data Principals have the right to access, correct, erase, nominate and seek grievance redressal. They also have a duty to not impersonate another person, suppress material information, register frivolous complaints and furnish only authentic information.
  • Data Fiduciary’s obligations: Personal Data collected should be complete, accurate and consistent. They are also obligated to undertake appropriate measures to prevent Data breach and inform the Data Board and the affected user in case of a breach.
  • Significant Data Fiduciary (“SDF”): Any Data Fiduciary may be classified as an SDF by the Central Government. Such SDFs will have to comply with additional obligations mentioned under the DPDP Act and rules. PSPs are most likely to be classified as SDFs since they deal with large and sensitive Personal Data.
  • Cross-Border Data Transfer: The Central Government may restrict transfer of Personal Data by the company to such countries or territories outside India as it may notify from time to time.
  • Exemptions: The DPDP Act shall not apply to publicly available Data.

Implications and Next Steps:

In a payment ecosystem, among other roles played by a PSP as a licensed entity, its role qua the DPDP Act shall be deemed as that of a Data Processor. The implications and next steps for PSPs are:

  • No Click-wrap options: The practice of click-wrap options will no longer be valid, as consent so obtained will have to be free, specific, informed, unconditional and unambiguous with clear affirmative action. PSPs will have to change their consent request mechanism accordingly, in a manner which ensures the same.
  • Where transaction data belongs to a child: Details of transactions where the beneficiary is a child or where the amount is debited from a child’s bank account should be handled with extreme care and additional security precautions must be taken. An internal mechanism will have to be developed to identify such Data Principals and transactions.
  • Reporting Data Breach: Any event of Data breach must be reported to the Data Protection Board, the customer, and the bank. PSPs may appoint a reporting officer to detect and report Data breach and develop a pre-defined format for such reporting.
  • Access, Correction and Erasure of data: PSPs will be required to provide Data Principals the option to access, correct and erase their Data. A separate portal may be designed to accommodate any request received for the same.

Further, various sectoral regulations are also applicable to PSPs, which they will have to continue to adhere to, in addition to the DPDP Act. The implications of the same are as follows:

  • Cross-border transfers: The DPDP Act does not restrict cross-border transfer of Data, except to some countries notified by the Central Government. However, the RBI requires all system providers to ensure that their entire data is stored in a system only in India. Therefore, cross border transfer of Data by PSPs is not permitted.
  • Audit Requirements: Under the DPDP Act, only SDFs are required to carry out periodic audits and appoint an independent data auditor to carry out data audit. However, all Payment Aggregators are required to submit a system audit report, including a cyber security audit conducted by CERT-In empanelled auditors. It will have to be seen whether the same report can serve the purpose of data audit and cyber security audit or separate reports will be required.
  • Security and Risk Management: The DPDP Act requires Data Fiduciaries to implement technical and organisational measures and take reasonable security safeguards to prevent Data breach. In addition to this, the Master Directions issued by the RBI for PPIs require them to put in place a Board approved Information Security policy and various other security mechanisms like two factor authorization, cap on number and amount of transactions in a day, alert mechanism, etc. Therefore, PSPs will have to implement additional security mechanisms.
  • Grievance Redressal: Data Fiduciaries are required to provide readily available means of grievance redressal and respond to them within a prescribed time limit. In this respect, the Sectoral regulations under the RBI guidelines for BBPOU and Master Directions for PPI require them to have a centralized complaint management system, which allows tracking the status of complaints received. Further, the DPDP Act requires a complaint to be raised before the Data Fiduciary and only then to the Data Board, but Master Directions for PPI provide recourse to the RBI integrated Ombudsman Scheme. Therefore, some clarity is required on the grievance redressal mechanism that may have to be followed by the Data Principals of PSPs.

Conclusion:

The new data regime will require a drastic change in the working model of PSPs, including incorporating various organisational and technical changes. PSPs should ensure that these changes are made in such a manner that is compliant with the DPDP Act as well as the Sectoral Regulations applicable on them.


Anu Tiwari

Partner and Co-Head in the Fintech Practice at the Mumbai office of Cyril Amarchand Mangaldas. Anu represents Indian and multinational banking, broker-dealer, exchange, asset management, speciality finance, fintech and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, capital raising, commercial agreements and activism matters. Anu advises financial services clients on matters before the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Ministry of Finance, Enforcement Directorate and appellate tribunals. He can be reached at anu.tiwari@cyrilshroff.com

Sara Sundaram

Partner in the Disputes and White Collar Crime Practice at the Mumbai office of Cyril Amarchand Mangaldas. Sara specializes in the areas of internal investigations and compliance training, white-collar crimes, corporate and financial investigations, fin tech and financial matters and international sanctions. She has assisted and advised several foreign investors, corporates and financial institutions on anti-corruption, anti-bribery issues, anti-money laundering, sanctions violations, and serious fraud investigations.

She also advises several foreign and domestic Clients on AML/ABAC compliance, regulatory compliance and trade sanctions, and has handled internal investigations into compliance violations and whistle-blower complaints for corporations and financial institutions. She has considerable expertise in corporate governance, international sanctions, and international fraud related issues and regulatory compliance issues and financial crimes and Fintech. She can be reached at sara.sundaram@cyrilshroff.com

Utkarsh Bhatnagar

Principal Associate in the corporate and financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Utkarsh has represented various Indian and multinational fintech, information/ emerging technology companies, and also pharmaceutical, and healthcare companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, commercial agreements and regulatory matters. He can be reached at utkarsh.bhatnagar@cyrilshroff.com

Gaurav Jain

Associate in the White Collar practice at the Mumbai office of Cyril Amarchand Mangaldas. Gaurav can be reached at gaurav.jain@cyrilshroff.com