FIG Paper No. 28, Data Law Series 2:
Implications of Digital Personal Data Protection Act, 2023 on Indian Banks

Introduction

In the current landscape, Indian banks are bound by data protection obligations under the provisions and rules of the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002 and relevant directives of the Reserve Bank of India (“RBI”). As we await the enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the publishing of its rules (“DPDP Rules”), there will be a paradigm shift in the data processing protocols of banks amongst other financial entities.

For a brief overview of how the DPDP Act applies to the financial services industry, please refer to our previous FIG paper here. This FIG Paper reflects on the industry pulse and identifies key issues that Indian banks will need to address as they prepare for the DPDP Act.

Implications for Indian Banks

The major implications of these provisions for Indian banks are as follows:

Consent for Data Processing:

  • Notices – to be served on existing / new customers individually.
  • Consent Trigger – In existing RBI regulation, the trigger for consent arises from account-based relationships but in the DPDP Act regime, it is the processing of data by which any individual is identifiable. Therefore, processing of visitor information, nominee details, risk management services, customer lifecycle management, product development and other services that use personal data will require consent.
  • Data Sharing across Group – So long as consent is sought for specific purposes of data sharing with group entities and subsequent processing by these entities, personal data may be shared by a bank with its group.

Outsourcing to Data Processors:

  • Principal Responsibility – Banks are responsible as Data Fiduciaries for personal data processing by intermediaries such as know-your-customer (“KYC”) verification agents, payment system operators (PSO), third-party application providers (TPAP), loan servicing agents, etc.
  • Responsibility for Sub-agents – Under the RBI’s outsourcing norms, banks are responsible for the outsourced services of not only agents but sub-agents as well. This obligation may extend under the DPDP Act if the bank determines the purpose for which processing is undertaken by any sub-agent / sub-contractor. Currently there is no provision for joint and several liability under the DPDP Act. This might become an issue for regulated entities which take due care but can still be held responsible for deficiencies or non-compliance on the part of Data Processors.
  • Monitoring – Banks are required to monitor Data Processors for system resilience, seeking of consent for new personal data from existing customers, and erasure of data from Data Processor systems if Data Principals withdraw consent.

Data Breach Reporting: In the event of a personal data breach, intimation should immediately be provided to the customer and the Data Protection Board under the DPDP Act. The format for breach notices may be specified in the DPDP Rules. Since no materiality threshold has been notified yet, this breach notice is a mandatory requirement for all personal data breaches. Failure to comply attracts a penalty that may extend to INR 200 crore.

Internal Policies:

  • Existing grievance redressal mechanisms should expressly address handling of Personal Data complaints and their resolution timelines.
  • Special policies for products involving the personal data of children.
  • Separate portal / mechanism to handle applications for correction and erasure of data.

Cross-Border Data Transfer: Transfer of transaction details or customer data outside India for any specified purpose will require consent. Existing outsourcing or data analytics arrangements should conform to the technical and operational specifications under the DPDP Act before commencing such transfer.

Co-Branding Arrangements: For current and future co-branding arrangements, Indian banks (being Regulated Entities) would be considered Data Fiduciaries, while card issuers would be deemed Data Processors, since the banks determine the purposes of processing while the card issuers provide the payment rails. Such arrangements, when dealing with personal data, would attract obligations under the DPDP Act as well as the relevant RBI directions, and compliance with one does not dispense with compliance with the other.

Use of AI: Indian banks have begun to introduce artificial intelligence (“AI”) including large language models (LLM) in their existing banking products. AI uses large data sets which may include personal data. Unless such personal data is available in the public domain or provided voluntarily for this purpose, using personal data without seeking consent would fall foul of the DPDP Act.

Next Steps and Preparedness

Indian banks preparing for the DPDP Act should get a head start on their compliance obligations and be conscious of the following aspects:

  • Stock-take of Data: Conduct data inventory assessments for: (i) legacy datasets; and (ii) prospective datasets, and draft appropriate consent notice formats aligned with the DPDP Act in all the specified languages. A data segregation exercise may also be undertaken for existing practices such as web scraping by a bank’s generative AI, website cookie management, etc., that may fall within the ambit of the DPDP Act.
  • Data Verification Infrastructure: Integrate systems for handling KYC information obtained for customer due diligence (CDD), maintenance of consent artefact records, and verifying consent for the personal data of children.
  • Customer Contracts: Relook at customer agreements, especially for personal data usage, customer obligations for updating information, confidentiality, and associated personal data rights.
  • Agreements: Review loan agreements, service agreements, and outsourcing agreements for compliance with the DPDP Act.
  • Consent Manager Business Models: Once the DPDP Rules are published, determine how to interact with consent managers under different business models for managing consent of Data Principals.
  • System Security: Given the resources of Indian banks and existing RBI compliance requirements, leverage state-of-the-art cybersecurity systems (compliant with ISO 27001) and encryption standards (such as AES) for secure transmission and storage of datasets, along with periodic stress testing measures. The DPDP Rules, however, may prescribe the exact technology and security standards.
  • Data Breach Management: Designate a separate division within the existing cybersecurity teams of banks for detecting, managing, and intimating personal data breaches, with a direct line of supervision by the designated Data Protection Officer of the bank.
  • Data Processor Readiness: Stress-test and assess the preparedness of the systems of outsourcing partners that deal with personal data in the capacity of Data Processors; ensure that those systems are compliant.
  • Awareness: Provide guidance to customers, employees, agents and intermediaries on managing personal data and DPDP Act compliance in the form of Frequently Asked Questions (“FAQs”) on the bank website or physically.
  • Product Design: Ensure DPDP Act compliance is integral to product design when employing new technologies – such as blockchain and AI – that may utilise personal data.

Conclusion

Banks are in a unique position in the financial services industry, given their resources and systemic importance, to determine best practices for personal data processing across sectors. As the DPDP Rules are being drafted, it would be prudent for Indian banks to gain an early-mover advantage by proactively future-proofing contracts, revamping governance frameworks, and aligning policies and protocols with this new regulatory direction for data, privacy, and technology in India.

Anu Tiwari

Partner in the Corporate, M&A and Financial Institutions Advisory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Anu has over 15 years of experience and advises clients on matters related to public and private M&A, raising capital, commercial agreements, and activism. Anu represents both Indian and multinational fintech, banking, broker-dealer, exchange, asset management, speciality finance and information technology companies on transactional, enforcement and regulatory matters.

Anu has been a member of RBI’s Committee on Household Finance, SEBI’s Working Group on Mutual Fund Regulation, the Fintech Committee of the Confederation of Indian Industries (CII) and a visiting faculty at the SP Jain School of Global Management.

Mr. Tiwari has been recognised by Chambers & Partners, IFLR, MergerMarket and as Lawyer of the Year 2021, India, by Global Law Experts for his work in the M&A, Financial Regulatory and Blockchain / Cryptocurrency space. He can be reached at anu.tiwari@cyrilshroff.com.

Sara Sundaram

Partner in the Disputes and White Collar Crime Practice at the Mumbai office of Cyril Amarchand Mangaldas. Sara specializes in the areas of internal investigations and compliance training, white-collar crimes, corporate and financial investigations, fintech and financial matters and international sanctions. She has assisted and advised several foreign investors, corporates and financial institutions on anti-corruption, anti-bribery issues, anti-money laundering, sanctions violations, and serious fraud investigations.

She also advises several foreign and domestic clients on AML/ABAC compliance, regulatory compliance and trade sanctions, and has handled internal investigations into compliance violations and whistle-blower complaints for corporations and financial institutions. She has considerable expertise in corporate governance, international sanctions, international fraud-related issues, regulatory compliance issues, financial crimes and fintech. She can be reached at sara.sundaram@cyrilshroff.com.

Vishrut Jain

Senior Consultant in the financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Vishrut has represented various Indian and multinational fintech and information / emerging technology companies on transactional, enforcement and regulatory matters. He can be reached at vishrut.jain@cyrilshroff.com.

Aditya Sarkar

Associate in the Financial Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. He can be reached at aditya.sarkar@cyrilshroff.com.