FIG Paper No 29 – Data Law Series 3: (Implications of Digital Personal Data Protection Act, 2023, on Asset Management Companies)

Background:

  • Asset Management Companies (“AMCs”) act as fiduciaries of unitholders (i.e. investors who hold units in funds managed by an AMC), due to which the Securities and Exchange Board of India (“SEBI”) has mandated various data privacy obligations for AMCs, either directly or through the Association of Mutual Funds of India (“AMFI”).
  • SEBI, in a private letter to AMCs, AMFI and registrar and transfer agents (“RTAs”) dated July 10, 2020 (“SEBI Letter”), required that digital platforms involved in distribution/ advisory and AMCs/ RTAs must respect unitholders’ data privacy. The letter included the following two mandates:
    • unitholder data should not be shared with group entities having multiple business/ products; and
    • products and services of group companies cannot be cross marketed.
  • Thereafter, on March 29, 2022, AMFI, in consultation with SEBI, issued the Circular on ‘Data Sharing Principles to be followed by AMCs while sharing Unitholders’ Data’ (“AMFI Data Circular”). The AMFI Data Circular listed the following directions:
    • (a) AMCs can only share data feeds with certain entities, including industry platforms[1], intermediaries[2], intermediaries serviced by AMCs and regulated (by SEBI or Reserve Bank of India (“RBI”)) as well as unregulated service providers[3].
    • (b) AMCs to have contractual arrangements with their service providers/ agents to ensure that unitholder data,
      • remains confidential;
      • is used only for the purpose for which it was shared;
      • is purged as soon as the purpose for which it was shared has been served;
      • is not shared with any other entity without approval of the AMC or explicit customer consent as per Paragraph (c) below; and
      • is not used for cross-marketing of products/ services of group companies.
    • (c) AMCs must not share unitholder data, except with entities mentioned in Point (a) above, without explicit consent of the unitholder, basis the following consent artefacts:
      • through the account aggregator (“AA”) ecosystem, duly licensed by the RBI; or
      • any other similar consent artefact that SEBI may notify. It may be noted that SEBI has not notified any such consent artefact.

The Digital Personal Data Protection Act (“DPDP Act”):

The swift passing of the DPDP Act by the Indian Parliament and subsequent Presidential assent has required financial services entities to ensure preparedness for the DPDP Act, as and when it is notified by the Central Government.

Please refer to our blog post (here), for key provisions of the DPDP Act.

Implications:

  • Outsourcing: Contractual liability in third-party contracts between AMCs and service providers will require alignment with the obligations of data fiduciaries and data processors as per the DPDP Act.
  • Cross-Marketing: As no explicit bar has been placed on AMCs to cross-market products under both the AMFI Data Circular and the DPDP Act, the same may be continued. However, consent notices will be required to be revised in a manner to satisfy the requirements for specified purpose.
  • Significant Data Fiduciary (“SDF”): AMCs are likely to qualify as SDFs basis the nature and volume of data handled, and would require a resident data protection officer, data auditor, periodic audit and data protection impact assessment.
  • Nomination Details:
    • AMCs may be required to obtain direct consent from the nominee, as their personal details would be “processed” by them.
    • Children’s Data: As nominee data may include children’s data, AMCs must build mechanisms to identify and prevent processing of such data for the purposes of marketing, analytics, cross-selling, etc.

Next Steps:

  • Data Mapping: Mapping will be required to be undertaken across the AMC’s group, to assess the type of data collected, customer touch points and current data sharing arrangements: (i) across group entities; and (ii) with outsourced partners/ vendors.
  • Data Outsourcing: AMCs to assess sharing/ access of data from AMCs to third-parties, and vice versa, in order to assess compliance.
  • Audit Requirements: Under the DPDP Act, SDFs are required to carry out periodic audits and appoint an independent data auditor to carry out data audit. Given AMCs may be SDFs, preparedness for these requirements should be progressed.
  • Security Standards: SEBI’s cyber security and cyber resilience framework for AMCs, which requires them to assess and update their IT systems, would require alignment with the “reasonable security safeguards” threshold of the DPDP Act.
  • Grievance Redressal Mechanism: A grievance redressal mechanism relating to data breach will have to be incorporated in the existing mechanism of the AMCs. Further, AMCs to ensure grievance redressal is readily available, which includes a mechanism to respond within a prescribed time period.

Conclusion:

The new data regime will require a drastic change in the working model of the AMCs, including incorporating various organisational and technical changes. The industry should have ready-to-implement mechanisms in place and should work on sensitising the stakeholders of their business on the new data protection regime. AMCs should ensure that these changes are made in such a manner that is compliant with the DPDP Act as well as the applicable sectoral regulations.


[1] Platforms such as MF Central, set up by Qualified RTAs or Depositories, providing services to investors and other stakeholders for transacting in mutual funds.

[2] Stock exchanges, MF Utility (providing execution platform to MF distributors), Investment Advisors and Stock Brokers.

[3] AMC shall only provide data to intermediaries/ custodians/ portfolio managers for transactions which are routed through them. Further, only such data which is required by service provider to render their services may be shared.

Anu Tiwari

Partner (Head – Fintech and FSRP) at Cyril Amarchand Mangaldas. Anu represents Indian and multinational banking, broker-dealer, exchange, asset management, speciality finance, fintech and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, capital raising, commercial agreements and activism matters. Anu advises financial services clients on matters before the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Ministry of Finance, Enforcement Directorate and appellate tribunals. He can be reached at anu.tiwari@cyrilshroff.com

Sara Sundaram

Partner in the Disputes and White Collar Crime Practice at the Mumbai office of Cyril Amarchand Mangaldas. Sara specializes in the areas of internal investigations and compliance training, white-collar crimes, corporate and financial investigations, fin tech and financial matters and international sanctions. She has assisted and advised several foreign investors, corporates and financial institutions on anti-corruption, anti-bribery issues, anti-money laundering, sanctions violations, and serious fraud investigations.

She also advises several foreign and domestic clients on AML/ABAC compliance, regulatory compliance and trade sanctions, and has handled internal investigations into compliance violations and whistle-blower complaints for corporations and financial institutions. She has considerable expertise in corporate governance, international sanctions, and international fraud related issues and regulatory compliance issues and financial crimes and Fintech. She can be reached at sara.sundaram@cyrilshroff.com

Kush Wadehra

Principal Associate in the Corporate and Financial Regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Kush has represented various Indian and multinational fintech, information/ emerging technology companies, on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, commercial agreements and regulatory matters. He can be reached at kush.wadehra@cyrilshroff.com

Naman Lodha

Associate in the Financial Services Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Naman advises clients on regulatory matters with respect to financial services. He can be reached at naman.lodha@cyrilshroff.com

Varnika Pasricha

Associate in the Financial Services Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Varnika advises on transactional and advisory matters in financial services. She can be reached at varnika.pasricha@cyrilshroff.com