FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

Background

Indian regulators have in recent times shown a keen interest in supervising the intersection of data, information technology, and cybersecurity at regulated entities, particularly Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map out their compliance journey from both a legal and a regulatory perspective.

Key Highlights

  1. Fiduciary/Processor: “Data Fiduciaries” are persons who determine the purpose and means of processing digital personal data; “Data Processors” process data on their behalf. Given that the compliance burden is on Data Fiduciaries under the DPDP Act, NBFCs and fintechs must analyse and determine their status as Data Fiduciary or Data Processor, based on the nature of each activity they undertake.
  2. New Consent Practices: Apart from the consent obtained for know-your-customer (KYC) data under the RBI KYC Master Directions, the existing approach of NBFCs to processing personal data has been to seek a single generic, omnibus consent. Only in the case of digital lending, under the RBI’s Guidelines on Digital Lending (“DL Guidelines”), are explicit consent and disclosure of the specific purposes for which borrower data will be used mandated. Under the DPDP Act, explicit consent will be required for each use-case or purpose of processing. The notice requirement accompanying consent applies not just to customers of the fintech/NBFC but also to its employees, vendors, and visitors to its website.
  3. Outsourcing: In the interest of cost efficiency and expertise, NBFCs often outsource some of their functions to third parties. The RBI’s directions on Financial Service Outsourcing and IT Outsourcing make NBFCs liable for the acts of their service providers (including sub-contractors) and require them to ensure that the outsourced partners’ systems are compliant. Similarly, under the DPDP Act, a Data Fiduciary is responsible for any personal data processing carried out by its Data Processors, i.e., its service providers. NBFCs must therefore monitor their Data Processors for (a) system resilience, (b) the seeking of consent when new personal data is collected from existing customers, and (c) erasure of data from Data Processor systems when Data Principals withdraw consent. NBFCs ought to review their existing outsourcing arrangements and ensure these requirements are captured in them.
  4. Cross-border Data Transfers: The DPDP Act does not restrict cross-border transfer of personal data outside the territory of India, except to some countries the Central Government may notify. Existing laws prescribing a higher degree of protection or restriction on transfer of personal data will apply over and above the DPDP Act. Accordingly, NBFCs/fintechs will have to comply with the data localisation and IT infrastructure requirements for payments-related data, digital lending-related data, and insurance data under the RBI’s Payments Data Storage Circular, DL Guidelines, and IRDAI’s Maintenance of Records Regulations respectively.
  5. Significant Data Fiduciaries (“SDF”): Under the RBI’s Scale-based Regulation for NBFCs, the logic is to progressively regulate financial service activities based on their complexity, thereby creating the different scales of NBFCs—top, upper, middle, and base layers. The DPDP Act also applies this logic for the enhanced compliance obligations of SDFs. However, in conjunction, the two regimes may cause conflicting compliance requirements. For instance, NBFC-Account Aggregators (“NBFC-AA”) are in the base layer, but because of the volume and sensitivity of the personal data they handle, NBFC-AAs may be notified as SDFs with additional audit and personnel compliances.
  6. Grievance Redressal: While the DPDP Act mandates grievance redressal mechanisms by the Data Fiduciary (at the first instance) and escalation to the Data Protection Board (“Board”), the RBI also provides recourse to the Ombudsman under the RBI Integrated Ombudsman Scheme for violation of any of its directives. Where such grievance involves personal data, for instance, the leak of an individual’s personal and financial details from an NBFC loan provider’s systems, recourse may lie before the Board as well as the Ombudsman. The overlap in the respective jurisdictions of the grievance redressal authorities will need to be clarified.
  7. Data Mapping & Policy Review: To enable Data Principals to exercise their rights to obtain a summary of the personal data held about them, to have data corrected or erased, and to withdraw consent to processing, Data Fiduciaries must establish processes and review internal policies so as to track third-party access, maintain a list of IT partners with access to their systems, segregate data by sensitivity, formulate policies for products that involve processing children’s personal data, and encrypt relevant data where required.

Conclusion

NBFCs and fintechs will be required to align themselves with the obligations under the DPDP Act while balancing their obligations under sectoral regulations. Entities ought to focus on taking steps to understand their status and degree of liability under the DPDP Act, review outsourcing arrangements, and re-evaluate internal protocols to be adequately prepared for the enforcement of the DPDP Act and its rules in the coming months.


Anu Tiwari

Partner in the Corporate, M&A and Financial Institutions Advisory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Anu has over 15 years of experience and advises clients on matters related to public and private M&A, raising capital, commercial agreements, and activism. Anu represents both Indian and multinational fintech, banking, broker-dealer, exchange, asset management, speciality finance and information technology companies on transactional, enforcement and regulatory matters.

Anu has been a member of RBI’s Committee on Household Finance, SEBI’s Working Group on Mutual Fund Regulation, Fintech Committee of the Confederation of Indian Industries (CII) and a visiting faculty at the SP Jain School of Global Management.

Mr. Tiwari has been recognised by Chambers & Partners, IFLR and MergerMarket, and as Lawyer of the Year 2021, India, by Global Law Experts for his work in the M&A, Financial Regulatory and Blockchain/Cryptocurrency space. He can be reached at anu.tiwari@cyrilshroff.com.

Vishrut Jain

Senior Consultant in the financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Vishrut has represented various Indian and multinational fintech and information / emerging technology companies on transactional, enforcement and regulatory matters. He can be reached at vishrut.jain@cyrilshroff.com.

Aditya Sarkar

Associate in the Financial Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. He can be reached at aditya.sarkar@cyrilshroff.com.

Riddhi Swami

Associate in the Financial Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Riddhi can be reached at riddhi.swami@cyrilshroff.com.