In the wake of the new data protection regime, as proposed by the B.N. Srikrishna committee, we spoke to experts and fintech companies to understand how it can impact these companies and consumers.
Naveen Kukreja, CEO and co-founder, Paisabazaar.com
Prima facie it looks like financial services companies, especially fintechs, will be impacted. I will expect enough time to be provided for organisations to build mechanisms and processes to ensure compliance.
A big challenge for fintechs may be the provision of “right to be forgotten” where an organisation will not be able to use customer data once the purpose for which it was provided is met unless it has an explicit consent from the customer.
Fintechs today are developing customer life-cycle management models, where consumers are offered customised financial solutions at different stages of their life, according to their changing lifestyle, credit profiles and life-stage needs. A large segment of consumers may not be fully evolved to understand the long-term benefits customised products may have and, hence, may not provide their consent proactively. In its absence, innovations that are genuinely good for the consumer’s financial health may be restricted. It is being predicted that a few key sectors like health may be provided with certain exceptions. I would hope it is extended to financial services as well.
Alok Mittal, President, Digital Lenders Association of India and co-founder and CEO, Indifi Technologies
It will take time for BFSI and fintech companies to adopt data protection guidelines. The draft is fairly prescriptive in terms of what should be included in consent and what needs to be highlighted for a customer. Most banks and NBFCs already have terms and conditions in place. But the format of the consent that would be required here and the optionality to be given to customers clearly require significant design and implementation work. The draft also suggests that the industry should be allowed time for preparedness.
Since this is an absolutely new construct in India, there will be interpretation issues around the regulations, initially at least. Such things normally take a few years to get implemented, as complaints, cases and clarifications come up and the process gets refined. I don’t think there is a lot of impact on variable costs, though there will be some investment required to be compliant and then maintain that level of compliance. But per transaction costs will not go up.
Amit Jaju, senior managing director – FTI Consulting, India
The proposed Personal Data Protection Bill 2018 (PDPB) has taken BFSI and fintech companies by surprise. Many are still working towards compliance with the EU GDPR. If PDPB becomes law today, then a majority of BFSI and fintech companies may struggle to be compliant. Further, there are gaps in interpreting various aspects of the bill.
In April this year, the Reserve Bank of India (RBI) directed international financial companies that all payments data should be stored locally in India within six months. With less than two months to go, this may get extended due to overlap with PDPB. This also impacts Indian companies that store data of Indian citizens on overseas clouds. BFSI and fintech companies will need to relook their processes, technologies and third-party contracts to ensure the entire ecosystem understands and abides by the new law. For large financial services companies, ensuring compliance of contractors will be crucial as they will be the primary data custodians.
Manish Sehgal, partner, Deloitte India
A recently conducted GDPR preparedness survey and its result indicated that among various sectors, only 68% of BFSI organisations have started their journey towards GDPR readiness. Challenges of privacy-readiness journey vary among organisations depending on their current state of maturity with respect to governance, people and process and technology aspects.
The likely challenges for Indian organisations to be privacy-ready are building and maintaining a culture of privacy, compliance for sustaining privacy and increase in technical and administrative procedures. People’s acceptance of the culture of privacy is going to be a huge challenge.
Privacy and data protection requirements aren’t usually transactions or one-time efforts. Continued efforts are required to sustain and mature a privacy-enabled environment. Doing so is likely to add cost as organisations will need to invest to implement or strengthen sufficient safeguards to protect personal data.
It remains to be seen whether organisations consume such additional cost and efforts to build trust or pass on the cost to consumers.