Credit history should not be considered sensitive personal data as it would lead to higher data protection and compliance costs, the Digital Lenders Association of India (DLAI) said.
Instead, data such as “bank account numbers, passwords, ATM PINs, details of cards issued, etc.” should be protected as sensitive personal data, since misuse and appropriation of such data may harm customers, the DLAI said in its recommendations to the ministry of electronics and information technology (MeitY).
Mint has reviewed a copy of the letter.
The recommendations were in response to the blanket criminal penalty for data breaches suggested in the draft privacy bill put out by the MeitY last year.
To assess loan applicants and prevent fraudulent transactions, fintech lenders source customer data from trading and brokerage accounts, and credit and debit card transactions directly from banks. Besides, a customer’s employment information and credit history are also accessed from credit bureaus approved by the Reserve Bank of India.
“While there will certainly be an increase in compliance cost (for tech startups in lending segment), some legislation is clearly required and we don’t expect the cost to be prohibitive as long as some of the industry recommendations are accepted,” said Shivashish Chatterjee, co-founder, DMI Finance, a non-banking financial company (NBFC), in an emailed response.
DMI Finance serves as an NBFC partner to online lenders such as MoneyTap and ZestMoney, and is also a member of DLAI.
According to Chatterjee, suggestions in the draft legislation will lead to an escalation in compliance costs, especially for tech startups. “A more tempered approach, which only criminalizes malicious intent, will be welcomed by the digital lending industry,” added Chatterjee.
Startups lending to small and medium businesses (SMEs) have also expressed concerns about the privacy bill, as they require access to personal information of SMEs, including the promoter’s personal data, which includes their bank details, ID proof, etc.
“As an organization, we believe that there needs to be clear demarcation between how we treat personal information vis-à-vis information such as credit score, which can be classified as public good… credit score is an amalgamation of many activities and cannot be attributed to a single organization. DLAI has, therefore, suggested that such information brackets are excluded from clauses such as ‘right to be forgotten’,” added Alok Mittal, chief executive of SME lending firm Indifi Technologies, and founding member, DLAI.
Policy experts tracking the impact of the proposed privacy bill said that a lot of these data points are yet to be legally classified as “public”, “personal” or “sensitive personal” data, and that each segment will require different levels of compliance and data protection rules.
However, a senior lawyer, who provides consultancy services to online lending firms, requesting anonymity, said: “While (fintechs and banks) gear up to migrate into a pro-data and pro-consent model, the data protection regime will always involve some costs. But if technology is well-advanced, the compliance costs will not be exorbitant.”
Behavioural or biometric data meant for determining the risk profile of loan applicants must be considered “sensitive only when it is used for identification or establishing identity of an individual, and not when it is used for creating a credit profile for providing services”, DLAI said.