Data privacy in the financial sector

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.

• Edward Snowden

In the early twentieth century, oil was the world’s most valuable resource. It powered machines, cars, homes. Oil—petrol, diesel… powered the world.

But in recent times, oil is no longer the most sought-after asset.

Clive Humby famously remarked that data is the new oil. Just as energy can be extracted from oil, information can be extracted from data, and this information is absolutely invaluable. The lending operation, too, thrives on this kind of data-driven information. Lending companies and organizations collect, process and analyse a large cache of customer data in order to gauge risk and offer personalized loan servicers to the customer. Without the data about the customer’s transaction history, preferences, personal credit scores, and income, risk analysis would be near impossible.

Banks and financial institutions, therefore, are privy to a large database of customer information, a major portion of which is confidential, private information. The technical term for this is SPDI (Sensitive Personal Information or Data), which includes any information not freely available on the public domain, like passwords, medical records, biometric information, or any other such details.

Banks and financial organizations do collect SPDI and so, they are bound by certain legally laid down procedures which are to be followed during the time of collection, transfer and disposal of data. ()

These data protection laws in India are laid down by then Information Technology Act, 2000, its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Right to Privacy.

Under this act, if a bank fails to protect their customer’s SPDI, causing wrongful loss or gain to any person, the bank is liable to pay compensation to the affected person; amounts which may go up to 5 crores.

These laws protecting the data of the Indian people remain woefully outdated. The IT act wasn’t even enacted for the purpose of protecting data privacy, and article 72A (mentioned above) is the only penalty for a data breach.

Countries like the US have extensive laws; data privacy is protected under legislations like the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act for financial information, the California Online Privacy Protection Act in California. In 2013, the average cost of a data breach in the US costed a whopping $5.9 million to corporates.

To keep up with the developments in the digital world, India, too, must renew and strengthen its data privacy protection policy.

The Personal Data Protection Bill 2019 sets out to do just that. Aligning India with the EU’s General Data Protection Regulation, the Bill, if passed, will be the first legislation on the protection of personal data.

But how will this bill affect the lending industry, which is so reliant on customer data?

Data security vs data privacy

Intuitively, the two terms are interchangeable. But their true meaning is largely different! Data security is maintaining the integrity of data and protecting information from third-party access or malicious attacks. Most banks are dedicated to this, and have extensive network securities and encryptions in place to ensure that data is accurate, reliable and available only to authorized parties.

Data privacy, on the other hand, is concerned with the rights of the people. People have the right to be left alone, and to be shielded from prying eyes. When an individual trusts a company with their data, it means that the company now has a responsibility to not intrude and not exploit the information they are entrusted with. It is about the proper usage, retention, deletion and storage of data.

An example of this would be your Facebook account.

The password that you protect your account with is a method of data security. The way Facebook uses and analyses the data it collects from your interactions through your account would be a concern of your data privacy.

This second term is where the industry lags behind.

The EU has the “Right to be forgotten” policy, a basic human right which allows its citizens the right to have their data taken off the public domain as and when they wish. This right is not available in the Indian constitution.

This lack of legal enforcement on data privacy has led to banks having to “self-regulate”, or follow company-based policies to ensure that their customers’ privacy is not exploited.

According to global management consultancy firm McKinsey & Co., 7% of all bank account holders in India conduct their transactions online. Branch banks fell by 15%, and it is predicted that non-traditional forms of banking like mobile payments are only going to rise. In this digital age, when data is exchanging hands at faster rates every day, the risk of privacy breaches is high. (https://www.mondaq.com/india/privacy-protection/172150/indias-data-protection-rules-and-their-impact-on-the-banking-and-financial-services-industry)

 

Financial Data and the Data Protection Bill

Now that the distinction has been made, we can understand what the Bill means for banks and financial data fiduciaries.

1. Informed Consent

Only after receiving the customer’s consent can data be collected and processed. Implied consent will no longer count as valid: explicit, informed consent must be taken.

1. Data Erasure

Once the purpose of data collection has been fulfilled, the data must then be erased: the customer has the right to demand this erasure of their personal information. This means that once a loan has been entirely repaid by the customer, they can demand for the erasure of KYC data.

1. Purpose

Unnecessary data, that which is irrelevant to the purpose of collection must not be collected. This means that the reasons for collecting any data must be stated and declared.

1. Data Transparency

Once the data has been collected and processed, the customer has the right to receive a copy of this processed data in an easy to read format. Therefore, banks must keep a copy of the data collected in case it is requested by the customer.

API protection

API (Application Program Interface) is a fast growing way of sharing financial data between data fiduciaries in the lending sector. (Read our article on the use of APIs in Banks to know more!) This interface allows third parties to access data without compromising on its safety and privacy. Before the PDP Bill was introduced, API exchanges fell outside the purview of the RBI. But once this Bill is passed, it will bring in data protection requirements for APIs as well.

Bill vs Law

Clearly, the PDP Bill is very much needed in India. But despite the need, it remains a Bill, and has not yet been passed into legislation. Many criticisms have brought out fears of turning India into a surveillance state, with a paradoxical lack of privacy.

Therefore, there is the need for the aforementioned self-regulation within banks to ensure data privacy of customers. Woefully few banks offer both security and privacy, but this must be the ultimate goal for any financial institution.

Here are a few pointers for self-regulation by Arpit Ratan and Ashish Kumar, writers for Signzy, a legal privacy blog.

1. Define privacy as primarily a legal and compliance regulatory matter.
2. Create a privacy office that develops privacy guidelines and interfaces with other stakeholders. If the financial institution does not currently have a separate privacy office, we recommend for the institution to hold an internal “privacy summit” that convenes key stakeholders from the lines of business, technology, compliance, and legal.
3. Identify and understand what the data is, where it resides, how it is classified, and how it flows through various systems. For example, financial, medical, and PII are subject to different restrictions in different jurisdictions.
4. Develop appropriate global data-transfer agreements for PII and other data that falls under privacy requirements.
5. Recognize and adhere to privacy requirements when developing core business processes and cross-border data flows.
6. Preserve customer trust as the primary goal.
7. Build a privacy taskforce consisting of specialists trained in privacy law and IT who are committed to ensuring compliance to these mentioned internal data privacy frameworks.

In the words of computer security expert MikkoHypponen, privacy is implied. Privacy is not up for discussion.