Background:
- Asset Management Companies (“AMCs”) act as fiduciaries of unitholders (i.e. investors who hold units in funds managed by an AMC). For this reason, the Securities and Exchange Board of India (“SEBI”) has mandated various data privacy obligations for AMCs, either directly or through the Association of Mutual Funds in India (“AMFI”).
- SEBI, in a private letter to AMCs, AMFI and registrar and transfer agents (“RTAs”) dated July 10, 2020 (“SEBI Letter”), required that digital platforms involved in distribution/ advisory, as well as AMCs/ RTAs, respect unitholders’ data privacy. The letter included the following two mandates:
- unitholder data should not be shared with group entities having multiple business/ products; and
- products and services of group companies cannot be cross marketed.
- Thereafter, on March 29, 2022, AMFI, in consultation with SEBI, issued the Circular on ‘Data Sharing Principles to be followed by AMCs while sharing Unitholders’ Data’ (“AMFI Data Circular”). The AMFI Data Circular listed the following directions:
- (a) AMCs can only share data feeds with certain entities, including industry platforms[1], intermediaries[2], intermediaries serviced by AMCs, and service providers[3] (whether regulated by SEBI or the Reserve Bank of India (“RBI”), or unregulated).
- (b) AMCs must have contractual arrangements with their service providers/ agents to ensure that unitholder data:
- remains confidential;
- is used only for the purpose for which it was shared;
- is purged as soon as the purpose for which it was shared has been served;
- is not shared with any other entity without the approval of the AMC or the explicit consent of the customer as per Paragraph (c) below; and
- is not used for cross-marketing of products/ services of group companies.
- (c) AMCs must not share unitholder data, except with the entities mentioned in Point (a) above, without the explicit consent of the unitholder, obtained through one of the following consent artefacts:
- the account aggregator (“AA”) ecosystem, duly licensed by the RBI; or
- any other similar consent artefact that SEBI may notify. It may be noted that SEBI has not notified any such consent artefact.
The Digital Personal Data Protection Act (“DPDP Act”):
The swift passing of the DPDP Act by the Indian Parliament and the subsequent Presidential assent require financial services entities to ensure preparedness for the DPDP Act, as and when it is brought into force by notification of the Central Government.
Please refer to our blog post (here), for key provisions of the DPDP Act.
Implications:
- Outsourcing: Contracts between AMCs (as data fiduciaries) and their service providers (as data processors) will need to allocate contractual liability in line with the respective obligations of data fiduciaries and data processors under the DPDP Act.
- Cross-Marketing: Neither the AMFI Data Circular nor the DPDP Act places an explicit bar on an AMC cross-marketing its own products (the bar under the SEBI Letter and the AMFI Data Circular is on cross-marketing the products/ services of group companies), so this may be continued. However, consent notices will need to be revised so that the consent obtained satisfies the DPDP Act’s requirement of a specified purpose.
- Significant Data Fiduciary (“SDF”): AMCs are likely to qualify as SDFs basis the nature and volume of data handled, and would then be required to appoint a resident data protection officer and an independent data auditor, and to carry out periodic audits and data protection impact assessments.
- Nomination Details:
- AMCs may be required to obtain consent directly from the nominee, as the nominee’s personal details would be “processed” by the AMC.
- Children’s Data: As nominee data may include the data of children, AMCs must build mechanisms to identify such data and to prevent its processing for the purposes of marketing, analytics, cross-selling, etc.
Next Steps:
- Data Mapping: Mapping will need to be undertaken across the AMC’s group to assess the types of data collected, the customer touch points and the current data sharing arrangements: (i) across group entities; and (ii) with outsourced partners/ vendors.
- Data Outsourcing: AMCs should assess the sharing of, and access to, data flowing from AMCs to third parties, and vice versa, in order to assess compliance.
- Audit Requirements: Under the DPDP Act, SDFs are required to carry out periodic audits and to appoint an independent data auditor to carry out a data audit. Given that AMCs may be SDFs, preparedness for these requirements should be progressed.
- Security Standards: SEBI’s cyber security and cyber resilience framework for AMCs, which requires them to assess and update their IT systems, will need to be aligned with the “reasonable security safeguards” threshold of the DPDP Act.
- Grievance Redressal Mechanism: A grievance redressal mechanism relating to data breaches will have to be incorporated into the existing mechanism of the AMCs. Further, AMCs should ensure that grievance redressal is readily available, including a mechanism to respond within the prescribed time period.
Conclusion:
The new data regime will require a drastic change in the working model of the AMCs, including incorporating various organisational and technical changes. The industry should have ready-to-implement mechanisms in place and should work on sensitising the stakeholders of their business on the new data protection regime. AMCs should ensure that these changes are made in such a manner that is compliant with the DPDP Act as well as the applicable sectoral regulations.
[1] Platforms such as MF Central, set up by Qualified RTAs or Depositories, providing services to investors and other stakeholders for transacting in mutual funds.
[2] Stock exchanges, MF Utility (providing execution platform to MF distributors), Investment Advisors and Stock Brokers.
[3] AMC shall only provide data to intermediaries/ custodians/ portfolio managers for transactions which are routed through them. Further, only such data which is required by service provider to render their services may be shared.