India – FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation And DPDP Act Compliance By NBFCs & Fintechs.

Background 

Indian regulators in recent times have shown a keen interest in monitoring the intersection between data, information technology, and cybersecurity with regulated entities—more so in relation to Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map their journey of compliance from legal and regulatory perspectives. 

Key Highlights 

1. Fiduciary/Processor: “Data Fiduciaries” are persons who determine the purpose and means of processing digital personal data; “Data Processors” process data on their behalf. Given that the compliance burden is on Data Fiduciaries under the DPDP Act, NBFCs and fintechs must analyse and determine their status as Data Fiduciary or Data Processor, based on the nature of each activity they undertake. 

2. New Consent Practices: Notwithstanding consent for know-your-customer (KYC) data under the RBI KYC Master Directions, the existing approach to processing personal data by NBFCs has been to seek generic omnibus consent. Only in the case of digital lending under RBI’s Guidelines on Digital Lending (“DL Guidelines”), explicit consent and disclosure of specific purposes for borrower data usage are mandated. Under the DPDP Act, explicit consent will be required for each use-case or purpose of processing. The notice requirement for consent acquisition applies not just to customers of the fintech/NBFC but also to employees, vendors, and visitors on the website. 

3. Outsourcing: In the interest of cost efficiency and expertise, NBFCs often outsource some of their functions to third parties. The RBI’s directions on Financial Service Outsourcing and IT Outsourcing make NBFCs liable for the acts of their service providers (including sub-contractors) and must ensure the outsourced partners’ systems are compliant. Similarly, under the DPDP Act, a Data Fiduciary is responsible for any personal data processing by its Data Processors, i.e., service providers. NBFCs must monitor their Data Processors for (a) system resilience, (b) seeking of consent for new personal data from existing customers, and (c) erasure of data from Data Processor systems if Data Principals withdraw consent. NBFCs ought to review and ensure existing outsourcing arrangements capture these requirements. 

4. Cross-border Data Transfers: The DPDP Act does not restrict cross-border transfer of personal data outside the territory of India, except to some countries the Central Government may notify. Existing laws prescribing a higher degree of protection or restriction on transfer of personal data will apply over and above the DPDP Act. Accordingly, NBFCs/fintechs will have to comply with the data localisation and IT infrastructure requirements for payments-related data, digital lending-related data, and insurance data under the RBI’s Payments Data Storage Circular, DL Guidelines, and IRDAI’s Maintenance of Records Regulations respectively. 

5. Significant Data Fiduciaries (“SDF”): Under the RBI’s Scale-based Regulation for NBFCs, the logic is to progressively regulate financial service activities based on their complexity, thereby creating the different scales of NBFCs—top, upper, middle, and base layers. The DPDP Act also applies this logic for the enhanced compliance obligations of SDFs. However, in conjunction, the two regimes may cause conflicting compliance requirements. For instance, NBFC-Account Aggregators (“NBFC-AA”) are in the base layer, but because of the volume and sensitivity of the personal data they handle, NBFC-AAs may be notified as SDFs with additional audit and personnel compliances. 

6. Grievance Redressal: While the DPDP Act mandates grievance redressal mechanisms by the Data Fiduciary (at the first instance) and escalation to the Data Protection Board (“Board”), the RBI also provides recourse to the Ombudsman under the RBI Integrated Ombudsman Scheme for violation of any of its directives. Where such grievance involves personal data, for instance, the leak of an individual’s personal and financial details from an NBFC loan provider’s systems, recourse may lie before the Board as well as the Ombudsman. The overlap in the respective jurisdictions of the grievance redressal authorities will need to be clarified. 

7. Data Mapping & Policy Review: To enable Data Principals to exercise rights of access to personal data summaries, correct and erase data, and withdraw consent for processing, Data Fiduciaries must establish processes and review internal policies to track third-party access, maintain lists of IT partners with access to systems, segregate data based on sensitivity, formulate policies for products geared to processing children’s personal data, and encrypt relevant data, if required. 

Conclusion 

NBFCs and fintechs will be required to align themselves with the obligations under the DPDP Act while balancing their obligations under sectoral regulations. Entities ought to focus on taking steps to understand their status and degree of liability under the DPDP Act, review outsourcing arrangements, and re-evaluate internal protocols to be adequately prepared for the enforcement of the DPDP Act and its rules in the coming months.