While it is commendable that RBI has stated that the transfer of information to account aggregators (AAs) should be based on explicit customer consent, equal emphasis should be placed on dispute resolution mechanisms. The central bank has done well to place information security and customer consent at the center of the guidelines. However, as yet there is little clarity on what happens if a customer experiences an instance of consent violation. This is critical as more intermediaries join an ecosystem in which a large number of banks, non-banks, fintechs and Internet companies are already operating.
It is especially important for a country like India, where we do not have a law dedicated to data privacy. A large segment is still struggling to secure the most rudimentary forms of financial information, despite the best efforts of regulators. Frauds involving the theft of PINs, OTPs, passwords, and other account information, where a customer actually shares the information with a scammer disguised as a bank employee, are common. Such incidents are only increasing; the Indian financial ecosystem still has a long way to go when it comes to financial and digital literacy.
Even so, the very existence of an AA framework is a significant advance.
The framework empowers a set of entities, licensed under a special category of non-bank financial corporations (NBFC), to operate a consent-based financial data exchange system between ecosystem actors. As RBI Deputy Governor M Rajeshwar Rao recently observed, the transfer of information to AAs must be based on the explicit consent of the client. AAs must be equipped with the proper consent architecture, and audit trails must be available. Regulatory guidelines also require financial information providers to implement interfaces that allow an AA to send consent artifacts and that let the two parties authenticate each other. This will allow a secure flow of financial information to the AA.
Today there is a bit of suspicion surrounding the way technology-driven financial intermediaries treat customer data. The Delhi High Court is hearing a PIL against Google Pay for allegedly having unauthorized access and storing banking and Aadhaar information. It is unfortunate that users of a payment application have no choice but to file a PIL in Superior Court if they believe their data privacy is being violated.
Compare this to the General Data Protection Regulation (GDPR) of the European Union which aims to safeguard the data of anyone in the EU territory. Under the regulation, a person who believes that their data protection rights have been violated has the option of filing a complaint with the country’s data protection authority. The competent authority must investigate each complaint and inform the complainant of the progress or outcome of the investigation within three months.
If India really wants to become a digitally driven economy, for at least most of its citizens, regulation will need to be very particular about privacy. The digital financial ecosystem continues to be an area where regulation is evolving, and therefore the conversation must move beyond the purely self-indulgent.