Financial Services Data and Analytics Newsletter | December 22

Introduction

Welcome back to yet another edition of the Financial Services Data and Analytics newsletter. We are starting this new year with a discussion of the Digital Personal Data Protection (DPDP) bill.

With an increase in the volume of digital interactions, a considerable amount of personal data is generated and processed round the clock. It is important for organisations to safeguard the personal data of their customers in order to build trust and achieve sustainable growth. The government has come up with a draft version of the DPDP bill to focus on the rights of individuals to protect their personal data. The DPDP bill is a proposed law in India that seeks to protect the personal data of individuals and regulate the collection, storage and processing of personal data by companies operating in the digital space of every sector. In this newsletter, we have deep-dived into the draft to understand the impact of the bill on Indian banks.

The newsletter also contains industry news around changes in other regulations by regulatory bodies towards ease of doing business in the country. These regulations will further increase financial inclusion and improve adoption of financial products.

Topic of the month – The draft DPDP bill

Overview of the DPDP bill

The Ministry of Electronics and Information Technology (MeitY) on 18 Nov 2022 released the DPDP bill for public consultation with an emphasis on some of the key globally-accepted principles of data protection, consent, accountability, integrity, limited storage, transparency and accuracy. The main objective of the bill is to tighten the ropes around digital personal data collection and processing, which in turn will help limit personal data breaches.


Key components of the bill

The bill has been framed to establish a comprehensive legal framework governing digital personal data protection in India. The section below provides a brief overview of some of the key points of the bill.

  • Data principals (individuals whose personal data is being processed; where such an individual is a child, the definition includes the parents or legal guardians of the child) must be provided with a notice/request clearly stating that personal data is requested to be collected along with the purpose of such collection, unless obtaining consent is not practical. The concept of ‘deemed consent’ has been introduced for situations where obtaining consent is not practical.

Major impact of the bill on the financial services sector

Banks and other financial institutions manage a large volume of sensitive customer information. The consequences of any data breach can be irretrievable. This makes banking a high-risk sector with respect to privacy and data protection.

The impact of the bill on the financial sector can be assessed across the data collection lifecycle, starting from the time the customer is onboarded into the banking system till the time the data is disposed of from the system. With the advent of the DPDP bill, it has become imperative for banks to relook at the way personal data is being collected and managed in their systems. The extent of the impact of the bill on a financial sector firm will depend on various factors. Given below are some of the major deciding factors based on the banking divisions.

Key questions to test a bank’s adherence to the draft bill

A sample customer journey for taking home loans can be used to understand the various touchpoints and channels through which banks are collecting and processing personal data and how the bill will impact this journey.

When a customer wants to apply for a home loan, numerous options are available to the customer regarding the next course of action. The customer can approach a bank, search on the bank website or talk to a customer service executive. In all these scenarios, customers have to share their personal information including name, address, current salary details, Aadhar number and PAN number with the bank. While sharing their personal information with the bank, customers have the right to know how the bank collects, stores, processes and retains their personal information. It is imperative that the bank has a transparent system in place which showcases all the scenarios to the customer based on their needs. The bank should have a structured approach while collecting personal data from the customer and check whether it has adequate processes in place to share the information with third parties.

How can firms leverage the bill to embark on a holistic growth curve?

With the draft version of the data protection bill in circulation for public review, it is only a matter of time before the bill is enforced. Organisations must leverage the bill to improve their existing data management and data security landscape. The implications of the bill can be assessed throughout the data lifecycle. Technological interventions at different stages can help companies achieve compliance with regulations and also embark on a journey of holistic growth.

Collection and creation

Enhancing the customer’s trust while collecting their personal data

Organisations need to be proactive while collecting personal data in order to abide by the latest regulatory norms. Effective use of technology and redefining the existing processes could make it easier for organisations to ensure that the data is collected as per the norms. Consent and rights management solutions can provide greater ease to the companies to manage individual rights.

Storage

Trace customer data with state-of-the-art data storage capabilities

Companies must have an effective data storage strategy to ensure traceability of personal data. The bill emphasises that data fiduciaries must standardise their storage capabilities. Leveraging standard practices in data traceability and management will help the organisations discover personal data which will smoothen the operations and reduce the response time.

Analysis and processing

Revamp the existing business operations for purpose-driven data processing

A multi-level strategy should be designed to understand how the data can be used and the benefits of its usage. Technological interventions coupled with customer-centric processes can help in processing high-quality data. The higher the quality of data, the closer the bank will be to understanding customers and mitigating their operational hurdles.

Sharing and transfer

Credible data sharing agreements between various stakeholders

Companies must redefine the data sharing processes and agreements with standardised controls to focus on the data which is being shared with other entities. There must be a predefined purpose for sharing personal data of the customers with other entities. With the use of technology, organisations can tokenise or anonymise data before transferring it to an external entity.

Retention and disposal

Redefining the data retention policies

Companies must ensure that personal data is deleted from the systems once the purpose is served. The data retention and archival policies and procedures must be redefined to standardise the time frames, which in turn will help in establishing trust and promote a culture of transparency. Complying with the data protection regulations will ensure that:

  • Customer information is gathered with proper consent
  • Information is stored in the repository with defined and standardised quality checks
  • Lineage is established to trace back to the original issue if required
  • A catalogue is maintained to find and review the customer’s personal information
  • Security checks are performed to ensure that the data collected is secure

Organisations should understand the key points of the bill to define and improve their existing business processes which in turn will ensure well-managed and governed data flowing throughout the organisation and enable them to make data-driven business decisions, understand the customer requirements better and generate more value for them.



Knowledge Bytes

1. Bima Vahaks to be introduced by the IRDAI

To make insurance accessible to the entire population of our country, IRDAI has launched the concept of Bima Vahaks. Each gram panchayat will have a Bima Vahak who will be responsible for selling ‘Bima Vistaar’ insurance products covering health, property, life and personal accident, and the services related to them.

2. The RBI shortlists 7 consulting firms to boost its regulatory oversight with advanced analytics

The RBI has roped in global consulting firms like McKinsey, BCG, PwC and others, to enhance the regulatory supervision through the best use of advanced analytics, AI and ML. The firms have been selected based on the evaluation criteria laid out in its expressions of interest (EOI) document. RBI looks to upscale the potential of the advanced analytics already in use to benefit the RBI’s Department of Supervision.

3. IRDAI mandates KYC for buying all insurance policies

From 1 January 2023, KYC (know your customer) documents must be provided to buy all new insurance policies – life, general and health insurance. Until now, it was a voluntary choice, but experts believe mandating KYC will make the claim process seamless and faster as well as improve the accuracy of risk assessment and pricing.

4. The asset management industry’s first AI-platform based on SaaS for modern distribution

The asset management industry is facing numerous challenges, including rapid proliferation of investment products, fee pressures and increasingly fragmented sales channels. As the AMCs grapple with these challenges, which are exacerbated by limited sales capacity and restricted integration between marketing, data and sales functions, TIFIN has introduced an interconnected AI-powered SaaS platform that integrates data from marketing and awareness activities, CRM information and other data feeds to generate actionable signals to fuel their lead generation, qualification, nurturing and optimisation in a firm’s distribution function.

5. Changes in the regulations for registration of Indian insurance companies

The IRDAI has published new regulations pertaining to the registration of insurance companies to promote the ease of doing business and grow the insurance sector simultaneously. As per the new regulations, the minimum collective shareholding of all the promoter(s) should be maintained above 50% of the paid-up equity capital of the insurer. The regulations also provide for reducing the promoter(s) holding below 50%, but not to less than 26%, on fulfilling certain conditions. They also allow an investor to invest in any number of insurers provided that the investment does not exceed 10% of the paid-up capital of the respective insurers. Private equity funds are also allowed to invest directly in an insurance company in the capacity of a promoter or investor. Further, the government has proposed amendments to the Insurance Act, 1938, with provisions for composite licenses to insurance companies.

Acknowledgements: This newsletter has been researched and authored by Abhinaba Bhattacharjee, Abhishek Chaurasia, Aniket Borse, Arpita Shrivastava, Anuj Jain, Dhananjay Goel, Harshit Singh, Prakash Suman, Vaibhav Jain and Raghav Sharma.

Contact us

Mukesh Deshpande

Partner, Technology Consulting, PwC India

Tel: +91 98 4509 5391

Hetal Shah

Partner, Technology Consulting, PwC India

Tel: +91 98 2002 5902