
DATA PRIVACY CHALLENGES IN FINTECH SPACE


INTRODUCTION

Data is critical in this digital and globalised world. One can avail of banking, insurance, investing and many other financial services with ease. Peer-to-peer lending, real-time payments, and faster loan disbursal have also made this easier. In fact, after online services like shopping, cab booking and so on, financial services through mobile apps are the new normal. COVID-19 has also played a pivotal role in this shift. Fintech companies have been disruptive, creating numerous opportunities for growth and financial inclusion in the finance sector. They have increased their market share rapidly by leveraging technology and data. Technology has made this possible, as everyone is connected and networked nowadays. The number of fintechs is increasing, and the number of customers using their services is also showing an uptrend. AI is expected to bring a further revolution in the sector, and the stage is set for a paradigm shift.

With the help of AI, Fintechs offer affordable, effective and efficient services, but these services come with their own risks. Fintechs are data hungry and need data to prosper, while individuals are concerned about misuse of their personal data. The algorithms used by such financial apps for analysis and decision-making are complex due to their self-learning ability. Data generated by mobile users is used by such apps to predict human behaviour and decision-making. They offer products and services based on the behaviour and spending pattern of the individual. Any bug in the app can result in systemic risk.

Data is the lifeline of Fintech operations and central to them. Fintechs collect data from multiple sources, like social sites, mobile networks, etc., to analyse consumer behaviour. Fintech is not dependent on IT-based applications and uses AI-powered services. As such, concerns about privacy, trust, transparency, and bias are looming large. The Wirecard scandal highlighted the issue of public trust. Therefore, it is essential to understand the challenges posed by this technology in the financial sector.

Passed in November 2023, the DPDP Act[1] is an effort to protect privacy and regulate the use of personal digital data. The Act gives individuals control over their personal data. While offering any product or service, Fintechs rely on personal data to know the credit history, CIBIL score, behaviour, etc. Such personal data is collected either directly or through third parties like banks, NBFCs, and other vendors. Hence, under the DPDP Act, FinTechs qualify as data fiduciaries and data processors, depending upon the nature of their activity.

Under the DPDP Act and the RBI's Know Your Customer regulations, consent is required for the collection, storage and processing of customer information. The customer data processed by FinTechs is mostly Personally Identifiable Information (PII). PII can be misused for committing financial fraud, including identity theft.

As per section 6 of the DPDP Act, “the consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.”[2]

As per the sensitive personal data rules, the data collecting agency must ensure that the provider of sensitive personal data is aware that their sensitive personal data is being collected, the purpose of such collection, the recipient of such data and the details of the agency collecting and retaining such data. If sensitive data is disclosed to any third party, the consent of such person must be obtained unless they have already agreed to such disclosure. As per the DPDP Act, when seeking the consent of the Data Principal, the Data Fiduciary must give an itemised notice in intelligible language containing a description of the personal data sought to be collected and the purpose of processing such personal data. The intent of the legislature here is to ensure transparency in the collection and processing of personal data and to empower the Data Principal to take informed decisions.

All Fintechs have a privacy policy in place. Post DPDP Act, some changes have been made in privacy policies, but such policies vary in quality, quantity and readability within the Fintech sector itself. The privacy policy reads like boilerplate clauses (standard form) meant only to meet the legal requirements. Asking the user to agree or give consent to Fintech privacy practices amounts to power asymmetry between such a person and a data fiduciary. It is the responsibility of Fintechs to safeguard personal data, as custodians in a fiduciary relationship. Data leak incidents prove that personal data is not secure with Fintech companies. So, an important concern is whether personal data held by fintech companies is safe, which calls the capability of Fintechs into question. Another concern is that personal data may be shared with other entities without consent, creating a trust deficit between the data owner and the data fiduciary.

Fintechs are using advanced technology tools like AI for predictive analysis and decision-making, and Large Language Models (LLMs) are used to personalise offers, but their opaque decision-making raises transparency issues, resulting in a trust deficit. The nature of such black-box algorithms makes it difficult to understand the process and rationale of decision-making. Transparency is also required in processing, as a person whose data is to be processed needs to know the purpose of processing, and data can be used only for specific, lawful purposes, with the consent of individuals and for certain legitimate uses.

The quality and quantity of data used to train the AI can result in bias. It is expected that the fintech revolution will result in financial inclusion, but the reality is that not everyone has a smartphone. Further, more men than women use the internet. If the data is not representative of a large population, there is a possibility that bias may creep into decision-making. Such bias may prove counterproductive, result in financial exclusion and fuel inequality.

CONCLUSION

As the use of personal data for business purposes is increasing, data privacy and data protection are becoming a concern in this digital age, even as data remains a valuable asset for Fintechs. If data security issues in the fintech space are not handled with due care, they can lead to data breaches, exposing sensitive personal data of individuals. Recently, the threat to release HDFC Life Insurance customers’ data has been in the news.[3] Earlier, Dave, a tech unicorn, faced a data security breach.[4] Organisations are under an obligation to safeguard the data. If a limitation or prohibition is placed on the collection of personal data to protect the privacy of individuals, it may harm the business interests of Fintechs, resulting in a trade-off. There is a need to strike the right balance between protecting privacy and promoting the growth of Fintech. Fintechs need to prioritise data security to protect customer data from misuse. A proper and well-designed privacy protection policy at the level of the organisation and regulations at the state level can help. This calls for a collaborative approach between regulators and the industry to build user trust. The risk can be mitigated through solutions like role-based access, encryption, secure applications, etc. Concerns like privacy, transparency and bias call for further discussion and deliberation among the stakeholders to achieve the end objective of having a framework where fintech can play a role in financial inclusion while ensuring data security.[5][6]

Author(s) Name: Mr. Krishan Kumar (C.S.) (Associate Vice President – Spectra)

Reference(s):

[1] The Digital Personal Data Protection Act 2023

[2] The Digital Personal Data Protection Act 2023, s 6

[3] Surbhi Gloria Singh, ‘HDFC Life Insurance suffers data breach: What customers must know’ Business Standard (New Delhi, 26 November 2024) <https://www.business-standard.com/finance/personal-finance/hdfc-life-insurance-suffers-data-breach-what-customers-must-know-124112600328_1.html> accessed 20 December 2024

[4] Catalin Cimpanu, ‘Tech unicorn Dave admits to security breach impacting 7.5 million users’ (ZDNET, 25 July 2020) <https://www.zdnet.com/article/tech-unicorn-dave-admits-to-security-breach-impacting-7-5-million-users/> accessed 20 December 2024

[5] Gregor Dorfleitner, Lars Hornuf and Julia Kreppmeier, ‘Promise not fulfilled: FinTech, data privacy, and the GDPR’ (2023) Electronic Markets 33(1) <http://dx.doi.org/10.1007/s12525-023-00622-x> accessed 20 December 2024

[6] Rodney D Ryder and Nikhil Naren, Artificial Intelligence and Law – Challenges Demystified (Law and Justice 2024)
