Bank CEOs are tapping top legal minds, alerting their compliance teams, and conferring with each other to spot the pitfalls of the Digital Personal Data Protection Act (DPDPA) – a statute under which fines of hundreds of crores can be imposed on organisations for breaches.
The law, which came into existence this year, lays down that data can be collected only to the extent it is required, can be used only for the purpose for which it is taken, and cannot be held on to beyond a point.
Last week, more than 500 bankers joined a virtual meeting with senior lawyers to understand the dos and don’ts of the law that would force them to scan existing bank account opening forms and loan application documents, two persons from the banking industry told ET. This was a little after heads of some of the leading banks met to discuss the issue. Banks, it appears, will now closely examine whether they need all the information they fish out from new customers opening savings accounts or applying for loans and credit cards.
“Banking, financial services, and insurance companies hold data for purposes such as risk mitigation, fraud prevention, offering complimentary services, etc., retain data for longer periods, and share it within their group. While necessary in this industry, consents are often not clear, and regulatory requirements may be unclear, or even contradictory. Entities must carry out data mapping and review existing formats to identify the above. Where consent is not possible, getting a regulatory requirement, or adopting industry standards, before the DPDPA comes into force is advisable. BFSI entities may also be significant data fiduciaries, which will mean higher compliance requirements,” said Arun Prabhu, partner & head – technology & telecom, at the law firm Cyril Amarchand Mangaldas.
As custodians of savings, and given the leveraged nature of the business and their systemic importance, banks may have the leeway to store data to safeguard the financial system. But they would have to deal with conflicting rules: while the Reserve Bank of India (RBI) may like banks to preserve customer information for years, the new law would require the bank to destroy data of individuals who cease to be clients.
At present, most banks are clueless about how to navigate the new law, which could also restrict them from sourcing customer information from social media or buying data from external agencies. To begin with, banks must find out what data resides with them, and create a legal framework for collecting data and obtaining consent from customers. It could mean changing several forms banks ask customers to sign.
Also, banks regularly share customer data with subsidiaries and joint venture companies in businesses like brokerages, non-banking finance, asset management, and insurance. Will the law stand in the way?
According to Supratim Chakraborty, partner at Khaitan & Co, “India’s new data protection law does not impose any blanket restriction in relation to cross-selling. Cross-selling benefits financial customers by diversifying available options, encouraging tailored product discovery for customers, relieving them of the burden of finding the right product besides encouraging innovation. That said, the manner in which it is carried out today may be disrupted once the DPDPA comes into play.”