Shri M. Rajeshwar Rao, Deputy Governor of the Reserve Bank of India (RBI), remarked that data protection and privacy laws should precede large scale open banking frameworks. He made the remarks in a webinar on Open Banking organized by Tata Consultancy Services (TCS) in association with the Embassy of India in Brazil, on April 14, 2021.
The Open Banking Framework
Open banking is the sharing and leveraging of customer-permissioned data with third-party developers to build applications and services. The developers could then go on to innovate services that provide real-time payments, greater financial transparency options for account holders, marketing and cross-selling opportunities, etc.
Earlier, the financial system focused on payment channels and transactions. However, now it also looks to access financial data of customers to build new service models and remove inefficiencies in the system. Therefore, financial regulators are beginning to acknowledge that enabling a simplified framework for the exchange of financial data has the potential to transform the financial system. It could ultimately lead to product innovation and better facilitation of financial services for customers and end-users. The Deputy Governor thus also remarked that access to financial data could boost future economic growth.
He further added that:
An individual’s financial data is normally fragmented and spread across in the silos of data warehouses of financial institutions, government bodies and in some cases regulators. Though there exists some sort of formalized frameworks for seamless, safe, and swift data sharing between financial information providers (FIPs) and financial information users (FIUs), there still exists a void in terms of legally enforceable and permitted integrated solutions to aggregate user data for a seamless, wide-ranging picture of the financial history and transactions of the individuals and firms. Consequently, this vast amount of fragmented information is not being effectively optimized to identify and address financial needs and provide comprehensive service delivery to end-users.
Open Banking in India
In its pursuit of open banking, India has enabled Non-Banking Financial Companies (NBFCs) that are licensed to undertake customers’ consent management.
An Account Aggregator is another entity which has a license to consolidate the financial information of a customer that financial entities typically hold. It acts as an intermediary between Financial Information Providers (banks, insurance companies, pension funds, etc.) and Financial Information Users (entities using the data to provide services, regulated by any financial sector regulator), and facilitates the flow of data between them through Application Programming Interfaces (APIs).
This flow of data is based on explicit consent of the customer and an appropriate agreement between the account aggregator, the customer, and the financial information provider. The regulatory regime and the agreements ensure that the account aggregator does not utilize the data for any purpose other than what it is authorized for. It deploys explicit and robust data security and customer grievance redressal mechanisms to protect the customer’s interest.
Further, the RBI and NPCI have introduced the sector-disruptive UPI. They released its API for banks and third-party app providers to build upon.
Speaking of UPI and data security, the RBI recently introduced UPI help for digital payments and issued a Master Direction on Digital Payment Security Controls.
Comments on Data Protection and Privacy
Briefly touching upon the issue of data ownership, the Deputy Governor asked whether financial institutions that hold customers’ data should act only as agents or should have an ownership stake driven by commercial considerations. He opined that the right to data accessibility and usage should clearly vest in the ‘owners’ of data rather than the ‘holders’ of data.
Further, he says that in open banking frameworks, strong data protection and privacy laws should ideally precede large scale adoption.
“In open banking frameworks, risks associated with the loss or theft of personal data on account of poor security, data protection violations, money laundering, and terrorist financing concerns cannot be ruled out. Therefore, large scale adoption of open banking frameworks should ideally be preceded by strong data protection and privacy laws. Such laws should anchor the ownership rights and ensure control and consent-based use of the data. They should also establish the boundaries of rights and obligations of third-party use, down-streaming of data to fourth parties and reselling it. India has already embarked upon the same and The Personal Data Protection Bill, 2019 has already been introduced. The Bill seeks to provide for protection of personal data of individuals and establishes a Data Protection Authority for the same.”
Lastly, he also said that all stakeholders need to appreciate that while technological innovation is of paramount importance, customer privacy and data protection are non-negotiable.
The Deputy Governor also touched upon other risks of open banking: customer liability in case of fraudulent activity, cybersecurity and operational risks, compliance and reputational risks, and the constant updating of regulations governing grievance redressal.
You can read the full speech here.