India's digital lending landscape has been rapidly evolving, driven by technological advancements and changing consumer behavior.
In August 2023, India ushered in a new era of data protection with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act). This legislation significantly impacts digital lending entities, which rely heavily on consumer data for various functions, including underwriting and risk assessment. Concurrently, in September 2022, the Reserve Bank of India (RBI) introduced the Digital Lending Guidelines (DLG) to regulate data management practices specific to digital lending platforms.
In this blog post, we explore the implications of the DPDP Act on the digital lending sector in India, considering its intersection with the DLG and providing a comprehensive overview of the regulatory landscape.
Understanding the Regulatory Landscape
The DPDP Act introduces stringent requirements for the collection, processing, and protection of personal data, impacting digital lending platforms that rely heavily on consumer data for various functions including underwriting and risk assessment. While the DLG primarily focuses on data management practices specific to digital lending entities, the DPDP Act sets broader data protection standards applicable to all businesses operating in India. Both frameworks emphasize transparency and consent in data collection, however, they differ in their approach to certain aspects such as data localization and cross-border data transfer.
Consent and Data Processing
One of the key provisions of the DPDP Act is the requirement for obtaining explicit and informed consent from borrowers for the collection and processing of personal data. This aligns with the principles outlined in the DLG, emphasizing transparency and consent in data collection practices. However, the DPDP Act introduces the concept of legitimate use, allowing data fiduciaries to process data without explicit consent in certain circumstances, provided it serves a lawful purpose.
Data Localization and Cross-Border Data Transfer
A significant difference between the DPDP Act and the DLG lies in their approach towards data localization and cross-border data transfer. Under the DLG, the process for collecting Digital Personal Data (DPD) is distinct from the process under the DPDP Act. While the DLG mandates data localization, i.e., storage of data within India, for digital lending entities, the DPDP Act provides more flexibility, allowing cross-border data transfer except to countries specified in a negative list by the Central Government. This difference poses challenges for digital lending platforms in aligning their data management practices with both sets of regulations.
Under the DPDP Act, data fiduciaries and data processors are required to delete any DPD that is collected once the intended use of such collection has been satisfied. However, this is in contradiction to the existing Know Your Customer Directions (‘KYC Directions’) issued by the RBI. The KYC Directions mandate financial institutions to maintain records of transactions with their customers and the data of such customers for a minimum period of five years, which seemingly contradicts the position under the DPDP Act.
Data Retention and Security
Both the DPDP Act and the DLG emphasize the importance of data retention and security measures. While the DLG sets stringent requirements for data retention and mandates minimal data storage, the DPDP Act provides more flexibility, allowing data fiduciaries to retain data for legal or business purposes. However, data fiduciaries are obligated to ensure the accuracy, completeness, and security of the data they process, in line with the provisions of both legislations.
Compliance Challenges and Regulatory Oversight
Digital lending entities now face the challenge of navigating compliance with multiple regulatory frameworks, including the DPDP Act and the DLG. The establishment of the Data Protection Board of India (DPBI) under the DPDP Act adds another layer of regulatory oversight, potentially leading to overlapping jurisdiction with existing regulators like the RBI. This dual regulatory landscape necessitates robust compliance mechanisms and a clear understanding of the obligations imposed by both sets of regulations.
The quintessential structure of most fintech companies involves two entities, i.e., the regulated entity and the fintech operate. The regulated entity is typically a financial institution regulated by the RBI that provides the financing to customers. The fintech operate runs the digital platform through which customers avail financing. Currently, the DLG places the onus of protecting a customer’s DPD on the regulated entity. Such an entity has the additional obligation of also ensuring that the fintech operate complies with and ensures the privacy and the protection of a customer’s DPD once collected. The fundamental challenge faced in the fintech space with the introduction of the DPDP Act is the inability to determine whether the regulated entity or the fintech operate is a data fiduciary and/or a data processor. The broad manner in which a data fiduciary and a data processor have been defined under the DPDP Act, ensures that both regulated entities and fintech operates fall within the ambit of data fiduciaries and data processors as defined under the DPDP Act, respectively. Currently, both regulated entities as well as fintech operates determine the purpose for the collection and the means of processing DPD and collect and process DPD. Hence, fintech companies will now have to explicitly identify the exact nature of the relationship between the regulated entity and the fintech operate and their respective obligations prior to collecting the DPD of a customer. Be that as it may, given the ambiguity and the opacity in the DPDP Act, both the regulated entity and the fintech operate would still fall prey to the ambiguity of the extensive legislation. Furthermore, this position seemingly contradicts the DLG as regulated entities as well as fintech operators will be liable for any breach in the governance of DPD, whereas under the DLG only regulated entities were liable.
Building a Compliance Framework
To effectively navigate the implications of the DPDP Act on digital lending in India, entities must adopt a proactive approach to compliance. This involves:
- Identifying their role and responsibilities under the DPDP Act and the DLG.
- Understanding the nature of data handled and implementing data management practices compliant with both regulations.
- Developing a comprehensive data compliance framework, incorporating provisions from both the DPDP Act and the DLG.
- Ensuring transparency, consent, and security in data processing practices, aligned with the principles outlined in both legislations.
- Training the workforce and all stakeholders on the requirements of the DPDP Act and the DLG to foster a culture of compliance within the organization.
Conclusion
The implementation of the DPDP Act brings in a new era of data protection and privacy in India, with profound implications for digital lending entities. While aligning with the provisions of the DPDP Act presents challenges, it also presents an opportunity for digital lending platforms to enhance trust and transparency in their operations. By proactively addressing compliance requirements and adopting robust data management practices, digital lending entities can navigate the regulatory landscape effectively while continuing to innovate and serve the evolving needs of their customers in the digital age.
