[Manal Shah is a B.A. LL.B. (Hons.) student at NUALS Kochi and runs the Securities Blawg.
The first part of this series is available here]
Financial institutions deal with sensitive information. If they suffer a data breach, a large volume of data is exposed to criminal misuse such as theft and identity fraud. It is therefore important to understand the impact of the draft Bill on financial institutions and to map out the steps they must take to become compliant.
Financial data under the draft Bill covers any personal data arising from the relationship between a financial institution and the data principal. This brings account numbers, credit card numbers, financial status, credit histories and, most notably, transaction histories within the ambit of financial data.
Data sits at the centre of all financial activity and is continually shared by financial institutions. Under current practice it passes from one institution to another, to employees, and to third parties contracted for risk management or for outsourced development and support functions. Such third-party vendors routinely access personal client data. The draft Bill therefore imposes accountability on an end-to-end basis: compliance is required not only of the bank but of all its support functions, so that vendors cannot dissociate themselves from data protection obligations.
Banks and financial entities are no strangers to stringent regulation. Their ordinary activities, such as onboarding, relationship management, segmentation, personalisation of services and risk management, entail the collection and collation of customer data. In the course of these activities, financial data is exposed to several employees and third-party personnel at different stages, which is the focal point of the draft law's effect on this industry.
Following its enactment, the legislation is expected to be implemented in phases, much as the GDPR was. Under it, personal identifiers such as names and email addresses are personal data. The law mandates explicit consent, in contrast to the automatic opt-in method widely in use today. It further requires disclosures to customers about the quantum of information held by the organisation and the purposes for which it is used. Consent must be obtained before processing, and the institution must record what information was given to the customer when consent was obtained, and when and where it was taken. Finally, institutions must recognise that customers now have the right to withdraw that consent.
The complexity of this law should not be underestimated. Institutions must, first, analyse their existing data protection set-up; second, identify the gaps between that set-up and the requirements of the new law; and, finally, conduct an internal data impact assessment to define the scope of work required. Non-compliance attracts not only a heavy economic penalty of up to 2% of the entity's annual global turnover, but may also cause customer dissatisfaction and reputational loss, reducing the confidence of customers, shareholders and investors.
At present, personal data is scattered across different systems and storage platforms within financial institutions. These institutions need to locate personal data and plan its future structuring so as to provide an accessible, consolidated view of client data. Some financial institutions, such as wealth managers, gather unstructured client information and must decide how to capture and process it while retaining an overall view of the data and implementing a clear policy framework. The draft Bill implies a latent transformation of data structures, because it compels an understanding of all data flows across the many IT applications and systems in the institution, as well as organisational changes in the form of measures to keep sensitive financial documents secure and to maintain records of transactions. This calls for archiving all records in an unaltered, tamper-free form, and for destroying such data once the permitted retention period has expired.
A financial institution, as a data fiduciary under the draft Bill, must identify the points at which its customers' data is accessed and captured, and is obliged to safeguard personal details at every stage a financial document passes through. Secure archival of both offline and electronic documents is prescribed. The draft requires a record of the data processed and the mode of processing, and that data must be presented to the customer on request as part of the right to data portability. An entity may find this requirement difficult to meet if it holds data on different systems or on legacy systems that are not compatible with newer software. The right of erasure puts 'off-boarding' under the spotlight, since it would not be appropriate to retain customer data beyond the permitted retention period or the expiry of the contract.
Another significant task with far-reaching effects is the re-training of client relationship managers, the establishment of new customer relationship norms, and a sizeable exercise of amending third-party contracts to incorporate additional privacy obligations. Depending on the services offered, the size of the business and the types of customers served, the draft Bill may affect different types of financial institutions differently. The bigger the entity, the heavier its compliance burden, since personal data is likely to be handled by personnel and systems across many departments and divisions. Financial entities offering a high level of individualised service and client interaction, such as wealth management, will be most affected. This does not mean that smaller institutions will escape the impact; they may find compliance difficult owing to a lack of technological and economic means.
At the outset, the author's main concern regarding the right to erasure was its effect on crime detection. Fortunately, the draft Bill recognises 'reasonable purposes' for which processing may continue, including the prevention and detection of any unlawful activity including fraud, whistle-blowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, and the processing of publicly available personal data. This matters given the role of financial institutions in detecting criminal activities such as money laundering, fraud and insider trading.
Despite the groundbreaking changes that corporates will have to make to their organisations, and the difficulties they will face in the process, the draft Bill amounts to an organised data protection regime that will be beneficial in the longer run. The Information Technology Act 2000 does not satisfactorily address the concerns of data privacy. There has long been a need for a dedicated data protection law, and this one, although largely inspired by European law, will work to the benefit of citizens and corporates alike.
– Manal Shah