In a recent development, the Delhi High Court received a Public Interest Litigation (PIL) from an applied economist, Reshmi P Bhaskaran, seeking to regulate the entry and operations of ‘TechFin’ platforms. Inter alia, the PIL asked the High Court to help develop a regulatory framework around the TechFin industry, also popularly known as the FinTech domain. Since then, the High Court has sought replies from various stakeholders, including the Ministry of Law, Ministry of Finance, RBI, SEBI, and NPCI regarding this issue.
The crux of the matter is that non-regulated technology platforms extend financial services without complying with the legal requirements that Financial Institutions (FIs) have to fulfill. FinTech platforms partner with existing entities and even enjoy access to the UPI ecosystem as third-party applications. This poses certain systemic risks relating to financial stability, citizen data, cybersecurity, and end customers at large (people and businesses), among others.
The absence of a dedicated regulatory framework also limits the true growth potential of FinTech platforms as they carry the mantle of financial inclusion. So, let us delve deeper into the challenges, regulations, and prospective solutions in this context.
Aadhaar, Personal Data, and FinTech
FinTech – an abbreviation for Financial Technology – has today brought about the much-needed change by taking banking to the people. Aadhaar has also played a major role in this development. How? Well, Aadhaar has a massive cache of data that can be accessed by FinTech operators for wide-ranging purposes upon receiving the end-user consent.
A large number of FinTech firms are now also harvesting alternative data sources that include a customer’s online spending behavior and social media patterns. This data is typically stored and used for various use cases including targeted marketing, sales, and financial decision-making such as generating a credit score to determine a customer’s risk profile.
At the heart of this innovative approach lies people’s data. It not only includes payments or commercial data but also social data such as the interactions people have and the lives that they live. As data becomes the new currency, startups and financial institutions are willing to forego transactional fees to get rich digital information about their customers.
The collection of such in-depth, personally identifiable information poses legal questions as to whether customers are aware that it is being harvested. Legal concerns are also involved relating to data ownership and whether such data can be shared with third parties.
A few foreign entities have found a grey area when it comes to acquiring Indian customers’ data. They simply buy a stake in Indian entities for fulfilling this purpose. Some of these instances include TransUnion acquiring a 92% stake in CIBIL (Credit Information Bureau India Limited) and Facebook’s recent investment in Reliance Jio. This approach basically bypasses the adequate compliance procedures required for obtaining the explicit consent of the Data Principal.
For this reason, consent-based data access by all FinTech companies has to be streamlined. FinTech firms must have comprehensive and adequate privacy terms to comply with regulations while keeping their customers well-informed. Simultaneously, progressive policies must be developed with a holistic view of protecting economic stability, citizens and FinTech platforms as well as their innovations.
The 2019 Steering Committee report on FinTech issues recommends that an Inter-Regulatory Technical Group should be set up to support hybrid financial institutions. It suggests collecting data from unconventional sources for better credit scoring and improving credit accessibility. Its other recommendations include Open Database regulation to enhance competition and the creation of a data pool vis-a-vis the companies that provide homogeneous services.
We have to understand that lending is a unique sales transaction and, perhaps, the only one where potential buyers are rejected. Lenders have and exercise the right to know their customers by accessing their data. This is because the transactional risk is on them for a prolonged period.
The solution to this multifaceted challenge is that FinTech firms must embed security protocols and cross-platform harmonization into initial technology design phases (Privacy by Design). Embedding such measures initially minimizes the vulnerabilities that later crop up such as cross-platform contamination. Startups must further expand procedural testing and audit processes for multi-platform compatibility.
The best way to overcome integration issues is to conduct thorough testing, integrate data better, and delineate areas of responsibilities between all parties. This will also help to minimize the cybersecurity risks and compatibility issues due to multiplatform integrations.
To protect the personal data of customers, companies use tools such as cryptograms that track data to ensure it is coming from the client. But this is a rudimentary check. Any imperfection in the platform’s code can be exploited. To find software vulnerabilities such as insecure APIs, FinTech companies are now adopting a practice called “AI fuzzing.” Simply put, this process uses machine learning to identify potential loopholes in an app’s codebase before hackers can find them.
In terms of innovation, the UK pioneered the regulatory sandbox concept in 2015 to encourage FinTech innovation and ease regulatory burdens while ensuring adequate customer protection. The sandbox model involves a temporary relaxation of certain regulatory requirements. It allows early-stage startups to test their products for a limited period without having to obtain a full license and regulatory permissions. This approach effectively reduces the entry-level hurdles and costs for startups while unlocking innovations. A variation of this approach is now also being seen in India with regulators including RBI, SEBI, and IRDA launching their unique regulatory sandboxes.
Another area of interest for regulators should be Blockchain. It is faster, more transparent, and efficient when compared to the traditional front, middle, and back-office functions in FIs. On this front, India is doing well by developing IndiaChain, which might eventually become the heart of governance in our country. Regulators must proactively collaborate with NITI Aayog and the GoI for a robust system that brings superior efficiency to the system.
In conclusion, as respective stakeholders aim to regulate the FinTech segment, interesting times are ahead of us. We will observe the rise of middleware solutions providers that will have dedicated use cases ranging from cybersecurity to legal compliance. Such approaches, supported by a strong regulatory framework, will decrease the go-to-market time of FinTech startups and their products while also making the process more cost-effective for them.
Views expressed above are the author’s own.