Data Security and Privacy for Financial Inclusion: Workshop Notes

Posted on June 13, 2018 by Sumita Kale

A workshop was organised by the Indicus Centre for Financial Inclusion in New Delhi on Friday 18th May 2018. Vibrant deliberations took place under Chatham House rules amongst 21 discussants spanning government, service providers, research institutions, thinktanks and intermediaries. A summary of the discussion and the main takeaways are presented in this post. Please feel free to mail in comments to sumita@indicus.org  

Agenda: Provision of financial services is enabled by easy sharing of data – including those on digital transactions and personal identity.  This is even more the case for the financially excluded, who do not have a significant enough asset base.  However, the sharing of such information has given rise to new concerns and Indian regulators and policy makers have to look for a balance between innovation, convenience and customer protection.
There were four main themes set for discussion:

  • What kind of data should be classified and restricted and what should be shareable? How do the key benefits and key risks differ for the excluded?
  • What are the possible sources of transactional risk and security breaches in data sharing?  What are the global best practices and how can they be translated for Indian conditions?
  • How should customer consent architecture be framed and monitored, such that low literacy customers do not unknowingly give away information or leave the door open to be manipulated in future?
  • Who will protect and how? What is the role of the sectoral regulator vis-a-vis the Justice Srikrishna proposed National Data Protection Authority?

Part I: Open discussion - the main points that emerged were as follows:

 

A. Regulatory Framework

a)   While there remain gaps and grey areas in the regulatory framework, there is also a need to remove many unnecessary hurdles.  The resultant lack of clarity and unnecessary demands from stakeholders are delaying innovation and investment. 

  • Regulation must follow the principles of necessity, proportionality and legality. 
  • Overly prescriptive regulations hit hard, hinder innovation and lose relevance.  
  • Simplicity and minimal regulations need to be the overarching guiding principles. 
  • Cost benefit analysis of proposed regulations is the need, as was also recommended by the Financial Services Legislative Reforms Commission (FSLRC).  
  • Insistence on OTP and mobile as the sole authentication mode is problematic considering that the whole family or even a SHG (Self-Help Group) often share a single mobile number. Alternative options must be explored and made available.

b)   Regulation must be consistent and well-coordinated while avoiding confusion, ambiguity and contradiction.

  • RBI has recently come out with data localisation guidelines for payment systems even as the outcome of the Experts Committee on Data Protection Framework is awaited. Issues around data ownership and sharing need clarity.  This disjoint can be circumvented by the Experts Committee and the RBI coordinating on their views.
  • Multiple regulators exist within the financial services sector, and these, along with other relevant ones like TRAI and CCI, need to act in sync. This synchronisation could be enabled through the FSDC, which could act as a platform for the same, with suitable empowerment.

c)  KYC (Know Your Customer) norms are needed to mitigate risks from money laundering and terror finance, but they must be proportionate to risk and apt in terms of context. 

  • Overly burdensome and tough KYC (e.g. signing of FATCA) raises the cost of servicing the poor, thereby exacerbating financial exclusion rather than bridging it.  
  • RBI requirement for credit reporting for SHGs has led to a huge rise in additional documentation of around 140 fields of information per customer, increased cost for banks, reduced credit availability for the groups – and the banks and the SHGs have no idea why this information is being collected. 
  • Central KYC Registry (CKYCR) was supposed to avoid the need for multiple and repetitive KYC but continues with a paper-based system and without integration, even as it asks for unnecessary information like names of both parents.

d)   Appreciation of technology – in terms of both its use and limitations – is rather inadequate amongst the regulatory institutions and must be enhanced. Special efforts need to be made by the regulatory institutions and also in the DFS.

B. Customer Information and Consent

  • An app like BHIM should not have access to information on all the bank accounts of the customer.
  • Customers should be made aware of which pieces of data are being collected for regulatory compliance, what additional data is being collected for business purposes and which pieces of information/ data cannot or should not be collected at all. 
  • Further, customers should be empowered to make informed choices.  Improved customer information and decision-making need to be a policy objective.
  • Even where there is positive discrimination, the same must be communicated transparently - for instance, higher rates for deposits for senior citizens.
  • As long as an individual cannot be identified, data should be sharable. E.g. Singapore has started a public database where postal code, size of flat and the rent are published without identifying the particular property.
  • Even as we are concerned about privacy, location identifiers like village name or urban block or neighbourhood are critical for improved service to low income customers; such information should not, however, compromise individual or group security.   
  • Consent and Privacy agreements should be converted into visuals for easier comprehension.  A comic book like approach would greatly help low income and less literate populations.

C. Security and Privacy

  • While the migration from paper to digital has reduced data leaks dramatically, data at rest as well as in transit need better security to mitigate breaches.
  • Excel sheets increase data breaches and hence, application program interfaces (APIs) should be used.
  • Passwords should not be stored in plain text or using weak encryption.
  • Data leakage has been happening significantly through Aadhaar intermediaries.

D. Miscellaneous

  • Grievance redressal mechanism should be easy, accessible, speedy and affordable.  (Indicus workshop on this topic was conducted last year). 
  • More clarity is needed on role of whistle-blowers.
  • Scan and pay QR code is cost-effective but is not picking up.
  • The role of open APIs/open banking in reducing the cost of servicing customers should be explored in greater depth.

Part II: The discussion concluded with a list of suggested Dos and Don'ts for policy makers and industry

What to DO

  • Principle based regulation based on the trinity of principles, viz. necessity, proportionality and legality
  • Tiered KYC and consent norms proportionate to risk and apt for context and customer segment 
  • Keep costs in terms of both time and manpower low to ensure sustainability of services to low income customers
  • Raise regulatory enforcement capacity and capability of regulators
  • Allow data sharing across government agencies for larger public good
  • Institutionalise real-time, anonymised data that will aid policy and regulation (NSSO)
  • Raise capacity within regulators; government needs more open consultation with tech and industry
  • Allow public sharing of anonymised data
  • When data is shared, the source of the data should be mentioned – e.g. whether the data has been sourced directly from the consumer or from a bank or third party should be named
  • While giving information, customers should know which data is needed by law and which is being collected by the service provider for its own business (there should not be too many categories, however, as that may confuse the customer)
  • The primary collector of customer data should be responsible for it. 
  • Regulatory architecture should be simple (it is important to raise regulatory capacity to appreciate the concept of simplicity; overburdening industry and customers should be avoided)

What NOT to do

  • Prescriptive regulation and compliance overload should be avoided
  • Do not apply the same rule for all, keep proportionality in mind to avoid burden on low income customers
  • Restrict mandates – e.g. OTP may not be suitable for all – customers should have choice of which mode of authentication to use
  • Issuance of guidelines on Friday evening should be avoided
  • Knee-jerk regulations in response to events should be avoided, following the principle: when in doubt, don’t regulate
  • Anonymity should not impact sharing of hyperlocal (village or neighbourhood) information, as that is the most critical for many services to the poor

 
