Data PrivacyData Privacy and Security in Banks

INTRODUCTION

Banking is one of the most vulnerable industries to privacy violations because of the sensitive and highly personal nature of the information exchanged, recorded, and retained. The management of an individual’s personal information, financial records, account access information, and credit histories information is increasingly becoming the foundation of banking operations.

In today’s era, paperless transactions are decreasing because of which only information is traded, which in turn has increased the need to protect such information.

The use of the Internet, Automated Teller Machines (hereinafter referred to as “ATMs”), mobile phones, and other technology in electronic banking has already altered the way that people conduct banking.

Information is clearly one of the Banks’ most valuable assets. It must be safeguarded in order to establish and maintain trust between a bank and its customers. Information technology has progressed from being a business enabler to a business driver. Information security is a critical organizational function that allows other business functions to operate effectively.

In the Banking Industry, privacy violations can occur in a number of ways, such as when:

• Personal Data is shared with third parties for marketing purposes without consent;
• Banking information or card of a customer are stolen or lost;
• Personal Data is shared with or given to third parties without the customer’s knowledge;
• An individual is not adequately informed about how their data will be used;
• More Personal Data is collected than is necessary; and
• A customer refuses to provide that information.

DATA SECURITY PRACTICES FOLLOWED BY BANKS

Pursuant to the data theft and breach of security, the banks must adopt an all-round security strategy to protect sensitive data of its customers in order to prevent internal or external data breaches. Few ways in which this is done are as follows:

1. Authentication

Every bank transaction must first be authenticated in order to verify the identity of the person initiating it. This applies to customers who use online or mobile banking systems, visit the bank in person, or use credit/debit cards. It is also applicable to the employees of the bank who have access to the data of the banks and their customers.

2. Audit Trails

A statement or passbook containing a history of banking transactions is always available. In addition, banking systems also keep an audit trail for every event that occurs during a customer’s interaction with the systems.

Whether a customer uses phone banking or online banking, the time of the interaction, as well as the details of the interaction, are recorded in the audit trails. This data is backed up daily and is never completely removed, instead is being archived at predetermined time intervals.

3. Secure Infrastructure

Secure infrastructure refers to the database systems and servers where data is stored, as well as the boundaries that are set up to secure these. In most core banking systems, production data is encrypted.

Important data such as bank account numbers, customer names, and addresses must be masked, if testing is required. Production systems are not accessible. Bank employees are typically provided with specialized equipment that restricts access to social media, personal emails, and Universal Serial Bus (hereinafter referred to as “USB”) ports.

4. Secure Processes

Many processes have been established by banks to ensure that security is implemented and tested. This includes updating customer Know Your Customer (hereinafter referred to as “KYC”) information, requiring non-disclosure agreements from employees and vendors, securing special zones within the premises, and using remote data centers.

Additionally, processes related to global and national regulations are put into place, and risk analyses are done to make sure these processes comply with the rules.

5. Continuous Communication

In addition to the periodic account statements that are generated and sent to customers, banks communicate with customers on a regular basis about system upgrades, the implementation of new authentication procedures, and so on. Customers can also set limits and alerts based on various conditions to ensure that they are notified if any unusual activity occurs with their accounts.

LEGISLATIONS AND REGULATIONS GOVERNING DATA PROTECTION IN BANKING SECTOR

In India, data privacy is currently governed by the Information Technology Act, 2000 (hereinafter referred to as “IT Act”) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the “SPDI Rules”).

The SPDI Rules impose a number of obligations on corporate bodies (hereinafter referred to as the “Data Collector”) that collect and process personal information or sensitive personal data or information of a natural person who is a provider of said information (hereinafter referred to as referred to as the “Data Subject”).

In this regard, Section 43-A of the IT Act holds Data Collectors responsible for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information.

In case when negligence on the part of a Data Collector results into wrongful loss or gain to another person, such Data Collector may be held liable to pay damages to the affected individuals.

In addition to the IT Act, certain banking secrecy laws and other regulatory laws in India impose obligations to keep data secret and confidential. These laws address the following issues:

1. Reserve Bank of India issuances

Data Collectors must always follow the Reserve Bank of India’s (hereinafter referred to as “RBI”) data privacy guidelines, which are updated on a regular basis. The RBI  has issued instructions requiring all banks and payment system providers to localize payment transaction data in India and limit the storage of such data.

Additionally, the RBI has issued guidelines regarding the protection of customer data and the possible agreements that banks and non-banking financial companies (hereinafter referred to as the  “NBFCs”) may have with third parties.

2. The Banking Regulation Act, 1949

The Banking Regulation Act, 1949 (hereinafter referred to as the “Banking Regulation”) and its associated regulations also contain privacy principles in relation to regulating the collection, retention, and security of customer data.

3. The Credit Information Companies (Regulation) Act, 2005

The Credit Information Companies (Regulation) Act, 2005 (hereinafter referred to as the “CICR Act”) regulates the manner in which credit information companies handle data. The CICR Act specifies credit information, companies’ obligations regarding data access, data fidelity and secrecy, data collection and purpose limitation, disclosure norms, the obligation to maintain confidentiality, and accuracy.

Furthermore, the CICR Act empowers the Regulatory Authority to establish data retention standards from time to time.

4. The Bankers’ Book Evidence Act, 1891

The Bankers’ Book Evidence Act prohibits the officers of banks from making disclosures of bank records to anyone unless ordered by a court of law for a specific reason.

DIGITAL LENDING GUIDELINES

The Digital Lending Guidelines were introduced by the RBI in August, 2022 and more detailed guidelines were issued in September, 2022 wherein the RBI directed the Res to adhere to the new guidelines by 30.11.2022.

The revised Digital Lending Guidelines aim to simplify the digital lending process while also protecting consumers from lenders charging unusually high interest rates. The RBI has previously stated that the new Digital Lending Guidelines will prevent unethical loan recovery practices.

The Revised Guidelines are as follows:

• All loan disbursals and repayments are to be executed only between the bank accounts of the borrowers and the Regulated Entities (hereinafter referred to as “REs”), such as the banks and the NBFCs.
• It will cover areas across lending procedures, disclosures, technology, and data gathering by REs and it will also cover their Digital Lending Applications (hereinafter referred to as “DLAs”), and Lending Service Providers (hereinafter referred to as “LSPs”) engaged by them.
• In addition, REs rather than borrowers are responsible for paying any fee, charges, etc., due to LSPs during the credit intermediation process, according to the RBI’s statement.
• The RBI had stated that the REs should give the borrower a standardized Key Fact Statement (hereinafter referred to as “KFS”) prior to executing the loan contract.
• All-inclusive costs of digital loans should be given in the form of Annual Percentage Rate (hereinafter referred to as “APR”) to the borrowers and it will also form part of KFS.
• An automatic credit increase without consent would be prohibited and would require the borrower’s consent before it could be made.
• Furthermore, all involved REs must ensure that they have a qualified nodal grievance redressal officer who can handle complaints about fintech and digital lending. These grievance redressal officers must also handle grievances regarding the corresponding digital lending apps.
• Borrowers have a right to file complaints with the Reserve Bank Integrated Ombudsman Scheme if their complaints are not resolved by the RE within the allotted time frame i.e. currently 30 days.

BANKING SECRECY AND CONFIDENTIALITY

Banks are required to maintain confidentiality and secrecy in India.  In India, the scope of banking secrecy law has historically been based on common law principles based on implied contracts. The RBI has published circulars regarding banking secrecy.

In accordance with the 2015, RBI Master Circular on Customer Service in Banks dated 01.07.2015 banks had to maintain confidentiality stems from its contractual obligation to its customers, and no information should be disclosed to outside parties unless specifically authorized.

Furthermore, the RBI stated in the KYC Direction that when considering requests for data/information from the Government or other agencies, banks must satisfy themselves that the information sought is not of a nature that will violate the provisions of laws relating to banking secrecy.

AMLEGALS REMARKS

Banking consumers are still a “soft target” for new age attacks. Lack of client awareness, insecure customer endpoints, and their potential impact on banking system security remain major concerns. Individual bank efforts alone may not be sufficient to solve these challenges.

With assistance from the RBI, the entire Banking Industry must work together to raise security awareness among the banking clients. Banks, on the other hand, must improve their maturity in the area of customer-centric security.

While fundamental transaction security measures have been implemented, very few have been incorporated the next-generation authentication solutions such as dynamic tokens, identity grids, and risk-based authentication.

Although Data Privacy is largely governed by law and we currently lack the necessary legislation. The scope of Data Privacy is wider than simply obtaining users’ permission to collect and store data.

While banks and financial institutions are unlikely to grant their customers the “Right to Erasure” or “Right to be Forgotten,” they can certainly embrace Data Privacy as the norm.  With stringent self-regulation, Indian banks and financial institutions can help to build trust and transparency in the Indian digital banking scenario until laws are drafted.

Team AMLEGALS assisted by Mr. Lakshya Kothari (Intern)

For any queries or feedback, please feel free to get in touch with falak.sawlani@amlegals.com or aditi.tiwari@amlegals.com.