Data Privacy Policy and Concerns for FinTech Companies in India

January 19, 2022


The advancement and growth of the Internet have brought various benefits to the day-to-day lives of individuals. However, growth and advancement eventually result in an increase in concerns. One such concern that increasingly worries people is data privacy. The issue of data privacy becomes much more pressing in the FinTech industry, wherein data security and trust are the basis of client relationships.

FinTech companies in the digital lending market use cutting-edge strategies to grow their businesses. The credit decisions of such companies are based on alternative data rather than typical financial data. Contacts, frequent call lists, mobile storage space, reading texts and conversations, search history, GPS location history, and even social media activity can be used as alternative data for credit rating.

The FinTech industry in India has been expanding due to demonetization and the efforts of the Government to increase digital payments. FinTech is commonly known as “technologically enabled financial innovation that may result in new business models, apps, processes, or products with a meaningful impact on financial markets and institutions, as well as the provision of financial services”.


Data can be simply understood as information stored by or in a computer. Data privacy is also referred to as ‘Information Privacy’ in various contexts. It is a facet of information technology (IT) that deals with the ability of an organisation or an individual to choose what data in a computer system can be shared with others.

According to the Srikrishna Committee, privacy is determined by society and culture that decides what constitutes an invasion of privacy. The Srikrishna Committee further stated that the data protection standards are based on the trust of the citizens in the institutions that administer them such as the regulatory authorities or private enterprises.

The European Union (EU) stands first in terms of data protection legislation, particularly with the EU General Data Protection Regulation, 2018 (GDPR). Human dignity and privacy are at the heart of the EU’s data protection strategy.


According to the Information Technology Rules, 2011 (IT Rules) that govern data protection in India, privacy policies should clarify what type of data is being used, the goal of data collection, the third parties with whom data will be shared, and the possibility for the user to withdraw their consent; a method for resolving grievances must also be in place.

A common example of a breach of a data privacy policy arises when a FinTech company sends out newsletters, promotions, or other email communication and unintentionally uses the open CC field in an email. A corporation may also err by failing to blank out phone numbers or personal information of other customers, contacts, or ex-workers in their communications.

This may appear to be a little oversight; however, it still represents a severe violation of an individual’s privacy who has entrusted the company with their email and contact information.

Following are some policies that FinTech companies may adopt or may use while dealing with their clients:

  • In light of the best practices used in developing applications, FinTech companies may establish uniform coding patterns that would help them in smooth operation. Maintaining documentation of the code mentioned above would help new developers comprehend the background aspects. Any code manipulation should be detectable by changes, such as additions, removals, and/or other alterations made to the application and/or the competence of the people who produce it during its execution.
  • FinTech service providers must also have a sufficient track record in cybersecurity and data protection in general. Finastra, the third-largest FinTech company, was targeted by ransomware hackers in March 2020, owing to its position in the FinTech sector, as well as its unsatisfactory track record of cybersecurity and data protection, which included unpatched and outdated servers. Organizations that provide FinTech services to customers must conduct regular security audits and keep company files secured.
  • The GDPR imposes strict requirements on every company that deals with, targets, or collects personal data from EU citizens. Because of its broad territorial scope, it may impact an entity’s business even if it does not have physical operations in the EU, such as if it provides services or monitors the Data Subjects’ behaviour in the EU.
  • One of the key objectives of the GDPR is transparency; FinTech organizations would be expected to have a clear, accessible, and unambiguous privacy policy, which would be brought to the user’s attention by default.

FinTech and technological developments in the financial sector are becoming increasingly inevitable and commonplace, and are assuming greater importance and significance with time, accelerated by global incidents such as the COVID-19 pandemic. Such difficult circumstances would make it extremely challenging for FinTech companies to stay in consonance with the ever-evolving compliance requirements and regulations in place.


Partnering with organizations that provide additional data privacy and cybersecurity solutions can help any financial services provider gain greater trust and value. It is important to look for solutions that include dark web scanning, data broker removal, VPN and Wi-Fi protection, fraud alert, identity theft protection, and other features that protect what the customers care about the most: their sensitive and personal data.

Some of the major concerns faced by FinTech companies are:

1. Increased Phishing: During the pandemic, phishing has become more prevalent, and FinTech is not immune to this type of attack. Hackers pursue individuals for credit card and account information to gain access to their bank accounts.

The way to resolve this concern is by implementing and providing account monitoring for users, to keep an eye on their accounts for fraudulent activities. FinTech firms should also provide two-factor authentication with various authentication choices to make it simple for customers to convert. Furthermore, offering a service that runs dark web scans to users would also help to reduce fraudulent activity.

2. Third-Party Data Sharing: Even if a FinTech company has a good data privacy policy, it would not matter if it is not adequately communicated to customers. FinTech enterprises, according to over 75% of consumers, are more likely than traditional firms to sell their data. It is pertinent to note that approximately 62-81% of the FinTech app users are unaware that the applications can access various data or sell their data to third parties.

FinTech firms should be transparent about their data acquisition practices. Consumer trust can be increased only by incorporating those policies into marketing. Because of the nature of their products, financial services are built on trust more than other service providers.

If companies promote good data privacy procedures but fail to meet consumers’ expectations, the trust of the consumers is jeopardized. FinTech companies that are more transparent in describing the data they collect and how they use it will have a better chance of succeeding than other companies.

3. Deep Fakes: With each revolution in technology, organizations quickly pivot from one project to the next, often leaving behind something that is no longer relevant. While this is wonderful for providing customers with the most relevant products and services, it can invite security risks. Time and again it has been noted that abandoned web applications, APIs, and subdomains were the source of security, privacy, and compliance issues for several FinTech start-ups.

Deleting data from abandoned projects is a great way to enhance a firm’s security. Another option is to use a product or service that scans the dark web for the customers. This service will assist in detecting fraudulent activities on the Internet that may have gone unnoticed in forgotten initiatives.

Financial services are evolving, with technology playing a significant role. It is changing the way financial services are delivered, from credit and lending to insurance and possibly the future of money.


Technological advancements are generating an increasing amount of data, mostly to satisfy the financial services industry’s seemingly insatiable appetite for data. Cash is increasingly discouraged; the only alternatives available to the consumers do not safeguard privacy since they generate even more data.

As discussed above, there are various concerns that the FinTech companies have to face, and with these concerns, the companies have to face several challenges.

With the rise of FinTech businesses and the promise of financial inclusion, it is more important than ever that the consumers who use these services make informed data decisions. With an increase in technology, the role of FinTech firms would grow at a substantial rate.

FinTech firms will have to develop a system that would help them achieve smooth functioning and help them tackle issues that the consumers will face. Since FinTech companies rely largely on technologies like Artificial Intelligence and Machine Learning to decrease costs associated with client acquisition and service provision, the Personal Data Protection Bill, 2019, could significantly influence their business models.

– Team AMLEGALS assisted by Mr. Nimish Mundra (Intern)

For any query or feedback, please feel free to get in touch with or


© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

