KYC: Interplay between Data Privacy and FinTech – Part I

November 12, 2021

INTRODUCTION

The rapid advancement in digital technology has resulted in the transformation of the economic and financial landscapes in India. One such example is the evolution of the FinTech industry including advancements such as Blockchain, Digital Currencies, Mobile Wallets & Payments, Payment Gateways, Payment Aggregators, Peer-to-Peer Lending Platform and Marketplace Lending.

FinTech, short for Financial Technology, is a broad category that encompasses the different technologies and software used by businesses to deliver financial services more efficiently and quickly, such as online banking, mobile payment apps, digital investment platforms, digital lending platforms, etc.

As per the Financial Stability Board (FSB), FinTech is defined as

“technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.

The main goals of FinTech are to transform the way people and businesses access money and to compete with established traditional financial services.

FinTech has been around longer than one may think, as the history of Financial Technology can be traced back to the late 19th century when the internet and e-commerce business model took off.

Thereafter, India’s profound customer demand, diverse capital flows, technological development, more tech-savvy personnel and enabling policy framework have further fuelled the growth of the FinTech sector in India, which has led to the emergence of the E-Commerce Model, Online Stock-Brokerage Services, Online Banking, etc.

In India today, FinTech poses a great challenge to the traditional financial infrastructure as more and more traditional services shift towards a new technological paradigm, such as using Payment Apps or E-Wallets instead of traditional cash payment options. FinTech players are redefining business models across different segments of the financial services industry by enabling them to improve service delivery systems.

However, despite the plethora of opportunities that FinTech offers the financial sector, it also faces various challenges, from consumers and financial institutions to regulators, in terms of privacy, consumer protection, transparency, data security and cyber security.

Through this series of articles, we attempt to analyse the role of Know Your Customer (KYC) policy in addressing the challenges faced by consumers regarding the privacy and security of data stored by FinTech companies in India.

THE INDIAN FINTECH SCENARIO 

The FinTech sector in India comprises Lending, Wealth Technology (Wealth Tech), Insurance Technology (InsurTech), Payments and Regulation Technology (RegTech).

The FinTech sector in India is growing tremendously. It witnessed massive growth in FinTech Start-ups during the period 2015-2020 and has now become one of the fastest growing FinTech markets in the world. As per the “MEDICI India FinTech Report 2020 2nd Edition”, India has had the second highest number of FinTech firms in the last three years, after the USA.

Thereafter, the demonetization drive conducted in the year 2016, which brought in rapid adoption of digital payments, has further fostered the development of the FinTech sector in India.

As per the report of the Federation of Indian Chambers of Commerce & Industry (FICCI) and Boston Consulting Group (BCG), ‘India FinTech: A USD 100 Billion Opportunity’, there are at present approximately 2100+ FinTech companies in India. Currently, the FinTech industry in India is valued at around US$ 50-60 billion and has the potential to reach a valuation of US$ 150-160 billion by 2025, increasing threefold in five years.

In India, there is, as yet, no unified code of laws to govern the FinTech sector, and therefore each segment under the FinTech sector has to be governed based on the services provided, such as –

  • Reserve Bank of India (RBI) governs FinTech companies dealing with Payment or Lending services.
  • The Securities Exchange Board of India (SEBI) governs certain FinTech activities involving security and advisory functions, which include Fund Administration, Algorithmic Trading, Peer-to-Peer Trading and Exchange-Traded Funds.
  • The Insurance Regulatory and Development Authority of India (IRDAI) governs activities falling within the ambit of InsurTech or those falling under the Insurance Sector.
  • The Payment and Settlement Systems Act, 2007 (PSSA) regulates digital payment and settlement mechanisms.
  • The Information Technology Act, 2000 (IT Act) and corresponding rules ensure a secure IT framework and the privacy and security of consumers’ private and confidential data.

FINTECH COMPANIES AND KYC REQUIREMENTS

As discussed in the previous blogs, Know Your Customer (“KYC”) is an efficient mechanism, which allows businesses to instantly verify and validate a customer’s identity. The use of KYC for companies providing financial services i.e. FinTech is crucial, as it helps in preventing illegal activities such as money laundering, terrorist financing, etc.

In India, as per the RBI norms, all legal and financial institutions are required to validate their customers to prevent the occurrence of any illegal or fraudulent activities.

The RBI, vide the Master Direction – Know Your Customer (KYC) Direction, 2016 (“KYC Direction”) dated 25.02.2016, governs the KYC process in India. The process of KYC starts with verification of the Proof of Identity and Proof of Address of a customer.

For Proof of Identity:

The documents required for Proof of Identity can be Officially Valid Documents (OVD), as defined under Regulation 3 (xiii) of the KYC Direction, such as –

    • Passport;
    • Voter’s Identity Card;
    • Proof of possession of Aadhaar Number;
    • PAN Card;
    • Driving License;
    • NREGA Job Card; or
    • UIDAI Letter. 

Where the customer is unable to furnish OVDs, additional documents such as Government Issued ID Cards or a Letter issued by a Gazetted Officer can be accepted.

For Proof of Address:

The documents required for address proof can be OVDs. However, where the OVDs furnished by the customer do not have an updated address, the customer can submit the following documents, such as –

    • Utility Bill;
    • Property Tax receipts;
    • Bank Account Statements;
    • Electricity or Telephone Bills;
    • Pension Payment Orders;
    • Employer’s Certificate for Proof of Residence etc.

The KYC Direction is applicable to all “Regulated Entities” which includes, inter alia, all Payment System Providers, Payment System Participants as well as Prepaid Payment Instrument Issuers, requiring them to implement KYC Policy, Customer Acceptance Policy and a risk-based approach for risk management while undertaking transactions with their customers.

The main objective behind the KYC requirement is to help Banks and other Financial Institutions to adequately assess and validate their customers, which would, in turn, help them identify potential threats as well as other illegal or criminal activities while verifying the KYC documents.

Therefore, the FinTech companies are mandated to collect the details of Aadhaar of an individual eligible to enrol and receive an Aadhaar Number as per the KYC Direction and conduct KYC Authentication based on Aadhaar data for account-based relationships, since as per Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), private companies were permitted to use Aadhaar for establishing customer identities.

Further, the Aadhaar (Authentication) Regulations, 2016 (Aadhaar Regulations) allowed an entity that was authorized to utilize e-KYC Authentication Facilities under the Aadhaar Regulations to share the e-KYC data of the holder of the Aadhaar Number with other entities for a specified purpose, provided the concerned individual’s consent was obtained.

This was all the more relevant for FinTech companies that offered a wide range of services through their group companies, since they could on-board customers without the need of having each company of the group undertake the KYC process. The Aadhaar based e-KYC facility provided by the Unique Identification Verification Authority of India (UIDAI) proved to be very helpful for FinTech companies.

As a result, the majority of FinTech companies relied on the OTP based e-KYC process as recognized by the Aadhaar Act as well as the KYC Direction for compliance with the requirement of the Customer Identification Process provided under Regulation 13 of the KYC Direction.

However, the Supreme Court in the case of K. S. Puttaswamy (Retd.) v. Union of India [Writ Petition (Civil) No. 494 of 2012] (Puttaswamy Case), struck down a part of Section 57 of the Aadhaar Act, 2016 which permitted private companies to use an individual’s Aadhaar Number for establishing his/her identity for any purpose, stating it to be violative of the Fundamental Right to Privacy of the concerned individual.

The judgment in the Puttaswamy Case had a major impact on the FinTech sector, as the restriction imposed on FinTech companies’ access to the central KYC registry for the customer identification process, that too in the absence of adequate legislative backing, caused operational difficulties for FinTech players, especially Start-Ups, in conducting their customer identification process in a cost-effective manner.

Therefore, post the verdict, the UIDAI introduced other legally recognized offline tools for identity verification such as:

  • Offline QR Code for Aadhaar that holds the non-sensitive details of the user who is also not required to share their Aadhaar number, biometrics and/or mobile number with the private entities;
  • Paperless or local e-KYC which involves the generation of digitally signed Extensible Markup Language (XML) that offers a secure sharable document to be used by the Aadhaar holder for offline identity verification.

Considering the challenges faced by the FinTech Industry in undertaking the KYC procedure, the Steering Committee on Fintech recommended several options for easing KYC standards such as Original Seen and Verified (“OSV”) Correspondents for Physical KYC, e-Sign, Non-Face-to-Face Onboarding, and Offline Authentication Mechanisms prescribed by the UIDAI.

The FinTech Industry, especially the Start-Up Sector, breathed a sigh of relief when the RBI introduced Digital KYC and Video-Based KYC processes. The Digital KYC process uses either Aadhaar e-KYC, Aadhaar-based Offline Verification, or a combination of a live photo of the consumer and of his OVD, together with his Geo-Location Data.

The Video KYC (Video-Customer Identification Process), as mentioned under Regulation 18 (b) of the KYC Direction, initially requires the customer’s consent to produce their identity for video KYC, following which the Verification Officer ensures the customer’s presence by way of Geo-Tagging. Subsequently, the customer is required to answer certain questions and produce their PAN or Aadhaar Card. To complete the KYC procedure, Regulated Entities may use a screenshot (taken during a video call) or a live photo of a customer as proof of identification.

Video KYC, in particular, offers a substantial benefit for establishing scale, which has become a critical aspect in the success of FinTech ventures today, as well as for financial inclusion, as it gives a cost-effective way to achieve compliance even in remote regions.

AMLEGALS REMARKS

As already discussed above, the FinTech Sector has immense potential in driving India’s economy, especially given the predicted valuation of these companies by 2025. However, one of the major hindrances in the growth of the FinTech Sector is the rising privacy concerns all the more amplified by the lack of a codified Data Protection and Data Privacy Framework in India.

The RBI has, time and again, taken steps in ensuring that data flow within the FinTech sector remains secured through various means such as:

    • the introduction of Data Localization Norms in 2018, which mandated all authorized Payment System Operators (PSOs) in India to store transactional data within India itself;
    • the mandates to all the Banks and Financial Institutions to adopt KYC procedures under the Prevention of Money Laundering Act, 2002 (“PMLA”);
    • the Ombudsman Scheme for digital transactions for addressing consumer complaints, or the recent circular in 2021 requiring all PSOs to submit a Compliance Report duly signed by their CEO or Managing Directors on a half-yearly basis.

However, despite all these efforts, the void of codified legislation still remains. Thus, to address the opportunities and challenges presented by the FinTech sector in India, it is crucial to align the existing laws and regulations with emerging trends of the digital economy, since security of financial data is now a prerequisite for the country’s economic growth and development, due to the advancement in the digital economy. Thus, the current Personal Data Protection Bill, 2019 (“PDPB”) needs to strike a balance between increased accountability and commercial viability for the proper functioning of the economy.

 


For any query or feedback, please feel free to get in touch with arushi.vyas@amlegals.com or tanmay.banthia@amlegals.com
