Digital Personal Data Protection Act, 2023 Banking Sector Outsourced Services
Outsourced services to the banking industry are a large bucket, but some services including third party application providers may have access to large amounts of customer personal data.
For banking services, particularly commercial banking, where information technology services are outsourced, customer personal data needs to be guarded: not only for compliance with India's new digital privacy law and sectoral requirements, but also to ensure the business maintains its competitive edge.
Introduction
Outsourcing in the banking sector is primarily regulated by the RBI’s 2023 Master Direction on Outsourcing of Information Technology Services, which applies to all ‘regulated entities.’ While this Master Direction predates the notification of the Digital Personal Data Protection Act, 2023 (DPDP), it will continue to apply in addition to the DPDP.
‘Regulated Entities’ covered by the Master Directions are broadly: banking companies, primary co-operative banks, NBFCs, credit information companies such as CIBIL, sectoral banks such as EXIM Bank, NABARD etc., and foreign banks operating through branch mode.
Outsourced services to the banking industry are a large bucket, but some services, including third-party application providers, may have access to large amounts of customer transaction and personal data ('customer data') depending on the nature of the service deployed. For larger Regulated Entities, where IT is largely managed in-house, this is less of a concern than for smaller entities that rely substantially on outsourced service providers and third-party applications. With the proliferation of such third-party services, the business case for using them is undeniable: savings on development cost and manpower, access to the latest security and features, and faster time to market. However, extensive outsourcing comes with risks, including reduced control over customer data.
Key aspects the Regulated Entities and the Service Providers (SP) must note in outsourcing arrangements:
Understand Platform Data Access
Regulated Entities must have documented clarity from the SP about the level of access to customer data that the SP will maintain. Access levels vary depending on the nature and design of the platform, and a nuanced understanding of the technical aspects of the solution is needed. For example, the SP may assure that it does not use customer data while retaining the ability to anonymize the data for analytics.
Privacy Program
Regulated Entities must design their own privacy compliance program for application-based services, and not rely solely on a package provided by the SP. While the SP may add value and save costs, any solution it provides will likely be optimized for its own efficiency.
Customer data management practices can differentiate a business from competitors, enhance customer trust, and provide a competitive advantage. Also, financial penalties under the DPDP are high, extending up to INR 250 crores (imposed on the Regulated Entity as the 'data fiduciary' and not on the processor), apart from the reputational damage a breach or prosecution can cause, making thorough oversight of the SP on privacy protection critical. While financial penalties could be contractually passed on to the SP, the Regulated Entity will be primarily liable as a data fiduciary and must also consider its practical ability to recover these amounts.
SPs' platforms should be designed to provide a robust level of technical compliance with the DPDP where customer data is processed for clients. For consumer-facing services, in addition to security, SPs must technically ensure that the client can comply with its DPDP obligations, such as data access requests, erasure, correction and updating of personal data, and consent withdrawal. The platform should also be capable of integrating with consent managers.
Consent Notices
Drafting a consent notice optimized for maximizing opt-in consent to non-essential processing, such as marketing and cross-selling of products, will be relevant. Effort and skill are needed to differentiate these notices from run-of-the-mill drafts while at the same time ensuring they meet the stringent requirements of the DPDP. These notices must be controlled by the Regulated Entity.
Customer Insights And Cohorts
Customer data is invaluable to sustaining and growing a business, and inadequate attention to it can lead to handing over painstakingly gained business advantages to the competition.
An area where SPs can benefit, particularly those with data visibility and serving multiple Regulated Entities, is creating customer insights. This is often done through 'cohorts', where transactions and usage patterns are analyzed to create generalized but insightful analytics on particular trends: for instance, the success of a client's new marketing program or new product based on the uptick in user adoption of a service or feature, the number of customers using a specific service, spending patterns, etc.
The upside for the SP is that cohort-based insights are anonymized and unable to identify individuals, and are therefore unlikely to fall foul of the DPDP. SPs can sell this information to competitors or other industries. The downside for Regulated Entities is that the SPs may be able to monetize deep insights into their user base and benefit their competitors. Attention to such finer points often gets missed due to an overt focus on compliance without understanding the myriad ways in which customer data can be exploited.
Audit And Assurance
Regulated Entities are already required to ensure robust audits and governance of SPs under the Master Directions. Regulated Entities must also ensure that their IT outsourcing policy and organizational governance program, along with Board and senior management roles, are appropriately extended to include DPDP compliance. The contract with the SP must be modified to include privacy compliance and data protection audits.
Breach Notifications
The DPDP adds a personal data breach notification requirement to the existing notifications of security/cyber incidents to the RBI and to the Computer Emergency Response Team. The definition of 'personal data breach' under the DPDP is expansive and includes accidental disclosure, destruction, etc., in addition to unauthorized access. The contract with the SP must adequately define a breach along with appropriate notification requirements, and penalties and indemnities for a failure to notify (the second highest slab of financial penalties, i.e., up to INR 200 crores, is for a failure to notify the Data Protection Board of a personal data breach).
Robust Contract
Regulated Entities must expand the contract with the SP to include a detailed personal data compliance, assurance and governance framework, along with appropriate reporting mechanisms, audit provisions, financial disincentives, incident notification and remediation requirements, and indemnities.
Overly relying on contract remedies is not enough and does not mitigate the absence of an effective audit and assurance program, as many SPs will not have the financial ability to make good on contractual promises if they breach.
For SPs, it is important to ensure that their liability is ring-fenced commensurate with their role and earnings as a service provider.
Blanket indemnities and unlimited liability should be avoided as much as possible. A poorly negotiated contract can be a death sentence for a business.
Conclusion
While the DPDP will add compliance obligations and some challenges for Regulated Entities when it comes to customer data, Regulated Entities are already heavily regulated and accustomed to strict regulation and supervision, and should therefore be better placed to implement a DPDP compliance program without material disruption.
Given the requirements under the DPDP and the large financial penalties, privacy and data protection should be implemented and monitored as part of a board-driven initiative by Regulated Entities. The RBI has also enhanced vigilance and enforcement measures and underscored the importance of compliance for businesses operating across the financial sector.
Where IT services are outsourced, Regulated Entities must enhance their existing governance and audit framework to include DPDP compliance. Regular technical and security audits will be crucial to assuring the SPs' compliance and also to securing any competitive advantage through a focus on protecting customer data, and not only customer personal data. When it comes to privacy and data protection, compliance needs to be built in by default to ensure that the business is built around legally sustainable products and services.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.