In a recent development, the Delhi High Court received a
Public Interest Litigation (PIL) from an applied economist, Reshmi P Bhaskaran,
seeking to regulate the entry and operations of ‘TechFin’ platforms. Inter
alia, the PIL asked the High Court to help develop a regulatory framework
around the TechFin industry, also popularly known as the FinTech domain. Since
then, the High Court has sought replies from various stakeholders, including
the Ministry of Law, Ministry of Finance, RBI, SEBI, and NPCI regarding this
issue.
The crux of the matter is that non-regulated technology
platforms extend financial services without complying with the legal requirements
that Financial Institutions (FIs) have to fulfill. FinTech platforms partner with
existing entities and even enjoy access to the UPI ecosystem as third-party
applications. This poses certain systemic risks relating to financial stability,
citizen data, cybersecurity, and end customers at large (people and
businesses), among others.
The absence of a dedicated regulatory framework also limits
the true growth potential of FinTech platforms as they carry the mantle of
financial inclusion. So, let us delve deeper into the challenges, regulations,
and prospective solutions in this context.
Aadhaar, Personal Data, and FinTech
FinTech – an abbreviation for Financial Technology – has
today brought about the much-needed change by taking banking to the people.
Aadhaar has also played a major role in this development. How? Well, Aadhaar
has a massive cache of data that can be accessed by FinTech operators for
wide-ranging purposes upon receiving the end-user consent.
A large number of FinTech firms are now also harvesting
alternative data sources that include a customer’s online spending behavior and
social media patterns. This data is typically stored and used for various use
cases including targeted marketing, sales, and financial decision-making such
as generating a credit score to determine a customer’s risk profile.
The Challenge
At the heart of this innovative approach lies people’s data.
It includes not only payments or commercial data but also social data such as the
interactions people have and the lives that they live. As data becomes the new
currency, startups and financial institutions are willing to forgo
transactional fees to get rich digital information about their customers.
The collection of such in-depth, personally identifiable
information poses legal questions as to whether customers are aware that it is
being harvested. Legal concerns are also involved relating to data ownership
and whether such data can be shared with third parties.
A few foreign entities have found a grey area when it comes
to acquiring Indian customers’ data. They simply buy a stake in Indian entities
for fulfilling this purpose. Some of these instances include TransUnion
acquiring a 92% stake in CIBIL (Credit Information Bureau India Limited) and
Facebook’s recent investment in Reliance Jio. This approach basically bypasses
the adequate compliance procedures required for obtaining the explicit consent
of the Data Principal.
For this reason, consent-based data access by all FinTech
companies has to be streamlined. FinTech firms must have comprehensive and
adequate privacy terms to comply with regulations while keeping their customers
well-informed. Simultaneously, progressive policies must be developed with a
holistic view of protecting economic stability, citizens and FinTech platforms
as well as their innovations.
Regulatory Solutions
The 2019 Steering Committee report on FinTech issues
recommends that an Inter-Regulatory Technical Group should be set up to support
hybrid financial institutions. It suggests collecting data from unconventional
sources for better credit scoring and improving credit accessibility. Its other
recommendations include Open Database regulation to enhance competition and the
creation of a data pool vis-a-vis the companies that provide homogeneous
services.
We have to understand that lending is a unique sales
transaction and, perhaps, the only one where potential buyers are rejected.
Lenders have and exercise the right to know their customers by accessing their
data. This is because the transactional risk is on them for a prolonged period.
The solution to this multifaceted challenge is that FinTech
firms must embed security protocols and cross-platform harmonization into
initial technology design phases (Privacy by Design). Embedding such measures
early minimizes the vulnerabilities that crop up later, such as
cross-platform contamination. Startups must further expand procedural testing
and audit processes for multi-platform compatibility.
The best way to overcome integration issues is to conduct
thorough testing, integrate data better, and delineate areas of
responsibilities between all parties. This will also help to minimize the
cybersecurity risks and compatibility issues due to multiplatform integrations.
To protect the personal data of customers, companies use
tools such as cryptograms that track data to ensure it is coming from the
client. But this is a rudimentary check. Any imperfection in the platform’s
code can be exploited. To find software vulnerabilities such as insecure APIs,
FinTech companies are now adopting a practice called “AI fuzzing.” Simply put,
this process uses machine learning to identify potential loopholes in an app’s
codebase before hackers can find them.
In terms of innovation, the UK pioneered the regulatory
sandbox concept in 2015 to encourage FinTech innovation and ease regulatory
burdens while ensuring adequate customer protection. The sandbox model involves
a temporary relaxation of certain regulatory requirements. It allows
early-stage startups to test their products for a limited period without having
to obtain a full license and regulatory permissions. This approach effectively
reduces the entry-level hurdles and costs for startups while unlocking
innovations. A variation of this approach is now also being seen in India with
regulators including RBI, SEBI, and IRDA launching their unique regulatory
sandboxes.
Another area of interest for regulators should be Blockchain.
It is faster, more transparent, and efficient when compared to the traditional
front, middle, and back-office functions in FIs. On this front, India is doing
well by developing IndiaChain, which might eventually become the heart of
governance in our country. Regulators must proactively collaborate with NITI
Aayog and the GoI for a robust system that brings superior efficiency to the
system.
In conclusion, as respective stakeholders aim to regulate
the FinTech segment, interesting times are ahead of us. We will observe the
rise of middleware solutions providers that will have dedicated use cases
ranging from cybersecurity to legal compliance. Such approaches, supported by a
strong regulatory framework, will decrease the go-to-market time of FinTech startups
and their products while also making the process more cost-effective for them.