
HDFC Bank checks for creditworthiness by reading user emails



The online verification process for HDFC Bank’s credit card application requires users to give the bank permission to view the user’s email messages & settings and permission to view all contacts, in addition to basic info like age range and language and other email addresses. (Hattip: Twitter user N). This information can be read by employees, and is likely not stored in India.

HDFC seems to channel this information through Verifi.Me’s verification services. Verifi.Me seems to provide verification services for ‘many partners’, although it does not specify any of them. It also offers an app for consumers that can be used to save digital copies of documents for verification, as well as to verify through online means such as email verification, which the company claims “allows people to prove their identities and fast-track their applications.” The app isn’t accessible in India.

According to Verifi.Me’s privacy policy, the company collects a lot of personal data, including but not limited to name, email, tax information, employer information, stored contact information, educational background, bank and financial information, family information and information from social media accounts.

It also mentions that it only shares information which is required to be known for verification; however, this information is accessible to employees “who are required to know such information in order provide our Services to you.” Essentially, those verifying through this method for HDFC Bank could end up having their emails, bank statements, photos and other sensitive information read by employees.


Worse, from Verifi.Me’s privacy policy, it appears that the company will be able to continue accessing user information, and users cannot revoke that permission if they have an ‘outstanding obligation’, like the issuance of a credit card. The privacy policy further states that, “If you are located in a non-US jurisdiction, you may be sending your Personal Information to the United States or another jurisdiction.” Basically, to verify a user’s creditworthiness, HDFC Bank employs a third party to access all sorts of information from a user’s personal email and social media accounts, which can then be accessed by its employees, with the data, at least, residing outside the ambit of Indian jurisdiction.

It’s not clear whether what the bank is doing is legal; it may be operating in a grey area of regulation, given the lax privacy and security laws in India.

MediaNama has written and called HDFC Bank about the privacy issues while collecting customer data and we will update once we hear from them.

MediaNama’s take

The issue has been brought to HDFC Bank’s notice by various users on Twitter over the last few months, and the Bank has at times responded by asking users to send in an email. However, this problem is unlikely to be resolved by customer support; rather, the bank will have to rethink how it collects data for verification in the first place. Additionally, it is high time the Government defined a clear privacy law, especially in the context of online identities and information, something it has been putting off for over 5 years now.

Excerpts of Verifi.Me’s privacy policy:

“We collect Personal Information at registration, signing in to Verifi.Me through a Third party registration tool and, in general when using any of the Services (including but not limited to, the following: your name, email address, phone number, gender, government ID, date of birth, occupation, employment and economic status (income, employer) tax information (tax returns and other information about your tax situation), contact information (such as telephone numbers, addresses, email addresses, etc.), educational background, family information, bank or financial information (bank accounts, loans, debt, monthly expenses), pictures, why you decided to use Verifi.Me, information from your social media accounts, and a means to authenticate your account (e.g. a password).”

“We do not have control over the use of your personal information once it is shared by our Partners or Third Party Providers, and we are not responsible for their privacy practices. Your rights with respect to their treatment of your information will be governed by their own policies.”

“However you will not be able to delete your account if you have an outstanding obligation (e.g. loan) with Verifi.Me or any of our Partners.”

“We restrict access to your Personal information only to those employees who are required to know such information in order provide our Services to you. We train our employees on all our security procedures, and we conduct audits to check compliance.”

“If you are located in a non-US jurisdiction, you may be sending your Personal Information to the United States or another jurisdiction that does not have laws that provide an equivalent level of data protection to the laws in your home country.”

Image source: Flickr user Opensource.com under CC BY-SA 2.0

  • sketharaman

    It’s normal for a bank to ask for a lot of private information like income to assess repayment ability while approving a credit product. Besides, when you give voluntary access to private information, how does it become infringement of privacy? India may not have great laws about privacy but that shouldn’t give people the license to make a hue and cry about privacy just for the sake of privacy and without reference to the context. If you don’t agree to share the required information, you’re always free to shop for your credit card from another bank that doesn’t ask for this information.

    • You’ll be out of luck once other banks observe nobody makes a fuss about it, and therefore will use the same procedure. Prevention is better than cure. Would you prefer banks give lesser credit to those who save a lot of money from the earnings they get? Because eventually that’s what is going to happen. You compromise one and you’ll have no what have you done until it’s too late.