Financial regulators such as RBI, SEBI, IRDA and PFRDA should “urgently review” their existing regulatory framework with respect to data protection and privacy concerns, in tandem with the draft Personal Data Protection Bill. This was recommended in the FinTech report by the Department of Economic Affairs, under the Finance Ministry. It also recommended that Ministry of Finance set up a taskforce, with financial regulators to safeguard consumer interests, “while also enabling a positive climate for innovation”. The committee noted that provisions of the proposed draft Data Protection (PDP) Bill will have far-reaching implications for the growth of fintech sector.

The report noted the need for a legal framework for grievance redressal of consumers in the financial sector, noting that this legal framework should be enacted “early”. This framework, according to the committee, should address the following:

  • Ensure consumers of digital financial services have meaningful choice and control over their personal data – including through informed consent
  • Mandate that users’ financial data not be used in an “unfair discriminatory manner”
  • Adequate security of financial systems
  • Online frauds
  • Potential misuse of Artificial Intelligence and Machine Learning

Draft Data Protection Bill: Regulators should assess impact early

Talking about the establishment of the Data Protection Authority (DPA), the report said that the DPA would have the power to draft regulations regarding informed consent, data processing, data audits, and data retention. It noted that the DPA should let sectoral regulators handle “some obligations” of the PDP Bill. It then recommended that financial regulators should assess the “impact of such regulations on their jurisdictions at an early stage”.

The report also said that regulation of the fintech sector must achieve a balance between encouraging the development of fintech-enabled solutions for consumers’ benefit, and ensuring adequate protection against potential risks to consumers.

In the context of privacy in fintech, the report recommended that fintech initiatives should take into account a comprehensive view of privacy impacts, including impacts on human rights such as equality, non-discriminatory and economic, social and cultural rights.