What’s the news: American Express (Amex) on October 14 informed its customers that it will share information about their credit card accounts with the National E-Governance Services Limited (NeSL) starting November 2022.
SBI Card and PNB are already submitting this information to NeSL, industry sources told MediaNama. We have reached out to NeSL, SBI and PNB seeking confirmation and will update this post once we receive their responses.
Déjà vu? Amex initially emailed customers in March this year saying that it will share data with NeSL in order to comply with a 2017 Reserve Bank of India (RBI) circular. However, cardholders and other experts raised concerns about the legality of this data-sharing mandate by RBI, as well as the privacy implications of such data sharing. Eventually, Amex put its plan on hold and said that it would consult with the RBI on how to proceed. It now appears that RBI has asked Amex and other cardholders to proceed with the data sharing:
“As per the directive from the Reserve Bank of India, all financial creditors have to submit customers’ financial information to National E-Governance Services Limited (NeSL). We are reporting as per requirement of the RBI directive.” — An Amex spokesperson told MediaNama
Why does this matter: The data-sharing mandate still poses the same concerns that it did earlier:
- There are privacy concerns as it involves sharing personal credit card spending information with government agencies without consent. Additionally, there is no way to opt out of this sharing and no clarity on how much data will be shared, how the data is kept by NeSL and if there is any purpose limitation.
- It appears to be in contradiction to the Credit Information Companies (Regulation) Act, 2005, which prohibits companies from collecting credit card information such as the amount of credit and the amount outstanding without obtaining a certificate of registration from the RBI under the Act. NeSL is not registered with RBI as a CIC. Companies that are registered with RBI as CICs include CIBIL, Experian, Equifax, and CRIF High Mark.
- The Insolvency and Bankruptcy Code (IBC), 2016, which RBI uses as the legal basis for this data sharing, is laid out clearly for corporate insolvency, but there is no clear insolvency regime for individuals.
For a deep dive into the above issues, read The Privacy Implications And Legality Of RBI’s Mandate To Banks To Share Credit Card Information With NeSL.
What data will Amex share with NeSL? Amex said that the following information about cardholders will be shared with NeSL:
- Demographics including name, email address, PAN number, etc.
- Total outstanding
- Credit limit
Why are people concerned about privacy risks:
- Vinayak Hegde, an Amex cardholder, brought up the issue of scope creep the last time we did a story on this issue. “If you follow this place for a while, you know that there is a lot of scope creep. People can say now we have this data, let’s use it for this, let’s use it for that. And that kind of continues, right,” Hegde remarked.
- “Of course, I would have concerns about my data being shared. The thing is India has no privacy law. Data is shared without warning and information,” Prasanto Kumar Roy, technology and public policy analyst who is also an Amex cardholder, told MediaNama. But, Roy said that this is not a concern that is specific to Amex’s sharing with NeSL and that it applies to information sharing with CICs like Experian and CIBIL as well, and to the wider range of data sharing currently taking place.
- Srikanth Lakshmanan of Cashless Consumer Collective pointed out that this will go against the Puttaswamy judgement: “If one sees the spirit of proportionality in Puttaswamy judgement — and if the IBC law actually codifies individual insolvency regime — why should card dues data of all cardholders be shared to an IU and then have them validate the credit claim, presuming they all will go bankrupt? What prompted you to cite the RBI circular that is dated 5 years ago, which is openly worded for IBC compliance to share personal data that is specifically outlawed in CIC Act? If this is RBI doing it, why is it that no other credit card issuer is telling it to the customer?”
- Lakshmanan also noted that it helps RBI build an extralegal database like the Public Credit Registry: “This collection of all credit data – is fundamentally akin to building a Public Credit Registry (which RBI again is building without a law, regulatory powers to build one) and resting these with a private entity that is quasi owned by a Public Sector Undertaking (PSU) titled with ‘National’ is deceiving users at multiple levels to part with their data.”
What does the 2017 RBI circular say: The RBI circular dated December 19, 2017, states:
“According to Section 215 of Insolvency and Bankruptcy Code (IBC), 2016, a financial creditor shall submit financial information and information relating to assets in relation to which any security interest has been created, to an information utility (IU) in such form and manner as may be specified by regulations.” (emphasis ours)
In other words, the RBI circular mandates financial creditors like card companies to submit information related to debts to an information utility (IU). NeSL is currently the only IU registered with the Insolvency and Bankruptcy Board of India (IBBI).
What does NeSL do? “The primary role of NeSL is to serve as a repository of legal evidence holding the information pertaining to any debt/claim, as submitted by the financial or operational creditor and verified and authenticated by the parties to the debt,” NeSL’s website reads.
How will the data sharing take place? Amex explains on an FAQ page that the sharing of financial information with NeSL is a bilateral process:
- Amex submits financial information about cardholders to the NeSL database every month
- NeSL sends a notice to the cardholder to authenticate the details submitted by Amex
- Cardholders are required to register on the NeSL portal to authenticate/dispute the information submitted by Amex
- Once a record is authenticated or disputed by the cardholder, NeSL sends a confirmation email to the cardholder
- If a customer does not authenticate/dispute a transaction after three reminders, then the transaction is deemed authenticated.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.