Answer ... The Indian data privacy regime is set out in the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). As per the Privacy Rules, an entity that collects or processes sensitive personal data (including bank account information and payment instrument details) pertaining to an individual must:

• establish a privacy policy;
• provide mandatory notice/disclosure to the data subject before collecting the information;
• appoint and provide details of a grievance officer;
• allow data subjects to access and update their information;
• ensure that data collected is not retained for longer than necessary under applicable law;
• obtain the prior consent of the data subject when collecting sensitive personal information;
• implement reasonable security measures and standards to protect this information; and
• ensure compliance with requirements for the transfer and of sensitive personal information.

The compliance requirements under the IT Act and Privacy Rules apply uniformly to both new fintech entrants and legacy players.

The Indian data protection regime is set for a revamp, as the government has proposed passing new legislation this year. The original bill was prepared by a committee of experts and submitted to the government in July 2018. Once passed, the new legislation will go some way towards aligning India’s data protection laws with the EU General Data Protection Regulation. The Bill is expected to be tabled for legislation in the winter session of the Parliament in 2019, or the subsequent session.

Some fintech companies engage in the business of account aggregation – that is, they facilitate the sharing of structured financial data between financial information providers and users. Given that this involves sensitive financial data, the Reserve Bank of India (RBI) has established a specific consent framework, including other registration requirements, for entities engaged in this business.

Answer ... The RBI has issued various regulations and directions to entities regarding the cybersecurity measures to be implemented by banks, non-banking financial institutions and other payment service providers. In July 2016 the RBI issued a notification on Cybersecurity Frameworks in Banks, which requires banks, among other things, to:

• establish cybersecurity policies;
• undertake vulnerability tests;
• monitor cyber risks in real time; and
• establish a cyber crisis management plan.

The Master Direction on Issuance and Operation of Prepaid Payment Instruments imposes similar – although slightly less onerous – compliance requirements on mobile wallet providers. Among other things, an entity operating a mobile wallet must:

• conduct an annual cyber security audits;
• constitute a Security Operations Centre (SOC) for managing security incidents;
• implement disaster recovery measures to recover rapidly from cyber-attacks/other incidents and safely resume critical operations; and
• report cyber security incidents immediately to the RBI.