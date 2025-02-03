'If you want their data, ask them. Every single time.' - Steve Jobs (to his developers)

You've probably been inundated with hot takes on the new data protection rules.

Everyone has a view, and it's going on LinkedIn. Including ours. We aren't cool enough to refrain from adding to the sea of hot takes. You can read our two bits on the rules here and in our main course story. These are draft rules, so if you'd like to give your comments to the government, you can write in here by 18 February 2025.

How do the new rules impact fintechs? They don't. Not in any unique way, at least. Fintechs may in fact be better placed, since they must already follow the RBI's standards on data processing, which are often stricter than the DPDP Act and rules.

One contentious aspect of the law is 'consent'. We've seen every interpretation of how to take consent and give notice under the DPDP Act and rules.

At one end of the interpretational spectrum is throwing everything into the privacy policy (and hoping no one reads it). The idea is to confuse and bombard with words. It's the 'Twinkie bar interpretation', where the privacy policy reads like the ingredient list on a sugary snack: long, incomprehensible and 'just give me the candy' inducing. You don't want to know what goes in, and even if you did, you wouldn't understand it anyway.

At the other end is the 'Whole Truth interpretation': where platforms show each piece of data they use and ask permission. Like the Whole Truth business model, which in their own words is: "Our purpose is simple. We make food so clean; we can proudly declare every single ingredient that goes into it, upfront. And we can speak the whole truth, because we have #nothingtohide."

It will take years of weather-beating for clarity to emerge on where the puck lands within this interpretational spectrum. Till then, how you interpret the law depends on who you are. A Twinkie bar or a Whole Truth protein bar.

More about the rules in our main course story.

Main course: unpacking what the draft DPDP rules mean for fintechs and how the BULA bill is rewriting lending norms.

Dessert: sweet news on RBIH initiatives and the 'name look up feature'.

Mints: a refresher about recent fintech developments.

Main Course🍱

New year, new rules, new resolutions

By now you're fluent in DPDP lingo. Fiduciary, processor, data map, consent – you've heard it all and then some. But, after a year's wait, there's something new to dissect. The DPDP rules provide specifics of implementation, on aspects like notice, breach reporting, grievance redressal, consent managers, data deletion, and details of the Data Protection Board. All in all though, for RBI regulated entities (REs) and fintechs, this is nothing they haven't seen before, barring a few cryptic themes.

Stuff it in the T&Cs: Twinkie bar v. Whole Truth

A notice, under the rules, must be written in plain language. It should be clear and understandable independent of the other information given on the platform – aka no burying the notice in word salad. It should allow the user to give her informed consent. This is where you must decide who you are – a Twinkie bar, or a Whole Truth protein bar, or somewhere in between.

At any rate, we think you must revisit your platform UI/UX and test out smart ways of communicating relevant details to your users – perhaps an intermediate screen with the notice, a layered notice or a drop-down (see here).

At a minimum, notices must provide an itemized description of the data, purposes, and services. Which means preparing data inventories and mapping purposes to data and to specific activities/ services. Privacy notices typically have one section where businesses list out all the data they collect for various activities, and another section where they provide a laundry list of purposes. We think this won't work anymore. You must link the purpose of collecting the data to a particular activity – enough for a user to give consent. For instance, if a user is submitting an inquiry on a lending app through a 'Contact us' form, a Twinkie bar will give her a link to a privacy policy that is 50 pages long, and tell her what data is collected from website visitors, registered users, borrowers, defaulting borrowers, credit bureaus, social media platforms, and so on.

But a Whole Truth protein bar will tell her what data will be used for the specific task of responding to her inquiry – for instance, through a layered notice with an easily discoverable drop-down saying 'If you submit an inquiry using our 'Contact us' feature, here's what you need to know.'

Easier said than done perhaps, given that each word added to the UI may deter a user from continuing. But fintechs are no stranger to notices on the platform – for instance, to show users details when fetching their data from credit bureaus. And we may see similar approaches emerge for getting users' consent under the DPDP Act and rules.

Data breaches: Say it one more time

REs already report data breaches to CERT-In and to the RBI. Now you must also report to the Data Protection Board and to all affected individuals.

You must report a breach to the Board as soon as you become aware of it, and then submit a more detailed report within 72 hours covering the facts and circumstances of the breach, its causes, mitigation steps, and remedial measures. In many scenarios, 72 hours may not be enough to submit a final report with these details. While the Board can grant extensions, this could add stress to the breach management process, besides being administratively challenging for the Board, which would have to respond to such extension requests.

Then, on becoming aware of a breach, "without delay", you must also report to affected individuals, telling them what they can do to protect themselves. This is essential when a breach is ascertained with certainty and there is an imminent need to let the individual know, besides giving them specific remedial actions, such as changing their passwords/ logging out of devices/ resetting their PINs. But breaches are defined widely in the law – any unauthorized processing or accidental disclosure that compromises the CIA triad (confidentiality, integrity, availability of data) must be reported. How widely would this be read? A laptop left unattended by an employee in a restaurant? A salary slip left in the photocopy machine? If you're a Whole Truth protein bar, you'll report it all. If you're a Twinkie bar, you'll report the big hits.

We understand where the Twinkie bar is coming from though. Reporting each instance could in fact result in individuals ignoring the real warnings, which require their immediate attention and action. A threshold for reporting could help meet the objective of keeping affected individuals informed without leading to notification fatigue.

Due diligence, audits and assessments

If you're a significant data fiduciary – designated on the basis of volume/ sensitivity of data/ other public interest factors – you must conduct data protection impact assessments (DPIAs) and data audits annually. And submit "significant observations" to the Data Protection Board. The law doesn't tell you how detailed these should be. You decide whether you tell all (as a Whole Truth protein bar) or cherry-pick (as a Twinkie bar).

There is also the cryptic requirement to conduct due diligence to verify that "algorithmic software" does not pose risks to individuals' rights.

Other specifics

Besides these, the rules also suggest reasonable security measures, including encryption/ masking/ use of tokens, implementing access controls, maintaining access logs, backups/ business continuity, and a one-year retention requirement for logs (and the associated personal data) so that unauthorized access can be investigated. REs and fintechs are subject to such (and higher) security safeguards when processing financial data and are likely to require only incremental changes to ensure their affairs are in order on these aspects. There is also the tricky requirement to get parents' verifiable consent through tokens/ other means before processing children's data, data deletion timelines for e-commerce, social media and gaming platforms, exceptions for research, and details of the setting up of the Board.

But two other themes caught our attention that fintechs may find of interest.

Data localisation

The DPDP Act seemed to have put the idea of data localisation to rest. It allowed data transfers to all countries except those specifically blacklisted by the government. The rules though allow the government to ask significant fiduciaries – designated on the basis of volume/ sensitivity of data/ other public interest factors – to keep certain types of data within India. This will be on the recommendations of a committee, whose composition is yet to be specified.

REs and fintechs are well-acquainted with data localisation. In 2018, the RBI asked payment businesses to store payment data on Indian servers, with narrow exceptions for processing outside India. The RBI's digital lending guidelines also required lending data to be stored in India.

But could this new proposed restriction mean a rethink of sectoral mandates? The IT minister noted that the provision is not an attempt to disrupt data flows, rather, the committee is a means to ensure harmonization among sectoral approaches. Would this mean sectoral regulators must first consult the committee before handing down local storage mandates? The IT secretary says no. But we await further details on this one.

Consent managers

The rules offer more guidance on who can/ can't be consent managers. They must be India-incorporated companies, with a net worth of more than Rs. 2 crore and suitable key managerial personnel (KMPs). Consent managers must avoid conflicts of interest with data fiduciaries. They must not "read" the contents of the data. They must not subcontract, must conduct audits, and must not sell their business to another company without the Board's approval, among other things.

Again, fintechs are familiar with one variant of a consent manager – the account aggregators (AAs). Like AAs, consent managers must also be data blind. Perhaps we will see AAs donning consent manager hats, given that they already manage users' consent, albeit for the limited purpose of facilitating data-sharing in the financial services sector. At the moment, integration with consent managers seems voluntary under the law. But since it is individuals who may choose to give/ manage/ review their consent through consent managers, we wonder if this could mean companies may be required to integrate with consent managers at the behest of their users. Also, while there's some guidance on consent managers, their revenue models/ monetization remain unclear.

As we pore over the rules, if you have questions/ remarks/ comments, do write in to us at data@ikigaillaw.com.

Is BULA the Beginning of an End for Rogue Lenders?

A flashy digital lending app promises instant cash. Borrowers are lured in, but within days, they're bombarded with abusive calls from recovery agents. When probed, the app turns out to be linked to a foreign entity operating illegally.

A gaming app advertises itself as 'risk-free'. It baits users with promises of free virtual coins. Once these coins deplete, it pushes the users to buy more through discounted loans. Tempting rewards like 'gift cards' or 'cash payouts' keep users hooked. By offering loan-backed real-money games disguised as free games, the gaming app not only skirts gambling laws but also fuels debt traps.

Stories like these have dominated the headlines, exposing how Indian borrowers are falling prey to unscrupulous lenders – both online and offline. The Banning of Unregulated Lending Activities Bill (BULA) aims to curb such unlawful activities. The government has shared the draft for public consultation, with the deadline for sending comments set as 13 February 2025.

But what does BULA apply to? And will it really address the lending industry's challenges? Let's break it down.

BULA is India's latest attempt to address the menace of rogue lenders. Originally, the RBI's Digital Lending Working Group (WG) suggested that the Central Government consider introducing BULA. It highlighted that while the RBI/other regulators monitor the activities of their regulated entities, there is no dedicated law/authority to keep unregulated lending in check. BULA addresses this gap. With its catch-all definition of unregulated lending, BULA prohibits all lending activities that fall outside the purview of laws like the RBI Act, 1934, the Banking Regulation Act, 1949, the State Money Lenders Acts, etc. Simply put, if there's no regulator to turn to for help, the borrower now has BULA to rely on.

BULA bars any statements, promises, ads or forecasts to promote unregulated loans. For instance, an influencer promoting an unregulated loan may be prosecuted under BULA. BULA also proposes to set up/designate:

investigating authority: to intercept and investigate illegal lending cases; and

database authority: to maintain a searchable central database of regulated lenders. The public can also report illegal lenders to this authority.

Some examples to test BULA's application:

Scenario 1: A rogue digital lender not backed by a bank or an NBFC

A digital lender operating without the RBI's authorization falls squarely within BULA's ambit, unless it is registered under some other lending law (like the state money lending laws). The lender would be penalized for lending illegally.

Hit by BULA? Yes.

Scenario 2: A digital lender backed by a bank or an NBFC but charging exorbitant interest rates

If the lender is a regulated entity (RE) like a bank/an NBFC, BULA does not apply, as REs are exempt from its purview. However, the RBI may penalize the RE for such practices.

Hit by BULA? No.

Scenario 3: An offline lender that operates without a valid moneylending license

An offline lender operating without a valid license under the respective state money lending legislation is clearly engaging in unregulated lending activities. Such lenders would be penalized under the BULA provisions.

Hit by BULA? Yes.

BULA is well-positioned to address the lending industry's concerns. However, the current draft can still be refined further to realise the WG's vision.

Repository of illegal lenders: The WG suggested that the Government introduce a mechanism to share information about rogue lenders/lending apps with REs. For instance, it recommended that the Government's Digital Intelligence Unit share information about illegal lenders with fintechs and REs. It also proposed setting up a 'National Financial Crime Record Bureau' for REs. The idea was that REs can rely on this information to avoid associating with unscrupulous players.

While the bill proposes a mechanism to report illegal lenders, it is silent on whether and how REs can access this information. We believe that the Database Authority must also maintain a repository of illegal lenders and open it up for access by REs.

To make the repository of illegal lenders robust, the regulators must obligate not just their REs but also their SROs (like FACE, FIDC, SA-DHAN) to actively report any unlawful lending activities they notice to the Database Authority. Right now, as per the bill, an RE's obligation is limited to sharing information requested by the Database Authority.

Verification badge for lawful apps: The WG recommended that the Government appoint an authority (DIGITA) to issue badges (a verified signature) to verified lending apps. Law enforcement agencies would look for these badges to intercept unregulated players. BULA has not picked up this suggestion. A mechanism of this sort would strengthen the enforcement muscle. The Government should consider making the Database Authority responsible for issuing the badges.

Need for clarity: 'Public lending activity' is defined under BULA as the business of financing to earn interest. However, the provision banning unregulated lending does not use this term. It just prohibits 'unregulated lending activity'. This may lead to some unintended consequences. Consider a scenario where A is a buyer and B, C, and D are sellers. A makes advance payments to the sellers against the purchase of goods. A does not charge any interest. In the absence of interest, A is not lending. However, the current text of BULA is not clear enough to support this argument.

Also, BULA borrows the definitions of 'client' and 'principal officer' from India's money laundering laws. But the reason for including these terms is unclear.

Lastly, the text of Rule 27 (Power of State Government to make rules) of BULA is incomplete. The Government should consider addressing these issues while finalizing BULA.

🍦Dessert:

A sweet start to the year

Here are some developments which set a positive tone for the year:

RBIH initiative for women: The Reserve Bank Innovation Hub (RBIH) and IIMA Ventures have launched Swanari TechSprint 3.0 – a program to encourage fintechs with women-centric financial products. The program will offer strategic resources, mentorship and grants to selected startups. Startups from prototype to growth stage can apply for the program.

RBIH launches a new credit program pilot: RBIH has reportedly partnered with Vivifi Finance to offer unsecured loans to gig workers (food delivery, cab drivers, etc.). If the pilot succeeds, the project will integrate with the Unified Lending Interface. The project holds the potential to bridge credit gaps for gig workers.

Name look-up facility for RTGS and NEFT: UPI allows payers to verify the names of payees. The RBI has now introduced this facility for RTGS and NEFT transfers too. This may help reduce instances of erroneous transfers by payers. NPCI will develop this facility and onboard all banks on it.

🍀Mints

🤖RB(AI) – The RBI has formed a committee on the Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) in the financial sector. The committee, led by Dr. Pushpak Bhattacharya, will assess AI adoption in India. It will study potential risks and analyze AI regulatory frameworks in other countries. Based on its findings, it will recommend a regulatory framework for AI. The industry will also assist the committee with this project.

🧾Tax relief for Banks, NBFCs, and PAs: The Finance Minister has announced that payment aggregators need not pay GST on their services if the processed transaction is below Rs. 2,000. Banks and NBFCs also need not pay any GST on penal charges collected from borrowers for non-compliance with loan terms. However, these exemptions will not extend to payment gateways and other fintech services.

✅UPI access expands to PPIs: The RBI has allowed PPI issuers to enable discovery of PPIs on UPI apps like Gpay and PhonePe. PPI holders can now link their PPIs (e.g., an Amazon Pay wallet) to UPI through UPI apps and use their pre-existing UPI credentials to make PPI payments.

📲What is up WhatsApp Pay: NPCI has removed the user cap on WhatsApp Pay. Earlier, the NPCI had prohibited WhatsApp Pay from onboarding more than 100 million users. With this, WhatsApp will now be able to extend its UPI services to its entire user base in India. This gives WhatsApp an opportunity to make up for the lost time (and users) in the UPI space.

