Ensuring Regulatory Compliance in Digital Lending in the aftermath of the Data Protection Act
By Gaurav Sharma, Chief Compliance Officer, Fincfriends
India has been at the forefront of leveraging the advantages of sequential technological advancements whilst keeping an eye on its rampant penetration. As it moves towards becoming a robust economy, the interplay between technology and lending presents both opportunities and risks. In a major move to address the risks concerning data privacy and security, the RBI has introduced a series of strategic imperatives to bring greater clarity over the correspondence of data sharing and a layer of transparency in digital lending operations.
The foundational branches of the data-centric regulatory requirements had emerged in the form of RBI’s guidelines on digital lending, prioritising data protection and privacy. While these guidelines were successfully able to highlight and address the non-uniformity in lending practices by bringing unregulated lenders into a regulated space, their limited scope failed to cover non-lending digital entities. This, in turn, created the need to add a layer of data protection, further paving the way for India’s first Digital Personal Data Protection Act.
Privacy with Digital Personal Data Protection Act (DPDPA)
Capitalising on the need to build a comprehensive data governance framework for digital lending entities, the Digital Personal Data Protection Act symbolises a significant leap in achieving complete data protection and privacy. With an increased focus on empowering lenders, the DPDPA takes into account the security of customer data and is moving towards developing impactful privacy governance programs for effectively mitigating business and reputational risks.
The financial services industry stands a chance to offer greater authority to lenders in data handling by simply being compliant with these stringent guidelines. Furthermore, these guidelines also act as a bridge to address the inconsistencies of the present lending framework and build a network of transparent and future-ready digital lenders. While this sudden transition may seem tedious at present, it is key to creating a customer-centric digital lending ecosystem.
Interplay between Digital Lending Framework and DPDPA Guidelines
Driven by favourable socio-economic factors and an increased proliferation of digital lending platforms, the Indian digital consumer lending market is expected to surpass the $720 billion mark by 2030. This growth is further fuelled by the lucrative opportunity pool and simplified access to credit, which can be attributed to digital lending platforms that have helped the underserved segment gain timely funds without rigorous documentation and processing. However, this also means negligence of customer data privacy, which makes the DPDPA a strategic imperative.
The introduction of DPDPA guidelines in the digital lending space marks the beginning of a refurbished regulatory framework in consideration of data privacy, customer protection, information security, and outsourcing activities, amongst many others. The implementation of these guidelines requires lenders to adopt a well-nuanced approach and reflect on the experience gained from the previous RBI guidelines. At the very core, to embrace these guidelines, digital lenders need to capture data only on a need basis after the procurement of proper consent.
Implications of the Data Protection Act
In the aftermath of the Data Protection Act, all digital platforms collaborating with regulated lending entities will be addressed as ‘Data Processors’ and will have to comply with the DPDPA standards. As the digital lending process works on assessing customer data to grant credit and reduce fraud risks, the DPDPA has mandated all lenders to procure customer consent before undertaking credit accessibility assessments for more transparent risk management.
In addition, the DPDPA standards have put a hold on outsourcing activities of customer management. These can continue only once the outsourcing arrangements have been subjected to the stringent framework. Further, digital lending players are also required to ensure that the customer data management cycle complies with DPDPA’s rules, which may affect different vertices of the lending process, including onboarding and building customer relations.
Final Thoughts
Given the Digital Lending industry’s potential to propel further, it is significant that lending platforms adhere to the DPDPA guidelines as the bedrock for ethical customer data management. While the implementation may not be easy, the benefits of data security and enhanced trust make this move paramount. With the potential to create a digital lending ecosystem characterised by the pillars of data protection and security, the Data Protection Act is the key to nurturing a tamper-proof and inclusive economy in the long run.