Recently, in WhatsApp circles, there was news about RBI cautioning the public against “Multi Bank Balance Enquiry Apps”. This was actually an advisory issued earlier, on 11th April 2015, in which RBI stated as follows.
“It has come to the notice of the Reserve Bank of India that an app (application) is doing rounds on WhatsApp purportedly to facilitate checking of balance in customers’ bank accounts. The application has an RBI logo with the title ‘All Bank Balance Enquiry No’ and has listed several banks with either a mobile number or call centre number.
The Reserve Bank wishes to clarify that it has not developed any such application. Members of public are, therefore, advised to use the application, if at all, at their own risk.”
This could well be the case of a “Fake App” or a “Fraudulent App” or the case of a misuse of the RBI trademark.
But in the era of growing FinTech companies, there are many genuine Apps that try to provide money management facilities which include “Multi Bank Account Access”, and hence this could be taken as general guidance against all such Apps.
Since financial information is among the most sensitive personal information, and since today most Bank accounts are linked to Aadhaar and Aadhaar itself is linked to everything including the PAN card, these “Multi Bank Apps” represent one of the highest concentrations of “Privacy Risk” and call for special attention to defining the “Data Security Requirements”.
While the RBI advisory above was re-circulated on Social Media and created some caution, it does not amount to a proper “Information Security Advisory”. The Watal Committee report addressed the issue of growing security concerns in digital payment systems along with the need to promote such payments, and advised a review of the Payment and Settlement Systems Act 2007 (PSSA-2007), under which a “Payment Regulatory Board” (PRB) would supervise the requirements of information security in the digital payment industry.
The Watal Committee also mooted the idea of “Open access” to the payment systems for non-Banking PSPs (Payment System Providers). When guidelines for this do come up, FinTech companies may be able to have unhindered access to the financial data of individuals. This could blur the difference between Banks, which people trust much more today, and the PSPs, many of which are start-ups with quick profits as their goal. Today many of them already have access to credit information through CIBIL or other so-called “Credit Rating Agencies”, which many times work on imperfect data and create adverse consequences for individuals. But what the new regulations open up is access to the core Banking system, where FinTech companies may have access to highly sensitive personal information.
In the EU zone, the “Payment Systems Directive” or the PSD addressed the issue of Privacy and Data Security in this domain. Now the PSD2, which is the revised directive, has been made applicable with effect from 13th January 2018, along with the GDPR coming into force from 25th May 2018. The Watal Committee made a brief mention of PSD but did not take into account the PSD2. The Government has recently announced that by around Diwali a new Data Protection Act could be in place in India, and if so, it should incorporate some additional measures of data protection for Personal Financial Data (PFD) in tune with the strict EU standards.
While the IT companies involved in data processing contracts from EU companies would be required to comply with PSD2 provisions as contractual data processors, the FinTech companies themselves, who may indulge in PSP activities, may not take note of PSD2. They are presently bound by Section 43A and Section 79 of ITA 2000/8 and required to comply with the Privacy regulations and implement what may be termed “Reasonable Security Practices”. However, their practices are unlikely to meet the minimum standards of information security that are required in such cases.
Most mobile Apps access financial information by taking unhindered permission for SMS, E-Mail and Calls before the user has even downloaded the app and examined what it does. Since Banks send information about transactions by SMS and E-Mail, the entire financial history of the customer becomes available to the App. This is used for creating expense accounts and other reports which are presented as a useful service to the data owner. There is no doubt that the information would be useful, but in the process the risk of critical PFD being shared with the FinTech Company is a source of concern.
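The permission grab described above can be checked before an app is installed or approved, by reading the permissions it declares in its Android manifest. The following is an added example (not code from the post or from any of the companies discussed) that parses a constructed manifest and flags the permissions through which bank transaction alerts, OTPs and linked accounts become readable. The mapping of each permission to the financial data it exposes is this example's own classification, not a regulatory definition.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that open a channel into Personal Financial Data (PFD).
# The descriptions are this example's own classification (an assumption),
# based on the fact that banks deliver transaction alerts and OTPs by SMS
# and e-mail, as the post notes.
PFD_EXPOSING_PERMISSIONS = {
    "android.permission.READ_SMS": "whole SMS inbox: bank transaction alerts and OTPs",
    "android.permission.RECEIVE_SMS": "every incoming SMS as it arrives, including OTPs",
    "android.permission.READ_CALL_LOG": "call history, e.g. calls to bank helplines",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers linkable to accounts",
    "android.permission.GET_ACCOUNTS": "e-mail and other accounts registered on the device",
    "android.permission.READ_CONTACTS": "contact list (the customer's social graph)",
}

# Permissions whose presence alone makes the app a full financial-history reader.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample manifest (not taken from any real app), modelled on the
# up-front SMS / e-mail / call access pattern the post describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.multibankbalance">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # ElementTree stores namespaced attrs as {uri}local
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml):
    """Map each declared permission that exposes PFD to a description of the exposure."""
    return {
        perm: PFD_EXPOSING_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in PFD_EXPOSING_PERMISSIONS
    }


def risk_rating(manifest_xml):
    """HIGH if the app can read SMS (full transaction history plus OTPs),
    MEDIUM if it reaches any other PFD channel, LOW otherwise."""
    flagged = audit_permissions(manifest_xml)
    if SMS_PERMISSIONS & flagged.keys():
        return "HIGH"
    if flagged:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    print("Risk rating:", risk_rating(SAMPLE_MANIFEST))
    for perm, exposure in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"  {perm}: {exposure}")
```

The same check can be run over a decoded manifest pulled from an APK during an app-store review or a pre-installation privacy assessment; the point is that the financial-data exposure is visible in the declared permissions long before any disclosure or consent screen is shown to the user.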
When one views the Terms and Privacy policies of these FinTech companies, one may observe many anti-consumer clauses with absolutely no warranty on either the information security or even the quality of service.
It was further interesting to observe that if one tries to make a psychological profile of the Company, one is intrigued by the “About Us” page of the Company highlighting the assets of the company, which is captured by the following illustration.
The Company boasts of 5 million downloads in the last three years and a “Google Best App” award in 2015. As a keen observer of Information security practices, the Privacy concerns across the globe and the emerging data protection regulations in India, US and EU, it is difficult to be convinced that a company which is proud of the number of Beers consumed and its Bar Stool strength can be trusted with the financial information of a consumer.
This comment is not meant only against this company since this could be the typical approach of most of these “FinTech” companies which are managed by good techies but without matching concern for information security.
If, on the other hand, the new Data Protection Act of India adopts the strict terms of privacy regulation that an EU commission may expect under PSD2 or GDPR, then most of the Indian FinTech Companies will fail the “Test of Consumer Protection”. The Watal Committee report does focus on Consumer interest, and even the RBI has many times indicated its concern about consumer interest being sidelined by technology based banking software products.
Unless the FinTech Companies include a mandatory Cyber Insurance package under which the users are protected against direct and indirect losses arising out of a data breach caused by use of the service, the Data Protection Commissioner should consider the security “Inadequate” and red-flag the Apps.
PSD2 or GDPR or even the ITA 2008 would basically work on “Consent” and “Disclosure”, followed by other obligations of data protection. However, a “Disclosure” which is incomplete and misleading, and a consent based on clicking the “Continue” button on an App, will hardly satisfy the rigid standards of Consent envisaged under any legal principle.
I therefore urge the members of the FinTech Companies to come out of their “Tech Shell”, understand the disservice they are doing to the community by luring the public into Apps with little or no security, and really introduce some measures, including fair insurance coverage for the users of their Apps along with fair terms and reasonable security.
I also request RBI that its 2015 advisory should not remain merely a formality and should be followed up by a new regulatory measure by the Payment Services Regulatory Board or the RBI committee which oversees these functions, to address the issues of dilution of data security through mobile Apps.
The sooner this happens, the better it is for the Indian public. In the meantime, I also urge the FinTech industry to introspect and generate a “Self Regulatory Mechanism” that would protect the integrity of the industry.
In June 2016, RBI formed a committee under the Chairmanship of Mr Sudarshan Sen (SSWG) which had the scope to review the FinTech industry as it is emerging in India. However, there is no further news on the activities of this Committee. If it is still active, it should take into account the requirements of protecting the FinTech customers of India in terms of data protection standards equivalent to PSD2 and GDPR, through the proposed Indian Data Protection Act or through a notification from RBI, which is revising the PSSA-2007 as recommended by the Watal Committee.