Custodians Of Financial Data And Its Protection In Indian Framework : Banking Sector

Data protection

INTRODUCTION

In a bank, the customer onboarding process entails collecting personally identifiable information, which can range from non-financial information like names, addresses, e-mail addresses, phone numbers, and social security numbers to financial information like savings, loan accounts, and debit/credit card numbers. Some people may take advantage of such information for their own amusement. Let’s take a closer look at this. Such a breach can occur in a variety of ways. It’s crucial to remember that not every data abuse results in serious consequences for anyone. It is only when personal data is abused that the issue arises.

WHAT IS PERSONAL DATA?

Personal Information/Data under Section 2(1)(i) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, is defined as any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available by a body corporate, is capable of identifying such person.[i]

When it comes to data protection law in India, the country lacks specialised data protection legislation. In the absence of a comprehensive law similar to the General Data Protection Regulation (GDPR) in Europe, customers would have to rely on either the safeguards enshrined in the Information Technology Act, 2000, or the fragmented financial regulations.[ii]

WHAT IS FINANCIAL DATA?

As we have a better understanding of what constitutes personal data, we can see that financial data is likewise an archetype of personal data. Financial data is made up of bits and pieces of information on a company’s financial health. Internal management uses the data to analyse business performance and assess whether tactics and plans need to be changed. People and organisations outside of a business use financial data supplied by the company to assess its creditworthiness, decide whether to invest in it, and evaluate whether it is following regulatory requirements.

THE ISSUE AT HAND

According to the findings of the “BCG Global Consumer Sentiment Survey”, “credit card and bank information” are the most private categories of data internationally.[iii] There is a fundamental change in the way banking is done across the world. Through the rapid adoption of digital technologies, the ‘brick and mortar’ form of banking is being phased out. Banks are increasingly migrating from on-premises infrastructure to cloud-based infrastructure. In the channels arena (e.g., Internet banking, card platforms, point-of-sale terminals, etc.), the initiation procedures are governed directly by the consumer, with suitable security measures. The banking landscape is changing, with banks (especially local cooperative banks) employing their front offices to promote sales, cross-sell, upsell, and provide customer care. These banks give this data to Credit Information Companies. Banks are trying to ensure that their consumer data is not breached or compromised. But what if they are unable to protect consumer data?

CURRENT STATUTORY STATUS

There is as yet no express statute or framework on safeguarding financial data in India, the Personal Data Protection Bill still being in the pipeline. Similar provisions enacted in some existing statutes currently offer some assistance on this issue and fill the lacuna in the law. These include Section 44 of the SBI Act of 1955, Section 13 of the SBI (Acquisition and Transfer of Undertakings) Act of 1980, and Section 29 of the Credit Information Companies Act of 2005, which describe the public financial institutions. The section is applicable to the respective bank as a whole, and its directors, local boards, auditors, advisers, officers or other State Bank workers, and creditors are required to swear an oath of secrecy in accordance with the provisions.


In view of this, in 2006, the Reserve Bank of India, along with several banks of the Indian Banks Association (IBA), established a body called the Banking Codes and Standards Board of India to adopt higher standards of banking practices, extend better customer service and achieve higher levels of customer satisfaction. Chapter 5 of the Code of Bank’s Commitment to Customers deals with ‘Privacy and Confidentiality’. It states that “We will treat all your personal information as private and confidential (even when you are no longer our customer). We will not reveal information or data relating to your accounts, whether provided by you or otherwise, to anyone, including other companies / entities in our group”, thus creating an obligation on every bank to safeguard data and consumer interests.[iv] But no clear provision on penalty has been prescribed.

IMPORTANT PRECEDENTS

In ICICI Bank Ltd. v Umashankar Sivasubramanian[v], the Telecom Disputes Settlement and Appellate Tribunal found ICICI Bank Ltd. negligent in disclosing confidential information such as the customer’s password, specifically stating that Section 43A of the IT Act, 2000 creates a special responsibility to protect sensitive personal data or information in a computer resource and a liability to pay compensation for certain kinds of negligence. Without ever discussing or placing this in the context of privacy, the Tribunal went so far as to suggest that a bank’s electronic records in a computer must have a safe and secure mechanism of access.

In another case, Tournier v National Provincial and Union Bank of England[vi], the Court of Appeal in England established the ultimate law on a banker’s obligation of secrecy to a customer. The Court did, however, identify four exceptions to this rule:

  1. disclosure required by law;
  2. disclosure originating from a public obligation;
  3. disclosure to defend the bank’s interests; and
  4. disclosure with the customer’s express or inferred permission.

The said exceptions are also enunciated in the Code of Bank’s Commitment to Customers.

CONCLUSION

According to the IBM Security Cost of a Data Breach Report 2020, financial services had the third greatest number of security breaches last year, after only healthcare and energy. A breach costs on average $5.85 million.[vii] Our statutes look self-sufficient at first glance, but in reality they were acceptable only a few years ago; with India still without a core personal data framework, dealing with data protection cases has become challenging. India has been trying to fill this gap by enacting and amending the law but has still not succeeded. The quest for greater financial inclusion through fintech adoption is exacerbating these worries about financial data security, especially among the unbanked, who may be more exposed than their urban and financially more savvy peers. To conclude, we must establish a balance between consumer data protection and business, as too much regulation might stifle growth while too little could lead to data theft and mismanagement.

Author: Keval Pankaj Khon, a 4th year B.L.S.LL.B student of SVKM’s Pravin Gandhi College of Law, Mumbai. In case of any queries, please contact/write back to us at support@ipandlegalfilings.com or IP & Legal Filing.

[i] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 of Information Technology Act, 2000, § 2(1)(i), No. 21, Acts of Parliament, 2000 (India)

[ii] Katharine Kemp and Ross P. Buckley, Protecting Financial Consumer Data in Developing Countries: An Alternative to the Flawed Consent Model (2017) 18 Georgetown Journal of International Affairs 35 <www.jstor.org/stable/26395922>.

[iii] The consumer sentiment series. BCG Global. (n.d.). Retrieved July 4, 2022, from https://www.bcg.com/publications/collections/consumer-sentiment-series

[iv] Code of Bank’s Commitment to Customers, Banking Codes and Standards Board of India, January 2018.

[v] ICICI Bank Ltd. v Umashankar Sivasubramanian, 2019 SCC OnLine TDSAT 1561.

[vi] Tournier v National Provincial and Union Bank of England, [1924] 1 KB 461

[vii] Cost of a data breach report 2020. IBM. (n.d.). Retrieved July 4, 2022, from https://www.ibm.com/security/digital-assets/cost-data-breach-report/%23/