
Draft DPDP rules: Task cut out for banks as operational challenges loom

Banks engage in cross-selling financial products from their subsidiaries and third parties to their customer base

Subrata Panda, Aathira Varier | Mumbai
Last Updated: Jan 08 2025 | 11:34 PM IST
The draft digital personal data protection (DPDP) rules require banks to obtain explicit consent from their customers before using their data for purposes beyond the original intent. Although this is already being followed in spirit, the rules leave no room for regulatory arbitrage, experts said.
 
They said that the potential business impact is difficult to assess at this stage, but the formalisation of these rules will mean banks now need to establish clear data processing agreements with third-party entities to ensure compliance.
 
Banks engage in cross-selling financial products from their subsidiaries and third parties to their customer base. While consent is typically obtained before sharing customer data for cross-selling, as part of good governance, there have been instances where this norm has not been followed.
 
“Banks and NBFCs were not sharing data without the explicit consent of customers with their subsidiaries. Formal regulations make the requirement very explicit and leave no room for regulatory arbitrage. We do not foresee any business impact as such on account of the regulations. In fact, we see this as a great opportunity to build trust within the financial services ecosystem,” said Vivek Iyer, Partner, Financial Services Risk Advisory, Grant Thornton Bharat LLP.
 
Experts have suggested that the draft rules are positive for customers, as these changes enhance data protection and align with global standards.


 
According to corporate advisor Srinath Sridharan, the worry is whether banks are ready to handle all the operational challenges, as they now need explicit consent before using customer data for purposes beyond its original intent. Except for a few large banks, outliers that have started internal work on being DPDP-ready, the sector is yet to take significant steps.
 
“One would assume that with the draft rules open for comments, the RBI might get the sector to ideate on this, through the Indian Banks’ Association (IBA) to help them prepare for DPDP implementation. This will require investment from banks - financial, technological, process change and training. A playbook of minimum acceptable operational norm could be expected from the regulator soon,” he added.
 
Banks and insurance companies are currently reviewing the draft rules, which have been made available for public comment, and have yet to finalise their views or determine the next course of action.
 
“We are studying the draft rules and will finalise our views in some time. However, for us, since mobilisation of customers is done by bank staff who are qualified for selling insurance, they get the forms filled by the customer with their consent duly signed,” said a senior private sector insurance executive.
 
Meanwhile, a senior private sector banker cautioned that since a lot of business works on cross-leveraging group customers, there could be some leakage if explicit consent is needed.
 
According to Tisha Bhambry, Director Analyst at Gartner, the DPDP rules necessitate the implementation of robust consent management systems that empower customers to give, manage, and withdraw consent easily. Additionally, banks will need to establish clear data processing agreements with third-party entities to ensure compliance. While these changes enhance data protection and align with global standards, they also present both challenges and opportunities for banks to build greater trust with their customers through enhanced privacy measures.


First Published: Jan 08 2025 | 11:34 PM IST
