In banking, and commercial banking in particular, outsourcing information technology services calls for careful handling of customer personal data: not only to comply with India's new digital privacy law and sectoral requirements, but also to preserve the business's competitive edge.
Outsourcing in the banking sector is primarily governed by the Reserve Bank of India's (RBI) 2023 Master Direction on Outsourcing of Information Technology Services, which applies to all 'regulated entities'. Although the Master Direction predates the notification of the Digital Personal Data Protection Act, 2023 (DPDP), its requirements shape how both the regulated entity and the outsourced service provider implement the DPDP.
'Regulated Entities' covered by the Master Direction are broadly: banking companies, primary co-operative banks, NBFCs, credit information companies such as CIBIL, sectoral financial institutions such as EXIM Bank and NABARD, and foreign banks operating in India through branches.
Services outsourced by the banking industry form a large bucket, but some providers, third-party application providers among them, may have access to large amounts of customer personal data; how much depends on whether the provider runs a hosted service or only licenses the application for the bank to run itself. With the proliferation of Software as a Service (SaaS, a cloud delivery model in which applications are hosted by a third party and accessed over the internet) and Platform as a Service (PaaS, a cloud computing platform on which customers develop, run and manage applications without investing in their own infrastructure), the business case is undeniable: savings on development cost and manpower, access to up-to-date security controls and features, and shorter time to market. However, extensive outsourcing carries risks, including loss of control over proprietary and customer data.
Key aspects the Regulated Entities and the Service Providers (SP) must note in outsourcing arrangements:
Understanding Platform Data Access
Regulated Entities must obtain documented clarity from the SP on the level of access to customer data that the SP will have. Access levels vary with the nature of the platform and the design of the service, including between SaaS and PaaS offerings: a hosted service that stores and processes customer records gives the SP far more access than an application licensed to run inside the bank's own environment. Understanding this is critical to building appropriate governance and contractual protections.
Privacy Program
Regulated Entities must design their own privacy compliance program for application-based services rather than relying solely on a package supplied by the SP. The SP's package may add value and save costs, but it will be optimized for the SP's own efficiency, not for the Regulated Entity's obligations.
Customer data management practices can differentiate a business from competitors, enhance customer trust and provide a competitive advantage. Financial penalties under the DPDP are also high, extending up to INR 250 crore, and they fall on the Regulated Entity as the 'data fiduciary', not on the SP as the 'data processor'. Together with the reputational damage that a breach or prosecution can cause, this makes thorough oversight of the SP's privacy protection critical.
SP platforms that process personal data on behalf of clients should be designed to provide a robust level of technical compliance with the DPDP. For consumer-facing services, beyond security, SPs must technically enable the client to meet its DPDP obligations: handling data access requests, erasure, correction and updating of personal data, and consent withdrawal. The platform should also be capable of integrating with consent managers.
Consent Notices
For the Regulated Entity, drafting consent notices that maximize opt-in consent to non-essential processing, such as marketing and cross-selling of products, will matter commercially. Effort and skill are needed to differentiate these notices from run-of-the-mill drafts while still meeting the stringent requirements of the DPDP. These notices must be controlled by the Regulated Entity, not the SP.
Customer Insights and Cohorts
Customer data is invaluable to sustaining and growing a business, and inadequate attention to it can hand painstakingly gained business advantages to the competition.
One area where SPs can benefit, particularly those with visibility of customer usage across multiple Regulated Entities, is creating customer insights. This is often done through 'cohorts': transactions and usage patterns are analyzed to produce generalized but revealing analytics on particular trends. Examples include the success of a client's new marketing program or product, measured by the uptick in adoption of a service or feature; the number of customers using a premium credit card; the number of high-spending or high-net-worth (HNI) customers of a bank; and spending patterns. The possibilities are endless.
The upside for the SP is that cohort-based insights, where genuinely aggregated and unable to identify individuals, are unlikely to fall foul of the DPDP, and the SP may be free to sell them to competitors or other industries unless the contract prohibits it. The caveat is that aggregation alone does not guarantee anonymity: a cohort with very few members (for instance, a single premium-card holder at a small bank) exposes that individual's figures as its 'aggregate', and small cohorts can be combined with other data to re-identify people.
The significant downside for Regulated Entities is that the SP may monetize deep insights into their user base, to the benefit of competitors. Such finer points often get missed because of an excessive focus on compliance without an understanding of the myriad ways in which customer data can be exploited.
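The small-cohort problem above is easiest to see with numbers. The following is an added illustration, not code from the original article or from any bank or SP: it builds cohorts from a constructed set of synthetic customer records, flags cohorts of size one (whose "aggregate" is a single person's exact spend), and applies an assumed minimum-cohort-size threshold before release. The threshold value and the record layout are assumptions for the example, not requirements drawn from the DPDP or the Master Direction.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (synthetic customer ids and amounts, not from any bank).
# Each record: (customer_id, bank, card_tier, monthly_spend_inr)
RECORDS = [
    ("c001", "BankA", "premium", 410_000),
    ("c002", "BankA", "premium", 385_000),
    ("c003", "BankA", "premium", 450_000),
    ("c004", "BankA", "premium", 395_000),
    ("c005", "BankA", "premium", 420_000),
    ("c006", "BankA", "standard", 38_000),
    ("c007", "BankA", "standard", 42_000),
    ("c008", "BankA", "standard", 35_000),
    ("c009", "BankA", "standard", 47_000),
    ("c010", "BankA", "standard", 40_000),
    ("c011", "BankB", "premium", 2_900_000),   # the only BankB premium customer
    ("c012", "BankB", "standard", 31_000),
    ("c013", "BankB", "standard", 36_000),
    ("c014", "BankB", "standard", 33_000),
    ("c015", "BankB", "standard", 39_000),
    ("c016", "BankB", "standard", 34_000),
]


def build_cohorts(records):
    """Group records by (bank, card_tier); return count and mean spend per cohort."""
    groups = defaultdict(list)
    for _cid, bank, tier, spend in records:
        groups[(bank, tier)].append(spend)
    return {key: {"count": len(v), "mean_spend": mean(v)} for key, v in groups.items()}


def singleton_cohorts(cohorts):
    """Cohorts with exactly one member: their 'aggregate' is one person's exact value."""
    return sorted(k for k, s in cohorts.items() if s["count"] == 1)


def release_cohorts(cohorts, k_min):
    """Return (released, suppressed): cohorts with fewer than k_min members are withheld.

    k_min is an assumed policy threshold chosen for this example, not a statutory number.
    """
    released, suppressed = {}, []
    for key, stats in cohorts.items():
        if stats["count"] >= k_min:
            released[key] = stats
        else:
            suppressed.append(key)
    return released, sorted(suppressed)


if __name__ == "__main__":
    cohorts = build_cohorts(RECORDS)
    print("re-identifying singleton cohorts:", singleton_cohorts(cohorts))
    released, suppressed = release_cohorts(cohorts, k_min=5)
    for key, stats in sorted(released.items()):
        print(key, stats)
    print("suppressed before release:", suppressed)
```

With no threshold (`k_min=1`) the BankB premium cohort is published with a mean of INR 29 lakh and a count of 1, which is simply customer c011's spend under another name; with `k_min=5` that cohort is suppressed and only the four-figure-member cohorts are released. A threshold of this kind is the minimum check a Regulated Entity should expect in an SP's analytics pipeline, and the contract should say who sets it.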
Audit and Assurance
Regulated Entities are already required under the Master Direction to ensure robust audits and governance of SPs. They must also ensure that their IT outsourcing policy and organizational governance program, along with the roles of the Board and senior management, are extended to cover DPDP compliance. The contract with the SP must be amended to include privacy compliance and data protection audits.
Breach Notifications
The DPDP adds a personal data breach notification requirement on top of the existing obligations to report security and cyber incidents to the RBI and to the Indian Computer Emergency Response Team (CERT-In). The definition of 'personal data breach' under the DPDP is expansive: it covers accidental disclosure, destruction and loss of access, in addition to unauthorized access. The contract with the SP must define a breach at least as broadly, set notification timelines that leave the Regulated Entity room to meet its own deadlines, and provide penalties and indemnities for a failure to notify. The second-highest slab of financial penalties under the DPDP, up to INR 200 crore, applies to a failure to notify the Data Protection Board and the affected data principals of a personal data breach.
Data Portability
In addition to the Master Direction's requirements on transitioning outsourced services when a contract ends, Regulated Entities should consider including a 'data portability' requirement in the SP contract for migrating customer personal data to a new SP or back in-house. This will be more effective if based on an industry standard that allows customer personal data, preferences and profiles to move to the next SP without loss, enabling a seamless transition of services. Portability is not currently a requirement under the DPDP. The RBI's 'account aggregator' framework could possibly be leveraged to create such an industry standard.
Robust Contract
Regulated Entities must expand the contract with the SP to include a detailed personal data compliance, assurance and governance framework, along with appropriate reporting mechanisms, audit provisions, financial disincentives, incident notification and remediation, and indemnities.
Relying solely on contractual remedies is not enough and does not make up for the absence of an effective audit and assurance program, since many SPs will not have the financial capacity to make good on contractual promises if they breach.
For SPs, it is important that liability is ring-fenced and commensurate with their role and earnings as a service provider. Blanket indemnities and unlimited liability should be avoided as far as possible; a poorly negotiated contract can be a death sentence for a business. SPs should also avoid accepting responsibility for interpreting and implementing the regulations that apply to the client. The Regulated Entity must be the party that interprets regulatory requirements and agrees with the SP on the technical solution to be implemented.
The DPDP will add compliance obligations and some challenges for banks in handling customer personal data. However, being already heavily regulated and accustomed to strict rules and supervision, Regulated Entities are well placed to implement a DPDP compliance program without material disruption.
Given the requirements under the DPDP and the large financial penalties, privacy and data protection should be implemented and monitored as part of a board-driven initiative by Regulated Entities. The RBI has also enhanced vigilance and enforcement measures and underscored the importance of compliance for businesses operating across the financial sector.
Where IT services are outsourced, Regulated Entities must extend their existing governance and audit framework to cover DPDP compliance. Regular technical and security audits will be crucial both for assuring the SPs' compliance and for securing any competitive advantage that comes from protecting customer data as a whole, not only customer personal data. When it comes to privacy and data protection, compliance needs to be built in by default so that the business rests on legally sustainable products and services.
About the authors: Avinash Kumar Khard is a Partner and Abhishek Mitra is a Counsel at DSK Legal.