Synopsis: In this article, we discuss why borrowers are growing concerned about data privacy and security and the ways NBFCs are dealing with their concerns to retain and grow their trust. 

In the aftermath of the COVID-19 pandemic, digital lending has been scaling new heights, spearheaded by Non-Banking Financial Companies (NBFCs) and fintechs. The deepening smartphone and internet penetration and the adoption of digital technologies, complemented by a supportive regulatory environment, have spurred the Indian population to avail themselves of any time, anywhere finance at their fingertips. 

With a 30% share, NBFCs have been playing a dominant role in the digital lending ecosystem, according to the RBI’s working group (RBI WG) report. In fact, NBFCs witnessed a massive 55% rise between 2018 and 2020 in the number of loans sanctioned digitally due to their adoption of technological innovations and a hybrid presence that enables personalization and improved access. 

However, the surge in popularity of digital lending entails its pitfalls—a huge rise in online financial fraud, in particular. The same RBI WG report states that over 600 loan apps are operating illegally. Owing to the extant flouting of rules and uncouth harassment of customers over debt recovery, the RBI has been cracking down on several NBFCs in its strive to maintain trust and stability in the financial system. 

Below, we delve into the burgeoning trust deficit in digital lenders, especially NBFCs, and the recommended measures to enhance data security and privacy to rebuild customer confidence. 

Trust Deficit: The Interplay of Data and Financial Services Access 

Several Indian pockets continue to experience a lack of accessible and affordable finance as traditional banks shy away from reposing their trust in the repayment capabilities of these unserved and underserved sections. NBFCs have been catering to this cohort by offering tailored financial products and services through a mix of their digital apps and physical presence. 

Their relatively simpler decision-making processes, powered by the adoption of big data, artificial intelligence (AI), and machine learning (ML) algorithms, allow for easy lending and deeper consumer and geographical specializations. Collaborating with emerging fintechs (co-lending) and non-financial organizations (embedded finance) has also served as an effective modus operandi to service the last mile. 

But the provision of financial services entails the deployment of advanced analytics models that involve massive data processing and analysis. With Indians increasingly registering on the Aadhaar database, using UPI for payments, and interacting online, vast troves of data are being generated, making us data-rich before we become economically wealthy. 

However, this enhanced data access comes with its pitfalls: data farming and data breaches, as exhibited by the recent Cambridge Analytica scandal. Globally, the average data breach cost was $5.97 million in 2022, without accounting for the loss of trust and reputational damages. 

Consequently, the equation has been flipped, with the credit underserved fearful of providing data access and instead demanding stronger governance measures that ensure the highest data security and privacy. 

RBI’s Measures: Creating Security and Privacy Edifices  

To hone in on unethical data breaches and the resultant erosion of customer confidence in the digital ecosystem, the RBI introduced Digital Lending guidelines (DLGs). By encompassing customer protection, regulatory framework, policy transparency, and technology and data requirements, among other things, under their ambit, these guidelines aim to propel financial innovation further without compromising consumer trust. 

• The RBI mandates that digital lending apps (DLAs) only collect data on a need-basis with the borrower’s explicit consent and maintain adequate, clear audit trails. Besides, borrowers must have the option to select the specific data they wish to share with the NBFCs, along with the provision to revoke their consent at any time and have their data removed permanently. 

• Regulated NBFCs must also refrain from accessing the borrower’s call logs, files, and media from their mobile phones when onboarding clients. Unless required by law or explicitly consented to, a client’s personally identifiable data cannot be shared with third parties, thereby invoking consumer confidence. 

• Digital lenders have also been made liable to ensure data security at all times, further disallowing any sensitive, personal, and biometric data storage unless necessary for running operations. Moreover, all data must be stored on the Indian network in compliance with the regulatory measures. 

• The RBI also requires NBFCs to have publicly available privacy policies that disclose which third-party vendors can access their clients’ information. Additionally, digital lenders must maintain cyber hygiene by protecting their systems against malware, phishing attempts, social engineering attacks, and more. 

That’s not all; to ensure higher security, the RBI has introduced the framework of tokenization and anonymization of identifiable information. It has also been taking steps to improve financial literacy among the masses so that they remain privy to how their data is collected, used, and stored by financial institutions. 

India Stack: Mitigating Trust Issues with Account Aggregator Framework 

Typically, the digital loan lifecycle involves multifarious touch points from onboarding to collection, spanning across NBFCs, SaaS providers, and borrowers, which heightens data security risks, including identity theft and manipulation of customer biases to offer unfavorable products. The Account Aggregator (AA) framework, which is built on India Stack, was launched to stem any data leaks by weaving the “privacy by design” concept into the system. 

As the AA system empowers borrowers to share consent-driven data across banking, insurance, tax, pensions, and securities with the lenders, it helps build a holistic view of the client, enabling better provisioning of financial services. However, since the data is not stored in the AA network and the customer retains the right to withdraw his consent, they are assured of no unauthorized data sharing and privacy violations. 

The Way Forward: Building Long-Term Trust in NBFCs 

As NBFCs play an instrumental role in advancing financial inclusion, efforts have been made to streamline their data access, data management, and privacy policies. Given the constantly evolving financial landscape and the RBI’s insistence to update “travel rules” for data in tandem, NBFCs must stay abreast of the changing regulations and ensure the highest compliance. Working with RBI-regulated entities is another way to encourage customer confidence. 

Furthermore, NBFCs must implement transparent policies, offer customer support and redressal mechanisms, and have mechanisms to notify and deal with data breaches to build consumer trust. Employing advanced encryption techniques, two-factor authentication, blockchain technology, and biometric authentication methods are other ways to ensure data security. AI and ML can also be deployed for better risk management in conjunction with periodic security audits. 

Finally, digital players must move beyond mere data protection to data empowerment. Disseminating data and privacy clauses’ information in vernacular languages and enabling localized consent is a surefire way to build customer relationships. Adhering to the UN Principles for Responsible Digital Payments and the forthcoming Digital Personal Data Protection Act will also pave the road to long-term consumer trust.