Fintech startups in India are grappling with the potential challenges posed by the Digital Personal Data Protection (DPDP) rules, released last week. While the regulations aim to enhance data privacy and security, industry experts warn that the compliance burden could disproportionately affect smaller players in the burgeoning sector.
The DPDP rules, introduced by the Ministry of Electronics and Information Technology, mandate explicit user consent for data collection and usage, and require companies to implement robust data protection measures. These requirements could increase operational costs for fintech startups, which often operate on tight budgets and rely heavily on data-driven innovation.
"Compliance with the DPDP rules will necessitate significant investments in technology and personnel," said Rajnish Khare, chief digital officer at Union Bank of India. "This could be a major setback for early-stage startups that are still trying to find their footing."
Additionally, the DPDP rules could stifle innovation in the sector. The need to obtain explicit consent for every new product or service could slow the development and rollout of new offerings.
"The constant need to seek consent could hinder the agility and flexibility that are essential for fintech startups to thrive," said a senior executive with a UPI app.
While the DPDP rules are a huge step forward for users in the long term, their immediate impact on fintech startups is a cause for concern, though bigger players could still manage to grow their products and services given their large customer bases.
"Fintech companies, by their very nature, collect and process vast amounts of sensitive financial data, including personal identifiers, transaction records and account information. The DPDP rules require these companies to implement stringent security measures, such as encryption, secure storage and data minimisation practices," said Mayuran Palanisamy, partner at Deloitte.
According to Palanisamy, the DPDP rules mandate that fintech companies obtain explicit and informed consent from customers before collecting or processing their data. This means that users must be fully aware of what data is being collected, and how it will be used, and have the ability to easily withdraw consent at any time. "Implementing clear and transparent consent mechanisms can be particularly complex for fintech companies that offer multiple services or partner with third-party providers," he added.
According to another fintech startup executive, if a company has a partnership with another firm for identity verification or any other financial services for its customers, the former will have to ensure that its partners also follow the DPDP rules.
"Which company owns the beneficiary customer, they have the responsibility. This is tricky and could slow down bank partnerships for several startups. It is difficult to ensure that all your partners follow the DPDP rules," the executive added.
For most fintechs, the challenge lies in making consent management user-friendly and integrated into the customer experience for seamless usage and adoption, said a legal expert specialising in data protection. "Fintech firms will need to invest in robust consent management platforms and ensure that consent is obtained and managed in a compliant manner throughout the customer lifecycle," the executive with the UPI app added.
The DPDP rules also introduce data principal rights, which empower individuals to access, correct or delete their personal data held by fintech companies. Fintech firms will need to establish processes to handle these requests efficiently and within the stipulated timelines.
Onerous provisions
"In some ways, while the sectoral regulations may be more onerous, particularly on data localisation and the prescribed cybersecurity architecture, in other ways—such as the provisions on having a consent manager moderate consent and the ability of the government to limit the nature of personal data (even outside of transactional data) that can be transferred outside the country—they can prove to be restrictive for fintech companies," said Namita Viswanath, partner at IndusLaw.
Moreover, the regulations require fintech companies to implement incident response protocols for timely data breach notifications. This includes notifying affected individuals and the relevant authorities in the event of a data breach.
"Data breaches can have severe consequences for fintech companies, including reputational damage, financial loss and regulatory penalties," said a cybersecurity expert. "Fintech firms must prioritise data security and invest in robust cybersecurity measures to mitigate the risk of data breaches."
According to Khare, while fintech firms can still provide and offer personalised products and services, the consent mechanism means that cross-selling might become difficult. However, most of the companies are not yet using customer data for cross-selling as most of the financial data is with banks.
"The DPDP rules represent a significant first step in this direction, but their successful implementation will require collaboration and understanding between the government, regulators and the fintech industry," the cybersecurity expert added.