The digital lending landscape has witnessed a tremendous boost, especially during the Covid, which has shifted borrowers online searching for viable loan products online.
Fifty-seven per cent of consumers prefer internet banking, according to the latest World Retail Banking Report. That’s nearly half the world’s commercially active population reaching out to online banking channels. So, of course, this has given rise to banks and NBFCs taking the online route for offering and processing loans.
However, every development has its downsides, and this one is no different. Increased digital lending penetration means more personal and sensitive financial data being transferred over the internet, which has raised valid concerns around data privacy amongst the stakeholders. However, 87% of consumers said data privacy is a human right, according to a study published by KPMG in 2020.
So, how are banks, NBFCs, and other lending institutions planning to safeguard their customers’ critical data and handle data privacy issues that creep up during day-to-day lending operations? Some of these concerns have forced institutions worldwide to consider data privacy — an indispensable aspect while giving out loans.
Digital Lending and Rising Concerns around Data Privacy
The lending space has seen a considerable inclination towards digital routes for sourcing credit. As a result, 55% of the buyers use online tools for all their credit needs. In fact, by 2022, smartphones are expected to meet six out of ten transactions for personal loans and seven out of ten transactions for other retail loans. This means roughly 40 – 60% of loan purchase transactions across loan types are influenced via digital channels.
The digital lending sector is expected to become the highest penetration sector by digital channels in India by 2023, with a growth rate of 48% and an increased valuation of $350 billion from an earlier valuation of $110 billion in 2019.
These big numbers are sure to boost the lending ecosystem and bring out rising concerns around data privacy.
According to a global economic crime survey, cybercrime has surged like never before, parallel to the digitisation boom. And cybercrime (including data breaches) is now the top recorded financial crime. In addition, cybercriminals have discovered new ways to attack and breach data as the world has gone digital.
Banks in India have been targeted by organised criminals and hackers regularly. It was demonstrated in a recent instance involving Canara Bank, in which a hacker attempted to stop some of the bank’s e-payments by putting a rogue page on the bank’s website.
Hence, as a solution, lending institutions need to partner with fintech to provide data privacy solutions. Data should be treated as ‘currency’, and they must adopt data-driven lending programs to predict borrowers’ lending patterns and credit behaviour.
Customer data and privacy are sacrosanct to ethical digital lending endeavours. Institutions that have been able to deploy effective data management practices focused on safeguarding their customers’ data have seen better customer loyalty.
This development is riding on the fact that consumers are now increasingly aware of their rights in and around their shared data across several platforms.
What Threatens Data Privacy in Digital Lending?
Digital lending has been under the scanner for various data privacy issues that may crop up, putting important, private information at risk. This renders data privacy an indispensable part of the whole lending ecosystem.
However, specific issues threaten the very possibility of implementing proper data privacy protocols at the grass-root level. Some of them are as follows:
1. Low importance
Data breaches are underrated when in fact, they are of high priority. But, unfortunately, they are neglected in budgets and do not enjoy as much support from the top management.
2. Lack of Awareness
Since institutions accord low priority to data privacy issues, people generally lack awareness about its critical aspects. Moreover, most firms fail to invest in proper training and understanding of the same amongst their employees.
3. Mobile Phones
Mobile phone transactions have shot up significantly, especially for people who prefer cashless banking. Unfortunately, this has given a breeding ground for hackers to execute different frauds, which lead to data breaches.
4. Social Media
One of the major platforms used by exploiters to steal customers’ private data is social media channels. As more and more people share their confidential information online today, data privacy is under serious threat.
Data Privacy Legislations
It would be apt to shed light on the fact that data acquisition is an integral part of lending operations, and it is impossible without the same. Therefore, the typical lifecycle of a loan will entail multiple steps, which will involve collecting, processing and analysing data.
This forms an essential checkpoint for the lending entities to determine borrowers’ creditworthiness and customise their offerings according to their loan needs.
Coming back to increasing consumer awareness, several countries are taking the initiative to enforce appropriate data privacy laws, including India.
The European GDPR rules, for instance, are the current gold standard in terms of personal data security policies and are backed by big tech giants like Apple and Google.
India’s Personal Data Protection (PDP) Bill 2019, has brought in its wake specific laws that have managed to transform the lending norms for banks, NBFCs and the various fintech companies that exist in the lending ecosystem.
Eight Keys to Stay Data Privacy Complaint
Since a lender has a fiduciary duty to its consumers, they must work with third parties who adhere to the highest data security standards to secure their customers’ complete data privacy.
All enterprises that want to succeed in this new data economy must adopt best-of-breed encryption (symmetric and asymmetric capable) standards like AES/PGP for both data in motion and at rest, advanced 2FA security models, frequent VAPT/data security audits, and vendor evaluations as baseline standards.
Here are certain compliances that lenders need to adhere to according to the rights drafted in the PDP Bill:
#1. Understand the Importance of Security
The importance of security and security systems needs to be excited significantly within the banking and other such institutions. Only when security is looked at as a plus for regulatory compliances can the mindset of relegating it as a cost will be shed.
#2. Invest in Emerging Technologies
Banking and lending institutions need to invest accordingly into technologies that can identify malfunctions and predict possibilities of frauds that can occur at various data points.
#3. Generating consumer awareness
It is one of the most crucial areas where the consumer must be made aware of the importance of not giving their banking credentials to anyone. They must notify the Cybersecurity cell as soon as possible if they notice anything suspect in their transactions or bank account.
#4. Informed Consent
Lenders need to have the explicit and informed consent of the customers before any of their data can be used for processing. Therefore, implied consent by the lenders is not a valid ground for the usage of personal data.
“Consent must be freely given, specific, informed and unambiguous for processing of personal data.” — EU GDPR
#5. Specific Purpose
The data collection should be limited to the extent that is required and necessary for processing. For example, the collection of data for reasons not known or not declared is not allowed.
#6. Data Erasure
Once the purpose of the collected data is met, the data principal or the customer has the right to ask for the erasure of the data.
#7. Data Portability
Once the data has been used for the required purposes, data principals possess the right to receive a copy of their data in a structured and machine-readable format.
The above compliances will affect the following steps required in a typical lending situation.
#8. KYC Process
KYC or Know Your Customer process is the fundamental and preliminary step of any lending operation. Based on the documents required to execute the KYC guidelines, which are identity proof and address proof, KYC can be classified as a consent-based process.
Besides, the customers can request complete erasure of their data once the loan has been repaid. They can also request a copy of their data in the digital format because eKYC and VideoKYC are widely adopted across institutions.
Sticking Together with Regulations
To conclude, it would not be wrong to say that ‘Data serves as the oil running the wheel of current digital businesses’. Therefore, for lending institutions, safeguarding and protecting their customer’s data in a manner that their data privacy remains intact should be of utmost priority.
Emerging technologies such as blockchain, AI, ML and other risk management models will have a huge role to play in carving out data security strategies in this regard.
However, lending institutions need to stick to their guns and avoid data breaches from occurring at all times by adhering to data privacy laws and guidelines, which will only help them eliminate unnecessary legal fuss.
A futuristic approach that ensures an enhanced and safe lending ecosystem will go a long way in tackling data privacy concerns for all stakeholders.