Examining ‘Deemed Consent’ for Credit-Scoring under India’s Draft Data Protection Law

By Shobhit Shukla

On November 22, 2022, the Ministry of Electronics and Information Technology released India’s draft data protection law, the Digital Personal Data Protection Bill, 2022 (‘Bill’).* The Bill sets out certain situations in which seeking an individual’s consent for processing of their personal data is “impracticable or inadvisable due to pressing concerns”. In such situations, the individual’s consent is assumed; further, they are not required to be notified of such processing. One such situation is for processing in ‘public interest’. The Bill also illustrates certain public-interest purposes and notably, includes ‘credit-scoring’ as a purpose, in Clause 8(8)(d). Put simply, the Bill allows an individual’s personal data to be processed non-consensually and without any notice to them, where such processing is for credit-scoring.

Evolution of credit-scoring in India

Credit-scoring is a process by which a lender (or its agent) assesses an individual’s creditworthiness, i.e., their notional capacity to repay their prospective debt, as represented by a numerical credit score. Until recently, lenders in India relied largely on credit scores generated by credit information companies (‘CICs’), licensed by the Reserve Bank of India (‘RBI’) under the Credit Information Companies (Regulation) Act, 2005 (‘CIC Act’). CICs collect and process ‘credit information’, as defined under the CIC Act, to generate such scores. For an individual, such information comprises chiefly the details of their outstanding loans and their history of repayment/defaults. However, with the expansion of digital footprints and advancements in automated processing, the range of datasets deployed to generate credit scores has expanded significantly. Lenders are increasingly using credit scores generated algorithmically by third-party service-providers. Such agents aggregate and process a wide variety of alternative datasets relating to an individual, alongside credit information – these may include the individual’s employment history, social media activity, and web browsing history. This allows them to build a highly data-intensive credit profile of the individual (and assign a more granular credit score to them), to assist lenders in deciding whether to extend credit. This not only enables lenders to make notionally better-informed decisions, but also allows them to assess and extend credit to individuals with meagre or no prior access to formal credit.

While neither the Bill nor its explanatory note explain why credit-scoring constitutes a public-interest ground for non-consensual processing, it may be viewed as an attempt to remove the procedural burden associated with notice-and-consent. In the context of credit-scoring, if lenders (or their agents) are required to provide notice and seek consent at each instance to process the numerous streams of an individual’s personal data, the procedural costs may disincentivise them from accessing certain data-streams. Consequently, with limited data to assess credit-risk, lenders may adopt a risk-averse approach and avoid extending credit to certain sections of individuals. Alternatively, they may decide to extend credit despite the supposed inadequacy of personal data, thereby exposing themselves to higher risk of repayment defaults. While the former approach would be inimical to financial inclusion, the latter could possibly result in accumulation of bad loans on lenders’ balance sheets. Thus, encouraging data-intensive credit-scoring (for better-informed credit-decisions and/or for widening access to credit) may conceivably be viewed as a legitimate public interest.

However, in this post, I contend that even if this were to be accepted, a complete exemption from notice-and-consent for credit-scoring poses a disproportionate risk to individuals’ right to privacy and data protection. The efficacy of notice-and-consent in enhancing informational autonomy remains debatable; however, a complete exemption from the requirement, without any accompanying safeguards, ignores specific concerns associated with credit-scoring.

Deemed consent for credit-scoring: Understanding the risks

First, the provision allows non-consensual processing of all forms of personal data, regardless of any correlation of such data with creditworthiness. In effect, this would encourage lenders to leverage the widest possible range of personal datasets. As research has demonstrated, the deployment of disparate datasets increases the incidence of inaccuracy as well as of spurious connections between the data-input and the output. In credit-scoring, the historical data on which the underlying algorithm is trained may lead it to conclude, for instance, that borrowers from a certain social background are likelier to default in repayment. Credit-scores generated from such fallacious and/or unverifiable conclusions can embed systemic disadvantages into future credit-decisions and deepen the exclusion of vulnerable groups. The exemption from notice-and-consent would only increase the likelihood of such exclusion, because individuals would have no knowledge of the data-inputs used, or of the algorithm by which such data-inputs were processed, and consequently no recourse against any credit-decisions arrived at via such processing.

Second, the provision allows any entity to non-consensually process personal data for credit-scoring. Notably, CICs are specifically licensed by the RBI to, inter alia, undertake credit-scoring. Additionally, in November 2021, the RBI amended the Credit Information Companies Regulations, 2006, to provide an avenue for entities (other than CICs) to register with any CIC, subject to the fulfilment of certain eligibility criteria, and to consequently access and process credit information for lenders. By allowing any entity to process personal data (including credit information) for credit-scoring, the Bill appears to undercut the RBI’s attempt to limit the processing of credit information to entities under its purview.

Third, the provision allows non-consensual processing of personal data for credit-scoring at any instance. A plain reading suggests that such processing may be undertaken even before the individual has expressed any intention to avail credit. Effectively, this would provide entities a free rein to pre-emptively mine troves of an individual’s personal data. Such data could then be processed for profiling the individual and behaviourally targeting them with customised advertisements for credit products. Clearly, such targeted advertising, without any intimation to the individual and without any opt-out, would militate against the individual’s right to informational self-determination. Further, as an RBI-constituted Working Group has noted, targeted advertising of credit products can promote irresponsible borrowing by individuals, leading them to debt entrapment. At scale, predatory lending enabled by targeted advertisements could perpetuate unsustainable credit and pose concerns to economic stability.

Alternatives for stronger privacy-protection in credit-scoring

The above arguments demonstrate that the complete exemption from notice-and-consent for processing of personal data for credit-scoring threatens individual rights disproportionately. Moreover, the exemption may undermine precisely the same objectives that policymakers may be attempting to fulfil via the exemption. Thus, Clause 8(8)(d) of the Bill requires serious reconsideration.

First, I contend that Clause 8(8)(d) may be deleted before the Bill is enacted into law. In view of the CIC Act, CICs and other entities authorised by the RBI under the CIC Act shall, notwithstanding the deletion of the provision, continue to be able to access and process credit information relating to an individual without their consent – such processing shall remain subject to the safeguards contained in the CIC Act, including the right of the individual to obtain a copy of such credit information from the lender.

Alternatively, the provision may be suitably modified to limit the exemption from notice-and-consent to certain forms of personal data. Such personal data may be limited to ‘credit information’ (as defined under the CIC Act) or ‘financial data’ (as may be defined in the Bill before its enactment) – as a result, the processing of such data for credit-scoring would not require compliance with notice-and-consent. The non-consensual processing of such forms of data (as opposed to all personal data), which carry logically intuitive correlations with creditworthiness, shall arguably correspond more closely to the individual’s reasonable expectations in the context of credit-scoring. An appropriate delineation of this nature would provide transparency in processing and also minimise the scope for fallacious and/or discriminatory correlations between data-inputs and creditworthiness.

Finally, as a third alternative, Clause 8(8)(d) may be modified to empower a specialised regulatory authority to notify credit-scoring as a purpose for non-consensual processing of data, but within certain limitations. Such limitations could relate to the processing of certain forms of personal data (as suggested above) and/or to certain kinds of entities specifically authorised to undertake such processing. This position would resemble proposals under previous versions of India’s draft data protection law, i.e. the Personal Data Protection Bill, 2019 and the Personal Data Protection Bill, 2018 – both draft legislations required any exemption from notice-and-consent to be notified by regulations. Further, such notification was required to be preceded by a consideration of, inter alia, individuals’ reasonable expectations in the context of the processing. In addition to this balancing exercise, the Bill may be modified to require the regulatory authority to consult with the RBI, before notifying any exemption for credit-scoring. Such consultation would facilitate harmonisation between data protection law and sectoral regulation surrounding financial data.

*For our complete comments on the Digital Personal Data Protection Bill, 2022, please click here – https://bit.ly/3WBdzXg

Cybersecurity in the Financial Sector: An Overview

By Sowmya Karun 

In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.

This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.

In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.

Cyber Security Vulnerabilities in the Financial Sector

The exponential growth in digital payments in India and the push towards a cashless economy have renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking of countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BFSI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45% of financial transactions are being conducted on mobile devices today.

The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted. In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack. Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang, which targeted banks’ internal systems across Russia and Ukraine to conduct a robbery of around $1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.

Cyber Security Framework for Banks

In October 2016, the Reserve Bank of India directed banks to implement a security policy detailing their strategy for dealing with cyber threats and including tangible “cyber-hygiene” measures. This followed a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework in Banks (‘Framework’) in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds, which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.

The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.

Other Measures by the RBI and the Government

The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks - Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI has also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.

Previously, there was limited reporting by banks, as they were reluctant to report cyberattacks for fear of devaluing their brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDRBT’) has been probing vulnerabilities in banks’ security networks. This will enable it to share feedback with banks to improve their resilience. Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks, to share information, and to manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with CERT-In in carrying out audits and other measures to strengthen their cybersecurity systems.

Conclusion

While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive firefighting during crises. Cyber security solutions must be deliberately designed to enable the stemming of cyber attacks in real time. Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi