This is a collection of Indian legislation that can be used to regulate financial data.
The Information Technology Act, 2000 and Information Technology (Reasonable Security Practices) Rules, 2011
The Public Financial Institutions (Obligations to Fidelity and Secrecy) Act, 1983
The Insurance Regulatory and Development Authority Act, 1999
The Securitization and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002
The Banking Companies (Period of Preservation of Records) Rules, 1985
The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Prepaid Card operations of banks, 2013
Master Circular on Know Your Customer (KYC) norms/ Anti-Money Laundering (AML) standards/Combating of Financing of Terrorism (CFT)/Obligation of banks under PMLA, 2013
Master Direction on Issuance and Operation of Prepaid Payment Instruments
The IT Act, 2000 provides for protection of financial data that falls under the definition of personal information and sensitive personal data or information (SPDI). As per the definitions laid down in the Information Technology (Reasonable Security Practices) Rules, 2011, SPDI refers to, inter alia, passwords and financial information such as bank account or credit card details. Section 43A of the IT Act, 2000 holds body corporates liable to pay compensation in cases where any person experiences wrongful loss or wrongful gain because of the body corporate’s negligence in implementing and maintaining reasonable security practices and procedures. Further, as per Section 72A of the IT Act, a service provider who discloses personal information can be punished with a fine or imprisonment. This provision requires that the disclosure be made without the consent of the data subject or in breach of an agreement with such subject, and with the intent to cause, or knowing that the disclosure is likely to cause, wrongful loss or wrongful gain.
Section 3 of this Act creates the obligation for public financial institutions to maintain the fidelity and secrecy of their constituents, unless they are divulging information for the purpose of efficiently discharging the institution’s functions. Entities to which information can be divulged are limited to the Central Government, the State Bank of India, and any other public financial institution.
Under Section 28 of the BR Act, 1949, the RBI and the NABARD have the power to publish information obtained from banking companies in the interest of the public. However, Section 34A protects banking companies from being compelled to produce or permit the inspection of any books, accounts, documents, or other information that the bank deems to be confidential in nature.
The credit information available with credit agencies is susceptible to misuse as credit agencies may disclose credit information without authority to insurers and employers. Chapter 6 of the Credit Information Companies (Regulation) Act creates a duty for credit information companies to duly protect credit information data against any loss, unauthorised access, or unauthorised disclosure. Additionally, the Act lays down specific “Privacy Principles” that every credit information company (CIC), credit institution, and specified users are expected to adopt.
The information stored with the CICs must be up to date and accurate. The Regulation also prescribes rules for data collection limitation, personal access to the data, retention, data anonymization, disclosure purpose limitation, use of credit reports, monitoring the use of data, notice of collection and rejection, accountability principles, openness, privacy procedures, liability, redressal mechanisms, etc.
Further, the RBI has the power to inspect all the books and accounts of any credit information company or credit institution. Clients can exercise rights over the data stored with the CICs, and can have their data updated at any time.
In 2006, Regulations under this Act were introduced, under which CICs are allowed to:
a) provide information to individual and corporate borrowers;
b) provide data management services to member Credit Institutions;
c) collect, process, collate, and disseminate data/information related to investments made in Securities other than those issued by the Central Government.
Furthermore, unless specified by law, the CICs cannot disclose credit reports without the client’s consent.
The Insurance Regulatory and Development Authority (IRDA) is the nodal authority set up under the Act that has the duty to furnish data to the Central Government as stipulated under Section 20 of the Act. Further, the IRDA specifies the minimum categories of information that must be maintained by insurers.
A number of Regulations have been introduced under this Act, such as the IRDA (Third Party Administrators) Health Services Regulations, IRDA (Sharing of Database For Distribution Of Insurance Products) Regulations, IRDA (Insurance Advertisements and Disclosure) Regulations, IRDA Health Insurance Portability Guidelines, and the IRDA Guidelines on Outsourcing of Activities by Insurance Companies.
This Act, under Section 2A, provides for safeguards to be undertaken by the banks for the security of data available with the banks, and to prevent unauthorised disclosure of information found in a Bankers’ Book.
This Act provides for the monitoring of banking customers and their business relations/financial transactions in order to prevent money laundering. This Act allows proactive disclosure of retained information, disclosure in public interest, and disclosure to foreign powers. The Act also prescribes principles on collection limitation, retention of evidence, procedure for retention, retention of transaction records, maintenance of records, etc.
Under Section 12 of this Act, every banking company, financial institution and intermediary is required to maintain a detailed record of all transactions, and furnish the recorded data to the Director of the Financial Intelligence Unit. These records are to be retained for a period of ten years from the date of transactions.
Additionally, these provisions also require verification and maintenance of records of the identity of all clients, which are to be maintained for a period of ten years from the date of cessation of transactions between the client and the banking company, financial institution or intermediary, as the case may be.
Section 66 of this Act also gives the Director discretionary power to disclose any of this information to any officer or legal authority for the purpose of performing their functions under law.
The Reserve Bank may at any time direct a securitisation company or reconstruction company to furnish statements and information relating to the business or affairs of the corresponding company, as the Reserve Bank may consider necessary or expedient to obtain.
The SARFAESI Act, 2002 provides for storage of information on unpaid debts of secured creditors. Information relating to all transactions is stored by the Central Government in a Central Register, which is made available to the public at all times. The storage of these records is subject to safeguards as prescribed.
Under the FCRA, 2010 the government has the power to call for confidential financial information relating to foreign contributions of individuals and companies for reasons prescribed under the Act. The Government can also mandate proactive disclosure of information.
As per Section 285BA of this Act, the Income Tax authorities are required to collect statements of financial transactions from specified reporting persons.
The Indian Copyright Act prescribes protection of literary works, including large databases of information, which could include financial information. Infringement of the same will attract a penalty under this Act.
As per Section 44, the banks have an obligation of fidelity and secrecy to their customers, and cannot divulge information relating to the affairs of their constituents unless prescribed by law. Further, under this Code the Information Utilities (IUs) are creating a large database of financial information that can be accessed only by specified users.
Section 133 of the Act prescribes punishment for persons engaged in the collection of statistics under Section 151, or in the compilation or computerisation thereof, and for any officer of central tax having access to information, who disclose any information from any return furnished under this Act without authorisation.
Section 152 precludes the disclosure of any information of any individual return without the previous consent in writing of the concerned person or his authorised representative. Authorities under this Act shall have access to information only for the purposes of prosecution under this Act or any other Act. However, the Commissioner is empowered to sanction disclosure of information in public interest.
As per Section 158, all particulars contained in any statement made, return furnished or accounts or documents shall not be disclosed. Such disclosure can only be done in accordance with the provisions of this section. Under Section 159, the Commissioner has been given the power to authorise disclosure of such information in public interest or in relation to any proceedings or prosecution.
The design of GST systems is based on role-based access. The taxpayer can access his own data through identified applications like registration, return, view ledger, etc. The tax official having jurisdiction, as per GST law, can access the data. Data can be accessed by audit authorities as per law. No other entity can have any access to the data.
These Rules were enacted in the exercise of the powers conferred by Section 45Y of the Banking Regulation Act. Section 2 states that every banking company shall preserve its books, accounts and other documents mentioned therein, relating to a period of not less than five years immediately preceding the current calendar year.
As per Rule 3, every banking company or financial institution or intermediary is mandated to maintain records of transactions of the stipulated documents. Rule 5 lays down the procedure and manner of maintaining information. Rule 6 prescribes the rules for retention of records, wherein the records referred to in Rule 3 shall be maintained for a period of ten years from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be. Rule 10 lays down the guidelines for the maintenance of the records of the identity of clients.
The Aadhaar Act provides for the collection of sensitive personal information like biometric data for authentication purposes. While financial information is not collected, due to Aadhaar seeding and linking to bank accounts, a large repository of data is created that gives access to sensitive financial information. A Central Identities Data Repository (CIDR) is created under the Act that stores the data for authentication purposes. Chapter VI of the Act stipulates the provisions for the protection of information. Under this Act, various regulations have been framed, namely the Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations, Unique Identification Authority of India (Enrolment and Update) Regulations, Aadhaar (Authentication) Regulations, 2016, Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data Security) Regulations, 2016.
As per Section 45D of the Act, banking companies are bound to provide credit information to the RBI in relation to any financial arrangement entered into with the banking company. As per Section 45E, such information furnished under Section 45D shall be confidential.
The RBI introduced Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. These prescribe the minimum security baselines to be followed by banks and service providers to ensure confidentiality and security of data. There must be a backup of records available on a cloud computing system. The guidelines also prescribe security steps to be followed, for example – signing of confidentiality agreements, default termination clauses, encryption of data, fraud risk management, etc.
These guidelines mandate the banks to designate a network and database administrator. The guidelines prescribe the security policy, SSL and encryption standards, logging accesses, saving messages, confidentiality, access controls, identification of customers, authenticating records, backups of data, disclosure of outsourcing companies, notification of risks, notification of security breaches, openness of contractual terms, etc.
The RBI issued this Master Circular to provide a framework of rules/regulations/standards/practices to the credit, debit, and prepaid card issuing banks and to the credit card issuing NBFCs to ensure that the same are in alignment with the best customer practices. The Guidelines prescribe security measures including use of direct sales agent/ direct marketing agents, random checks, protection of customer rights, limited disclosure, clear terms of disclosure, consent for disclosure, sharing of information, fair practices in debt collection, etc.
These guidelines were issued to prevent banks from being used, intentionally or unintentionally, by criminal elements for money laundering or terrorist financing activities. The guidelines prescribe measures to be taken to maintain confidentiality of customers’ information, reporting to the Financial Intelligence Unit, Cash Transaction Reports, Suspicious Transaction Reports (STR), Customer Profiles, Unique Customer Identification Codes (UCIC), security mechanisms to prevent terrorism-related transactions, etc.
These guidelines prohibit the banks from collecting customer information for the purpose of cross-selling to third parties, as this would breach the confidentiality agreement between the banks and the customers.
This Code lays down the standards to be followed by banks in order to protect customers and provide maximum customer satisfaction.
As per Clause 2.1.4 of the Code, all personal information is treated as private and confidential. As per Clause 4(c), even third parties providing support services are bound by the same principles of confidentiality and security. Clause 5 lays down the principles and policies to be followed for maintenance of privacy and confidentiality. Restrictions have been placed on the disclosure and use of information. Clause 8.1.1 mandates collection of minimal information, as required to meet statutory requirements, KYC, and Prevention of Money Laundering obligations.
The RBI has issued guidelines for credit card operations of banks. The customer’s rights that these guidelines prescribe in relation to credit card operations primarily relate to personal privacy, rights and obligations, preservation of customer records, maintaining confidentiality of customer information, fair practices in debt collection, customer confidentiality, use of customer information, limited disclosure of information, etc. The consent of the customer is required before the information is used.
As per sub-clause 6.3, the transaction logs are to be stored for a period of up to 10 years after the deletion of an account. Further, clause 15 lays down rules for the security, fraud prevention and risk management framework.
The NPCI governs online payment gateways like RuPay, UPI, BHIM, Bharat BillPay, IMPS, NACH, CTS, NFS, AePS, BharatQR and BHIM Aadhaar. As such, there are no common guidelines laid down to regulate the information collected and stored by these platforms. The NPCI in its Code of Conduct mandates the Director to maintain confidentiality of information concerning the Company’s business or activity to which a Director has access or which is in his/her possession in discharge of his/her official position. Such information can only be disclosed in exceptional situations as prescribed. To further the Company’s business, confidential information may have to be disclosed to potential business partners. It is the duty of the Director to protect the Company’s physical assets, information and intellectual property rights. The NPCI also prescribes steps to be taken for Fraud Risk Management.
The NPCI has released a White Paper on Cyber Security in banking covering Cyber Risk Management and 10 essential security tools. The paper primarily prescribes guidelines for cyber risk management.
RuPay treats MIS and analysis reporting and tracking as an important part of the RuPay Debit implementation process. RuPay provides a number of reports to member banks to facilitate day-to-day operational efficiency.
The UPI platform retrieves customer account details linked with the mobile number in a masked manner, i.e. the UPI app cannot see all the details. This exchange is said to be done over secure banking networks, and UPI claims that this data is not stored.
The security and integrity of customer data in the UPI framework is the responsibility of the PSP/Bank. The PSP Bank should not share any customer data with a merchant unless specified by the industry regulator. No authentication data is shared outside the PSP Bank. The data is classified into “Customer data” and “Customer payment sensitive data” in order to lay down specific safeguards for the SPDI of customers. Customer account balance is classified as customer sensitive data and accordingly shall not be stored or put to any use by either the PSP Bank or a 3rd party for any purpose (internal or external). The storage of customer account balance is not permitted even in encrypted format at the PSP and 3rd party systems/apps.
The NPCI released a circular inviting 3rd party app providers to connect to UPI systems through multiple PSP banks, through a multi-bank PSP model open to large merchants/tech players having access to a large customer base. In the multi-bank API arrangement, NPCI shall provide the NPCI Common Library (CL) directly for integration to the third party app provider on behalf of PSP banks. The app connects to PSP bank systems through the third party app provider’s system using an API over a secure channel. The participating banks must comply with the protections given to customer data and customer payment sensitive data in the multi-bank model. The Circular also prescribes the PSP Bank’s ownership and responsibility. The NPCI T&C, at point 6.2 of the T&C document, emphasise that only the user is responsible for any failed transaction or any loss, and neither NPCI nor the bank can be held responsible.