The RBI recently cracked the whip on banks and NBFCs for allowing third-party fintech companies access to the credit information of their customers. It shot out a letter, dated 16 September 2019, to banks and NBFCs, bringing to their notice what appears to have been a prevalent practice of sharing consumer credit information from Credit Information Companies (CICs) directly with fintech firms. The RBI reinforced that such information sharing was not allowed, citing several provisions of the law, and required banks and NBFCs to confirm the measures taken to ensure compliance within 15 days of the letter from the RBI.

In its letter, the RBI said it found that banks and NBFCs had appointed agents, such as fintech firms, and allowed them to access the credit information bureau database. Such actions are against the Credit Information Companies (Regulation) Act, 2005 (CICRA), it said, warning of sanctions if any of the regulated entities breached its order.

Credit Information Companies, Financial Institutions, Fintech Companies And A Whole Lot Of Customer Credit Information

India has 4 credit information bureaus - TransUnion CIBIL™, Equifax, Experian, and CRIF High Mark. These credit information bureaus are directly regulated by the RBI’s Department of Banking Operations and Development. Under the 2005 Credit Information Companies (Regulation) Act (CICRA), banks and NBFCs are required to report every retail loan taken by a consumer to all four credit information bureaus. They also need to keep these credit agencies up to date on the consumer's repayment behaviour. This allows lenders to use this data to evaluate customers before issuing loans. According to RBI's outsourcing policies for NBFCs and commercial banks, customer data is expected to be kept in confidence. So, what is the story behind the letter sent out by RBI?

The latest trend in digital lending depends heavily on automated processes set up by fintech companies. When an applicant uses the fintech company’s platform to check their loan eligibility, it asks for some basic information like PAN card or Aadhaar number. With this information, the fintech company may source the information from any one of the credit information databases to calculate the eligibility rate using one of its own algorithms. This method in turn works on a partnership between the fintech company and the financial institution, where the fintech company is the sourcing partner, and the NBFC is the funding partner. The fintech companies are able to access the credit information bureau’s database by entering into partnerships with banks and NBFCs. This is where the RBI has raised its concern. Technically, by allowing these fintech companies to access consumer information, are the banks and NBFCs breaching customer confidentiality?

Let’s find out. 

Confidentiality Of Credit Information

In the event that any customer information is disclosed without a legal obligation on the part of the lender to disclose, it should be construed as wrong. We all have bank accounts and by the very nature of it, whether you like it or not, your banker has access to all your financial information. This we allow in good faith. However, when a banker allows third-party access to this confidential information, it can very well be a breach of confidentiality.

This principle, developed as early as the 1920s in UK courts, is followed in India too. In an old case pertaining to 1987, it was upheld that compulsion to disclose must be confined to the regular exercise by the proper officer of actual legal power to compel disclosure.

This point was well discussed during the setting up of credit information bureaus in India. The 1999 RBI Working Group, set up specifically for this purpose, discussed the issue of consumer confidentiality even then. The Working Committee, under the chairmanship of N.H. Siddiqui, recommended that guidelines be put in place to protect customer confidentiality, as was the case all over the world, by setting up regulatory controls on information sharing by credit bureaus. An excerpt from the original report:

“The Credit Information Bureaus, all over the world, function under a well-defined regulatory framework. Where the Bureaus have been set up as part of the Central Bank, the regulatory framework for collection of information, access to that information, privacy of the data, etc., is provided by the Central Bank. Where Bureaus have been set up in the private sector, existence of separate laws ensure protection to the privacy and access to the data collected by the Bureau. In the U.S.A. where Credit Information Bureaus have been set up in the private sector, collection and sharing of information is governed by the provisions of the Fair Credit Reporting Act, 1971 (as amended by the Consumer Credit Reporting Reform Act of 1996). The Fair Credit Reporting Act is enforced by the Federal Trade Commission, a Federal Agency of the U.S. Govt. In the U.K., Credit Bureaus are licensed by the Office of Fair Trading under the Consumer Credit Act of 1974. The Bureaus are also registered with the Office of the Data Protection Registrar, appointed under the Data Protection Act, 1984 (replaced by the Data Protection Commissioner under the new Act of 1998). In Australia, neither the Reserve Bank of Australia nor the Australian Prudential Regulation Authority (APRA) plays a role in promoting, developing, licensing or supporting Credit Bureaus. APRA holds annual meetings with the major Bureaus in Australia. The sharing of information relating to customers is regulated in Australia by the Privacy Act. This Act is administered by the Privacy Commissioner, who is vested with the responsibility of framing guidelines for protection of privacy principles and to ensure that Bureaus in Australia conform to these guidelines. In New Zealand, a situation similar to that of Australia exists. In Sri Lanka, the Bureau was formed by an Act of Parliament at the initiative of the Central Bank. 
A Deputy Governor of the Central Bank is the Chairman of the Bureau in Sri Lanka and the Bank is also represented on the Board of the Bureau by a senior officer. In Hong Kong, the Hong Kong Monetary Authority (HKMA), though not being directly involved in the setting up of a credit referencing agency has issued directions to all the authorised institutions recommending their full participation in the sharing and using of credit information through credit referencing agencies within the limits laid down by the Code of Practice on Consumer Credit Data formulated by the Privacy Commissioner. HKMA also monitors the effectiveness of the credit referencing services in Hong Kong, in terms of the amount of credit information disclosed to such agencies, and the level of participating in sharing credit information by authorised institutions.”

What Is The Impact Of This Order On Fintech Companies?

At the outset, it is expected to have a significant impact on the business models of fintech companies, as many of them rely on the data to evaluate customers when applying for loans. Important players to be affected include online marketplaces, IT companies, analytics firms and institutional agents. SIDBI’s PSB Loans in 59 Minutes platform could be impacted due to this new guideline.

Current Guidelines On Sharing Credit Information

The CICRA already has guidelines in place regarding the collection, processing and sharing of customer credit information. It has clearly defined that banks and NBFCs must expound on the purpose of obtaining information, guidelines for access to credit information of customers, restriction on the use of information, procedures and principles for networking of CICs, credit institutions and specified users, etc. 

In addition, CICRA does not allow anyone other than the authorized person access to credit information. Other authorized entities who may be allowed access to this information include insurance companies, IRDAI, cellular service providers, rating agencies and brokers registered with SEBI, SEBI itself and trading members registered with Commodity Exchange.

This list does not include fintech companies or technology service providers among those authorized to access this information, and giving them such access is hence a clear violation of CICRA.

It should be understood that RBI is not trying to make a new law regarding sharing credit information but is only reiterating the existing clauses in an existing law. These guidelines have been an integral part of CICRA itself. RBI wants to caution banks and NBFCs about disregarding some provisions of the law in their eagerness to expand their business. 

Conclusion: Consumer confidentiality is inherent to the finance market. Consumer ignorance of these matters has emboldened financial institutions to indulge in such practices, putting customer privacy at risk. Consumers are too attracted by the mirage of instant loans and low interest rates on the internet to bother about sharing their information with fintech companies. After all, who doesn’t like a little extra purchasing power! It is important to understand what you are allowing the fintech companies to access and its impact on your data privacy. Though this guideline puts the very existence of fintech start-ups in question, RBI's attention towards this issue is pertinent and timely. It is also worth noting that a few new start-ups have done well by moving away from the traditional pure-play loan sourcing business by securing their own NBFC license and turning to their own books.