New Delhi: India needs a robust regulatory framework to deal with multiple challenges emanating from increasing number of players sitting in different geographical locations getting involved in open banking operations, feel experts.
Open banking refers to sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, including those that provide real-time payments, greater financial transparency options for account holders, marketing and cross-selling opportunities.
Sivarama Krishnan, Partner & Leader, Cybersecurity, PwC India, pitched for a three-level governance model to deal with the security issues concerning open banking, stressing that with open API (application programming interface) and disruptive innovations regulated entities will integrate even deeper with the external world.
“We need governance at three levels – broad country-level privacy framework (minimum principles to be met by all entities of certain size and above), individual regulatory framework for specific industry-related use cases around privacy requirements and organisational to evolve data protection techniques which help protect the data which can be shared for processing purposes with third parties,” he said.
Regulated entities then can mandate the data protection techniques to be followed by critical ecosystem partners who process sensitive data security for them, he added.
At a webinar on ‘open banking’ organised by Tata Consultancy Services (TCS) in association with the Embassy of India in Brazil recently, Reserve Bank Deputy Governor M Rajeshwar Rao had said that technological innovation in banking is of paramount importance but cannot be pursued at the cost of customer privacy and data protection which are non-negotiable.
Prakash Shetty, Head of Operations, Compliance and CS, Clix Capital, said open banking is still in its nascent stage of development at least in India and in some other similar developing jurisdictions.
“A comprehensive regulatory framework, covering eligibility criteria for participants, SOPs to maintain basic operational ethics, customer safety standards and all by keeping the dynamic nature of the industry in mind can solve a big range of issues, which RBI deputy governor has raised,” Shetty said.
Indian legislators, he added, had recently updated the data protection laws with a principle that customers own their data and have the right to control it.
“This can be a substance for an open banking framework; however, we expect specific guidance over system security protocols, open API standards and other technical specifications,” Shetty said.
Dhruv Matta, Principal Associate, Lakshmikumaran & Sridharan Attorneys, said: “Privacy in India is currently a paper-based right and to operationalise effective enforcement of this right, a national privacy legislation is the need of the hour.” He said that pending passage of the Personal Data Protection Bill, 2019 by Parliament, the sectoral regulators like the RBI should ensure that the consent models and privacy safeguards mirror the requirements mentioned in the Bill.
This, Matta added, will ensure better privacy standards for consumers and will ease the transition with the compliance requirements of the proposed legislation.
India kickstarted its approach to open banking by enabling an intermediary which will be responsible for the customers’ consent management. These intermediaries are licensed as Non-Banking Financial Companies.
In September 2016, the RBI announced creation of a new licensed entity called Account Aggregator (AA) and allowed them to consolidate financial information of a customer held with different financial entities, spread across financial sector regulators.