Podcast transcript: Digital Personal Data Protection Act: How fintech companies are dealing with new data security challenges
09 min | 20 September 2023
In conversation with:
Aniket Bhosle
EY India Cybersecurity Consulting Partner
Pallavi: Welcome to a new episode of the EY India Insights podcast series on ‘Gateway to data privacy and protection’. I am Pallavi, your host, and today we delve into the evolving landscape of data security challenges in the fintech sector. Joining us is an esteemed guest, Aniket Bhosle, Cybersecurity Consulting Partner at EY India. Aniket's expertise spans vital domains, including payment security teams, secure architecture, and innovative IT security services. He skillfully analyzes risk factors, designing secure architectures for diverse businesses. With 14+ years of experience, Aniket optimizes security operations and enhances customer data protection with his understanding of finance-technology intersection. Welcome to our podcast, Aniket.
Aniket: Thanks Pallavi. Pleasure to be here and share my thoughts with you.
Pallavi: FinTech firms (fintechs) have become ubiquitous to banks, insurance companies and NBFCs, but they are also facing data challenges. Could you tell us about the current data security challenges that fintechs are facing?
Aniket: FinTechs have opened up numerous possibilities to enable the growth of the financial services sector— not just in India, but globally as well. Today, some of the leading banks or NBFCs in our country have more than one fintech partner that they work with. This has opened up these organizations’ technical perimeter to fintechs and they are dependent on the fintech security practices as well. As this perimeter opens up, data flows in and out of the fintechs’ setup seamlessly without even the end customer knowing where the data is, in most cases. Depending on the fintech’s hosting model, data security, and in general, the security challenges that emerge will vary depending on the relationships. Data discoverability and knowing what data flows where is one of the primary challenges.
If you look at data protection, whether it is about classifying the data or encrypting the data elements or even tokenizing them, it is one of the challenges that needs to be addressed. This is complex for a fintech (to do) as different organizations that they cater to may have their own policies and control requirements.
Sharing of encryption key was yet another challenging area for fintechs, particularly (with) the banks. But in the recent past, a few fintechs have started providing access to the keys or are using the client’s key to encrypt the data.
Pallavi: Thank you for outlining those challenges, Aniket. Adding to the earlier question, lending fintechs have gathered a lot of data from consumers. How safe is the data?
Aniket: In the account aggregator ecosystem of our country, initiatives like Open Credit and Enablement Network or OECN are changing the way in which credit is given. The kind of data decisions that some of the fintechs take are as good or even more powerful than what credit rating agencies in the country have.
There are regulations that prevent storage and misuse of this data. There are guardrails in place, but these practices need to be sustained on an ongoing basis. Typically, whenever there is a new security initiative, it is implemented with great rigor, but ongoing sustenance and refreshing the program is where things begin to come apart. The safety of data depends on fintechs’ ongoing sustenance practices.
Pallavi: Does the use of Software-as-a-Service (SaaS)-based application increase our cybersecurity risk?
Aniket: SaaS-based applications bring a lot of benefits of fast to go lifelines, being cost effective, lesser overheads for developing and managing the tech stack and just leaving it to the domain experts... But with every new application being added, the attack surface is going to increase.
Whether you host within your enterprise or in a fintech, it is definitely increasing the attack surface. So, diligence is required in the security practices of different techs. Depending on the arrangement, it could either be an independent assurance, as is the practice generally, or the organizations do a review themselves on the security practices.
So far, we have spoken about one organization, either a bank or an NBFC working with one or more fintechs. But from a fintech’s perspective, they are working back with many financial services organizations in the country. If there is a flaw in one of their applications, there could be a systemic risk that is introduced. Imagine if there is a breach at the fintech and a malicious code is injected into one of their applications; it is going to cause a major risk to the financial services ecosystem. So, diligence is required beyond the usual point in time vulnerability assessment requirements that the industry is used to.
Controls around code management or identity access management also need to be looked at. Practices like obtaining software assurance or ISO 27001 certificates should be looked at for increasing their (fintechs’) client’s confidence in their technology, risk, and cybersecurity practice.
Pallavi: What are the current regulations related to the data that fintechs need to consider?
Aniket: Today, fintechs in the country are not directly regulated. There are regulations that are being passed to them via their clients, which could be banks or NBFCs. There are regulations such as the one around data localization, and aspects of card data tokenization, which ultimately have to be implemented at the data element level by the fintechs.
If you look at the card data tokenization specifically, it provides us a benefit as customers from a security standpoint and also limits the cost of compliance for the entire ecosystem.
Initially, there were challenges in implementing these regulations, but gradually, we are reaching a steady state. The fintechs have to live through this journey as well. With their security practices, they have to make sure that they understand, interpret, and stay in close touch with their clients to understand how some of these nuances are to be implemented.
The Data Privacy and Protection Bill will have to be tracked very closely as well. FinTechs will largely be data processors in the data privacy context. The challenge will arise if there is room for interpretation. Different clients of fintechs will come up with their own interpretation and different control requirements. That is something that the fintechs will have to keep in mind. The Reserve Bank of India is also exploring regulation of fintech entities. When that happens, investments will be required to both implement compliance and also to demonstrate compliance on an ongoing basis.
Pallavi: Thank you, Aniket, for sharing all these insights with us and spending the time to let us know the data security challenges in the fintech sector.
Aniket: Thank you so much, Pallavi. It was my pleasure.
Pallavi: Thank you. On that note, we come to the end of this episode, and if you would like us to explore other such topics on data security and privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in and goodbye for now.