Threat Or Opportunity? Fintech Firms Eye India’s Attempt To Share Non-Personal Data

A government panel has said that non-personal data sharing above certain thresholds could be made mandatory. What does this mean?

A close-up of coloured fiber optic data cables. (Photographer: Andrey Rudakov/Bloomberg)
A close-up of coloured fiber optic data cables. (Photographer: Andrey Rudakov/Bloomberg)

Payment companies and fintech firms are closely watching a potential change in regulations governing non-personal data, with some seeing it as a potential threat to business models while others are hoping that it will open up new business opportunities.

A government-appointed panel, which submitted its report last month, made a case for regulation of non-personal data. The panel, headed by Infosys Ltd. co-founder Kris Gopalakrishnan, recommended that the government create an ecosystem of new institutions to manage and store non-personal data. It has also recommended the creation of data sharing market.

Non-personal data is defined as any data without personally identifiable information or data that is not defined under the Personal Data Protection Bill, 2019.

Where the report becomes contentious is in its suggestion that companies will have to register themselves as data businesses, and if they collect or process data above a certain threshold, they can be mandated to share their meta-data with others through data custodians and data trusts.

Is It A Threat?

This suggestion has sparked a debate on the potential impact on financial services firms, which hold a wealth of customer data.

For instance, card companies such as Mastercard Inc. and payment companies like PhonePe hold a wealth of data collected from their consumers and merchants. They use this to offer cashbacks, merchant discounts, loans and other marketing purposes.

If access to this data is opened up, it could hurt an organisation’s competitive advantage, said Ashutosh Chadha, vice president for public policy for South Asia at Mastercard.

For example, if data collected from an organisation is given to its competitor without consideration, it can impact the bottomline. Similarly in the long term, it could lead to reduced innovation and possibly even flight of capital if the framework is applied as is.
Ashutosh Chadha, Vice President - Public Policy For South Asia, Mastercard

The head of a fintech lending company, who spoke on condition of anonymity, explained that fintech firms collect data, beyond just basic financial information. Some of this is unique to their business and credit underwriting model.

Under a data-sharing regime, competitors of the company may seek the aggregated and anonymised data and therefore could replicate the underwriting model, this person said. If we had to share these non-financial alternative data sets, which are unique to our business, we would lose our competitive edge, this person added.

Sameer Nigam, founder and chief executive officer at PhonePe, argued that in a data sharing market, as proposed in the report, the odds could be stacked against startups and in favour of big companies because they will always be able to spend more.

“What sets you apart is the products you put out based on your market intelligence and your ability to differentiate, your ability to market and distribute effectively and using the data to deliver better products and more personalized experiences,” he said at a round-table discussion on Aug. 7, organised by MediaNama on the NPD report. Nigam said he fears suggestions of the committee would have a chilling effect on investments in Indian startups because big tech would have the capital to buy any startup’s data and add it to their existing cheap distribution advantage. Nigam was speaking in his personal capacity.

Or Is It An Opportunity?

Not everyone sees the committee’s suggestions as a threat.

“A lot of things in the fintech world are working towards creating more democratic infrastructure, by allowing new entities like data trusts, governed by rules and protocols, to share data,” said Meghna Suryakumar, founder of Crediwatch, a credit intelligence platform. “As an alternative data company we could gain access to more non personal data about borrowers and provide a better and more informed risk scores to lenders.”

Harshvardhan Lunia, co-founder and chief executive officer of LendingKart agreed. While startups and companies will need to figure out how to use data and design products, the move is a step in the right direction, he said.

If I have five types of data and another company has 50 types of data about their borrowers, the government’s aim is to ensure that through data sharing the ecosystem develops better products. It can be a huge opportunity for fintechs to build better products provided there is a level playing field.
Harshvardhan Lunia, CEO, LendingKart

Grey Areas

Financial services executives that BloombergQuint spoke to also highlighted that in most cases fintechs and banks would have ‘mixed databases’, where both personal and non-personal data is available together. As such, the first step would be to clean-up existing databases to comply with the proposed regulations.

“The report assumes that companies are capable of sharing data with the outside world as today at the most they share data with their partners and vendors,” said Sameer Anja and Shivangi Nadkarni, co-founders of Arrka, a data privacy and information security solutions provider. “Organisations do not store the data and meta-data separately and they may not have the capabilities,”

There’s also a potential conflict that may emerge between intellectual property right and such data sharing.

According to Arun Prabhu, partner at Cyril Amarchand Mangaldas, protection as intellectual property is fairly fragile and may apply to specific expressions rather than the data itself.

“The bigger concern may be inconsistency between directions from sectoral regulators and the NPD authority. While the two are notionally required to consult and align, given the rapidly evolving ability of competitors and bad actors to extract sensitive inferences from broad based data sets, regulated entities may find themselves in breach of sectoral obligations including confidentiality and fiduciary obligations by sharing “non personal” data.” he said.