It has dawned on banks that they need to tap the innovative capabilities of financial technology (fintech) start-ups to stay competitive. They are opening up their systems, or core banking platforms, for plug-ins with fintech players. The banks claim its helping them expand the financial services network and incubating new set of capabilities for lenders. Still, the marriage of convenience comes with its set of challenges. Increasingly, data security concerns and privacy issues are coming to the fore. A lax regulatory environment for third party system developers, particularly fintechs, is accentuating the concerns. The Reserve Bank of India, the banking regulator, is also worried.
"This is again a potential area where we have an opportunity to engage with fintechs that focus on machine learning, pattern matching, fraud detection and creating a more intelligent framework to detect anomalies and prevent any potential misuse," says Ritesh Pai, Chief Digital Officer at YES Bank. YES Fintech, YES Bank's business accelerator programme for fintech start-ups, is also experimenting with biometric solutions to prevent frauds while creating a seamless KYC and customer on-boarding, and adopting digital signature and AI technology for identification, background checks and forgery detection.
When a bank incubates a fintech company or a new initiative, fitting the start-up culture into its processes is a bit of a challenge. "Embedding a different culture company into the existing company is a big task and then there is the technology aspect. So, you are marrying a new technology with a settled logistics system," says Kartik Shinde of EY. Besides, a bank is a regulated entity and is held responsible for any compliance related issues in the new integrated system. Vivek Belgavi, Partner & Leader - Fintech at PwC India, puts security and privacy concerns from a bank's perspective into four categories - Data privacy and ownership; business continuity, particularly when the start-up winds down; cyber security related controls; and regulatory compliance as in some situations the liability lies with the bank.
With several banks incubating fintech start-ups in recent times, India has emerged as a leader in fintech revolution. "If you see the scenario outside India, no country has gone to this level of financial inclusion or fintech revolution and system integration," says Kartik Shinde, Partner, Cyber Security, EY. Today, a customer is able to open a bank account in a matter of a few minutes - only a fingerprint identification is needed and the KYC is done, without needing a slew of documents.
The RBI had stated in April 2018 that the new KYC guidelines making Aadhaar mandatory are subject to the final decision of the Supreme Court on the issue. "Aadhaar- based KYC is definitely a boon to onboard customers seamlessly, and I believe it will go a long way in improving customer experience as far as financial services are concerned," says Pai. But with the gigantic amount of private and confidential data amassed in one database, it can be understood why privacy concerns continue to dog Aadhaar and the Unique Identification Authority of India (UIDAI), the body that established it.
While experts are unanimous that there is need for expanding the scope of existing regulations for ensuring data protection and guarding privacy of individuals, particularly the IT Act of 2000, Shinde vouches for European Union's (EU) General Data Protection Regulation (GDPR) kind of a framework. "In India, data privacy has never been an issue and we are okay with giving out our phone number, even to a stranger," says Shinde. Today, many organisations, including banks, seek a lot of personal information from customers that is not required, largely because there is no law that prohibits it. In the EU, the GDPR will ensure data protection and privacy for all individuals and violation of its provisions comes with severe penalties of up to 4 per cent of worldwide turnover or 20 million euro, whichever is higher.
Certainly, India is not the leader in terms of fintech regulation - it is still in its infancy in India - despite initiating the process a couple of years' back. Monetary Authority of Singapore (MAS) and the Financial Conduct Authority, UK are ahead in this space. The RBI set up the Reserve Bank Information Technology Pvt Ltd (ReBIT) last year to take care of its IT requirements, including the cyber security needs of the bank and its regulated entities. Meanwhile, in terms of convenience, Aadhaar beats traditional paper-based and manual KYC model for banks. However, security and privacy concerns cannot be brushed aside.
Over a period of time, all security and privacy issues could get resolved and a robust financial ecosystem will come into being but it is still work in progress in India.