[Parth is a student at National Law School of India University.]
This article discusses the policy surrounding the National Financial Information Registry (NFIR) that was mooted in the Annual Budget speech by Finance Minister Nirmala Sitharaman in February 2023. The aims and implications of the policy are highly significant for credit lending and financial inclusion, and it is surely poised to cause a buzz in the finance world once the draft of the policy is released.
As the nature of the policy suggests, data lies at its core, and at a large scale. The Digital Personal Data Protection Act 2023 (DPDPA) has recently been enacted and has become the relevant law governing data protection in India. Its enactment is bound to have crucial impacts on the policy and implementation of the NFIR. This article analyses the broader idea of the NFIR by examining its framework and tests it on the touchstone of the DPDPA to gauge how it would fare and which potential challenges would need to be considered in framing the policy.
This article first details the foundations of the NFIR, including its conceptual underpinnings, policy implications and potential scope. It then examines how the provisions of the DPDPA impact the framework and implementation of the NFIR. It also makes suggestions for the efficient implementation of the policy. It concludes with a brief take on how the policy works to the benefit of the financial health of the country.
Laying Down the NFIR Framework: Appraisal of the Policy
The NFIR is a database that the Reserve Bank of India (RBI) is planning to set up, as mentioned in the Annual Budget in February 2023, to collate credit and ancillary information that relates to determining the credit-worthiness of an entity. The RBI Governor claims that it will enable lenders to avail a “360-degree” perspective to determine the credit-worthiness of potential borrowers. The registry is intended to facilitate the framing of better macro policies, promote financial inclusion and efficient credit flow, and create financial stability. Therefore, it is a boon to the credit landscape of the country.
The NFIR has also been termed an ‘old wine in a new bottle’ version of the Public Credit Registry (PCR), which was announced by the RBI in 2018 and had a framework akin to the NFIR. However, not much was accomplished on that front apart from a report by the High Level Task Force.
Under the planned framework, data cannot be used for the purposes of the registry unless the entity whose data is being provided consents to that use, which acts as a blanket prohibition. Since the registry follows a pattern similar to the DPDPA in empowering the data principal (DP), which is the entity providing its data, it is pertinent to examine how the provisions of the DPDPA may have significant implications for it.
Impact of the DPDP 2023 on the NFIR Framework and Other Issues
To understand the overlap between the NFIR and the DPDPA, it is crucial to examine the consent acquisition policy of the framework and the implications of the DPDPA. As mentioned above, according to the RBI statement, the entities would hold the right to give permission to provide their data. Section 4(1)(a) of the DPDPA lays down that only the data which has been consented to by the DP can be processed by the data fiduciary (DF). Moreover, under Section 6(4), the DP also reserves the right to withdraw the data provided to the DF at any time. This can be detrimental to the maintenance of the NFIR, as will be established below.
The logic behind the NFIR is that it will function as a registry that will be a repository of credit and ancillary information such as corporate balance sheet information, tax information, utility bill payment information, etc. This gives stakeholders such as lenders a constant dataset with which to gauge credit trends, since the registry exists to provide an appropriate understanding of the risk associated with activities such as lending to the entities in the dataset. However, if the DP decides to withdraw some part of his data or all his data, this will strike at the purpose of the registry, since a registry has utility only if data is stored in it for a long period of time. The lack of a constant dataset would allow the information asymmetry to persist.
Further, the government cannot assume the consent of the DP, i.e., the entities participating in the NFIR. This is because the substantive content of Section 7 of the DPDPA has been altered from the Digital Personal Data Protection Bill 2022. Previously, in the 2022 bill, the equivalent provision was ‘deemed consent’ in Section 8, where the consent of the DP was assumed in certain circumstances, such as for the performance of any function under any law. However, in the DPDPA, the provision is termed ‘certain legitimate uses’ without any deeming of consent.
The interpretation of the section as given in the DPDPA has posed some ambiguity, as has been read by certain eminent legal practices. However, if the provision is plainly interpreted, it implies that the government cannot assume consent for certain situations as it did in the 2022 bill. This makes it favourable for DPs to control their data themselves and also to withdraw it at their discretion. Consequently, when applied to the NFIR, it dilutes the utility that the registry could have had otherwise.
This issue is accentuated by Section 8(7)(a) and (b) of the DPDPA, wherein the DF is mandated to erase the data provided by the DP, or cause the data processor to erase it, unless its retention is necessary to comply with any law that is in force. Therefore, unless there is such a law, the DF, i.e., the NFIR in this case, would not be able to retain the data, which will defeat the purpose of the NFIR, which is to provide information to further predictability.
Moreover, if this is allowed to happen, the purpose of the project would be negated due to the effectiveness of alternatives such as the account aggregator (AA) framework. In the AA framework, the consent requirements are the same as those mentioned in the DPDPA, and credit is not provided unless the borrower provides consent for the data requirements to avail the credit. This indirectly serves a similar function to the NFIR, i.e., providing all the necessary information to the service provider, without having to collect data in a registry format. Having a suitable policy for the NFIR is therefore necessary.
Therefore, for the practical utility of the NFIR to prevail, there would need to be a provision in the legislative enactment backing the NFIR. This provision would have to require the DP providing the data to keep it within the registry for a certain period, so that the credit institutions have a better dataset with which to set interest rates and study the credit-worthiness of entities (trend analysis). This can be facilitated under Section 7(c) and (d) of the DPDPA, which allows the DF to process data for the state or any of its instrumentalities to fulfill any function if there is any law in force at the time in India that mandates the same. This solution can be made better by making allowances for anonymizing the data provided, so that it can be used for the purpose of trend analysis without compromising privacy. However, this being a predominantly technical solution, it is difficult to comment upon its viability as compared to a legislative solution, although it is desirable.
The second element deals with the compliance burden. The DPDPA places a heavy compliance burden on DFs, and especially on significant DFs under Section 10, in the form of providing notices, obtaining granular consent, having complex security systems in place, appointing data officers, conducting regular data audits, etc. This leads to the inference that the compliance burden on the state for the implementation of the NFIR is going to be quite high, since the state is a DF, which can be implied from a combined reading of Section 2(i) and (s), and can also potentially be classified as a significant DF. Therefore, it becomes imperative that, while framing the policy, the RBI takes into consideration the compliance burden that will have to be adhered to with the setting up of the repository.
The third front which warrants the attention of the RBI is the cyber security of the data stored in the registry. The data comprises credit and ancillary information, which is a highly sensitive form of data. Moreover, India has in the last couple of years been subjected to a number of malware and ransomware attacks, possibly by hostile neighboring countries, with several of them targeted at databases. This poses a serious threat to the sensitive data that the NFIR would contain. Therefore, bringing in extensive provisions that set a high threshold of security to be maintained by the registry is imperative to foster resilience, as provided in Section 8(4) and (5) of the DPDPA. These can be emulated from the guidelines framed for the AA system and also the recommendations given in the high-level task force report on PCR. These frameworks also face a similarly considerable threat, since their infrastructure and the information they retain are sensitive and they also carry the information for other financial services.
These three fronts are in addition to the inherent factors that need to be deliberated for the legislative enactment backing the NFIR. These factors relate to the various elements of the framework, including the uniqueness of the registry as compared to other data repositories, the extent of ‘ancillary information’ that will be stored in the registry, the types of entities covered by the registry, the potential sources of this data, the extent of access to the information provided, etc. It is crucial to determine these factors as they play an integral role in how the NFIR impacts businesses and the economic situation of the country. However, since the scope of this article is restricted to testing the application of the DPDPA, the article does not dig deeper into these issues.
Conclusion: The Way Forward
This analysis essentially boils down to two elements: first, how the NFIR would fare under the newly passed DPDPA, and second, the inherent considerations of the policy. By providing crucial inputs to the policy of the NFIR, the article has aimed to aid in shaping the policy to suit the interests of the maximum number of stakeholders and the business that would be generated from putting this system in place. The successful implementation of the policy is fundamental, since it has the potential to improve India’s credit landscape manifold and will stand the financial health of the country in good stead.