Page 54 - Banking Finance February 2025
the data locations. An inventory of the personal data that a bank holds needs to be documented, including aspects such as where the data came from and with whom it may be shared. For effective data management, banks must implement or revisit the following areas:

(a) Data Classification Policy: Formulating a comprehensive Standard Operating Procedure (SOP) for a data classification system to classify data into broad groups like Personal and Non-Personal. Within Personal data, further sub-classification such as "Employee - Non-Employee", "Minor - Adult" etc. needs to be done for recording granular details.

(b) Data Flow Mapping: In the new data protection regime, banks are under an obligation to provide Data Principals access to their personal data and to concede to their requests to withdraw consent etc. Hence, mapping the flow of personal data within the bank to identify potential risks and vulnerabilities is of prime importance.

Consolidating vast amounts of data into a centralized pool would make inventory management easier and compliance with DPDPA more systematic. But such a task is itself a challenge, especially for the bigger banks. This will require a lot of investment in technology and manpower upskilling.

(B) Customer On-Boarding Process

The customer onboarding process followed hitherto will need certain modifications in light of DPDPA. "Consent requirements" as well as "Data Minimization" principles contained in the Act will have to be embedded in the customer information collection and verification process.

Key change areas:
1. Customer onboarding forms must be redesigned to align with data minimization principles and provide clear consent options.
2. A consent management system to record and manage customer consent during onboarding is crucial.
3. Data privacy notices indicating the type of data collected, the purpose of data collected etc., in multiple languages in accordance with DPDPA, will have to be designed.
4. Employees engaged in the customer on-boarding process need to be trained on DPDPA regulations and practices.
5. Investing in data protection technologies, such as unstructured data scanning, encryption, cookie compliance, and access controls, is essential.

(C) Credit Assessment & Risk Management Process

Data minimization and purpose limitation introduced by DPDPA will restrict certain credit assessment practices followed by banks. The policy for use of customer data for risk management purposes will also need to be revisited considering the privacy obligations of DPDPA. Given below are some of the probable implications:

Lean Credit Assessment Models: Credit assessment models may have to be modified. Extra data requirements, if any, will have to be pruned from the existing credit assessment models. Newer models, which rely on fewer data points or incorporate data points from alternative data sources (e.g., behavioral data, data from social media, open banking data etc.), may have to be developed for supplementing traditional methods of credit assessment.

Data Sharing with Credit Bureaus - Another area requiring a relook will be the mechanism for sharing customer data with third-party credit bureaus (CIBIL etc.). Customer consent is obtained at present also for sharing data with credit bureaus, but the consent mechanism as well as the type of data shared needs to be revisited in order to make it DPDPA compliant.

Restricted Data Usage for Risk Management - Risk management is fundamental to banks. At present, banks leverage a large pool of diverse customer-related data for risk assessment purposes. Post DPDPA, the scenario is likely to change. The risk management function will have to ensure that