OVERVIEW
In the digital age, data sharing has emerged as a cornerstone of modern financial ecosystems, enabling a myriad of benefits for consumers, businesses, and regulatory bodies.
As financial transactions and interactions increasingly occur online, the ability to share data seamlessly and securely becomes paramount. Data sharing facilitates enhanced risk management, personalized financial services, and robust fraud detection mechanisms, contributing to a more transparent and efficient financial landscape.
The digitization of financial services has democratized access to financial data, empowering consumers with greater control over their financial information. This transparency fosters trust and enables consumers to make informed financial decisions, ultimately promoting financial literacy and inclusion. Furthermore, data sharing drives innovation by allowing fintech companies to leverage comprehensive datasets to develop innovative products and services tailored to the unique needs of different consumer segments.
The Indian financial sector is on a transformative journey. Technological advancements are reshaping how financial institutions operate, and data is at the heart of this revolution. By leveraging user data, institutions can personalize services, assess risk profiles more accurately, and offer innovative financial products.
This data-driven approach hinges on a critical factor – user trust
In a landscape where financial information is highly sensitive, striking a balance between data utility and user privacy becomes paramount.
This report delves into the user experience with data sharing practices employed by Indian financial institutions. Drawing on a user survey conducted by Silence Laboratories, the report explores the delicate interplay between transparency, control, and user comfort with data sharing. It sheds light on the current state of affairs, unveils user expectations, and proposes solutions to bridge the gap between what is being communicated and how users perceive their control over their financial data.
REPORT HIGHLIGHTS
In India, privacy challenges are complex due to multiple reasons.
LOW LITERACY
in Cyber Risk Literacy Index
States with lower Foundational Literacy Scores
have higher cybercrimes
REGULATORY LAG
Cybersecurity regulatory frameworks falls 40.5x behind high-tech innovators’ infra
INEFFECTIVE CONSENT
Low clarity & control over granular aspects of data sharing terms
Lack of transparency and auditability
All of these problems create a false sense of safety & comfort
High trust in financial institutions and consent based data sharing
Poor risk perception and enhanced
vulnerabilities
Gap between the perceived privacy levels and on ground reality
There is no one stop solution to address the complex privacy challenges.
EDUCATION
Efforts to educate & inform customers about their rights & resources will play a huge role in addressing privacy challenges. However, this requires a long-term timeline to see noticeable impact.
PLACING TRUST IN TECH OVER LEGAL CONTRACTS
Preventing movement or exposure of data and collaborating on inferences to build a foolproof infrastructure that eliminates any risk of misuse or breaches.
Transparency, programmability and auditability to bind data processing with policy, governance and consent.
SURVEY OVERVIEW
The opacity surrounding data collection practices, the lack of user control over how their data is used, and the potential for misuse all contribute to a growing sense of unease amongst users.
Quest for Transparency and Control
The user survey exposes deficiencies in the current state of data sharing practices of Indian financial institutions. While a significant portion of users (80.4%) believe institutions are transparent regarding data sharing, there is a crucial disconnect.
6 terms of data sharing
Purpose of data collection
Duration of data storage
Frequency of data access (or refresh)
Specific data points collected
Parties with whom data might be shared
Options for revoking consent
While most users do not seem to be alarmed by such deficiencies, implementing better controls would lead to higher user satisfaction. A resounding 86.7% of users express a desire for granular control over data sharing, split roughly equally between document level control & data point level control. This disconnect between the desired level of control and the current reality is a cause for concern.
Document level control: Willingness to select the document type (for example - bank statements, Investment statements etc.) to be shared
Datapoint level control: Willingness to share specific elements within a document (such as total balances/credits/debits)
16 out of 20 people (80.4%) think that institutions are transparent about data sharing.
Only 1 out of 20 people (6.6%) actually have control over all aspects of data sharing.
The Comfort Spectrum: Privacy vs. Benefits
The user survey reveals a fascinating spectrum of comfort levels regarding data privacy, with a majority of users being open to sharing data in some way or the other.
Users value clear benefits and are more likely to share data if they understand how it translates to demonstrably improved financial products and services. This finding suggests a potential path forward – a future where informed users are empowered to make conscious choices about their data in exchange for demonstrably valuable services.
Building Trust Through Informed Consent
The report underscores the critical role of user consent in building trust.
ASSURANCE IN CONSENT MECHANISMS
70.5%
70.5% users are assured of their privacy if sharing data via formal consent mechanisms
While some progress has been made in terms of transparency around data sharing, there's a significant gap between what users are told and the control they feel they have over their data. This disconnect, coupled with user concerns about privacy and data minimization, necessitates a paradigm shift in how Indian financial institutions approach data sharing.
When users understand how their data is being used and have a choice in the matter, they feel more secure about their privacy.
CONTEXT
Global data regulations are converging on key principles like user consent, data security, and subject rights, while diverging on specifics like localization and exemptions.
At the same time, open banking is driving financial innovation worldwide.
Overview of Global Regulatory Context
Various countries & regions have implemented regulations aimed at protecting user data & fostering trust in the digital ecosystem, all of which comply with a core set of values.
Lawfulness, fairness, & transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
Overview of Regulatory Milestones in India
An overview of the key steps leading up to the DPDPA
Key Opportunities and Challenges Presented by the Digital Personal Data Protection Act of 2023
India's digital data landscape is undergoing a significant transformation with the recent introduction of the Digital Personal Data Protection Act (DPDPA) of 2023. This legislation aims to establish a framework for handling digital personal data, including user data shared for financial purposes.
The DPDPA enforces stricter user consent for data processing. Financial institutions that rely on user data for credit scoring, fraud prevention, or personalized financial products will need to obtain clear, verifiable consent from users before collecting or processing their data. This empowers users with greater control over their financial information and fosters trust within the financial ecosystem.
Lacks explicit definition of meaningful consent
Vague or pre-checked consent boxes could still disadvantage users, potentially hindering their ability to make informed choices about data sharing.
Lacks transparency for international transfers
The DPDPA loosens restrictions on transferring data to certain government-approved countries. The criteria for approval however remains undisclosed by the Data Protection Board.
Prioritizes user control over security measures
Even with user consent, data breaches can still occur if information security practices by financial institutions remain weak.
Only regulates digitally collected information
Personal information is often collected through physical forms or interactions. Without clear guidelines for offline data, effectiveness across touchpoints remains limited.
Exemptions for government agencies
Exemptions can potentially be misused to access user data without proper oversight. This lack of transparency discourages users from sharing financial information electronically.
Evolution of Data Sharing Practices
Historically, data sharing was limited to within individual institutions or between regulated entities for specific purposes like creditworthiness assessments.
The introduction of regulations like EU's PSD2, UK's open banking initiative and RBI’s Account Aggregator Framework in India enabled data sharing through standardized APIs.
The development of global frameworks and technologies has further standardized and broadened data sharing practices.
Why is Data Sharing important?
Data sharing enhances transparency and trust among consumers and financial institutions, facilitating better financial decision-making.
It supports financial inclusion by enabling access to credit for underserved populations, boosting economic growth, and reducing poverty levels.
Facilitates innovation in financial products and services by allowing fintech companies to leverage data for developing customized solutions.
Current Landscape of Financial Data Sharing
Open Banking
Open banking refers to the practice of allowing third-party financial service providers access to consumer banking, transaction, and other financial data through APIs.
Open Finance
Open finance expands this concept to include a wider range of financial products beyond banking, such as investments, pensions, and insurance.
Open Data
Rest of the data, Retail, transit, social media, health.
Global Adoption of Open Banking/Open Finance
SOURCE: Basel Commitee Member Survey (BCBS), 2024
Comparison among country profiles
Australia
Regulator driven
Centralised through NPP
Decentralised
Multilateral
Voluntary use
Brazil
Regulator driven
Centralised through Pix
Decentralised
Multilateral
Mandatory use
India
Hybrid
Centralised through UPI
Centralised
Multilateral
Voluntary use with strong encouragement
Mexico
Regulator driven
In development
In development
May involve a centralised API hub
Open banking opens competition
Specialist providers are challenging the service of large banks in core areas such as payments, personal banking, & even business banking.
UNBUNDLING OF PERSONAL BANKING
UNBUNDLING OF BUSINESS BANKING
Due to ease of data & context sharing, providers are able to collaborate and build bigger partnerships.
PARTNERSHIPS
Fintech product offerings have also expanded over time, with open banking allowing providers to offer more personalised services.
Lending
Debit Cards
Checking Accounts
Business Services
Stock Trading
Loan Offerings
Small Business Lending
Credit Monitoring
Financial Inclusion
Through data sharing enabled by open banking systems, number of mobile money accounts has seen a meteoric growth propelling financial inclusion.
2001
17 years
to onboard the
first 1B users
2017
2022
Types of consent mechanisms
When analyzing user data sharing practices, it's essential to understand the various types of consent mechanisms available in the market. These mechanisms form the foundation of how data sharing occurs, providing context on the methods used to obtain user consent and the extent of user awareness and control.
HISTORICAL CONTEXT
Consent management initially focused on healthcare, enabling patients to control access to their protected health information (PHI) and affirm participation in e-health initiatives.
EVOLUTION AND BROADER APPLICATION
With the advent of GDPR, consent management expanded to include private information access by various providers (e.g., online advertisers), reflecting similar consent mechanisms in both healthcare and the broader digital landscape as the same logical imperatives were relevant in the digital realm.
Frequently
Opt-in
Informed
Layered
Explicit
These consent mechanisms are highly prevalent, especially in regions with stringent data privacy regulations and industries handling sensitive information, such as finance and healthcare.
Moderately
Opt-out
Revocable
Implied
These mechanisms are commonly used where explicit consent is less practical or where the focus is on maximizing user participation without overwhelming them with too many choices.
Rarely
Broad
Granular
Broad consent is less common, typically seen in research settings where the future use of data may not be fully determined at the time of collection. It is less favored in commercial settings.
While consent lies at the heart of privacy regulations, the report explores the effectiveness of such mechanisms in delivering what they promise, and the need to redesign consent from a privacy perspective
SURVEY FINDINGS
This section presents the key findings of the research survey investigating user perceptions of data sharing practices employed by Indian financial institutions. The analysis is based on data collected from a sample of 1,520 respondents, adhering to the outlined methodology and focusing on the research objectives:
1
Assess user clarity and understanding of data collection practices in the Indian financial sector.
2
Evaluate user comfort levels with the types of data financial institutions collect and how it is used.
3
Analyze user preferences regarding control over data sharing, including consent mechanisms.
4
Investigate the relationship between user trust in financial institutions and their willingness to share data.
User Clarity and Understanding
Overall Clarity: While a significant portion of users (80.4%) reported feeling somewhat or very clear about the general terms of data sharing by financial institutions, the survey revealed a concerning gap in specific details.
Limited Transparency: While 69.7% respondents were clearly communicated the purpose of data collection, other crucial aspects such as the option to revoke the consent were cited as the least clear terms while giving consent to share their data.
Satisfaction: Even though the users initially felt informed about data sharing terms, deep diving into the specifics potentially puts things in perspective, and when later asked about the clarity and transparency of the consent experience, only 67.2% felt satisfied with the process.
What specific parameters of consent were you clearly able to find & understand?
Takeaways
These findings highlight a need for financial institutions to move beyond generic consent forms and prioritize clear communication about specific data practices. Customers need to be made aware of their rights, and consent requests should include all the key terms of data fetch in an easy to read format.
Furthermore, just as important as clear communication is the timing and placement of the consent terms, for example - even though a consent revocation would happen at a later stage, communicating the option to revoke while giving the consent makes the customers aware of their rights.
User Comfort Levels with Data Sharing
Spectrum of Comfort: The survey revealed a fascinating range of user comfort levels with data sharing. While a significant segment (38.8%) prioritized data minimization and only shared the absolute essentials ("Minimalists"), another sizeable group (42.0%) emerged as "Conditional Sharers," open to sharing some data for demonstrably personalized benefits.
Concerns Regarding Data Collection:
73.5%
users felt financial institutions collect more data than demonstrably needed, raising concerns about data minimization practices. Furthermore, the concerns could be heightened by the lack of awareness of the organisations who get access to customer’s data.
52.9%
customers think account aggregators/consent managers too have access to their financial data, whereas account aggregators are inherently data blind. While customers might trust traditional banking institutions, lack of awareness about who accesses the data and limited trust in newer fintechs or NBFCs may lead to customer concerns.
Privacy vs. Benefits Trade-off: Interestingly, despite privacy concerns, a majority (65.7%) were willing to share data for clear and demonstrably valuable benefits, highlighting the potential for user-centric data sharing models.
Spectrum of comfort regarding data privacy
User Preferences for Control Mechanisms
Limited Control Over Existing Data: Similar to the trends in clarity of terms of data sharing, users generally find themselves unable to control some of them, with <45% of them being able to modify the frequency of data access, parties who get access to this data and options for revoking consent.
Desire for Granular Control: In terms of the specificity of the data that is shared with a financial institution, a resounding 86.7% of respondents expressed a strong preference for having at least a document level control. Roughly half of these would in fact want to dive a level further deeper to select the specific data fields which they’d want to share with financial institutions. This finding emphasizes the need for financial institutions to design consent forms that offer granular control options.
Level of Satisfaction: When looking at the level of content across different aspects of the consent process, the satisfaction score for the control aspect of consent (68.4%) is rated lower than ease of navigation & trustworthiness / security. This clearly indicates control as a major pain point of the users when navigating the consent journey, and implies customer empowerment via data control as a tool to increase customer satisfaction.
Trust and Willingness to Share Data
The Role of Consent: Users have assurance in sharing their financial data if formal consent mechanisms are used, highlighting the power of informed consent in building trust and empowering users.
Understanding of privacy: Users also seem to associate privacy with security measures and consent mechanisms. When asked about their best understanding of privacy, strong security practices to prevent unauthorized access ranked highest with 29.1% respondents choosing this option, closely followed by clear consent mechanisms (27.0%).
What is your best understanding of privacy?
This misdirected association possibly instills a false sense of assurance when sharing data with proper consent and security practices. However, users need to be made aware that privacy can’t be guaranteed even with the existence of these practices.
Is User Confidence in Data Sharing & Security Justified?
Data Breaches: The Next Big Threat to Business
83%
of organizations faced more than one data breach in 2022
13.5%
higher audit fees for breached companies
$5.4B
mean market cap loss for publicly traded companies after a data breach
$4.35M
Global average cost of a data breach in 2022
IBM
80%
of impacted consumers are likely to stop doing business with a company after a cyberattack
$9.5Tr
expected losses due to cyber crime in 2024
Case Study: Estonia
Estonia faced a major cyberattack in 2007 despite being a leader in digital governance. DDoS attacks targeted critical infrastructure, including banks, government websites, and media outlets. The attacks were largely attributed to Russian cyber forces.
Paralyzed digital infrastructure
Catalyzed a shift in cybersecurity posture
Widespread disruption
Accelerated investments in cybersecurity infrastructure and human capital
Financial losses
Established the Cyber Emergency Response Team (CERT-EE)
Reputation damage as a secure digital nation
Enhanced international cooperation
The cyberattack highlighted the need for robust cybersecurity measures, technology, human capital, and international collaboration, even for digitally advanced nations.
>70%
of users feel secure about sharing data with financial institutions
1.3M+
cyber-attacks reported in the financial sector, with over 7,400 Crore INR in losses
How can user confidence be so high when the actual digital landscape is seeing an alarming rise in risks
UNDERSTANDING THE GAPS
The first edition of the Index ranks 50 geographies, including the European Union as a population-weighted aggregate of our ranked EU geographies. The Index, developed through consultations with policy, industry, and academic experts, leverages 42 aggregated indicators across 32 objectives that contribute to scoring 9 “pillars” of cyber risk literacy and education.
They in turn fall under five key drivers of cyber risk literacy and education:
Public motivation
Measures the population’s commitment to practicing cybersecurity, including metrics such as the rate of adherence to specific safe cyber practices
Government policy
Evaluates government policies to improve cyber risk literacy and education, including evaluation of metrics that assess the geography’s national cybersecurity strategy.
Educational system
Measures the extent to which cyber risk instruction is encouraged or mandated, includes metrics that assess primary and secondary school curricula;
Labor market
Measures the degree to which employers drive demand for cyber literacy skills, including metrics such as the uptake of cybersecurity-related roles and the number of cybersecurity startups
Population inclusivity
Measures degree of equal access to digital technologies and formal education in a geography, including metrics such as Internet access and school completion rates.
Unveiling Blind Spots in Indian User Awareness:
Perception vs. Reality in Financial Data Sharing
State/UT wise details of Citizen Financial Cyber Fraud Reporting Management System during the period 1.1.2023 to 31.12.2023
This was stated by the Minister of State for Home Affairs, Shri Ajay Kumar Mishra in a written reply to a question in the Lok Sabha. View press release
Inferences from Comparative Study: Survey Insights vs Cybercrime Stats
User Confidence
Rooted in trust built by legacy institutions over time
Based on brand value and perceived reliability of institutions with a long history of customer service
Emerging Issues
Increasing incidents of cyber financial crimes
Trust may be misplaced or overly optimistic
Users remain unaware of contemporary risks despite digital growth benefits
Necessary Actions
Identify and address factors contributing to the disparity between perception and reality
Enhance user awareness
Improve institutional accountability
Cyber Risk Literacy and Cyber Risk Awareness Across India: A Comparative Analysis of FLN Scores and Reported Cyber financial Crimes
In this section, we will explore how consumer perception and awareness, correlated with foundational literacy scores, demonstrate that higher literacy reduces vulnerability to cybercrime.They in turn fall under five key drivers of cyber risk literacy and education:
Why FLN Scores?
Public Motivation & Education System
Cyber risk literacy is deeply tied to public motivation and the education system.
A strong foundational literacy and numeracy (FLN) foundation equips individuals with the critical thinking skills needed to navigate cyber risks.
Prioritizing Education Systems
Countries that prioritize quantitative topics in their education systems tend to have higher cyber risk literacy.
Oliver Wyman Forum findings indicate that effective cyber risk education is rooted in strong foundational literacy
Weightage and Influence
Public Motivation (30%), Educational System (20%), and Government Policy (25%) cumulatively contribute to 75% of the overall index score.
The insights in Oliver Wyman Report indicate that Strong policy-driven education systems improve public motivation with respect to navigating cyber security risks.
Therefore, using FLN scores as a proxy for cyber risk literacy in the Indian Context is justified by the strong link between foundational education and cyber risk understanding.
Category wise ranking - Index on Foundational Literacy and Numeracy
Tap on a state to see details.
Key Findings:
Bihar & Uttar Pradesh have low FLN scores.
BIHAR
36.81
UTTAR PRADESH
38.46
TOTAL COMPLAINTS
239,576
AVERAGE COMPLAINTS
119,788
TOTAL AMOUNT
Rs 964.35 Crores
These states have the lowest FLN scores and report the highest number of cyber financial complaints and significant amounts of fraud, indicating higher vulnerability.
West Bengal and Kerala have high FLN scores.
WEST BENGAL
58.95
KERALA
67.95
TOTAL COMPLAINTS
53,561
AVERAGE COMPLAINTS
26,780
TOTAL AMOUNT
Rs 449.13 Crores
These states have high FLN scores and report fewer complaints and lower amounts of fraud, suggesting better resilience against cyber financial crimes.
The analysis underscores the significant correlation between foundational literacy and Cyber Risk Literacy, which directly impacts the vulnerability to cyber financial crimes. States with higher foundational literacy scores are less susceptible to such threats.
Clear communication, assurances of data deletion upon request, and education about customer rights significantly enhance trust in financial institutions
64%
customers have an increased trust in the companies which provide clear information
>70%
customers have an increased trust in the companies which provide clear information
IBM
Only 41%
organisations mentioned data principal rights
43%
organisations do not provide well-defined purposes for which personal data is shared with data processors for processing
The six dimensions of trust
India’s Account Aggregator (AA) ecosystem, often referred to as the UPI of data, is gaining significant traction. With 1.1 billion AA-enabled accounts and over 2.05 million users voluntarily sharing their financial data, the potential for AA is enormous. Current penetration is at 0.2%, but the annual transaction volume is expected to reach 1 billion by 2025 and 5 billion by 2027, according to Sahamati.
To ensure trust and sustainability, AAs must integrate the six dimensions of trust:
Security
Accountability
Transparency
Auditability
Fairness
Ethics
As AA volumes soar, incorporating these six dimensions of trust is essential. Addressing the gaps identified in Silence Laboratories’ survey around privacy, transparency, and auditability of consent mechanisms would be crucial for sustainable and secure growth.
Risks of Ignoring Cybersecurity and Cyber Risk Literacy in India's Financial Hypergrowth
The table below draws a parallel between the challenges faced in achieving financial inclusion and those currently hindering financial data privacy. Just as technological solutions like UPI and Aadhaar successfully addressed barriers to financial inclusion, adopting Privacy Enhancing Technologies (PETs) could similarly tackle the challenges in data privacy, ensuring a secure and resilient digital ecosystem.
Supply and Demand Side Challenges
Low literacy and lack of collateral
Absence of a universal identity solution for all citizens, regardless of educational background
Trust issues while transacting with digital money
Low cyber risk literacy
Awareness gaps of new age risks
Absence of cybersecurity solutions accessible to all citizens, irrespective of their level of cyber literacy
Regulatory Hurdles
Stringent bank requirements
Difficult onboarding
Complex data protection needs
Rising cybercrimes
Technological Solutions
UPI and Sahamati platforms
UIDAI (Aadhaar) for uniform identity
Privacy Enhancing Technologies (PETs)
Transparent, auditable & programmable consent
Impact
Easy onboarding
Access to safe credit and savings
Secure financial data
Resilient digital infrastructure
The Cost of Delaying Tech Adoption
Consider the impact if UPI and Aadhaar had been delayed—India’s rapid economic growth might not have materialized at the same scale. UPI alone has saved the Indian economy approximately $67 billion since 2016. A delay could have cost the nation billions, potentially stalling its rise to the 5th largest economy by 2022.
Similarly, Privacy Enhancing Technologies (PETs) are crucial for addressing current data privacy challenges. However, delays in their adoption could lead to escalating economic losses due to rising cybercrimes, which already resulted in over 1.14 million attacks and 7400 Crores INR in losses in the financial sector alone.
Interconnected Risks in a Hyperconnected World
A report by WEF suggests that, In our interconnected digital world, the risks posed by cyber threats are amplified. Unlike biological viruses, cyber viruses are more potent, spreading rapidly and uncontrollably. For instance, while COVID-19’s R0 is between two and three, the R0 for cyberattacks can exceed 27. The 2017 WannaCry attack crippled over 200,000 computers across 150 countries in a single day.
If not addressed urgently, these cyber threats could trigger a domino effect, compromising critical growth engines like UPI and Open Banking as financial crimes scale from targeting individuals to threatening entire institutions and sovereign infrastructure.
Estimated Regulatory Lag in Cyber Risk Regulation & Awareness Across Countries
Understanding Factors Influencing Cyber Risk Regulation
Government Policy
SUPPLY SIDE
DIRECT IMPACT
Government policies directly set the regulatory framework for cybersecurity.
The speed and effectiveness of these policies directly influence regulatory lag.
Educational System
SUPPLY SIDE
INDIRECT IMPACT
Integrates cyber risk literacy into formal education.
Produces knowledgeable individuals who advocate for stronger, timely regulations, indirectly reducing regulatory lag.
Labor Market
SUPPLY SIDE
INDIRECT IMPACT
Measures employer demand for cybersecurity skills.
High demand highlights the need for up-to-date regulations to protect businesses, indirectly influencing regulatory speed.
Public Motivation
DEMAND SIDE
INDIRECT IMPACT
Reflects public awareness and proactive behavior towards cybersecurity.
High public demand can push governments to expedite regulatory updates, indirectly reducing regulatory lag.
Population Inclusivity
DEMAND SIDE
INDIRECT IMPACT
Ensures equal access to digital technologies and education.
Inclusive policies ensure all demographics are considered in regulations, indirectly reducing lag by addressing comprehensive needs.
Estimating regulatory gaps
High Tech Business Vs US Government
9x regulatory gap
In 2011, Eric Schmidt, then CEO of Google, echoed former Intel CEO Andy Grove’s sentiment, highlighting a critical challenge:
"High tech runs three times faster than normal businesses, and the government runs three times slower than normal businesses. So we have a nine-times gap.”
Schmidt’s perspective underscores a fundamental issue—technology advancements occur at a pace that far outstrips the ability of regulatory frameworks to keep up. Google, recognizing this discrepancy, sought to shield itself from the sluggish pace of democratic institutions
The Indian Context
Based on Andy Grove's formula, if advanced countries like USA experience a 9x regulatory lag, then India, which ranks 45th in cyber risk literacy, would experience a regulatory lag proportion of 40.5 x. This disparity is not just a multiple of the difference in rankings but also reflects the compounded effect of lower public motivation, weaker government policy, less effective educational systems, a less responsive labor market, and lower population inclusivity.
% of financial regulators seeking a solution but not planned yet
Interdepartmental data
(e.g. stacking market conduct supervision data with prudential supervision data)
43%
Cross-entity analytics
stacking multiple data sources
43%
Alternative dispute resolution
37%
Detect algorithmic bias/error
37%
Terms and conditions, privacy policy, and consent management data
34%
Causes of the mismatch in demand and supply of RegTech /SupTech
There is a significant disconnect between financial authorities and technology innovators regarding the development and implementation of RegTech (Regulatory Technology) and SupTech (Supervisory Technology) solutions. This mismatch stems from various challenges faced by both parties as illustrated in the figure.
Unaware of solutions that are available or how to find them
Not aware of demands or needs of financial authorities
Lack resources, advice, or technical assistance
May perceive regtech for regulators as too small a market
Legacy or non-existent IT systems & processes
Discouraged by burdensome processes
Unable to express their needs to vendors in an easily understandable way
Lack of clarity on technical parameters & requirements
Limited collaboration across departments & agencies to share tools & data
Not accustomed to engaging with financial authorities
Regulatory Lag & the role of PETs
Based on Andy Grove’s formula and cyber risk literacy rankings, advanced countries like the USA experience a 9 x regulatory lag, while India faces a 40.5 x lag due to lower cyber risk literacy.
With increasing demand for personalised services and the recent introduction of DPDP Act in India, businesses struggle in managing regulatory requirements, and may inadvertently attract penalties for non-compliance.
Some ways to ensure compliance include
Regulators should communicate clear interpretation of laws and actionable steps for businesses
Advocacy of privacy based technologies and “privacy by design” by regulatory bodies
Adoption of RegTech and SupTech solutions by businesses to ensure compliance
The onus of compliance should not be blindly placed on trust between organisations or legal agreements, but by embedding policy as a code. Such programmability could be enabled by Privacy Enhancing Technologies (PETs), cryptographic tools which can unlock collaboration on siloed data, ensuring privacy and compliance with regulatory requirements
BRIDGING THE GAPS
The research highlights the inadequacy of simply informing users about data sharing practices. Instead, financial institutions need to move towards a model that empowers users with genuine control over their data. This shift can be achieved through clear and concise communication, offering granular consent options, and providing user-friendly tools for managing data access and revoking consent.
CLEAR, EXPLICIT, AND GRANULAR CONSENT
Empowering users with refined understanding & control over what data is shared and for what purpose through detailed yet lucid consent notices and forms at the time of signup
TRANSPARENCY BEYOND CONSENT
Providing unambiguous, sincere, and proactive communication about terms of data collection, storage, and usage including details of data sharing, duration of storage, and access procedures
EASY-TO-ACCESS CONTROL OPTIONS
Providing readily-available user-friendly mechanisms for revoking consent and conveniently managing data access whenever they desire
DEMONSTRATING VALUE
Illustrating and exemplifying clearly how more collected data translates to better products and services through distinctly enhanced user experience
PARTICIPATIVE DECISION-MAKING
Continuously interacting with users, keeping them informed of changes, eliciting & incorporating their opinion, & fostering a dialectical developmental ecosystem
Customer education
A cornerstone to building trust
The user-centric approach begins with the education of the customer
What are the rights which they have, and how can they exercise them
How privacy differs from consent mechanisms
or security measures, and its relevance for them
What terms of data sharing should they look out for, and the importance of control over their data
Marrying consent with compute
From contractual trust to mathematical guarantees
Prevention of data misuse is key to building customer trust. Consent given for a particular purpose should ensure data is being processed for the same, and provide verifiable mechanisms to audit as well. However, trust on third parties or legal contracts should not simply alleviate privacy concerns. Instead, the ability to only process what is consented should be programmed in the consent mechanisms.
Leveraging Technology
Secure and Transparent Data Sharing
Technological advancements offer powerful tools to ensure secure and transparent data processing practices. Privacy-preserving technologies like Multi-Party Computation (MPC) can unlock data-driven insights without compromising user privacy. Ensuring zero movement of data in its raw form and eliminating the risk of single point of failure enabled by such technologies could revolutionize collaborations with utmost respect to privacy.
CONCLUSION
Building a secure, streamlined, synergistic, and sustainable financial data sharing ecosystem is a shared responsibility, requiring collaborative effort from all stakeholders.
Financial institutions must prioritize transparency, provide user-centric control mechanisms, and utilize privacy-preserving technologies. Regulatory bodies need to establish a balanced framework that facilitates innovation while safeguarding privacy and other user rights. Finally, user education efforts are crucial to empower individuals to understand their data rights, develop a keen sense of discernment for data sharing, and make informed decisions about their data.
Although the aforementioned insights were derived in the context of financial institutions, they also broadly capture key general trends in user attitudes which would be of relevance to any industry. Industries must move beyond merely informing users about data sharing to empowering them with genuine control.
Observing the distinction and interrelationship between privacy, security, consent and control in thought,
communication, and practice would benefit all stakeholders and enable the world’s most populous country to harness the full potential of data, the fuel of the future.
