Most people seem oblivious to the potential threat of financial data theft and its extent. Till some time ago, financial transactions were limited to physical counters, which left little scope for financial frauds. But now, more people than ever are banking and making payments online. The pandemic has further accelerated the shift from physical to digital payments. The rise of fintech companies has also aided this surge. According to data from the Reserve Bank of India (RBI), the share of digital payments in total payments increased to 96.32 per cent at the end of FY22 from 95.4 per cent in FY20. The RBI Digital Payments Index, which tracks digital payments, was up 29.08 per cent, to reach an all-time high of 349.3 points in March 2022 from 270.59 points a year ago. With the exponential rise in the number of digital transactions, however, the threat of cyber frauds compromising your financial data has also jumped manifold.
From hacking to stealing, crooks have found innovative ways to defraud the public—through system malfunction, accidental release or not following security procedures. Any of these can expose your financial data. And it is not just the common man who faces the threat, as even celebrities like actors Rajkummar Rao and Sunny Leone have recently become victims of such frauds. It shows how susceptible the system is to breaches. Loans were taken out in their name using their KYC details, even though they had never applied for them. Though the amounts were small, it impacted their credit scores. This is just the tip of the iceberg, as these cases were the ones reported in the media. There are thousands of such incidents that are never reported.
According to RBI data, India witnessed banking frauds worth nearly `5 lakh crore in the past five years—at more than `100 crore a day on average. Out of this, card and internet frauds account for nearly `155 crore or 0.2 per cent. The amounts of money defrauded in such cases may not be huge but the volume of such breaches is enormous. As such, the risk of impending abuse of your financial data is huge—and that’s the reason why there are rich pickings for hackers in accessing such information. Incidentally, cybersecurity researcher Rajshekhar Rajaharia highlighted in December 2020 that personal data of 7 million credit- and debit card holders were reported to be compromised in India. Similarly, a threat actor known as AW Cards published a data leak containing details of around one million stolen credit cards on the dark web in 2021.
In such a situation, where financial services and tech are being integrated at a fast pace to serve a huge market like India’s, the biggest challenge is to secure online transactions and the users’ financial data. So, how do the authorities regulate this space?
Currently, Section 43A of the Information Technology Act, 2000, and the Information Technology Rules, 2011, provide safeguards for sensitive personal data. They also provide for compensation to be paid to the affected users by the corporate body responsible for the failure to protect sensitive personal information that may cause loss to any person. Information Technology Minister Ashwini Vaishnaw, at the recently-concluded Business Today India@100 conclave expressed the hope that he would soon present a revised and comprehensive personal data protection Bill that “will fit well into the legal framework”.
In that backdrop, regulators have recently introduced a few steps to add additional layers of protection to secure your financial data.
Account Aggregators
To counter the lingering fear of your financial data being misused by bad elements, the RBI, in September 2021, introduced the concept of the Account Aggregator (AA) network. It is a data-sharing system that is required for making investments or accessing credit, among other financial services. As a consumer, you can decide whom to share your data with. It also gives you the power to decide the duration of the consent along with the ability to withdraw it. You would be able to manage all consents on the AA dashboard, which acts as a conduit for the data flowing from one end to another. Experts say it drastically reduces the chance of financial fraud compared to the offline process, where documents can be faked and misused, as data available with AAs is encrypted.
For using the service, users have to open an account with an AA and link their various accounts such as savings accounts, FDs, or investment schemes. Usually, a unique identifier, such as your phone number, links these various accounts. “Using the identifier, the AA can fetch your information from your account with an OTP verification. The AA doesn’t store all this data on its server. Its job is to manage the flow of the data from the source to the seeker. When you apply for a loan, the lender can seek your data via the AA. With your consent, the AA will fetch your data such as bank statements and share it with the lender. This happens digitally. Consider the amount of time and costs this will cut down at scale when you don’t need to move photocopied proofs from Point A to Point B,” says Adhil Shetty, CEO of BankBazaar.com. Other forms of service providers, such as insurance and mutual funds, are also expected to be integrated soon.
AAs are essentially non-lending NBFCs licensed by the RBI, where borrowers can allow their data to be shared digitally with lenders. What is its advantage? “This [AA network] speeds up the KYC process, cuts down processing time and costs, [and] reduces the chances of fraud. [It also] gives more data points to the lender to evaluate and underwrite the borrower, and helps the borrower get the loan,” says Shetty.
Currently, there are six AAs—CAMSFinserv, Cookiejar Technologies, FinSec AA Solutions, NESL Asset Data, Perfios Account Aggregation and Yodlee FinSoft—in the country. Finance Minister (FM) Nirmala Sitharaman has also instructed all the public sector banks to adopt the AA system. Many private banks are already part of the network. Shetty adds, “The UPI (Unified Payments Interface) has been at the centre of a payments revolution in India. We believe AA, coupled with the RBI’s groundbreaking regulations such as video KYC, will unleash a similar revolution in digital lending.”
Tokenisation
In order to check the leakage of financial data, the RBI has come out with guidelines that prohibit merchants from storing the customer’s card details on their servers, and mandated the adoption of card-on-file (CoF) tokenisation as an alternative to card data storage. According to the RBI, most of the large merchants have already complied with the tokenisation norms, and 195 million tokens have been issued so far. Under the new regime effective from October 1, 2022, your card details saved on a merchant platform will get deleted as per the regulatory mandate, thereby reducing the chances of it being lost or compromised. Following that, you will have the option to either enter the full card details each time you make a payment, or opt for tokenisation.
The process of tokenisation replaces the actual card details with an alternate code called a ‘token’. It is a unique combination of the card’s details, token requester, and the device through which the request is generated. In this process, instead of saving your card details on platforms such as Amazon, Flipkart or Zomato, you would be using the unique token. And it would be only for that particular merchant and that particular device, but it can be reused. With no card data being saved with the merchant, the chances of it being compromised are minimal.
Cyber Insurance
It’s not just large corporates—that need to protect themselves from malware attacks, compromised emails and disgruntled employees—that require cyber insurance. It is equally important for an individual to buy one, too, to protect oneself against any financial loss incurred due to a leakage of financial data. Realising this need, the Insurance Regulatory and Development Authority of India (IRDAI) last year released guidelines for a model cyber insurance policy that general insurers are advised to follow.
For instance, even after taking all necessary precautions, if you become a victim of financial fraud—due to identity theft, social media breach, malware attack, phishing, or any other data breach by a third-party—then a cyber-insurance policy can cover your losses by providing coverage against the damages. The policy also covers counselling services in cases where a victim goes through an emotional setback.
An individual should buy a cyber-insurance policy because anything and everything, from his wealth to savings, is prone to be lost due to cyberattacks, says S.K. Sethi, Director of RIA Insurance Brokers, and the author of the book 1 Cyber Attack Can Ruin You Forever. “These policies are also available at an affordable rate. For example, the premium charged by Bajaj Allianz for a sum assured of `10 lakh is `2,848 (exclusive of GST). This product is also offered by other insurance companies and some of these are Tata AIG, ICICI Lombard, and New India Assurance,” he adds.
It is also important to keep the information secured as leakage of financial data can invite unwanted troubles. “In case details of your kidnapping and extortion insurance policy (sum assured, name of insurer, etc.) is leaked, the chances of you being kidnapped multiply, as the assumption is that the extortion amount will be paid easily as your insurer will pay the same,” Sethi says.
While these processes can help you add a layer of security to your financial data, one easy way to keep a check on your financial health is by tracking your credit score regularly. Any variance or misuse gets reflected on your credit score sooner or later. As they say, a stitch in time saves nine!
@teena_kaushal