India: Privacy of Client Data

Researched by: Ashwini Sahu, Credit Suisse

Executive Summary

(from CFI’s India Client Protection Summary)

The Indian banking sector is one of the world’s fastest growing markets for inclusive finance. As the largest democracy and the second most populated country in the world, India is a rising star. As the financial services industry becomes more entrepreneurial and innovative, its risk and product diversification grow. Following the 2006 credit crisis in Andhra Pradesh state, regulators, private banks, and MFIs alike have been increasingly concerned with consumer protection policies. The status of client protection in India seems strong because of a tough legal framework, a specific and clear set of policies, and the presence of industry watchdogs, as well as a commitment to compliance by the national networks of banks and MFIs. The country’s legal framework is buttressed by strong institutions and the political will to follow through on legislation.

Some of the strong points in the administration of consumer protection policies in India are as follows:

  • Banking networks have been persuaded by the Banking Codes and Standards Board of India to adopt a uniform code of conduct that enforces many pro-client clauses.
  • Indian Banking Associations have their own codes with strict penalties for non-compliant members.
  • Sa-Dhan is the leading national network of MFIs. It has enacted a code of conduct proclaiming the organization to be first and foremost client-focused and designed to enhance client well-being in an ethical, dignified, transparent, and cost-effective manner.


Since 1990, India has emerged as one of the world’s fastest growing economies and is a major player in international economic circles. The Indian economy encompasses a diversity of agriculture, handicrafts, textiles, manufacturing, and services. However, as of 2006, an estimated 29 percent, or 350 million Indians, lived below the national poverty line, and two thirds of the workforce earned their livelihood directly or indirectly through agriculture. There is a growing service sector which plays an increasingly important role in the country. Nevertheless, India faces huge obstacles, as it will have to reconcile its soaring economy with the challenge of lifting a sizeable segment of its population out of poverty.

Along with the growing economy, liberalization policies contributed greatly to the expansion of the banking industry. There have been favorable policies for foreign direct investment, which has made the banking industry more dynamic and competitive. As the financial services industry becomes more entrepreneurial and innovative, its risk and product diversification grow. This has posed significant challenges for Indian regulators, who strive to develop clear rules and fair regulations for both customers and banks. Following the 2006 crisis in Andhra Pradesh, where the government closed nearly 50 branches of local MFIs because it accused them of having usurious interest rates, regulators, private banks, and MFIs alike have been increasingly concerned with client-protection policies.

The confidentiality of personal information is a right that protects privacy and individual liberties. The increasing complexity of the technology used to manage client data creates a particular challenge for financial service providers seeking to maintain the privacy of client data. Privacy of client information is a critical aspect of the whole client protection framework because of its sheer importance in an information-oriented environment. The impact of globalization on the privacy of an individual is growing. The fact that more and more personal information is crossing borders in trans-border data flows means that data breaches often affect people in multiple countries, and may result in financial fraud.

Who’s Who – Microfinance Sector in India


India has well-established financial service providers and banks which cater to the needs of the common masses for inclusive finance. The Indian microfinance sector primarily operates through 2 channels:

  • Microfinance institutions (MFIs)
  • NABARD’s (National Bank for Agricultural and Rural Development) Self-help groups (SHG) bank linkage programme (SBLP)


Microfinance institutions (MFIs) can be further classified into the following groups:

  1. Non-profit MFIs – Public trusts, societies, Section 25 companies
  2. Mutual benefit groups – Self-help groups (SHG) and federations; cooperative societies
  3. For profit groups – Non-banking financial corporations (NBFC)

A typical flow of funds from investors to micro-credit borrowers is as below


SHG-Bank linkage program (SBLP)

The microfinance movement started in India with the introduction of the SHG-Bank Linkage Program in the 1980s by NGOs that was later formalized by the Government of India in the early ‘90s. Pursuant to the program, banks, which are primarily public sector regional rural banks, are encouraged to partner with SHGs to provide them with funding support, which is often subsidized.

A self-help group, or SHG, is a group of 10 to 20 poor women in a village who come together to contribute regular savings to a common fund to deposit with a bank as collateral for future loans. The group has collective decision making power and obtains loans from the partner bank. The SHG then loans these funds to its members at terms decided by the group. Members of the group meet on a monthly basis to conduct transactions and group leaders are responsible for maintaining their own records, often with the help of NGOs or government agency staff.

NABARD (National Bank for Agricultural and Rural Development) is currently operating 3 models of linkage with SHGs and NGOs:

Model 1 – In this model, the bank itself acts as a Self Help Group Promoting Institution (SHPI). It takes initiatives in forming the groups, nurtures them over a period of time and then provides credit to them after satisfying itself about their maturity to absorb credit.

Model 2 – In this model, groups are formed by NGOs or by government agencies. The groups are nurtured and trained by these agencies. The bank then provides credit directly to the SHGs, after observing their operations and maturity to absorb credit.

Model 3 – Due to various reasons, banks in some areas are not in a position to even finance SHGs promoted and nurtured by other agencies. In such cases, the NGOs act as both facilitators and microfinance intermediaries.

Some of the largest microfinance institutions in India by scale are as follows:

  1. SKS Microfinance – SKS Microfinance is the largest MFI nationally and one of the fastest growing microfinance institutions globally. Started in 1996 as a private NGO, SKS currently provides full-scale microcredit facilities in 15 states and 1 union territory in India, including savings & deposits, micro loans, remittance facilities and community based investments. The company follows the group-lending model in line with the Grameen Bank, Bangladesh. SKS was the first microfinance institution in India to successfully run an IPO and get publicly listed in 2009.
  2. Spandana Spoorthy Financial Ltd – Spandana Spoorthy is another large active public listed company providing microcredit services in India. It is registered as an NBFC (non-banking financial corporation) and operates on the joint & individual SHG lending model.
  3. Share Microfin Ltd – Share Microfin (SML) was the first MFI in India to transform into an NBFC from a non-profit outfit during 1999-2000 and is credited with successfully pioneering Bangladesh Grameen Bank’s group lending model in India. SML started commercial operations by taking over a branch network of the Society of Help by awakening Rural poor (SHARE) in 2000. SML has a presence in 19 states and recently changed from a community based structure to an institutional leadership structure with equity investments from Legatum Ventures and Aavishkar Goodwell.
  4. Ujjivan Financial Services Ltd – Considered as one of the best capitalized MFIs in India, Ujjivan Financial’s main focus group are urban poor who lack access to inclusive finance services. It operates on the joint lending group model and has its funding through local and foreign direct investments.
  5. Bandhan – Bandhan, through its NBFC registered entity, Bandhan Financial Services Ltd, operates one of the largest full scale micro-credit service networks in 18 states across India, including lending, remittance and pension services. Bandhan Financial operates through the joint group lending model.

Regulators and Supervisors

The Ministry of Consumer Affairs, Food and Public Distribution, a cabinet level ministry, has a Department of Consumer Affairs. The Ministry’s mandate is the oversight of all measures of consumer protection in the country. The Department of Consumer Affairs is in charge of administering policies for consumer cooperatives, price monitoring, the consumer movement in the country, and the control of statutory bodies like the Bureau of Indian Standards and Weights & Measures. The Bureau, however, does not certify any financial services standards. To provide inexpensive, speedy and summary redressal of consumer disputes, the National Consumer Disputes Redressal Commission (NCDRC) was established as a quasi-judicial body headed by a governing committee of judges from various high courts and the Supreme Court of India. The commission oversees the Consumer Protection Act in the country and processes all cases relating to consumer protection in India.

The Reserve Bank of India (RBI), India’s central bank, through its board, undertakes consolidated supervision of the financial sector comprising commercial banks, financial institutions and non-banking finance companies. Some of the initiatives undertaken by RBI include:

  • Restructuring of the system of bank inspections;
  • Introduction of off-site surveillance;
  • Strengthening the role of statutory auditors; and
  • Strengthening the internal defenses of supervised institutions.

Within the microfinance sector, there are 2 main apex bodies which set the standards for microfinance institutions in India – Microfinance Institutions Network (MFIN) and Sa-Dhan. MFIN is the self-regulatory organization (SRO) for the Indian microfinance industry. It was established in October 2009 with the sole purpose of promoting the key objectives of microfinance in India and establishing guidelines for responsible lending and client protection in the microfinance industry. MFIN seeks to work closely with regulators and other key stakeholders to achieve larger financial inclusion goals through microfinance. Currently MFIN member organizations consist of 46 of the leading NBFC/MFIs, whose combined business constitutes over 80% of the Indian microfinance sector. As a step towards more stringent self-regulation, MFIN has defined a code of conduct for its members, which focuses on fair practices with borrowers and among member organizations. The MFIN code of conduct establishes limits on overall lending at the client level, establishes guidelines for fair collection practices promoting transparency, and standardizes recruitment and training practices for member MFIs.

Sa-Dhan was established in 1998 to provide a common collaboration platform for MFIs, NGOs, community development financial institutions and government agencies like NABARD and serves as a forum and advisory body for organisations and individuals engaged in the field of community development and financial inclusion. The key strategies that Sa-Dhan works on are as follows:

  • Encourage existing and new MFIs through financing and capacity building as well as a supportive regulatory framework
  • Incentivise existing mainstream financial institutions to provide microfinance
  • Build a strong demand system through community development financial institutions (CDFI)

In order to successfully execute its strategy, Sa-Dhan is working in the following three thematic areas:

  • Policy interventions – It looks at providing an enabling environment for the enhancement of microfinance activities.
  • Setting standards – Its main function is to facilitate the adoption of best practices within the sector.
  • Capacity building – It aims to build sectoral capacity in microfinance.

Available Laws

Microfinance Laws

In the area of microfinance, the Microfinance Institutions (Development and Regulations) Bill, 2011 is a major step towards the centralization of microfinance policies in India under the supervisory umbrella of the central bank, Reserve Bank of India (RBI). This will facilitate many of the already developed consumer protection policies within the banking system to be applied to the microfinance sector.

Under the new Bill, RBI is designated as the umbrella authority that will regulate microfinance institutions. The Bill details the powers exercisable by RBI over the various types of institutions currently carrying on microfinance activity (which include non-banking finance companies and cooperatives). More importantly, the draft legislation seeks to do away with the fragmentation that currently exists in regulating the sector. As for regulation of the sector itself, the scope of the Bill largely covers the role of RBI in overseeing the sector in terms of its supervisory powers over various institutions carrying on microfinance activity. All institutions will be required to register with the RBI.

Some of the key provisions of the bill are as follows:

Registration for MFIs: every institution in microfinance should register with the regulator, transform into a company when it attains a significant size, be subject to a variety of prudential and operational guidelines that are introduced by the regulator, provide periodic information to the regulator and face penal action for violation of law or any rules framed.

National and state level supervision: Proposal for regulation and supervision of MFIs at a state level in addition to the national level. The setup of state councils is proposed, which would involve state governments and would be linked to the central government council. State councils would monitor lending activities undertaken by MFIs to check for over-indebtedness and defaults, recovery practices adopted by MFIs, appropriate grievance redressal mechanisms in place, and the overall impact of measures for financial literacy and inclusion.

Pricing and interest rates: The RBI will have the authority to set interest rates and margin caps for pricing of loans.

Microfinance Development Fund: Proposal to create a Microfinance Development Fund to provide funding and other financial assistance to MFIs, give grants and loans for training and capacity building of MFIs, invest in equity or other forms of capital of an MFI, meet expenses related to the collection, analysis and dissemination of information relating to microfinance, conduct research, and promote practices which are conducive to the growth of microfinance services.

Penalties: The bill proposes penalties for MFIs of a maximum of Rs 500,000 for not following the rules set forth by the governing councils and facilitates the RBI to delegate powers and enforcement to NABARD.

Client protection Laws

The Monopolies and Restrictive Trade Practices Act, 1969 lists trade practices considered unfair in India:

  • Making false or misleading claims about products or services through advertisements or otherwise;
  • Offering bargain prices and making bait advertisements;
  • Offering pseudo gifts or prizes and conditioning sales on promotion contests, the lottery, or games of chance or skill;
  • Supplying unsafe or hazardous products; and
  • Hoarding or destroying goods, or refusing to sell goods, resulting in price increases.

The Consumer Protection Act of 1986 (CPA) was the most significant milestone in the history of consumer protection in India. It established national, state, and district level judicial platforms where consumers can speedily and inexpensively seek redress for their grievances. It also set up consumer-protection councils at the national and state levels. Banking and financial insurance are considered “services” under the act, making it part of the general consumer-protection framework, but also meaning that banking-specific instances such as interest rates, collection practices, and over-indebtedness policies are not included.

The National Consumer Disputes Redressal Commission (NCDRC) was created by the CPA to enforce its provisions. The National Commission is empowered to issue instructions regarding:

  • Adoption of uniform procedures in the hearing of the matters/dispute resolution;
  • Provision of copies of documents produced by one party to the opposite parties;
  • Speedy granting of copies of documents; and
  • Generally overseeing the functioning of the State Commissions or the District Forums to ensure that the objects and purposes of the Act are best served without in any way interfering with their quasi-judicial freedom.

The RBI is in charge of a Banking Ombudsman which directly deals with consumer complaints in areas such as credit cards, service deficiencies, charges, and non-compliance with the fair practices code. The Reserve Bank is also in an advanced stage of setting up an independent Banking Codes and Standards Board of India (BCSBI) to ensure that comprehensive codes of conduct for fair treatment of customers are formulated by banks and adhered to voluntarily. The BCSBI has drafted a series of codes known as the Banking Code Rules that seek to clearly delineate the banks’ obligations to consumers and microenterprises.

The codes have been developed with the objective to:

  1. Promote good and fair banking practices by setting minimum standards in dealing with consumers;
  2. Increase transparency so that consumers have a better understanding of what they can reasonably expect of their services;
  3. Encourage market forces, through competition, to achieve higher operating standards;
  4. Promote a fair and cordial relationship between consumers and their bank;
  5. Foster confidence in the banking system.

Data Protection & Privacy Laws

Privacy of Client Data – Principle (As in CFI Client Protection Principles)

The privacy of individual client data will be respected in accordance with the laws and regulations of individual jurisdictions. Such data will only be used for the purposes specified at the time the information is collected or as permitted by law, unless otherwise agreed with the client.

Compared to other emerging economies, the Indian legal system has a relatively well developed framework to deal with data protection & privacy. Several enactments address data and personal-information privacy rights:

  i) Indian Telegraph Act, 1885
  ii) The Public Financial Institutions Act, 1983
  iii) The Consumer Protection Act, 1986
  iv) The Credit Information Companies (Regulations) Act, 2005
  v) The IT Act, 2000

IT (Amendment Act), 2008 – Section 43A & Section 79

On April 11, 2011, India adopted new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These Rules require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures.

Key Provisions

  • Privacy Policy – The body corporate, or any person on its behalf, that “collects, receives, possesses, stores, deals or handles” personal information must provide a privacy policy that clearly sets out its practices and policies, identifies any sensitive personal data collected and processed, explains the purposes for which the data is collected and used, discloses specific information in relation to the newly defined category of “sensitive personal data,” and provides for reasonable security practices and procedures.
  • Definition of Sensitive Personal Data – Sensitive personal data is now a defined term, although the definition is narrower than had originally been proposed in draft regulations. Sensitive personal data includes physical, physiological and mental health conditions, medical records and history, and sexual orientation. The definition also includes biometric data, passwords and financial information such as bank account details, credit and debit card details. Information that is freely available or accessible in the public domain is excluded from the definition of sensitive personal data.
  • Restrictions on Data Collection and Processing – At the point of collection of any data, individuals must be made aware of the fact that their data are being collected, the purpose for which the data are collected, the intended recipients of the data and the contact details of both the agency collecting the data and the agency that will retain the data. Further, all data is subject to a restriction on any processing for secondary purposes. It must be processed only for the purpose for which it was collected.
  • Additional Restrictions for Sensitive Personal Data – The prior written consent of an individual is required before their sensitive personal data may be processed. Consent may be obtained by letter, fax or email. The provider of the sensitive personal data must be given the option, at the outset, not to provide data and may withdraw their consent to the processing at any time. In addition, sensitive personal data may only be collected for a lawful purpose connected with a function or activity of the body corporate, and the collection of the data must be necessary for that purpose. Sensitive personal data may not be retained for longer than required for the purpose for which it may lawfully be used.
  • Rights of Access and Correction – Individuals have the right to review the information about them and to ensure that inaccurate or deficient data is corrected or amended, as feasible.
  • Disclosure to Third Parties – Information (including sensitive personal data) may only be provided to a third party with the consent of the provider of the information. There are exceptions where the disclosure has been agreed to contractually, is required for legal compliance purposes, or where the disclosure is to government agencies mandated to obtain the information for specific purposes. The body corporate processing the information (or any person on its behalf) may not publish it, and any third party recipient is prohibited from further disclosing the information.
  • International Data Transfers – A body corporate or another person on its behalf may transfer sensitive personal data or information to another body corporate or person in India or abroad where the same level of data protection is assured. The Rules also stipulate that “the transfer may be allowed only if it is necessary” for the performance of a lawful contract with the provider of the data or with their consent.
  • Security – The Rules state that a body corporate will be taken to have complied with reasonable security practices and procedures where they have implemented those practices and have a comprehensive documented information security program and policies that contain managerial, technical, operational and physical control measures commensurate with the information assets and nature of the business. In the event of a security breach, the organization must be able to demonstrate that it has implemented its documented security control measures when asked to do so. An organization that has implemented International Standard IS/ISO/IEC 27001 or an approved industry code of practice is deemed to have complied with reasonable security practices and procedures, provided that compliance with the standard or code of practice has been audited annually.
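The provisions above read naturally as a data-handling policy that a financial institution's systems can enforce before personal data is processed, disclosed or transferred. The following is an added illustration, not code from the report or from any regulator: it encodes the sensitive-data categories, the purpose-limitation rule, the written-consent requirement, the third-party disclosure exceptions and the international-transfer conditions as summarised above, and evaluates constructed requests against constructed records. Category names, field names and the decision for non-sensitive transfers (treated like any other third-party disclosure) are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Categories the Rules list as "sensitive personal data" (labels are this example's own).
SENSITIVE_CATEGORIES = frozenset({
    "health_condition", "medical_record", "sexual_orientation",
    "biometric", "password", "bank_account", "card_details",
})


class ConsentChannel(Enum):
    """Written-consent channels the Rules accept for sensitive personal data."""
    LETTER = "letter"
    FAX = "fax"
    EMAIL = "email"


@dataclass
class PersonalData:
    category: str
    collection_purpose: str             # purpose told to the individual at collection
    public_domain: bool = False         # freely available data is not "sensitive"
    consent: Optional[ConsentChannel] = None
    consent_withdrawn: bool = False
    purpose_fulfilled: bool = False     # retention must end once the purpose is met


@dataclass
class Request:
    action: str                         # "process", "disclose" or "transfer"
    purpose: str
    provider_consented: bool = False    # consent of the data's provider for this action
    contractually_agreed: bool = False  # disclosure exception: agreed in a contract
    legal_compliance: bool = False      # disclosure exception: required by law
    government_mandate: bool = False    # disclosure exception: mandated agency
    recipient_same_protection: bool = False  # transfer condition
    necessary_for_contract: bool = False     # transfer condition


def is_sensitive(rec: PersonalData) -> bool:
    return rec.category in SENSITIVE_CATEGORIES and not rec.public_domain


def evaluate(rec: PersonalData, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for one handling request under the summarised Rules."""
    if req.action not in ("process", "disclose", "transfer"):
        return False, f"unknown action {req.action!r}"
    # Purpose limitation and the retention limit apply to all personal data.
    if req.purpose != rec.collection_purpose:
        return False, "secondary purpose: use only for the purpose stated at collection"
    if rec.purpose_fulfilled:
        return False, "retention limit: purpose fulfilled, data should no longer be held"
    sensitive = is_sensitive(rec)

    if req.action == "process":
        if sensitive and rec.consent is None:
            return False, "sensitive data: prior written consent required"
        if sensitive and rec.consent_withdrawn:
            return False, "sensitive data: consent has been withdrawn"
        return True, "processing within the collection purpose"

    if req.action == "transfer" and sensitive:
        if not req.recipient_same_protection:
            return False, "transfer: recipient must assure the same level of protection"
        if not (req.necessary_for_contract or req.provider_consented):
            return False, "transfer: needs contract necessity or provider consent"
        return True, "transfer of sensitive data permitted"

    # Disclosure (and, by this example's assumption, non-sensitive transfers):
    # provider consent or one of the listed exceptions.
    if req.provider_consented:
        return True, "disclosure with the provider's consent"
    for flag, name in ((req.contractually_agreed, "contractual agreement"),
                       (req.legal_compliance, "legal compliance"),
                       (req.government_mandate, "government mandate")):
        if flag:
            return True, f"disclosure exception: {name}"
    return False, "third-party disclosure needs consent or a listed exception"


if __name__ == "__main__":
    # Constructed sample: bank account details collected for loan appraisal with e-mail consent.
    rec = PersonalData("bank_account", "loan_appraisal", consent=ConsentChannel.EMAIL)
    for req in (Request("process", "loan_appraisal"),
                Request("process", "marketing"),
                Request("disclose", "loan_appraisal"),
                Request("disclose", "loan_appraisal", legal_compliance=True),
                Request("transfer", "loan_appraisal", recipient_same_protection=True,
                        necessary_for_contract=True)):
        print(req.action, req.purpose, evaluate(rec, req))
```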

The Banking Code and Standards Board of India – Code of Bank’s Commitment to Customers

The BCSBI is an independent watchdog for financial institutions in India, which has set forth clear rules and code of conduct for banking operations in India. Section 5 of the code focuses on Privacy and confidentiality of information.

Section 5: Privacy and Confidentiality

This section of the code sets out the principles to be followed by banks in India: all client information is to be kept confidential and not released to any other person or organization, except in the following cases:

  • Disclosure of information required by law
  • If there is a duty towards the public to reveal the information
  • In accordance with the bank’s safety and interests
  • Upon written consent from client
  • Information about credit availed and debt repayments is reported to credit reference agencies

Indian Banks Association – Code of Conduct

The Indian Banks Association (IBA) code of conduct also mentions a section on privacy of client information which all banks are legally bound to comply with.

Sa-Dhan – Code of Conduct for Microfinance Institutions

The Code of Conduct for Microfinance Institutions in India sets forth key principles to be followed by all microfinance institutions.

Section III-D: Privacy of Client Information

MFIs must keep personal client information strictly confidential. Client information may be disclosed to a third party subject to the following conditions:

  • Client has been informed about such disclosure and permission has been obtained in writing.
  • The party in question has been authorized by the client to obtain client information from the MFI.
  • It is legally required to do so.

Data Security Council of India

Data Security Council of India (DSCI), a section 25 not-for-profit company, was set up as an independent self-regulatory organization (SRO) by NASSCOM (National Association of Software Companies) to promote data protection, develop security and privacy codes & standards, and encourage technology industries to implement them. DSCI has developed Best Practices for Data Protection that are in line with global standards and cover emerging disciplines of security and privacy. While its immediate goal is to raise the level of security and privacy of IT and BPO service providers to assure their clients and other stakeholders that India is a secure destination for global sourcing, DSCI also promotes these best practices for domestic industry segments like banking, financial institutions, telecom and e-governance.

DSCI Data Privacy Framework – DPF

To protect privacy of personal information from unauthorized use, disclosure, modification or misuse, DSCI has conceptualized its approach towards privacy in the DSCI Privacy Framework (DPF©) which is based on the global privacy best practices and frameworks.


Figure 1 – DSCI Data Privacy Framework (DPF©)

Key sections of the DPF© include:

  1. Visibility of Personal Information (VPI)
  2. Privacy organization and relationship (POR)
  3. Privacy policy and processes (PPP)
  4. Regulatory compliance and intelligence (RCI)
  5. Privacy contract management (PCM)
  6. Privacy monitoring and incident management (MIM)
  7. Information usage and access (IUA)
  8. Privacy awareness and training (PAT)
  9. Personal Information security (PIS)

DSCI Data Security Framework  – DSF©

DSCI Security Framework brings a fresh outlook to the security initiatives of an organization by focusing on each individual discipline of security. Each security discipline, as depicted in DSF©, has evolved with very specific approaches to address the specific challenges faced by it.


Figure 2 – DSCI Data Security Framework (DSF©)

Key sections of the DSF© include:

  1. Security strategy and policy (SSP)
  2. Security organization (SEO)
  3. Asset management (ASM)
  4. Governance risk and compliance (GRC)
  5. Infrastructure security (INS)
  6. Application security (APS)
  7. Secure content management (SCM)
  8. Threat and vulnerability management (TVM)
  9. User access and privilege management (UAP)
  10. Business continuity and disaster management (BDM)
  11. Security audit and testing (SAT)
  12. Security monitoring and incident management (MIM)
  13. Physical and environmental security (PEN)
  14. Third party security management (TSM)
  15. Personnel security (PES)
  16. Data security (DSC)


The status of client data protection and privacy in India seems to be in a good state because of a strong legal framework (Banking Regulations Act, IT (Amendment) Act 2008), a specific set of policies and industry watchdogs like BCSBI, as well as compliance by national networks of banks (IBA) and MFIs. With an increasing focus and investment in e-governance and technology based services in India, the topic of privacy rights and data security is very crucial to national development and the appropriate functioning of these services. The banking and financial services, microfinance and community & rural development sectors are in a continuous process of development and are working on adopting the latest industry standards in data privacy and consumer protection. The IT (Amendment) Act, 2008 now makes it mandatory for many organizations using IT enabled services to follow data protection and privacy policies. The DSCI DPF© and DSF© frameworks provide a state-of-the-art model for upcoming financial services institutions to adopt in their own organizations.
