The role of fintechs and payments intermediaries – Data fiduciary vs. data processor?
While the popular view is that fintechs and payments intermediaries would be deemed as data processors, the answer is not really as simple. There are a number of unique use cases and operating models due to which the balance may tilt towards being a fiduciary. While the Digital Personal Data Protection (DPDP) Act does not define the role of a “joint fiduciary” similar to the “joint controller” in GDPR, there is no restriction on the number of fiduciaries. Service models where the traditional fiduciaries such as banks operate in an outsourced/SaaS model with fintech partners in a ‘co-branded’ manner are a classic scenario where both could be perceived as fiduciaries while the bank continues to own the customer relationship. Similarly, fintechs that provide services related to fraud monitoring, threat intelligence, concierge, tokenization could also be involved in determining the purpose of personal data collection without having a direct customer-facing interface. Hence, while revisiting service contracts is of essence, it is vital for fintechs and payments…
