How FinBox data products ensure best-in-class information security, data protection, and integrity

Aparna Chandrashekar

Content Specialist


Jun 9, 2023


Establishing trust between a financial institution and its customers poses a complex challenge. The latter are expected to grant data access, while organisations face heightened scrutiny regarding their data practices and ethics. Although data ethics alone isn't the ultimate solution, adopting an ethical approach to personal data processing is vital to instilling confidence and encouraging customer engagement.


Especially in a world where digital lending is built on alternate data and modular infrastructure, consumer trust is key to increasing the uptake of modern credit products, winning new customers, and fostering financial inclusion.


FinBox combines credit infrastructure and alternate data for reliable lending, all while employing ethical technology that ensures borrower safety and control over information.


Currently, we work with 210 partners, and 60 million of their customers trust FinBox, thanks to our transparency and ease of access.


FinBox adheres to strict standards of privacy - we go above and beyond to ensure integrity, honesty, and transparency in all our operations. We make sure to thoroughly understand constantly evolving regulations to design and implement the right policies and ethical practices. 


Out with the regulatory grey, in with regulatory white 


At FinBox, we implement the following controls to facilitate compliance with data privacy and security measures entailed by the guidelines - 



As per the RBI directives on digital lending: 


The Digital Lending Apps (DLAs) should offer customers a user-friendly privacy notice that is easy to access and understand. This notice must include essential information about the collected customer data, such as its purpose and nature, storage location and duration, details about third-party transfers and data security.


What we do at FinBox 

  • We obtain explicit consent from individuals, along with our lender partners, by displaying a clear data collection consent screen before initiating data sync. 

  • This screen specifies the data to be synced and its purpose. Google pop-ups ensure that only explicitly allowed data is synced for profiling. 

  • We strictly sync non-PII data and transactional information that maintains individual privacy. Our in-device risk engine, DeviceConnect, does not collect any customer phone numbers, contacts, emails, or names. At FinBox, we only sync appographic information, device attributes, transactional SMSes (from 6-digit numbers) with masked PII, and a singular coarse location data point during onboarding. 

  • Data reaching our servers is associated with an anonymous user ID, ensuring it is used solely to generate insights that will enable better loan offers from the specific lender's app.

  • Customers can request permission revocation and deletion of all synced data (already anonymised) through our lender partners' "Forget Me" page or support email.


2. Creditworthiness


As per the RBI directives on digital lending: 


Regulated Entities (REs) must retain customer personal and financial data for credit assessment before granting loans via LSP and/or DLA. This data should not be used for automated decision-making regarding credit limit adjustments without the borrower's explicit consent.


What we do at FinBox


As FinBox is not an RE, we do not make decisions regarding increasing or decreasing credit limits for borrowers. However, we assist lenders in assessing New-To-Credit (NTC) borrowers through DeviceConnect, as an alternative or a companion to bureau data, enabling these customers to access formal credit. Moreover, we offer precise income estimates with confidence scales to help lenders make responsible offers based on the borrowers' financial health.



As per the RBI directives on digital lending: 


Prior to establishing a partnership with an LSP for digital lending, REs are required to perform due diligence. This includes evaluating the LSP's technical capabilities, data privacy policies, and data storage systems.


What we do at FinBox

  • To ensure robust data security and privacy, we undergo ISO, CICRA, and VAPT audits twice a year, safeguarding against external and internal threats. 

  • Additionally, REs have the option to request audits of our system, including Man in the Middle Audits, to verify compliance with specified data syncing requirements.

  • We ensure that data collected through RE apps can only be utilised by the corresponding RE. This is achieved by syncing data against an anonymous hash that the RE itself generates for each user. Only the RE therefore knows how to map the anonymous hash used by FinBox for data syncing to the customer's real-world identity. The key (mapping) and the lock (data) are kept separate, with REs retaining control of the key to prevent unauthorised access and data extraction.



As per the RBI directives on digital lending: 


Customers must be given the choice to grant or refuse explicit consent before their data is collected, and organisations are responsible for keeping records of such consent. Borrowers have the right to exercise their preferences at every stage of data collection, including decisions regarding the use, disclosure to third parties, retention, and requests for deletion of their data.


What we do at FinBox

  • We provide individual data points separately in the consent screen, and Google permission pop-ups are tailored to each data point.

  • Customers have the flexibility to allow or disallow the syncing of specific data.

  • Even after the data has been synced, customers can request through our lender partners to revoke specific permissions and delete all data associated with their customer ID, which has already been anonymised.
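The key-and-lock separation and the deletion-by-anonymised-ID flow described above can be sketched as follows. This is an added example, not FinBox's or any lender's code; the page only says the RE generates an anonymous hash, so the HMAC-SHA256 construction, the class names and the sample records are assumptions.

```python
import hashlib
import hmac
import secrets

class RegulatedEntity:
    """Lender side: holds the secret and the mapping (the "key")."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)  # assumption: never leaves the RE
        self._mapping = {}                       # anonymous ID -> customer ID

    def anon_id(self, customer_id: str) -> str:
        # Keyed hash: stable for this RE, not reproducible without its secret.
        tag = hmac.new(self._secret, customer_id.encode(), hashlib.sha256).hexdigest()
        self._mapping[tag] = customer_id
        return tag

    def resolve(self, tag: str):
        return self._mapping.get(tag)

    def forget(self, customer_id: str, processor: "DataProcessor") -> int:
        # Deletion request: the RE translates identity -> anonymous ID.
        tag = self.anon_id(customer_id)
        self._mapping.pop(tag, None)
        return processor.delete(tag)

class DataProcessor:
    """Processor side: stores synced records (the "lock") by anonymous ID only."""
    def __init__(self):
        self._store = {}

    def sync(self, tag: str, record: dict) -> None:
        self._store.setdefault(tag, []).append(record)

    def records(self, tag: str) -> list:
        return list(self._store.get(tag, []))

    def delete(self, tag: str) -> int:
        return len(self._store.pop(tag, []))

def demo():
    # Constructed sample data; "CUST-001" is a made-up customer ID.
    lender_a, lender_b, proc = RegulatedEntity(), RegulatedEntity(), DataProcessor()
    a, b = lender_a.anon_id("CUST-001"), lender_b.anon_id("CUST-001")
    proc.sync(a, {"kind": "device_attr", "os": "android"})
    proc.sync(b, {"kind": "device_attr", "os": "android"})
    who = lender_a.resolve(a)
    deleted = lender_a.forget("CUST-001", proc)
    return a, b, who, deleted, proc.records(a), proc.records(b)
```

Because each RE uses its own secret, the same customer gets unrelated IDs at two lenders, so the processor cannot join their data or serve one RE's records to another.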


Conclusion 


Our vision at FinBox entails a world where the next billion are part of the formal financial system - and where they have full control over their personal information. To transform this vision into reality: 

  • We leverage data-informed decisions using DeviceConnect, which reduces lending risk by 30% and increases approvals by 25%.

  • We prioritise customer trust by fostering transparency in every aspect of our operations.
