In recent times, unauthorized use of PAN (Permanent Account Number) cards by financial technology and consumer tech firms has raised serious concerns about data privacy. The Ministry of Home Affairs (MHA) has now acted to curb this issue, aiming to secure citizens’ financial and personal data. This decision comes in line with India’s new data privacy laws under the Digital Personal Data Protection Act, 2023 (DPDP Act), ensuring that sensitive information is handled securely.
Why PAN Cards Are Targeted for Misuse
The PAN card, which initially served as an identity and tax identification tool, has now evolved into a primary means of accessing a person’s financial history. Loan companies and consumer tech firms often used PAN cards to verify and cross-check personal details of individuals. This information allowed these companies to create financial profiles that helped them market loans and other financial products. However, this unauthorized use of PAN card data has opened up citizens to risks of data misuse and privacy violations.
What Was the ‘PAN Enrichment’ Service?
A key element in this data misuse was a service known as “PAN Enrichment.” This service enabled loan companies to access detailed profiles based on PAN card numbers, allowing them to evaluate customers’ financial standing. Through this service, companies could obtain personal information such as names, addresses, phone numbers, and even credit scores of individuals. This background check was done without the consent of the individuals involved, raising ethical and legal concerns.
To stop this misuse, the Indian Cybercrime Coordination Center (I4C), a wing of the MHA, has issued directives to halt unauthorized use of PAN cards by fintech companies. This marks a decisive step in protecting citizens’ data from exploitation by unauthorized parties.
How Was PAN Information Being Misused?
According to industry experts, certain backend systems linked to the Income Tax Department provided PAN-linked personal information, allowing firms to access complete customer profiles without authorization. This data was being used primarily by:
- Consumer Loan Platforms: These platforms used PAN data to verify applicants’ financial information.
- Direct Sales Agents (DSAs): DSAs accessed PAN details to assess creditworthiness while promoting loans.
- Credit Aggregators: These platforms used PAN information to consolidate and analyze users’ credit scores.
This unauthorized access meant that sensitive data, intended solely for tax and legal identification purposes, was being circulated for commercial gain.
The Government’s Stand on Data Protection
The DPDP Act 2023 lays down strict rules about data access, requiring companies to obtain explicit consent from individuals before using their information. This law was enacted in response to the Supreme Court’s ruling on data privacy and is part of a larger drive to protect citizens’ personal data.
The MHA’s latest move highlights the government’s commitment to securing sensitive data and preventing misuse. It ensures that organizations comply with the legal framework and refrain from unauthorized data practices, providing individuals with greater control over their data.
What’s Next for Fintech Companies and Data Security?
The government’s crackdown may challenge the operations of some fintech firms, especially those that relied heavily on PAN data for customer profiling. With these new restrictions, companies will need to adapt to secure, transparent processes for data handling. Fintech firms will now have to seek alternative ways to validate customer information, potentially focusing more on authorized data sources and formal customer consent.
Additionally, data security practices are likely to improve across the financial industry, as companies become more cautious in adhering to privacy laws. This shift towards transparency and security aligns with India’s broader goals for a safer digital economy.