Will the BNPL juggernaut hit a bump with data security?

Chitwan Kaur   /    Content Specialist    /    2021-09-02


The last year would have you believe the Indian economy was in doldrums, people had cash flow issues and small businesses were nearing the end of the road. And yet, something clocked a 569% increase, riding on all these factors. We’re talking about the digital lending offering - buy now, pay later (BNPL) - that caught on during the pandemic-induced lockdown. 

Indians warmed up to the credit product because of the ease of access it promises and the repayment flexibility it boasts of - all with no to low interest. This catapulted India to be the fastest-growing market for BNPL adoption, also spurred by the fact that only 3.3% Indians are credit card holders.

But as the dust settles and people take stock, BNPL has come under scrutiny for the use of data and everything that comes with it. As a quick access to ready credit, BNPL requires borrowers to share personally identifiable information and runs it through intelligent engines that assess risk and credit appetite for each borrower. 

To do this within minutes, these engines would need access to alternative sources of data (those that traditional lenders often do not factor in), such as text messages, contact list, recent account activity, lending app stack etc.  

And that raises concerns around data security and if it’s worth trading data for easy credit. Not that the credit industry has ever been watertight on data security. There is a reason why MasterCard and American Express are banned from issuing new cards. And the recent breach at the Swedish BNPL whiz Klarna didn’t help matters either. However, as the industry matures, data security is being democratized for safer and more secure transactions. Here’s how.

Complex ecosystem

Unlike traditional credit, where only two entities – the lender and the borrower – interact, BNPL functions in a more complex ecosystem involving numerous stakeholders. In a B2B context, the players involved are a lender, a merchant's digital platform, a FinTech company providing the BNPL service, the merchant and the end customer.

FinTech provides software that can be integrated into merchant platforms. It may partner with lenders to offer BNPL through their channels on the merchant platform. Merchants can choose to onboard BNPL as a payment option through the FinTech company. The end customer chooses the BNPL option on checkout and can avail of credit financed by the lender.

Open banking enables a free flow of financial and personal data among these players. Data security assumes utmost importance while relaying sensitive information at each step – from procurement, processing through storing user data. As a result, each player in the lending process assumes responsibility for the end-user’s cybersecurity. To that end, several technological, regulatory and policy measures are implemented at each touchpoint in the process.

User consent and regulation

Ensuring data security starts with obtaining explicit user consent. The end-customer seeking BNPL is explicitly asked for permission to scour through their device for relevant information that will help the FinTech company underwrite accurately. Users can, at any point in time, choose to revoke their consent or alter device permissions to restrict access.

  • DEPA: The NITI Aayog has introduced a consent driven data-sharing framework called the Data Empowerment and Protection Architecture (DEPA). This will allow users to give consent at a granular level wherein they can authorise access to their data for a specific period of time or for certain functions. This consent flow must also be recorded using the log artifact of the Ministry of Electronics and Information Technology, DEPA mandates. DEPA will form the final data empowerment layer of India Stack alongside Aadhaar's identity layer and UPI's payments layer. The policy calls for the creation of consent managers - a new crop of "data blind" institutions that will provide a connection between individuals, organisations that possess their personal data, and businesses that seek access to such data.  At FinBox, we ensure DEPA compliance with our in-device data analyzer - DeviceConnect - that makes the process of acquiring, storing and using data 100% secure and private.

  • Banks’ security infrastructure: A recent KPMG report identified a regulatory norm unique to India in the digital banking space. Digital banks acted as SaaS providers, with the bulk of the regulatory responsibility with their bank partners. This ensures that banks, who have decades of experience in credit regulation, take the lead in ensuring data security. The Reserve Bank of India (RBI) has announced its master direction on Digital Payment  Security Controls that requires regulated entities (REs) such as small finance banks, payments banks, scheduled commercial banks to routinely check their third-party associates such as BNPL providers for risks to cybersecurity.  REs must now encrypt API gateways, APIs and KYC with the use of artificial intelligence and machine learning. Banks and other registered entities are instructed to use their own trained resources to manage cyber risks.

  • Self-regulation: Whether to fill the void arising from a lack of regulation or to augment existing legislation, BNPL companies are forming a consortium to self-regulate. In Australia, companies such as Klarna, Afterpay, Brighte, Latitude and the Humm Group have come together to formulate a code that ensures “fair, honest, and ethical” behavior on their part. Best practices listed under this code include the assessment of new borrowers for compliance with anti-money laundering.

How technology protects user data

Data security is supported by the twin pillars of regulation and technology. While regulatory measures provide the framework within which BNPL can operate responsibly, the everyday machinations of the BNPL credit line rely heavily on technology.

  • Fraud prevention: BNPL service providers can include biometric authentication such as fingerprints or source insights from behavioural patterns such as keyboard usage, typing speed and geolocation tagging to institute enhanced safety guardrails. They can also protect users from account takeovers by detecting attempts at credential stuffing, analysing alternative information such as device location and time to supplement other authentication  tools. FinTechs also utilise machine learning algorithms to detect anomalies and ascertain whether a fraudulent transaction has taken place.

  • Confidential computing: Sharing user data with other parties forms a crucial part of enabling BNPL. Companies resort to confidential computing to present data for analysis to protect user data. E-commerce platforms share a user's encrypted details confidentially with the BNPL provider's risk assessment application. The application decrypts the data and processes it to send information about an incoming order to the BNPL provider.

  • Devaluing data: The storage of data over the long term exposes it to increased risks of breaches. Companies can ensure that even if data is breached, it serves no use to attackers. Many BNPL providers devalue data to ensure that user data is used in an intent-bound manner. They use encryption to translate personally identifiable information (PII) into code that is understandable only to those who have the right digital key. Devaluing data also involves tokenisation under which PII is stored digitally as random characters. 

Data security has, for all intents and purposes, been democratised. Each stakeholder along the value chain has a role to play in ensuring it. At the lender’s level, data security measures such as Sensitive Personal Data or Information (SPDI) and DEPA adherence, along with secure APIs for open banking are used to provide ironclad protection to user data. Encryption, access to selective data, user consent and the elimination of manual intervention are some practices observed by the BNPL provider or FinTech company. However, the end-users perform the most crucial role of all – they control how and when their data is accessed and used.


In contrast to traditional lending, BNPL already has enhanced security models in place at each level of the value chain. The onus of data security is on each stakeholder. Regardless, efforts are being made to create unimpeachable systems through new policies and regulatory measures.  A combination of shared responsibility, robust tech-based solutions and policy will ensure that BNPL is readily adopted as a payments solution.