Big Crackdown on Unauthorized Use of PAN Details

The Indian Cybercrime Coordination Centre (I4C), operating under the Union home ministry, has directed the cessation of unauthorized usage of Indian citizens’ Permanent Account Numbers (PAN) by financial technology companies and other consumer tech firms, informed sources told ET.

Government Takes Stringent Action

The government is taking stringent action against technology companies’ unauthorized handling of personal data as it moves forward with implementing the Digital Private Data Protection Act, 2023 (DPDP). This act requires businesses to obtain proper consent and use authorized channels when processing citizens’ information.

PAN Enrichment Service

A top executive at a fintech firm explained that the unauthorized service was known as a ‘Pan enrichment’ service, which would help loan distribution companies create a profile of their customers against their PAN numbers, for cross-selling of credit and other financial products. This data was also used to cross-check the details put in by the customer in their application form.

Disruptions in Services

Recent weeks have seen disruptions in these services as government intervention has led to the closure of many unauthorized operations, according to reliable sources.

Unauthorized Access to Income Tax Department’s Backend Infrastructure

Based on information from three industry experts, numerous firms accessed customers’ personal information, including full names, addresses, phone numbers, and other details, by utilizing their PAN numbers through the Income Tax department’s backend systems. One executive highlighted that PAN numbers’ connection to consumer credit scores made it particularly valuable data.

Authorized Service

There has been no disruption in the authorized service, which is through the National Securities Depository (NSDL), where they do not share any personal data against the PAN number but just verify whether the details provided match with their database.

Industry Sources

Several industry sources indicated that this unauthorized service was widely used by various financial entities, including consumer lending platforms, loan sourcing channels, direct sales agents, and credit aggregators. However, identifying specific companies is challenging as these practices were part of their internal operations.

Alignment with Data Protection Regulations

An executive mentioned earlier suggested that these actions align with the government’s broader initiative to eliminate unauthorized access to Indian citizens’ Personal Identifiable Information (PII), which will be examined thoroughly after data protection rules are implemented.

DPDP Act of 2023

Under the DPDP Act of 2023, businesses must obtain proper consent and use authorized channels when processing citizens’ information. The executive also mentioned that after the Supreme Court judgement on Aadhaar, the rules around access to this database had gotten codified and formalized, and now the government will crackdown on every unauthorized access to any government database.

Industry Experts’ Views

Industry experts acknowledge that while the restrictions may cause operational challenges, they believe this will ultimately help organizations align their systems with upcoming stringent data protection regulations.

Article Details

• Published On Nov 6, 2024 at 11:03 AM IST
• 2 min read