All 48 fintech entities surveyed, including BHIM, Google Pay, PhonePe, Amazon Pay, and MobiKwik, were found not fully compliant with a law that orders payment of damages in case a personal-data security breach results in loss or gain to any person.
Others that took part in the survey by The Centre for Internet and Society and Hewlett Foundation included JioMoney, Paytm Payments Bank, Airtel Payments Bank, BillDesk, PayU, Citrus Pay, and Bill Junction. PolicyBazaar, Rubique, BankBazaar, Loylty Rewardz, and Walnut also took part in the survey.
Interestingly, the BHIM app, designed by retail payment body National Payments Corporation of India, answered no to all questions concerning reasonable security practices and procedures, and concerning the grievance officer and redressal. Neither Google Pay nor Paytm Payments Bank explicitly stated the specific type of sensitive personal data or information being collected, nor did they specify that the user has the option of not furnishing the data.
Also, 42 of the respondents said that personal information is disclosed to government agencies or investigating authorities only when those agencies legally mandate it.