By Srinath Sridharan
Why does an unsolicited wealth manager from a brand I don’t know call me with investment advice after a large credit transaction hits my bank account? It’s not my bank’s relationship manager or their wealth division, making me question if my financial data is being leaked. After repeated incidents, the answer is clear: Data privacy is an uncomfortable truth that we don’t want to discuss.
Even though banking regulations promise strong data protection, these incidents undermine consumer trust. The insurance sector is no better — just before policy renewals, unknown brokers and call centres flood us with detailed knowledge of our policies, raising serious concerns about data security.
Years ago, marketing companies would collect personal details from passenger lists posted on train compartments, and couriers would ask for PAN card copies. Today, database seekers have transitioned to tapping into digital data pipelines and social media.
In a few sectors, regulations mandate that entities must have a chief information security officer (CISO). Beyond this formal obligation, no one — industry participants or regulators — seems to care that in many cases, the CISO is just an on-paper contractual hire, for a pittance. The very person responsible for protecting may be tempted to leak data for a fee. In numerous instances, CISOs are contractors, much like licensed pharmacists who lend their names to chemist shop licences. Recently, allegations surfaced of a data leak at an insurance firm involving a CISO. Yet, alarmingly, for nearly a fortnight, we did not hear publicly from the regulator.
Despite this ostrich mindset, data continues to leak like viral videos, while institutions bask in self-praise for supposedly robust data protection efforts. Ask any hacker and they’ll tell you that most entities’ data is available, whether through a hack or for the right price.
For every publicised data breach, likely many more go unreported or unnoticed. It’s as if we’re living in a “what you don’t know won’t hurt you” framework. Take the “do not disturb” framework in telecom. Despite years of a broken and almost non-existent regulatory enforcement, the system remains ineffective. This, when India is a leader in digital public infrastructure. And when breaches occur, the typical response is that things are being “upgraded” — a euphemism for “no bad news, not on my watch”.
The real concern is how regulators across industries will adapt to the digital and data challenges posed by emerging technologies like artificial intelligence. Disruptive technologies have the potential to bring about positive social change, but they also introduce big unknown risks. Yet many policymakers and regulators seem caught up in feel-good presentations and conferences, without understanding the complexities of these technologies.
Where is the tech expertise within our regulatory systems, and how effectively is it applied when designing new regulations or building the capacity for tech-enabled supervision? In the past, policymakers dealt with relatively predictable advancements, and hierarchical social acceptance of their authority. Not anymore. Today, a tech-savvy 16-year-old can create a disruptive system bug, leaving even the most experienced regulators scrambling. The solution isn’t to stifle new ideas but to build agility and make tech-first approaches the foundation of regulation.
This shift requires a new style of leadership in our institutions, one that values tech expertise and talent over conventional hierarchies. Do we have leaders in our institutions who are agile, excited about the unknowns, and capable of fostering such an environment?
Some of them have a resilient talent pool, eager to learn and adapt to changes in society, consumer behaviour, and technology. But these are the exceptions. Most regulators are slow to evolve, content with incremental adjustments that maintain their relevance and soundbytes, even as the gap between them and the tech world widens.
Regulators now need to understand not just their sector but also the technologies transforming it. They must shed old habits, embrace younger talent, and lead from a place of knowledge, not outdated notions of seniority. Is this even possible in our current mindset? What is the incentive for policy leaders who have short-tenured roles to think long?
One key issue is the knowledge gap. Disruptive technologies are highly complex, and most policymakers, businesses, and consumers lack a deep understanding of how they work, their potential applications, and consequences. This information asymmetry makes it difficult to craft informed policy. Moreover, asymmetries exist between investors, companies, consumers, and regulators. Unlike traditional products and services, emerging technologies evolve through an iterative process, often leading to applications and impacts not anticipated at their inception (think of platforms like social media or the internet).
In the guise of expertise, private actors could offer beneficial solutions but carry Trojan-like risks, embedding personal gain and network advantage into the core of public systems. The subtlety of their influence often slips past scrutiny with ease.
These challenges highlight the need for a more informed, flexible, and forward-thinking regulatory approach, one that can keep pace with the rapid evolution of technology. Traditional command-and-control and incentive-based policy tools are ill-suited for this, largely due to the lack of information and the networked, decentralised nature of the tech innovations.
This imbalance is pronounced, thanks to the political urgency to signal leadership in adopting technologies ahead of other nations, even though the policies, laws, and regulations in place are not adequately prepared to support them. The current regulatory framework — designed with traditional institutions in mind and built on activity-specific, entity-specific or scale-size requirements — is outdated and inadequate.
Technology and regulation are often seen as opposing forces — technology driving markets, commerce, and growth, while regulation embodies governance, restraint, and boundaries. Without a more cohesive approach, we risk creating a system where stakeholders are left disillusioned, confused by the disconnect between politics, policy, and regulation.
The author is policy researcher and corporate advisor.
Disclaimer: Views expressed are personal and do not reflect the official position or policy of FinancialExpress.com. Reproducing this content without permission is prohibited.