Sebi should also reconsider its position on financial institutions not sharing responsibility for security and compliance with cloud service providers, which can be addressed by treating them as third-party risk. This calls for a differentiated treatment of public and private cloud, which the current proposals do not provide for. Migration to the cloud is dependent on the evolution of risk control, and by prescribing a yardstick, Sebi is restricting the scope for innovation by financial institutions in managing risk. Local data processing could dilute business efficiency by impeding cross-border information flow. This is critical for fast-moving financial markets. Finally, the business case for strong internal controls over commercially sensitive data is compelling and regulation can be built around them.
India has had to climb down on a broader framework for data protection by permitting its export to select countries. Sebi’s proposals for data regulation should be guided by limits to sovereign safeguards. As both sets of rules are trashed out, policymakers will benefit from an increased awareness of global interdependence in regulating technology and finance. India stands to gain from the globalisation of tech-enabled services and should tailor data protection accordingly.