The online verification process for HDFC Bank’s credit card application requires users to give the bank permission to view their email messages and settings and all their contacts, in addition to basic info like age range, language and other email addresses (hat tip: Twitter user N). This information can be read by employees, and is likely not stored in India.

Applied for @HDFC_Bank credit card. It sent me a link to “verify” my email address. The verification site needs this access. Yeah right! pic.twitter.com/JeOApLgyek — N (@coderzombie) January 9, 2017

HDFC seems to channel this information through Verifi.Me’s verification services. Verifi.Me seems to provide verification services for ‘many partners’, although it does not specify any of them. It also offers an app for consumers that can be used to save digital copies of documents for verification, as well as to verify through online means such as email verification, which the company claims “allows people to prove their identities and fast-track their applications.” The app isn’t accessible in India.

According to Verifi.Me’s privacy policy, the company collects a lot of personal data, including but not limited to name, email, tax information, employer information, stored contact information, educational background, bank and financial information, family information and information from social media accounts.

It also mentions that it only shares information which is required to be known for verification. However, this information is accessible to employees “who are required to know such information in order provide our Services to you.” Essentially, those verifying through this method for HDFC Bank could end up having their emails, bank statements, photos and other sensitive information read by employees.

Worse, from Verifi.Me’s privacy policy, it appears that the company will be able to continue accessing user information, and users cannot revoke this permission if they have an ‘outstanding obligation’, like the issuance of a credit card. The privacy policy further states that, “If you are located in a non-US jurisdiction, you may be sending your Personal Information to the United States or another jurisdiction.” Basically, for verifying a user’s creditworthiness, HDFC Bank employs a third party to access all sorts of information from a user’s personal email and social media accounts, which can then be accessed by its employees, with at least the data residing outside the ambit of Indian jurisdiction.

It’s not clear if what the bank is doing is legal; it may be operating in a grey area of regulation given the lax privacy and security laws in India.

.@HDFC_Bank has sent me a message through verifi.me asking me to verify my digital identity. Asking for access to FB, Gmail, Linkedin. Safe? — Mohammad Omar (@omar1618) December 30, 2016

So @HDFCBank_Cares wants access to my whole email account to verify my credit worthiness #privacy #surveillance #digitalsecurity — Chinmayi (@chinmayiarun) September 1, 2016

@HDFCBank_Cares @HDFC_Bank This is an infringement of an individuals privacy No sane person cn give access 2this personal data #Verifi (3/3) — aviraj gunjal (@avirajgunjal) July 30, 2016

MediaNama has written and called HDFC Bank about the privacy issues while collecting customer data and we will update once we hear from them.

MediaNama’s take

The issue has been brought to HDFC Bank’s notice by various users on Twitter over the last few months, and the Bank has at times responded by asking users to send in an email. However, this problem is unlikely to be resolved by customer support; rather, the bank will have to rethink how it collects data for verification in the first place. Additionally, it is high time the Government defined a clear privacy law, especially in the context of online identities and information, something it has been putting off for over 5 years now.

Excerpts of Verifi.Me’s privacy policy:

“We collect Personal Information at registration, signing in to Verifi.Me through a Third party registration tool and, in general when using any of the Services (including but not limited to, the following: your name, email address, phone number, gender, government ID, date of birth, occupation, employment and economic status (income, employer) tax information (tax returns and other information about your tax situation), contact information (such as telephone numbers, addresses, email addresses, etc.), educational background, family information, bank or financial information (bank accounts, loans, debt, monthly expenses), pictures, why you decided to use Verifi.Me, information from your social media accounts, and a means to authenticate your account (e.g. a password).”

“We do not have control over the use of your personal information once it is shared by our Partners or Third Party Providers, and we are not responsible for their privacy practices. Your rights with respect to their treatment of your information will be governed by their own policies.”

“However you will not be able to delete your account if you have an outstanding obligation (e.g. loan) with Verifi.Me or any of our Partners.”

“We restrict access to your Personal information only to those employees who are required to know such information in order provide our Services to you. We train our employees on all our security procedures, and we conduct audits to check compliance.”

“If you are located in a non-US jurisdiction, you may be sending your Personal Information to the United States or another jurisdiction that does not have laws that provide an equivalent level of data protection to the laws in your home country.”

Image source: Flickr user Opensource.com under CC BY-SA 2.0