Author: Signzian

Data privacy

Data privacy for Banks & Financial Institutions

Posted on | by Signzian

About 85 countries in the world have their data privacy policies in place. Sadly, India isn’t one of them. While the Information Technology Act, 2000 does touch upon privacy policies, it’s hardly sufficient. The countries that have data privacy regimes are also evolving their models to suit the BIG DATA wave. For example, in the US, where user data privacy is protected under a bunch of legislations like the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act for financial information, the California Online Privacy Protection Act in California, etc is still looking for more a better way to regulate.

Comparing the US, the framework with the one from EU, Michelle De Mooy, the director for privacy and data at the Center for Democracy & Technology, explains that Europe has a “people-first mentality” that’s ”more than we do here in our capitalist society, where innovation is sort of equated with letting businesses do whatever they need to grow. That has translated into pretty weak data protection.

EU is tightening its laws further with the upcoming GDPR. It has already got companies hustling to making their privacy policies compliant with the new laws. As the world gears up for a more stringent GDPR, let’s look at how Indian banks and financial institutions can approach data privacy despite the lack of regulations.

Failing on the data privacy score

Most banks and financial companies are committed to maintaining their data integrity and protect it against breaches. However, the same isn’t true when it comes to ensuring security & privacy. You could say that there’s some degree of laxity. Blame it on the “largely self-regulated” privacy guidelines or the “depends-on-the-context” grounds, but banks and financial institutions offering both data security and privacy are few.

In a global survey of more than 180 senior data privacy and security professionals, Capgemini found that lesser than 29% of them “offered both strong data privacy practices and a sound security strategy.

 

What makes the situation more serious is that today’s banks use a giant tech ecosystem with partners sharing data to build better digital experiences for the end users. As data exchanges hands and lives in multiple places, the risk of data privacy breaches increases. This calls for an even more robust and thorough data privacy regime applying to the entire banking and fintech ecosystem.

But without much legal guidance on approaching data privacy, banks and financial institutions too are forced to take the self-regulation route just like the cryptocurrency businesses. Here’s how banks can handle data privacy until the regime gets regulated.

Self-regulation

While the data privacy laws are ever-evolving, some best and practice data privacy practices can prepare banks and financial institutions for the time when the laws and policies are actually formulated. PwC offers 6 excellent action points for financial institutions to use when handling data privacy:

  • Define privacy as primarily a legal and compliance regulatory matter.
  • Create a privacy office that develops privacy guidelines and interfaces with other stakeholders. If the financial institution does not currently have a separate privacy office, we recommend for the institution to hold an internal “privacy summit” that convenes key stakeholders from the lines of business, technology, compliance, and legal.
  • Identify and understand what the data is, where it resides, how it is classified, and how it flows through various systems. For example, financial, medical, and PII are subject to different restrictions in different jurisdictions.
  • Develop appropriate global data-transfer agreements for PII and other data that falls under privacy requirements.
  • Recognize and adhere to requirements when developing core business processes and cross-border data flows.
  • Preserve customer trust as the primary goal.

McKinsey & Company recommend another great tactic for approaching data privacy that companies can adopt to become data stewards. This strategy is of creating a “golden record” of every personal-data processing activity in a company to ensure compliance and traceability that goes “beyond documenting the system inventory and involves maintaining a full record of where all personal data comes from, what is done with them, what the lawful grounds for processing are, and whom the data are shared with.“

This tactic applies seamlessly to banks and financial institutions. They can start off by building records of what data they collect from their users and how the sharing with their tech partners happens — all of this while ensuring users’ consent for all their operations using the data.

In fact, in addition to self-regulating the data collection, usage, and sharing regime, banks must also build a data privacy taskforce that’s committed to ensuring compliance with the internal data privacy framework.

With the right records, resources, banks, and financial institutions must also see how they can ensure data privacy into their services and offerings by design and by default.

At Signzy, we don’t just view user data privacy proactiveness as a risk management strategy, but we see it as a core building block of a digital trust system. It’s a competitive advantage. We believe that data privacy inspires trust. And when we build digital solutions to tackle challenging legacy financial processes, we make sure that our solutions are structured in a way that user data privacy isn’t compromised while balancing both user expectations and regulatory compliance.

Wrapping it up

Although privacy is a largely law-regulated — and we currently lack the laws — it’s still not optional. And it goes way beyond just seeking the users’ consent for collecting and storing the information. While banks and financial institutions can’t probably go so far as to give their users the “right to erasure” or the “right to be forgotten,” they can surely embrace data privacy as the norm. With stringent self-regulation measures, Indian banks and financial companies can contribute to building trust and transparency in the Indian digital banking scenario until the laws get formulated.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Global digital trust system

How we replaced legacy banking processes with AI-driven technology

Posted on | by Signzian

Signzy — Building Global digital trust system using AI & Blockchain

One such interesting use case we encountered recently was about an id verification software. Given an image of an identity card the algorithm has to classify it to one of the following classes..

  1. Aadhaar
  2. PAN
  3. Driving License
  4. Passport
  5. Voter Id

In this blog post we will take you to behind-the-scenes of our state-of-the-art system and how we tackled the problem, ultimately overpassing the targeted accuracy required for real world use.

Knowing the beast we are to fight

As soon as we began to dive deeper into understanding the problem and identifying techniques we would use to attack it, we realised the most important constraints of the id verification software that we had to work within and the aim we are striving to achieve.

The idea is to deploy the pipeline into financial institutions with all possibilities of input variation and yet it should surpass or at least be equivalent to accuracy of a human being. The solution is to work on data which arrives from the most rural parts with pics taken from even 0.3 MegaPixel cameras and travelling over a dramatically slow connectivity. We knew the toughest challenge was to cater to variations that could arrive in inputs.

Humans have evolved intelligence for thousands of years, and created the systems to be easily processed by themselves. Take for instance an identity card. It is designed in dimensions to sit in pocket wallet, color formats to be more soothing to human eyes, data format which could sit well read by humans. If the Identity cards were designed to be consumed by a computer vision software it would have been an easier game, but since that’s not the case it becomes especially challenging.

We talked with different on-ground stakeholders to identify variations in input to the id verification software. Collecting initial samples wasn’t that hard, since a lot of these variations were told by our end users, but we knew creating training data is not going to be easy. We realized this quickly and started creating exhaustive training data in heavily curated and precisely controlled laboratory settings. We were able to get desired training sets successfully, which was half the problem solved.

World is not the cozy laboratory, we know that!

Our target was to create an id verification software which could be more than 99% accurate and yet be fast enough to make an impact. This isn’t easy when you know your input is coming from the rural end of India and you won’t have high end GPUs to process on (As a matter of fact, our largest implementation of this solution runs without GPUs).

 

A gist of environment where our input is created

The id verification app is expected to perform well in different sorts of real world scenarios like varying viewpoints, illumination, deformation, occlusion, background clutter, less inter-class variation, high intra-class variation (eg. Driving License).

You can’t reject an application by an old rural lady, who has brought you a photocopy of printout which in turn is obtained from a scanned copy of a long faded PAN card. We took it as a challenge to create the system so that it can help even the rural Indian masses.

A few samples that we expect as input into our system are here:

 

Fig(1): Few samples our expected input data

The number of samples we have for training is a huge constraint, you only have so much time and resources to prepare your training data.

Creating the id verification software

Baby steps ahead

We tried out various online identity verification methods for solving the problem. Firstly we extracted features using Histogram of Oriented Gradients (HOG) feature extractor from OpenCV and then trained a Support Vector Machine (SVM) classifier on top of the extracted features. The results were further improved by choosing XGBoost classifier. We were able to reach about 72% accuracy. We were using Scikit learn machine learning framework for this.

 

Not enough, let’s try something else

In our second approach, we tried ‘Bag of words’ model where we had built a corpus containing unique words from each identity card. Then we feed the test identity cards to an inhouse developed OCR pipeline to extract text from the identity card. Finally we input the extracted text to a ‘Naive bayes’ classifier for the predictions. This method boosted the accuracy to 96% . But the drawback of this approach was that it can be easily fooled by hand written text.

 

 

Taking the deep learning leap

“The electric light did not come from the continuous improvement of candles.” — Oren Harari

In the next approach we trained a classical Convolutional Neural Network for this image classification task. We benchmarked various existing state of the art architectures to find out which works best for our dataset eg. Inception V4, VGG-16, ResNet, GooLeNet. We also tried on RMS prop and Stochastic Gradient Descent optimizers which did not turn out to be good. We finalized on ResNet 50 with Adam optimizer, learning rate of 0.001 & decay of 1e-5. But since we had less data our model could not converge. So we did a transfer learning from “Image net”, where we used the existing weights trained originally on 1 million images. We replaced the last layer with our identity labels and freezed the remaining layers and trained. We noted that still our validation error was high. Then we ran 5 epochs with all layers unfreezed. Finally we reached accuracy of around 91%. But still we were lagging by 9% from our target.

 

Hit the right nail kid, treat them as objects

The final approach is where the novelty of our algorithm lies. The idea is to use an image object detector ensemble model for image classification purpose. For eg. the Aadhaar identity has Indian Emblem, QR code objects in it. We train an object detector for detecting these objects in card and on presence with a certain level of confidence we classify it as a Aadhaar. Like this we found 8 objects which were unique to each identity. We trained on state of the art Faster Region Proposal CNN (FRCNN) architecture. The features maps are extracted by a CNN model and fed into a ROI proposal network and a classifier. The ROI network tries to predict the object bounding box and the classifier (Softmax) predicts the class labels. The errors are back propagated by ‘softmax L2 loss function’. We got good results on both precision and recall. But still the network was performing bad on rotated images. So we rotated those 8 objects in various angles and trained again on it. Finally we reached an accuracy of about 99.46% . We were using Tensorflow as the tool.

Fig(7): FRCNN architecture from original paper

 

 

But we were yet to solve one final problem i.e the execution time. It took FRCNN approximately 10 seconds to classify in a 4 core CPU. But the targeted time was 3 seconds. Because of the ROI pooling the model was slow. We explored and found out that Single shot multibox detector (SSD) architecture is much faster than FRCNN as it was end-to-end pipeline with no ROI layer. We re-trained the model in this architecture. We reached accuracy of about 99.15%. But our execution time was brought down to 2.8s.

Fig(12): SSD architecture from original paper

Good work lad! What next?

While the pipeline we had come up with till here has a very high accuracy and efficient processing time, it was yet far from the a productionised software. We conducted multiple rounds of quality checks and real world simulation on the entire pipeline. Fine-tuning the most impactful parameters and refining the stages, we have been recently been able to develop a production ready, world class classifier with an error rate less than human and at a much much lesser cost.

We are clearly seeing the impact deep learning can have on solving these problems which we once were unable to comprehend through technology. We were able to gauge the huge margin of enhancement that deep learning provides over traditional image processing algorithms. It’s truly the new technological wave. And that’s for good.

In the upcoming posts, we will share our story on how we tackled another very difficult problem — Optical Character Recognition (OCR). We are competing with global giants in this space including Google, Microsoft, IBM and Abby and clearly surpassing them in our use cases. We have a interesting story to tell over “How we became the global best in enterprise grade OCR“. Stay tuned.

Thank you.

Signzy AI team

Be part of our awesome journey

Do you believe that the modern world is driven by bits and bytes? And think you can take it on? We are looking for you. Drop us a note at careers@signzy.com.

Summary view

  1. Real world is not your laboratory, training data needs to be diverse and needs better outlier handling
  2. Deep learning requires you to be patient but once it starts getting effective it gives your exponential returns
  3. In a narrow use case you can beat a global giant with all the computing power in the world.

So future of deep learning is not commoditized products but adoption of deep learning in use cases as a tool to bring intelligence across the board. Deep Learning has to be company culture and not just a ‘tool’.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Updates from Signzy

Updates from Signzy and a few useful reads from around the fintech world

Posted on | by Signzian

Here are some updates from Signzy and a few useful reads from around the fintech world.

Signzy becomes the only fintech startup to make it to the TOP 6 at the Magnetic Maharashtra Convergence Startup Awards 2018

We made it to the TOP 6 finalists in the Startups under 30 competition at the Magnetic Maharashtra: Convergence 2018 Startup Awards organised by Maharashtra Industrial Development Corporation (MIDC). This award recognises young entrepreneurs who are trying to build a robust startup ecosystem in the state and thereby accelerating the nation’s economy. We’re so glad to have received this huge recognition. Acknowledgments like these drive us to work even harder towards cherishing our dream of transforming traditional banking into a fully digital experience. Read here.

Signzy wins NDIM’s ‘Business Excellence and Innovative Best Practices Academia Award — 2017’

 

We’ve been honoured with NDIM’s ‘Business Excellence and Innovative Best Practices Academia Award — 2017’. Every year the NDIM — a globally recognised premier management institute recognises professionals from different fields for their exemplary achievements strengthening India’s reputation nationally and internationally. Humbled to have been recognised for our work for helping financial institutions overcome their regulatory challenges and making them simple, secure yet compliant. It feels even more humbling to get the same recognition as top companies like Whirlpool, YourDOST, Bharat Financial Inclusion, Glenmark Pharmaceuticals, ART Capital, Blue Star and Premier Futsal.

Signzy listed amongst the 7 Most Innovative Companies In India

We’ve been included in the list of the 7 Most Innovative Companies In India. It feels great coming from Meltwater as it’s a leading brand management company serving top companies all over the world. We strive to build innovative solutions using AI to transform current semi-manual processes in financial institutions into real-time digital systems, thereby making regulatory processes simple, secure yet compliant for these institutions. Read here.

Events we attended

Magnetic Maharashtra : Convergence 2018: We participated in the “Start Ups under 30 competition” at the Magnetic Maharashtra : Convergence 2018 Start-up awards and made it to the TOP 6 finalists. The state’s first-ever Global Investment Summit was organised by Maharashtra Industrial Development Corporation (MIDC). Being a fintech startup we showcased our potential in the fintech domain and explained our vision of transforming banking to a fully digital experience which is inline with PM’s vision of Digital India. (18th-20th Feb Mumbai)

Fintegrate Zone 2018: We were at Fintegrate Zone 2018: India’s largest FinTech Conclave. The 3-Day conference saw more than 100 speakers, industry thought leaders, influencers, and founders sharing their insights on the key verticals of FinTech. Signzy’s Arpit shared his views on how RegTech is helping advance the Fintech ecosystem (27th-1st Mar Mumbai)

ENSPIRIT- 2.0: We were at ENSPIRIT- 2.0: IIM Raipur’s Management cum Cultural Festival. The Equinox flagship event brought together venture capitalists and founders who interacted with students encouraging their entrepreneurial spirit. We also participated and contributed to IIM Raipur’s vision of empowering Entrepreneurial excellence. Signzy’s Ankit spoke on the theme “Breaking Digital” at the mega event (9th Mar Raipur)

Cryptocurrency and Crypto Attacks (and How Regulation Can Help)

From our blog:

 

Cryptocurrency and Crypto Attacks (and How Regulation Can Help) — A quick read explaining the different types of crypto attacks and how introducing regulations can bring them down and pave the way for a safer and more secure cryptocurrency trading environment. Read here.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Crypto attacks

How to Safeguard Against Crypto Attacks?

Posted on | by Signzian

Crypto attacks have surged in tandem with the rising popularity of digital currencies, emphasizing the need for robust security measures. To safeguard against these threats, users must employ multi-factor authentication, maintain updated software and wallets, and be cautious of phishing attempts. Educating oneself on the latest types of attacks and remaining vigilant while conducting transactions is crucial.

We’re just two months into 2018 and $2,653,302,364+ of real money has already been spent to buy virtual money. Cryptocurrencies — whether regulated or not — have buyers all over the world, even in countries where their status lies in the limbo.

However, just like real money, virtual money is also being stolen. And just like real money investment scams, the virtual currency space, too, has its share of investment scams with cheats floating schemes promising lucrative returns and running away with all the money.

Let’s look at some of the most common crypto attacks and how regulation can bring them down.

ICOs and the Disappearing Act

ICOs (or Initial Coin Offerings) is a means of crowdfunding that allows new ventures/startups to raise capital without following the regulated processes and compliance needed by venture capitalists, stock exchanges, and banks.

While cryptocurrency ICOs intend to raise money for building the proposed ground-breaking blockchain solutions, scamsters only use them to loot. Their modus operandi is the same: Announce an ICO. Lure investors. Collect the cash and disappear.

The Benebit scam is one such recent ICO scam. In its whitepaper, Benebit had proposed a revolutionary customer loyalty blockchain solution. But it did a runner with about 4M USD when someone reported that Benebit’s website’s photos were stolen from some school’s website.

Phishing and Crypto Attacks & Thefts

When dealing with virtual currencies, customers face the same risks as they face when doing net banking. Cryptocurrency users are prone to all kinds of cyber attacks like phishing, password hacking, trojan software and others.

IBM’s X-Force research group states how cyber criminals have modified TrickBot, a banking trojan, to target cryptocurrency trading platforms by redirecting the virtual currency to their wallets during transactions.

Coincheck, a cryptocurrency exchange from Japan, was a victim of a cyber stealing attack and lost $530 million of its users money. Another Japan-based bitcoin exchange company, Mt. Gox, had in 2014 lost $400 million of its users’ funds. Although it promised to return the lost money, it ended up filing for bankruptcy.

Unlike traditional banks or card processing companies, cryptocurrency exchanges can’t do much to recover virtual currency.

Crypto Attack: ‘Cashing’ in on the Hype

When a technology is so new and disruptive as blockchain, it creates hype. A stream of scamsters use nothing but this hype and lure unsuspecting victims into investing their money.

The Suppoman scam is one such scam. A youtuber scammed hundreds of his viewers by promising information on a “secret ICO” if they bought one of his Udemy’s paid courses and joined his Facebook mastermind group. To join this group and get access to the password, the viewers were required to pay 10$.

Suppoman succeeded in creating such hype around the “secret ICO” that people started buying even his old Udemy courses so they could get the password. To the disappointment of the buyers, the secret ICO turned out to be: Seele, which is a very popular ICO everyone knows of.

There are also instances where scamsters rebranded old cryptocurrencies and raised funds all over again, only to run away with the money.

Countries that accept (or the ones that haven’t banned) cryptocurrencies are working on creating regulations to protect the investors against such attacks.

Regulatory Red Tape on Cryptocurrencies

Treating cryptocurrency companies like any other financial institutions and forming regulations for the same will clamp down — if not eliminate — most of the different crypto attacks.

Regulating to avoid tax evasion and ensure the money isn’t used for sponsoring shady activities: Subjecting cryptocurrency trading companies to stringent KYC, AML, user data privacy and other financial norms will help monitor the flow of fiat currency to crypto and vice-versa. This will also impose checks on issues like tax evasion.

In US (where cryptocurrencies are undergoing rapid regulation), virtual currency trading companies are required to register as money services businesses with the Financial Crimes Enforcement Network, a part of the U.S. Treasury Department.

Regulating to avoid fraud ICOs from raising funds: Regulating how ICOs are released and what happens to the money in the case of a non-delivery will protect investors from ponzi virtual currency schemes.

Gibraltar is working on a law that will regulate Initial Coin Offerings (ICOs) in the British overseas territory. This law aims to regulate how ICO tokens are promoted, sold, and distributed. Sian Jones, a senior GFSC advisor, says the regulation will introduce the concept of “authorized sponsors,” who’d be “responsible for assuring compliance with disclosure and financial crime rules.”

Regulating to strengthen the security norms of cryptocurrency makers and trading companies: Regulating the security standards for companies that deal with cryptocurrencies will help prevent thefts.

When it comes to securing users’ money in banks, RBI has given as many as 24 best practices on user, software, asset, environment, and security management. It would be interesting to see if RBI could introduce comparable standards for the cryptocurrency companies as well.

Regulation can pave the way for a safer and more secure cryptocurrency trading environment. Regulation will also handle the government’s key concerns such as financing illegitimate activities, money laundering, and terrorist financing related to crypto trading.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

Cryptocurrency

Due Diligence Best Practices for Cryptocurrency Firms

Posted on | by Signzian

Although the cryptocurrency market is largely unregulated in India, cryptocurrency remains an investment option of interest for young Indians. Just recently, the Indian Income Tax Department issued tax notices to thousands of cryptocurrency investors. BR Balakrishnan, Director General of Investigation (Karnataka and Goa), Income Tax Department, said that they couldn’t turn a blind eye to the whole cryptocurrency investment space and that “It would have been disastrous to wait until the final verdict was out on its legality.

So legal or regulated or not, cryptocurrencies are selling in India.

But the lack of government regulations on cryptocurrencies like bitcoins makes them prone to frauds. Recently, India has witnessed several cases of cryptocurrency frauds right from the 84-crore Goregaon cryptocurrency investment scam to the 2,200-crore Mumbai fraud incident.

Although RBI has never supported the usage or trading of cryptocurrencies in India, it hasn’t imposed any bans either. But the rising fraud instances show that there’s an urgent need to regulate the market.

Recently while presenting the Union Budget 2018, finance minister Arun Jaitley said “The government does not consider cryptocurrencies as legal tender or coin and will take all measures to eliminate use of these cryptoassets in financing illegitimate activities, or as part of the payment system.” The Finance Minister’s speech has triggered lots of responses from the Indian Cryptocurrency exchanges.

Shivam Thakral, co-founder and CEO Delhi-based BuyUcoin, said “Nothing new was quoted by our Finance Minister in the budget announcement today. It was a repetition of the same old cohort whilst the industry was expecting clarity over taxation and it’s regulation from the Government.”

Another bitcoin exchange Unocoin also maintains that no new Legislature has been introduced and the legal status of Cryptocurrency remains unchanged. That it’s the same unregulated virtual currency now as it was earlier. The Chief executive and co-founder of Unocoin Sathvik Vishwanath said “There is no change in the government stance with respect to trading cryptocurrencies. Cryptocurrency holders need not panic and the business is as usual.”

But even with the ‘impending’ official regulations, cryptocurrency companies can (and some are) proactively following norms such as KYC and AML, which they could certainly be subject to if the regulation happens. These measures will also address the key concerns the Finance Ministry has with cryptocurrencies.

Regulatory processes some Indian Cryptocurrency Companies are already implementing

While Indian cryptocurrency companies wait for the official regulation to happen, some of them are going ahead and borrowing the guidelines that apply to other financial institutions. This is the way to go as the international law firm, Norton Rose Fulbright, notes: “As a general rule, where no specific steps have been taken to regulate cryptocurrencies in the relevant jurisdiction, it would be necessary to refer to the existing legal and regulatory frameworks to understand how they might apply to the new circumstances that the technology enables.

Which brings us to norms such as KYC, AML, and Data Privacy among others.

Atulya Bhatt, Founder of India’s leading cryptocurrency marketplace, BuyUcoin, stresses on how with self-regulation cryptocurrency companies can counter the anonymity of transactions and tackle money laundering in cryptocurrency trade. He says:

Indian exchanges counter the anonymity of transactions and money laundering issues via self-regulation.”

Bhatt also recommends using advanced technological solutions for digital identity verification processes.

Hemanth Kumar, CIO at Unocoin (India’s most popular bitcoin wallet company), also underlines the importance of following KYC and AML provisions for cryptocurrency companies to remain accountable. He says:

Regulation of entry points through strict KYC norms and deploying AML policies for monitoring the flow of the funds is key for any crypto exchange to bring in accountability of its customers.

As you can see, KYC and AML are recurring themes even as cryptocurrency companies are practicing proactive self-regulations.

South Korea, which has just recently legalised cryptocurrencies, has already released a regulatory framework focusing on AML measures and KYC. The official document states that these measure will “reduce room for cryptocurrency transactions to be exploited for illegal activities, such as crimes, money laundering, and tax evasion.”

Key points from South Korea’s KYC and AML measures in its cryptocurrency regulation policies:

  • Cryptocurrency companies need to share (with the banks) information about the purpose of the transactions, the sources of funds, details about services the exchanges provide, and whether the exchanges are using verified real-name accounts
  • Cryptocurrency companies need to monitor (and report any) suspicious transactions
  • Cryptocurrency companies can only get bank accounts for functioning IF the exchanges provide their users’ ID information

If India, too, issues a similar framework, AML measures and KYC will clearly be the central themes.

In addition to these, cryptocurrency companies will also have to look into user data protection. Because cryptocurrencies use blockchains, and because blockchains are decentralized, distributed, and public, protecting the information on a blockchain can be challenging.

Wrapping it up…

Given the current state of regulation on cryptocurrency trading in India, cryptocurrency companies already have a lot at stake. But if India does end up following the likes of Japan, US, and South Korea and make virtual currencies legal, then all these companies will be expected to face regulations similar to most financial institutions.

Starting to work on deploying stronger KYC, user data privacy, and AML policies look like a great way to prepare for a time for when the regulation does happen. These measures also reinforce the government’s key concerns such as financing illegitimate activities, money laundering, and terrorist financing.

Signzy disclosure: The above content is an opinion and is for informational purposes only. Please don’t consider this as legal advice. It’s best to seek a legal consultant’s opinion before framing your policies.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Updates from Signzy

Updates from Signzy and a few useful reads from around the fintech world

Posted on | by Signzian

Here are some updates from Signzy and a few useful reads from around the fintech world.

Signzy amongst top 9 finalists of the ABS Global Fintech Awards, 2017

We were among the top 9 finalists of the the ABS Global Fintech Award at the Singapore Fintech Fest 2017! We‘re so glad to have gotten the opportunity to showcase India’s fintech potential at the global stage.The fintech festival saw an incredible turnout with 25,000 amazing folks from 100+ countries. Ankit — who represented Signzy — also interacted with the Deputy Prime Minister of Singapore, Mr. Tharman Shanmugaratnam. We’ll continue striving towards our vision of transforming traditional banking processes into digital and more optimized ones.

Signzy shortlisted for the “Start-Up of the Year Award” category at the Express I.T. Awards

We competed with top startups like FlexiLoans.com, Razorpay Software, Lendingkart Group and others at the prestigious Express IT Awards. IT Awards honours the finest talents/companies driving innovation and leading professionals across the I.T. industry. It feels great to be recognized for our work for making financial institutions’ regulatory processes simple, secure, and compliant using advanced AI and cryptography. Read here.

Mastercard, Mswipe to use Signzy’s digital KYC solution to develop Asia’s first digital merchant onboarding experience

Mastercard in collaboration with Mswipe has developed Asia’s first digital merchant onboarding experience. This pioneering initiative is built upon Signzy’s digital KYC solution. Our KYC solution enables companies offer slick digital onboarding with real-time KYC. In this case, the merchants’ KYC processes will be completed within 30 minutes (as opposed to the standard 3-day period). Read here.

Events we attended

  • Global Conference on Cyber Space (GCCS) 2017 — We were at GCCS — one of the biggest cyberspace conferences in the world — at New Delhi. GCCS focuses on promoting policies and frameworks that aim to uphold digital democracy, maximize collaboration, and strengthen security, safety, technology, partnerships, and freedom. Arpit from Signzy attended the global event and demonstrated Signzy’s solution being used by SBI to Shri. Ajay Prakash Sawhney, Secretary Ministry of Electronics & Information Technology. (23rd Nov New Delhi)
  • GES 2017‏ — We were invited by NITI Aayog for the world’s biggest entrepreneurship summit that brings together entrepreneurs, investors, and business representatives from around the world. Signzy was among the selected startups whose solution were showcased at the event.(28th-30 Nov Hyderabad)
  • SCB Banking Digitisation Event — We were a part of the panel at the ‘Banking on Digitization’ event at the Taj Lands End, Mumbai. Ankit Ratan from Signzy presented our views on,”Competition vs partnership between fintechs and banks/regulators.” We also discussed why KYC is a constant source of complains, what are the hassles financial institutions face in adopting KYC, and how DLT and AI technologies can be used to transform current semi-manual processes into real-time digital systems. (28th Nov Mumbai)
  • Meeting with delegation of Banks in the ASEAN region — We presented our views on how fintechs can work with banks to a delegation of Banks in the ASEAN region. With IFC (International Finance Corporation) — a member of the World Bank Group, and MAS’s(Monetary Authority Of Singapore) support, fintechs and banks can collaborate to usher in rapid digitization of the entire Banking infrastructure. (17th Nov)

Smart Contracts — An Indian Perspective

From our blog:

Smart Contracts — An Indian Perspective: A must read explaining the emergence of smart contract technology, its legality, and feasibility from an Indian perspective. Read here.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Updates from Signzy

Here are some updates from Signzy and a few useful reads from around the fintech world.

Posted on | by Signzian

Here are some updates from Signzy and a few useful reads from around the fintech world.

Signzy Becomes the Only Indian company to Make it to the 30 Finalists of the MAS Fintech Awards, 2017

 

We’ll compete with 29 of the world’s large and innovative financial institutions like Citibank, Firstdata, UOB and others at the prestigious MAS Global FinTech Awards 2017. We’re honoured to be recognised for our SME onboarding solution and can’t wait to showcase the Indian fintech potential at the global stage. Read here.

Signzy awarded with Nasscom Emerge 50 Awards 2017

Signzy received a special award in the fintech category at the Nasscom Emerge 50 Awards 2017. Over 400 companies participated and went through tough screening and scrutiny across parameters like value proposition, market differentiators, customers, market visibility, scalability, financials, growth and most importantly, innovation impact. Read here.

Product Update: Helping Users Onboard and Verify Identity Easily

Signzy has launched a new product — VideoComply. This allows remote users to onboard fully digitally and still complying with In person verification (IPV) norms. It uses cutting-edge video analytics to eliminate identity fraud. This advanced technology ensures your digital journey is secure and compliant.

Events we attended

  • DCB Innovation Carnival — DCB Bank Innovation Carnival at Mumbai and Bengaluru, brought Fintech enthusiasts, students, startups, designers and developers together to share their ideas, innovations, and solutions in the fintech space. Signzy was among its big Technology Partners like Redhat, Infosys, Microsoft and others at this mega carnival.
  • India Fix Conference — At the India Fix Conference (Mumbai) — India’s leading trading event — market participants, policy makers, regulators, solution providers, industry peers and colleagues discussed the most pressing problems in the trading world. Ankit Ratan from the Signzy team spoke on AI’s application in trading and finance.
  • The Economic Times Cards and Payments Summit — The Economic Times Cards and Payments Summit at Mumbai was a big tech event that discussed the emerging technologies in the cards and payments industry. Signzy’s Arpit Ratan presented a great pitch session at the Economic Times Cards and Payment Summit where he addressed some of the most pressing problems of the cards and payments industry industry.
  • OICV-IOSCO event — The OICV-IOSCO event focussed on the key issues about maintaining safety regulations worldwide. Signzy’s Ankit Ratan shared his views on artificial Intelligence’s transformative nature on the financial industry and what it means for the security regulators at the event. (IOSCO is the global body of securities regulators).
  • YESFINTECH Event — Fintech experts, entrepreneurs, investors, and mentors shared insightful discussions about collaboration between fintech startups and banks at the YESFINTECH event held at Mumbai and Bengaluru. Ankit Ratan, founder of Signzy explained how such partnerships benefit both parties as they allow sharing of assets, resources, and expertise to bring more value to the customers.
  • Anti-Money Laundering — 7th Annual Summit 2017, FintelektThe AML conference held at Mumbai gave a platform to regulators, financial industry practitioners, and consultants to have interesting interactions on current AML trends and issues, CFT, Trade Based Money Laundering, Money Laundering Threats from Virtual Currencies and more. Signzy cofounder Arpit Ratan was a part of the panel and spoke on Digital Payment Products, AML Risk Management, and P2P.

Upcoming Events

If you too are attending do come and see us.

Security in a Digital World — Passwords, Biometrics, and OTPs (and Why Secrets Are Core to Safety)

From our blog:

Security in a digital world — Passwords, Biometrics and OTPs (and why secrets are core to safety) A must read explaining the different authentication factors that can help protect online security of financial institutions. Here’s the full story.

Full KYC Compliance Deadline, Interoperability, a Min 5 Crore Net Value and More — All You Need to Know About RBI’s New PPI Guidelines

Full KYC Compliance Deadline, Interoperability, a Min 5 Crore Net Value and More — All You Need to Know About RBI’s New PPI Guidelines — an informative article about the changes RBI has brought for all prepaid payment licence and wallet holders to enhance safety, security, and flexibility of online transactions. Read here.

Industry News: RBI Announces Guidelines for P2P NBFCs platforms

RBI has released new guidelines for P2P lending (NBFC-P2P). P2P lending is a form of crowdfunding that raises unsecured loans. This update will prove impactful for all P2P players. Read on to know more about the current RBI P2P regulations and their scope. Check out the full story here.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Know all about RBI’s New PPI Guidelines

Know all about RBI’s New PPI Guidelines

Posted on | by Signzian

The RBI has recently released a revised set of directions in the PPI regulator framework. In its 20-point notification, RBI has asked all the PPIs (Prepaid Payment Instruments) to improve how they operate. With the latest regulations, in effect already, RBI will treat PPIs more or less like banks subjecting them to full compliance in the provisions like Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT), and more.

In this article, we’ll look at the most significant changes that the RBI has introduced to the PPI framework.

But before that, we’ll see how the world has fought money laundering with a powerful tool called “KYC” because the biggest change that the updated RBI regulations bring to the PPI players is a mandatory full KYC.

Fighting money laundering with KYC

The UN General Assembly declaration in 1990 (precursor to the PMLA) — which was the first constructive global step against money laundering — focused on prevention of financing to illicit drug trade. Today the objective of the legislation is to stop money earned through illegal means from coming into traditional financial system and getting converted into legitimate money. Also, the same being used to fund such illegal activities including terrorism.

In pursuance of this noble objective, regulators have defined a KYC regime for financial institutions to follow. The Financial Action Task Force (FATF) is an intergovernmental body which recommends to countries regulatory regime for prevention of money laundering. Very recently FATF has defined a more risk based approach to counter money laundering.

One of the most important functions of financial regulators is to manage the risk within the financial system. This function manifests into a massive regulatory regime of KYC, which quite literally means know your customer and in essence know if he is a fraud, a money launderer or a terrorist.

Adopting KYCs as an AML measure in India

With a view to curb money laundering, terrorist financing, and fraudulent activities, RBI introduced KYC norms for banking institutions in 2002. These norms directed banking authorities to carry out tests and audits and freeze any accounts with suspicious activities (transactions).

RBI has always stressed on strict compliance of these guidelines and several big banks like Bank of Maharashtra, Dena Bank and the Oriental Bank of Commerce faced heavy penalties (1.5 crore each) for violation and non-compliance of certain KYC regulations and Anti Money Laundering (AML) norms.

Until now, October 2017, the RBI’s KYC guidelines were only applicable to banks. However, the latest regulation brings PPI players into its ambit.

A quick note about PPIs

In 2009, RBI paved the way for a new payment instrument which would not require the two factor authentication for small payments and will help in easier acceptance of payments by merchants. These pre-paid instrument (“PPI”) could be recharged with money and then used upto the recharged amount.

The initial PPI had allowed PPI to be issued for upto Rs. 1000 by accepting any customer identity document and upto Rs. 5000 by accepting an Officially Valid Document (OVD). This went through a transformation and in 2014 was relaxed by allowing PPI upto Rs. 10,000/- (total usage in a month) by accepting “minimum details of the customer”. Which transformed the PPI industry into what it is today and led to opening of wallets through mobiles and emails. Somehow though this was a boon for the industry, it did not go down well with the regulator.

In October 2016, an RBI senior official Nanda Dave stated that PPIs have been very lax in following KYC norms: “The customer is being identified by his or her mobile number, period. And such wallets have been used for routing money which has been fraudulently taken from bank accounts,” said Dave. “When we have no details of customers with us, it is very difficult to even trace where that money has gone,” she said.

The framework for regulation, authorisation, and supervision of the PPIs are governed by RBI’s “Issuance and Operation of PPIs”. These were issued in April 2009 and thereafter amended from time to time.

Since regulations on PPIs have been very light with low entry barriers, it was necessary for RBI to impose stiff and stringent norms on them.

To address the same, RBI released a Draft Circular called the “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India” in March last year. The circular was issued following the growing usage of PPIs for buying goods/services and for transferring money. In the circular, RBI recognized requests from stakeholders for relaxations in certain areas and also considered aspects that would strengthen the security and safety norms, mitigate risk, and protect customers using PPIs.

RBI took inputs from the different stakeholders on the provisions of the circular, following which, in a major step forward in this direction, RBI passed fresh rules for all prepaid payment licence and wallet companies. These include improved standards for safety, security, and flexibility of online transactions, interoperability of PPIs (and banks), full KYC, and more.

Let’s now take a look at a brief summary of these regulations.

The Updated Regulation Summary

  • Mandatory full KYC: As per the new directions, PPIs have to become full KYC compliant within 12 months. “The amount loaded in such PPIs during any month shall not exceed Rs 10,000 and the total amount loaded during the financial year shall not exceed Rs 100,000,” RBI said. If the compliance is not made further credit will be disallowed.
  • Interoperability: Interoperability can be enabled in only Full KYC (banking and non-banking) PPIs. This time-consuming process will be applied in phases with the first phase (spanning across the first 6 months) bringing interoperability between wallets, and the subsequent phases working on the interoperability between wallets and bank accounts, followed by the enabling of interoperability in PPI cards.
  • New capital requirements of Rs 15 crore for non-banks: For non-banking PPIs, new capital requirement is of Rs 15 crore (5 crore at the time of application and 15 crores within the next 3 financial years).
  • Cross border inward and outward remittances: Fully KYC complaint Wallets will now be able to undertake cross-border inward remittances. However, transaction limit can’t exceed Rs 5000 per cross-border transaction and the maximum wallet limit shouldn’t exceed Rs 50,000.
  • PPI issuers need to maintain records of transactions: PPI Issuers to maintain a record of all the transactions undertaken using the PPIs issued by them. They should also file Suspicious Transaction Report (STR) to Financial Intelligence Unit — India (FIU-IND).

Along with the new guidelines, RBI has also released a new Security Framework for PPI Issuers to prevent fraudulent activities and ensure user security.

The Newly Introduced Security Framework for PPI Issuers

  • Separate login for the PPI account: PPI issuers should maintain a separate login for PPI accounts and it should not be used to access any other services offered by the PPI Issuer or its associate/parent/group company etc.
  • Timeout features: PPI issuers should prevent invalid sign-in attempts and add inactivity timeout features.
  • Capping: PPI issuers should implement customer-enforced transaction caps on their users’ wallet transactions. The users should however be allowed to increase/exceed the caps with additional authentication and validation.
  • Cooling period for funds transfer: While opening an account/ loading funds/ adding a beneficiary, PPI issuers should place a cooling period for transfer of funds to prevent the fraudulent use of PPIs.
  • Other mechanisms: Issuers should place internal and external escalation mechanisms to prevent suspicious operations, loading and reloading of funds into the PPI and also alert the customer in case of such transactions.
  • Reporting frauds: PPI issuers should report frauds on a monthly/quarterly basis to the concerned Regional Office as per the directions. They should also monitor, handle, and follow-up on cyber security incidents and breaches immediately with the concerned authorities.

These updated regulations have raised a number of challenges for the wallet companies. Here’s a quick look into the most challenging aspects of the new norms.

The Key Challenges Wallet Companies Face Because of the New Norms

1. Full KYC compliance within 60 days

Complete KYC compliance will increase acquisition costs for wallet companies as it introduces tons of documentations and the paperwork. Cost of KYC per customer is estimated at nearly 150–200 Rs per customer by the industry.

2. Mobile wallet companies are required to have a minimum net worth of Rs 5 crore, hence will need fresh funding.

As per earlier guidelines, a minimum net worth of Rs 2 crore was required for mobile wallets. This net worth is now raised to Rs 5 crore at the time of application and Rs 15 Cr within 3 financial years after getting the authorization. This means, smaller wallet companies will need fundings to comply with the directions of RBI.

3. A one-year validity of the wallets. Also, auto-closing of wallets with zero balance.

Users’ wallets will be closed automatically if they continue to have zero balance for a year. A notice, however, will be issued to all such users before closure of their wallets.

“There are a large number of inactive wallets with no money in them,” said Gupta. “By enforcing this rule, RBI is all set to weed out those numbers and bring out actual figures around how many wallets are there in the system.

4. Implementing interoperability.

At present interoperability is limited to only UPI-based banks. However, with the new requirement of interoperability, PPIs will have to deal with a lot of technical and operational requirements of safety, security, and risk mitigation. The implementation is very complicated.

How the industry is gearing up to comply with the new PPI Guidelines

From the reactions that are coming in from the different payment players, it’s clear that they’ve already begun working on their KYC.

Bhavik Vasa, chief growth officer, EbixCash says:

“ Interoperability with KYC is a great leveller and catalyst towards Collaborative Innovation for the ecosystem. We commend the RBI for its proactive stride and look forward to ongoing progressive regulations also for micro-payments use-cases with minimum or risk-based compliances. Especially if we need to transition to less-cash the digital alternatives need to be as seamless, frictionless and at par with other sectors like gold purchases which are completely anonymous up to Rs. 2 Lacs. Additionally the Finance Ministry and RBI have commissioned noteworthy committees like the Watal Committee on Digital Payments and Ramadorai Panel on Household Finance with apt findings and recommendations that as they get incorporated into regulations would fast forward in achieving the India FinTech potential.”

MobiKwik, another popular digital payments company, is also planning to increase its agent strength for the same and also trying for Aadhaar-based KYC through a one-time password.

We have set a target of achieving 20 million full KYC wallets within the next one year and we are expecting an expenditure of around Rs 50 per customer,“ said Bipin Preet Singh, founder of MobiKwik wallet. “Though we have 65 million users, KYC formalities cannot be done with all of them.”

Oxigen Services, will give incentives to it’s retailers to look after the KYC process of the customers.

The long-term approach payment wallets must take (as RBI expects bank-level preparedness from them when dealing with money laundering)

Know all about RBI’s New PPI Guidelines

Bringing at Par with Banks

The updated KYC norms for PPIs have made their KYC regime at par with banks. Therefore, there needs to be greater focus on compliance and audit. This move by RBI also indicates that wallet companies will now face KYC and AML audits like banks and may have to face heavy fines and penalties in case of non-compliance, thus necessitating more investment toward customer KYC.

The current wallet onboarding only includes email and mobile number verification. This will now have to upgrade to systems that can capture KYC documentation and data. Not only that, it will also need to have a risk and compliance check inbuilt for AML/CFT risk of the customer as well as a backend operations team to process these applications. The cost of customer onboarding for wallets will also raise as a result of this full KYC process.

The way forward for wallet providers is to find and use modern KYC solutions that will not only help them overcome this challenge but also ensure that they are able to scale operations without incurring heavy costs. Failing to do so would mean even these wallets will face the same challenges as banks face when scaling their KYC operations.

Investing in security and laundering protocols

In the long run, wallet companies, too, should aim for the same degree of security that banks offer. This includes:

Performing due diligence. Due diligence should be performed on the initiator and recipient who make/receive payments to ensure compliance of transactions with the anti-money laundering (AML) and counter-terrorism financing checks. Frequent screening that identifies accounts with unauthorised and unusual transactions should also be conducted and such accounts should be freezed.

Implementing transaction monitoring. To view transaction patterns of the customer base, machine learning models should be used. With the help of such AI, shady transactions can be detected. Moreover, transaction monitoring should be combined with AML and KYC screening to alert against suspicious financial activities of the customers. Transaction profiles should be maintained with all the account details of the customers such as cash deposits, withdrawals, transfers and payments.

User and data security- Multiple authentication factors such as passwords, OTPs, and biometric should be used to protect the users against security breaches. A mix of authentication factors goes a long way in providing an extra layer of security that helps prevent fraud instances. Read our in-depth article on how financial institutions can design safe authentication processes using the different authentication factors.

Security in a digital world — Passwords, Biometrics and OTPs (and why secrets are core to safety)
Bashing passwords as vulnerable means of online security is quite common these days. Sure — authentication means like…blog.signzy.com

How the end-user can use wallet apps responsibly

Wallet apps have become a mainstream payment method as they offer convenience and value (by offering several coupons, membership cards, event passes, loyalty points, cashback and more) Customers can indeed save a lot of time and resources by using these wallet apps. However, instead of signing up for 10s of e-wallets with nil balances in each, users must use just one or two that support maximum apps/payments and keep them active. Also, the money transfer feature these wallets offer must also be used responsibly.

Wrapping it up…

Thanks to the growing government initiatives to push toward a cashless economy and the acceptance from the masses, the PPI space has grown exponentially in India. So there’s no doubt we need better regulation over PPIs. This update in the regulation — however strict it may seem — is needed, because even PPIs wouldn’t want their users to engage in money laundering or terror funding activities.

By bringing the PPI market tightly under the ambit of the more serious financial regulations, RBI has taken a big step toward a safer, cashless economy. So while the updated PPI norms do challenge several smaller companies in the short term, they will pave way for a safer, more user-friendly wallet experience eventually. Also, the security framework laid out by RBI is a big step toward ensuring the security of crores of Indians who are now actively opening up to the possibilities of a cashless economy.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Security

Security in a digital world!

Posted on | by Signzian

Security in a digital world has become paramount as our personal, financial, and professional lives increasingly shift online. The rapid proliferation of digital technologies, while offering immense convenience and connectivity, also brings forth a plethora of challenges in safeguarding sensitive data and maintaining privacy. Cyberattacks, identity thefts, and data breaches are becoming more sophisticated, emphasizing the need for robust cybersecurity measures. Individuals, corporations, and governments alike are recognizing the imperative of bolstering their digital defenses, ensuring that as we embrace the conveniences of the digital age, we’re not compromising our security and integrity. In essence, as we navigate this digital era, being cyber-aware and proactive in our security measures is not just an option, but a necessity.

Bashing passwords as vulnerable means of online security is quite common these days. Sure — authentication means like biometrics, OTP, mobile, etc., do sound fancy and are touted as cornerstones in future security practices. But fundamentally there is nothing wrong with a password paradigm. In fact, it’s the weakness of individual passwords that leads to a security risk.

In this article, we are going to give you a background to passwords, their philosophical underpinning, and also evaluate the other possible options we have.

Passwords have a long history. They are used to access private accounts, applications, documents, databases, websites and more since long. Even the treasure den in the fabled tale of Ali Baba and the Forty Thieves had a password! The other way to access such secrets was through some body tattoo or possession of a unique seal.

Interestingly, these three ancient methods of verification still do represent the fundamental principles of modern authentication practices:

  1. What you know — Passwords/PIN
  2. What you have — Seal/OTP/Credit Card/Tokens
  3. Who you are — Biometrics/Body tattoos

The combination of these three factors (3FA) is seen to represent an authentication framework for accessing information or doing risky transactions. Take an example of a Credit Card swipe. The card represents “what you have” and the pin represents “what you know”. Combining the two provides greater security than any one method alone. When any two of these are used, it’s called two-factor authentication. More factors imply higher security.

What is often not discussed is which factors are safer in which contexts. Given we are moving into rapid digitization it might be important to discuss the three factors, their types and when should they be used.

Let us trace this movement from password based to other factors and see what maybe a good framework to keep consumers and systems safe.

How passwords work?

Passwords are stored in a system as hashes.

A hash is a one-way pseudo-random function, which means that it can produce a random text from a password.

But the random text can’t reproduce the original password.

Let’s take an example of SHA-2 Hash algorithm.When we feed it a password, say “ankit8388”, it produces a random text like “96c32e63d785c77d8de8089523a346210d2299a25c349c518dc8bf0181ff911b”. This hash is now stored in the database and with it the website can authenticate me without ever storing my original password.

(Even when the database is hacked, my password doesn’t get leaked because the original data is never saved in a database.)

How hackers hack passwords?

To hack passwords, hackers create pre-created hash tables for all possible password combinations.

For the “ankit8388” password, a hash table of small letters and numbers of length 9 would be able to find a match.

This means the hacker will need to process all the possible permutations and combinations of small letters (26) and numbers (10) for 9 places. In mathematical terms this would be (10+26)⁹ combinations. This is a highly intensive task and a single computer might still take 50 years to do this.

But hackers work together and pool resources, which means 50 hackers with their computers can create such a table in less than a year.

Further, it’s possible that they will find a match at a half-way stage or within 6 months.

The point is this:

A password becomes unsafe when it’s too short and simple to guess or crack.

Alternatively, if a user sets a complex, multi-character long password, there’s a risk the user will keep it noted somewhere (and this note might reach unsafe hands and cause a vulnerability).

So passwords (either too simple or too complex) can be unsafe in their own ways. That said, the other authentication means available, too, aren’t foolproof. Lets get a bit more understanding on other authentication methods.

Why biometrics and OTPs can’t be the foolproof solutions for the Digital Security?

The two emerging contenders for future digital authentication are biometrics and OTPs.

Biometrics, along with a password, would indeed enhance security by providing a two-factor authentication. But when used alone, it’s not the best bet for the future because it comes with three big problems:

  1. Unlike passwords, biometric data cannot be stored as a hash. This means that the web application will need to store your biometric data as is. This is a very risky proposition as, in case of a hack, your actual biometric data (or its mathematical representation, in some cases) is revealed. In one of the biggest data breaches in the US, 5.6 million fingerprints of government employees got hacked from the the U.S. POM (Office of Personnel and Management), which gave the hackers access to raw biometric data.
  2. In case biometric data is ever compromised, there is no resetting like a password. This means, you would forever be prevented from using your biometric authentication during your lifetime.
  3. Biometric systems are extremely susceptible to spoofing. In spoofing, a stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user. In 2013, Jan Krissler, a famous German hacker spoofed Apple’s Touch ID (iPhone 5S) on the other day of it’s release. He used the smudge on the screen of an iPhone to print a dummy finger using wood glue and sprayable graphene. He then used this print to successfully unlock a phone registered to someone else’s thumb. The same hacker then used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defence, to beat fingerprint authentication technology.

OTP, as an alternate authentication means, has its own set of risks:

An OTP is a one time password consisting of characters, numbers or symbols that’s used to authenticate a user for a single login session. And it becomes invalid after a few seconds.

Take an example of a credit card swipe as I’ve explained earlier. (The card represents “what you have” and the pin represents “what you know”). When you swipe the card you get a code ( an OTP) and you aren’t authenticated until you enter the code and are verified.

So, here two authentication methods are being used for authentication (two factor authentication) which ensures more security. But still they can’t be considered as the best security solution.

  1. The biggest challenge to the OTP authentication factor comes from trojan software.

Hackers show their victims a browser pop-up box or ad that looks like an authentic message from the bank and prompts the user to download a “security application” or a “mobile banking application” on their phones.

Once a user downloads such fake applications, hackers can easily intercept their SMSes. Which allows the hackers to read the OTPs sent on the mobiles.

Security expert, Brian Krebs, tells how an Android botnet targeting banks in the Middle East could infect more than 2,700 phones and intercept at least 28,000 text messages:

This attack affected customers from various banks including the ones from the Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

 

2. SIM swap/cloning: By procuring a duplicate SIM card in a user’s name, hackers can use it to receive communication from the banks (including the OTPs).

3. Social engineering: Hackers also call users claiming to be from the bank. And during the call, they ask for the OTP. Unsuspecting users are usually easy victims to such attacks.

4. SS7 Attacks: Using flaws in Signaling System 7 (SS7) hackers can listen to private phone calls and read text messages of the users. According to a report from German-language newspapers Süddeutsche Zeitung, in a cyber attack in Germany hackers intercepted OTP’s using SS7 flaws and stole customer’s money from their accounts.

As you just saw, all the three authentication factors — passwords, biometrics, and OTPs — have their set of risks. However, passwords stand out because users can exponentially strengthen their passwords (while also keeping them easy to remember). So let’s re-examine passwords and see how we can improve them, and then explore the Password 2.0 approach.

How passwords can be made more secure?

As we discussed earlier hackers have been able to pool resources and pre-create hash tables hence making guessing of simple passwords really easy. Then what could be the way to make their life hard? Increase the combinations, of course. And the usual way of doing it has been to increase possible inputs:

  • Alphabet (Small letters and caps) — 52
  • Numbers — 10
  • Special characters — 33

So this gives a total combination of 95 characters. Cracking this is so hard that it would take the same hacker group over 6000 years to hack password in the same way. And at that point, I obviously don’t care (unless AI leads to afterlife; another topic for another blog :))

Therefore, from a security guy’s point of view, all these rules of having multiple combinations is really helpful because it keeps you safe. But at the time of signing up or using a service, this becomes a huge pain and a turn off. Also, it’s an eventual security risk as people keep forgetting such tough passwords and hence often note it down in insecure places, such as desktop files or random pieces of paper.

Introducing Password 2.0 — the Paraphrasing Approach (the security and user-friendly password solution)

Now, there is another way to do this, which seemed to have been neglected until now: the length of the password. I could have achieved a similar tough password by simply having 4 more characters, i.e., a 13-letter-long password, without any restriction on small letters, caps, numbers, special characters, etc.

This new paradigm is what I call Password 2.0: the passphrase approach. It’s easy to remember a passphrase, such as “thisisacoolpassphraseforthiswebsite”. Such passphrases can provide a better user experience at the time of signing up and also during authentication.

Also, at its length (35 characters), hash tables will be almost impossible to compute. Thus we can build passwords that are convenient yet secure.

Why passwords are crucial for Security?

One principle that has to be accepted in a security paradigm is — you will get hacked. This principle is important to remember when choosing one or a combination of the three authentication factors (passwords, biometric or an OTP).

The property of biometrics in this context is really risky. As biometrics can never be changed, once hacked they become vulnerable for that person for their lifetime. So in a biometric auth world, over time more and more people would get vulnerable. Thus you would inevitably reach a stage where, for a certain population, biometric will not be a valid authentication mechanism.

Mobile phones, or number can also not be changed very frequently or easily and hence make changing of the auth factor difficult.

Unlike biometrics and mobile numbers (or handsets), passwords can be changed if they get hacked. That too quite easily. Hence they have no permanent vulnerability. Another great property they have is the ability to protect the actual password at each authentication. This paradigm is akin to knowing a secret that you will never reveal but are able to prove you know it.

So while biometric and OTP authentication breaches leave their users vulnerable (for life), passwords breaches always give the users a way to “reset”. Because of their simplicity and cryptographic beauty, passwords will continue to dominate as the higher security layer. And when you add an additional layer of authentication to a password (like biometric or an OTP), you can probably design a more secure system. (In a further article we will go through the best combination given a business use-case)

The password 2.0 approach — of creating complex but easy-to-remember “secret-style” passwords — can be a useful tool in such a scenario where the password is a mainstay in the security authentication mix. So, start thinking of a secure passphrase because in a modern digital world, “a strong secret” will be worth more than any other assets you own.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Supreme Court Judgement & Re-birth of Privacy

Supreme Court Judgement & Re-birth of Privacy

Posted on | by Signzian

In a recent judgement, a nine-judge Supreme Court Bench unanimously ruled that individual privacy is a fundamental right. The court noted that the “Right to Privacy is an integral part of Right to Life and Personal Liberty guaranteed in Article 21 of the Constitution.” The right to privacy verdict, although primarily passed on a petition filed about the Aadhar Card scheme, will impact every company that collects and handles user data.

In its 547-page judgment, the Supreme Court touched upon the different aspects of informational privacy — and explained how collecting data could threaten an individual’s privacy.

This Supreme Court ruling is a check: For both the government (against which the case was mainly fought) as well as the non-state actors or private companies because it doesn’t just oppose any privacy invasive practices employed by the government but also applies to private companies that collect user data.

In this article we will give a short description of court’s view on what is private and their concerns in a digital world. Then we will look at the new rulings impact on the financial sector with a 7-point framework. We will be looking at areas like cross-selling, credit history, SMS scraping, Aadhar KYC, Payments, Banking Agents, Social behavioral data among others. Now lets start with the basics.

Defining what is “personal and confidential”

The information must be “personal and confidential” to be protected by right to privacy. One of the points raised by the opposing counsel during the trial was that privacy was vague and ill-defined. The judges patiently tried defining what is “private” data, to carve out the scope of law.

For example, the Court pointed out that data about electricity consumption pattern of a person is NOT personal or confidential, and couldn’t be protected as “private information”. That said, the Court also cited a UK judgement that stated the storing of the biometric data indefinitely of individuals no longer suspect of criminal activities would be an invasion of privacy. Clearly, a person’s biometric data is both “personal and confidential”.

The Supreme Court used an infographic (from Bert-Jaap Koops et al., “A Typology of Privacy”) in its judgement to depict the nature of data and its classification. This is extremely rare and hence also shows how judges understood the importance of the judgement and that it would be read by people who might need simpler language and symbols to understand the implications:

 

Supreme Court Judgement & Re-birth of Privacy

Privacy in the Digital World

While the court had a broader mandate and covered privacy from all aspects,they did cover digital privacy in detail. At some level they felt the real challenge to privacy is coming from this rapid transformation of processes from offline to digital. They also gave an intriguing example of a travel agent, which illustrates this point well:

“The old-fashioned travel agent has been rendered redundant by web portals which provide everything from restaurants to rest houses, airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons people access the internet each day of their lives. Yet every transaction of an individual user and every site that she visits, leaves electronic tracks generally without her knowledge. These electronic tracks contain powerful means of information which provide knowledge of the sort of person that the user is and her interests. Individually, these information silos may seem inconsequential. In aggregation, they disclose the nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation. In aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.”

Expressing privacy concerns about how tracking happens in the digital world, the Court hinted at the possibility of scrutinizing activities carried on by companies like reading/analyzing/tracking emails, messages, other social behaviour.

Further the court stressed upon properties of the digital world that make it difficult to detect privacy invasion and hence heighten privacy concerns:

  • Non-rivalrous — simultaneous use by multiple users
  • Invisible — invasions of data privacy are difficult to detect — and it travels at speed of light making it further difficult to trace any breach of privacy. Data can be accessed, stored and transmitted without notice
  • Recombinant — data collected can be used, analysed and combined to create more data output which is unseen earlier

Expanding on these principles the order stated that owing to the nature of digital data, it becomes possible to combine data from social profiles and IoT devices to create information about the individual which did not exist. Secondly, while collecting the behaviour of one person it could also be possible to gather information about other individuals around him. The Court noted that these concerns are from both State and Private entities as both use Big Data to analyse data about individuals which is a concern to privacy.

Easily one of the most tech-savvy orders ever, this Supreme Court judgement took into account various technical intricacies of the digital world and cited specific instances:

  • Cookies used for tagging IP
  • Browsing information to create profiles using algorithms
  • Automated content analysis of emails for targeted marketing
  • Online purchases like books, airlines, book taxi etc. and their history for user behaviour and doing income analysis
  • Metadata and IoT — used to collect information about a person’s behaviour

It is refreshing to see such technical detail quoted in the judgement.

The court also gave details on what can be the future of digital privacy and principles of the new law. We have tried to summarize it below in a simple framework. But for any legal geeks out there we have also created another article which details out laws examined by the court and their approach in reaching to this conclusion.

A 7-point framework to guide companies’ data policies (based on the privacy case judgement)

We’ve analyzed the judgement in extensive detail and have come up with a simple 7-point framework that shows the key points that organizations need to think about when framing their data policies :

Personal vs Private: Every data that is personal is not necessarily private. A user’s name, for example. Because a person’s name is used in public communication, name can be considered to be non-private personal information. Also any information that is anonymized is neither personal or private and exempt from purview of the law.

Explicit Consent in plain words: User’s consent has to be taken explicitly and cannot be hidden inside lengthy terms of service or agreements.

Consent alone is insufficient: Court has also opined that in certain situations, even a consent based mechanism may not be able to protect the customer and hence encroachment of privacy shouldn’t be a preferred option.

Necessity: This is a simple principle which asks the question if collecting it is really necessary to invade privacy to achieve the outcome.

Proportionate benefit or risk: Whenever it is necessary it should be weighed against proportionate benefits and risks. Privacy should not be encroached unless there is some proportionate good possible or some bad that is preventable.

Right to Forget: Eventually the user should have the right to revoke access to his/her data

Access and Correction: The ownership of data is with the individual whose private data is collected. Therefore he has a right to access and correct the data or delete as given above.

Note: We hope this will help businesses make sound and compliant judgement around their data, but do take professional help to make sure you are fully compliant.

Few instances of impact in the financial world

The right to privacy might initiate changes in current processes and hence some of the current and emerging areas may need a relook:

Credit History under Credit Information Act

  • Collection of credit data: Collection of credit data by the creditor is completely ok as it is consent-driven private data between the two parties.
  • Exchange of credit data: Banks report credit data to licensed agencies. These agencies then exchange this data with other banks as requested by the bank. This might require clear exceptions made in the privacy act or a re-look into how credit reports are requested, what kind of information can be shared and what is to be hidden.
  • Access and control over credit history: Currently consumers cannot easily request credit history to be forgotten or edited. Going further there would need to be an option to have greater control and access of one’s own credit history.

Pulling data of a customer from KRA by Mutual Fund and AMCs

  • Collection of data: Currently the agency that collects the data and the one that stores the data are different. Clear consent and declarations hence maybe needed.
  • Current practice of data pull from PAN, without an appropriate consent layer may also need a relook.

Account Details

  • Login based scraping: Account username and password definitely fall into the domain of private data. And the reason in many cases is convenience, as it might be more difficult for the user to submit a copy of bank statement himself. Thus this encroachment may not meet the principle of necessity or proportionate benefit.
  • Account Aggregator: The new RBI guidelines provide for a consent layer and a lot of regulation around security of such data. The data does not remain with the aggregator post-completion of the purpose and therefore the guidelines seemed to have given protection to privacy and may not be greatly affected by the judgment.

Mobile data collection during application download

Following are few of affected the categories and let’s go through them one by one:

  • Malware or Security risk: The data collected to assess malware risk may not fall within privacy parameter. Specially if it can be anonymized enough to be unlinked to the individual himself. But current assessment tools and processes might need to ensure they follow this principle.
  • SMS reading: This is being seen as a new innovative way to provide credit assessment. But within the new privacy regime, this maybe really tricky. Let us explain: SMS reading is a clear invasion into privacy and hence would require explicit consent. But where it gets really tricky is that SMS is usually a private conversation between two parties and hence you would need consent of both the parties to read SMS. It will be interesting to see how the innovation can be enabled without being unlawful.
  • Reading personal contacts to use later for collection: Like SMS reading this may also need consent of two parties and hence should be seen in the same light. (Signzy would be coming up with another article on multi-party conversations including email, sms, call etc. We will examine in detail the implications under a privacy law.)

Aadhar based KYC regime

  • There are two KYC possibilities in Aadhar A) Demo Auth B) eKYC — biometric or OTP. As the Aadhar regime has a robust consent architecture in place it should hold good even in the present regime. The only concern raised by the court was on biometrics being private. Hence the nature of benefit should be proportionate as consent alone, as noted by the court may not be enough protection. Hence biometric based KYC for account opening, new SIM or other risky scenario might be acceptable. Biometric based KYC for non-risky scenarios such as event registration might need a relook.
  • The other more grave change maybe the need for an alternate option. While the financial regulators in line with government view had been pushing a biometric KYC, the current law would require the financial system to provide alternatives. This is especially true for cases where there maybe no real risk or proportionate benefit of forcing biometric KYC.

Users financial transaction history

  • Cross-sell: Financial data mining for targeting for another product might definitely fall under invasion of privacy. The judges have clearly defined “financial information” as private. And such targeting in no ways provides “proportionate” benefit. Hence banks will need to take explicit consent in the original account opening form, even then it’s best that such analysis and targeting is totally automated. Closer on the lines of Google’s approach where a Google employee at no point has access to your records even though you are targeted based on your personal data. This will make sure that there is no leakage or profiling and hence the principles are being adhered to. But there would need to be clear regulation to define such actions by the bank.
  • AML/CFT risk assessment: This is one use case where the risk may justify privacy invasion. But we need to weigh it against the principle of necessity. Again as it stands out it might not be necessary to invade privacy. The court has enunciated how “anonymity” does provide privacy, and hence analysis of data that has been “anonymized” will not be a breach of privacy. Only when suspect transactions are found, should the bank de-anonymize the data an identify the actual account holder. (We understand this might need much more detailed explanation, rest assured we will be writing a longer post on the impact on AML/CFT processes)
  • Credit Risk monitoring: Unless the risk is large it might be very difficult to justify reading of transactions. The Financial Institution will have to provide the borrower a mechanism to provide consent each time such an assessment is made. This might defeat the whole purpose as someone with a risk may actually deny consent every-time. Thus it would be interesting to see how this part of the system pans out and what regulations are framed to balance risk and privacy concerns.

Banking Agents

  • Collection of data: Even current regulations require Banks to ensure that agents are registered and a clear trail can be established which ensure zero data leakage. This might now fall under a clear law or regulation, further not only Banks but all financial institutions (FIs) might need to have stricter regulations for agent models.
  • Storage of data: The storage of data will strictly require physical or digital records to be destroyed by the agents post transaction. Unless there is explicit consent by the consumer for such storage.
  • Sharing of data with other parties: Many a times agents do end up sharing data with parties who at the time of consent were not in the picture. As an example if the intended Bank doesn’t give a loan, data might be shared with other parties as well. Now one will need to take clear consent to ensure that this sharing is agreed by the user.

Payments

  • Aadhar Pay: Biometric has been considered by the court as a core private space. And it has also opined that at times consent may not be enough as the users may not understand the risks. In this light, Aadhar Pay might not have “proportionate” good. As while KYC carries risk to financial system and hence proportionate good, mere payments might not be an ideal scenario to invade individual privacy.
  • Cards based payments: Current cards eco-system relies on a “card” and PIN and no specific private data, at least from our point of view it doesn’t encroach privacy during payments. Fraud rules are also generally based on aggregated behavior and hence might also not carry any risk of privacy encroachment.
  • Mobile wallets: Since it is based on a standalone wallet that I recharge it has no personal data about me other than my basic KYC, phone number, email and my transaction details. Therefore no private information is shared with wallets. But wallets would not be able to leverage on my digital footprint for credit assessment without clear consent.

Social behavioral data

  • Social media: Google and Facebook have recently shown interest in using customer data gathered over a period of time as credit decision tools. This data has clearly been stated to be private. Thus this too would fall under the gambit of future regulation
  • Application’s own data: Even if the data is not coming from a third party but reflects user behavior on the same platform, such as Amazon, Uber etc. It will still be considered within the domain of privacy and needs to be regulated

As social behavior data is rich and possibly being seen as an alternative to many traditional data stores it important to share another case regarding Whatsapp’s decision to share its data with Facebook (its parent company). The matter concerns the privacy of 160 million Indian Whatsapp users. Such data has expressedly been considered to be private — and Judge’s comments left no room for imagining what their views were:

Recently, it was pointed out that “‘Uber’, the world’s largest taxi company, owns no vehicles. ‘Facebook’, the world’s most popular media owner, creates no content. ‘Alibaba’, the most valuable retailer, has no inventory. And ‘Airbnb’, the world’s largest accommodation provider, owns no real estate. Something interesting is happening. […]

Uber’ knows our whereabouts and the places we frequent. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.

Social networks providers, search engines, e-mail service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations — both personal and professional, health, mental state, interest, travel locations, fares and shopping habits […]

Large number of people would like to keep such search history private, but it rarely remains private, and is collected, sold and analysed for purposes such as targeted advertising[…]

Thus, there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors. There is also a need for protection of such information from the State”

These are just some of the instances that maybe impacted by this judgement. We will be happy if you can share any areas we may have missed and we will add them here.

Way Forward

This is certainly a landmark judgement and in some ways can claim to be the re-birth of privacy. In a digital world it was assumed that privacy has been sacrificed at the altar of convenience. But the court has upheld an individual’s right to his privacy providing him means to protect it and hence re-introduced a principle which seemed lost in the digital world. As the next steps, it’s incumbent upon the legislature to create clear law regarding this concern. But it’s safe to assume that usage of such data would be become much more regulated than it is now.

We are hoping that this article would be useful to you and also help you make sound business decisions. We might not have been able to go into depths of few topics which need much more deliberation. Hence we would be coming up with few more articles going in depth into some of these topics. We will be happy to receive feedback and also get to know which areas would you want much more in-depth analysis.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

1 21 22 23 24