Here are some updates from Signzy and a few useful reads from around the fintech world.
Signzy becomes the only fintech startup to make it to the TOP 6 at the Magnetic Maharashtra Convergence Startup Awards 2018
We made it to the TOP 6 finalists in the Startups under 30 competition at the Magnetic Maharashtra: Convergence 2018 Startup Awards, organised by the Maharashtra Industrial Development Corporation (MIDC). The award recognises young entrepreneurs building a robust startup ecosystem in the state and thereby accelerating the nation's economy. We're glad to have received this recognition. Acknowledgments like these drive us to work even harder towards our dream of transforming traditional banking into a fully digital experience. Read here.
Signzy wins NDIM’s ‘Business Excellence and Innovative Best Practices Academia Award — 2017’
We've been honoured with NDIM's 'Business Excellence and Innovative Best Practices Academia Award — 2017'. Every year NDIM, a globally recognised premier management institute, recognises professionals from different fields for exemplary achievements that strengthen India's reputation nationally and internationally. We are humbled to be recognised for helping financial institutions overcome their regulatory challenges and make those processes simple, secure yet compliant, and to share the honour with companies like Whirlpool, YourDOST, Bharat Financial Inclusion, Glenmark Pharmaceuticals, ART Capital, Blue Star and Premier Futsal.
Signzy listed amongst the 7 Most Innovative Companies In India
We've been included in Meltwater's list of the 7 Most Innovative Companies In India. It feels great coming from a leading brand management company that serves top companies all over the world. We strive to build AI-based solutions that turn the semi-manual processes in financial institutions into real-time digital systems, making regulatory processes simple, secure yet compliant for these institutions. Read here.
Events we attended
Magnetic Maharashtra: Convergence 2018: We participated in the "Start Ups under 30" competition at the Magnetic Maharashtra: Convergence 2018 Start-up Awards and made it to the TOP 6 finalists. The state's first-ever Global Investment Summit was organised by the Maharashtra Industrial Development Corporation (MIDC). As a fintech startup we showcased our potential in the domain and explained our vision of transforming banking into a fully digital experience, in line with the PM's vision of Digital India. (18th-20th Feb, Mumbai)
Fintegrate Zone 2018: We were at Fintegrate Zone 2018, India's largest FinTech conclave. The 3-day conference saw more than 100 speakers, industry thought leaders, influencers, and founders sharing their insights on the key verticals of FinTech. Signzy's Arpit shared his views on how RegTech is helping advance the fintech ecosystem. (27th Feb-1st Mar, Mumbai)
ENSPIRIT 2.0: We were at ENSPIRIT 2.0, IIM Raipur's management-cum-cultural festival. Its flagship event, Equinox, brought together venture capitalists and founders who interacted with students to encourage their entrepreneurial spirit, and we contributed to IIM Raipur's vision of empowering entrepreneurial excellence. Signzy's Ankit spoke on the theme "Breaking Digital" at the event. (9th Mar, Raipur)
Cryptocurrency and Crypto Attacks (and How Regulation Can Help)
From our blog:
Cryptocurrency and Crypto Attacks (and How Regulation Can Help) — A quick read explaining the different types of crypto attacks and how introducing regulations can bring them down and pave the way for a safer and more secure cryptocurrency trading environment. Read here.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience with which financial institutions onboard customers and businesses through the digital medium. The company's award-winning no-code GO platform delivers seamless, end-to-end, multi-channel onboarding journeys with customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be added to any workflow with simple widgets.
Signzy enables ten million+ end-customer and business onboardings every month at a 99% success rate while cutting time to market from 6 months to 3-4 weeks. It works with over 240 FIs globally, including the 4 largest banks in India and a top 3 acquiring bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company's product team is based out of Bengaluru, with a strong presence in Mumbai, New York, and Dubai.
Crypto attacks have surged in tandem with the rising popularity of digital currencies, emphasizing the need for robust security measures. To safeguard against these threats, users must employ multi-factor authentication, maintain updated software and wallets, and be cautious of phishing attempts. Educating oneself on the latest types of attacks and remaining vigilant while conducting transactions is crucial.
We're just two months into 2018 and $2,653,302,364+ of real money has already been spent to buy virtual money. Cryptocurrencies, regulated or not, have buyers all over the world, even in countries where their legal status is in limbo.
However, just like real money, virtual money gets stolen. And just as with real-money investment scams, the virtual currency space has its share of cheats floating schemes that promise lucrative returns and then running away with all the money.
Let’s look at some of the most common crypto attacks and how regulation can bring them down.
An ICO (Initial Coin Offering) is a means of crowdfunding that lets new ventures and startups raise capital without the regulated processes and compliance that venture capitalists, stock exchanges, and banks require.
While genuine ICOs raise money to build the proposed blockchain solution, scamsters use them only to loot. Their modus operandi is always the same: announce an ICO, lure investors, collect the cash and disappear.
The Benebit scam is one recent example. In its whitepaper, Benebit proposed a revolutionary blockchain solution for customer loyalty. It did a runner with about $4M after someone reported that the team photos on Benebit's website had been lifted from a school's website.
Phishing and Crypto Attacks & Thefts
When dealing with virtual currencies, customers face the same risks as they do with net banking. Cryptocurrency users are exposed to the usual cyber attacks: phishing, credential theft, banking trojans and the like.
IBM's X-Force research group reports that cyber criminals have modified TrickBot, a banking trojan, to target cryptocurrency trading platforms, redirecting the virtual currency to attacker-controlled wallets during transactions.
Coincheck, a cryptocurrency exchange from Japan, was the victim of a theft that cost it $530 million of its users' money. Another Japan-based bitcoin exchange, Mt. Gox, lost $400 million of its users' funds in 2014. Although it promised to return the lost money, it ended up filing for bankruptcy.
Unlike traditional banks or card processing companies, cryptocurrency exchanges can do little to recover stolen virtual currency: once a transaction is confirmed on the blockchain there is no chargeback or reversal.
Crypto Attack: ‘Cashing’ in on the Hype
When a technology is as new and disruptive as blockchain, it creates hype. A stream of scamsters use nothing but that hype to lure unsuspecting victims into parting with their money.
The Suppoman scam is one such case. A YouTuber scammed hundreds of his viewers by promising information on a "secret ICO" if they bought one of his paid Udemy courses and joined his Facebook mastermind group. To join the group and get the password, viewers had to pay $10.
Suppoman created so much hype around the "secret ICO" that people started buying even his old Udemy courses just to get the password. To the buyers' disappointment, the secret ICO turned out to be Seele, a very well-known ICO.
There are also instances where scamsters rebranded old cryptocurrencies and raised funds all over again, only to run away with the money.
Countries that accept (or the ones that haven’t banned) cryptocurrencies are working on creating regulations to protect the investors against such attacks.
Regulatory Red Tape on Cryptocurrencies
Treating cryptocurrency companies like any other financial institution and regulating them accordingly will clamp down on, if not eliminate, most of these crypto attacks.
Regulating to prevent tax evasion and the funding of shady activities: Subjecting cryptocurrency trading companies to stringent KYC, AML, user data privacy and other financial norms will help monitor the flow of fiat currency into crypto and back. It will also impose checks on tax evasion.
In the US (where cryptocurrencies are undergoing rapid regulation), virtual currency trading companies are required to register as money services businesses with the Financial Crimes Enforcement Network, a part of the U.S. Treasury Department.
Regulating to stop fraudulent ICOs from raising funds: Regulating how ICOs are released and what happens to the money in the case of non-delivery will protect investors from Ponzi-style virtual currency schemes.
Gibraltar is working on a law that will regulate Initial Coin Offerings (ICOs) in the British overseas territory. This law aims to regulate how ICO tokens are promoted, sold, and distributed. Sian Jones, a senior GFSC advisor, says the regulation will introduce the concept of “authorized sponsors,” who’d be “responsible for assuring compliance with disclosure and financial crime rules.”
Regulating to strengthen the security norms of cryptocurrency makers and trading companies: Regulating the security standards for companies that deal with cryptocurrencies will help prevent thefts.
When it comes to securing users' money in banks, RBI has issued as many as 24 best practices covering user, software, asset, environment, and security management. It would be interesting to see RBI introduce comparable standards for cryptocurrency companies as well.
Regulation can pave the way for a safer and more secure cryptocurrency trading environment. It would also address the government's key concerns around crypto trading: financing of illegitimate activities, money laundering, and terrorist financing.
Although the cryptocurrency market is largely unregulated in India, cryptocurrency remains an investment option of interest for young Indians. Just recently, the Indian Income Tax Department issued tax notices to thousands of cryptocurrency investors. BR Balakrishnan, Director General of Investigation (Karnataka and Goa), Income Tax Department, said that they couldn’t turn a blind eye to the whole cryptocurrency investment space and that “It would have been disastrous to wait until the final verdict was out on its legality.”
So legal or regulated or not, cryptocurrencies are selling in India.
But the lack of government regulation of cryptocurrencies like bitcoin leaves them prone to fraud. India has recently witnessed several cryptocurrency frauds, from the 84-crore Goregaon cryptocurrency investment scam to the 2,200-crore Mumbai fraud case.
Although RBI has never supported the use or trading of cryptocurrencies in India, it hasn't banned them either. But the rising number of frauds shows that there is an urgent need to regulate the market.
Recently while presenting the Union Budget 2018, finance minister Arun Jaitley said “The government does not consider cryptocurrencies as legal tender or coin and will take all measures to eliminate use of these cryptoassets in financing illegitimate activities, or as part of the payment system.” The Finance Minister’s speech has triggered lots of responses from the Indian Cryptocurrency exchanges.
Shivam Thakral, co-founder and CEO of Delhi-based BuyUcoin, said "Nothing new was quoted by our Finance Minister in the budget announcement today. It was a repetition of the same old cohort whilst the industry was expecting clarity over taxation and its regulation from the Government."
Another bitcoin exchange, Unocoin, also maintains that no new legislation has been introduced and that the legal status of cryptocurrency remains unchanged: it is the same unregulated virtual currency it was before. Sathvik Vishwanath, chief executive and co-founder of Unocoin, said "There is no change in the government stance with respect to trading cryptocurrencies. Cryptocurrency holders need not panic and the business is as usual."
But even before the 'impending' official regulation arrives, cryptocurrency companies can (and some do) proactively follow norms such as KYC and AML, which they would almost certainly be subject to once regulation happens. These measures also address the key concerns the Finance Ministry has with cryptocurrencies.
Regulatory processes some Indian Cryptocurrency Companies are already implementing
While Indian cryptocurrency companies wait for the official regulation to happen, some of them are going ahead and borrowing the guidelines that apply to other financial institutions. This is the way to go as the international law firm, Norton Rose Fulbright, notes: “As a general rule, where no specific steps have been taken to regulate cryptocurrencies in the relevant jurisdiction, it would be necessary to refer to the existing legal and regulatory frameworks to understand how they might apply to the new circumstances that the technology enables.”
Which brings us to norms such as KYC, AML, and Data Privacy among others.
Atulya Bhatt, Founder of India's leading cryptocurrency marketplace BuyUcoin, stresses how self-regulation lets cryptocurrency companies counter the anonymity of transactions and tackle money laundering in cryptocurrency trade. He says:
“Indian exchanges counter the anonymity of transactions and money laundering issues via self-regulation.”
Bhatt also recommends using advanced technological solutions for digital identity verification processes.
Hemanth Kumar, CIO at Unocoin (India’s most popular bitcoin wallet company), also underlines the importance of following KYC and AML provisions for cryptocurrency companies to remain accountable. He says:
“Regulation of entry points through strict KYC norms and deploying AML policies for monitoring the flow of the funds is key for any crypto exchange to bring in accountability of its customers.”
KYC and AML are the recurring themes even where cryptocurrency companies are only self-regulating.
South Korea, which has just recently legalised cryptocurrencies, has already released a regulatory framework focused on AML measures and KYC. The official document states that these measures will "reduce room for cryptocurrency transactions to be exploited for illegal activities, such as crimes, money laundering, and tax evasion."
Key points from South Korea’s KYC and AML measures in its cryptocurrency regulation policies:
Cryptocurrency companies need to share with the banks information about the purpose of transactions, the sources of funds, the services the exchanges provide, and whether the exchanges are using verified real-name accounts
Cryptocurrency companies need to monitor suspicious transactions and report any they find
Cryptocurrency companies can only get bank accounts to operate IF the exchanges provide their users' ID information
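To make "monitor and report suspicious transactions" (and the earlier point about monitoring the flow of fiat currency into crypto and back) concrete, here is an added example of the kind of rule set an exchange's AML monitoring might start from. It is illustrative code written for this page, not Signzy's software and not anything from the South Korean framework. It flags four patterns: structuring (several deposits kept just under a reporting threshold inside a short window), fast fiat-in/crypto-out pass-through, a single large deposit, and any money movement on an account that has not completed real-name KYC. The reporting threshold, window lengths, ratios, field names and the sample ledger are all constructed assumptions, not figures from any regulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tuning values are hypothetical, chosen for this example only; a real programme
# takes them from the applicable regulation and its own risk assessment.
REPORT_THRESHOLD = 50_000              # a single fiat deposit at/above this is reported on its own
STRUCTURING_FLOOR = 0.90               # "just below" = at least 90% of the threshold but under it
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3
PASS_THROUGH_WINDOW = timedelta(minutes=30)
PASS_THROUGH_RATIO = 0.90              # withdrawal moving >= 90% of a fresh deposit straight out


@dataclass(frozen=True)
class Txn:
    ts: datetime
    user: str
    kind: str           # "fiat_in": bank deposit into the exchange; "crypto_out": withdrawal to an external wallet
    amount: float       # fiat value; crypto withdrawals are assumed already converted at execution price
    kyc_verified: bool  # whether the account passed real-name (KYC) verification


def flag_unverified(txns):
    """Rule 1: no money may move through an account that has not completed KYC."""
    return [("UNVERIFIED_ACCOUNT", t.user, t.ts, t.amount) for t in txns if not t.kyc_verified]


def flag_large_deposits(txns):
    """Rule 2: a single fiat deposit at or above the reporting threshold."""
    return [("LARGE_DEPOSIT", t.user, t.ts, t.amount)
            for t in txns if t.kind == "fiat_in" and t.amount >= REPORT_THRESHOLD]


def flag_structuring(txns):
    """Rule 3: several deposits each kept just under the threshold, inside one window,
    whose sum would have triggered Rule 2 had they been a single deposit."""
    alerts = []
    by_user = {}
    for t in txns:
        if t.kind == "fiat_in" and REPORT_THRESHOLD * STRUCTURING_FLOOR <= t.amount < REPORT_THRESHOLD:
            by_user.setdefault(t.user, []).append(t)
    for user, deposits in by_user.items():
        deposits.sort(key=lambda t: t.ts)
        for i, first in enumerate(deposits):
            cluster = [d for d in deposits[i:] if d.ts - first.ts <= STRUCTURING_WINDOW]
            total = sum(d.amount for d in cluster)
            if len(cluster) >= STRUCTURING_MIN_COUNT and total >= REPORT_THRESHOLD:
                alerts.append(("STRUCTURING", user, first.ts, total))
                break  # one alert per user per run is enough for a case to be opened
    return alerts


def flag_pass_through(txns):
    """Rule 4: fiat lands and leaves again as crypto almost at once and nearly in full (layering)."""
    alerts = []
    deposits = [t for t in txns if t.kind == "fiat_in"]
    for out in (t for t in txns if t.kind == "crypto_out"):
        for dep in deposits:
            if (dep.user == out.user
                    and timedelta(0) <= out.ts - dep.ts <= PASS_THROUGH_WINDOW
                    and out.amount >= PASS_THROUGH_RATIO * dep.amount):
                alerts.append(("PASS_THROUGH", out.user, out.ts, out.amount))
                break
    return alerts


def run_monitoring(txns):
    """Apply every rule; return (rule, user, timestamp, amount) tuples sorted by user then rule."""
    alerts = (flag_unverified(txns) + flag_large_deposits(txns)
              + flag_structuring(txns) + flag_pass_through(txns))
    return sorted(alerts, key=lambda a: (a[1], a[0]))


def sample_ledger():
    """Constructed sample data for this example; these are not real transactions."""
    day = datetime(2018, 3, 1)
    at = lambda hours, minutes=0: day + timedelta(hours=hours, minutes=minutes)
    return [
        # alice: three deposits just under 50,000 within one day -> structuring
        Txn(at(9), "alice", "fiat_in", 48_000, True),
        Txn(at(13), "alice", "fiat_in", 47_500, True),
        Txn(at(20), "alice", "fiat_in", 49_000, True),
        # bob: deposit, then 95% of it withdrawn as crypto 15 minutes later -> pass-through
        Txn(at(10), "bob", "fiat_in", 20_000, True),
        Txn(at(10, 15), "bob", "crypto_out", 19_000, True),
        # carol: one deposit over the threshold -> reported on its own
        Txn(at(11), "carol", "fiat_in", 60_000, True),
        # dave: small deposit, but the account never completed KYC
        Txn(at(12), "dave", "fiat_in", 5_000, False),
        # erin: two sub-threshold deposits three days apart and a slow, partial withdrawal -> clean
        Txn(at(9), "erin", "fiat_in", 48_000, True),
        Txn(at(9 + 72), "erin", "fiat_in", 48_000, True),
        Txn(at(11), "erin", "crypto_out", 10_000, True),
    ]


if __name__ == "__main__":
    for alert in run_monitoring(sample_ledger()):
        print(alert)
```

Each alert here is a case for a human analyst, not an automatic report: the point of the rules is to surface the deposit patterns that a per-transaction threshold alone would miss (alice never crosses 50,000 in one deposit) and to tie every alert to a real-name account, which is exactly what the ID-sharing requirement above makes possible.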
If India, too, issues a similar framework, AML measures and KYC will clearly be its central themes.
In addition, cryptocurrency companies will have to look at user data protection. Because blockchains are decentralised, distributed, and public, anything written to them is visible to every participant and cannot be deleted later, so personal data collected for KYC has to be kept off-chain and protected like any other customer record.
Wrapping it up…
Given the current state of regulation of cryptocurrency trading in India, cryptocurrency companies already have a lot at stake. But if India does follow the likes of Japan, the US, and South Korea and make virtual currencies legal, all these companies can expect regulation similar to that of most financial institutions.
Starting now on stronger KYC, user data privacy, and AML policies looks like the right way to prepare for the day regulation does arrive. These measures also address the government's key concerns: financing of illegitimate activities, money laundering, and terrorist financing.
Signzy disclosure:The above content is an opinion and is for informational purposes only. Please don’t consider this as legal advice. It’s best to seek a legal consultant’s opinion before framing your policies.
Signzy amongst top 9 finalists of the ABS Global Fintech Awards, 2017
We were among the top 9 finalists of the ABS Global Fintech Award at the Singapore Fintech Festival 2017! We're glad to have had the opportunity to showcase India's fintech potential on the global stage. The festival saw an incredible turnout of 25,000 people from 100+ countries. Ankit, who represented Signzy, also interacted with the Deputy Prime Minister of Singapore, Mr. Tharman Shanmugaratnam. We'll continue striving towards our vision of transforming traditional banking processes into digital, more optimised ones.
Signzy shortlisted for the “Start-Up of the Year Award” category at the Express I.T. Awards
We competed with top startups like FlexiLoans.com, Razorpay Software, Lendingkart Group and others at the prestigious Express IT Awards, which honour the finest talent and companies driving innovation across the I.T. industry. It feels great to be recognised for making financial institutions' regulatory processes simple, secure, and compliant using advanced AI and cryptography. Read here.
Mastercard, Mswipe to use Signzy’s digital KYC solution to develop Asia’s first digital merchant onboarding experience
Mastercard, in collaboration with Mswipe, has developed Asia's first digital merchant onboarding experience, built on Signzy's digital KYC solution. Our KYC solution enables companies to offer slick digital onboarding with real-time KYC. In this case, merchants' KYC is completed within 30 minutes instead of the standard 3-day period. Read here.
Events we attended
Global Conference on Cyber Space (GCCS) 2017 — We were at GCCS — one of the biggest cyberspace conferences in the world — at New Delhi. GCCS focuses on promoting policies and frameworks that aim to uphold digital democracy, maximize collaboration, and strengthen security, safety, technology, partnerships, and freedom. Arpit from Signzy attended the global event and demonstrated Signzy’s solution being used by SBI to Shri. Ajay Prakash Sawhney, Secretary Ministry of Electronics & Information Technology. (23rd Nov New Delhi)
GES 2017 — We were invited by NITI Aayog to the world's biggest entrepreneurship summit, which brings together entrepreneurs, investors, and business representatives from around the world. Signzy was among the selected startups whose solutions were showcased at the event. (28th-30th Nov, Hyderabad)
SCB Banking Digitisation Event — We were part of the panel at the 'Banking on Digitization' event at the Taj Lands End, Mumbai. Ankit Ratan from Signzy presented our views on "Competition vs partnership between fintechs and banks/regulators." We also discussed why KYC is a constant source of complaints, the hassles financial institutions face in adopting KYC, and how DLT and AI can turn current semi-manual processes into real-time digital systems. (28th Nov, Mumbai)
Meeting with a delegation of banks from the ASEAN region — We presented our views on how fintechs can work with banks to a delegation of banks from the ASEAN region. With the support of IFC (International Finance Corporation), a member of the World Bank Group, and MAS (Monetary Authority of Singapore), fintechs and banks can collaborate to usher in rapid digitisation of the entire banking infrastructure. (17th Nov)
Smart Contracts — An Indian Perspective
From our blog:
Smart Contracts — An Indian Perspective: A must read explaining the emergence of smart contract technology, its legality, and feasibility from an Indian perspective. Read here.
Signzy Becomes the Only Indian company to Make it to the 30 Finalists of the MAS Fintech Awards, 2017
We'll compete with 29 of the world's largest and most innovative financial institutions, including Citibank, Firstdata and UOB, at the prestigious MAS Global FinTech Awards 2017. We're honoured to be recognised for our SME onboarding solution and can't wait to showcase Indian fintech potential on the global stage. Read here.
Signzy awarded with Nasscom Emerge 50 Awards 2017
Signzy received a special award in the fintech category at the Nasscom Emerge 50 Awards 2017. Over 400 companies participated and went through tough screening and scrutiny across parameters like value proposition, market differentiators, customers, market visibility, scalability, financials, growth and most importantly, innovation impact. Read here.
Product Update: Helping Users Onboard and Verify Identity Easily
Signzy has launched a new product, VideoComply. It allows remote users to onboard fully digitally while still complying with in-person verification (IPV) norms, using video analytics to counter identity fraud so that the digital journey stays secure and compliant.
Events we attended
DCB Innovation Carnival — The DCB Bank Innovation Carnival in Mumbai and Bengaluru brought fintech enthusiasts, students, startups, designers and developers together to share their ideas, innovations, and solutions in the fintech space. Signzy was among its technology partners alongside Red Hat, Infosys, Microsoft and others.
India FIX Conference — At the India FIX Conference (Mumbai), India's leading trading event, market participants, policy makers, regulators, solution providers and industry peers discussed the most pressing problems in the trading world. Ankit Ratan from the Signzy team spoke on AI's application in trading and finance.
The Economic Times Cards and Payments Summit — The Economic Times Cards and Payments Summit in Mumbai was a big tech event covering emerging technologies in the cards and payments industry. Signzy's Arpit Ratan gave a pitch session addressing some of the industry's most pressing problems.
OICV-IOSCO event — The OICV-IOSCO event focused on the key issues of maintaining safety regulations worldwide. Signzy's Ankit Ratan shared his views on the transformative effect of artificial intelligence on the financial industry and what it means for securities regulators. (IOSCO is the global body of securities regulators.)
YESFINTECH Event — Fintech experts, entrepreneurs, investors, and mentors held insightful discussions on collaboration between fintech startups and banks at the YESFINTECH events in Mumbai and Bengaluru. Ankit Ratan, founder of Signzy, explained how such partnerships benefit both parties by letting them share assets, resources, and expertise to bring more value to customers.
Anti-Money Laundering — 7th Annual Summit 2017, Fintelekt — The AML conference held in Mumbai gave regulators, financial industry practitioners, and consultants a platform to discuss current AML trends and issues, CFT, trade-based money laundering, money laundering threats from virtual currencies and more. Signzy co-founder Arpit Ratan was on the panel and spoke on digital payment products, AML risk management, and P2P.
Security in a Digital World — Passwords, Biometrics, and OTPs (and Why Secrets Are Core to Safety)
From our blog:
Security in a digital world — Passwords, Biometrics and OTPs (and why secrets are core to safety) A must read explaining the different authentication factors that can help protect online security of financial institutions. Here’s the full story.
Full KYC Compliance Deadline, Interoperability, a Min 5 Crore Net Value and More — All You Need to Know About RBI’s New PPI Guidelines
Full KYC Compliance Deadline, Interoperability, a Min 5 Crore Net Value and More — All You Need to Know About RBI’s New PPI Guidelines — an informative article about the changes RBI has brought for all prepaid payment licence and wallet holders to enhance safety, security, and flexibility of online transactions. Read here.
Industry News: RBI Announces Guidelines for P2P NBFCs platforms
RBI has released new guidelines for P2P lending (NBFC-P2P). P2P lending is a form of crowdfunding that raises unsecured loans. This update will prove impactful for all P2P players. Read on to know more about the current RBI P2P regulations and their scope. Check out the full story here.
The RBI has recently released a revised set of directions in the PPI regulatory framework. In its 20-point notification, RBI has asked all PPIs (Prepaid Payment Instruments) to improve how they operate. With the latest regulations already in effect, RBI will treat PPIs more or less like banks, subjecting them to full compliance with provisions such as Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT), and more.
In this article, we'll look at the most significant changes the RBI has introduced to the PPI framework.
But first, a look at how the world has fought money laundering with a powerful tool called "KYC", because the biggest change the updated RBI regulations bring to PPI players is mandatory full KYC.
Fighting money laundering with KYC
The UN General Assembly declaration of 1990 (a precursor to the PMLA), which was the first constructive global step against money laundering, focused on preventing the financing of the illicit drug trade. Today the objective of such legislation is to stop money earned through illegal means from entering the traditional financial system and being converted into legitimate money, and to stop it being used to fund further illegal activity, including terrorism.
In pursuit of this objective, regulators have defined a KYC regime for financial institutions to follow. The Financial Action Task Force (FATF) is an intergovernmental body that recommends to countries a regulatory regime for preventing money laundering. Very recently FATF has moved to a more risk-based approach to countering money laundering.
One of the most important functions of financial regulators is to manage risk within the financial system. That function manifests as a massive regulatory regime called KYC, which quite literally means know your customer and, in essence, know whether they are a fraudster, a money launderer or a terrorist.
Adopting KYCs as an AML measure in India
With a view to curbing money laundering, terrorist financing, and fraud, RBI introduced KYC norms for banking institutions in 2002. These norms directed banks to carry out checks and audits and to freeze accounts showing suspicious activity.
RBI has always stressed strict compliance with these guidelines, and several big banks, including Bank of Maharashtra, Dena Bank and Oriental Bank of Commerce, faced heavy penalties (1.5 crore each) for violating KYC regulations and Anti Money Laundering (AML) norms.
Until now, October 2017, the RBI's KYC guidelines applied only to banks. The latest regulation brings PPI players into their ambit.
A quick note about PPIs
In 2009, RBI paved the way for a new payment instrument which would not require two-factor authentication for small payments and would make it easier for merchants to accept payments. These pre-paid instruments (“PPIs”) could be loaded with money and then used up to the loaded amount.
The initial PPI guidelines allowed PPIs to be issued for up to Rs. 1000 by accepting any customer identity document and up to Rs. 5000 by accepting an Officially Valid Document (OVD). This went through a transformation and in 2014 was relaxed by allowing PPIs up to Rs. 10,000/- (total usage in a month) by accepting “minimum details of the customer”. This transformed the PPI industry into what it is today and led to wallets being opened through mobile numbers and emails. Though this was a boon for the industry, it did not go down well with the regulator.
In October 2016, a senior RBI official, Nanda Dave, stated that PPIs have been very lax in following KYC norms: “The customer is being identified by his or her mobile number, period. And such wallets have been used for routing money which has been fraudulently taken from bank accounts,” said Dave. “When we have no details of customers with us, it is very difficult to even trace where that money has gone,” she said.
The framework for regulation, authorisation and supervision of PPIs is governed by RBI’s “Issuance and Operation of PPIs” guidelines. These were issued in April 2009 and thereafter amended from time to time.
Since regulations on PPIs have been very light with low entry barriers, it was necessary for RBI to impose stiff and stringent norms on them.
To address the same, RBI released a Draft Circular called the “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India” in March last year. The circular was issued following the growing usage of PPIs for buying goods/services and for transferring money. In the circular, RBI recognized requests from stakeholders for relaxations in certain areas and also considered aspects that would strengthen the security and safety norms, mitigate risk, and protect customers using PPIs.
RBI took inputs from the different stakeholders on the provisions of the circular, following which, in a major step forward in this direction, RBI passed fresh rules for all prepaid payment licence and wallet companies. These include improved standards for safety, security, and flexibility of online transactions, interoperability of PPIs (and banks), full KYC, and more.
Let’s now take a look at a brief summary of these regulations.
The Updated Regulation Summary
Mandatory full KYC: As per the new directions, PPIs have to become fully KYC compliant within 12 months. “The amount loaded in such PPIs during any month shall not exceed Rs 10,000 and the total amount loaded during the financial year shall not exceed Rs 100,000,” RBI said. If compliance is not achieved, further credit will be disallowed.
Interoperability: Interoperability can be enabled in only Full KYC (banking and non-banking) PPIs. This time-consuming process will be applied in phases with the first phase (spanning across the first 6 months) bringing interoperability between wallets, and the subsequent phases working on the interoperability between wallets and bank accounts, followed by the enabling of interoperability in PPI cards.
New capital requirements of Rs 15 crore for non-banks: For non-banking PPIs, the new capital requirement is Rs 15 crore (Rs 5 crore at the time of application and Rs 15 crore within the next 3 financial years).
Cross-border inward and outward remittances: Fully KYC compliant wallets will now be able to undertake cross-border inward remittances. However, the transaction limit can’t exceed Rs 5000 per cross-border transaction and the maximum wallet limit shouldn’t exceed Rs 50,000.
PPI issuers need to maintain records of transactions: PPI issuers must maintain a record of all the transactions undertaken using the PPIs issued by them. They should also file Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit — India (FIU-IND).
Along with the new guidelines, RBI has also released a new Security Framework for PPI Issuers to prevent fraudulent activities and ensure user security.
The Newly Introduced Security Framework for PPI Issuers
Separate login for the PPI account: PPI issuers should maintain a separate login for PPI accounts and it should not be used to access any other services offered by the PPI Issuer or its associate/parent/group company etc.
Timeout features: PPI issuers should prevent invalid sign-in attempts and add inactivity timeout features.
Capping: PPI issuers should implement customer-enforced transaction caps on their users’ wallet transactions. The users should however be allowed to increase/exceed the caps with additional authentication and validation.
Cooling period for funds transfer: While opening an account, loading funds or adding a beneficiary, PPI issuers should place a cooling period on the transfer of funds to prevent the fraudulent use of PPIs.
Other mechanisms: Issuers should place internal and external escalation mechanisms to prevent suspicious operations, loading and reloading of funds into the PPI and also alert the customer in case of such transactions.
Reporting frauds: PPI issuers should report frauds on a monthly/quarterly basis to the concerned Regional Office as per the directions. They should also monitor, handle and follow up on cyber security incidents and breaches immediately with the concerned authorities.
These updated regulations have raised a number of challenges for the wallet companies. Here’s a quick look into the most challenging aspects of the new norms.
The Key Challenges Wallet Companies Face Because of the New Norms
1. Full KYC compliance within 60 days
Complete KYC compliance will increase acquisition costs for wallet companies as it introduces a great deal of documentation and paperwork. The industry estimates the cost of KYC at nearly Rs 150–200 per customer.
2. Mobile wallet companies are required to have a minimum net worth of Rs 5 crore, hence will need fresh funding.
As per earlier guidelines, a minimum net worth of Rs 2 crore was required for mobile wallets. This net worth is now raised to Rs 5 crore at the time of application and Rs 15 crore within 3 financial years after getting the authorization. This means smaller wallet companies will need funding to comply with the directions of RBI.
3. A one-year validity of the wallets. Also, auto-closing of wallets with zero balance.
Users’ wallets will be closed automatically if they continue to have zero balance for a year. A notice, however, will be issued to all such users before closure of their wallets.
“There are a large number of inactive wallets with no money in them,” said Gupta. “By enforcing this rule, RBI is all set to weed out those numbers and bring out actual figures around how many wallets are there in the system.”
4. Implementing interoperability.
At present interoperability is limited to only UPI-based banks. However, with the new requirement of interoperability, PPIs will have to deal with a lot of technical and operational requirements of safety, security, and risk mitigation. The implementation is very complicated.
How the industry is gearing up to comply with the new PPI Guidelines
From the reactions that are coming in from the different payment players, it’s clear that they’ve already begun working on their KYC.
“Interoperability with KYC is a great leveller and catalyst towards Collaborative Innovation for the ecosystem. We commend the RBI for its proactive stride and look forward to ongoing progressive regulations also for micro-payments use-cases with minimum or risk-based compliances. Especially if we need to transition to less-cash the digital alternatives need to be as seamless, frictionless and at par with other sectors like gold purchases which are completely anonymous up to Rs. 2 Lacs. Additionally the Finance Ministry and RBI have commissioned noteworthy committees like the Watal Committee on Digital Payments and Ramadorai Panel on Household Finance with apt findings and recommendations that as they get incorporated into regulations would fast forward in achieving the India FinTech potential.”
MobiKwik, another popular digital payments company, is also planning to increase its agent strength for the same purpose and is also trying for Aadhaar-based KYC through a one-time password.
“We have set a target of achieving 20 million full KYC wallets within the next one year and we are expecting an expenditure of around Rs 50 per customer,” said Bipin Preet Singh, founder of MobiKwik wallet. “Though we have 65 million users, KYC formalities cannot be done with all of them.”
Oxigen Services will give incentives to its retailers to look after the KYC process for customers.
The long-term approach payment wallets must take (as RBI expects bank-level preparedness from them when dealing with money laundering)
Bringing at Par with Banks
The updated KYC norms for PPIs have put their KYC regime on par with banks. Therefore, there needs to be greater focus on compliance and audit. This move by RBI also indicates that wallet companies will now face KYC and AML audits like banks and may have to face heavy fines and penalties in case of non-compliance, thus necessitating more investment in customer KYC.
The current wallet onboarding only includes email and mobile number verification. This will now have to be upgraded to systems that can capture KYC documentation and data. Not only that, it will also need an inbuilt risk and compliance check for the AML/CFT risk of the customer, as well as a backend operations team to process these applications. The cost of customer onboarding for wallets will also rise as a result of this full KYC process.
The way forward for wallet providers is to find and use modern KYC solutions that will not only help them overcome this challenge but also ensure that they are able to scale operations without incurring heavy costs. Failing to do so would mean even these wallets will face the same challenges as banks face when scaling their KYC operations.
Investing in security and laundering protocols
In the long run, wallet companies, too, should aim for the same degree of security that banks offer. This includes:
Performing due diligence. Due diligence should be performed on the initiator and recipient who make/receive payments to ensure the transactions comply with anti-money laundering (AML) and counter-terrorism financing checks. Frequent screening that identifies accounts with unauthorised and unusual transactions should also be conducted, and such accounts should be frozen.
Implementing transaction monitoring. To view transaction patterns of the customer base, machine learning models should be used. With the help of such AI, shady transactions can be detected. Moreover, transaction monitoring should be combined with AML and KYC screening to alert against suspicious financial activities of the customers. Transaction profiles should be maintained with all the account details of the customers such as cash deposits, withdrawals, transfers and payments.
Wallet apps have become a mainstream payment method as they offer convenience and value (through coupons, membership cards, event passes, loyalty points, cashback and more). Customers can indeed save a lot of time and resources by using these wallet apps. However, instead of signing up for tens of e-wallets with nil balance in each, users should use just one or two that support the most apps/payments and keep them active. Also, the money transfer feature these wallets offer must be used responsibly.
Wrapping it up…
Thanks to the growing government initiatives to push toward a cashless economy and the acceptance from the masses, the PPI space has grown exponentially in India. So there’s no doubt we need better regulation over PPIs. This update in the regulation — however strict it may seem — is needed, because even PPIs wouldn’t want their users to engage in money laundering or terror funding activities.
By bringing the PPI market tightly under the ambit of the more serious financial regulations, RBI has taken a big step toward a safer, cashless economy. So while the updated PPI norms do challenge several smaller companies in the short term, they will pave way for a safer, more user-friendly wallet experience eventually. Also, the security framework laid out by RBI is a big step toward ensuring the security of crores of Indians who are now actively opening up to the possibilities of a cashless economy.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
Security in a digital world has become paramount as our personal, financial, and professional lives increasingly shift online. The rapid proliferation of digital technologies, while offering immense convenience and connectivity, also brings forth a plethora of challenges in safeguarding sensitive data and maintaining privacy. Cyberattacks, identity thefts, and data breaches are becoming more sophisticated, emphasizing the need for robust cybersecurity measures. Individuals, corporations, and governments alike are recognizing the imperative of bolstering their digital defenses, ensuring that as we embrace the conveniences of the digital age, we’re not compromising our security and integrity. In essence, as we navigate this digital era, being cyber-aware and proactive in our security measures is not just an option, but a necessity.
Bashing passwords as vulnerable means of online security is quite common these days. Sure — authentication means like biometrics, OTP, mobile, etc., do sound fancy and are touted as cornerstones in future security practices. But fundamentally there is nothing wrong with a password paradigm. In fact, it’s the weakness of individual passwords that leads to a security risk.
In this article, we are going to give you a background to passwords, their philosophical underpinning, and also evaluate the other possible options we have.
Passwords have a long history. They have been used for a long time to access private accounts, applications, documents, databases, websites and more. Even the treasure den in the fabled tale of Ali Baba and the Forty Thieves had a password! The other ways to access such secrets were a body tattoo or possession of a unique seal.
Interestingly, these three ancient methods of verification still do represent the fundamental principles of modern authentication practices:
What you know — Passwords/PIN
What you have — Seal/OTP/Credit Card/Tokens
Who you are — Biometrics/Body tattoos
The combination of these three factors (3FA) is seen to represent an authentication framework for accessing information or doing risky transactions. Take an example of a Credit Card swipe. The card represents “what you have” and the pin represents “what you know”. Combining the two provides greater security than any one method alone. When any two of these are used, it’s called two-factor authentication. More factors imply higher security.
What is often not discussed is which factors are safer in which contexts. Given we are moving into rapid digitization, it is important to discuss the three factors, their types and when they should be used.
Let us trace this movement from password-based authentication to other factors and see what may be a good framework to keep consumers and systems safe.
How passwords work
Passwords are stored in a system as hashes.
A hash is a one-way function: it deterministically turns a password into a fixed-length, random-looking string (the digest).
But the digest cannot be reversed to reproduce the original password.
Let’s take an example of the SHA-2 hash algorithm. When we feed it a password, say “ankit8388”, it produces a digest like “96c32e63d785c77d8de8089523a346210d2299a25c349c518dc8bf0181ff911b”. This hash is stored in the database, and with it the website can authenticate me without ever storing my original password.
(Even when the database is hacked, my password isn’t leaked directly, because the original password is never saved in the database.)
How hackers hack passwords
To hack passwords, hackers create precomputed hash tables covering all possible password combinations.
For the “ankit8388” password, a hash table of small letters and numbers of length 9 would be able to find a match.
This means the hacker will need to process all the possible permutations and combinations of small letters (26) and numbers (10) for 9 places. In mathematical terms this would be (10+26)⁹ combinations. This is a highly intensive task and a single computer might still take 50 years to do this.
But hackers work together and pool resources, which means 50 hackers with their computers can create such a table in less than a year.
Further, it’s possible that they will find a match at a half-way stage or within 6 months.
The point is this:
A password becomes unsafe when it’s too short and simple to guess or crack.
Alternatively, if a user sets a complex, multi-character long password, there’s a risk the user will keep it noted somewhere (and this note might reach unsafe hands and cause a vulnerability).
So passwords (either too simple or too complex) can be unsafe in their own ways. That said, the other authentication means available aren’t foolproof either. Let’s get a bit more understanding of the other authentication methods.
Why biometrics and OTPs can’t be foolproof solutions for digital security
The two emerging contenders for future digital authentication are biometrics and OTPs.
Biometrics, along with a password, would indeed enhance security by providing a two-factor authentication. But when used alone, it’s not the best bet for the future because it comes with three big problems:
Unlike passwords, biometric data cannot be stored as a hash. This means that the web application will need to store your biometric data as is. This is a very risky proposition as, in case of a hack, your actual biometric data (or its mathematical representation, in some cases) is revealed. In one of the biggest data breaches in the US, 5.6 million fingerprints of government employees were stolen from the U.S. OPM (Office of Personnel Management), which gave the hackers access to raw biometric data.
In case biometric data is ever compromised, there is no resetting like a password. This means, you would forever be prevented from using your biometric authentication during your lifetime.
Biometric systems are extremely susceptible to spoofing. In spoofing, a stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user. In 2013, Jan Krissler, a famous German hacker, spoofed Apple’s Touch ID (iPhone 5S) shortly after its release. He used the smudge on the screen of an iPhone to print a dummy finger using wood glue and sprayable graphene. He then used this print to successfully unlock a phone registered to someone else’s thumb. The same hacker then used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defence, to beat fingerprint authentication technology.
OTP, as an alternate authentication means, has its own set of risks:
An OTP is a one time password consisting of characters, numbers or symbols that’s used to authenticate a user for a single login session. And it becomes invalid after a few seconds.
Take an example of a credit card swipe as I’ve explained earlier. (The card represents “what you have” and the pin represents “what you know”). When you swipe the card you get a code ( an OTP) and you aren’t authenticated until you enter the code and are verified.
So, here two authentication methods are being used for authentication (two factor authentication) which ensures more security. But still they can’t be considered as the best security solution.
1. Trojan software: The biggest challenge to the OTP authentication factor comes from trojan software.
Hackers show their victims a browser pop-up box or ad that looks like an authentic message from the bank and prompts the user to download a “security application” or a “mobile banking application” on their phone.
Once a user installs such a fake application, hackers can intercept their SMSes, which lets them read the OTPs sent to the mobile.
This attack affected customers from various banks including the ones from the Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.
2. SIM swap/cloning: By procuring a duplicate SIM card in a user’s name, hackers can use it to receive communication from the banks (including the OTPs).
3. Social engineering: Hackers also call users claiming to be from the bank. And during the call, they ask for the OTP. Unsuspecting users are usually easy victims to such attacks.
4. SS7 attacks: Using flaws in Signalling System 7 (SS7), hackers can listen to private phone calls and read users’ text messages. According to a report from the German-language newspaper Süddeutsche Zeitung, in a cyber attack in Germany hackers intercepted OTPs using SS7 flaws and stole customers’ money from their accounts.
As you just saw, all the three authentication factors — passwords, biometrics, and OTPs — have their set of risks. However, passwords stand out because users can exponentially strengthen their passwords (while also keeping them easy to remember). So let’s re-examine passwords and see how we can improve them, and then explore the Password 2.0 approach.
How passwords can be made more secure
As we discussed earlier, hackers have been able to pool resources and precompute hash tables, which makes guessing simple passwords easy. So what could make their life hard? Increasing the number of combinations, of course. And the usual way of doing that has been to increase the possible inputs:
Alphabet (Small letters and caps) — 52
Numbers — 10
Special characters — 33
So this gives a total alphabet of 95 characters. Cracking this is so hard that it would take the same hacker group over 6000 years to crack a password in the same way. And at that point, I obviously don’t care (unless AI leads to an afterlife; another topic for another blog :))
Therefore, from a security guy’s point of view, all these rules about having multiple character classes are really helpful because they keep you safe. But at the time of signing up for or using a service, this becomes a huge pain and a turn-off. Also, it’s an eventual security risk, as people keep forgetting such tough passwords and hence often note them down in insecure places, such as desktop files or random pieces of paper.
Introducing Password 2.0 — the Paraphrasing Approach (the security and user-friendly password solution)
Now, there is another way to do this, which seems to have been neglected until now: the length of the password. I could have achieved a similarly tough password by simply adding 4 more characters, i.e., a 13-letter-long password, without any restriction on small letters, caps, numbers, special characters, etc.
This new paradigm is what I call Password 2.0: the passphrase approach. It’s easy to remember a passphrase, such as “thisisacoolpassphraseforthiswebsite”. Such passphrases can provide a better user experience at the time of signing up and also during authentication.
Also, at its length (35 characters), hash tables will be almost impossible to compute. Thus we can build passwords that are convenient yet secure.
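As an added worked example (not from the original article), here is the arithmetic behind the hash-table and passphrase sections above: the guess rate is calibrated to the article’s own assumption that one computer needs about 50 years for the 36^9 candidates of a 9-character lowercase-plus-digits password, and the character-set sizes are the ones the article lists.

```python
"""Keyspace arithmetic behind the article's password-vs-passphrase argument.

Added example, not Signzy's code. It calibrates a guessing rate from the
article's own assumption (36^9 candidates take one computer about 50 years)
and reuses that rate to compare the policies the article discusses.
"""
import hashlib
import math

# Character-set sizes as the article counts them.
LOWER_DIGITS = 26 + 10            # "ankit8388"-style: small letters and numbers
FULL_PRINTABLE = 52 + 10 + 33     # letters (both cases), numbers, special characters
LOWER_ONLY = 26                   # an unrestricted passphrase of small letters

# Calibration assumption taken from the article: one computer, 50 years for 36^9.
REFERENCE_CHARSET, REFERENCE_LENGTH, REFERENCE_YEARS = LOWER_DIGITS, 9, 50


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a policy expressed in bits (log2 of its keyspace)."""
    return length * math.log2(charset_size)


def guesses_per_computer_year() -> float:
    """Guess rate implied by the article's 50-year calibration figure."""
    return keyspace(REFERENCE_CHARSET, REFERENCE_LENGTH) / REFERENCE_YEARS


def years_to_exhaust(charset_size: int, length: int, computers: int = 1) -> float:
    """Calendar years for `computers` machines to enumerate the whole keyspace.

    The article's "find a match halfway" remark is the expected case, which is
    half of this worst-case figure.
    """
    return keyspace(charset_size, length) / (guesses_per_computer_year() * computers)


def compare_policies(computers: int = 50) -> dict:
    """Worst-case years for the pooled group of 50 hackers the article describes."""
    policies = {
        "9 chars, letters+digits": (LOWER_DIGITS, 9),
        "9 chars, 95 printable": (FULL_PRINTABLE, 9),
        "13 chars, lowercase only": (LOWER_ONLY, 13),
        "35-char passphrase": (LOWER_ONLY, 35),
    }
    return {name: years_to_exhaust(cs, ln, computers) for name, (cs, ln) in policies.items()}


def sha256_digest(password: str) -> str:
    """Unsalted SHA-256 as the article describes it: the same input always yields
    the same hex digest, which is exactly what makes precomputed tables possible."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("digest of 'ankit8388':", sha256_digest("ankit8388"))
    for name, years in compare_policies().items():
        print(f"{name:28s} {years:>16.1f} years with 50 computers")
```

Production password stores add a per-user salt and a deliberately slow hash (bcrypt, scrypt or Argon2), which removes the precomputed-table shortcut entirely; the example keeps plain SHA-256 only because that is the cost model the article reasons with.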
Why passwords are crucial for security
One principle that has to be accepted in a security paradigm is — you will get hacked. This principle is important to remember when choosing one or a combination of the three authentication factors (passwords, biometric or an OTP).
The property of biometrics in this context is really risky. As biometrics can never be changed, once hacked they remain vulnerable for that person for their lifetime. So in a biometric-auth world, over time more and more people would become vulnerable. Thus you would inevitably reach a stage where, for a certain population, biometrics would not be a valid authentication mechanism.
Mobile phones or numbers also cannot be changed very frequently or easily, and hence make changing the auth factor difficult.
Unlike biometrics and mobile numbers (or handsets), passwords can be changed if they get hacked. That too quite easily. Hence they have no permanent vulnerability. Another great property they have is the ability to protect the actual password at each authentication. This paradigm is akin to knowing a secret that you will never reveal but are able to prove you know it.
So while biometric and OTP authentication breaches leave their users vulnerable (for life), password breaches always give the users a way to “reset”. Because of their simplicity and cryptographic beauty, passwords will continue to dominate as the higher security layer. And when you add an additional layer of authentication to a password (like a biometric or an OTP), you can probably design a more secure system. (In a further article we will go through the best combination for a given business use-case.)
The Password 2.0 approach — of creating complex but easy-to-remember “secret-style” passwords — can be a useful tool in such a scenario, where the password is a mainstay in the security authentication mix. So, start thinking of a secure passphrase, because in a modern digital world “a strong secret” will be worth more than any other asset you own.
In a recent judgement, a nine-judge Supreme Court Bench unanimously ruled that individual privacy is a fundamental right. The court noted that the “Right to Privacy is an integral part of Right to Life and Personal Liberty guaranteed in Article 21 of the Constitution.” The right to privacy verdict, although primarily passed on a petition filed about the Aadhar Card scheme, will impact every company that collects and handles user data.
In its 547-page judgment, the Supreme Court touched upon the different aspects of informational privacy — and explained how collecting data could threaten an individual’s privacy.
This Supreme Court ruling is a check: For both the government (against which the case was mainly fought) as well as the non-state actors or private companies because it doesn’t just oppose any privacy invasive practices employed by the government but also applies to private companies that collect user data.
In this article we will give a short description of the court’s view on what is private and its concerns in a digital world. Then we will look at the new ruling’s impact on the financial sector with a 7-point framework. We will be looking at areas like cross-selling, credit history, SMS scraping, Aadhar KYC, payments, banking agents and social behavioural data, among others. Now let’s start with the basics.
Defining what is “personal and confidential”
The information must be “personal and confidential” to be protected by right to privacy. One of the points raised by the opposing counsel during the trial was that privacy was vague and ill-defined. The judges patiently tried defining what is “private” data, to carve out the scope of law.
For example, the Court pointed out that data about electricity consumption pattern of a person is NOT personal or confidential, and couldn’t be protected as “private information”. That said, the Court also cited a UK judgement that stated the storing of the biometric data indefinitely of individuals no longer suspect of criminal activities would be an invasion of privacy. Clearly, a person’s biometric data is both “personal and confidential”.
The Supreme Court used an infographic (from Bert-Jaap Koops et al., “A Typology of Privacy”) in its judgement to depict the nature of data and its classification. This is extremely rare and hence also shows how judges understood the importance of the judgement and that it would be read by people who might need simpler language and symbols to understand the implications:
Privacy in the Digital World
While the court had a broader mandate and covered privacy from all aspects, it did cover digital privacy in detail. At some level the court felt the real challenge to privacy comes from the rapid transformation of processes from offline to digital. It also gave an intriguing example of a travel agent, which illustrates this point well:
“The old-fashioned travel agent has been rendered redundant by web portals which provide everything from restaurants to rest houses, airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons people access the internet each day of their lives. Yet every transaction of an individual user and every site that she visits, leaves electronic tracks generally without her knowledge. These electronic tracks contain powerful means of information which provide knowledge of the sort of person that the user is and her interests. Individually, these information silos may seem inconsequential. In aggregation, they disclose the nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation. In aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.”
Expressing privacy concerns about how tracking happens in the digital world, the Court hinted at the possibility of scrutinizing activities carried on by companies like reading/analyzing/tracking emails, messages, other social behaviour.
Further the court stressed upon properties of the digital world that make it difficult to detect privacy invasion and hence heighten privacy concerns:
Non-rivalrous — simultaneous use by multiple users
Invisible — invasions of data privacy are difficult to detect — and it travels at speed of light making it further difficult to trace any breach of privacy. Data can be accessed, stored and transmitted without notice
Recombinant — data collected can be used, analysed and combined to create more data output which is unseen earlier
Expanding on these principles the order stated that owing to the nature of digital data, it becomes possible to combine data from social profiles and IoT devices to create information about the individual which did not exist. Secondly, while collecting the behaviour of one person it could also be possible to gather information about other individuals around him. The Court noted that these concerns are from both State and Private entities as both use Big Data to analyse data about individuals which is a concern to privacy.
Easily one of the most tech-savvy orders ever, this Supreme Court judgement took into account various technical intricacies of the digital world and cited specific instances:
Cookies used for tagging IP addresses
Browsing information to create profiles using algorithms
Automated content analysis of emails for targeted marketing
Online purchase history (books, airline tickets, taxi bookings etc.) used for analysing user behaviour and income
Metadata and IoT — used to collect information about a person’s behaviour
It is refreshing to see such technical detail quoted in the judgement.
The Court also gave details on what the future of digital privacy and the principles of the new law could be. We have tried to summarize it below in a simple framework. But for any legal geeks out there, we have also created another article which details the laws examined by the Court and its approach in reaching this conclusion.
A 7-point framework to guide companies’ data policies (based on the privacy case judgement)
We’ve analyzed the judgement in extensive detail and have come up with a simple 7-point framework that shows the key points organizations need to think about when framing their data policies:
Personal vs Private: Not every piece of personal data is private. A user’s name, for example: because a person’s name is used in public communication, it can be considered non-private personal information. Also, any information that is anonymized is neither personal nor private and is exempt from the purview of the law.
Explicit Consent in plain words: The user’s consent has to be taken explicitly and cannot be hidden inside lengthy terms of service or agreements.
Consent alone is insufficient: The Court has also opined that in certain situations even a consent-based mechanism may not be able to protect the customer, and hence encroachment of privacy shouldn’t be the preferred option.
Necessity: This simple principle asks whether invading privacy is really necessary to achieve the outcome.
Proportionate benefit or risk: Whenever it is necessary, it should be weighed against proportionate benefits and risks. Privacy should not be encroached upon unless there is some proportionate good possible or some harm that is preventable.
Right to Forget: Eventually the user should have the right to revoke access to his/her data.
Access and Correction: The ownership of data lies with the individual whose private data is collected. Therefore he has a right to access and correct the data, or delete it as given above.
Note: We hope this will help businesses make sound and compliant judgement around their data, but do take professional help to make sure you are fully compliant.
A few instances of impact in the financial world
The right to privacy might initiate changes in current processes, and hence some of the current and emerging areas may need a relook:
Credit History under Credit Information Act
Collection of credit data: Collection of credit data by the creditor is entirely fine, as it is consent-driven private data between the two parties.
Exchange of credit data: Banks report credit data to licensed agencies, which then exchange this data with other banks on request. This might require clear exceptions in the privacy act, or a relook into how credit reports are requested, what kind of information can be shared and what is to be hidden.
Access and control over credit history: Currently consumers cannot easily request that their credit history be forgotten or edited. Going forward, there would need to be an option for greater control over and access to one’s own credit history.
Pulling data of a customer from KRA by Mutual Fund and AMCs
Collection of data: Currently the agency that collects the data and the one that stores it are different. Clear consent and declarations may hence be needed.
The current practice of pulling data using the PAN without an appropriate consent layer may also need a relook.
Account Details
Login based scraping: Account usernames and passwords definitely fall within the domain of private data. The reason for collecting them in many cases is convenience, as it might be more difficult for the user to submit a copy of the bank statement himself. Thus this encroachment may not meet the principle of necessity or proportionate benefit.
Account Aggregator: The new RBI guidelines provide for a consent layer and substantial regulation around the security of such data. The data does not remain with the aggregator after the purpose is completed, and therefore the guidelines seem to have given protection to privacy and may not be greatly affected by the judgment.
Mobile data collection during application download
Following are a few of the affected categories; let us go through them one by one:
Malware or security risk: The data collected to assess malware risk may not fall within the privacy parameters, especially if it can be anonymized enough to be unlinked from the individual. But current assessment tools and processes might need to ensure they follow this principle.
SMS reading: This is being seen as a new and innovative way to provide credit assessment. But within the new privacy regime this may be really tricky. Let us explain: SMS reading is a clear invasion of privacy and hence would require explicit consent. Where it gets really tricky is that an SMS is usually a private conversation between two parties, and hence you would need the consent of both parties to read it. It will be interesting to see how the innovation can be enabled without being unlawful.
Reading personal contacts for later use in collections: Like SMS reading, this may also need the consent of two parties and hence should be seen in the same light. (Signzy will be coming up with another article on multi-party conversations including email, SMS, calls etc., in which we will examine the implications under a privacy law in detail.)
Aadhar based KYC regime
There are two KYC possibilities in Aadhar: A) Demo Auth and B) eKYC (biometric or OTP). As the Aadhar regime has a robust consent architecture in place, it should hold good even under the present regime. The only concern raised by the Court was on biometrics being private. Hence the nature of the benefit should be proportionate, as consent alone, as noted by the Court, may not be enough protection. Biometric based KYC for account opening, a new SIM or other risky scenarios might therefore be acceptable, while biometric based KYC for non-risky scenarios such as event registration might need a relook.
The other, graver change may be the need for an alternate option. While the financial regulators, in line with the government’s view, had been pushing biometric KYC, the current law would require the financial system to provide alternatives. This is especially true for cases where there may be no real risk or proportionate benefit in forcing biometric KYC.
Users’ financial transaction history
Cross-sell: Mining financial data to target a customer for another product would quite likely fall under invasion of privacy. The judges have clearly defined “financial information” as private, and such targeting in no way provides a “proportionate” benefit. Hence banks will need to take explicit consent in the original account opening form; even then, it is best that such analysis and targeting is fully automated, closer to Google’s approach where no Google employee has access to your records even though you are targeted based on your personal data. This makes sure that there is no leakage or profiling and that the principles are adhered to. But clear regulation would be needed to define such actions by the bank.
AML/CFT risk assessment: This is one use case where the risk may justify privacy invasion. But it must be weighed against the principle of necessity, and as it stands it may not be necessary to invade privacy at all. The Court has enunciated how “anonymity” does provide privacy, and hence analysis of data that has been “anonymized” will not be a breach of privacy. Only when suspect transactions are found should the bank de-anonymize the data and identify the actual account holder. (We understand this might need a much more detailed explanation; rest assured we will be writing a longer post on the impact on AML/CFT processes.)
Credit risk monitoring: Unless the risk is large it may be very difficult to justify reading transactions. The financial institution will have to provide the borrower a mechanism to give consent each time such an assessment is made. This might defeat the whole purpose, as someone who is actually a risk may deny consent every time. Thus it will be interesting to see how this part of the system pans out and what regulations are framed to balance risk and privacy concerns.
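Added example (not from the original article or Signzy’s code) of the anonymize-first, de-anonymize-on-suspicion pattern described under AML/CFT risk assessment above: account identifiers are replaced by keyed tokens before any analysis, a structuring rule runs on the tokens only, and the key holder re-identifies just the flagged accounts with an audit log. The transactions, the rule thresholds and the key are constructed assumptions.

```python
"""Pseudonymized AML screening with gated re-identification.

Analysts only ever see keyed tokens; the custodian alone holds the key and
the token-to-account map, and every re-identification is logged.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample transactions (not real data): (account_id, amount, day).
# ACC-1001 and ACC-3003 make repeated deposits just under a 10,000 threshold.
TRANSACTIONS = [
    ("ACC-1001", 9500, 1), ("ACC-1001", 9700, 1), ("ACC-1001", 9800, 2),
    ("ACC-2002", 300, 1), ("ACC-2002", 120, 3), ("ACC-2002", 9900, 4),
    ("ACC-3003", 9900, 5), ("ACC-3003", 9900, 5), ("ACC-3003", 9950, 6),
    ("ACC-3003", 200, 7),
]


class TokenCustodian:
    """Holds the pseudonymization key and the reverse map. Nothing outside
    this class can turn a token back into an account identifier."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}
        self.reidentify_log = []  # audit trail of (token, reason)

    def tokenize(self, account_id: str) -> str:
        # Keyed hash: the same account always maps to the same token, but
        # without the key a token cannot be guessed from a known account id.
        digest = hmac.new(self._key, account_id.encode(), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._reverse[token] = account_id
        return token

    def reidentify(self, token: str, reason: str) -> str:
        # Re-identification is only allowed with a documented reason.
        if not reason:
            raise ValueError("re-identification requires a documented reason")
        self.reidentify_log.append((token, reason))
        return self._reverse[token]


def pseudonymize(transactions, custodian):
    """What the analyst receives: tokens in place of account identifiers."""
    return [(custodian.tokenize(acct), amount, day)
            for acct, amount, day in transactions]


def flag_structuring(pseudo_txns, threshold=10000, band=0.9,
                     min_count=3, window_days=7):
    """Rule run on pseudonymized data only: at least `min_count` deposits in
    [band*threshold, threshold) within `window_days`. Returns {token: reason}."""
    near_threshold = defaultdict(list)
    for token, amount, day in pseudo_txns:
        if band * threshold <= amount < threshold:
            near_threshold[token].append(day)
    flagged = {}
    for token, days in near_threshold.items():
        days.sort()
        for i in range(len(days) - min_count + 1):
            if days[i + min_count - 1] - days[i] <= window_days:
                flagged[token] = (f"{min_count}+ deposits just under "
                                  f"{threshold} within {window_days} days")
                break
    return flagged


def screen(transactions, key: bytes):
    """Full pipeline: pseudonymize, run the rule, re-identify only the flagged.
    Returns ({account_id: reason}, custodian) so the audit log can be inspected."""
    custodian = TokenCustodian(key)
    pseudo = pseudonymize(transactions, custodian)
    flagged = flag_structuring(pseudo)
    identified = {custodian.reidentify(tok, why): why
                  for tok, why in flagged.items()}
    return identified, custodian


if __name__ == "__main__":
    hits, cust = screen(TRANSACTIONS, b"demo-key-held-by-custodian-only")
    for account, why in hits.items():
        print(f"{account}: {why}")
    print(f"re-identifications logged: {len(cust.reidentify_log)}")
```

The rule engine never receives an account identifier, and the custodian’s log records exactly which tokens were de-anonymized and why.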
Banking Agents
Collection of data: Even current regulations require banks to ensure that agents are registered and that a clear trail can be established which ensures zero data leakage. This might now fall under a clear law or regulation; further, not only banks but all financial institutions (FIs) might need stricter regulations for agent models.
Storage of data: Physical or digital records will strictly have to be destroyed by the agents after the transaction, unless there is explicit consent by the consumer for such storage.
Sharing of data with other parties: Often agents end up sharing data with parties who were not in the picture at the time of consent. For example, if the intended bank doesn’t give a loan, the data might be shared with other parties as well. Now one will need to take clear consent to ensure that such sharing is agreed to by the user.
Payments
Aadhar Pay: Biometric data has been considered by the Court as a core private space, and it has also opined that at times consent may not be enough as users may not understand the risks. In this light, Aadhar Pay might not offer a “proportionate” good: while KYC carries risk to the financial system and hence a proportionate good, mere payments might not be an ideal scenario in which to invade individual privacy.
Card based payments: The current card ecosystem relies on a “card” and a PIN and no specific private data, so at least from our point of view it doesn’t encroach on privacy during payments. Fraud rules are also generally based on aggregated behavior and hence might not carry any risk of privacy encroachment either.
Mobile wallets: Since a wallet is a standalone instrument that I recharge, it holds no personal data about me other than my basic KYC, phone number, email and transaction details. Therefore no private information is shared with wallets. But wallets would not be able to leverage my digital footprint for credit assessment without clear consent.
Social behavioral data
Social media: Google and Facebook have recently shown interest in using customer data gathered over a period of time as credit decision tools. This data has clearly been stated to be private, so this too would fall under the ambit of future regulation.
Application’s own data: Even if the data does not come from a third party but reflects user behavior on the same platform (Amazon, Uber etc.), it will still be considered within the domain of privacy and will need to be regulated.
As social behaviour data is rich and is possibly being seen as an alternative to many traditional data stores, it is important to share another case regarding WhatsApp’s decision to share its data with Facebook (its parent company). The matter concerns the privacy of 160 million Indian WhatsApp users. Such data has expressly been considered to be private, and the judges’ comments left no room for imagining what their views were:
“Recently, it was pointed out that “‘Uber’, the world’s largest taxi company, owns no vehicles. ‘Facebook’, the world’s most popular media owner, creates no content. ‘Alibaba’, the most valuable retailer, has no inventory. And ‘Airbnb’, the world’s largest accommodation provider, owns no real estate. Something interesting is happening. […]
‘Uber’ knows our whereabouts and the places we frequent. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.
Social networks providers, search engines, e-mail service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations — both personal and professional, health, mental state, interest, travel locations, fares and shopping habits […]
Large number of people would like to keep such search history private, but it rarely remains private, and is collected, sold and analysed for purposes such as targeted advertising […]
Thus, there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors. There is also a need for protection of such information from the State”
These are just some of the instances that may be impacted by this judgement. We will be happy if you can share any areas we may have missed, and we will add them here.
Way Forward
This is certainly a landmark judgement and in some ways can claim to be the re-birth of privacy. In a digital world it was assumed that privacy had been sacrificed at the altar of convenience. But the Court has upheld an individual’s right to his privacy, providing him the means to protect it, and hence re-introduced a principle which seemed lost in the digital world. As the next step, it is incumbent upon the legislature to create clear law regarding this concern. But it is safe to assume that usage of such data would become much more regulated than it is now.
We hope this article is useful to you and helps you make sound business decisions. We might not have been able to go into the depths of a few topics which need much more deliberation; hence we will be coming up with a few more articles going in depth into some of them. We will be happy to receive feedback and to learn which areas you would want much more in-depth analysis of.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
The need for technological developments to be incorporated into the procedure and paperwork of litigation petitions.
Problem in Status Quo: Electronic Petitions
A standard process of litigation is known to be very cumbersome. Everyone has to deal with innumerable visits to court and endless paperwork, and the process is intertwined with inefficient administration in courts as well. For even a simple litigation, all parties involved have to go through countless stacks of paper in the form of orders, plaints, written statements etc. A single case has various stages, and each stage leads to a multiplicity of paper and excessive documentation. A paperless system for filing petitions would ensure an environmentally friendly judiciary and save a substantial amount of time, not to mention bringing additional transparency and efficiency.
Applying Minimalism to the Process of E-Filing
The judiciary has already shown that it is willing to embrace minimalism and move towards a digitised system. Instances like the electronic recording of witness statements and the digital FIR process being envisioned are indicators of change. Thus it is clear that the Government is already taking steps towards a minimalist approach and is keen on digitisation. Hopefully this will make the potential change quicker.
Implementation
a. Technology
Implementing a process where petitions can be filed electronically is not as hard as it sounds. Various tech companies across the world have proven proficient at building systems where e-filing can be achieved, as can be seen in the following case study:
The Government of Brazil decided to address the critical problem of overloading of litigations in the court, as it was burdened with approximately 2 million cases per year. The Government wanted to address the need of speedy justice. Microsoft came up with an integrated set of technologies which served as a solution to the specific problems at hand. The software company focused on making the system easy to use and driven by consumer need and demand. The system is capable of handling about 30,000 processes a day, which adds up to an estimated 7 million different litigations a year.
The digitization and usage of ICT by courts in Brazil gained legitimacy after a federal law was passed to that effect in 2006, and the judiciary is set to achieve the efficiency that electronic filing promises.
b. Security of Identity
A possible obstacle may arise in cases of fraud or other problems, but given that the process is online, verifying a person’s identity is made easier. The idea of Digital India is to make online copies of documents available, and this can be achieved by adopting minimalism.
c. Certification of Documents
Documents like written statements, affidavits etc. are required to be certified in court for the purposes of admissibility. The same can easily be done online at the time of electronic submission of the documents, to vouch for their authenticity.
Benefits of Electronic Filing
E-filing and other information and technology sharing initiatives are extremely beneficial to the public as they reduce congestion and delay by doing away with cumbersome processes. They facilitate a unique model of justice which allows an aggrieved party to obtain justice from the comfort of his/her own four walls. A large number of judicial processes and justice systems can become well connected if they use electronic systems efficiently.
Conclusion
The electronic system (with special reference to the E-filing of petitions) is one that is achievable and practically implementable as well, as seen by the Government’s efforts to digitise the judiciary. All that is needed is a concrete step toward complete digitisation of processes, which will greatly benefit the judicial system in India.
Malicious Prosecution, while often viewed through a negative lens, offers an unexpected advantage in the realm of judicial efficiency. By identifying and curtailing cases initiated with ill intent or without a solid legal basis, courts can significantly reduce their pendency of cases. This approach not only ensures that genuine litigants receive timely justice but also discourages the misuse of the judicial process for personal vendettas or tactical delays. The growing awareness and consequential action against such practices could pave the way for a more streamlined, effective, and trusted legal system, minimizing case backlogs and promoting the true essence of justice.
In India, when a person is prosecuted by the criminal justice system, all he can do is defend himself. In the event of successfully coming out clean from the due process of law, he is left with nothing but the order of the Court. The mental stress and agony, the loss of reputation, the loss of personal liberty in case of arrest and detention, the loss of livelihood and earnings, the costs of defending the prosecution, the physical hardships etc. are not accounted for. The victim of vexatious or malicious litigation has no legal recourse to protect himself against such abuse of the process of law.
Supreme Court Precedent on Reputation and Allied Concepts
The Supreme Court of India has said that the Right to Reputation is part and parcel of the Right to Life and Personal Liberty guaranteed by the Constitution of India[1]. The same was reiterated by the Hon’ble Supreme Court in 2014 in the case of Umesh Kumar v. State of Andhra Pradesh[2]. Also in January 2014, the Apex Court, while deciding a case, observed that instances of the police machinery filing false charges are increasing day by day, and that such cops should be punished[3].
The Supreme Court reiterated in July 2014 that there is a rising trend among women to file false cases under Sec. 498A of the Indian Penal Code, and that the police should not make automatic arrests in such cases as it permanently scars the reputation of the person.[4] In Subroto Roy Sahara v. Union of India & Ors.[5], the Hon’ble Apex Court suggested to the legislature that it formulate a mechanism by which one who initiates and continues senseless litigation should pay for the same. From this it is very apparent that even the judiciary of our country feels the need to curb malicious prosecution.
Failure of Criminal Justice System
The basic purpose and the soul of the criminal justice system of our country was to punish criminals and create deterrence among them, so as to provide a law-abiding society for the common man. However, over the years, the very soul of this justice system has been lost. It is no longer effective in punishing the culprits; instead it is increasingly being used to harass the common man.
There are countless citizens in our country who face the judicial system and prosecution for years together, and in the end it turns out that there was no merit in the case. As a matter of fact, as of today, in countless cases recourse is taken to criminal proceedings only as a ‘pressure tactic’ or to elicit a ‘compromise’. In the end the real victim turns out to be the accused, as he has to face the complicated and time-consuming justice delivery system of India. An action for malicious prosecution would be the apt tool to fight this menace.
Concept of Malicious Prosecution
The concept of malicious prosecution recognises the individual’s interest in not being subjected to unjustified litigation. Litigation, especially criminal, brings along with it great humiliation, harassment, annoyance, loss of reputation and loss of livelihood amongst other things. In order to curb the unjust litigation, malicious prosecution plays an important role.
One of the earliest cases to be decided on the concept of Malicious Prosecution was Savil v. Roberts [6]. The said case laid down a three-part test for malicious prosecution: damage to the person, damage to the property and damage to the man’s fame. Any litigation which has been intentionally initiated to accomplish any of these three would be a malicious prosecution. An action for damages for being subjected to such litigation is called an action for malicious prosecution.
What can be Done
It is the need of the hour to address this issue. It is necessary to add legal provisions which act as an effective deterrent to such ‘malicious prosecution’ and compensate people for their loss of reputation, earnings and livelihood, and for the trauma. This could possibly be achieved by adding a chapter dedicated to malicious prosecution by way of amendments to the Code of Criminal Procedure, or by promulgating new legislation along the following lines:
The person initiating malicious prosecution (the aggressor) is punished with a term of imprisonment and/or a fine equivalent to the punishment prescribed for the charges levelled by him in the malicious prosecution.
Loss of reputation and livelihood is compensated by imposing an additional fine on the aggressor, computed after taking into consideration the income, qualification and social status of the victim of malicious prosecution. The said amount can be secured by attaching the bank accounts or property of the aggressor if payment is not made forthwith.
Immunity should not be given to prosecuting and investigation agencies that falsely prosecute any person. In a country like ours, where even the highest judicial courts are held accountable for their actions, this is the least we can do.
Malicious Prosecution: A Tool to Achieve Minimalism
Various governments over the years in India have promised to curb the pendency of cases in our courts. However, none have been successful in delivering on this promise. The essential reason for the pendency is the complexity on one hand, and the easy and free initiation of criminal proceedings without any penal or punitive action for false initiation of proceedings on the other hand. Formulation and strict implementation of provisions of Malicious Prosecution would aid in reducing the pendency to a great extent, as people would be very cautious before initiating criminal proceedings. As a result, a great percentage of cases would never be filed thereby reducing the burden of the judiciary. In return, the judiciary can focus all its resources on genuine cases due to which the disposal of the same would be much quicker.
Malicious Prosecution has largely been implemented effectively in countries like Canada and the United States of America to curb malicious litigation. Specifically, in the United States the implementation of the law of Malicious Prosecution is so stringent that damages amounting to millions of dollars may have to be paid if a person initiates a malicious prosecution. As a result, people think twice before initiating any legal proceeding, thereby protecting innocent citizens as well as saving the precious time of the judiciary. This ensures that no superfluous and redundant litigation floods the courts, thus proving to be truly minimalistic in nature.