Leveraging Technology & Tackling Money Laundering

Last year Forbes reported that 2% to 5% of the world’s GDP is laundered every year. This amounts to between $800 billion and $2 trillion. The astounding fact in the report was that only 10% of the laundered money is detected, implying that more than 90% of it is unknown to most regulatory bodies and financial institutions.

Money laundering is a major issue in the world. Governments are striving to find newer methods to tackle it. Most financial institutions and companies are accustomed to traditional methods for preventing money laundering. These include in-person verification or traditional automation.

But with the advent of advanced technologies like AI and Machine Learning, they have to adapt for better results. Suspicious Activity Reports (SARs) integrated with the latest technology caused more than 31% of laundered money to be blocked.

Thus the need for technology in preventing money laundering is not a matter of if, but when. But how do we do it? What technological tool can we use? This is where Application Programming Interfaces (APIs) for the financial industry come in. This article explores what AML screening solution APIs are and how they can help in preventing money laundering.

Why Is AML Essential In The Financial Industry?

Anti-Money Laundering (AML) includes all measures taken by authorities, institutions and individuals to prevent financial criminals from disguising illegally obtained money as legitimate income. It is essential because money laundering is a financial crime that affects the economy at the micro scale as well as at momentous levels. The methods of money laundering are transforming with the development of technology, so it is essential that AML screening solutions keep pace.

In July 1989, many nations came together to form the Financial Action Task Force (FATF). The summit was held in Paris and aimed at analysing laundering risks and preventing them with AML measures and AML screening solutions. After the 9/11 attacks, in October 2001, the FATF updated its agenda and mission to include ways to stop terrorist funding through money laundering. AML procedures have been improved through the decades since.

The European Union also acknowledged and implemented the first AML directive in 1990. It prevented the use of flaws in the financial system for laundering. Now the Union is one of the pioneers in revising and upgrading AML measures to reduce risk and terrorist funding. The International Monetary Fund (IMF), with its 189 member states, also takes initiatives for AML with compliance measures for financial institutions. Thus all governments are forced to ensure compliance, and all institutions are expected to follow suit.

In 2019 the US State Department published a report stating that general AML measures had a success rate of only 0.2% because of non-compliance and inefficient processes. More than 85% of the 11,500 companies evaluated in the US were not AML compliant. 2019 also saw AML non-compliant banks paying more than $6.2 billion in fines globally.

What Is The AML Process And Why Is Compliance Important?

Government bodies and other regulators provide guidelines and procedures that companies and financial institutions can follow to prevent money laundering.

  • One of the most important and effective processes is Know Your Customer (KYC). KYC ensures that companies know who their customer is by verifying the customer’s financial data against pre-existing credible databases. This way any suspicious activity by the customer can be red-flagged easily.
  • Customer Due Diligence (CDD) is also a relevant procedure for AML. In CDD, companies evaluate the risk involved with each customer and take the necessary measures. They categorize customers as low, moderate or high risk. For example, a Politically Exposed Person (PEP) falls under the high-risk umbrella.
  • Another measure is setting a limit above which transactions are monitored. For example, in the US any transaction of more than $10,000 is reported by the institution to the authorities for monitoring. Each country has such a limit to detect any massive fraud. Thus, monitoring and reviewing customer transactions without compromising privacy is very important for preventing money laundering. If any suspicious activity is detected, an activity report is generated and transferred to the Compliance and Risk Department.

It is of incredible significance that financial companies follow all the regulatory compliance guidelines for AML. Even a single discrepancy can have dangerous repercussions. Money laundering is no longer just about the money. It can even be used as a wrench in the equilibrium of world peace. Besides this, companies that don’t comply are charged heavy fines by regulatory bodies. AML fines amounted to $4.27 billion in 2018, which nearly doubled in 2019 to $8 billion. This is a collective effort, and even the smallest financial institutions need to play their part well by following the compliance guidelines.

How Are APIs Used To Help Prevent Money Laundering?

Software connections between computer programs, or even between computers, are called Application Programming Interfaces (APIs). An API offers services to other software once it is integrated into a working system. It can be broadly described as intermediary software that helps other applications communicate among themselves. APIs are used in almost all companies with a demand for any form of software technology.

AML screening solution APIs are taking over not just the financial sector, but any industry interested in innovative automation. This is because APIs offer agility and more importantly scalability for companies. Recently, after several government policy amendments, APIs are starting to play crucial roles in AML and KYC compliance. This is because the verification of tens of thousands of customers is not practical with traditional processes.

APIs are used for almost all forms of innovative verification procedures. They ensure that processing is efficient and free of human error. Since they can be replicated on a large scale, they become commercially viable. In addition, most APIs can be procured at affordable prices. Hence, be it a large bank or a small financial institution, automation is simple and inexpensive. APIs help all businesses Combat Financial Terrorism (CFT) at a modest price.

They are in high demand among elite institutions because they offer swifter and less expensive methods of delivering services that meet customer demands. Since they are adaptable and customizable, they have the advantage of being future-proof. In the financial category alone, more than 2000 types of APIs are used across the globe. This will grow exponentially with advancements in AI, Machine Learning and Blockchain technology.

APIs In AML And Regulatory Compliance

Improved, user-friendly APIs are available in the industry now. But an API needs to fulfil another crucial criterion before integration into any service or product: regulatory compliance. Across the world, there are numerous regulatory guidelines for financial institutions. A good example is the PSD2 changes in Europe. Not only are companies encouraged to accomplish more with AML screening solutions and related technologies, but they are also fined for any lack of compliance on their part.

Financial institutions that wait and observe the new technology trends will be left behind in the race. The most adaptable companies will flourish in the long run. Traditional in-person verification processes and error-prone manual execution are outdated. APIs can automate almost the entire process, saving companies time and money. By one estimate, more than $500 million is spent by financial institutions on financial crime prevention and compliance requirements.

What Are The Benefits Of Using APIs For AML?

APIs do not merely automate the AML and regulatory processes. They enhance them. There are numerous benefits associated with using APIs for AML and verification processes. They include:

  • Turnaround time (TAT) is reduced, resulting in quicker processing and a better customer journey.
  • Near-zero human error.
  • The extremely customizable nature of APIs makes integration easy.
  • Inexpensive in the long term.
  • The human workforce can focus on discrepancies rather than regular workflow, increasing efficiency.
  • Eliminates physical storage space, as all documentation is kept as soft copies.
  • Better customer onboarding experience
  • Better user interface

How Can Signzy Help You?

We offer numerous services, products and AML screening solution APIs that are useful for your ventures. We make sure that they are state of the art, because we do not compromise on quality. Signzy’s quiver of APIs and associated products is incredibly customizable. You can select which specific APIs suit your requirements and then integrate them into the required systems.

With 240+ microservice APIs alone, the collection is diverse and versatile. All of our products meet regulatory compliance standards without compromise. But we also make sure that the user is not troubled with inefficient customer journeys. Our systems are efficient and seamless, rendering the user experience truly satisfying.

With advancing technology, financial institutions and companies deem change necessary. If you do not opt for the right changes, the entire entity’s progress will decelerate. That’s why we at Signzy ensure that you get what suits your needs. We can make your customers’ journeys easy while making your aspirations easier.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

Knowing KYC Norms: How Will RBI’s Latest Directive For Implementing V-CIP Affect The BFSI Sector?

The Reserve Bank has always tried to remain adaptable in changing times. Its directive to utilize a video-based customer identification process (V-CIP) for know your customer (KYC) procedures is the latest evidence of this. The announcement came as an amendment to its master direction on the 10th of May 2021.

V-CIP utilizes facial recognition technology to identify the customer. It can also include an authorised official from the regulated entity (usually an RM) performing the live customer due diligence with informed consent for verification. This is far more convenient, secure, and seamless since the whole process is an audio-visual interaction between the RM and the customer.

What Is The RBI’s Directive?

The Reserve Bank stipulates that regulated entities (REs) use V-CIP in Customer Due Diligence (CDD) for:

  • New individual customer onboarding.
  • Proprietors (Proprietorship Firms)
  • Beneficial Owners(BOs) and authorised signatories among legal entity customers.

The directive is also for other RBI-regulated entities including banks, payment system operators and NBFCs. KYC updates for existing customers and for customers who had opened accounts through non-face-to-face modes (using Aadhaar OTP-based e-KYC verification) are also to be done with V-CIP.

The RBI provides guidelines for a minimum standard for all REs to maintain baseline cybersecurity for banks and financial institutions. These require them to:

  • House all technology infrastructure in the RE’s premises.
  • Use secured network domains for V-CIP connection origins.
  • Ensure all outsourcing of technology associated with the process is compliant with the respective RBI guidelines.
  • Maintain end-to-end encryption of information between the V-CIP hosting point and the customer’s device.
  • Obtain auditable and alteration-proof customer consent.
  • Create a transparent workflow and SOP(standard operating procedure) for all V-CIP related processing.

REs should appoint specially trained officials for operating the V-CIP process. These officials would record audio-video and obtain photographs (mostly real-time) of customers whose identification is to be verified.

These officials can obtain the customer identification information with an Offline or OTP based Aadhaar e-KYC verification. They can also retrieve the required information from CKYCR or equivalent OVD e-document repository through DigiLocker.

How Will It Impact The Sector?

Many financial institutions have already taken up V-CIP as an additional armour of protection against fraudsters and scammers. The RBI’s amendment of the master direction will encourage more institutions and REs to adopt V-CIP. The usually hesitant players will adopt this mode of technology for their benefit. Even government sector banks and NBFCs, traditionally slow to adapt, will follow suit.

The change would affect not only the REs and institutions, but also the customers, in a rather positive fashion. With the pandemic looming over the country, every individual desires to be safe and avoid all in-person interactions. With this directive, the REs and financial institutions are compelled to help solve this issue. With remote V-CIP methods, all customers will be at zero health risk.

Additionally, no customer prefers the extra time commuting and the plethora of documentation formalities that may follow in legacy systems of CDD. V-CIP makes the journey easier, preferable and convenient for the customer, all while saving the REs and their employees time and resources.

But it is important to be aware of how REs avail V-CIP services from Regtech firms. When it comes to such crucial aspects it is always safe to bet on reliable and supportive companies for assistance.

Why Signzy?

Signzy is a ‘no-code AI platform’ for financial services. No matter how complex a workflow or an operation, Signzy can completely automate the back-office operations and decision-making processes into a real-time API. Signzy’s pantheon of V-CIP related products is efficient and reliable to another class.

Some of the features Signzy’s V-CIP and Video KYC products have are:

  • Real-time OVD verification
  • Matching face on ID with face in the video (with % confidence score)
  • Unlimited video storage and instant retrieval
  • Geo-location capture and IP check
  • End-to-end encryption for video, channel, and communication
  • Video forensics for pre-recorded risk and spoof detection
  • Digital forgery check on the displayed ID proof
  • Customer identity verification through offline Aadhaar XML
  • Seamless and interactive UI for live video interaction
  • Timestamp and audit trail for every application and video interaction

Signzy’s V-CIP services and products are 100% in compliance with all the RBI regulatory guidelines and directives. This is essential as all REs are supervised for the right compliance practices and Signzy offers to negate all possible complications. Signzy’s solutions are easy to use with immediate responses which make it fast and efficient.


SC Judgement, PDP Bill, and NPD Framework — The Saga Of Data Privacy In India

A foundation for data privacy and protection is crucial for an emerging data-driven economy like India. India hosts almost 450 million Internet users, with a consistent growth rate of 7–8%, as per Forbes. The transition to a digital economy is radically underway. However, this implies that the processing of personal data is already on the verge of becoming universal.

The population of mobile phone users in India has already crossed the 750 million mark. This number is expected to reach 490 million by 2022. Therefore, personal data and information become available in the public domain. Sources estimate that India has about 390 million millennials and about 440 million generation Z that follows millennials.

Gen Z processes data faster. The most common use of this data is for mobile applications like Snapchat, Vine, and so on, apart from the usual popular social media apps. This leads to the creation of huge amounts of data about an individual, be it personal, behavioral, attitudinal, or financial, which can be used for both illegal and nefarious purposes, like what happened with Cambridge Analytica. Hence, data privacy will be of paramount importance in the coming years for governments across the world, specifically to protect their citizens.

The IT Act 2000 — The First Ancestor Of Data Privacy

Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate that possesses, deals with, or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected.

The Government of India has ratified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules provide guidance on the protection of “Sensitive personal data or information of a person”. This consists of personal information relating to:

  • Passwords;
  • Financial information — bank account or credit/debit card or other payment instrument information;
  • Physical, physiological, and psychological health conditions;
  • Sexual orientation;
  • Medical records and history;
  • Biometric data.

Section 72 of the IT Act sets out the penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act, or the Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document, or other material and, without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with a fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.

While the IT Act 2000 was not officially cleared for regulating data privacy in India, it can be considered the stepping stone which laid the foundation for future legislation.

The Supreme Court Ruling of 2016- Amendment Of Data Privacy In Aadhaar Act

In 2016, India amended its biometric identification system, known as Aadhaar. This enabled both the government and private entities to collect an individual’s ID number for any purpose. Human rights advocates decried this as a violation of privacy. There was a lot of concern and growing uncertainty surrounding this authorization. However, businesses in India continued to require ID numbers for certain services. The ID numbers were also used for consumer profiling and targeted advertisements.

The Supreme Court of India amended the 2016 Act which enabled private businesses to ask for customer ID numbers for any purpose. The Supreme Court was required to ascertain the validity of the provisions of the Aadhaar Act. The objective was to verify if the act was contrary to the right to privacy. This was later established as a fundamental right by the Supreme Court in 2017.

Key Findings in the Judgement

The judgment was unanimous, with all nine judges concurring with the final order. However, six judges — Justice Chandrachud, Justice Nariman, Justice Chelameswar, Justice Kaul, Justice Sapre, and Justice Bobde — wrote separate opinions covering a wide range of issues.

The key points of the judgment are summarized below:

(a) Privacy — A Fundamental Right

The Supreme Court confirmed that the privacy rights of an individual are a fundamental right. It does not need to be separately articulated. It can be considered as a derivative of articles 14, 19, and 21 as mentioned in the Constitution of India. It is a right that subsists as a fundamental consequence of the right to life and liberty. It protects a person from the scrutiny of the State in their home, of their whereabouts, etc.

The same applies to more personal choices like reproductive choices, food habits, etc.

(b) Necessary But Not Absolute Right

The Supreme Court also highlighted that the fundamental right to privacy is not absolute. It will always be subject to considerable restrictions. The State can declare restrictions on the right to privacy to protect justifiable State interests. This can only be done by following the three-pronged method summarized below:

  • Establishment of a law that rationalizes an encroachment on privacy
  • A legitimate State aim or requirement, which ensures that the nature and composition of this law is reasonably valid. It should also operate to guard against arbitrary State action.
  • The measures taken by the State are in tune with the objectives sought to be fulfilled by the law.

The Personal Data Protection Bill — India’s First Step To Legalize Data Privacy

Backdrop of The PDP Bill — How it came about

The Supreme Court observed during its judgment that privacy of personal data and facts is an essential aspect of the right to privacy.

Based on this, the Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee led by retired Supreme Court judge B.N. Srikrishna. This committee was hence named the Srikrishna Committee. On 27 July 2018, the committee submitted an extensive draft which is now known as the Personal Data Protection Bill. India is now set to have a comprehensive personal data protection law. On 11.12.2019, MeitY introduced the Personal Data Protection Bill (PDP Bill) in Lok Sabha as Bill No. 373 of 2019.

The Birth Of PDP — India’s Data Privacy Bill

The PDP Bill seeks to provide for the protection of the personal data of individuals. It also intends to create a framework for processing such personal data. To do so, the bill proposes the establishment of a Data Protection Authority.

Key Takeaways of The PDP Bill

The following are the salient features of the Bill:

  • The PDP Bill is meant to improve data handling and data privacy in a way that is similar to the European Union’s GDPR.
  • The PDP Bill emphasizes the need to create a Data Protection Authority (DPA). This will be similar to the authorities present in the member states of the European Union. The bill also defines the categories of sensitive personal data that require protection.
  • The PDP Bill defines ‘data fiduciary’. It also sets out the various obligations for them. These are based on how they obtain, deal with/process, and retain personal data.
  • If the PDP Bill becomes official, businesses would be required to inform users about their data collection practices. They would need the customers’ consent for the same as well. It would be their responsibility to collect and store evidence that such notice was given and consent was received. Consumers would have the ability to withdraw their consent. This means that businesses would have to design systems that allow clients to withdraw their consent.
  • The PDP Bill gives consumers the power to access, edit, and delete their data after the same is processed to fulfill its objective. As such, the businesses would have to create ways to allow consumers to do so.
  • The PDP Bill enables clients to transfer their personal data. This can include any inferences made by businesses based on such data, to other businesses.
  • The PDP Bill mandates all businesses to make changes on an organizational level to protect data better.

How PDP Inevitably Led To NPD

The PDP Bill stipulates that the Central Government can direct a data fiduciary or a data processor to provide anonymized personal data or non-personal data.

This can be done “to enable better targeting of delivery of services or formulation of evidence-based policies by Central Government”.

It was based on this that in September 2019, MeitY formed a committee of experts led by the co-founder of Infosys — Kris Gopalakrishnan. The purpose of the committee was to draft a framework to regulate non-personal data (NPD).

The NPD Framework

As stated above, the Indian government is considering a framework to regulate non-personal data (NPD). The Committee released its report on 12 July 2020 for public consultation/feedback.

A Brief Overview

The NPD framework could affect the entire value chain just like PDP. The impact could range from creators of tech services and products to enablers and consumers. The NPD framework will require companies to obtain user consent. This has to be done before anonymizing data and using it.

NPD includes data generated through online transactions. These can be orders through delivery platforms or any online service. The data is anonymized and all personal identifiers are removed. This data is then harnessed to enhance the quality of service, ML algorithms, and other technologies.

Non-Personal Data Authority — The New Player

There is an apparent need to regulate the collection, processing, storage, and sharing of NPD. For this, the Committee recommends the formation of a separate NPDA authority. The details on the constitution of the NPDA need to be figured out.

As of now, the Committee has highlighted that the NPDA should have some members with relevant industry experience. The Data Protection Authority (DPA) under the PDP Bill protects personal data. Similarly, the NPDA is meant to protect the value of NPD.

The NPDA should work simultaneously with the DPA. The same applies to other sectoral regulators like the Competition Commission of India. The Committee also advises that NPDA should play the roles of both enabler and enforcer.

As an enabler, the NPDA should ensure that NPD is available for various social, public, and economic purposes. This applies highly to legitimate NPD sharing requests. Other areas include:

  • Regulate and supervise NPD sharing agreements between relevant stakeholders
  • Supervise the market for NPD.

As an enforcer, the NPDA should oversee the provisions of the proposed NPD legislation. This will include:

  • Regulating Data Businesses
  • Mandating the sharing of NPD in certain circumstances
  • Setting standards and certifying frameworks, including for NPD sharing
  • NPD safety
  • Anonymization of PD.

Introduction Of “Data Business”

Under the NPD framework, the Committee advises that private and public sector entities who collect NPD be required to register as a Data Business. This will be dependent upon meeting certain criteria as per the guidelines of NPDA. For entities that do not meet these criteria, this registration will be voluntary. The Committee further recommended that this will be a one-time event. The process for registration will be lightweight and fully digital. The entities must provide details regarding their function. This includes the type of data they collect, process, and use. It also highlights the manner and purpose. To enhance the process, these disclosures will be made with respect to those relating to PD under the PDP Bill, if at all applicable.

PDP and NPD — Similar Grounds

Similar to the classification of personal data under the PDP Bill, the Committee classifies NPD into 3 categories, namely general, sensitive, and critical. The framework also requires businesses to obtain user consent before anonymizing even NPD. For example, suppose a cab aggregator wants to aggregate rider travel data from a section of its user base to derive insights. In this case, it would need consent from each rider in the cohort. Execution of this is bound to create practical challenges for companies. It will make analytics a lot more complicated for tech companies as well.

Key Stakeholders of NPD — An Elaborate Overview

The Report lists the following roles for potential players within the NPD framework:

(i) Data Principal — In the case of Public NPD and Private NPD, this is the person (individuals, companies, communities) to whom the data relates. In the case of Community NPD, the community that is the source of the NPD would be the Data Principal. This is similar to the categorization of a data principal under the PDP Bill, in relation to PD, with Data Principals being allowed to exercise significant control and economic rights over their NPD.

(ii) Data Custodian — This is the person who undertakes collection, storage, processing, and use of NPD. Data Custodians may be public or private sector entities who process NPD, such as government ministries, telecom companies, or e-commerce entities. Data Custodians must comply with requirements under the NPD Legislation, such as adopting prescribed anonymization standards. NPD must be used by Data Custodians in a manner that is in the ‘best interest’ of the Data Principal. They have a ‘duty of care’ to the individual or community from which NPD has been collected. This principle is similar to that of a data fiduciary under the PDP Bill, which lays down specific obligations to be undertaken by the data fiduciary with respect to the data rights of the Data Principal.

(iii) Data Trustee — This is the person through which a community exercises its data rights and who takes action to protect the community against any collective harm arising from the use of Community NPD. In most instances, the Data Trustee will be the closest and most appropriate representative body for a community and may be a government agency at any level (such as the Ministry of Health for data on diabetes in India). However, it could also be citizens’ groups (such as residents’ welfare associations for local data), or civil society organizations. No clarity is provided as to how a Data Trustee would be identified, the eligibility criteria for such an entity, or whether the community data principals play a role in identifying the Data Trustee; this is to be provided under the NPD Legislation.

(iv) Data Trust — This is an institutional structure bound by rules for handling a specific set of NPD. Such trusts may hold NPD which may be voluntarily shared by Data Custodians, or mandatorily shared NPD on the basis of orders from the government or Data Trustees (as described below in Section 8). However, the Committee has provided very little insight as to how Data Trusts will function, including how such trusts will be constituted, who determines its members, and its role in the NPD ecosystem.

Impact Of NPD — What This Means For Businesses

Tech companies or organizations that meet the currently undefined threshold of collected or processed data will be considered ‘data businesses’ under the proposed framework.

Such businesses will be subject to a host of compliance requirements, including registration, monitoring of operations, and disclosure obligations. They will have to submit metadata about the data they collect to open-access ‘meta-data directories’ — essentially sharing data on the data they collect.

Based on the above, anyone can query the business for their dataset. Quite obviously, there is a fear that even small companies and startups processing data could qualify as data businesses. Another point of concern is that they will be subject to an excessive compliance and data-sharing framework. This will increase operational and data storage costs and hinder the ability of startups to develop their services.

The proposed framework could hamper business prospects by imposing mandatory sharing and a higher compliance burden. Given the absence of a global benchmark for NPD regulation, proposing specific legislation and a regulatory body for NPD without adequate consultation may be premature.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

The Saga Of KYC In US Banking Regulations — BSA To Patriot Act And The Road Ahead In The Digital Age

KYC regulations have critical implications for consumers in the financial space. Banks need to comply with KYC to limit fraud. However, KYC requirements for banks are often passed down to those with whom the banks do business.

KYC In Banking — The Base At The Bank Secrecy Act

KYC requirements for banks help them verify the identities of their clients. It is also a way to assess any potential risks of forming a business relationship with them. The goal of KYC is to prevent banks from being used, intentionally or not, for money laundering and other illegal activities.

In 1950, the Federal Deposit Insurance Act was passed to monitor the Federal Deposit Insurance Corporation (FDIC). The bill included a list of regulations that banks must comply with in order to remain insured by the FDIC. This event was crucial to forming the foundation of modern KYC laws.

In 1970, the U.S. Congress introduced the Bank Secrecy Act. The BSA is an amendment to the Federal Deposit Insurance Act. It requires banks to produce 5 types of reports to FinCEN and the Treasury Department:

  • Currency Transaction Reports (CTR): This contains any cash transaction that exceeds $10,000 in one business day. It can include multiple transactions.
  • Suspicious Activity Reports (SAR): This report shows any cash transaction where a customer violates BSA reporting requirements.
  • Foreign Bank Account Report (FBAR): Any U.S. citizen/resident with a foreign bank account of at least $10,000 is required to file an FBAR report each year.
  • Monetary Instrument Log (MIL): Banks must keep a record of all cash purchases of monetary instruments. This includes money orders, cashier’s checks, traveler’s checks, etc.
  • Currency and Monetary Instrument Report (CMIR): Any person or institution that physically transfers monetary instruments in excess of $10,000 into/outside of the United States must file a CMIR.

The ABCs of KYC — The Major Focus Of Patriot Act

KYC laws were launched in 2001 as part of the US Patriot Act. The law was passed after 9/11 to provide a means to hamper terrorist behavior.

The particular section of the Act that pertained specifically to financial transactions added requirements and enforcement policies to the Bank Secrecy Act of 1970 that had thus far regulated banks and other institutions. These changes had been in the works for years before 9/11. The terrorist attacks finally provided the thrust needed to enforce them.

Thus, Title III of the Patriot Act requires that financial institutions deliver on two requirements for stricter KYC. These two are the Customer Identification Program (CIP) and Customer Due Diligence (CDD).

 

CIP — The First Pillar Of The Patriot Act

CIP is the more straightforward of the two components, and likely more familiar.

To comply with CIP, a bank asks the customer for identifying information. Each bank conducts its own CIP process, so a customer may be asked for different information depending on the institution. An individual is generally asked for a driver’s license or a passport.

Information requested for a company might include:

  • Certified articles of incorporation
  • Government-issued business license
  • Partnership agreement
  • Trust instrument

For either a business or an individual, further verifying information might include:

  • Financial references
  • Information from a consumer reporting agency or public database
  • A financial statement

Nonetheless, every bank is required to verify their customers’ identity and make sure a person or business is real.

CDD — The Second Pillar of The Patriot Act

The second component, CDD, is more nuanced.

In conducting due diligence, banks aim to predict the types of transactions a customer will make.

This is done in order to be able to detect anomalous (or suspicious) behavior.

This also helps assign the customer a risk rating that will determine how much and how often the account is monitored.

Finally, it also helps identify customers whose risk is too great to do business with.

Banks may ask the customer for a lot more information. This can include the source of funds, the purpose of the account, occupation, financial statements, banking references, description of business operations, and others. There’s no standard procedure for conducting due diligence. This means banks are often left to their own devices.

In fact, the Patriot Act doesn’t even directly highlight a CDD requirement. Rather, it states that a bank is required to file a suspicious activity report if it suspects or has reason to suspect such activity. But without knowing about its clients, a bank won’t be able to meet this requirement — hence the CDD.

The Financial Crimes Enforcement Network (FinCEN) regulates and strictly enforces KYC. FinCEN also manages other regulators for banks. It also manages the Fed’s Board of Governors, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency of the U.S. Treasury. Other financial institutions can be regulated by the SEC, the U.S. Treasury, the IRS, or the National Credit Union Administration, among others.

As a result of due diligence, a bank might flag certain risk factors. These include frequent wire transfers, international transactions, and interactions with off-shore financial centers. A “high-risk” account is then monitored more frequently. In such cases, the customer might be asked more often to explain his transactions or provide other information periodically.

KYC requirements for banks in the Digital Age

Today, banks and their fintech counterparts can go to great lengths to assure compliance with KYC standards. As a result, more money is constantly poured into new KYC technologies. This was found in a study by CEB TowerGroup. Currently, KYC solutions rank amongst the most valuable banking technologies. More than 62 percent of executives are certain KYC investments will grow even more in the future.

In the modern context of digital, border-free and contactless payments, AML and KYC cannot deny their beginnings. Many KYC procedures still derive from a time when financial services were stationary. Back then, the client had to be physically present in a banking branch to access them. Identity verification was a simple matter of seeing the client physically. This was usually followed with collating the paper documents and ID with official records. The client databases had to be updated manually.

Users supply bank account data, social security numbers, etc to fulfil the KYC requirements for banks. They may also provide hard physical proofs of identity like a valid passport and utility bills (water or electricity bills). Should the customer deliberately hand over false information, the reviewing company will have the case investigated. This may ultimately lead to legal action. Modern technologies help alleviate the human factor. AML procedures today are more about lines of code on a server than types of seals on paper documents.

Yet, in many cases, banks and fintech businesses don’t settle for the state-of-the-art in regulatory tech. A KYC Market Report by CEB states that the systems by which banks identify their customers are often outdated. With general anti-money laundering technology, the situation gets even worse.

This is why banks and financial institutions are invited to rethink the KYC requirements for banks in light of modern software solutions and technologies like:

  • Blockchain: Sharing of KYC related data without intermediaries
  • Artificial intelligence: Approval of documents via self-learning algorithms
  • Biometrics: Identification through biometric features
  • CDD and EDD by evaluation of social media activity
  • Streaming: Voice and face identification via video chat

Regulatory technology (or RegTech) like this has the potential to make processes a lot faster, more accurate and transparent with digital KYC.

Conclusion

In our current time of digital disruption, KYC and AML are in a constant state of change. The online market for financial services and products is growing and so are the risks for customers engaging with them. The international banking and fintech scene keeps changing, and this will keep regulators occupied. Innovative technologies and flexible software give businesses an edge, allowing them to stay compliant and to adapt to new forms of cybercrime.

But within this period of change, one thing remains firm:

There will always be customers. And knowing what they are up to will always be a key factor for corporate success.


The Common Factors Of Global Privacy Framework — A Brief Overview On GDPR, CCPA & DEPA

“India needs a paradigm shift in personal data management” — stated in the NITI Aayog draft on DEPA architecture. With the introduction of the PDP Bill, the argument rightfully holds. We already have the blueprint, so isn’t it time we got started on building the architecture itself? So the DEPA was just a matter of time.

The DEPA framework is robust and unique to Indian data privacy laws. Anyone who goes through the proposal will agree that it overlays some areas which are not unique. These areas can be found in the data privacy framework of other nations as well. Let us take examples of the two prominent ones — Europe’s GDPR and California’s CCPA.

CCPA — Popularity Of Privacy In California

There is no single authority for oversight on data privacy in the U.S.

Instead, the country maintains a sectoral approach. It is dependent on a collective of sector-specific laws and state laws.

There are almost 20 industry- or sector-specific federal laws. On the state level, more than 100 privacy laws exist (in fact, there are 25 privacy-related laws in California alone).

The California Consumer Privacy Act (CCPA) provides citizens of California with 4 rights for power over personal data:

  • right to notice
  • right to access
  • right to opt-in (or out) and
  • right to equal services.

Any organization which gathers the personal data of California residents must adhere to CCPA.

Personal Data Classification in CCPA

The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, the State recognizes a “broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information” that can be used to identify an individual. Examples of covered personal information include:

  • Personally identifiable information (PII). This can be name, address, phone number, email address, social security number, driver’s license number, etc.
  • Biometric information, such as DNA or fingerprints.
  • Internet or similar electronic network-based activity information. This can be browsing history, search history, and information regarding a consumer’s Internet activity.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar data.
  • Professional or employment-related information.
  • Education information, defined as information not readily available for the public.
  • Inferences drawn from any of the above examples that can create a profile about a consumer. This reflects the consumer’s preferences, characteristics, psychological trends. It also displays predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

GDPR — The European Breakthrough In Privacy

GDPR is an EU regulation that has been designed to protect users’ personally identifiable information (PII). It also enables businesses to hold a higher standard in terms of how they collect, store, and use this data.

Similar to CCPA above, GDPR gives EU citizens control over their personal data. It also assists in changing the data privacy approach of global organizations.

Key Highlights

  • GDPR is applicable to all who process “personal data”. Most obviously, these are names, email addresses, and other types of PII.
  • It creates significant new responsibilities. Processing personal data makes you responsible and accountable for its security and use.
  • It has a global reach. Despite being an EU law, it applies to all, regardless of their location.
  • It doesn’t just apply to traditional businesses. The principles are concerned with what you do with other people’s data, not who you are or why you do it.
  • There are hefty fines for non-compliance. These can go up to €20 million ($24m) or 4% of global revenue, whichever is higher.

What are the common denominators?

The CCPA is about increasing transparency for California residents. It allows them to discover and change how their data is collected and transacted. Meanwhile, the GDPR is a binding regulation. It monitors data privacy across the E.U., replacing dozens of national privacy laws with a single framework. However, GDPR does have implications for businesses in the US, despite originating in Europe.

Side by side, here’s how they compare:

Both regulations arose to protect people in a world of increasing global interconnectivity. This is in a world where international transfers of personal data are more frequent and elaborate. Regrettably, advances in technology have resulted in data misuse scandals & sophisticated cyber attacks.

CCPA and GDPR apply to individual organizations in different ways. While there are some nuances in scope that distinguish both sets of legislation, they share similar goals.

How do the laws define personal information?

Personal information (CCPA) vs. personal data (GDPR)

CCPA deals with the collection and sale of personal information. GDPR on the other hand addresses personal data processing.

The CCPA defines personal information as any information that identifies, describes, relates to, or can be linked with a consumer or household. This includes PII as previously discussed.

Under the GDPR, personal data refers to any information that directly or indirectly identifies someone. While this doesn’t include household identifiers, any identifying personal data that is not anonymized falls under the GDPR. The CCPA, however, exempts specific categories of medical and personal information from its scope.

Contributions of CCPA & GDPR:

The two regulations overlap when it comes to some rights — so if you’re already compliant with GDPR, you’re well on your way to meeting CCPA requirements.

Here’s what the CCPA and GDPR have in common:

  • The right to know: Under the CCPA, businesses must disclose to consumers (upon request) the information that is collected, used, disclosed, and sold. Organizations under the GDPR must notify individuals at the time of collection and inform them of the purpose. They must also inform how long they’ll retain this data, and who it will be shared with.
  • The right to access: Individuals are entitled to access their personal data. They can request copies of their personal information verbally or in writing. Businesses have a month to respond to requests under the GDPR and — most of the time — can’t charge fees to deal with them.
  • The right to portability: Individuals protected by the CCPA and GDPR have the right to request their personal information. This can be in accessible, machine-readable formats such as CSV, XML, and JSON.
  • The right to erasure: Consumers have the right to request the deletion of any personal information. This applies to information an organization has collected or stored, under a variety of circumstances.

DEPA — How Laws Like GDPR and CCPA laid the groundwork?

The PDP Bill introduces the construct of consent managers. They are data fiduciaries registered with the DPA. They provide interoperable platforms that aggregate consent from a data principal. This is similar in many ways to the GDPR Data Controllers. As mentioned above, personal data identification is also similarly reflected by the CCPA. The assigning of key stakeholders is also the same here.

Data principals may provide their consent to these consent managers. The consent is for the purpose of sharing their information with various data fiduciaries. They may even withdraw their consent through these consent managers. This is a unique construct. This concept has been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data. This currently powers the Account Aggregators licensed by the RBI.

DEPA — Building From The Data Privacy Blueprint

NITI Aayog has presented a draft policy highlighting DEPA. DEPA stands for Data Empowerment and Protection Architecture. It allows individuals to “seamlessly and securely access their data”. This can be shared with third-party institutions.

The report looks into assisting organizations with sharing the personal data of an individual with one another. This can be done through the concept of “consent managers”. They will manage people’s consent for data sharing.

The policy constitutes this new data governance model in light of ‘individual empowerment’. This is done by enabling the seamless exchange of personal data among institutions. The process is secure and minimizes privacy harms.

This draft policy follows the myriad of other data-related policies in India. These include the Non-Personal Data Governance Framework and the National Digital Health Mission. NITI Aayog has stated that the policy will be publicly launched and operationalized in 2020 itself.

Features:

  • DEPA will empower individuals with control over their personal data. This will be done by implementing a regulatory, institutional, and technology design for secure data sharing.
  • DEPA is designed as an evolvable and agile framework for good data governance.
  • DEPA empowers people to seamlessly and securely access their data. It can be shared with third-party institutions.
  • The consent given under DEPA will be free, informed, specific, clear, and revocable.
  • Consent Managers: DEPA will involve the introduction of new stakeholders — User Consent Managers. They will ensure that individuals can provide consent for all data shared. These Consent Managers will also work to protect data rights.
  • Account Aggregators: Reserve Bank of India (RBI) had earlier issued a Master Directive for creating Consent Managers in the financial sector. They are to be known as Account Aggregators (AAs). A non-profit collective or grouping of these stakeholders forms the DigiSahamati Foundation.
  • Open APIs: These enable the seamless and encrypted flow of data between data providers and data users through a consent manager.
  • Implementation: RBI, SEBI, IRDAI, PFRDA, and the Ministry of Finance are set to adopt and execute this model. This regulatory foundation will eventually evolve with the onset of new legislation (e.g. with the forthcoming Data Protection Authority envisaged under Personal Data Protection Bill, 2019).

Background:

The regulatory direction on data privacy, protection, consent, and the new financial institutions required for DEPA’s application in the financial sector was provided through the following sequence of events:

  • Supreme Court Judgement on the Fundamental Right to Privacy in 2017.
  • Personal Data Protection Bill (PDP), 2019.
  • Justice Srikrishna Committee Report, 2018.
  • RBI Master Direction on NBFC-Account Aggregators, 2016 (for the financial sector).

Impact On Financial sector:

  • Individuals and Micro, Small and Medium Enterprises (MSMEs) can use their digital footprints with DEPA. They can also access affordable loans. Other amenities include insurance, savings, and better financial management products.
  • The framework is expected to become functional for the financial sector starting fall 2020.
  • It will help in greater financial inclusion and economic growth.
  • Flow-based lending: DEPA can provide portability and control of data. This could allow an MSME owner to digitally share proof of the business’ regular tax (GST) payments or receivables invoices easily. On the other hand, a bank could design and offer working capital loans. This can be based on the demonstrated ability to repay. (This is known as flow-based lending). This is suitable for offering bank loans backed by assets or collateral.

Conclusion

This is the beginning of a new uniquely Indian journey on data empowerment and financial inclusion. An open and vibrant data democracy can be created. But this is only if we can enable a billion individuals to thrive in an increasingly digital economy.

The digital economy should comprise digital public goods. These should be designed to scale to meet the needs of a diverse population. Moreover, the technology standards constituting DEPA are open and publicly available. This also means that the technical and institutional architecture can also be applied to other countries. An institutional body could even be designed to help globalize this standard. This will help apply it to other nations facing similar challenges as appropriate.
