How NBFC-Account Aggregators Ease Financial Processes And Protect Privacy

Account Aggregators (AA) are financial entities belonging to a new class of NBFCs introduced by the Reserve Bank of India (RBI) in 2016. With the customer's consent, an NBFC-AA consolidates, organises and retrieves a customer's financial data when a Financial Information User (FIU), most often an NBFC, requires it, for a fee or otherwise. The mechanism must follow the consent architecture prescribed by RBI. In simpler terms:

NBFC-AAs make a requirement like a loan application easier for the customer by giving the lender access to the customer's financial data, with the customer's consent.

Although NBFC-AAs were introduced in 2016, the concept existed earlier. Account aggregators like Perfios and Yodlee were already consolidating financial data and analysing it for customers or institutions. The Government then decided to give formal status to entities that keep track of scattered financial data and to place them under the scrutiny of multiple financial regulators (RBI, SEBI, IRDAI and others), an official commitment to transparency.

Why are Account Aggregators needed?

Most of an individual's financial data is scattered, because she holds multiple financial products from multiple institutions. Even the customer herself may not have a clear picture of her own financial data.

Another significant factor is data security. Until now the customer has had no way to provision her data securely to different entities. The current modes are:

  • Account credentials are shared with third parties, which then hold full access to the account rather than only the data the purpose requires.
  • Data is provided as hard copies.
  • A limited exchange of data through paperless channels.

None of these modes is safe: the data is acquired through channels the customer does not control, and privacy can be compromised to a large extent.

Thus the purpose of an NBFC-AA is to give a collective view of the customer's holdings and products. It provides information on the multiple accounts held by the customer in a consolidated, organised and retrievable format. This is entirely voluntary and is not done without the customer's consent.

An NBFC is usually associated with transactions in the customer's financial assets. An NBFC-AA has no such role: its only role is account aggregation, and it stays out of all financial transactions.

An NBFC-AA's services rest on the necessary authorisations among the customer, the aggregator and the Financial Information Provider (FIP). This restriction, along with most of the others, was introduced by the Financial Stability and Development Council (FSDC). This is also where the role of an NBFC-AA extends beyond financial data into other domains.

How do NBFC-AAs ease financial transactions?

NBFC-AAs can retrieve a customer's financial data from any FIP regulated by a financial sector regulator. The data is consolidated and organised in a single portal and can be shared with an FIU, which must itself be regulated by a financial sector regulator such as RBI, SEBI or IRDAI. Every data transfer must be consented to by the customer; without consent nothing happens. For this, the NBFC-AA must implement a detailed 'Consent Architecture'.

In practical terms this wealth of information is a gold mine for the FIUs (NBFCs), which can retrieve, with consent, a customer's data through the NBFC-AA. But RBI has ruled that account aggregators may only move customer data; they may not store it.

The process is explained with the following illustration –[reference. Image 1]


Source- http://vinodkothari.com/2020/02/nbfc-aa-consent-gateways/

Some aspects of the process:

  • When a customer applies for a loan through a digital lending app, the NBFC needs the applicant's financial data to run a credit evaluation and decide whether to approve or deny the loan.
  • NBFC-AAs ease this: instead of demanding every financial holding individually and in hard copy, the NBFC asks the customer for consent, and the data flows from the NBFC-AA to the NBFC concerned (the customer can also fix the period for which the data may be shared). The whole process takes a minuscule amount of time, usually mere seconds.
  • Beyond the time saved, the friction in information sharing is considerably reduced without compromising security.

What about when the Fintech Company is involved?

There are three parties in the process:

  • The Sourcing Partner: a fintech company.
  • The Funding Partner: usually an NBFC that provides the funds.
  • The third entity: an Account Aggregator (NBFC-AA) that provides the required information with consent.

The fintech entity's role in this triangle depends on whether it applies for an NBFC-AA licence itself or brings in a separate entity that has applied for the licence and can perform the NBFC-AA role. The former option requires the fintech company to maintain Rs. 2 crore of Net Owned Fund (NOF) to be eligible for registration.

This image illustrates the process with a fintech entity — [reference. Image 2]


Source- http://vinodkothari.com/2020/02/nbfc-aa-consent-gateways/

Consent Architecture

Consent is the most significant part of an NBFC-AA. Without the customer's consent the NBFC-AA has no capacity to act. Obtaining, submitting and managing consent must strictly follow the Master Directions issued by the RBI. The Directions prescribe a standardised consent artefact containing:

  • The customer's identity.
  • Contact information.
  • The nature of the financial information requested.
  • The specified purpose for obtaining the information.
  • The identity of the information recipients.
  • A URL or other address to be notified every time the consent artefact is used to access the information.
  • The consent creation date and expiry date.
  • The Account Aggregator's identity and signature or digital signature.
  • Any other attributes prescribed by RBI.

The artefact may also be in an electronic form capable of being logged, audited and verified.

The customer can revoke consent at any time, after which the artefact has no further effect. Once consent is revoked, an updated consent artefact reflecting the revocation is shared with the FIP so that no further data is released against it.
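As an added illustration (this is not code from the page, from RBI or from any aggregator's implementation), the following Go program models the consent artefact described above as a signed, expiring, revocable record, together with the checks an aggregator would run each time an FIU presents it to fetch data. The field names, the HMAC-SHA256 tag standing in for the aggregator's digital signature, the sample values and the audit-line format are all assumptions of this example; the ecosystem's real artefact format is specified separately.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ConsentArtefact holds the attributes the Master Direction lists; field names are this example's own choice.
type ConsentArtefact struct {
	ID         string
	Customer   string          // customer's identity
	Contact    string          // contact information
	FITypes    map[string]bool // nature of the information requested
	Purpose    string          // specified purpose
	Recipient  string          // identity of the FIU that receives the data
	NotifyURL  string          // notified every time the artefact is used
	CreatedAt  time.Time       // consent creation date
	ExpiresAt  time.Time       // consent expiry date
	Aggregator string          // identity of the signing AA
	Signature  string          // hex HMAC-SHA256 over every other field
}

var (
	ErrBadSignature   = errors.New("consent: signature does not verify")
	ErrRevoked        = errors.New("consent: revoked by the customer")
	ErrExpired        = errors.New("consent: outside its validity window")
	ErrWrongRecipient = errors.New("consent: presenter is not the named recipient")
	ErrOutOfScope     = errors.New("consent: information type not covered")
)

// Registry is the aggregator's side: its signing key (an HMAC key stands in for a real one), revoked IDs and an audit trail.
type Registry struct {
	key     []byte
	revoked map[string]bool
	Audit   []string
}

func NewRegistry(key []byte) *Registry {
	return &Registry{key: key, revoked: map[string]bool{}}
}

// mac signs every field except Signature; encoding/json keeps declaration order, so the bytes are deterministic.
func (r *Registry) mac(c ConsentArtefact) string {
	c.Signature = ""
	b, _ := json.Marshal(c) // cannot fail for this struct
	m := hmac.New(sha256.New, r.key)
	m.Write(b)
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Issue signs the artefact as the aggregator once the customer has approved it.
func (r *Registry) Issue(c ConsentArtefact) ConsentArtefact {
	c.Signature = r.mac(c)
	r.Audit = append(r.Audit, fmt.Sprintf("issued %s: %s -> %s until %s", c.ID, c.Customer, c.Recipient, c.ExpiresAt.Format(time.RFC3339)))
	return c
}

// Revoke is the customer withdrawing consent; the artefact is void afterwards.
func (r *Registry) Revoke(id string) {
	r.revoked[id] = true
	r.Audit = append(r.Audit, "revoked "+id)
}

// Authorize runs each time a party presents an artefact to fetch one information type at time now; every grant and denial is logged, and a grant triggers the notification address the artefact names.
func (r *Registry) Authorize(c ConsentArtefact, presenter, fiType string, now time.Time) (err error) {
	defer func() {
		if err != nil {
			r.Audit = append(r.Audit, fmt.Sprintf("denied %s to %s: %v", c.ID, presenter, err))
		} else {
			r.Audit = append(r.Audit, fmt.Sprintf("notify %s: %s used by %s for %s", c.NotifyURL, c.ID, presenter, fiType))
		}
	}()
	switch {
	case !hmac.Equal([]byte(c.Signature), []byte(r.mac(c))):
		return ErrBadSignature // any edited field (recipient, expiry, scope) lands here
	case r.revoked[c.ID]:
		return ErrRevoked
	case now.Before(c.CreatedAt) || !now.Before(c.ExpiresAt):
		return ErrExpired
	case presenter != c.Recipient:
		return ErrWrongRecipient
	case !c.FITypes[fiType]:
		return ErrOutOfScope
	}
	return nil
}

// SampleArtefact is constructed data for a one-month consent; every value is made up for this example.
func SampleArtefact() ConsentArtefact {
	return ConsentArtefact{
		ID: "consent-0001", Customer: "customer@example-aa", Contact: "customer@example.com",
		FITypes: map[string]bool{"DEPOSIT": true, "TERM_DEPOSIT": true}, Purpose: "loan underwriting",
		Recipient: "LenderNBFC", NotifyURL: "https://lender.example/aa/notify", Aggregator: "ExampleAA",
		CreatedAt: time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC), ExpiresAt: time.Date(2021, 4, 1, 0, 0, 0, 0, time.UTC),
	}
}
```

The order of the checks matters: the signature is verified before any field is trusted, so a presenter who edits the recipient, the expiry or the scope of a copied artefact is rejected as a forgery rather than passing a later check on the edited value. Revocation is a registry lookup, not a property of the artefact, because a revoked artefact still carries a valid signature. The audit trail records denials as well as grants, which is what makes the "logged, audited and verified" requirement meaningful.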

Which are the prevalent NBFC-AAs?

RBI has granted operating licences to four AAs:

  • CAMS FinServ
  • Cookiejar Technologies Pvt Ltd. (Product titled Finvu)
  • FinSec AA Solutions Private Limited (The Product titled OneMoney)
  • NESL Asset Data Limited

RBI has granted in-principle approval to three AAs:

  • Jio Information Solutions Limited
  • Perfios Account Aggregation Services Pvt Ltd
  • Yodlee Finsoft Pvt Limited

Sahamati, a collective of the AA ecosystem, reports that Axis Bank, Bajaj Finserv, Kotak Mahindra Bank, ICICI Bank, IDFC First Bank, HDFC Bank and State Bank of India are currently building their FIP/FIU implementations, and that IndusInd Bank has already gone live. The reluctance FIPs have shown about sharing data, even with consent, is falling as the account aggregation domain matures.

BG Mahesh (co-founder of Sahamati) said: “AA platforms are in the final stage of the wave one marathon. They passed the proof-of-concept stage last year. State Bank of India and a few big private banks are in the pre-production stage. In the next month, they will go into production.”

FIPs like GST, CBDT and TRAI are expected to join the ecosystem once the framework is running successfully. The number of AAs is expected to grow in the coming years, with tech giants watching closely to join the next wave of this evolution.

What is Sahamati and how does it further help NBFC-AAs?

DigiSahamati Foundation (Sahamati) is a not-for-profit collective of account aggregators, incorporated as a private limited company under Section 8 of the Companies Act, 2013. Sahamati came into existence in response to the massively scattered financial data of customers and the need to consolidate and organise it.

Sahamati brings together people with diverse backgrounds in finance and technology to define and build India's Account Aggregator network and its Data Empowerment and Protection Architecture. Its work includes ensuring that banks implement a proper consent architecture, making FIP certification robust, and designing new methods for sharing data without compromising it.

How do we obtain an AA licence from RBI?

Companies with a Net Owned Fund (NOF) of more than Rs. 2 crore are eligible to apply for an AA licence. An entity regulated by another financial sector regulator that aggregates only the accounts of customers of that sector is exempt from registering with RBI.

Procedure for obtaining the NBFC-AA license — [reference. Image 3]


How NBFC-AAs Led to The Formation of DEPA

After the establishment of NBFC-AAs, a collective body for account aggregators was expected, and DigiSahamati Foundation (Sahamati) filled that role. Started as a private non-profit organisation, with the advice of RBI and other regulators, Sahamati was also one of the pioneers of a new data architecture. This led to a tighter and more secure data architecture, later strategised and formulated as the Data Empowerment and Protection Architecture (DEPA) in 2020.

DEPA, introduced by NITI Aayog as a draft policy, is a paradigm shift in how personal data is managed. It proposes a consent framework that lets users access their data and share it with third-party institutions. RBI, SEBI, IRDAI, PFRDA and the Ministry of Finance are to work together on its implementation.

DEPA introduces Consent Managers into the data architecture: entities that manage consent for data sharing and work to protect data rights. They arrange for selected data to be obtained from FIPs and delivered to FIUs for a specified period. Which data is shared, and for how long, is decided by the customer; without the customer's consent no process starts.

Under DEPA the individual, the prospective user of the data and the institution holding the data all interact through consent managers. These consent managers are 'data blind': the information passes through them encrypted, so they cannot view or use the individual's data themselves.

How Will NBFC-AA Help Users and Their Privacy?

The idea of collating and transferring data under a strict consent architecture will help a data-rich country like India become economically richer. As interactions such as verification and lending become quicker and simpler with Account Aggregators, economic activity speeds up.

The major concern about NBFC-AAs was privacy: how safe are we when data moves through a data manager? Once the structure of DEPA and the way privacy is protected were spelled out, more companies and organisations started their FIU plans. The real trust comes from the fact that an NBFC-AA cannot breach the user's privacy even though it collates and transfers user data, because:

  • No action can be initiated without the customer's consent.
  • The customer determines the specific data to be transferred.
  • The customer determines the period for which the data may be transferred (a week, a month, or whatever she prefers).
  • The content is not revealed to the NBFC-AA: it passes through encrypted.
  • The transfer is directly from FIP to FIU; the NBFC-AA merely organises the interaction, for a fee or otherwise.
  • Collectives like Sahamati allow grievances of all parties to be addressed swiftly.
  • Regulators provide oversight.
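The 'data blind' relay described in the DEPA section and in the bullets above can be shown concretely. This is an added example, not the page's code nor the ecosystem's published API: it assumes the FIU puts an ephemeral ECDH public key in its data request, the FIP encrypts the information with AES-GCM under a key derived from that exchange, and the aggregator relays only the resulting envelope. The P-256 curve, the SHA-256 key derivation, the envelope layout and the sample account record are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the FIP hands to the aggregator for relay. Only the FIU, which
// holds the private half of the key it put in the request, can open it.
type Envelope struct {
	ConsentID  string // metadata the aggregator may see and log
	FIPPublic  []byte // FIP's ephemeral ECDH public key (uncompressed P-256 point)
	Nonce      []byte // AES-GCM nonce, fresh per envelope
	Ciphertext []byte // AES-GCM output: encrypted FI data plus authentication tag
}

// FIUKeyMaterial is generated by the FIU per data request; the public half travels
// in the request, the private half never leaves the FIU.
func FIUKeyMaterial() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// sessionKey derives the AES-256 key from the ECDH shared secret, bound to the
// consent ID so a ciphertext cannot be replayed under a different consent.
// (SHA-256 over secret||id is this example's simplification of a proper KDF.)
func sessionKey(priv *ecdh.PrivateKey, peer []byte, consentID string) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(secret)
	h.Write([]byte(consentID))
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FIPEncrypt is the provider's side: it sees only the FIU's public key from the
// request, generates its own ephemeral key pair and encrypts the FI data.
func FIPEncrypt(fiuPublic []byte, consentID string, fiData []byte) (Envelope, error) {
	fipKey, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := sessionKey(fipKey, fiuPublic, consentID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		ConsentID:  consentID,
		FIPPublic:  fipKey.PublicKey().Bytes(),
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, fiData, []byte(consentID)), // consent ID as AAD
	}, nil
}

// AARelay is the aggregator's side. It holds no key, so all it can do is pass the
// envelope on and record metadata; the returned string is its audit line.
func AARelay(env Envelope) (Envelope, string) {
	return env, fmt.Sprintf("relayed %d ciphertext bytes for consent %s", len(env.Ciphertext), env.ConsentID)
}

// FIUDecrypt is the user's side. Any change to the ciphertext, nonce, FIP key or
// consent ID in transit makes the GCM tag check fail.
func FIUDecrypt(fiuKey *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	gcm, err := sessionKey(fiuKey, env.FIPPublic, env.ConsentID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ConsentID))
}
```

Two properties are worth noticing. The aggregator's audit line is built only from fields it can legitimately see (a consent ID and a byte count), which is exactly what "data blind" means in practice: it can prove the transfer happened without learning what was transferred. And because the consent ID is bound into both the key derivation and the GCM associated data, an envelope captured under one consent cannot be presented as the response to another, and any in-transit modification by the relay is detected by the FIU rather than silently accepted.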

The Verdict

Most modern NBFCs prefer to acquire the licence or use the services of an NBFC-AA, since this lets them serve the customer faster and more easily while cutting the expense and manpower that would otherwise be required. A customer who never has to leave the app on her phone grows more attached to the institution that offers such a facility.

Nonetheless, the revenue model must be built so that the NBFC-AA benefits from the services it provides to other NBFCs, including easier approval and sanction methods for lending.

The recent steep rise in interest in acquiring an NBFC-AA licence is evidence enough of how this relatively new entity will change financial transactions in this era.

The concern that easy access to personal financial data could lead to privacy breaches and other malpractice must be taken seriously. But the operative word is 'easily': easy access does not mean unsafe or irresponsible access. With a sound consent architecture, data is accessible only to selected entities for a selected time, and the final say rests with the customer.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

Indian PDP Bill’s Impact on Lending

As laws to protect personal data are debated, rejected, and adopted across the globe, individuals are becoming aware of their data rights. Privacy of data has become a source of company competitiveness with consumers seeking to engage with organizations that give them a semblance of control over their data. If that wasn’t enough, India is set to pass a regulation governing personal data this year.

The context for compliance

Going by the soon-to-be-passed Personal Data Protection Bill, 2019, lending is an area bound to be hit by a combination of compliance clauses. Data is central to lending: lenders collect, process and analyse a host of customer data throughout the lifecycle of a loan. This helps the lender gauge risk and offer personalised services adapted to the individual's needs.

To remain compliant these data fiduciaries must ensure they understand the compliance norms and the rights of the data principals. This blog explores the data rights that translate into areas of compliance across the lending process.

The primary rights which affect compliance for lenders are explained below:

[reference. Image: primary rights of data principals]

These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, here is my take on the PDP’s impact on compliance:

  1. KYC process

The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required for this are (a) Identity proof and (b) Address proof. This is already a consent-based process.

The clauses that have some bearing on this step are:

  • Storage limitation: after the loan has been repaid, the data principal can request erasure of all the KYC data.
  • Data portability: with eKYC and Video KYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case the data principal requests it.

2. Credit Underwriting

A number of data sources are inspected as a part of the credit underwriting process. These can be divided into:

a. Public sources

This includes news articles about a customer, public social media profiles etc. Since this category of personal data is public, lenders do not have to worry about non-compliance.

b. Private sources

There are a number of private sources that can be scraped for credit underwriting. Here we discuss a few of them that bring up the concern of compliance.

i. SMS reading

This considerably new method of credit assessment would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties associated with the SMS exchange.

ii. Bank login based pull

To evaluate a person’s financial history, lenders perform a bank login based pull. Apart from the fact that explicit consent is required to access this data source, the question here is whether this would be a breach of the data fiduciary’s (bank) trust and if consent would be required from them as well.

iii. Email login based pull

Sometimes applicants are required to provide login credentials for a data source such as a personal email account. Until now explicit permission was usually, but not always, sought before doing this. With the bill in place, email login based scraping would need to be fully consent-based.

3. Credit Bureau Access

To ensure effective debt management, lenders share a customer’s personal data with credit bureaus and other third parties when servicing a loan. The transactions, details of the companies involved and justification for the data transfer must be explained to customers. Although credit scoring is a “reasonable purpose exception” in the bill which allows personal data to be processed without consent, it is not certain if it grants an exception from the right to data erasure. The storage of personally identifiable information (PII), implies that a data principal can request it be completely erased.

4. Non-traditional types of data

Bureau companies were previously mandated by the Credit Information Companies (Regulation) Act (CIC Act), which doesn’t allow credit bureaus to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the credit bureaus. This included default history, size of defaults and repayment time of loans. With an increasing number of data sources, it is yet to be determined if alternative sources are allowed under the new bill. And, how compliance norms would apply to their processing. Potentially, such sources could be:

a. Google Places/ Yelp

b. Payment processors

c. E-commerce platforms

d. Shippers

Privacy by design

The bill mandates that every data fiduciary build a robust privacy system for storing and processing of personal data. A data protection system should be implemented from the outset. This “Privacy by Design” policy is a mandatory requirement and must be certified by the Data Protection Authority. The policy is to be published on the organization and the authority’s website.

Penalties

Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintechs and banks to start prepping for these compliance measures.

Dissent from lenders

The bill in its current form recognizes all forms of personal financial data as ‘sensitive personal data’. This definition of sensitive personal data in the bill is restrictive and brings up concerns for lenders. The Digital Lenders Association of India (DLAI) had submitted recommendations to reduce potential restrictions that the bill enforces. To make the lending process less prone to frauds, lenders need to access aspects of consumer data. This includes credit history, financial position and some alternative data of customers. With the current bill in place, this would become tedious. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.

Conclusion

The banking and fintech industry needs a clear compliance checklist. There is a dearth of understanding when it comes to how the current bill will affect compliance for data-centric processes like lending. This is because specific norms have not been released for the fintech space yet. The RBI and the government will need to come up with guidelines for the sector to ensure that function and compliance are not at odds.


Making KYC Digital For Mutual Funds In India — Landmark SEBI Guidelines & The Way Forward

The onboarding process for Asset Management Companies (AMCs) is among the most complex of all client-facing activities. Reams of documentation are exchanged between a client and the investment management firm. It is then distributed throughout the organization. Most of this requires approvals, signatures, and validations.

Digital onboarding requires finalising legal agreements and completing Know Your Customer (KYC) and Anti Money Laundering (AML) checks. It also involves opening client accounts on multiple systems and transitioning incoming assets. Each of these activities engages multiple groups across the organisation: client service, legal, compliance and operations. Without well-defined and coordinated procedures, errors such as misplaced information, breakdowns in communication and duplicated effort are likely. The right hand needs to know what the left hand is doing in order to manage all the hand-offs and moving parts properly.

Benefits of improving onboarding:-

  • Ability to generate fees sooner.
  • Increased potential to cross-sell, additional products, and services.
  • More referrals from clients due to a positive experience.
  • Reduced client turnover.
  • More efficient resource allocation.
  • Better views into process status.
  • Fewer mishandled communications and handoffs between the team.
  • Measurable efficiency through metrics.
  • Faster addition of new products and services.

Why Digital KYC? The Need For Digitization Of KYC In Mutual Funds

  • At present, investing in a mutual fund requires a second round of KYC, even for customers who have completed KYC for their bank accounts. The procedure involves submitting identity and address proofs along with photographs, and the distributor or adviser must meet the customer physically for 'in-person verification'. This requirement greatly hampers the growth of online mutual fund investing.
  • It also limits access to mutual fund investments for people in remote areas. In 2019, the Nilekani committee proposed a simple KYC procedure for opening a mutual fund account funded from a KYC-verified bank account, with inflows into such a folio and redemptions from it restricted to that account.

This leads to the digitization of KYC. Among the many advantages of getting paperless KYC done, the following benefits are most important:

  • Personal details are secure: account information, demographic data, biometric data and so on are stored and transmitted by the KRA, fund house or AMC portal under strict security controls. This reduces money laundering, loan scams, identity theft and fraud.
  • You are the boss: the decision to invest is always yours, and the digital KYC process runs only on your instruction. You also choose who gets access to your details. If you change your mind and decide not to invest in mutual funds, nothing further happens; with offline KYC, by contrast, your self-attested documents may end up with unauthorised parties. Online KYC reduces this risk considerably.
  • Instant process: no manual handling means no red tape, and the efficiency of the digital process avoids delays; the offline process takes at least a few days.
  • Transparency: KYC documents have commonly ended up in the hands of illegitimate persons. Online KYC avoids this: the data is stored on encrypted servers, which makes a breach far less likely, and in an online transaction the source of a breach can be traced and brought before the legal authorities with proof.
  • No hidden costs: some mutual fund agents charge an extra KYC registration fee, which investors pay to avoid taking time off work and visiting the agency in person. With eKYC you pay nothing beyond the investment amount.
  • Compliance: your data is validated using current technology, which increases the overall security of the system and ensures that the digitally transferred document is legally valid.

The Road To Digitization Of KYC

Since January 1, 2011, KYC has been mandatory for investors wanting to transact in mutual funds, regardless of the transaction amount. No fresh MF purchase after that date can be processed unless you are MF KYC compliant under the CDSL Ventures Limited (CVL) norms.

You can always ask your broker for the forms needed to submit your KYC, but since brokers earn nothing on mutual fund KYC they may not be much help. It is therefore worth understanding how to get your KYC done yourself. Follow these steps:

1. Get the Form

The KYC application form can be availed from the investor service centers for the particular Fund, CAMS or at any specified ‘Points of Service’ (POS) of CDSL Ventures Ltd. You can also download it from your broker, advisor or AMC.

2. Documents

The following lists the set of documents which are required for submission with the KYC application form:

1. A recent passport size photograph

2. PAN card copy

3. Address proof (a recent bank statement works, but if you receive your statements by e-mail you will need to visit your bank branch for an original).

The document submission can be done at the CAMS Online office in your city. Ensure you carry the originals along with a photocopy of the documents because at times they might need to verify with the originals.

3. Verification

Once the KYC application form and supporting documents are verified, the investor receives a letter confirming KYC compliance. The letter is normally issued within a few hours, and at most within 24 hours.

You can check your KYC status online. On the day of submission your status should show as processing; once done, it should change to VERIFIED.

Strictly, KYC need not be done through your broker. But some online systems reject orders when they do not have the KYC data in their own system, so it is better to get it done there as well.

KRA and K-IPV In KYC Collection

SEBI had initiated the usage of uniform KYC by all SEBI registered intermediaries (RIs). This was done to bring uniformity in the KYC requirements for the securities markets. In this regard, SEBI had issued the SEBI KYC Registration Agency (KRA), Regulations, 2011.

The KRA is the central repository for all KYC records and details in the securities market. A client who wishes to open an account with a broker submits KYC details through the KYC registration form with supporting documents. The intermediary is responsible for conducting the initial KYC and uploading the details to the KRA system. The KYC details are then accessible to all SEBI RIs for that client, so once a client has completed KYC with one RI, it need not be repeated with other RIs.

Every client must be registered with a KRA through one of the registered intermediaries before availing the services of any intermediary: stock brokers, mutual fund companies, depository participants, portfolio management services (PMS) and so on.

In-Person Verification (IPV) is part of KRA-KYC registration of clients. Clients who are already KRA compliant are not required to undergo it again.

Importance Of IPV

The Prevention of Money Laundering Act, 2002 (PMLA) came into effect on 1 July 2005. The Act ensures that no one can use investment instruments to hide illegal wealth. Soon after, SEBI mandated that all intermediaries adopt a KYC policy and put in place policies that follow the guidelines on anti-money laundering measures.

Since 1 January 2011, KYC compliance has been made mandatory for all investors. This is irrespective of the amount invested and includes the following transactions:

a. New / Additional Purchases

b. Switching Transactions

c. First-time Registrations for SIP/ STP/ Flex STP/ FlexIndex/ DTP

d. Any SIP/STP/trigger-related products which were introduced after the enactment of the act

e-KYC (electronic Know Your Customer) is a value-added feature offered by many financial institutions. It makes the application process convenient: investors can access it and upload the necessary documents from the comfort of their home or office. As discussed above, it is available only through SEBI-approved KRAs; for example, CVL and CAMS can complete the e-KYC process. This means digital KYC can be used for IPV as well.

EKYC — The Miracle Turned Myth

To remove the repetitive submission of documents, SEBI launched the concept of common KYC in 2011. With this move, the first intermediary processes the KYC-related information and sends them to the KYC Registration Agency (KRA). Once your account is created, any other intermediary can make use of the same details in the future for new accounts.

Why eKYC?

Common KYC smoothed things for retail investors, but it was still a time-consuming process (8–10 days) and still required in-person verification. This raised the cost of servicing small investors and prevented immediate onboarding of new customers.

SEBI launched eKYC in order to make the procedure more investor-friendly. It enabled customers to verify their identity and upload documents digitally. To get started, you only needed to quote your Aadhaar number, PAN number, e-mail id, and mobile number. Once you type in the details, you will receive a one-time password (OTP) in your Aadhaar-registered mobile number. After entering the OTP, the eKYC process would be completed and you could start investing in mutual funds within minutes.

While Aadhaar-based eKYC had been introduced as a means of onboarding, there were many discrepancies, especially after the Supreme Court judgement on the use of Aadhaar-based eKYC. It was later reintroduced. This left a state of confusion, and many AMCs continued with traditional methods of KYC collection for onboarding. Physical KYCs are more time-consuming: the distributor has to submit the documents to KYC Registration Agencies (KRAs), and the KRA nodal agencies have to manually key the data from the applications into their systems. If the handwriting is illegible, capturing the KYC data can lead to errors, delaying the process further.

The SEBI Way Of Digital KYC

In a recent move on April 24, 2020, the Securities & Exchange Board Of India (SEBI) has issued the latest guidelines on the digitization of the KYC process. Some of the highlights are mentioned below:

1. Know Your Customer (KYC) and Customer Due Diligence (CDD) policies form a part of KYC. They are the foundations of an effective Anti-Money Laundering process. The KYC process requires every SEBI registered intermediary (also known as ‘RI’) to collect and verify the Proof of Identity (PoI) and Proof of Address (PoA) from the investor.

2. The provisions as laid down under the Prevention of Money-Laundering Act, 2002, Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, SEBI Master Circular on Anti Money Laundering (AML) dated October 15, 2019 and relevant KYC / AML circulars issued from time to time shall continue to remain applicable. Further, the SEBI registered intermediary will continue to ensure to obtain the express consent of the investor. This should be done before undertaking online KYC.

3. SEBI, from time to time has issued various circulars to simplify the process of KYC by investors / RIs. Constant technology evolution has led to multiple innovative platforms being created. These allow investors to complete the KYC process online. SEBI held discussions with various market participants and based on their feedback, technology like Aadhar-based e-Sign service which can facilitate online KYC will now be used. This is done with a view to allow ease of doing business in the securities market.

4. The new regulations allow an investor's KYC to be completed through online / App-based KYC. There is also provision for in-person verification through video and for online submission of an Officially Valid Document (OVD) / other documents under eSign. This allows the introduction of VideoKYC, which RBI had already permitted for the banking sector earlier this year. (Click here to read more about the RBI guidelines for VideoKYC.)

5. SEBI registered intermediary may implement their own Application (App) for undertaking online KYC of investors. The App shall facilitate taking photographs, scanning, acceptance of OVD through Digilocker, video capturing in a live environment, usage of the App only by authorized persons of the RI.

6. The guidelines also allow RIs to undertake the VIPV(Video In-Person Verification) of an individual investor through their App. This is done to ease investor onboarding.

Digital KYC For The New Era

Signzy has developed an AI-based electronic KYC solution called RealKYC. It consists of a host of microservices that provide the following benefits to AMCs

  • Reduction of TAT: During investor onboarding, the traditional method of KYC collection involves the submission of a lot of documents and processing that is done by several departments and their officers. This can be a time-consuming process but with VideoKYC, the entire process is automated and can be done in a matter of minutes in real-time.
  • Lower Operational Costs: The onboarding process for a new investor can require several checkpoints, each adding cost. Significant manpower is involved as well, which further raises the cost of onboarding. All of these steps can be automated with RealKYC, thereby reducing operational expenses.
  • Remote Onboarding: With RealKYC, there is no need for investors/entities to pay multiple visits to the physical branch for the processing of KYC. They can simply visit the website and submit all their documents as well as get the verification done, online.

Signzy’s VideoKYC solution offers a simple, secure KYC collection process that is 100% compliant with the latest SEBI Guidelines. The benefits include:

  • Compatibility With Most User Devices: This solution has matured over dialects, browsers and low-internet scenarios. This means that most users can undergo VideoKYC without any technical pain points.
  • Improved BackOps: Our patented AI reduces back-office effort by 90%, making onboarding of investors a smooth process.

Conclusion

KYC, or Know Your Customer, is a compulsory requirement for those wishing to invest in mutual funds. It is mandated by the market regulator SEBI (Securities and Exchange Board of India). This identification process needs to be undertaken only once. KYC was introduced to prevent fraudulent activities, and eKYC for mutual funds was launched for the ease of investors. Digitization of KYC merely changes the mode of KYC collection, not the process.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end-customer and business onboardings every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with 240+ FIs globally, including the 4 largest banks in India and a Top 3 acquiring bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company's product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

PDP Skepticism: Big Brother, Big Tech and a Sandbox

The politics of data protection can be seen through three lenses: that of the government, the individual, and private companies. The concerns of all three have to be addressed to devise an effective data regulation framework. For the government, pressure is mounting to safeguard citizens' personal data; at the same time, it is the government's prerogative to preserve national security, which may require access to personal data to combat illegal activities like trafficking. Companies are grappling to strike a balance between compliance, personalization and interoperability. It then becomes the data regulator's responsibility to safeguard personal data without risking national security or hampering innovation and economic growth.

The Indian Personal Data Protection Bill (PDP) of 2019 is on the verge of becoming law, so questions on its power and compliance are at the fore. This blog addresses prominent questions on the bill in the global and national context:

  1. Would PDP compliance result in GDPR (General Data Protection Regulation of the European Union) violation?
  2. Does the bill itself threaten global cybersecurity?
  3. Will government mission creep grow as a side effect?
  4. Is innovation stagnancy a real possibility stemming from the bill?

A preliminary understanding of the data protection regulations in place in the EU and India is helpful. You can take a look at our article comparing the GDPR and PDP Bill.

Will complying with India’s PDP Bill mean violating the GDPR?

The intent of the two regulations is identical: both were created to safeguard data and privacy. Their criteria for compliance, however, are not. This means that if a company's operation is GDPR compliant, it won't necessarily be PDP compliant. To remain compliant, data fiduciaries will have to chart their course according to the standards of each framework, since both regulations have different requirements and prerequisites. The question is whether compliance with any provision of the PDP contradicts the requirements of the GDPR.

  • Many obligations overlap or sit at different degrees on the same spectrum. But the International Association of Privacy Professionals (IAPP) points out a problem: Indian companies may find themselves at a crossroads when processing data under the purview of the GDPR if the data they collected was gathered only on the basis of "contractual performance".
  • "Contractual necessity" is one of the lawful bases that permits an entity to process data under the GDPR. The PDP does not list it as a legal basis for processing, and this is where the confusion arises. Many businesses in the online services environment rely heavily on this criterion to process personal data, because it allows an entity to transfer data to another entity as a contractual obligation. For example, shipping a product requires the data to be shared with the deliverers and customs officials, and travel agents require the data to be shared with the hotel or airlines.
  • This creates a grey area: complying with one regulation may make it difficult not to violate the other, because swapping the lawful basis (to comply with the PDP) is not allowed under the GDPR.

Even if it is assumed that data fiduciaries / data controllers do not violate the GDPR when they change the lawful basis, it will still be a challenge for larger entities, for example companies with several foreign subdivisions. They will have to redefine, re-communicate, and re-implement their processes, in particular the data collection, usage and protection protocols for all parties involved in the data flow.

Does the Indian Personal Data Protection Bill threaten global cybersecurity?

The PDP proposes banning re-identification of data. Cybersecurity and privacy researchers have pointed out that this discourages research: researchers cannot thoroughly investigate security weaknesses, which leaves those weaknesses open for cybercriminals to exploit.

But, what is re-identification? First it’s important to define de-identification and its necessity.

When a company processes an individual's data, algorithms are used to decouple sensitive details from identifying information. For example, medical records and location traces are separated from phone numbers and email addresses. This is de-identification.

Organizations can recover the link between the users’ identities and their data when required. The reverse process is called re-identification. This is a routine practice when done in a controlled environment designed for security by legitimate entities.

The risk is that malicious parties get their hands on a de-identified database and re-identify it. Data breaches and leaks are an increasing concern in our data-fied world. The PDP therefore proposes to criminalize re-identification of user data without the user's consent, which it calls illegitimate re-identification. While this seems only logical, it may threaten global cybersecurity.
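To make the de-identification / re-identification split concrete, here is an added example (not code from the original post or from Signzy) of one common way to implement it: direct identifiers (phone, email) are replaced by a keyed HMAC pseudonym, and the pseudonym-to-identity map plus the key live in a separate "vault" that only authorised processes can use. The sample records, the `Vault` class, the `DIRECT_IDENTIFIERS` list and the `authorised` flag are all assumptions made for the illustration; a real deployment would back the vault with access-controlled storage.

```python
"""Keyed pseudonymization as de-identification, with controlled re-identification.
Added illustration; the record layout and Vault design are assumptions, not any real product's API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields that identify a person on their own (assumed for this example).
DIRECT_IDENTIFIERS = ("phone", "email")

# Constructed sample records: the sensitive payload is a diagnosis and a location trace.
SAMPLE_RECORDS = [
    {"phone": "+91-9000000001", "email": "asha@example.invalid",
     "diagnosis": "hypertension", "last_location": "Bengaluru"},
    {"phone": "+91-9000000002", "email": "ravi@example.invalid",
     "diagnosis": "asthma", "last_location": "Mumbai"},
    {"phone": "+91-9000000001", "email": "asha@example.invalid",   # same person, second visit
     "diagnosis": "hypertension", "last_location": "Pune"},
]


@dataclass
class Vault:
    """Secret key and pseudonym -> identity map. Stored apart from the de-identified dataset,
    so a leak of the dataset alone does not reveal who the rows belong to."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym(self, identity: tuple) -> str:
        # HMAC rather than a bare hash: without the key, nobody can recompute the
        # pseudonym from a guessed phone number or email, so the dataset cannot be
        # joined back to identities by enumeration.
        msg = "\x1f".join(identity).encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]


def deidentify(records, vault: Vault):
    """Replace direct identifiers with a pseudonym and keep the payload intact.
    The same person always maps to the same pseudonym, so records still link."""
    out = []
    for rec in records:
        identity = tuple(rec[f] for f in DIRECT_IDENTIFIERS)
        pid = vault.pseudonym(identity)
        vault.lookup[pid] = dict(zip(DIRECT_IDENTIFIERS, identity))
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pid": pid, **payload})
    return out


def reidentify(deid_record, vault: Vault, authorised: bool):
    """Controlled reverse step: only an authorised caller holding the right vault
    can restore the link between a row and the person it belongs to."""
    if not authorised:
        raise PermissionError("re-identification requires an authorised purpose")
    identity = vault.lookup.get(deid_record["pid"])
    if identity is None:
        # Wrong vault (different key) or a pseudonym this organisation never issued.
        raise KeyError("pseudonym unknown to this vault")
    payload = {k: v for k, v in deid_record.items() if k != "pid"}
    return {**identity, **payload}


def linkable_pseudonyms(deid_records):
    """Count how many distinct people the de-identified set still distinguishes."""
    return len({r["pid"] for r in deid_records})


if __name__ == "__main__":
    vault = Vault()
    deid = deidentify(SAMPLE_RECORDS, vault)
    print(deid)                                   # no phone/email in the rows
    print(reidentify(deid[0], vault, authorised=True))
```

Two properties matter for the risk the post describes: a stolen copy of `deid` on its own reveals diagnoses and locations but not who they belong to, and a second organisation (or an attacker) with a different key gets different pseudonyms and cannot use the vault, so the link is only recoverable where the key and lookup map are kept. Note that an unkeyed hash of a phone number would not give this property, because the input space is small enough to enumerate.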

Researchers often perform meticulous cybersecurity tests and verify privacy guarantees without the knowledge or consent of an organization. They act with the public interest in mind, and their work makes the digital world a safer place. A blanket ban could hamper this research altogether: with the risk of penalties and even jail time, security researchers would not take part in such testing for the social good. Worse yet, software vendors might be tempted to instigate legal action against such researchers.

At India’s scale, impeding cybersecurity and privacy research could leave the cyber realm at large to malicious forces. This threatens global cybersecurity.

What exceptions are given to the government and what does this mean?

The bill gives the central government the power to exempt its agencies from the purview of the act. The grounds for revoking the regulations are vaguely defined; an exemption may be made:

  1. In the interest of sovereignty and integrity of India or
  2. To preserve national security

This eliminates the obligations of consent, accountability and transparency that ensure just processing of data. A regulation drafted for the protection of personal data can thus rid the government of its duties and result in mission creep. This can give rise to a Big Brother-like situation, with the government morphing into a surveillance state under the guise of national interest. In the absence of a privacy law, it is dangerous for the State to have access to all our personal data.

Are there any provisions for companies working on innovative data driven tech?

Companies are preparing to adapt to the new compliance requirements. But, there are growing concerns for tech companies:

  • Mounting operational expenses
  • Compliance constraints
  • Rising cost of doing business
  • Increase in barriers to entry

This could limit the ability of new competitors to enter the market. Restrictions on sharing data with third parties could make it difficult for companies to collaborate on data-driven innovation.

There is a massive flux of data across borders, and governments increasingly consider data and digital infrastructure integral to national security and economic growth. Where developing economies once wanted to foster domestic auto production, governments today focus on making their domestic tech industries thrive.

Governments are drafting policies on data infrastructure and technology, including data localization constraints and limits on foreign investment in technology. The aim is to foster innovation at a local level. Barriers and constraints tend to prioritize national goals over global innovation, so it is important to find the right balance between the multiple objectives.

As a welcome counter to such provisions, the PDP introduces the concept of a "sandbox". It gives the Data Protection Authority the power to modify provisions for certain data fiduciaries: those that work for "innovation in artificial intelligence, machine-learning or any other emerging technology in public interest". Under Section 40 of the PDP bill, exemptions may be given as part of the sandbox. These include relaxations: the obligation to specify a clear purpose for data processing and collection may be relaxed, and the limits on the period of data retention can be lifted.


Written By:

Ankit Ratan, CEO-Signzy

 

A Guide to EU’s New AI Guidelines

The data economy can be a Catch-22: it can succumb to corporate surveillance capitalism on the one hand and to an authoritarian digital "welfare" state on the other. The European Union (EU) places itself as the alternative to both, and its strategy for regulating technology over the next decade is meant to set that precedent. Whether it succeeds is up for interpretation. On 19th February 2020, the European Commission (the executive branch of the European Union) published a 26-page whitepaper on Artificial Intelligence (AI). The paper, titled "A European Approach to Excellence and Trust", states the EC's intent to regulate and advance AI.

This blog will explore the reach, requirements, and reservations of the guidelines the whitepaper introduces.

Reach: A Risk Barometer Approach

The whitepaper will have consequences for those using and developing AI, specifically businesses that participate in the data economy. It is drafted to regulate AI effectively without being dictatorial, since strict measures could create a disproportionate burden for SMEs.

The paper defines AI as

“Systems that display intelligent behavior by analyzing their environment and taking actions — with some degree of autonomy — to achieve specific goals.”

However, the proposed requirements will mainly affect AI which is deemed “high-risk”. This is enumerated by the EC as:

"…deployed in health care, transport, energy and parts of the public sector, or if it is used in the employment sphere (for recruitment purposes or in situations impacting workers' rights), or for remote biometric identification and other intrusive surveillance technologies."

Due to this definition and scope, the suggestions would not apply to advertising technology or consumer privacy. The assumption here is that risk can be finitely calculated. This leaves many contentious issues outside the purview of the guidelines, for example data brokers that leverage AI to predict identities and deliver hyper-targeted advertising.

It is anticipated that the new framework will have extraterritorial impact, like the GDPR.

Requirements: The Precursor to Compliance

The AI applications classified as high-risk would be regulated by the following key features. These center on safety, security, fairness and transparency:

  • Training data
    The paper reiterates that if there is no data, there is no AI. The decisions and performance of an AI depend on the data sets it has been fed and trained on. To ensure that the services or products the AI system enables are safe, the requirements dictate that it must be trained on a broad enough data set. The training data must also be representative, to avoid inadvertently coded discrimination. The data collected must adhere to privacy and data protection standards, i.e. the GDPR. (Interested in reading more on the data protection regulations in place in the EU and India? Take a look at our article comparing the GDPR and PDP Bill.)
  • Data and record-keeping
    Considering the opacity and complexity of many AI systems, certain requirements are put forth to verify compliance and to allow potentially problematic decisions or actions by the AI to be traced back. The regulatory framework proposes that the following records be kept:
    a. Records related to the programming of the algorithm
    b. Data sets used to train and test the high-risk AI systems (when justified) along with a description of their main characteristic and the reason for their selection
    c. Documentation on the algorithm and the training methodologies adopted to build, test, and validate the AI
  • Information to be provided
    Apart from the above information, the AI system’s limitations and capabilities must be proactively provided. It should also mention the degree of accuracy to which the system can achieve a specific purpose. This information could be useful to those deploying the AI application. The whitepaper reiterates that citizens should be duly informed when they are interacting with an AI and not a real person. The details should be easy to understand, concise and objective.
  • Robustness and accuracy
    Across the AI system’s life cycle, it must correctly reflect its own degree of accuracy. The whitepaper mentions that the outcomes should be reproducible. The AI system must be able to deal with errors and inconsistencies. It should endure overt attacks, and be resilient against manipulated data.
  • Human oversight
    The AI system must be ethical and trustworthy. To not undermine human autonomy, the whitepaper insists on the AI being human-centric. This could manifest in different ways depending on the system’s purpose and functioning:
    a. Output is reviewed and validated by a human before it becomes effective. For example, human intervention needed to approve a person’s KYC.
    b. Human intervention post the output being effective. For example, reviewing why the AI rejected a credit application, after the decision was put into effect.
    c. Monitoring the operation of the AI system. This is with the possibility to intervene and stop its functioning in real time. For example, a deactivate button in a driverless car.
    d. Constraints integrated during the design phase. For example, a driverless car will stop when visibility is low.
  • Specific requirements (Example: For AI applications used for remote biometric identification)
    The application of AI systems to functions such as facial recognition affects the fundamental rights of a citizen, for example the right to a private life and the protection of one's personal data. Processing of biometric data to uniquely identify a person can only be done in special circumstances with adequate safeguards. The whitepaper declares that the EC will begin a "broad European debate" on what these circumstances are and their justification.

Reservations: Missing the Mark

The proposed guidelines address issues of personal data protection and privacy rights, non-discrimination, and cybersecurity. But they seem to miss the perils of "low-risk" technologies, for which the guidelines are weaker.

The whitepaper overlooks that the classification of low risk is not absolute: what is low risk in general can be very risky for some, because the harms of technology are often amplified to disproportionately affect the marginalized.

A draft version of the whitepaper was leaked in January. Held against that draft, the new criteria are feeble attempts to regulate the possible adverse implementations of AI. The draft proposed a prohibition, or "moratorium", on facial recognition in public spaces for 5 years; the released guidelines are merely a call for a "broad European debate" on facial recognition policy.

Stakeholders can give their insights on the whitepaper by 31st May 2020. The EC will start drafting legislation based on the proposal and feedback at the end of 2020.


Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 
