Category: Regulations

Welcome to our Regulations category, a comprehensive resource meticulously designed to assist you in navigating the intricately woven tapestry of regulatory norms governing the fintech industry. With regulatory frameworks being in a state of constant evolution, staying abreast of the latest changes is crucial for businesses and professionals operating within the financial sector.

The articles housed within this category delve deeply into an expansive range of regulatory topics. We explore everything from the shifts in KYC/AML guidelines to the influence of data privacy legislations on financial institutions. Our aim is to provide a multi-faceted understanding of these regulatory transitions and the implications they carry for businesses.

At Signzy, we recognize the significant role regulatory compliance plays in the financial industry. Our innovative solutions are crafted with a keen eye on the most recent regulatory requisites. Our aim is to help businesses remain compliant without having to sacrifice efficiency or compromise on delivering exceptional customer experiences.

Whether you’re a compliance officer diligently ensuring that operations align with regulations, a fintech entrepreneur navigating the challenging waters of the industry, or a professional immersed in the financial sector, our Regulations category offers invaluable insights into the ever-changing regulatory landscape.

We cordially invite you to join us as we embark on an exploration of the world of fintech regulations. Through our articles, we aim to provoke thought, spark discussion, and provide guidance on how to navigate the complex regulatory environment effectively. Join us on this enlightening journey as we untangle the intricate web of regulatory norms shaping the world of fintech.

How Will Unified Data Protection Regulations Affect State, National, And International Banks In The USA?

Posted on | by Signzian

Introduction

Consumers’ personal data is used by companies to sell their products and services, but when this data is personal or private, discretion and safety are essential. In some of the US states, there are personal data regulations that keep an eye on companies processing and using consumers’ data. A good example of this is the California Consumer Privacy Act(CCPA). A relatively new law, CCPA came into effect on June 28, 2018, as part of the California Civil Code. It has been praised as a step in the right direction for data regulations by industry pundits, as it solidly defines how data can be protected and how its misuse will result in dire consequences.

But one of the questions that returned to the spotlight after it’s introduction was, ‘Why isn’t there a federal body like this to regulate data privacy all over the country?’ This is where the US can benefit from a step for Unified Data Protection, a central regulation from the Federal Government that oversees and regulates all handling of consumer data. It will give control to the consumers over their personal data while unifying data privacy laws for all states in the US and simplify regulations for international companies. A Unified Data Protection Regulation will have provisions to process US consumer’s data regardless of the location of the company.

Such a body will force the companies to disclose how the data is processed making the purpose, tenure, and sharing of data transparent to the consumer. The Government will impose heavy fines on companies that violate the regulations making the consent of the consumer irrevocably mandatory. This article focuses on how such a unified regulation would impact the different levels of banking and the types of banks in the US.

What Is The Current System Of Banking In The US And How Does It Handle Data Privacy?

Unlike most countries, banking in the US is regulated at state and federal levels, and depending on the class of the bank it is subject to state or federal regulations. The central banking system which regulates all other banks is called the Federal Reserve and was established in 1913.

Duties of the Federal Reserve include:

  • Conduct the national monetary policy
  • Regulate and supervise banking institutions
  • Sustain the stability of the financial system
  • Financial services to the U.S. government, depository institutions, and foreign official institutions.

Banks in the US are regulated by the Federal Reserve and overseen by the Federal Deposit Insurance Corporation(FDIC) and the Office of the Comptroller of the Currency(OCC). The banks are classified into:

National Banks
It includes all federally chartered banks and has permission to operate in any part of the country. It is not subject to state laws barring a few exceptions. Even though these banks fall under federal jurisdiction, they must comply with state regulations too, if there are any making it a burden for them.

Depending on the type of charter and structural organization, a bank may be subject to many federal and state regulations and is specifically supervised by the OCC. It is important to note that not all national banks possess nationwide operations as some of them have operations in only one city, county, or state. A common misconception is that the Federal Reserve is a national bank, but this is untrue as it is a system of institutions chartered by Congress for financial oversight.

Banks from other countries that have established a presence in the US are called International Banks. Even though they fall under the category of National Banks, It is noteworthy to consider them as a third category for easier understanding. Some of them have exceptions with the national status and a few of them already follow protocols from other countries’ financial regulatory bodies. Many of these banks are European and already follow GDPR regulations even in the US. Sometimes these are not direct implementations.

State banks
State banks are state-chartered and are permitted to operate within the state where they are chartered. They can acquire customers from other states, but they can not open branches in other states unless they acquire the respective state’s charter or a national charter from the federal government. It is also mandatory for them not to have “National” or “Federal” in their names and nomenclature.

 

Is Data Privacy Safe in This System of Banking?

Information security and banking privacy in the US is not protected through a singular law rendering the regulation of privacy sector-based. Thus regulations are different in different states and all states do not possess sufficient research data or machinery for good regulation. This leads to risk and data breaches.

Gramm-Leach-Bliley Act (GLB) regulates the collection, disclosure, and use of personal /non-public information by banks. Federal Trade Commission (FTC) with guidelines from GLB act as the primary protector of banking privacy. It fines violators of state and federal banking privacy laws and these violations are treated as civil offenses in contradiction to other countries where they are usually considered criminal offenses. Nonetheless, there are too many discrepancies and contradictions in these laws that create loopholes and increase risk.

Cyber attacks cost an average of $18.3 million annually per company in 2019 making the total cost $164.6 million. This was through more than 1,473 cyberattacks over the year. The risk is clear from this data and a change for the better is inevitable.

How Has Unified Data Protection Been Implemented In Other Regions?

The most relevant implementation of Unified Data Protection regulation is in the European Union which is the General Data Protection Regulation(GDPR). It sets the guidelines for the collation and processing of personal data, exclusive for consumers from the EU. GDPR instructs companies to give proper data disclosures to their consumers while not compromising any privacy and protection they are entitled to. For example, timely notification of any personal data breach to the consumer is mandatory while making sure this information can not be misused by any third parties.

GDPR succeeded the first Unified Data Protection initiative in Europe, Data Protection Directive 95/46/EC which was created on 24 October 1995. Major banks in the EU encouraged it because it brought more security and credibility for the financial sector. But with advancing technology it became outdated by the late 2000s forcing the EU to consider a new unified data protection framework for 4 years before sanctioning it on 14 April 2016. GDPR came into complete effect on 25 May 2018.

Even though GDPR is for consumers and companies in Europe it affects international entities too. Any company which uses the personal data of a consumer from the EU must follow the regulations which strictly include overseas companies. A bank from the US will have to reframe their process to comply with the regulation. This is important because international US banks already have to comply with data protection regulations rendering them more preferable for consumers.

Notable privileges prescribed for consumers:

Right to Access
Consumers have the right to access their personal data and information. They should be aware of how this personal data is processed and who all will have access to it. Data must be treated as a resource that belongs to its respective owner, the consumer.

Right to Erasure/Be Forgotten
Consumers or customers have the right to request the erasure of personal data. This can be on any one of a number of grounds prescribed. This has certain regulations provided by GDPR, but it still lets the option to be forgotten open to the customer.

Right to Object and Automated Decisions
This allows a consumer to object to processing personal information for non-service related reasons. This includes marketing or sales. Data controllers must allow a consumer the right to stop controllers from processing their data any time they prefer.

Notable guidelines to companies:

Data Controller and Processor
The processing of data has two entities involved- a data controller and a data processor. A data controller is an entity (person, organization, etc. that establishes the why and the how of processing data). A data processor is an entity that performs the data processing overseen by the controller.

Pseudonymization
Pseudonymisation is a needed process for stored data that transforms personal data. The resulting data is not attributed to a subject without the use of additional information. Examples include encryption, tokenization, etc. This renders the consumer data accessible while keeping it partially anonymous.

Notification
The data controller must notify the supervisory authority without delay, especially in cases of discrepancies and malpractices. In Normal functioning, there is an exception if the breach is unlikely to compromise the rights and freedoms of the consumers.

Data Protection Officer
The companies must appoint a data protection officer to oversee the processes.

Penalties to Companies
Penalties will be charged from companies for not sticking to the regulations. a fine up to €10 million or 2% of the annual turnover of the company is issued This may go as high as the authority deems necessary under a set guideline.

How Will Unified Data Protection Affect The Us Banking Sector?

The US is a considerable volatile environment for financial data privacy. 71% of all data breaches in the country are financially motivated which means that almost every 3 in 4 data breaches in the US is in the financial sector. The FBI reported that the amount lost to financial scammers is nearly $1 billion per year and the primary reason for this is the easy access scammers have to private data. Banks do not commercialize and misuse personal data like IT giants, but they do overuse it at times. There have been instances where financial institutions sold consumer data to third parties. Such practices need to be stopped, or at the least regulated.

In 2018 more than 67% of financial institutions reported increased cyber attacks. It was also noted that these cyber attacks are 300 times more likely to hit the banking sector than others. 65% of the top-ranked 100 banks failed web security testing in 2017. This was reported by Carbon Black; Markets Insider, Independent, and IBS Intelligence.

A Unified Data Protection Regulation will bring more clarity to the industry and other regulatory bodies will get defined guidelines and protocols. Banks will have a better understanding of consumer databases while maintaining privacy. Overall, the Unified Data Protection Regulation will have a major impact on the financial sector. Let’s look at how it will affect the three different tiers of the 5,177 banks and savings institutions in the country.

 

How Will It Affect State Chartered Banks?
Relatively, state banks will have to adapt more to the new mechanics. This is especially for banks in states with undefined regulations as they will need additional machinery and manpower. They will also have to dive deeper into automation banking and advanced technology, prima facie making this seem cumbersome. But in the long run, this will help the bank dwell in an advancing industry, and more importantly, this will give the consumer immeasurable authority over her personal data. That is the primary objective of Unified Data Protection.

The overall functioning level of state banks will upgrade with an exceptional increase in the standard of services. This includes more user-friendly online services, on-time notifications, and reduced delays.

Study shows 5,400 banks in the U.S. compete to sustain customer satisfaction. They need to attract new deposits. Local banks must exhibit their advantages in the fields of accessibility, customer service, and financial advice. To an extent, this would level the playing field.

How Will It Affect Federally Chartered Banks (National Banks)?
The capital to be spent on implementation for NationalBanks will be high but in the long term, it will help them establish an international standard in banking. It would make it easier for them to attain international bank status and branching out to Europe will be much easier as they will not have too many regulatory novelties from GDPR.

The biggest relief for National Banks is that they do not have to satisfy multiple regulatory bodies. JPMorgan Chase had reported the extra work going into adjusting data privacy regulation depending on each state. This is reduced with the introduction of a federal system.

How Will It Affect International Banks?
Most International Banks operating in the USA have a considerable presence in Europe and many of them are already following GDPR protocols. A similar system in the US would benefit them. As they have the most number of customers they will contribute the most to changing the financial landscape. International data breaches are most likely to occur and data protection at this level will reduce that risk. Even more dangerous aspects like money laundering and terrorist funding can be limited with such steps.

Banks will be aware of consumer information and will process it with better care as they are not allowed to provide data to third parties. This will give privacy to the consumer while maintaining a keen eye for malpractices. This is essential as the international economy is a sandbox for financial scams and regulations will reduce this.

Banks like HSBC and Deutsche Bank will have a more even battleground while competing with other National banks as they are already under the scrutiny of other international bodies of regulation. With a unified regulatory body, all banks will have to stick to the same rules and compete on the same track. This will benefit the consumer with better options and opportunities.

What Are The Boons And Banes That Follow?

Significant advantages of Unified Data Privacy include:

  • Improved Cybersecurity- It will directly impact data privacy and security improvements encourage banks to develop better security measures reducing risk.
  • Standardization of Data Protection– Its compliance will be assessed by state wise agencies cementing the credibility of each bank as they must stick to the same rule book.
  • Sustainable Reputation- The banks will have a better reputation as a single breach can bring down a financial Goliath. Regulations will render safety not just for the customer, but for the bank too.
  • Enhanced Trust- It will encourage consumers to genuinely share their data with the bank. They are aware of how safe their data will be handled giving them a sense of satisfaction to be in control.
  • Loyal Customers- The trust built fuels the customers’ loyalty making them prefer the services of the banks that provide the best service. Sustained credibility enhances loyalty.

 

Significant concerns may include:

  • Non-Compliance Penalties- Severe penalties are imposed on non-compliant participants because, without strong consequences, compliance will not be effective. Sometimes the magnitude of fines would be overwhelming but this is an avoidable responsibility for the banks. A good example of this is the fines imposed by GDPR for non-compliance. Google was imposed a fine of €50 million for breach of GDPR protocols by the French regulator CNIl.
  • The Cost of Compliance- The capital and machinery required for implementation will be considerable for banks. Especially for small banks. Though long term benefits outweigh this, it is still a concern.
  • Overregulation- If not properly implemented, it will backfire. Overregulation will add more complications to the banking process as too many formalities will tire the consumer and the bank. A delay in time could also occur due to the extra steps added for regulation. All of this is avoided with apt regulatory sanctions. Nonetheless, it is difficult to define them.

Conclusion

There is no doubt in saying that data has become a resource and companies are selling their customer’s data for profit. In such times it is necessary to keep personal data secure. In this perspective, the banking sector to data is what the judiciary is to governance- something that can never be tainted or compromised.

Banks contain a plethora of sensitive information and strict regulation on this is inevitable and precedent. As we are moving towards a global economy, it is only sensible to unify scattered sectors. The innovators in the financial sector should always keep in mind that all the short term discomforts will breed greater benefits for the industry and consumers.

Unified Data Protection regulations will enhance the safety of the consumers’ data. It will build the trust people are losing in companies and their handling of personal data. But furthermore, the significant aspect is that Unified Data Protection is merely the embracing of the coming. We are accelerating our advancements to the future where there is no doubt it holds multitudes of data resources. We are simply trying to protect that future with such strides.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

How NBFC-Account Aggregators Ease Financial Processes And Protect Privacy

Posted on | by Signzian
How NBFC-Account Aggregators Ease Financial Processes And Protect Privacy 0
Account Aggregators(AA) are financial entities belonging to a new class of NBFCs introduced by the Reserve Bank of India(RBI) in 2016. With consent, NBFC-AAs consolidate, organize, and retrieve customers’ financial data when required by Financial Information Users(FIU) constituted mostly of NBFCs for a fee or otherwise. The mechanism must mandatorily follow consent architecture as prescribed by RBI. In a far simplified tone,

NBFC-AAs make a requirement like a loan application easier for customers by providing financial access to their data with consent.

Even though the introduction of NBFC-AA was in 2016, the concept existed prior as well. Account aggregators like Perfios and Yodlee were engaged in consolidating financial data and analysing it for customers or institutions. Recently the Government decided to bring into effect entities that keep track of scattered financial data. These entities are scrutinised by multiple financial regulators(like RBI, SEBI, IRDAI). This was an official statement of transparency.

Why are Account Aggregators needed?

Most of an individual’s financial data is scattered due to accessing multiple financial products from multiple financial institutions. The customer herself would be confused about her financial data.

Another significant factor relates to data security. For the customers, there is no way to provision data securely to distinct entities. Current modes include:

  • Account credentials are shared through third-parties.
  • Data is provided as hard copies.
  • Limited exchange of data through paperless transactions.

These modes are highly volatile as secure data acquirement and privacy can be compromised to a greater extent.

Thus the purpose of an NBFC-AA becomes to give a collective idea of the customers’ holdings and products. It provides information on multiple accounts held by the customer in a consolidated, organised and retrievable format. This will be exclusively voluntary and would not be done without the consent of the customer.

An NBFC is usually associated with transactions in financial assets by the customer. But An NBFC-AA does not have such a role in the process. It’s the only role is in account aggregation avoiding all financial transaction-oriented involvement.

NBFC-AA’s services are backed by necessary authorisations among customer, aggregator and financial service provider(FIP). This restriction along with most others have been introduced by the Financial Stability and Development Council (FSDC). This is where the part of an NBFC-AA covers not just the sphere of financial data but extends into other domains.

How does NBFC-AAs ease financial transactions?

NBFC-AAs can retrieve financial data of a customer from any financial regulator. This is consolidated and organised in a single portal. It can be shared with an FIU(Financial Information User), who must be regulated by a financial sector regulator like RBI, SEBI, IRDAI, etc. All data transfers should be consented by the customer without which no action will occur. For this, a detailed ‘Consent Architecture’ is to be implemented by the NBFC-AA.

In the pragmatic speech, this plethora of information is a gold mine for the FIUs(NBFCs) as it allows them to retrieve, with consent the customer’s data from the NBFC-AA. But, RBI had ruled that account aggregators can access customer data, but not store them.

The process is explained with the following illustration –[reference. Image 1]

 

Source- http://vinodkothari.com/2020/02/nbfc-aa-consent-gateways/

Some aspects of the process:

  • If a customer’s loan application is through a digital lending app, the NBFC requires the applicant’s financial data to execute a credit evaluation and determine its approval or denial.
  • NBFC-AAs would ease the process by not demanding all financial holdings data individually and in hard copy. Instead, the customer can provide consent allowing data to be revealed from the NBFC-AA to the NBFC involved(customer can even determine to what extent in time this data is to be shared). This process takes a minuscule period, usually merely seconds.
  • More than the time this saves, the information sharing impedances are considerably reduced while not compromising security.

What about when the Fintech Company is involved?

There are two partners and an entity in the process:

  • The Sourcing Partner- a fintech company
  • The Funding Partner- Usually an NBFC that provides the funds
  • The Third entity- Account Aggregators(NBFC-AA) that provide the information required with consent.

The role of a fintech entity in the triangle would be its capacity to apply for an NBFC-AA license by itself or incorporate a new entity who has applied for the license and is capable of carrying out the role of an NBFC-AA in the proceedings. The former option will require the fintech company to maintain Rs. 2 crores as Net Owned Fund (NOF) for eligibility and registration.

This image illustrates the process with a fintech entity — [reference. Image 2]

 

Source- http://vinodkothari.com/2020/02/nbfc-aa-consent-gateways/

Why is Consent Architecture the most important aspect of NBFC-AAs?

It is the most significant part of an NBFC-AA. An absence of customer’s consent will render the NBFC-AA’s capacity void. The obtainment, submission and managing of consent should strictly be consonant with the Master Directions offered by the RBI. The prescription has specifically denoted the consent to be a standardized consent artefact containing:

  • Customer’s identity.
  • Contact information.
  • Requested financial information’s nature.
  • Specified purpose of obtaining such information.
  • The identity of information recipients.
  • URL or other address to be notified every time the consent artefact is utilised to access the information
  • Consent creation date and expiry date.
  • Account Aggregator’s identity and signature/ digital signature.
  • Any other attributes prescribed by RBI.

The artefact can also be in an electronic form capable of being logged, audited and verified.

The customer can revoke the consent any time she desires rendering the artefact utility null. Once revoked, a fresh consent artefact is shared with the FIP.

Which are The Prevalent NBFC-AAs

RBI provided operating licenses to four AAs in 2016:

  • CAMS FinServ
  • Cookiejar Technologies Pvt Ltd. (Product titled Finvu)
  • FinSec AA Solutions Private Limited (The Product titled OneMoney)
  • NESL Asset Data Limited

RBI provided in-principle approvals to three AAs in 2016:

  • Jio Information Solutions Limited
  • Perfios Account Aggregation Services Pvt Ltd
  • Yodlee Finsoft Pvt Limited

Sahamati, a collective of the AA ecosystem has reported that currently, Axis Bank, Bajaj Finserv, Bank, Kotak Mahindra Bank, ICICI Bank, IDFC First Bank, HDFC Bank, and State Bank of India are developing their FIP/FIU implementation. Of these, Indusind Bank has already gone live. The reluctance exhibited by FIPs to share data with consent is considerably reducing with the evolving account aggregation domain.

BG Mahesh (Co-founder of Sahamati) said that AA platforms are in the final stage of the ‘wave one marathon. They passed the proof-of-concept stage last year. State Bank of India and a few big private banks are in the pre-production stage. In the next month, they will go into production,”

FIPs like GST, CBDT and TRAI are expected to join the ecosystem once the framework is implemented to success. The total AAs are expected to increase in number in the coming years with tech giants keeping a close eye to join in on the next wave of this evolution.

What is Sahamati and how does it further help NBFC-AAs?

DigiSahamati Foundation (Sahamati) is a not-for-profit collective of account aggregators established as a private limited company under Section 8 (of the new Companies Act of India). Sahamati came into existence as a response to the massively scattered financial data of customers and its need to be consolidated and organised.

Sahamati seeks to bring together people with versatile backgrounds in finance and technology to determine and achieve India’s Account Aggregator network, Protection Architecture and Data Empowerment. These goals and actions include examples such as ensuring banks implement proper consent architecture, FIP certifications to be robust or design novel methods for data sharing without compromise.

How do we register an AA license from RBI?

Companies with Net Owned Fund (NOF) more than 2 crores are eligible to apply for an AA license. AAs regulated by other sector regulators can not obtain a license from RBI if they are aggregating accounts and consolidating information on customers of only that sector.

Procedure for obtaining the NBFC-AA license — [reference. Image 3]

 

How NBFC-AAs Led to The Formation of DEPA

After the establishment of NBFC-AAs, an entity for a collective of Account Aggregators was expected. DigiSahamati Foundation(Sahamati) fulfilled this. Started as a private non-profit organisation, with the advice of RBI and other regulatory bodies, Sahamati was also one of the pioneers of new data architecture. This led to a more tight-knit and secure form of data architecture to be developed. This was later strategized and formulated as DEPA(Data Empowerment and Protection Architecture) in 2020.

DEPA, introduced as a draft policy by NITI Aayog is an approach or paradigm shift in managing personal data. It proposes a framework for consent approval that permits users to access and share data with third-party institutions. The policy involves RBI, SEBI, IRDAI, PFRDA and the Ministry of Finance operating together for implementation.

DEPA puts forth the concept of User Consent Managers in the data architecture. They are entities that manage consent for data sharing. They work to protect data rights. They obtain selected data from FIPs and deliver it to FIUs for a specified time. What data is to be shared and for what time it is to be shared is determined by the customer. Without the customer’s consent, no process will start.

Under DEPA, the individual, potential user and the institution holding the individual’s data will interact through consent managers. These consent managers are ‘data blind’ and can not view or use the individuals’ data themselves. All information is encrypted.

How Will NBFC-AA Help Users and Their Privacy?

The idea to collate and transfer data with strict consent architecture will help a data-rich country like India towards becoming more economically rich. As interactions like verification and lending become quicker and simpler with the help of Account Aggregators, the economy with increased motion will be churned to an essence.

The major concern regarding NBFC-AAs was the issue of privacy. How safe were we with transferring data through a data manager? Once the proper structure of DEPA and how the privacy will be protected was elaborate, more companies and organizations have initiated their FIU plans. The real trust comes from the fact that none of the NBFC-AAs can breach the privacy of the user even if they collate and transfer user data. This is because:

  • No action can be initiated without the consent of the customer.
  • Customers can determine the specific data to be transferred.
  • Customer can determine the Specified time for the data to be transferred( be it a week, a month or the time he prefers).
  • The content is not revealed to NBFC-AAs.
  • The transfer is directly from FIP to FIU and NBFC-AA merely organises the interaction for a specified fee or otherwise.
  • With the help of Collectives like Sahamati grievances of all parties can be swiftly addressed.
  • Oversight by regulators provides superintendence.

The Verdict

Most modern NBFCs prefer to acquire the license or avail the services of an NBFC-AA as this would enable them to provide easier and quicker services for the customer and help themselves cut down on the expenses and manpower required, otherwise. The customer not requiring to even exit an app on her phone increases her affinity towards an institution that provides such a facility.

Nonetheless, it must be ensured that the revenue model should be constructed for the NBFC-AA to benefit from the services it would provide to other NBFCs. This would include easier approval and sanction methodology for lending.

The recent steep increase in interest for acquiring an NBFC-AA license provides sufficient evidence as to how this relatively new entity would change the financial transactions in this era.

The concerns of privacy being breached and other malpractices occurring due to the easy accessibility of personal financial data need to be considered. But one must keep in mind that the data is accessed easily, the operative word being ‘Easily’. This does not imply that it will be accessible unsafely or irresponsibly. With an impeccable consent architecture, the data accessibility is exclusive for selected entities for a selected time. The final call for all of this is for the customer.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

Indian PDP Bill’s Impact on Lending

Posted on | by Signzian

As laws to protect personal data are debated, rejected, and adopted across the globe, individuals are becoming aware of their data rights. Privacy of data has become a source of company competitiveness with consumers seeking to engage with organizations that give them a semblance of control over their data. If that wasn’t enough, India is set to pass a regulation governing personal data this year.

The context for compliance

Inferring from the soon to be passed Personal Data Protection Bill 2019, lending is an area that is bound to be hit by a combination of compliance clauses. Data is central to the lending operation. Lenders collect, process and analyze a host of customer data throughout the lifecycle of a loan. This helps the loan granting entity to gauge risk and offer personalized services adapted to the individual’s needs.

To remain compliant these data fiduciaries must ensure they understand the compliance norms and the rights of the data principals. This blog explores the data rights that translate into areas of compliance across the lending process.

The primary rights which affect compliance for lenders are explained below:

 

These rights have a bearing on the different types of data collected at different steps of the lending process. Although the RBI and SEBI are yet to release separate, detailed guidelines for the fintech sector, here is my take on the PDP’s impact on compliance:

  1. KYC process

The preliminary step of any lending operation is the Know-Your-Customer (KYC) process. The basic documents required for this are (a) Identity proof and (b) Address proof. This is already a consent-based process.

The clauses that have some bearing on this step are:

  • Storage Limitation: after the loan has been repaid, the data principal can request the erasure of all the KYC data.
  • Data Portability: with eKYC and VideoKYC being adopted, automated processing is becoming common. The data fiduciary must keep a copy of the data in case it is requested by the data principal.

2. Credit Underwriting

A number of data sources are inspected as a part of the credit underwriting process. These can be divided into:

a. Public sources

This includes news articles about a customer, public social media profiles etc. Since this category of personal data is public, lenders do not have to worry about non-compliance.

b. Private sources

There are a number of private sources that can be scraped for credit underwriting. Here we discuss a few of them that bring up the concern of compliance.

i. SMS reading

This considerably new method of credit assessment would require explicit consent for processing. It is yet to be determined whether consent would have to be taken from both parties associated with the SMS exchange.

ii. Bank login based pull

To evaluate a person’s financial history, lenders perform a bank login based pull. Apart from the fact that explicit consent is required to access this data source, the question here is whether this would be a breach of the data fiduciary’s (bank) trust and if consent would be required from them as well.

iii. Email login based pull

Sometimes applicants are required to provide login credentials to a data source such as a personal email account. Till now explicit permission was usually sought for this to follow through, but not always. With the bill in place, email login based scaping would need to be 100% consent-based.

3. Credit Bureau Access

To ensure effective debt management, lenders share a customer’s personal data with credit bureaus and other third parties when servicing a loan. The transactions, details of the companies involved and justification for the data transfer must be explained to customers. Although credit scoring is a “reasonable purpose exception” in the bill which allows personal data to be processed without consent, it is not certain if it grants an exception from the right to data erasure. The storage of personally identifiable information (PII), implies that a data principal can request it be completely erased.

4. Non-traditional types of data

Bureau companies were previously mandated by the Credit Information Companies (Regulation) Act (CIC Act), which doesn’t allow credit bureaus to use alternative data in generating credit scores. Only loan account data from the core banking system could be used by the credit bureaus. This included default history, size of defaults and repayment time of loans. With an increasing number of data sources, it is yet to be determined if alternative sources are allowed under the new bill. And, how compliance norms would apply to their processing. Potentially, such sources could be:

a. Google Places/ Yelp

b. Payment processors

c. E-commerce platforms

d. Shippers

Privacy by design

The bill mandates that every data fiduciary build a robust privacy system for storing and processing of personal data. A data protection system should be implemented from the outset. This “Privacy by Design” policy is a mandatory requirement and must be certified by the Data Protection Authority. The policy is to be published on the organization and the authority’s website.

Penalties

Non-compliance is liable to a penalty. This penalty could go up to 15 crore rupees or 4% of a data fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher. It is thus imperative for fintechs and banks to start prepping for these compliance measures.

Dissent from lenders

The bill in its current form recognizes all forms of personal financial data as ‘sensitive personal data’. This definition of sensitive personal data in the bill is restrictive and brings up concerns for lenders. The Digital Lenders Association of India (DLAI) had submitted recommendations to reduce potential restrictions that the bill enforces. To make the lending process less prone to frauds, lenders need to access aspects of consumer data. This includes credit history, financial position and some alternative data of customers. With the current bill in place, this would become tedious. While compliance norms are necessary for personal data protection, such a definition will inadvertently hurt the lending operation.

Conclusion

The banking and fintech industry needs a clear compliance checklist. There is a dearth of understanding when it comes to how the current bill will affect compliance for data-centric processes like lending. This is because specific norms have not been released for the fintech space yet. The RBI and the government will need to come up with guidelines for the sector to ensure that function and compliance are not at odds.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Making KYC Digital For Mutual Funds In India — Landmark SEBI Guidelines & The Way Forward

Posted on | by Signzian

The onboarding process for Asset Management Companies (AMCs) is among the most complex of all client-facing activities. Reams of documentation are exchanged between a client and the investment management firm. It is then distributed throughout the organization. Most of this requires approvals, signatures, and validations.

Digital onboarding requires finalizing legal agreements, Know Your Customer (KYC) and Anti Money Laundering (AML) activities. It also involves opening client accounts on multiple systems and transitioning incoming assets. Each of these activities engages multiple groups throughout the organization. Examples include client service, legal, compliance, and operations. Without well-defined and coordinated procedures, this could lead to errors. Ex: misplaced information, breakdowns in communication, and duplicated efforts are likely. The right-hand needs to know what the left hand is doing in order to properly manage all the hand-offs and moving parts.

Benefits of improving onboarding:-

  • Ability to generate fees sooner.
  • Increased potential to cross-sell, additional products, and services.
  • More referrals from clients due to a positive experience.
  • Reduced client turnover.
  • More efficient resource allocation.
  • Better views into process status.
  • Fewer mishandled communications and handoffs between the team.
  • Measurable efficiency through metrics.
  • Faster addition of new products and services.

Why Digital KYC? The Need For Digitization Of KYC In Mutual Funds

  • At present, investing in a mutual fund requires a second round of KYC. This is also true even for customers who have completed KYC in their bank accounts. The procedure involves the submission of identification and address proofs along with photographs. The distributor or adviser must physically meet the customer to conduct ‘in-person verification’ for him/her. This requirement greatly hampers the growth of mutual funds online.
  • It also affects access to mutual fund investments for those in remote areas. In 2019, the Nilekani committee proposed that there should be a simple KYC procedure for opening a mutual fund account funded from a KYC-verified bank account. However, inflows into such a folio and redemptions to it must be restricted to this account.

This leads to the digitization of KYC. Among the many advantages of getting paperless KYC done, the following benefits are most important:

  • Personal Details are Secure: All information is stored and transmitted on the website with a special configuration. Whether it is your Account Information, Demographic Data, Biometric Data, etc. The KRA, Fund House, or AMC’s Portal is maintained with the highest level of Security. It reduces illegal activities of money laundering, loan scams, identity theft, and fraud.
  • You are the Boss: The option to invest will always be yours. The digital KYC mechanism is completely dependent on your decision. Not only that, you have the choice of providing access to your details to whomsoever you want. In some cases, if you change your mind. You may not want to invest in Mutual Funds. Whereas, if you opt for offline KYC. It is possible that your self-attested documents end up with unauthorized parties. This risk gets reduced to a large extent by taking the online KYC mode.
  • Instant Process: No Human element is involved that means no Red Tape is involved. The efficiency in the digital process ensures no delays. Comparatively, the offline process would take at least a few days.
  • Transparency: Incidents of the KYC documents in illegal and illegitimate persons occurred commonly. Opting for Online KYC, you can avoid such an event. The websites store the data in encrypted servers. It makes the possibility of a breach highly unlikely. Besides, the trespasser or the source of the breach can be traced in online transactions. They can be brought to legal authority with proof.
  • No Hidden Costs: Some Mutual Funds agents may charge extra amount as KYC Registration fees. And investors need to pay to avoid the hassle of taking time off from work and visiting the Government Agency in person. With eKYC, you do not need to pay in addition to the investment amount.
  • Compliance: Your data gets validated using the latest technologies. This increases the overall security of the system. It also ensures that the digitally transferred document is legally valid.

The Road To Digitization Of KYC

As per regulatory developments from January 1, 2011, KYC is mandatory for investors wanting to transact in Mutual Funds. This is regardless of the transaction amount. It implies that you will not be able to process any fresh MF purchases post January 1, 2011. This is true except when you are MF KYC compliant as per CDSL Ventures Limited (CVL) norms.

This implies that you can always ask your broker to provide you forms for submission to your KYC. Since there are no charges for mutual funds they may not be useful. As such, it is better you also understand you can get your KYC done. Follow these steps:

1. Get the Form

The KYC application form can be availed from the investor service centers for the particular Fund, CAMS or at any specified ‘Points of Service’ (POS) of CDSL Ventures Ltd. You can also download it from your broker, advisor or AMC.

2. Documents

The following lists the set of documents which are required for submission with the KYC application form:

1. A recent passport size photograph

2. PAN card copy

3. Address proof (Recent bank statement will work but if you have to get your bank statement in the email you need to visit your bank branch to get an original one.)

The document submission can be done at the CAMS Online office in your city. Ensure you carry the originals along with a photocopy of the documents because at times they might need to verify with the originals.

3. Verification

Once the KYC application form and supporting documents are verified, the investors will receive a letter authenticating their KYC compliance. They normally give you the letter in a few hours to a max of 24 hours for this identity verification api .

You can verify your KYC status online. You should verify on the day of form submission that your status is processing. Once it is done, your status should change to VERIFIED.

Actually KYC need not be done at your broker’s end. But some online systems do not accept the order. This can happen if they don’t have the data in their own system and so it is better to get that done as well.

KRA and K-IPV In KYC Collection

SEBI had initiated the usage of uniform KYC by all SEBI registered intermediaries (RIs). This was done to bring uniformity in the KYC requirements for the securities markets. In this regard, SEBI had issued the SEBI KYC Registration Agency (KRA), Regulations, 2011.

KRA is the authority for the centralization of all KYC records and details in the securities market. The client who wishes to open an account with a broker shall submit the KYC details. They can be submitted through the KYC Registration form with supporting documents. The Intermediary is responsible for conducting the initial KYC. The RI should also upload the details to the KRA system. The KYC details are accessible to all SEBI RIs for the same client. So once the client has undergone KYC with an RI, it is not necessary to repeat the same process again with other RIs.

It is compulsory for each client to be registered with any one of the various KRA registered intermediaries. This should be done before availing the benefits of any intermediary. Such benefits include Stock Broker, Mutual Fund Companies, Depository Participant, Portfolio Management Services (PMS) etc.

In-Person Verification (IPV) is part of the process of doing KRA-KYC registration of clients. KRA compliant clients are not required to undergo this process.

Importance Of IPV

The Prevention of Money Laundering Act, 2002 (PMLA), came into effect from 1 July 2005. The Act enforces that no one could use investment tools to hide their illegal wealth. Soon after, SEBI mandated that all intermediaries should adopt the KYC policy. It was also necessary to plan and install certain policies. The policies should follow vis-a-vis the guidelines on anti-money laundering measures.

Since 1 January 2011, KYC compliance has been made mandatory for all investors. This is irrespective of the amount invested and includes the following transactions:

a. New / Additional Purchases

b. Switching Transactions

c. First-time Registrations for SIP/ STP/ Flex STP/ FlexIndex/ DTP

d. Any SIP/STP/trigger-related products which were introduced after the enactment of the act

e-KYC (Know Your Customer) is a value-added feature that is offered by many financial institutions. E-kyc is useful for making the application process convenient. Investors can access it and upload the necessary documents. It can be done from the comfort of their home or office. As previously discussed, this is applicable to only SEBI-approved KRAs. For ex: CVL and CAMS can complete the e-KYC process. This means that Digital KYC can be used for IPV as well.

EKYC — The Miracle Turned Myth

To remove the repetitive submission of documents, SEBI launched the concept of common KYC in 2011. With this move, the first intermediary processes the KYC-related information and sends them to the KYC Registration Agency (KRA). Once your account is created, any other intermediary can make use of the same details in the future for new accounts.

Why eKYC?

The concept of common KYC smoothened things for retail investors, However, it was still a time-consuming process (8–10 days). It also included the problem of in-person verification. This also increased the cost of servicing small investors while preventing immediate on-boarding of new customers.

SEBI launched eKYC in order to make the procedure more investor-friendly. It enabled customers to verify their identity and upload documents digitally. To get started, you only needed to quote your Aadhaar number, PAN number, e-mail id, and mobile number. Once you type in the details, you will receive a one-time password (OTP) in your Aadhaar-registered mobile number. After entering the OTP, the eKYC process would be completed and you could start investing in mutual funds within minutes.

While Aadhaar based eKYC had been introduced as a means for onboarding, there were a lot of discrepancies. This was especially after the Supreme court judgement on the use of Aadhaar based eKYC. It was later reintroduced. This had left a state of confusion and many AMCs continued traditional methods of KYC collection for onboarding. Physical KYCs are more time-consuming. The distributor has to submit the documents to KYC Registration Agencies or KRAs. The KRA nodal agencies have to manually fill in the data in their systems from the applications. If the handwriting is illegible, capturing the KYC data could lead to errors. This would delay the process further.

The SEBI Way Of Digital KYC

In a recent move on April 24, 2020, the Securities & Exchange Board Of India (SEBI) has issued the latest guidelines on the digitization of the KYC process. Some of the highlights are mentioned below:

1. Know Your Customer (KYC) and Customer Due Diligence (CDD) policies form a part of KYC. They are the foundations of an effective Anti-Money Laundering process. The KYC process requires every SEBI registered intermediary (also known as ‘RI’) to collect and verify the Proof of Identity (PoI) and Proof of Address (PoA) from the investor.

2. The provisions as laid down under the Prevention of Money-Laundering Act, 2002, Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, SEBI Master Circular on Anti Money Laundering (AML) dated October 15, 2019 and relevant KYC / AML circulars issued from time to time shall continue to remain applicable. Further, the SEBI registered intermediary will continue to ensure to obtain the express consent of the investor. This should be done before undertaking online KYC.

3. SEBI, from time to time has issued various circulars to simplify the process of KYC by investors / RIs. Constant technology evolution has led to multiple innovative platforms being created. These allow investors to complete the KYC process online. SEBI held discussions with various market participants and based on their feedback, technology like Aadhar-based e-Sign service which can facilitate online KYC will now be used. This is done with a view to allow ease of doing business in the securities market.

4. New regulations allow Investor’s KYC to be completed through an online / App-based KYC. There is also provision for in-person verification through video, online submission of Officially Valid Document (OVD) / other documents under eSign. It allows the introduction of VideoKYC, which was also allowed by RBI for the banking sector earlier this year. (Click here< to read more about RBI Guidelines for VideoKYC)

5. SEBI registered intermediary may implement their own Application (App) for undertaking online KYC of investors. The App shall facilitate taking photographs, scanning, acceptance of OVD through Digilocker, video capturing in a live environment, usage of the App only by authorized persons of the RI.

6. The guidelines also allow RIs to undertake the VIPV(Video In-Person Verification) of an individual investor through their App. This is done to ease investor onboarding.

Digital KYC For The New Era

Signzy has developed an AI-based electronic KYC solution called RealKYC. It consists of a host of microservices that provide the following benefits to AMCs

  • Reduction of TAT: During investor onboarding, the traditional method of KYC collection involves the submission of a lot of documents and processing that is done by several departments and their officers. This can be a time-consuming process but with VideoKYC, the entire process is automated and can be done in a matter of minutes in real-time.
  • Lower Operational Costs: The onboarding process for a new investor can require several checkpoints that are cost-effective. There is significant manpower involved as well which also raises the cost of onboarding. All these factors can be automated with RealKYC, thereby reducing operational expenses.
  • Remote Onboarding: With RealKYC, there is no need for investors/entities to pay multiple visits to the physical branch for the processing of KYC. They can simply visit the website and submit all their documents as well as get the verification done, online.

Signzy’s VideoKYC solution offers a simple, secure KYC collection process that is 100% compliant with the latest SEBI Guidelines. The benefits include:

  • Compatibility With Most User Devices: This solution has matured over dialects, browsers and low-internet scenarios. This means that most users can undergo VideoKYC without any technical pain points.
  • Improved BackOps; Our Patented AI reduces 90% Backops effort, making onboarding of investors a smooth process.

Conclusion

KYC or Know Your Customer is a compulsory requirement for those wishing to invest in Mutual Funds. It is mandatorily needed by the Market Regulator SEBI (Securities and Exchange Board of India). This identification process needs to be undertaken only once. KYC was introduced to avoid fraudulent activities. eKYC for Mutual Fund was launched for the ease of investors.Digitization of KYC merely changes the mode of KYC collection and not the process.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

PDP Skepticism: Big Brother, Big Tech and a Sandbox

Posted on | by Signzian

The politics of data protection can be seen through three lenses. That of the government, the individual, and private companies. The concerns of all three have to be addressed to devise an effective data regulation framework. For the government, pressure is mounting to safeguard citizens’ personal data. However, it is their prerogative to preserve national security. This may require access to personal data to combat illegal activities like trafficking. Companies are grappling to strike a balance between compliance, personalization and interoperability. It then becomes the data regulator’s responsibility to safeguard personal data. But, without risking national security or hampering innovation and economic growth.

The Indian Personal Data Protection Bill (PDP) of 2019 is on the verge of becoming a law. So, questions on it’s power and compliance are at the fore. This blog addresses prominent questions on the bill in the global & national context:

  1. Would PDP compliance result in GDPR (General Data Protection Regulation of the European Union) violation?
  2. Does the bill itself threaten global cybersecurity?
  3. Will government mission creep grow as a side effect?
  4. Is innovation stagnancy a real possibility stemming from the bill?

A preliminary understanding of the data protection regulations in place in the EU and India is helpful. You can take a look at our article comparing the GDPR and PDP Bill.

Will complying with India’s PDP Bill mean violating the GDPR?

The intent of the regulations is identical. Both were created to safeguard data and privacy. But, their criteria for compliance is not. This means that if a company’s operation is compliant to the GDPR, it won’t necessarily be PDP compliant. To remain compliant the data fiduciaries will have to chart their course according to the standards of each framework. Both regulations have different requirements and prerequisites. The question is if compliance to any provision in the PDP is contradictory to the needs of the GDPR.

  • Many obligations overlap or are at different degrees on the same spectrum. But, the International Association of Privacy Professionals (IAPP) points out a problem. Indian companies may find themselves at a crossroads when processing data under the purview of the GDPR. If the data they collected was only on the basis of “contractual performance”.
  • This is one of the lawful bases that permits an entity to process data under the GDPR. The PDP does not list “contractual necessity” as a legal basis for processing. This is why the confusion arises. Many businesses in the online services environment heavily rely on this criteria to process personal data. It allows an entity to transfer data to another entity as a contractual obligation. For example, shipping a product requires the data to be shared with the deliverers and customs officials. Travel agents require the data be shared with the hotel or airlines.
  • This creates a grey area. Complying with one regulation may make it difficult not to violate the other. This is because swapping the lawful bases (to comply with the PDP) is not allowed under the GDPR.

It can be assumed that the data fiduciaries/ data controllers are not violating the GDPR when they change the lawful basis. Even then it will be a challenge for larger entities. For example: Companies with several foreign subdivisions. They will have to redefine, re-communicate, and re-implement processes. In particular, data collection, usage, & protection protocols for all parties involved in the data flow.

Does the Indian Personal Data Protection Bill threaten global cybersecurity?

PDP proposes banning re-identification of data. Cybersecurity and privacy researchers have revealed that this discourages researchers. They cannot thoroughly investigate security weaknesses, thereby encouraging cybercriminals to exploit them.

But, what is re-identification? First it’s important to define de-identification and its necessity.

When a company processes an individual’s data, algorithms are used to decouple sensitive details from identifying information. For example: medical records and traces of location separated from phone numbers and email addresses . This is de-identification.

Organizations can recover the link between the users’ identities and their data when required. The reverse process is called re-identification. This is a routine practice when done in a controlled environment designed for security by legitimate entities.

The risk is of malicious parties getting their hands on a de-identified database and re-identifying it. Data breaches and leaks are an increasing concern in our data-fied world. The PDP proposes to criminalize the process of re-identification without consent of user data. It’s called illegitimate re-identification. While this seems only logical, it may threaten global cybersecurity.

Researchers often perform meticulous cybersecurity tests and privacy guarantees without knowledge or consent of an organization. They act with public interest in mind and their work makes the digital world a safer place. The blanket ban could hamper research altogether. With risk of penalties and even jail time, security researchers would not partake in this testing for social good. Worse yet, software vendors might be tempted to instigate legal action against such researchers.

At India’s scale, impeding cybersecurity and privacy research could leave the cyber realm at large to malicious forces. This threatens global cybersecurity.

What exceptions are given to the government and what does this mean?

The bill gives the central government the power to exempt its agencies from the purview of this act. The purpose of revoking the regulations are vaguely defined. It can be

  1. In the interest of sovereignty and integrity of India or
  2. To preserve national security

This thereby eliminates the obligations of consent, accountability and transparency to ensure just processing of data. A regulation drafted for the protection of personal data can rid the government it’s duties and result in mission creep. This can give rise to a Big Brother like situation with the government morphing into a surveillance state under the guise of national interest. In the absence of a privacy law, it can be dangerous for the State to have access to all our personal data.

Are there any provisions for companies working on innovative data driven tech?

Companies are preparing to adapt to the new compliance requirements. But, there are growing concerns for tech companies:

  • Mounting operational expenses
  • Compliance constraints
  • Rising cost of doing business
  • Increase in barriers to entry

This could limit the ability of new competitors to enter the market. Restrictions on sharing data with third parties could make it difficult for companies to collaborate on data-driven innovation.

There is a massive flux of data across borders. Governments are increasingly considering data and digital infrastructure as integral to national security and economic growth. Developing economies in the past wanted to foster domestic auto production. Today, governments are focusing on endeavors to make their domestic tech industries thrive.

Governments are drafting policies on data infrastructure and technology. This includes data localization constraints, and limits on foreign investment on technology. The aim here by this is to foster innovation at a local level. Barriers and constraints have the tendency to prioritize national goals over global innovation. And so it is important to find the right balance between multiple objectives.

As a welcome counter to such provisions, the PDP introduces the concept of a “sandbox”. It gives the Data Protection Authority the power to modify provisions for certain data fiduciaries. Those that work for “innovation in artificial intelligence, machine-learning or any other emerging technology in public interest”. Under Section 40 of the PDP bill exemptions may be given as part of the sandbox. This includes relaxations. Specifying a clear purpose for data processing and collection may be relaxed. The limits to the period of data retention can be revoked.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Ankit Ratan, CEO-Signzy

 

1 6 7 8 9 10 11