A Guide to EU’s New AI Guidelines

The data economy can be a Catch-22. It can succumb to corporate surveillance capitalism on the one hand and an authoritarian digital “welfare” state on the other. The European Union (EU) positions itself as the alternative to both, and its strategy for regulating technology over the next decade is meant to set that precedent. Whether it succeeds is up for interpretation. On 19 February 2020, the European Commission (EC, the executive branch of the European Union) published a 26-page whitepaper on Artificial Intelligence (AI). The paper, titled “A European Approach to Excellence and Trust”, states the EC’s intent to regulate and advance AI.

This blog will explore the reach, requirements, and reservations of the guidelines the whitepaper introduces.

Reach: A Risk Barometer Approach

The whitepaper will have consequences for those using and developing AI, specifically for businesses that participate in the data economy. It is drafted to regulate AI effectively without being dictatorial, since strict measures could create a disproportionate burden for SMEs.

The paper defines AI as

“Systems that display intelligent behavior by analyzing their environment and taking actions — with some degree of autonomy — to achieve specific goals.”

However, the proposed requirements will mainly affect AI which is deemed “high-risk”. The EC enumerates this as AI that is:

“…deployed in health care, transport, energy and parts of the public sector, or if it is used in the employment sphere (for recruitment purposes or in situations impacting workers’ rights), or for remote biometric identification and other intrusive surveillance technologies.”

Given this definition and scope, the suggestions would not apply to advertising technology or consumer privacy. The assumption here is that risk can be finitely calculated. This leaves many contentious issues outside the purview of the guidelines, for example data brokers that leverage AI to predict identities and deliver hyper-targeted advertising.

It is anticipated that the new framework will have extraterritorial impact, like the GDPR.

Requirements: The Precursor to Compliance

The AI applications classified as high-risk would be regulated by the following key features. These center on safety, security, fairness and transparency:

  • Training data
    The paper reiterates that if there is no data, there is no AI. The decisions and performance of an AI depend on the data sets it has been fed and trained on. To ensure that the services or products the AI system enables are safe, the requirements dictate that it must be trained on a sufficiently broad data set. The training data must also be representative to avoid inadvertently coded discrimination, and the data collected must adhere to privacy and data protection standards, i.e. the GDPR. (Interested in reading more on the data protection regulations in place in the EU and India? Take a look at our article comparing the GDPR and PDP Bill.)
  • Data and record-keeping
    Considering the opacity and complexity of many AI systems, certain requirements are put forth to verify compliance and to allow potentially problematic decisions or actions by the AI to be traced back. The regulatory framework proposes that the following records be kept:
    a. Records related to the programming of the algorithm
    b. Data sets used to train and test the high-risk AI systems (when justified), along with a description of their main characteristics and the reason for their selection
    c. Documentation on the algorithm and the training methodologies adopted to build, test, and validate the AI
  • Information to be provided
    Apart from the above information, the AI system’s limitations and capabilities must be proactively provided, including the degree of accuracy with which the system can achieve a specific purpose. This information could be useful to those deploying the AI application. The whitepaper reiterates that citizens should be duly informed when they are interacting with an AI and not a real person. The details should be easy to understand, concise and objective.
  • Robustness and accuracy
    Across the AI system’s life cycle, it must correctly reflect its own degree of accuracy. The whitepaper mentions that the outcomes should be reproducible. The AI system must be able to deal with errors and inconsistencies, endure overt attacks, and be resilient against manipulated data.
  • Human oversight
    The AI system must be ethical and trustworthy. So as not to undermine human autonomy, the whitepaper insists on the AI being human-centric. This could manifest in different ways depending on the system’s purpose and functioning:
    a. Output is reviewed and validated by a human before it becomes effective. For example, human intervention is needed to approve a person’s KYC.
    b. Human intervention after the output has taken effect. For example, reviewing why the AI rejected a credit application after the decision was put into effect.
    c. Monitoring the operation of the AI system, with the possibility of intervening and stopping its functioning in real time. For example, a deactivate button in a driverless car.
    d. Constraints integrated during the design phase. For example, a driverless car will stop when visibility is low.
  • Specific requirements (Example: For AI applications used for remote biometric identification)
    The application of AI systems for functions such as facial recognition affects the fundamental rights of a citizen, for example the right to a private life and the protection of one’s personal data. Processing biometric data to uniquely identify a person can only be done in special circumstances with adequate safeguards. The whitepaper declares that the EC will begin a “broad European debate” on what these circumstances are and their justification.

Reservations: Missing the Mark

The proposed guidelines address issues of personal data protection and privacy rights, non-discrimination, and cybersecurity. But they seem to miss the perils of “low-risk” technologies, which are subject to weakened guidelines.

The whitepaper overlooks that the classification of low risk is not absolute; what is low risk in aggregate could actually be very risky for some. The harms of technology are often amplified to disproportionately affect the marginalized.

A draft version of the whitepaper was leaked in January. Held against that draft, the new criteria are feeble attempts to regulate the possible adverse implementations of AI. The draft proposed a prohibition, or what is called a “moratorium”, on facial recognition in public spaces for 5 years. The released guidelines, however, are merely a call for a “broad European debate” on facial recognition policy.

Stakeholders can give their insights on the whitepaper by 31st May 2020. The EC will start drafting legislation based on the proposal and feedback at the end of 2020.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Ease Customer Onboarding with the New Offline KYC Rules

RBI has unveiled the guidelines for ‘offline KYC’, a significant move towards reducing the woes of fintech companies and easing the customer onboarding process. These regulations have opened up new avenues for fintech companies to innovate in how they leverage the Aadhaar database.

Fintech startups have been desperate for modifications to the KYC process to make it easier to onboard customers remotely. In a statement from RBI, “Banks have been allowed to carry out online verification using Aadhaar identification of an individual who voluntarily uses their Aadhaar number for identification purposes.”

For offline KYC, companies can capture customer details using a QR code or an XML-based process laid out by the Unique Identification Authority of India (UIDAI), which manages Aadhaar, the biometric database of residents.

Following this move, RBI has added ‘proof of possession of Aadhaar number’ to the list of OVDs (Officially Valid Documents).

Let’s explore in depth what this move means for the consumers and the financial institutions.

Why Use Aadhaar Offline Paperless e-KYC?

Through Aadhaar offline KYC, UIDAI provides a mechanism to verify the identity of an Aadhaar card holder through an online electronic service. This e-KYC method facilitates authenticated, instant verification of identity and substantially lowers the cost of paper-based manual KYC.

This method is usable by all agencies who have the following:

  • Reliable internet connectivity.
  • The right technical infrastructure to call the online e-KYC service and deploy services at their end (as and when necessary).
  • A method to capture the biometrics of a resident.

UIDAI maintains each KYC request in a record to carry out audits.

The Merits of Aadhaar Paperless Offline e-KYC

Here are a few reasons why offline e-KYC is the right move toward a digital future:

Privacy of information

  • KYC data can be shared by the cardholders without the knowledge of UIDAI.
  • The Aadhaar number of the resident is not revealed. Only a reference ID is shared with the agency.
  • This offline verification method does not need any of the core biometrics, such as fingerprints or iris detection.
  • The Aadhaar cardholders get a choice of the data (within the demographics data and their photo) they want to share.

Security

  • When Aadhaar number holders download their Aadhaar KYC data, it is digitally signed by the UIDAI, so that fraud and tampering can be detected before the data is relied upon.
  • Any agency can validate the data with their own OTP or face authentication methods.
  • The Aadhaar number holders provide a phrase which is then used to encrypt their KYC data, allowing consumers more control over their data.

Inclusion

  • Aadhaar paperless offline e-KYC is a voluntary, number-holder-driven method.
  • Any agency can use this method for identification and verification with the approval of cardholders, allowing wide usage of the technology.

Any agency with the right infrastructure to support face identification using facial recognition, AI, and ML will be able to leverage this opportunity to its full potential and improve onboarding for remote customers.

How does Aadhaar Paperless e-KYC Work?

  • Aadhaar paperless e-KYC eliminates the need for cardholders to make a copy of their Aadhaar letter. Instead, they can download the KYC XML and provide that to the agency wanting to do their identity verification.
  • The agency will have to follow a detailed step-by-step procedure to verify the KYC details given by a resident.
  • The KYC details are captured and shared in a machine-readable XML format which is digitally signed by UIDAI to verify its authenticity.
  • The agency can choose to verify the customer through their own facial verification software.

The following fields are included in the KYC data when customers download it:

  • Resident name
  • Reference number for download
  • Address
  • Photo
  • Gender
  • Date of birth
  • Mobile number in a hashed format
  • Email in a hashed format

Aadhaar offline KYC data is encrypted using a ‘Share Phrase’ that the customer chooses at the time of downloading the data. The customer must share this phrase with the agency for it to read and access the data.

Read on here to learn the simple steps of downloading and accessing Aadhaar e-KYC data.

Adoption of e-KYC

The incorporation of offline KYC is a welcome step for fintech companies. However, some digital payment companies think the process is a bit complex compared with the biometrics or OTP based KYC that has been the present norm for authentication and validation.

Thus, companies believe the method could be difficult to scale. The guidelines, however, show a way to encourage mass adoption of offline KYC, in three ways:

  • Paperless XML
  • eAadhaar PDF
  • Secure QR code scan

Now, the payments industry is waiting for the incorporation of e-KYC norms for non-banks, following an order by the Department of Revenue on May 9. Under the current regulations, RBI prohibits e-KYC for any non-DBT (Direct Benefit Transfer or subsidy-linked) accounts.

For carrying out the customer identification of non-DBT beneficiaries, the REs (Regulated Entities) should obtain a certified copy of any OVD containing the details of their identity and address, along with one recent photograph.

Following the Supreme Court judgement on Aadhaar in 2018, and in order to address privacy concerns and limit data sharing, the use of offline KYC can surely be an innovative solution for identity verification, wherein verification can be done without sharing biometrics or even the Aadhaar number.


Written By:

Moni Gupta

 

Impact of RBI’s NSFI report on Different Indian Business Sectors

Need For Financial Inclusion

The Reserve Bank of India (RBI) has intricately planned out an ambitious strategy for financial inclusion till 2024. The National Strategy for Financial Inclusion report aims to fortify the ecosystem for various modes of digital financial services in order to create the necessary infrastructure to move towards a less-cash society by March 2022. While charting out the report for the period 2019–2024, RBI said, “Financial inclusion is increasingly being recognized as a key driver of economic growth and poverty alleviation the world over.”

Similar to conventional banks, other institutions like payments banks, small finance banks and co-operative banks, and other entities such as fertilizer shops and fair price shops, should encourage the use of digital transactions to uphold efficiency and transparency. The NSFI report outlines the need to increase the reach of banking outlets of scheduled commercial banks, payment banks, etc. to provide banking access to every village within a 5 km radius, and to hamlets of at least 500 households in hilly areas, by March 2020.

As global recognition grows and the United Nations Sustainable Development Goals (SDGs) position financial inclusion as a pivot for achieving sustainable development across the globe, countries are developing strategic policies to increase access to and usage of formal financial services.

One of the key objectives of the World Bank is to achieve Universal Financial Access by 2020 (UFA 2020). The intent behind this is to provide adults who currently aren’t part of the formal financial system with access to a transaction account to store money and to send and receive payments, so that they can manage their financial lives. (Universal Financial Access 2020, 2018)

To achieve this ambitious goal, the World Bank Group has committed to enable one billion people to gain access to a transaction account through targeted interventions. It also works with countries to fortify the following primary building blocks:

  • public and private sector commitment
  • initiation of legal and regulatory framework
  • strengthening financial infrastructure
  • interaction with regulatory bodies on a global scale to provide guidelines that will enable access to transaction accounts.

Objectives of Financial Inclusion:

  • To raise awareness and educate customers on financial services, the procurement of various types of products and their features.
  • An objective has been defined that every eligible and consenting adult enrolled under the Pradhan Mantri Jan Dhan Yojana will be provided with an insurance scheme and a pension scheme by March 2020.
  • Change attitudes to translate knowledge into behavior.
  • Help consumers get a clear understanding of their rights and responsibilities as consumers of financial services.
  • Enhance the reach of banking outlets to provide banking access to every village within a 5-km radius or a hamlet of 500 households in hilly areas by March 2020.
  • By March 2024, every adult should have access to a financial service provider through a mobile device.

Application of Financial Inclusion Across Various Business Sectors

The RBI has drafted the NSFI 2019–24 under the supervision of the Financial Inclusion Advisory Committee (FIAC). The report has been created on the basis of inputs and suggestions from the Government of India as well as other Financial Sector Regulators. The report has also been approved by the Financial Stability Development Council (FSDC).

The NSFI 2019–24 outlines the vision and primary objectives for financial inclusion policies in India to help expand and sustain the process on a national scale. This can be done through a broad convergence of action which includes all the major constituents of the financial sector. As such, certain focus areas have been identified across various business sectors which we will discuss below.

Micro, Small and Medium Enterprises (MSMEs):

  • MSMEs are the primary catalysts that drive the growth of the Indian economy. They contribute nearly 31% to India’s GDP and 45% to exports, and provide employment opportunities to more than 11.1 crore skilled and semi-skilled people.
  • An estimated 6.33 crore MSMEs are located in the country. Several initiatives have been undertaken to enable credit offtake in this sector.
  • A special capacity building programme named ‘National Mission for Capacity Building of Bankers for financing MSME Sector’ (NAMCABS) has been devised to familiarise bankers with the entire gamut of credit-related issues of the MSME sector.
  • Web portals like ‘Udyami Mitra’ and ‘PSB Loans in 59 Minutes’ have also been launched to provide easy access to credit. Trade Receivables Discounting System (TReDS) platforms have been set up to address the problem of delayed payments to MSMEs. In April 2015, the Pradhan Mantri Mudra Yojana (PMMY), an initiative to finance small business enterprises, was introduced to ensure that lending institutions would finance micro entrepreneurs up to ₹10 lakh. An interest subvention initiative has been launched for MSMEs to alleviate the cost of borrowing.

Agriculture:

  • In India, agriculture serves as the source of around 15 percent of GDP, 11 percent of exports and the livelihood of about half of the Indian population. The importance of the sector from a macroeconomic perspective is also reflected in the volume of bank credit that finances agricultural and allied activities relative to other sectors of the economy.
  • Banks have been mandated specific targets under priority sector schemes to give a thrust to agriculture financing from the formal sector. Currently, the target for agriculture lending under the priority sector for all domestic scheduled commercial banks and foreign banks having more than 20 branches is 18% of Adjusted Net Bank Credit (ANBC) or Credit Equivalent Amount of Off-Balance Sheet Exposure (CEAOBE), whichever is higher.
  • Within the 18 percent target for agriculture, a sub-target of 8 percent of ANBC or CEAOBE, whichever is higher, is prescribed for Small and Marginal Farmers. Banks have been advised to extend collateral-free loans to small and marginal farmers up to ₹1.6 lakh. To provide adequate and timely credit support from the banking system under a single window to farmers for their cultivation and other needs, an innovative product called the Kisan Credit Card Scheme (KCC) was launched in August 1998 as a flexible source of cash credit for easy access and delivery.

Banking:

  • RBI has adopted a bank-oriented system to strengthen financial inclusion. Banks were mandated to open branches nationwide, especially in under-banked pockets, which led to a considerable increase in bank branches and later Automated Teller Machines (ATMs) from the 1990s to the early 2000s.
  • Banks were instructed to draw up a road map for having banking outlets in villages with a population of more than 2000 (in 2009) and less than 2000 (in 2012). Subsequently, banks were advised to open brick-and-mortar branches in villages with populations of more than 5000. Banks were also advised to prepare Financial Inclusion Plans for a period of three years comprising key parameters, viz., modes of delivery of financial services, access to Basic Savings Bank Deposit Accounts (BSBDAs) and transactions via the Business Correspondent (BC) channel.
  • To fortify financial inclusion, RBI relaxed the branch authorization guidelines in 2017, wherein fixed-point Business Correspondent (BC) outlets serving for more than 4 hours a day and five days a week are treated in a similar fashion to branches with physical infrastructure. An exclusive fund, viz., the Financial Inclusion Fund (FIF), has been created to support adoption of technology and capacity building, with an initial corpus of ₹2000 crore.
  • As a measure to improve financial inclusion, RBI issued differentiated banking licenses, viz., Small Finance Banks (SFBs) and Payments Banks, in 2015. The objective of setting up SFBs was to further financial inclusion by providing a savings vehicle and a supply of credit to small business units, small and marginal farmers, micro and small industries and other unorganized sector constituents, through high-technology, low-cost operations. Payments Banks have been set up to provide small savings accounts and payments/remittance services to the migrant labour workforce, low-income households, small businesses and other unorganized sector entities and users.
  • In order to strengthen the business correspondent (BC) model of delivery and help prospective users identify BCs with a good service track record, the BC Registry has been launched under the aegis of the Indian Banks’ Association (IBA). For capacity building and to ensure certain minimum standards of service rendered by BCs, a BC Certification course through the Indian Institute of Banking and Finance (IIBF) has also been introduced.

Insurance:

  • The key initiatives undertaken in the insurance sector include increasing awareness among citizens of the benefits and appropriateness of insurance, and enabling greater availability of insurance products (including micro-insurance) by increasing the number of delivery channels, which include corporate agents as well as Common Service Centres.
  • Further, with the use of technology, Web Aggregators and Insurance Repositories have been established to provide ease of access to and storage of insurance policy details, enabling the issuance of insurance policies in electronic form.
  • To protect the interests of policyholders and build their confidence in the system, the institution of the Insurance Ombudsman has been created. The objective is to quickly dispose of grievances of insured customers and to mitigate the problems involved in the redressal of their grievances. To protect the interests of policyholders and customers catered to by insurance companies and intermediaries in the health insurance segment, separate guidelines have been issued.

Pension:

To monitor and control the National Pension System (NPS) and other pension schemes which are not subject to any other enactment, the Pension Fund Regulatory and Development Authority (PFRDA) was set up under the PFRDA Act, 2013. Some of the key initiatives undertaken in the pension sector include expansion of NPS via increased channels of distribution, developing efficiency of the officials of its intermediaries and increasing the awareness on old age income security and retirement planning. The regulatory authority has also leveraged technology in an effort to drive efficiencies & improve ease of access to NPS for the subscribers and service providers.

Future Scope of Fintechs in NSFI

The policies on financial inclusion would be incomplete if digital financial inclusion and the role of fintechs were not meaningfully integrated. While the Jan Dhan–Aadhaar–Mobile trinity has been a boon to the Indian economy over the last few years, adequate measures are needed to strengthen the ecosystem for digital financial services, including increased awareness of the usage of digital modes of transaction, more access points and acceptance infrastructure, and a safe environment incorporating the principles of consent and privacy.

Based on the report, it is expected that over the next few years, the fintech space may evolve from its present structure, calling for adequate understanding among regulators, financial service providers and most importantly the customers availing financial services through the digital mode. It is important to primarily address the newly-included digital customers through sufficient awareness and literacy.


Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Data privacy: the debacle & the debate (GDPR vs PDP)

In an increasingly data driven digital economy, Big Tech companies have an eye, ear, and finger on the pulse of billions.

Depending on how deep you’ve let Amazon, Facebook, and Google sync into your life (pun intended), the data these companies have access to has reached an increasing level of detail. The digital era has molded us into great liars when it comes to signing up to online sites. While complaining about how ridiculous it seems to identify traffic lights to prove we’re not robots, we mechanically lie about reading all the Terms and Conditions. By agreeing to the T&C we may have inadvertently let the company use and sell our data for reasons we weren’t aware of.

Contextualizing the need for personal data protection

In the past few years, the headlines have been replete with worrying instances from the digital world, from large-scale data breaches to controversial targeted political ad policies and inconclusive investigative hearings on privacy. The Facebook–Cambridge Analytica data scandal of 2018 exposed how unethically sourced personal data could be used for thought manipulation. Data of about 87 million Facebook users was inappropriately harvested by the political consulting firm Cambridge Analytica and used for electoral advertising.

The mammoth scale and global repercussions of this scandal altered the history of the privacy debate. It revealed the imperative need to have wide-scale legal mechanisms. A system needed to be enforced to regulate what data will be collected, what it will be used for, and how permission should be sought from its owners. Organizations would have to be held accountable to such provisions through a transparent legal process. These regulations were to be designed to protect the privacy and personal data of netizens and perhaps rein in the power and influence of giant tech companies.

Introducing EU’s GDPR and India’s PDP

The European Union set a precedent with the European General Data Protection Regulation (GDPR). The GDPR was adopted in 2016 and enforced from 25 May 2018. It is not a mere directive, but a regulation. This implies that it is directly binding and applicable, although it does allow individual member nations some flexibility to adjust the provisions. The GDPR is also not an Act, which means that its members have passed their own legislation based on the regulation.

In India, a regulation governing data privacy and data protection is set to be passed this year. The need stemmed from the 2017 Supreme Court judgement on the Right to Privacy. (Read our article on how the judgment impacted the digital world and the financial sector here.) A draft data protection bill was then composed by a committee headed by Justice B. N. Srikrishna. After about 2 years of contentious debate on the bill, during which it was floated for public feedback from stakeholders, it was tabled in the Indian Parliament on 11 December 2019. Currently, a joint parliamentary committee is scrutinizing the revised draft of the bill, codified as the Personal Data Protection Bill (PDP Bill). After this, it will be debated in the Indian Parliament and finally passed.

It is yet to be determined whether the Indian PDP Bill is closer to the EU’s progressive GDPR or to China’s policy of control. Either way, it has managed to irk both Big Tech companies and privacy advocates alike. Companies with data banks aren’t happy with the cost and hassle of compliance. They deem the bill as isolationist due to its restrictive certification requirements to operate in India. Privacy advocates highlight how the exceptions in the bill can lead to State excesses of control over our data. They warn of government mission creep. Mission creep is the gradual expansion of an intervention, here, it implies the dangerous possibility of the State having access to all our data in the absence of a Privacy Law.

This blog is an exploration of how the GDPR and PDP Bill are similar, yet different in various ways.

Coming to terms with the terminology

Before delving into specifics, it’s important to be acquainted with the terminology used in the legal mechanisms for data privacy. The two regulations also use different terms for the same entity:
  • Data processor: Any person or legal entity including the State who processes the data. This may consist of the data controller or data fiduciary itself or a third party.
  • Interestingly, the PDP Bill’s definition of personal data differs from the international definition in the GDPR.

Thematic classification of differences

The underlying principles and intent of the PDP Bill resemble the provisions enshrined in the GDPR. Aspects such as the need to have a clear purpose of processing personal data, consent requirements, personal rights, and the appointment of Data Protection Officers in organizations are closely adapted from the GDPR.

However, there are a range of differences between these two instruments of privacy. Here, the language and enforcement provisions aren’t compared, but the stance both mechanisms take on different issues.

These have been classified into the following themes:

1. Classification of data
Critical data has not yet been defined by the Indian government. Although the category resembles the list of “special categories” in the GDPR, the EU’s regulation defines what the category entails, while in India the government has the power to declare any data as critical data. Unlike India, the GDPR does not have separate localization rules for this type of data. This is explained below.

2. Data localization and cross border data flows

Data localization requires the collection, processing, or storage of certain types of data within the borders of the nation where the data was generated, before it can be transferred internationally.

GDPR stance

The aim of data protection frameworks is to protect data while safeguarding its free flow. The GDPR has no hard data localization conditions. It allows cross-border transfer of all types of data if the destination country has an adequate framework of data protection.

PDP Bill stance

On the other hand, the Indian regulation’s requirements seem to restrict data’s free flow.

  • Sensitive personal data: This category of data when collected, shared or disclosed to the data fiduciary in India has to be stored only within the borders of the State. It may be transferred beyond the territory of India for processing, subject to explicit consent and conditions.
  • Critical personal data: Strict data localization norms exist for this category of data. It can only be processed within the borders of India. The problem arises since this type of data has not even been defined yet.

Due to firm opposition, the 2018 draft was amended to dilute the data localization requirements (such as storing a mirror copy of all personal data in India). Yet the GDPR’s approach to handling data is considered more pragmatic, since it ensures data gets similar protection once it moves out of the jurisdiction of the regulation.

3. Right to restrict processing

The GDPR grants the data subject the right to limit the processing of their data. This means that the processing of personal data can be halted at an intermediate stage. This can be requested on grounds such as unlawful processing or data inaccuracy. The PDP Bill does not grant any such right to the data subject.

4. Right to not be subjected to automated decisions

The GDPR grants the right not to be subjected to automated decision-making, such as profiling. Profiling is the automated processing of personal data to assess certain things about an individual. This right gives the data subject the recourse of obtaining human intervention when a decision is made solely by automated processing and has legal consequences for, or similarly significantly affects, the individual.

For example, automated processing can be used to profile potential behaviour of an individual in a faster way. It is possible that the individual will not behave in the manner the results project. In that case, if such profiling affects the legal rights of the individual, the person can legally request human intervention.

The PDP Bill does not establish this right. While it encourages individuals to seek remedy through the courts in case of such discrimination, it does not empower an individual to decide how their data should be processed.

5. Storage limitation

The GDPR lays down specific exceptions for increasing the storage period of collected data. These exceptions include public interest, historical, scientific, and statistical reasons.

On the other hand, the PDP Bill mandates the explicit consent of the data principal to store data for a longer duration of time than is needed to satisfy the purpose for which it is collected. The GDPR does not necessitate this consent.

What does this mean for your organization?

The most contentious question is whether GDPR compliance implies PDP compliance. It is briefly addressed in this section to understand how these bills affect an organization’s compliance needs.

  • Areas such as the anonymization standards differ between the PDP Bill and the GDPR.
  • With no parallel of ‘critical personal data’ in the GDPR, companies will have to be careful with their processing of this classification for India.
  • Unlike the GDPR, the PDP Bill also mandates the explicit consent of the data principal to store data for a longer duration of time.

Such differences, and more, warrant that companies pay close attention to the compliance needs of the PDP Bill, even if they already meet the requirements of the GDPR.

Other interesting follow-up questions will be explored in our next blog in the PDP Bill series.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.
How to Safeguard Against Crypto Attacks?

Crypto attacks have surged in tandem with the rising popularity of digital currencies, emphasizing the need for robust security measures. To safeguard against these threats, users must employ multi-factor authentication, maintain updated software and wallets, and be cautious of phishing attempts. Educating oneself on the latest types of attacks and remaining vigilant while conducting transactions is crucial.

We’re just two months into 2018 and $2,653,302,364+ of real money has already been spent to buy virtual money. Cryptocurrencies, whether regulated or not, have buyers all over the world, even in countries where their status lies in limbo.

However, just like real money, virtual money is also being stolen. And just like real money investment scams, the virtual currency space, too, has its share of investment scams with cheats floating schemes promising lucrative returns and running away with all the money.

Let’s look at some of the most common crypto attacks and how regulation can bring them down.

ICOs and the Disappearing Act

ICOs (or Initial Coin Offerings) are a means of crowdfunding that allows new ventures/startups to raise capital without following the regulated processes and compliance required by venture capitalists, stock exchanges, and banks.

While cryptocurrency ICOs intend to raise money for building the proposed ground-breaking blockchain solutions, scamsters only use them to loot. Their modus operandi is the same: Announce an ICO. Lure investors. Collect the cash and disappear.

The Benebit scam is one such recent ICO scam. In its whitepaper, Benebit had proposed a revolutionary customer loyalty blockchain solution. But it did a runner with about 4M USD after someone reported that the photos on Benebit’s website had been stolen from a school’s website.

Phishing and Crypto Attacks & Thefts

When dealing with virtual currencies, customers face the same risks as they face when doing net banking. Cryptocurrency users are prone to all kinds of cyber attacks like phishing, password hacking, trojan software and others.

IBM’s X-Force research group states how cyber criminals have modified TrickBot, a banking trojan, to target cryptocurrency trading platforms by redirecting the virtual currency to their wallets during transactions.

Coincheck, a cryptocurrency exchange from Japan, was the victim of a cyber theft and lost $530 million of its users’ money. Another Japan-based bitcoin exchange, Mt. Gox, had in 2014 lost $400 million of its users’ funds. Although it promised to return the lost money, it ended up filing for bankruptcy.

Unlike traditional banks or card processing companies, cryptocurrency exchanges can’t do much to recover virtual currency.

Crypto Attack: ‘Cashing’ in on the Hype

When a technology is so new and disruptive as blockchain, it creates hype. A stream of scamsters use nothing but this hype and lure unsuspecting victims into investing their money.

The Suppoman scam is one such scam. A YouTuber scammed hundreds of his viewers by promising information on a “secret ICO” if they bought one of his paid Udemy courses and joined his Facebook mastermind group. To join this group and get access to the password, the viewers were required to pay $10.

Suppoman succeeded in creating such hype around the “secret ICO” that people started buying even his old Udemy courses so they could get the password. To the disappointment of the buyers, the secret ICO turned out to be Seele, a very popular ICO that everyone already knew of.

There are also instances where scamsters rebranded old cryptocurrencies and raised funds all over again, only to run away with the money.

Countries that accept (or the ones that haven’t banned) cryptocurrencies are working on creating regulations to protect the investors against such attacks.

Regulatory Red Tape on Cryptocurrencies

Treating cryptocurrency companies like any other financial institution and forming regulations for them will clamp down on, if not eliminate, most of the different crypto attacks.

Regulating to avoid tax evasion and ensure the money isn’t used for sponsoring shady activities: Subjecting cryptocurrency trading companies to stringent KYC, AML, user data privacy and other financial norms will help monitor the flow of fiat currency to crypto and vice-versa. This will also impose checks on issues like tax evasion.

In the US (where cryptocurrencies are undergoing rapid regulation), virtual currency trading companies are required to register as money services businesses with the Financial Crimes Enforcement Network, a part of the U.S. Treasury Department.

Regulating to prevent fraudulent ICOs from raising funds: Regulating how ICOs are released and what happens to the money in the case of non-delivery will protect investors from Ponzi virtual currency schemes.

Gibraltar is working on a law that will regulate Initial Coin Offerings (ICOs) in the British overseas territory. This law aims to regulate how ICO tokens are promoted, sold, and distributed. Sian Jones, a senior GFSC advisor, says the regulation will introduce the concept of “authorized sponsors,” who’d be “responsible for assuring compliance with disclosure and financial crime rules.”

Regulating to strengthen the security norms of cryptocurrency makers and trading companies: Regulating the security standards for companies that deal with cryptocurrencies will help prevent thefts.

When it comes to securing users’ money in banks, the RBI has issued as many as 24 best practices on user, software, asset, environment, and security management. It would be interesting to see whether the RBI could introduce comparable standards for cryptocurrency companies as well.

Regulation can pave the way for a safer and more secure cryptocurrency trading environment. Regulation will also handle the government’s key concerns such as financing illegitimate activities, money laundering, and terrorist financing related to crypto trading.
