What is GRC_India

What is Governance, Risk, Compliance (GRC)? Setup + Best Practices

🗒️  Key Highlights
  • GRC stands for Governance, Risk, and Compliance. It refers to how a business defines decision rules, manages risks, and ensures it follows relevant laws and internal standards.
  • KYC and onboarding are compliance-heavy workflows. GRC ensures those flows follow the rules, store the correct data, and flag risks early, especially when they are handled through APIs or digital tools.
  • You don’t need a single paid software to start GRC. You can use spreadsheets and task tools. But as you scale, the software helps automate tracking, reporting, access logs, and audit trails.

Every fast-moving finance business runs on one simple mechanism: decisions, actions, and consequences.

  • Who approved that payout?
  • Why was that vendor cleared?
  • Was that onboarding flow compliant? 

These questions don’t come up when things go right. 

…But they define everything when things don’t.

That’s where GRC steps in. 

Not as a cost center, not as a corporate ritual, but as a system that ensures critical decisions don’t rely on memory, mood, or muscle memory.

If you want to know how to structure it, run it, and make it part of your operations without slowing down what matters, this guide has everything you need to know and take-home trackers. 

Let’s start with nuts and bolts first.


Governance, Risk, Compliance (GRC), Explained

If you’re building in fintech, crypto, or anything that touches money, you can’t afford loose ends.

Not just in code or design but in how your company works behind the scenes. Who’s making decisions? What happens when things break? Are you following the rules that apply to you?

That’s GRC. Governance, Risk, Compliance. It’s more like the spine that keeps everything straight as you grow.

  • Governance → Defines who has the authority to make decisions, approve changes, sign contracts, manage funds, and access sensitive systems. Prevents overlap, confusion, and unauthorized actions.
  • Risk → Identifies threats like fraud, regulatory action, system downtime, and third-party failure, and sets up controls to reduce or respond to them.
  • Compliance → Tracks which laws, regulations, and standards apply (like RBI, SEBI, FATF, GDPR) and ensures internal processes, documentation, and product features meet those requirements. Includes audit readiness.

GRC is built so your team doesn’t get stuck fixing preventable problems. It’s what lets you move fast without crossing lines you didn’t even know existed.

Without GRC, you fix things when they break. With GRC, you avoid most breaks to begin with. Especially as you grow, it keeps operations stable while everything else scales. It is not a visible feature, but it keeps the engine clean.

How to Implement GRC in an Organization?

You do not need to over-architect the system, but it has to be deliberate. GRC is not something that happens in the background. It is something you set up intentionally. 

Here’s a comprehensive 6-step process to get running.

Step 1: Assign Clear Ownership

GRC does not work unless each component has a responsible owner. 

  • Governance is typically handled by senior leadership, such as the COO or board members, since it involves decision-making rules, oversight mechanisms, and accountability. 
  • Risk should be owned by operations or a product-risk team, depending on the business model. 
  • Compliance usually falls under legal or finance, especially in regulated sectors. 

These roles should be fixed, documented, and visible to the entire leadership team.

Step 2: Build a Live Compliance Inventory

The first tactical step is building a compliance inventory. This is a single document that lists every regulatory, legal, and operational requirement your company must follow. It should include authorities like RBI, SEBI, FIU-IND and the Income Tax Department, and any self-imposed obligations like contractual requirements from partners or investors. 

For each item, document the frequency, responsible owner, due date, and status. This should be reviewed every month and updated as rules evolve.

Look at this tracker, for example (the tracker image is not reproduced here). You can get this tracker template from the link on the original page; please read the disclaimer carefully before using it.

Step 3: Maintain a Risk Register

This register is a working document that makes your leadership aware of what could go wrong, how prepared you are, and where you need to act next.

In this, create a structured register of risks across the business. Include legal, operational, financial, cybersecurity, vendor, and reputational risks. Each risk entry should include a short description, its likelihood and impact rating, an owner, and the mitigation plan. Refer to the example below for a better idea.

The tracker is available from the link on the original page (check the second sheet). Once again, please read the disclaimer carefully before using it.

If a risk materializes, the register should also track the incident history and recovery steps.

Step 4: Apply Access and Change Controls

Every tool or system that handles data, money, or sensitive workflows must have permission layers. 

No one should get admin access without documented approval, and no access should go unmonitored. 

You should be able to review logs showing who accessed what and when. For workflows that involve financial decisions, refunds, reconciliations, or reporting, enforce a maker-checker system. One person performs, and another person verifies. 

This prevents internal fraud, misuse, and unintentional errors from going unnoticed.
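The maker-checker rule and the access log described in this step, written out as an added example (not code from the original guide or from Signzy). The roles, user names and the refund and payout requests are constructed; the point is that a single user holding both roles is still blocked from checking their own request, and that denied attempts land in the same audit trail as approved ones.

```python
"""Maker-checker (four-eyes) control backed by an append-only audit log.

Added example for this guide; it is not Signzy's code. Roles, user names
and the sample transactions are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    """One immutable audit record: who did what, to which request, when."""
    ts: str
    actor: str
    action: str        # SUBMIT, APPROVE, REJECT or DENIED
    request_id: str
    detail: str


@dataclass
class Request:
    request_id: str
    kind: str          # e.g. "refund", "payout", "reconciliation"
    amount: float
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"


class MakerChecker:
    """Every state change needs a role grant and is written to the audit log."""

    def __init__(self, roles: Dict[str, Set[str]]):
        # Explicit, documented grants: a user holds only the roles listed here.
        self._roles = roles
        self._requests: Dict[str, Request] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, request_id: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, request_id, detail))

    def _require(self, user: str, role: str, request_id: str = "-") -> None:
        # Denied attempts are logged too: reviewers want to see who tried what.
        if role not in self._roles.get(user, set()):
            self._log(user, "DENIED", request_id, f"missing role {role}")
            raise PermissionError(f"{user} lacks role {role}")

    def get(self, request_id: str) -> Request:
        return self._requests[request_id]

    def submit(self, user: str, request_id: str, kind: str, amount: float) -> Request:
        self._require(user, "maker", request_id)
        if request_id in self._requests:
            raise ValueError(f"duplicate request id {request_id}")
        req = Request(request_id, kind, amount, maker=user)
        self._requests[request_id] = req
        self._log(user, "SUBMIT", request_id, f"{kind} {amount:.2f}")
        return req

    def _decide(self, user: str, request_id: str, action: str, status: str) -> Request:
        self._require(user, "checker", request_id)
        req = self._requests[request_id]
        if req.status != "PENDING":
            raise ValueError(f"request {request_id} already {req.status}")
        # Separation of duties: holding both roles is allowed, using both on
        # the same request is not. This check is what makes it maker-checker
        # rather than a two-click form.
        if user == req.maker:
            self._log(user, "DENIED", request_id, "maker cannot check own request")
            raise PermissionError("maker cannot approve or reject their own request")
        req.checker, req.status = user, status
        self._log(user, action, request_id)
        return req

    def approve(self, user: str, request_id: str) -> Request:
        return self._decide(user, request_id, "APPROVE", "APPROVED")

    def reject(self, user: str, request_id: str) -> Request:
        return self._decide(user, request_id, "REJECT", "REJECTED")


def run_sample() -> MakerChecker:
    """Constructed walk-through: a refund approved correctly, then a user who
    holds both roles is stopped from approving their own payout."""
    mc = MakerChecker({"asha": {"maker"}, "ravi": {"checker"},
                       "ops_lead": {"maker", "checker"}})
    mc.submit("asha", "REF-1001", "refund", 1500.0)
    mc.approve("ravi", "REF-1001")
    mc.submit("ops_lead", "PAY-2001", "payout", 250000.0)
    try:
        mc.approve("ops_lead", "PAY-2001")
    except PermissionError:
        pass                        # logged as DENIED; request stays PENDING
    mc.reject("ravi", "PAY-2001")
    return mc


if __name__ == "__main__":
    for e in run_sample().audit:
        print(e.ts, e.actor, e.action, e.request_id, e.detail)
```

In a real system the audit list would be a write-only sink (an append-only table or a log shipped off the host) that the application cannot edit, so that the "who accessed what and when" review in this step is independent of the people being reviewed.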

Step 5: Define Protocols for Incidents

You need a basic response plan for the most common categories like: data breaches, financial errors, system outages, regulatory notices, or internal fraud. These plans should define who is responsible, what steps are taken immediately, who is informed, and whether reporting to regulators or partners is required.

This can be stored in a simple internal document. Everyone involved in operations, tech, or compliance should be trained on it once per quarter. The aim is to avoid delays and miscommunication during high-pressure events.

Step 6: Conduct Internal Reviews Quarterly

Set a fixed schedule to review GRC functioning across departments. 

Each quarter, review the compliance tracker, governance logs, risk register, and access controls. 

  • Check what was missed, what got delayed, and what changed. 
  • Document the gaps. Assign fix owners. 
  • Set a 30-day resolution period for anything that affects compliance or customer trust.

These reviews don’t need to be formal audits. But they need to be routine, structured and followed through. Like infrastructure, GRC stays strong only when it is maintained.

Best Practices to Implement GRC

A structured GRC system is good. But what keeps it working week after week is operational hygiene. Beyond the core setup, there are specific habits and decisions that make the difference between a GRC program that exists on paper and one that actually holds up under pressure.

Read these four best practices we’ve compiled. 

  1. Regulations should live close to your product, not just in legal docs: Maintain a product-to-regulation mapping. For every customer-facing flow (like onboarding, lending, payments), clearly link the governing rule, circular, or internal policy. Update this during every major release cycle. This avoids accidental non-compliance with product updates.
  2. Regulatory updates should be treated as version changes, not alerts: Set a fixed monthly slot to review new circulars, enforcement trends, and legal shifts. Assign a team member to summarize what changed, what’s relevant, and what needs action. Tag affected workflows and assign follow-ups.
  3. Compliance tasks need to show up where work happens, not in static files: Use task management tools like ClickUp, Notion, or Trello to assign and track compliance activities. Each task must have an owner, deadline, and proof-of-work link. Reminders and missed-task visibility should be built in by default.
  4. Vendor risks should be logged and monitored like internal ones: For every third-party tool, partner, or contractor with access to sensitive data or systems, maintain a basic vendor risk profile. Note compliance clauses, data handling risks, and SLA violations. Review high-risk vendors quarterly. Keep contracts easily retrievable.

The tighter your internal processes get, the more your external systems need to keep pace. When workflows like onboarding, Video KYC, and risk checks become routine, they should not rely on manual checks or scattered tools. That’s where APIs step in for consistency and control.

Whether it’s checking if your information is compromised in data breaches or verifying identities during onboarding, these compliance checks are foundational steps in how trust is built, and risk is managed.

Signzy’s suite of APIs is designed to support that shift. Quietly, in the background, where structure matters most.


Complying With RBI’s New MNRL Guidelines: 11 Key Questions Answered

🗒️  Key Highlights
  • When financial institutions verify a number against MNRL, they can detect whether it has been permanently disconnected (and possibly reassigned) and prevent fraud before it happens.
  • Without this check, banks might unknowingly send OTP codes and account reset links to fraudsters instead of legitimate customers.
  • If your business processes transactions, credit approvals, or KYC using mobile numbers, MNRL compliance is a must.

A mobile number is supposed to be personal. But what happens when it isn’t?

A number gets deactivated. The telecom provider reassigns it. Now, someone else has access to messages, calls, and possibly sensitive financial details that weren’t meant for them. 

Meanwhile, banks and fintechs continue sending OTPs, approving transactions, and verifying users, without realizing the number is no longer in the right hands.

This is why RBI released the new MNRL guidelines on January 17, 2025.

If your operations rely on mobile numbers for customer verification, onboarding, or transactions, you need to comply with these guidelines by March 31, 2025.

If you’re still unsure about what this means, we’ve answered the 11 most common questions below.

Let’s dive in.

1. What is the Mobile Number Revocation List (MNRL)?

The Mobile Number Revocation List (MNRL) is a database of permanently deactivated numbers that financial institutions must check before linking them to customer accounts. It’s published every month on the Digital Intelligence Platform (DIP), with data sourced from telecom operators under DoT’s guidelines.

Think of it as a reference list of numbers that should not be used for financial transactions because they were permanently deactivated. 

Banks, NBFCs, and fintechs must cross-check their customer numbers against MNRL to avoid fraudsters sneaking into their systems.

Ignoring this list means taking a huge risk (e.g., unauthorized transactions, money mules, and regulatory penalties). Financial businesses that rely on mobile authentication can’t afford to skip this check.

2. Why has RBI made MNRL compliance mandatory?

Fraudsters have too many tricks when it comes to mobile numbers. Some use SIM swap fraud to intercept OTPs, others register fake numbers with banks, and some exploit old, reassigned numbers to access financial accounts.

Until now, financial institutions had no standardized way to check if a number was permanently deactivated. MNRL provides a centralized list to help them clean up outdated records.

If a bank sends an OTP to a number that has changed hands, the risk of unauthorized access increases. Money moves fast, and reversing fraudulent transactions is nearly impossible.

So, the RBI stepped in. MNRL is now a hard requirement. Financial institutions must verify numbers against MNRL to prevent fraudulent activity and remove flagged numbers from their database.

3. Which businesses must follow MNRL regulations?

Anyone handling financial transactions linked to mobile numbers. That includes:

  1. Banks (Commercial, Small Finance, Payment Banks, Cooperative Banks)
  2. NBFCs (Including lending startups, housing finance, and microfinance companies)
  3. Payment Aggregators & Wallets
  4. Credit Information Companies
  5. Loan and BNPL providers

If mobile numbers are part of customer onboarding, transaction verification, or fraud prevention, MNRL compliance is non-negotiable. 

Even fintech startups running KYC checks must integrate this.

And no, it doesn’t matter if a company is big or small, if it holds a financial license, it must comply.

4. How can banks and fintechs access the MNRL database?

There are two ways to check numbers against MNRL:

  1. Manual lookup: Financial institutions can log into the Digital Intelligence Platform (DIP) and check numbers one by one. Not ideal for businesses with large customer bases. It’s slow and requires constant updates.
  2. Automated API integration: The smarter option. Signzy offers an MNRL API that instantly verifies numbers in real time. This lets businesses automate the process and flag risky numbers before they cause trouble.

For high-volume businesses, manual checking isn’t practical. Fraud prevention needs speed, and an API integration removes the human delay.

5. What is the deadline for MNRL compliance?

RBI has set March 31, 2025, as the deadline for financial institutions to implement MNRL compliance. By this date, banks, NBFCs, fintechs, and payment aggregators should integrate MNRL checks to ensure they are not processing transactions or sending OTPs to deactivated numbers, reducing the chances of account misuse.

6. What’s the fastest way to meet MNRL compliance before the deadline?

The March 31, 2025 deadline is fast approaching, and businesses must act immediately. The quickest way to get everything in place is to automate the process with an API instead of relying on manual checks.

Here’s how to speed things up:

  1. Integrate an MNRL API: Use Signzy’s MNRL API to eliminate manual verifications and automatically screen numbers in real time. This ensures flagged or deactivated numbers don’t slip through during customer onboarding or transactions.
  2. Run a bulk database check: Cross-check all existing customer numbers against MNRL to remove flagged entries.
  3. Update internal workflows: Ensure new customer onboarding and transaction approvals include automatic MNRL checks.
  4. Remove disconnected numbers and define what happens next: Fraud and risk teams need a documented procedure for handling flagged numbers (blocking OTPs, re-verifying the customer) so the numbers cannot be misused in the meantime.

Rushing compliance at the last minute creates operational bottlenecks and increases risks. Automating verification now ensures seamless compliance without disrupting business.

7. How does MNRL actually prevent fraud?

Most fraudsters don’t use their real names or IDs. They rely on burner numbers and stolen identities to trick financial institutions.

MNRL helps prevent misuse by ensuring financial institutions do not process transactions using:

  • Deactivated numbers that may have been reassigned
  • Long-inactive numbers that could be exploited for fraudulent activities

For financial institutions, this means fewer fake KYC approvals, fewer hacked accounts, and fewer fraudulent transactions.

A flagged number should be immediately blocked from being used for banking, credit applications, or payments. Without this check, businesses are basically inviting fraudsters to exploit their system.

8. What happens if a bank or NBFC doesn’t comply with MNRL regulations?

RBI has set strict penalties, and financial institutions that ignore MNRL risk:

  • Telecom restrictions: Banks or fintechs that keep using risky mobile numbers may have their telecom resources (SMS/call services) suspended for up to 2 years, per TRAI’s commercial communication rules. That means no customer outreach, no OTPs, no transaction alerts.
  • Regulatory action: Institutions that fail to clean up their databases may face audits, penalties, or even restrictions on business operations.
  • Fraud liability: If a fraud happens due to an unverified number, the institution could be held responsible. This includes legal consequences, financial losses, and brand damage.

Most fintechs and banks run on trust. Customers won’t think twice before switching if they feel their data or transactions aren’t secure. As a result, MNRL compliance becomes necessary.

9. Can financial institutions still call customers using regular phone numbers?

No. RBI has enforced strict numbering rules to eliminate fraud calls and scams. Banks and NBFCs can no longer make transactional or promotional calls from ordinary 10-digit mobile numbers.

Here’s how calls must be handled:

  • Service & Transactional Calls: Must come from the ‘1600xx’ series (this will be activated soon).
  • Promotional Calls: Must use ‘140xx’ series.
  • No regular 10-digit mobile or fixed-line numbers should be used for any official communication.

This prevents fraudsters from spoofing customer care numbers and tricking people into revealing sensitive details.

10. Does MNRL only apply to banks, or do fintech startups need to comply too?

Every financial institution that relies on mobile numbers for authentication or transactions must comply, including fintechs, lending startups, and payment service providers.

A common misconception is that only large banks are affected. That’s not the case. Even startups offering BNPL (Buy Now Pay Later), microloans, or prepaid wallets need to check customer numbers against MNRL.

This regulation is especially relevant for fintechs, since many of them onboard customers using digital KYC, where fraudsters often exploit loopholes. Many also depend on SMS and call-based authentication, which can be hijacked if numbers aren’t verified. So yes, MNRL compliance is a must even if you are a fintech.

11. Can businesses manually verify numbers instead of using an API?

Technically, yes. Practically, it’s a nightmare.

Manual verification involves logging into the DIP platform and checking numbers one by one. This might work for small businesses with a few dozen customers, but for banks, NBFCs, and fintechs handling thousands or millions of transactions, manual checks don’t scale.

Here’s why API integration is the only logical choice:

  • Verification checks: API solutions validate numbers before transactions or onboarding.
  • Automated monitoring: The system can continuously screen customer databases for newly flagged numbers.
  • Faster fraud prevention: Fraudsters move fast. An automated system catches them before they cause damage.

For high-volume businesses, manual checks are slow, error-prone, and impossible to maintain at scale. An API automates this seamlessly, running checks in real time without disrupting operations. 
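The bulk check and workflow gate from question 6 and the monthly monitoring from question 11, as an added example (not Signzy’s MNRL API and not code from the original FAQ). The revocation list, the customer records and the number formats are constructed; a real integration would load the monthly MNRL from DIP, or call a provider’s API, in place of SAMPLE_MNRL_TEXT. The part worth noticing is normalisation: customer databases store the same number as "+91-98765-43210", "09876543210" or "9876543210", and a lookup that skips this step silently passes revoked numbers as clean.

```python
"""Screen customer mobile numbers against an MNRL snapshot.

Added example for this FAQ; it is not Signzy's MNRL API. The revocation
list, the customer records and the number formats are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple


def normalize_in_mobile(raw: str) -> Optional[str]:
    """Canonical 10-digit Indian mobile number, or None if it cannot be one.

    Both the revocation list and the customer data go through this before
    comparison, so "+91 98765 43210" and "09876543210" match each other.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 14 and digits.startswith("0091"):
        digits = digits[4:]
    elif len(digits) == 12 and digits.startswith("91"):
        digits = digits[2:]
    elif len(digits) == 11 and digits.startswith("0"):
        digits = digits[1:]
    # Indian mobile numbers are 10 digits starting with 6, 7, 8 or 9.
    return digits if len(digits) == 10 and digits[0] in "6789" else None


def load_mnrl(lines: Iterable[str]) -> Set[str]:
    """Parse a CSV-like MNRL dump; first column is the number, rest is ignored."""
    revoked: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number = normalize_in_mobile(line.split(",")[0])
        if number:
            revoked.add(number)
    return revoked


def screen_customers(customers: Dict[str, str], mnrl: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Bulk check (Q6 step 2): bucket every customer as revoked, invalid or clean."""
    result: Dict[str, List[Tuple[str, str]]] = {"revoked": [], "invalid": [], "clean": []}
    for customer_id, raw in customers.items():
        number = normalize_in_mobile(raw)
        if number is None:
            result["invalid"].append((customer_id, raw))      # needs manual review
        elif number in mnrl:
            result["revoked"].append((customer_id, number))   # block OTP, re-verify
        else:
            result["clean"].append((customer_id, number))
    return result


def may_send_otp(raw: str, mnrl: Set[str]) -> bool:
    """Inline gate for onboarding and transaction flows (Q6 step 3).
    Malformed numbers fail closed: no OTP goes to something we cannot parse."""
    number = normalize_in_mobile(raw)
    return number is not None and number not in mnrl


def newly_revoked(previous: Set[str], current: Set[str]) -> Set[str]:
    """Monthly monitoring (Q11): numbers that entered the list since the last run."""
    return current - previous


# Constructed sample data; not real MNRL content.
SAMPLE_MNRL_TEXT = """# number,reason
9876543210,permanently disconnected
+91 98111 22233,permanently disconnected
"""
SAMPLE_CUSTOMERS = {
    "C1": "+91-98765-43210",   # revoked, stored with country code and dashes
    "C2": "09811122233",       # revoked, stored with trunk prefix
    "C3": "91 9000012345",     # clean
    "C4": "12345",             # malformed, must not be treated as clean
}


def run_sample() -> Dict[str, List[Tuple[str, str]]]:
    mnrl = load_mnrl(SAMPLE_MNRL_TEXT.splitlines())
    return screen_customers(SAMPLE_CUSTOMERS, mnrl)


if __name__ == "__main__":
    for bucket, entries in run_sample().items():
        print(bucket, entries)
```

Run the bulk screen once against the full customer base, then re-run newly_revoked against each monthly snapshot so that only the delta needs fraud-team attention; the invalid bucket is a data-quality finding in its own right, because a number that cannot be parsed cannot be checked.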

Signzy’s MNRL API enables financial institutions to automate verification, ensuring customer numbers are screened against the latest MNRL dataset. This helps businesses prevent fraud, maintain clean databases, and stay compliant without manual intervention.

To know more about Signzy’s Mobile Number Revocation List API, book a demo here.

New VPN Norms – Government’s Take On Privacy

VPN has always been a subject of debate in India. 

As per AtlasVPN’s report, India had over 348 million VPN downloads in 2021. Despite that popularity, a parliamentary standing committee recommended a VPN ban in India in 2021, citing security concerns. The ban did not happen, but the Indian government has since introduced new VPN norms, aimed mainly at VPN companies rather than users. 

In April 2022, the Indian Computer Emergency Response Team (CERT-In) issued directions requiring VPN companies in India to collect and store customer data for at least five years. 

Unsurprisingly, these new VPN norms are creating a lot of buzz. How will this new law affect VPNs? How will it impact users? Are VPNs illegal in India? Lots of questions are arising. 

To answer all your questions, we’ve compiled everything you need to know about the new VPN norms in India. But before digging deeper, let’s start with the basics: What is a VPN? 

What Is A VPN?

A virtual private network (VPN) is a technology that lets you connect securely to a private network over a public one. It creates an encrypted tunnel between your device and a VPN server, so that anyone sitting between the two (your ISP, a public Wi-Fi operator) sees only encrypted traffic and cannot read it.

With a VPN, you can access websites that are blocked in your country or get around censorship (many countries run firewalls that block specific sites), secure remote work, and hide your real IP address from the sites you visit.

What Are The New VPN Norms?

The key takeaways from the new VPN rules are:

  • According to the new rules, all VPN providers must collect and store user data (user names, physical address, email address, and phone numbers) for at least five years. 
  • VPN companies also have to keep a log of the reason behind using the service. 
  • VPNs should record all the IP addresses used by users to register. 
  • Along with VPN services, virtual private server (VPS) providers, data centres, and cloud service providers have also been required to keep track of and store similar user data. 
  • VPN services must report cybersecurity incidents to CERT-In within six hours of becoming aware of them. 

What Is the Government’s Take On These New VPN Norms?

The main purpose of the government behind imposing these new VPN rules is to improve the “cyber security posture” and ensure people have access to a “safe and trusted internet”.

The CERT also informed that they had identified gaps in safeguarding against online threats. That’s why they’ve published the new norms to prevent cyber attacks. 

“If you are a VPN provider, if you are a data centre operator, if you are a cloud provider, and if you’re an enterprise, you have an obligation to know who’s using your VPN infrastructure… If there is a detected cyber incident or cyber breach — from one of the people using your VPN or your cloud or your data centre, it is your obligation to produce the data.” – Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology

How The New VPN Norms Impact Users & Companies 

The new rules received a lot of backlash from VPN companies. After all, the whole point of a VPN service is not to collect users’ personal information. 

The new norms will force these companies to store customer data which will increase costs and affect user privacy. 

India is among the top 10 VPN-using countries in the world. Companies and individuals use VPN services to access private networks safely, stay anonymous, and more. 

Several techies, students, and companies use VPNs to protect their data from third-party apps.

But under the new norms, they must go through a KYC process when registering for a VPN. So all VPN users will have their private data available to the government. 

It is also unclear how the government may use this data in the future. This raises a concern about the right to privacy for every individual. 

The Internet Freedom Foundation said the new norms lead to more concerns, such as the private enterprises and government “having more data than necessary”.

Several VPN companies, including NordVPN, ProtonVPN, Surfshark, and ExpressVPN, have said that they do not plan to follow the newly imposed rules in India. After all, privacy is the main reason users pay for their premium plans. 

Several VPN companies have said they will continue to offer their no-logs policy to users and have threatened to pull their services out of India. 

The Bottom Line 

Despite all the backlash from cybersecurity experts, stakeholder companies, and business advisory groups, the Indian government is firm on its new VPN norms. 

“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out.” – Rajeev Chandrasekhar,  Union Minister of State for Electronics and Information Technology

Privacy experts have sought public consultation on this matter, asking for more tech industry involvement to find a solution that works for everyone. Lastly, it will be interesting to see whether VPN companies manage to implement the new norms before the deadline of September 25, 2022.   

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs, easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.
You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

What’s All The Fuss About The Digital Personal Data Protection Bill 2022?

The Ministry of Electronics and IT (MeitY) has released the Digital Personal Data Protection Bill 2022, and the government is currently seeking public feedback through consultations. The Bill is intended to lay out the procedures and guidelines for data collection by businesses, and the rights and obligations of “digital nagriks,” or citizens.

The Bill also establishes severe penalties for violating its provisions; these will be determined by the Data Protection Board of India, which the new law sets up. Board orders may be contested in a High Court.

 

The Data Protection Bill Focuses On Seven Fundamental Principles

The Bill’s explanatory note states that it is founded on seven principles. The first is that organizations must use personal data in a way that is legitimate, fair to the individuals involved, and transparent to individuals.  The second principle states that personal data must only be used for the purposes for which it was collected. The third principle discusses data minimization, while the fourth principle emphasizes data accuracy when it comes to collection.

The fifth principle states that personal information cannot be stored perpetually by default and should only be kept for a specific time. According to the sixth principle, there should be enough protections to guarantee that no unauthorized collection or use of personal data occurs.

The seventh principle is accountability: the person who determines the nature, scope, and means of processing personal data is liable for that processing.

 

Defining Definitions- What Data Principal And Data Fiduciary Implies

The person whose data is being gathered is referred to throughout the Bill as the “Data Principal.”

The purpose and means of processing an individual’s data are determined by the “Data Fiduciary,” which may be a person, business, government agency, or other entity.

The Bill also provides that for children, defined as all users under 18, parents or legal guardians will be treated as the Data Principal.

According to the law, all data by or in connection to which an individual can be identified is considered personal data. Processing is the full range of processes that may be applied to personal data. According to the Bill, data processing would include data collection and storage.

The measure also guarantees that people should have access to essential information in the languages included in the Indian Constitution’s eighth schedule. Furthermore, the Bill stipulates that consent must be obtained from the subject before their data is processed and that each individual should be aware of the specific personal data that a Data Fiduciary wishes to collect and the purposes for such collection and further processing.

Additionally, the notification of data collection must be written in language that is both explicit and understandable. Additionally, people can revoke their consent from a data fiduciary.

 

Two Rights Of Action- The Rights To Erase Data And To Nominate

Data Principals can request the deletion and updating of data that the Data Fiduciary has acquired. They can also nominate a person to act on their behalf in case of death or incapacity.

The Bill also gives individuals the right to complain to the Data Protection Board about a Data Fiduciary if they do not receive a satisfactory response from the business.

 

What Are The Relevant Data Fiduciaries In Data Protection?

Furthermore, the Bill refers to Significant Data Fiduciaries, who handle a sizable amount of personal data. The Central government will decide who falls under this group based on various considerations, including the amount of personal data collected, the risk of harm, and the potential impact on India’s sovereignty and integrity.

The Bill’s explanatory note states that this category must fulfill additional duties to permit wider scrutiny of its actions.

Such organizations will be required to designate a “Data protection officer” to act on their behalf. They will serve as the focal point for grievance redress. They must also choose an impartial data auditor to assess their compliance with the statute.

 

Financial Punishments And Penalties

The draft also proposes harsh penalties for businesses that experience data breaches or fail to notify customers when breaches occur. Entities that do not implement “reasonable security safeguards” to prevent personal data breaches could face fines of up to Rs 250 crore.

 

Data Protection For Data Transfer Across International Borders

The measure also permits storing and transferring data across international borders to certain notified countries and territories. 

The memo further states that the Central Government would consider essential criteria before such notification.

Bottom Line

The government may also exempt specific enterprises from complying with the Bill’s provisions based on the number of users and the volume of personal data the firm collects. This takes into account domestic startups, which had complained that the previous version of the Bill was compliance-intensive.

 

KYC And Cybersecurity: Protecting Data From Cyber Fraud

Traditionally, cyber threats were largely confined to attacks on computer systems and networks. With digital transformation, however, cyberattacks now target people and businesses at an unprecedented rate.

According to Accenture’s State of Cybersecurity Resilience 2021 report, cyber threats increased by over 30% from 2020 to 2021. Cyber fraud is fast becoming one of the biggest threats to today’s businesses, with the cost of cybercrime predicted to hit $10.5 trillion by 2025.

KYC And Cyber Fraud

KYC fraud occurs when a cybercriminal uses stolen or fake identity documents to open an account or obtain credit in someone else’s name. This type of fraud can have devastating consequences for both the individual and the business involved.

Fraudsters can trap customers easily by offering services that are too good to be true or by using phishing techniques to obtain sensitive information such as login credentials or financial data. Once they have this information, they can use it to commit identity theft, take out loans in the victim’s name, or make unauthorized purchases.

Types Of KYC Frauds

  • Phishing: Phishing is one of the most common types of cyberattacks. It involves fraudsters masquerading as legitimate entities in order to trick victims into divulging sensitive information.
  • Identity Theft: Identity theft occurs when a criminal obtains and uses someone else’s personal information, including their name and address, to take out loans, make purchases, or apply for credit.
  • Smishing: Smishing is a type of social engineering fraud that involves sending phishing text messages to unsuspecting recipients. This technique can be used to trick people into revealing their login credentials, banking details, or other sensitive information.
  • Fake Re-KYC: Fake re-KYC scams are becoming increasingly common as businesses are required to update their customer records on a regular basis. In this type of fraud, fraudsters pose as representatives from a legitimate organization and request that customers provide updated KYC information, such as their passport or driver’s licence details.

KYC Data Breach

Despite the importance of KYC in cybersecurity, data breaches remain a very real threat. Recent instances of KYC data breaches include CDSL’s KYC arm, which reportedly exposed the personal and financial data of more than 40 million investors twice within just 10 days.

Additionally, the Upstox data breach exposed the personal data of about 2.5 million customers, leading to a probe by the RBI’s cybersecurity team. To protect the data from cyber fraud and cyberattacks, it is important to implement robust KYC procedures and invest in state-of-the-art cybersecurity tools and systems.

Following the incident, Ravi Kumar – the co-founder and CEO of Upstox (India’s largest brokerage firm), stated on the company’s website: “We would like to assure you that your funds and securities are protected and remain safe. Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP.” 

KYC And Cybersecurity

Know Your Customer (KYC) has become a vital part of any business’ cybersecurity strategy, as it helps to weed out potential cyber fraudsters and protect customer data. Consumers are vital stakeholders in any cybersecurity strategy, and businesses must take steps to help them protect their personal information online.

There are many KYC best practices that businesses can implement to help protect themselves from cyberattacks, including:

  • Implementing multi-factor authentication (MFA)
  • Conducting regular background checks on employees
  • Keeping up-to-date with the latest security threats
  • Educating employees on cybersecurity risks
  • Implementing strong password policies
  • Monitoring employee activity for suspicious behavior
  • Restricting access to sensitive data
  • Encrypting customer data
  • Backing up data
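
As an added illustration of three items on that list (multi-factor authentication, strong password policies, and restricting and monitoring access to sensitive data), here is a small Python example. It is not Signzy’s code and is not part of the original post; the role names, KYC field names, sample record and common-password list are constructed for the example, and the thresholds (a 12-character minimum, more than 20 sensitive-field reads within five minutes) are assumptions, not figures taken from the article.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# ---- MFA second factor: HOTP (RFC 4226) and TOTP (RFC 6238), HMAC-SHA1, 6 digits ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a counter value, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """Time-based code for the 30-second step containing Unix time `at`."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps (clock drift), constant-time compare."""
    base = at // step
    return any(hmac.compare_digest(hotp(secret, base + d), code) for d in range(-skew, skew + 1))


# ---- Password policy (constructed deny-list; a real one would use a breach corpus) ----

COMMON_PASSWORDS = {"password1234567", "welcome12345678", "qwerty123456789"}


def password_ok(pw: str, min_len: int = 12) -> Tuple[bool, str]:
    """Length, deny-list and character-class checks; returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, "too short"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "common password"
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        return False, "needs 3 of: lower, upper, digit, symbol"
    return True, "ok"


# ---- Restricted, audited access to sensitive KYC fields (assumed field and role names) ----

SENSITIVE: Set[str] = {"pan", "aadhaar_last4", "passport_no"}
ROLE_CAN_READ: Dict[str, Set[str]] = {
    "kyc_analyst": SENSITIVE | {"name"},
    "support": {"name"},
}


@dataclass
class KycStore:
    records: Dict[str, Dict[str, str]]
    audit: List[dict] = field(default_factory=list)

    def read(self, actor: str, role: str, rec_id: str, fld: str, now: int) -> Optional[str]:
        """Return the field only if the role allows it; every attempt is logged, allowed or not."""
        allowed = fld in ROLE_CAN_READ.get(role, set())
        self.audit.append({"t": now, "actor": actor, "rec": rec_id, "field": fld, "allowed": allowed})
        if not allowed:
            return None
        return self.records[rec_id][fld]

    def suspicious_actors(self, window: int = 300, limit: int = 20) -> Set[str]:
        """Actors with more than `limit` successful sensitive-field reads inside any `window` seconds."""
        by_actor: Dict[str, List[int]] = {}
        for e in self.audit:
            if e["allowed"] and e["field"] in SENSITIVE:
                by_actor.setdefault(e["actor"], []).append(e["t"])
        flagged = set()
        for actor, ts in by_actor.items():
            ts.sort()
            for i in range(len(ts)):
                j = i
                while j < len(ts) and ts[j] - ts[i] <= window:
                    j += 1
                if j - i > limit:
                    flagged.add(actor)
                    break
        return flagged
```

The TOTP routine reproduces the RFC 6238 reference vector (secret `12345678901234567890`, Unix time 59 gives `287082` at six digits), so it can be checked against any standard authenticator app. The store logs denied reads as well as allowed ones, because a support-role account repeatedly probing PAN fields is exactly the “suspicious behaviour” the monitoring item on the list is meant to surface.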

Gaining Trust Of All Stakeholders

According to research, 88% of customers say that their trust in a business depends on how it handles their data and the security it offers.

Anil Advani, from Pure VPN, believes that cybersecurity is the means to gain the trust of customers and stakeholders alike. By implementing strong KYC policies and best practices, businesses can help protect their customers from the growing threat of cyber fraud and data breaches.

He says, “Due diligence is a routine part of any acquisition. Identity verification is very important these days due to an increase in cybercrime. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.”

Pairing Cybersecurity With Regulatory Requirements

Dan Blum, Principal Consultant at Security Architects Partner, believes that businesses must pair their cybersecurity efforts with regulatory requirements to be fully compliant.

“Service providers must protect the value of customer’s information systems or data, as well as customer privacy rights using sound, risk-based cybersecurity practices as a matter of due diligence. KYC requirements must be aligned and balanced with a good understanding of the laws and business requirements,” he stated.

He believes that organizations should also consider conducting independent security audits regularly to identify potential vulnerabilities. These audits can help organizations understand where they need to improve their cybersecurity posture and make the necessary changes to mitigate risk.

The Bottomline

In conclusion, as data breaches continue to plague businesses of all sizes, it is more important than ever for organizations to implement robust KYC procedures and invest in state-of-the-art cybersecurity tools and systems. By following the best practices outlined above, businesses can help protect their customers’ personal information online and gain the trust of all stakeholders.

