Welcome to our Regulations category, a comprehensive resource meticulously designed to assist you in navigating the intricately woven tapestry of regulatory norms governing the fintech industry. With regulatory frameworks being in a state of constant evolution, staying abreast of the latest changes is crucial for businesses and professionals operating within the financial sector.
The articles housed within this category delve deeply into an expansive range of regulatory topics. We explore everything from the shifts in KYC/AML guidelines to the influence of data privacy legislations on financial institutions. Our aim is to provide a multi-faceted understanding of these regulatory transitions and the implications they carry for businesses.
At Signzy, we recognize the significant role regulatory compliance plays in the financial industry. Our innovative solutions are crafted with a keen eye on the most recent regulatory requisites. Our aim is to help businesses remain compliant without having to sacrifice efficiency or compromise on delivering exceptional customer experiences.
Whether you’re a compliance officer diligently ensuring that operations align with regulations, a fintech entrepreneur navigating the challenging waters of the industry, or a professional immersed in the financial sector, our Regulations category offers invaluable insights into the ever-changing regulatory landscape.
We cordially invite you to join us as we embark on an exploration of the world of fintech regulations. Through our articles, we aim to provoke thought, spark discussion, and provide guidance on how to navigate the complex regulatory environment effectively. Join us on this enlightening journey as we untangle the intricate web of regulatory norms shaping the world of fintech.
The Reserve Bank has always tried to remain adaptable in changing times. Its directive to use a video-based customer identification process (V-CIP) for know your customer (KYC) procedures is the latest evidence of this. The announcement came as an amendment to its Master Direction on 10 May 2021.
V-CIP uses facial recognition technology to identify the customer. It can also include an authorised official from the regulated entity (usually an RM) performing live customer due diligence, with the customer's informed consent, for verification. This is far more convenient, secure, and seamless, since the whole process is an audio-visual interaction between the RM and the customer.
What Is The RBI’s Directive?
The Reserve Bank requires regulated entities (REs) to use V-CIP in Customer Due Diligence (CDD) for:
New individual customer onboarding.
Proprietors (proprietorship firms).
Beneficial Owners (BOs) and authorised signatories of legal entity customers.
The directive also applies to other RBI-regulated entities, including banks, payment system operators and NBFCs. Updating KYC for existing customers, and for customers who opened accounts through non-face-to-face modes (using Aadhaar OTP-based e-KYC verification), is also to be done through V-CIP.
The RBI provides guidelines setting a minimum standard for all REs, so that banks and financial institutions maintain baseline cybersecurity for V-CIP. These require REs to:
House all technology infrastructure in the RE's own premises.
Use secured network domains as the origin of V-CIP connections.
Ensure that any outsourcing of technology associated with the process complies with the respective RBI guidelines.
Maintain end-to-end encryption of information between the V-CIP hosting point and the customer's device.
Obtain auditable and alteration-proof customer consent.
Create a transparent workflow and SOP (standard operating procedure) for all V-CIP related processing.
REs should appoint specially trained officials to operate the V-CIP process. These officials record audio-video and obtain photographs (mostly in real time) of the customers whose identification is to be verified.
These officials can obtain the customer's identification information through offline or OTP-based Aadhaar e-KYC verification. They can also retrieve the required information from CKYCR or an equivalent OVD e-document repository through DigiLocker.
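The requirement above to obtain "auditable and alteration-proof customer consent" is the kind of control that is easy to claim and hard to evidence. The block below is an added example, not Signzy's or the RBI's code, of one way an RE could store consent captured during a V-CIP session so that any later edit or deletion is detectable: each record carries the SHA-256 of its predecessor, and the chain head is authenticated with an HMAC key held by the RE and stored apart from the records. The field names (customer_ref, session_id), the key, and the sample records are assumptions constructed for the example; the customer reference is deliberately an RE-internal identifier, not the Aadhaar number.

```python
"""Tamper-evident consent audit trail.

Added example, not Signzy's or the RBI's code. It assumes (not stated on the
page) that each consent record is canonical JSON carrying the SHA-256 of its
predecessor, and that the chain head is authenticated with an HMAC key held
by the regulated entity (RE) and stored apart from the records.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class ConsentRecord:
    seq: int
    captured_at: str    # ISO-8601 UTC timestamp of the consent capture
    customer_ref: str   # RE-internal reference (hypothetical), never the Aadhaar number
    session_id: str     # V-CIP session identifier (hypothetical)
    consent_text: str   # exact consent wording shown to and accepted by the customer
    prev_hash: str      # SHA-256 of the previous record, GENESIS for the first


def record_hash(rec: ConsentRecord) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same fields always hash identically.
    payload = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self.records: list[ConsentRecord] = []

    def head_hash(self) -> str:
        return record_hash(self.records[-1]) if self.records else GENESIS

    def append(self, customer_ref: str, session_id: str, consent_text: str,
               captured_at: str | None = None) -> ConsentRecord:
        rec = ConsentRecord(
            seq=len(self.records),
            captured_at=captured_at or datetime.now(timezone.utc).isoformat(),
            customer_ref=customer_ref,
            session_id=session_id,
            consent_text=consent_text,
            prev_hash=self.head_hash(),
        )
        self.records.append(rec)
        return rec

    def seal(self) -> str:
        """HMAC over the chain head. Keep the seal apart from the records so that a
        rewrite of the whole chain, including its last record, is still detectable."""
        return hmac.new(self._key, self.head_hash().encode("utf-8"), hashlib.sha256).hexdigest()

    def verify(self, seal: str) -> tuple[bool, str]:
        """Walk the chain, then compare the recomputed seal with the stored one."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != expected_prev:
                return False, f"chain broken at record {i}"
            expected_prev = record_hash(rec)
        if not hmac.compare_digest(self.seal(), seal):
            return False, "seal mismatch: ledger head altered or truncated"
        return True, "ok"


def tamper_record(ledger: ConsentLedger, index: int, new_text: str) -> None:
    """Simulate an after-the-fact edit of one stored record (demonstration only)."""
    ledger.records[index] = dataclasses.replace(ledger.records[index], consent_text=new_text)


if __name__ == "__main__":
    ledger = ConsentLedger(hmac_key=b"demo-key-held-by-the-RE")  # constructed key
    ledger.append("cust-ref-001", "vcip-session-01", "I consent to V-CIP video KYC.")
    ledger.append("cust-ref-002", "vcip-session-02", "I consent to V-CIP video KYC.")
    seal = ledger.seal()
    print(ledger.verify(seal))   # (True, 'ok')
    tamper_record(ledger, 0, "I withdraw consent.")
    print(ledger.verify(seal))   # (False, 'chain broken at record 1')
```

The chain alone catches edits to any record that has a successor; editing or dropping the last record leaves the chain internally consistent, which is why the seal over the head is kept separately (in practice, written to a store the V-CIP application cannot rewrite, or countersigned by an auditor). The same structure serves the timestamped audit trail for each video interaction that the product list later in this page mentions.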
How Will It Impact The Sector?
Many financial institutions have already taken up V-CIP as an additional layer of protection against fraudsters and scammers. The RBI's amendment of the Master Direction will encourage more institutions and REs to adopt V-CIP. Players that are usually hesitant will adopt the technology for their own benefit, and even the traditionally slow-to-adapt government sector banks and NBFCs will follow suit.
The change affects not only the REs and institutions but also the customers, in a rather positive fashion. With the pandemic looming over the country, every individual desires to be safe and to avoid in-person interactions. With this directive, the REs and financial institutions are compelled to help solve this issue: with remote V-CIP methods, customers face no health risk from the process.
Additionally, no customer prefers the extra time spent commuting and the plethora of documentation formalities that follow in legacy CDD systems. V-CIP makes the journey easier, preferable and convenient for the customer, while saving the REs and their employees time and resources.
But it is important to be aware of how REs avail V-CIP services from Regtech firms. When it comes to such crucial aspects it is always safe to bet on reliable and supportive companies for assistance.
Why Signzy?
Signzy is a 'no-code AI platform' for financial services. No matter how complex a workflow or an operation, Signzy can completely automate the back-office operations and decision-making processes into a real-time API. Signzy's range of V-CIP related products is efficient and reliable in a class of its own.
Some of the features Signzy’s V-CIP and Video KYC products have are:
Real-time OVD verification
Matching face on ID with face in the video (with % confidence score)
Unlimited video storage and instant retrieval
Geo-location capture and IP check
End-to-end encryption for video, channel, and communication
Video forensics for pre-recorded risk and spoof detection
Digital forgery check on the displayed ID proof
Customer identity verification through offline Aadhaar XML
Seamless and interactive UI for live video interaction
Timestamp and audit trail for every application and video interaction
Signzy’s V-CIP services and products are 100% in compliance with all the RBI regulatory guidelines and directives. This is essential as all REs are supervised for the right compliance practices and Signzy offers to negate all possible complications. Signzy’s solutions are easy to use with immediate responses which make it fast and efficient.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
The base for data privacy and protection is crucial for an upcoming data-driven economy like India. India hosts almost 450 million Internet users and a consistent growth rate of 7–8%, as per Forbes. The transition to a digital economy is radically underway. However, this implies that the processing of personal data is already on the verge of becoming universal.
The population of mobile phone users in India has already crossed the 750 million mark. This number is expected to reach 490 million by 2022. As a result, personal data and information become available in the public domain. Sources estimate that India has about 390 million millennials and about 440 million in Generation Z, which follows the millennials.
The Gen Z generation processes data faster. The most common use of this data is for mobile applications like Snapchat, Vine, and so on, apart from the usual popular social media apps. This leads to the creation of huge amounts of personal data about an individual, be it personal, behavioral, attitudinal, or financial, which can be used for illegal and nefarious purposes, as happened with Cambridge Analytica. Hence, data privacy will be of paramount importance in the coming years for governments across the world, specifically to protect their citizens.
The IT Act 2000 — The First Ancestor Of Data Privacy
Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate that possesses, deals with, or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected.
The Government of India has ratified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules provide guidance on the protection of "sensitive personal data or information of a person". This consists of personal information relating to:
Passwords;
Financial information, such as bank account, credit/debit card or other payment instrument information;
Physical, physiological, and psychological health conditions;
Sexual orientation;
Medical records and history;
Biometric data.
Section 72 of the IT Act sets out the penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act or the Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document, or other material and, without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with a fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.
While the IT Act 2000 was not officially cleared for regulating data privacy in India, it can be considered the stepping stone that laid the foundation for future legislation.
The Supreme Court Ruling of 2016 — Amendment Of Data Privacy In Aadhaar Act
In 2016, India amended its biometric identification system, known as Aadhaar. This enabled both the government and private entities to collect an individual's ID number for any purpose. Human rights advocates decried this as a violation of privacy, and there was a lot of concern and growing uncertainty surrounding this authorization. However, businesses in India continued to require ID numbers for certain services, and the ID numbers were also used for consumer profiling and targeted advertisements.
The Supreme Court of India amended the 2016 Act which enabled private businesses to ask for customer ID numbers for any purpose. The Supreme Court was required to ascertain the validity of the provisions of the Aadhaar Act. The objective was to verify if the act was contrary to the right to privacy. This was later established as a fundamental right by the Supreme Court in 2017.
Key Findings in the Judgement
The judgment was unanimous, with all nine judges concurring in the final order. However, six judges (Justice Chandrachud, Justice Nariman, Justice Chelameswar, Justice Kaul, Justice Sapre, and Justice Bobde) wrote separate opinions covering a wide range of issues.
The key points of the judgment are summarized below:
(a) Privacy — A Fundamental Right
The Supreme Court confirmed that the privacy rights of an individual are a fundamental right. It does not need to be separately articulated. It can be considered as a derivative of articles 14, 19, and 21 as mentioned in the Constitution of India. It is a right that subsists as a fundamental consequence of the right to life and liberty. It protects a person from the scrutiny of the State in their home, of their whereabouts, etc.
The same applies to more personal choices like reproductive choices, food habits, etc.
(b) Necessary But Not Absolute Right
The Supreme Court also highlighted that the fundamental right to privacy is not absolute. It will always be subject to considerable restrictions. The State can impose restrictions on the right to privacy to protect justifiable State interests. This can only be done by satisfying the three-pronged test summarized below:
There must be a law that justifies the encroachment on privacy.
There must be a legitimate State aim or requirement, which ensures that the nature and content of the law are reasonable and that it guards against arbitrary State action.
The measures taken by the State must be in tune with the objectives sought to be fulfilled by the law.
The Personal Data Protection Bill — India’s First Step To Legalize Data Privacy
Backdrop of The PDP Bill — How it came about
The Supreme Court observed during its judgment that privacy of personal data and facts is an essential aspect of the right to privacy.
Based on this, the Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee led by retired Supreme Court judge B.N. Srikrishna, hence named the Srikrishna Committee. On 27 July 2018, the committee submitted an extensive draft, now known as the Personal Data Protection Bill. India is now set to have a comprehensive personal data protection law. On 11 December 2019, MeitY introduced the Personal Data Protection Bill (PDP Bill) in the Lok Sabha as Bill No. 373 of 2019.
The Birth Of PDP — India’s Data Privacy Bill
The PDP Bill seeks to provide for the protection of the personal data of individuals. It also intends to create a framework for processing such personal data. To do so, the bill proposes the establishment of a Data Protection Authority.
Key Takeaways of The PDP Bill
The following are the salient features of the Bill:
The PDP Bill is meant to improve data handling and data privacy in a way that is similar to the European Union’s GDPR.
The PDP Bill emphasizes the need to create a Data Protection Authority (DPA), similar to the data protection authorities of the European Union's member states. The bill also defines the categories of sensitive personal data that require protection.
The PDP Bill defines ‘data fiduciary’. It also proclaims the various obligations for them. These are based on how they shall obtain, deal/process, and retain personal data.
If the PDP Bill becomes law, businesses would be required to inform users about their data collection practices and obtain the customers' consent for them. It would be their responsibility to collect and store evidence that such notice was given and consent was received. Consumers would have the ability to withdraw their consent, which means that businesses would have to design systems that allow clients to withdraw consent.
The PDP Bill gives consumers the power to access, edit, and delete their data after the same is processed to fulfill its objective. As such, the businesses would have to create ways to allow consumers to do so.
The PDP Bill enables clients to transfer their personal data, including any inferences businesses have made based on such data, to other businesses.
The PDP Bill mandates all businesses to make changes on an organizational level to protect data better.
How PDP Inevitably Led To NPD
The PDP Bill stipulates that the Central Government can direct a data fiduciary or a data processor to provide anonymized personal data or non-personal data.
This can be done “to enable better targeting of delivery of services or formulation of evidence-based policies by Central Government”.
It was based on this that in September 2019, MeitY formed a committee of experts led by the co-founder of Infosys — Kris Gopalakrishnan. The purpose of the committee was to draft a framework to regulate non-personal data (NPD).
The NPD Framework
As stated above, the Indian government is considering a framework to regulate non-personal data (NPD). The Committee released its report on 12 July 2020 for public consultation/feedback.
A Brief Overview
The NPD framework could affect the entire value chain just like PDP. The impact could range from creators of tech services and products to enablers and consumers. The NPD framework will require companies to obtain user consent. This has to be done before anonymizing data and using it.
NPD includes data generated through online transactions. These can be orders through delivery platforms or any online service. The data is anonymized and all personal identifiers are removed. This data is then harnessed to enhance the quality of service, ML algorithms, and other technologies.
Non-Personal Data Authority — The New Player
There is an apparent need to regulate the collection, processing, storage, and sharing of NPD. For this, the Committee recommends the formation of a separate Non-Personal Data Authority (NPDA). The details of how the NPDA would be constituted still need to be worked out.
As of now, the Committee has highlighted that the NPDA should have some members with relevant industry experience. The Data Protection Authority (DPA) under the PDP Bill protects personal data. Similarly, the NPDA is meant to protect the value of NPD.
The NPDA should work simultaneously with the DPA. The same applies to other sectoral regulators like the Competition Commission of India. The Committee also advises that NPDA should play the roles of both enabler and enforcer.
As an enabler, the NPDA should ensure that NPD is available for various social, public, and economic purposes, in particular by acting on legitimate NPD sharing requests. Other areas include:
Regulate and supervise NPD sharing agreements between relevant stakeholders
Supervise the market for NPD.
As an enforcer, the NPDA should oversee the provisions of the proposed NPD legislation. This will include:
Regulating Data Businesses
Mandating the sharing of NPD in certain circumstances
Setting standards and certifying frameworks, including for NPD sharing
NPD safety
Anonymization of PD.
Introduction Of “Data Business”
Under the NPD framework, the Committee advises that private and public sector entities that collect NPD be required to register as a Data Business, subject to meeting certain criteria set by the NPDA. For entities that do not meet these criteria, registration will be voluntary. The Committee further recommends that registration be a one-time event, with a lightweight and fully digital process. The entities must provide details of their function, including the type of data they collect, process, and use, and the manner and purpose of that use. To streamline the process, these disclosures will be made alongside those relating to PD under the PDP Bill, where applicable.
PDP and NPD — Similar Grounds
Similar to the classification of personal data under the PDP Bill, the Committee classifies NPD into three categories: general, sensitive, and critical. The framework also requires businesses to obtain user consent before anonymizing even NPD. For example, if a cab aggregator wants to aggregate rider travel data from a section of its user base to derive insights, it would need consent from each rider in the cohort. Executing this is bound to create practical challenges for companies and will make analytics a lot more complicated for tech companies as well.
Key Stakeholders of NPD — An Elaborate Overview
The Report lists the following roles for potential players within the NPD framework:
(i) Data Principal — In the case of Public NPD and Private NPD, this is the person (individuals, companies, communities) to whom the data relates. In the case of Community NPD, the community that is the source of the NPD would be the Data Principal. This is similar to the categorization of a data principal under the PDP Bill, in relation to PD, with Data Principals being allowed to exercise significant control and economic rights over their NPD.
(ii) Data Custodian — This is the person who undertakes collection, storage, processing, and use of NPD. Data Custodians may be public or private sector entities who process NPD, such as government ministries, telecom companies, or e-commerce entities. Data Custodians must comply with requirements under the NPD Legislation, such as adopting prescribed anonymization standards. NPD must be used by Data Custodians in a manner that is in the ‘best interest’ of the Data Principal. They have a ‘duty of care’ to the individual or community from which NPD has been collected. This principle is similar to that of a data fiduciary under the PDP Bill, which lays down specific obligations to be undertaken by the data fiduciary with respect to the data rights of the Data Principal.
(iii) Data Trustee — This is the person through which a community exercises its data rights and who takes action to protect the community against any collective harm arising from the use of Community NPD. In most instances, the Data Trustee will be the closest and most appropriate representative body for a community and may be a government agency at any level (such as the Ministry of Health for data on diabetes in India). However, it could also be a citizens’ group (such as a residents’ welfare association for local data) or a civil society organization. There is no clarity provided as to how a Data Trustee would be identified, the eligibility criteria for such an entity, or whether the community data principals play a role in identifying the Data Trustee; this is to be provided under the NPD Legislation.
(iv) Data Trust — This is an institutional structure bound by rules for handling a specific set of NPD. Such trusts may hold NPD which may be voluntarily shared by Data Custodians, or mandatorily shared NPD on the basis of orders from the government or Data Trustees (as described below in Section 8). However, the Committee has provided very little insight as to how Data Trusts will function, including how such trusts will be constituted, who determines its members, and its role in the NPD ecosystem.
Impact Of NPD — What This Means For Businesses
Tech companies or organizations that meet the currently undefined threshold of collected or processed data will be considered ‘data businesses’ under the proposed framework.
Such businesses will be subject to a host of compliance requirements, including registration, monitoring of operations, and disclosure obligations. They will have to submit metadata about the data they collect to open-access ‘meta-data directories’, essentially sharing data about the data they collect.
Based on the above, anyone can query the business for their dataset. Quite obviously, there is a fear that even small companies and startups processing data could qualify as data businesses. Another point of concern is that they would be subject to an excessive compliance and data-sharing framework. This would increase operational and data storage costs and hinder the ability of startups to develop their services.
The proposed framework could hamper business prospects by imposing mandatory sharing and a higher compliance burden. Given the absence of a global benchmark for NPD regulation, proposing specific legislation and a regulatory body for NPD without adequate consultation may be premature.
KYC regulations have critical implications for consumers in the financial space. Banks need to comply with KYC to limit fraud. However, KYC requirements for banks are often passed down to those with whom the banks do business.
KYC In Banking — The Base: The Bank Secrecy Act
KYC requirements for banks help them verify the identities of their clients. It is also a way to assess any potential risks of forming a business relationship with them. The goal of KYC is to prevent banks from being used, intentionally or not, for money laundering and other illegal activities.
In 1950, the Federal Deposit Insurance Act was passed to monitor the Federal Deposit Insurance Corporation (FDIC). The bill included a list of regulations that banks must comply with in order to remain insured by the FDIC. This event was crucial to forming the foundation of modern KYC laws.
In 1970, the U.S. Congress introduced the Bank Secrecy Act. The BSA is an amendment to the Federal Deposit Insurance Act. It requires banks to produce 5 types of reports to FinCEN and the Treasury Department:
Currency Transaction Reports (CTR): This covers any cash transaction that exceeds $10,000 in one business day. The total can be made up of multiple transactions.
Suspicious Activity Reports (SAR): This report covers any cash transaction in which a customer violates BSA reporting requirements.
Foreign Bank Account Report (FBAR): Any U.S. citizen or resident with a foreign bank account of at least $10,000 is required to file an FBAR each year.
Monetary Instrument Log (MIL): Banks must keep a record of all cash purchases of monetary instruments. This includes money orders, cashier’s checks, traveler’s checks, etc.
Currency and Monetary Instrument Report (CMIR): Any person or institution that physically transports monetary instruments in excess of $10,000 into or out of the United States must file a CMIR.
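The CTR rule above is stated per business day and explicitly allows the $10,000 to be reached across several transactions, so a check that looks at each deposit on its own will miss reportable activity. The block below is an added example, not FinCEN's rules text or Signzy's code, of the aggregation step over a handful of constructed cash-deposit records. It assumes a business day is the calendar date of the transaction timestamp (a simplification; a real system would use the institution's own business-day calendar), and it uses Decimal for amounts so that totals are exact.

```python
"""Per-customer, per-business-day cash aggregation for CTR candidates.

Added example, not FinCEN's or Signzy's code. Threshold: "exceeds $10,000 in
one business day", possibly across multiple transactions (from the page).
Assumption: business day = calendar date of the transaction timestamp.
"""
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

CTR_THRESHOLD = Decimal("10000.00")  # CTR applies strictly above this amount

# Constructed sample records: (customer_id, ISO timestamp, cash amount in USD)
SAMPLE_TRANSACTIONS = [
    ("C-100", "2024-03-04T09:15:00", "6000.00"),
    ("C-100", "2024-03-04T15:40:00", "4500.00"),   # same day: 10,500 in total
    ("C-200", "2024-03-04T10:00:00", "10000.00"),  # exactly 10,000: does not "exceed"
    ("C-300", "2024-03-04T11:00:00", "7000.00"),
    ("C-300", "2024-03-05T11:00:00", "7000.00"),   # split across two days: no CTR
    ("C-400", "2024-03-05T12:30:00", "12000.00"),  # single transaction over threshold
]


def business_day(timestamp: str) -> str:
    """Map a transaction timestamp to its business day (assumed: calendar date)."""
    return datetime.fromisoformat(timestamp).date().isoformat()


def aggregate_cash(transactions):
    """Sum cash amounts per (customer, business day)."""
    totals = defaultdict(Decimal)
    for customer, timestamp, amount in transactions:
        totals[(customer, business_day(timestamp))] += Decimal(amount)
    return dict(totals)


def ctr_candidates(transactions, threshold=CTR_THRESHOLD):
    """Return (customer, day, total) for every day-total strictly above the threshold."""
    totals = aggregate_cash(transactions)
    return sorted(
        (customer, day, total)
        for (customer, day), total in totals.items()
        if total > threshold
    )


if __name__ == "__main__":
    for customer, day, total in ctr_candidates(SAMPLE_TRANSACTIONS):
        print(f"CTR candidate: {customer} on {day}, cash total {total}")
```

Two of the constructed records are there to show the edges: C-200 sits exactly on the threshold and is not reportable under the "exceeds" wording, and C-300's two deposits fall on different business days, so neither day crosses the line even though the two-day sum does. Aggregation is the first step only; a reporting system would still have to tie the day-total back to the individual transactions and the identified customer (the CIP data discussed below) before filing.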
The ABCs of KYC — The Major Focus Of Patriot Act
KYC laws were launched in 2001 as part of the US Patriot Act. The law was passed after 9/11 to provide a means to hamper terrorist behavior.
The particular section of the Act that pertained specifically to financial transactions added requirements and enforcement policies to the Bank Secrecy Act of 1970 that had thus far regulated banks and other institutions. These changes had been in the works for years before 9/11. The terrorist attacks finally provided the thrust needed to enforce them.
Thus, Title III of the Patriot Act requires that financial institutions deliver on two requirements for stricter KYC. These two are the Customer Identification Program (CIP) and Customer Due Diligence (CDD).
CIP — The First Pillar Of The Patriot Act
CIP is the more straightforward of the two components, and likely more familiar.
To comply with CIP, a bank asks the customer for identifying information. Each bank conducts its own CIP process, so a customer may be asked for different information depending on the institution. An individual is generally asked for a driver’s license or a passport.
Information requested for a company might include:
Certified articles of incorporation
Government-issued business license
Partnership agreement
Trust instrument
For either a business or an individual, further verifying information might include:
Financial references
Information from a consumer reporting agency or public database
A financial statement
Nonetheless, every bank is required to verify its customers’ identity and make sure a person or business is real.
CDD — The Second Pillar of The Patriot Act
The second component, CDD, is more nuanced.
In conducting due diligence, banks aim to predict the types of transactions a customer will make.
This is done in order to be able to detect anomalous (or suspicious) behavior.
This also helps assign the customer a risk rating that will determine how much and how often the account is monitored.
Finally, it also helps identify customers whose risk is too great to do business with.
Banks may ask the customer for a lot more information. This can include the source of funds, the purpose of the account, occupation, financial statements, banking references, a description of business operations, and more. There is no standard procedure for conducting due diligence, which means banks are often left to their own devices.
In fact, the Patriot Act doesn’t even directly highlight a CDD requirement. On the contrary, it denotes that a bank is required to file a suspicious activity report if it suspects or has reason to suspect such activity. But without knowing about its clients, a bank won’t be able to meet this requirement — hence the CDD.
The Financial Crimes Enforcement Network (FinCEN) regulates and strictly enforces KYC. FinCEN also manages other regulators for banks. It also manages the Fed’s Board of Governors, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency of the U.S. Treasury. Other financial institutions can be regulated by the SEC, the U.S. Treasury, the IRS, or the National Credit Union Administration, among others.
As a result of due diligence, a bank might flag certain risk factors, such as frequent wire transfers, international transactions, and interactions with offshore financial centers. A “high-risk” account is then monitored more frequently. In such cases, the customer might be asked more often to explain their transactions or to provide other information periodically.
KYC requirements for banks in the Digital Age
Today, banks and their fintech counterparts go to great lengths to ensure compliance with KYC standards. As a result, more money is constantly poured into new KYC technologies, as a study by the CEB TowerGroup found. Currently, KYC solutions rank amongst the most valuable banking technologies, and more than 62 percent of executives are certain that KYC investments will grow even further in the future.
In the modern context of digital, border-free and contactless payments, AML and KYC cannot deny their beginnings. Many KYC procedures still derive from a time when financial services were stationary. Back then, the client had to be physically present in a banking branch to access them. Identity verification was a simple matter of seeing the client physically. This was usually followed with collating the paper documents and ID with official records. The client databases had to be updated manually.
Users supply bank account data, social security numbers, etc., to fulfil the KYC requirements for banks. They may also provide physical proofs of identity such as a valid passport and utility bills (water or electricity bills). Should the customer deliberately hand over false information, the reviewing company will have the case investigated, which may ultimately lead to legal action. Modern technologies help reduce the human factor: AML procedures today are more about lines of code on a server than types of seals on paper documents.
Yet, in many cases, banks and fintech businesses don’t settle for the state-of-the-art in regulatory tech. A KYC Market Report by CEB states that the systems by which banks identify their customers are often outdated. With general anti-money laundering technology, the situation gets even worse.
This is why banks and financial institutions are invited to rethink the KYC requirements for banks in light of modern software solutions and technologies like:
– Blockchain: Sharing of KYC-related data without intermediaries
– Artificial intelligence: Approval of documents via self-learning algorithms
– Biometrics: Identification through biometric features
– CDD and EDD by evaluation of social media activity
– Streaming: Voice and face identification via video chat
Regulatory technology (or RegTech) like this has the potential to make processes a lot faster, more accurate and more transparent with digital KYC.
Conclusion
In our current time of digital disruption, KYC and AML are in a constant state of change. The online market for financial services and products is growing, and so are the risks for customers engaging with them. The international banking and fintech scene keeps changing, and this will keep regulators occupied. Innovative technologies and flexible software give businesses an edge, allowing them to stay compliant and to adapt to new forms of cybercrime.
But within this period of change, one thing remains firm:
There will always be customers. And knowing what they are up to will always be a key factor for corporate success.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
“India needs a paradigm shift in personal data management” — so states the NITI Aayog draft on the DEPA architecture. With the introduction of the PDP Bill, the argument rightfully holds. We already have the blueprint, so isn’t it time we get started on the building itself? The DEPA was just a matter of time.
The DEPA framework is robust and unique to Indian data privacy laws. Anyone who goes through the proposal will agree that it overlaps with some areas which are not unique; these areas can be found in the data privacy frameworks of other nations as well. Let us take the two prominent ones as examples — Europe’s GDPR and California’s CCPA.
CCPA — Popularity Of Privacy In California
There is no single authority for oversight on data privacy in the U.S.
Instead, the country maintains a sectoral approach. It is dependent on a collective of sector-specific laws and state laws.
There are almost 20 industry- or sector-specific federal laws. On the state level, more than 100 privacy laws exist (in fact, there are 25 privacy-related laws in California alone).
The California Consumer Privacy Act (CCPA) provides citizens of California with 4 rights for power over personal data:
– right to notice
– right to access
– right to opt-in (or out) and
– right to equal services.
Any organization which gathers the personal data of California residents must adhere to CCPA.
Personal Data Classification in CCPA
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, the State recognizes a “broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information” that can be used to identify an individual. Examples of covered personal information include:
– Personally identifiable information (PII). This can be name, address, phone number, email address, social security number, driver’s license number, etc.
– Biometric information, such as DNA or fingerprints.
– Internet or similar electronic network-based activity information. This can be browsing history, search history, and information regarding a consumer’s Internet activity.
– Geolocation data.
– Audio, electronic, visual, thermal, olfactory, or similar data.
– Professional or employment-related information.
– Education information, defined as information not readily available to the public.
– Inferences drawn from any of the above examples that can create a profile about a consumer. Such a profile reflects the consumer’s preferences, characteristics and psychological trends, as well as predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
GDPR — The European Breakthrough In Privacy
GDPR is an EU regulation that has been designed to protect users’ personally identifiable information (PII). It also holds businesses to a higher standard in terms of how they collect, store, and use this data.
Similar to CCPA above, GDPR gives EU citizens control over their personal data. It also assists in changing the data privacy approach of global organizations.
Key Highlights
GDPR is applicable to all who process “personal data”. Most obviously, these are names, email addresses, and other types of PII.
It creates significant new responsibilities. Processing personal data makes you responsible and accountable for its security and use.
It has a global reach. Despite being an EU law, it applies to all, regardless of their location.
It doesn’t just apply to traditional businesses. The principles are concerned with what you do with other people’s data, not who you are or why you do it.
There are hefty fines for non-compliance. These can go up to €20 million ($24m) or 4% of global revenue, whichever is higher.
What are the common denominators?
The CCPA is about increasing transparency for California residents. It allows them to discover and change how their data is collected and transacted. Meanwhile, the GDPR is a binding regulation. It monitors data privacy across the E.U., replacing dozens of national privacy laws with a single framework. However, GDPR does have implications for businesses in the US, despite originating in Europe.
Side by side, here’s how they compare:
Both regulations arose to protect people in a world of increasing global interconnectivity, where international transfers of personal data are more frequent and elaborate. Regrettably, advances in technology have also resulted in data misuse scandals and sophisticated cyber attacks.
CCPA and GDPR apply to individual organizations in different ways. While there are some nuances in scope that distinguish both sets of legislation, they share similar goals.
How do the laws define personal information?
Personal information (CCPA) vs. personal data (GDPR)
CCPA deals with the collection and sale of personal information. GDPR on the other hand addresses personal data processing.
The CCPA defines personal information as any information that identifies, describes, relates to, or can be linked with a consumer or household. This includes PII as previously discussed.
Under the GDPR, personal data refers to any information that directly or indirectly identifies someone. While this doesn’t include household identifiers, any identifying personal data that is not anonymized falls under the GDPR. The CCPA, however, exempts specific categories of medical and personal information from its scope.
Contributions of CCPA & GDPR:
The two regulations overlap when it comes to some rights — so if you’re already compliant with GDPR, you’re well on your way to meeting CCPA requirements.
Here’s what the CCPA and GDPR have in common:
The right to know: Under the CCPA, businesses must disclose to consumers (upon request) the information that is collected, used, disclosed, and sold. Organizations under the GDPR must notify individuals at the time of collection and inform them of the purpose. They must also inform how long they’ll retain this data, and who it will be shared with.
The right to access: Individuals are entitled to access their personal data. They can request copies of their personal information verbally or in writing. Businesses have a month to respond to requests under the GDPR and — most of the time — can’t charge fees to deal with them.
The right to portability: Individuals protected by the CCPA and GDPR have the right to request their personal information in accessible, machine-readable formats such as CSV, XML, and JSON.
The right to erasure: Consumers have the right to request the deletion of any personal information that an organization has collected or stored, under a variety of circumstances.
DEPA — How Laws Like GDPR and CCPA Laid the Groundwork
The PDP Bill introduces the construct of consent managers. They are data fiduciaries registered with the DPA. They provide interoperable platforms that aggregate consent from a data principal. This is similar in many ways to the GDPR Data Controllers. As mentioned above, personal data identification is also similarly reflected by the CCPA. The assigning of key stakeholders is also the same here.
Data principals may provide their consent to these consent managers. The consent is for the purpose of sharing their information with various data fiduciaries. They may even withdraw their consent through these consent managers. This is a unique construct. This concept has been introduced to support the Data Empowerment and Protection Architecture (DEPA) for financial and telecom data. This currently powers the Account Aggregators licensed by the RBI.
DEPA — Building From The Data Privacy Blueprint
NITI Aayog has presented a draft policy highlighting DEPA. DEPA stands for Data Empowerment and Protection Architecture. It allows individuals to “seamlessly and securely access their data”, which can then be shared with third-party institutions.
The report looks into assisting organizations with sharing the personal data of an individual with one another. This can be done through the concept of “consent managers”. They will manage people’s consent for data sharing.
The policy constitutes this new data governance model in light of ‘individual empowerment’. This is done by enabling the seamless exchange of personal data among institutions. The process is secure and minimizes privacy harms.
This draft policy follows the myriad of other data-related policies in India. These include the Non-Personal Data Governance Framework and the National Digital Health Mission. NITI Aayog has stated that the policy will be publicly launched and operationalized in 2020 itself.
Features:
DEPA will give individuals control over their personal data. This will be done by implementing a regulatory, institutional, and technology design for secure data sharing.
DEPA is designed as an evolvable and agile framework for good data governance.
DEPA empowers people to seamlessly and securely access their data. It can be shared with third-party institutions.
The consent given under DEPA will be free, informed, specific, clear, and revocable.
Consent Managers: DEPA will involve the introduction of new stakeholders — User Consent Managers. They will ensure that individuals can provide consent for all data shared. These Consent Managers will also work to protect data rights.
Account Aggregators: The Reserve Bank of India (RBI) had earlier issued a Master Directive for creating Consent Managers in the financial sector. They are to be known as Account Aggregators (AAs). A non-profit collective or grouping of these stakeholders forms the DigiSahamati Foundation.
Open APIs: These enable the seamless and encrypted flow of data between data providers and data users through a consent manager.
Implementation: RBI, SEBI, IRDAI, PFRDA, and the Ministry of Finance are set to adopt and execute this model. This regulatory foundation will eventually evolve with the onset of new legislation (e.g., with the forthcoming Data Protection Authority envisaged under the Personal Data Protection Bill, 2019).
Background:
The regulatory direction on data privacy, protection, consent, and the new financial institutions required for DEPA’s application in the financial sector was provided through the following sequence of events:
– Supreme Court Judgement on the Fundamental Right to Privacy in 2017.
– Personal Data Protection Bill (PDP), 2019.
– Justice Srikrishna Committee Report, 2018.
– RBI Master Direction on NBFC-Account Aggregators, 2016 (for the financial sector).
Impact On Financial sector:
Individuals and Micro, Small and Medium Enterprises (MSMEs) can use their digital footprints with DEPA. They can also access affordable loans. Other amenities include insurance, savings, and better financial management products.
The framework is expected to become functional for the financial sector starting fall 2020.
It will help in greater financial inclusion and economic growth.
Flow-based lending: DEPA can provide portability and control of data. This could allow an MSME owner to digitally share proof of the business’ regular tax (GST) payments or receivables invoices easily. On the other hand, a bank could design and offer working capital loans. This can be based on the demonstrated ability to repay. (This is known as flow-based lending). This is suitable for offering bank loans backed by assets or collateral.
Conclusion
This is the beginning of a new, uniquely Indian journey on data empowerment and financial inclusion. An open and vibrant data democracy can be created, but only if we can enable a billion individuals to thrive in an increasingly digital economy.
The digital economy should comprise digital public goods. These should be designed to scale to meet the needs of a diverse population. Moreover, the technology standards constituting DEPA are open and publicly available. This also means that the technical and institutional architecture can also be applied to other countries. An institutional body could even be designed to help globalize this standard. This will help apply it to other nations facing similar challenges as appropriate.
Consumers’ personal data is used by companies to sell their products and services, but when this data is personal or private, discretion and safety are essential. In some US states, there are personal data regulations that keep an eye on companies processing and using consumers’ data. A good example of this is the California Consumer Privacy Act (CCPA). A relatively new law, CCPA came into effect on June 28, 2018, as part of the California Civil Code. It has been praised as a step in the right direction for data regulations by industry pundits, as it solidly defines how data can be protected and how its misuse will result in dire consequences.
But one of the questions that returned to the spotlight after its introduction was, ‘Why isn’t there a federal body like this to regulate data privacy all over the country?’ This is where the US can benefit from a step towards Unified Data Protection: a central regulation from the Federal Government that oversees and regulates all handling of consumer data. It would give consumers control over their personal data while unifying data privacy laws for all states in the US and simplifying regulations for international companies. A Unified Data Protection Regulation would have provisions covering the processing of US consumers’ data regardless of the location of the company.
Such a body will force the companies to disclose how the data is processed making the purpose, tenure, and sharing of data transparent to the consumer. The Government will impose heavy fines on companies that violate the regulations making the consent of the consumer irrevocably mandatory. This article focuses on how such a unified regulation would impact the different levels of banking and the types of banks in the US.
What Is The Current System Of Banking In The US And How Does It Handle Data Privacy?
Unlike most countries, banking in the US is regulated at state and federal levels, and depending on the class of the bank it is subject to state or federal regulations. The central banking system which regulates all other banks is called the Federal Reserve and was established in 1913.
Duties of the Federal Reserve include:
– Conduct the national monetary policy
– Regulate and supervise banking institutions
– Sustain the stability of the financial system
– Provide financial services to the U.S. government, depository institutions, and foreign official institutions
Banks in the US are regulated by the Federal Reserve and overseen by the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC). The banks are classified into:
National Banks: These include all federally chartered banks and have permission to operate in any part of the country. They are not subject to state laws, barring a few exceptions. Even though these banks fall under federal jurisdiction, they must also comply with state regulations where any exist, which makes this a burden for them.
Depending on the type of charter and structural organization, a bank may be subject to many federal and state regulations and is specifically supervised by the OCC. It is important to note that not all national banks possess nationwide operations as some of them have operations in only one city, county, or state. A common misconception is that the Federal Reserve is a national bank, but this is untrue as it is a system of institutions chartered by Congress for financial oversight.
Banks from other countries that have established a presence in the US are called International Banks. Even though they fall under the category of National Banks, it is worth treating them as a third category for easier understanding. Some of them have exceptions to the national status, and a few of them already follow protocols from other countries’ financial regulatory bodies. Many of these banks are European and already follow GDPR regulations even in the US, although sometimes these are not direct implementations.
State Banks: State banks are state-chartered and are permitted to operate within the state where they are chartered. They can acquire customers from other states, but they cannot open branches in other states unless they acquire the respective state’s charter or a national charter from the federal government. It is also mandatory for them not to have “National” or “Federal” in their names and nomenclature.
Is Data Privacy Safe in This System of Banking?
Information security and banking privacy in the US are not protected through a single law, which leaves privacy regulation sector-based. Thus regulations differ from state to state, and not all states possess sufficient research data or machinery for good regulation. This leads to risk and data breaches.
The Gramm-Leach-Bliley Act (GLB) regulates the collection, disclosure, and use of personal/non-public information by banks. The Federal Trade Commission (FTC), with guidelines from GLB, acts as the primary protector of banking privacy. It fines violators of state and federal banking privacy laws, and these violations are treated as civil offenses, in contrast to other countries where they are usually considered criminal offenses. Nonetheless, there are too many discrepancies and contradictions in these laws, which create loopholes and increase risk.
Cyber attacks cost an average of $18.3 million annually per company in 2019 making the total cost $164.6 million. This was through more than 1,473 cyberattacks over the year. The risk is clear from this data and a change for the better is inevitable.
How Has Unified Data Protection Been Implemented In Other Regions?
The most relevant implementation of a Unified Data Protection regulation is in the European Union: the General Data Protection Regulation (GDPR). It sets the guidelines for the collection and processing of personal data of consumers from the EU. GDPR instructs companies to give proper data disclosures to their consumers while not compromising any privacy and protection they are entitled to. For example, timely notification of any personal data breach to the consumer is mandatory, while making sure this information cannot be misused by any third parties.
GDPR succeeded the first Unified Data Protection initiative in Europe, Data Protection Directive 95/46/EC, which was created on 24 October 1995. Major banks in the EU encouraged it because it brought more security and credibility to the financial sector. But with advancing technology it became outdated by the late 2000s, forcing the EU to consider a new unified data protection framework for 4 years before sanctioning it on 14 April 2016. GDPR came into complete effect on 25 May 2018.
Even though GDPR is for consumers and companies in Europe it affects international entities too. Any company which uses the personal data of a consumer from the EU must follow the regulations which strictly include overseas companies. A bank from the US will have to reframe their process to comply with the regulation. This is important because international US banks already have to comply with data protection regulations rendering them more preferable for consumers.
Notable privileges prescribed for consumers:
Right to Access: Consumers have the right to access their personal data and information. They should be aware of how this personal data is processed and who will have access to it. Data must be treated as a resource that belongs to its respective owner, the consumer.
Right to Erasure/Be Forgotten: Consumers or customers have the right to request the erasure of personal data on any one of a number of prescribed grounds. GDPR attaches certain conditions to this, but it still leaves the option to be forgotten open to the customer.
Right to Object and Automated Decisions: This allows a consumer to object to the processing of personal information for non-service-related reasons, including marketing or sales. Data controllers must allow a consumer the right to stop controllers from processing their data at any time they prefer.
Notable guidelines to companies:
Data Controller and Processor: The processing of data involves two entities: a data controller and a data processor. A data controller is an entity (person, organization, etc.) that establishes the why and the how of processing data. A data processor is an entity that performs the data processing overseen by the controller.
Pseudonymization: Pseudonymisation is a required process that transforms stored personal data so that the resulting data cannot be attributed to a subject without the use of additional information. Examples include encryption, tokenization, etc. This keeps the consumer data usable while keeping it partially anonymous.
Notification: The data controller must notify the supervisory authority without delay, especially in cases of discrepancies and malpractices. In normal functioning, there is an exception if the breach is unlikely to compromise the rights and freedoms of the consumers.
Data Protection Officer: Companies must appoint a data protection officer to oversee the processes.
Penalties to Companies: Penalties will be charged to companies for not adhering to the regulations. A fine of up to €10 million or 2% of the company’s annual turnover is issued; this may go as high as the authority deems necessary under a set guideline.
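The pseudonymization guideline above hinges on the “additional information” being held apart from the data. The following added example (not code from the original article or from Signzy) shows tokenization with a separately held vault, plus a keyed-hash alternative; all records, keys and field names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample customer record; none of these values are real.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "balance": 2500.00,
}

# Fields that identify a natural person and must not sit in the clear
# next to the rest of the record (hypothetical field list).
IDENTIFYING_FIELDS = ("name", "email", "ssn")


class TokenVault:
    """Maps random tokens back to the original values.

    The vault is the 'additional information' of the GDPR definition:
    whoever holds the pseudonymized record but not the vault cannot
    re-identify anyone, so the vault must be stored and access-controlled
    separately from the analytics or processing copy of the data.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse an existing token so the same person links across records
        # without revealing who that person is.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def pseudonymize(record, vault, fields=IDENTIFYING_FIELDS):
    """Return a copy of record with identifying fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def reidentify(pseudo_record, vault, fields=IDENTIFYING_FIELDS):
    """Reverse pseudonymize(); only a holder of the vault can do this."""
    out = dict(pseudo_record)
    for field in fields:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def keyed_pseudonym(value, key):
    """Keyed-hash alternative that needs no vault.

    Here the secret key is the additional information. An unkeyed hash of
    an SSN or email is not adequate pseudonymization, because those input
    spaces are small enough to enumerate and match.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    pseudo = pseudonymize(SAMPLE_RECORD, vault)
    print("processing copy:", pseudo)
    print("re-identified with vault:", reidentify(pseudo, vault))
    print("keyed pseudonym:", keyed_pseudonym("jane@example.com", b"constructed-key"))
```

Storing the vault (or the HMAC key) on the same host and under the same access rights as the pseudonymized data defeats the purpose, since a single breach then yields both.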
How Will Unified Data Protection Affect The US Banking Sector?
The US is a considerably volatile environment for financial data privacy. 71% of all data breaches in the country are financially motivated, which means that almost every 3 in 4 data breaches in the US is in the financial sector. The FBI reported that the amount lost to financial scammers is nearly $1 billion per year, and the primary reason for this is the easy access scammers have to private data. Banks do not commercialize and misuse personal data like IT giants do, but they do overuse it at times. There have been instances where financial institutions sold consumer data to third parties. Such practices need to be stopped, or at the least regulated.
In 2018 more than 67% of financial institutions reported increased cyber attacks. It was also noted that these cyber attacks are 300 times more likely to hit the banking sector than others. 65% of the top-ranked 100 banks failed web security testing in 2017. This was reported by Carbon Black; Markets Insider, Independent, and IBS Intelligence.
A Unified Data Protection Regulation will bring more clarity to the industry and other regulatory bodies will get defined guidelines and protocols. Banks will have a better understanding of consumer databases while maintaining privacy. Overall, the Unified Data Protection Regulation will have a major impact on the financial sector. Let’s look at how it will affect the three different tiers of the 5,177 banks and savings institutions in the country.
How Will It Affect State Chartered Banks?
Relatively speaking, state banks will have to adapt more to the new mechanics. This is especially true for banks in states with undefined regulations, as they will need additional machinery and manpower. They will also have to dive deeper into banking automation and advanced technology, which prima facie makes this seem cumbersome. But in the long run, this will help the bank thrive in an advancing industry and, more importantly, will give the consumer immeasurable authority over her personal data. That is the primary objective of Unified Data Protection.
The overall functioning level of state banks will upgrade with an exceptional increase in the standard of services. This includes more user-friendly online services, on-time notifications, and reduced delays.
A study shows 5,400 banks in the U.S. competing to sustain customer satisfaction. They need to attract new deposits. Local banks must exhibit their advantages in the fields of accessibility, customer service, and financial advice. To an extent, this would level the playing field.
How Will It Affect Federally Chartered Banks (National Banks)?
The capital to be spent on implementation for National Banks will be high, but in the long term it will help them establish an international standard in banking. It would make it easier for them to attain international bank status, and branching out to Europe will be much easier as they will face fewer regulatory novelties under GDPR.
The biggest relief for National Banks is that they do not have to satisfy multiple regulatory bodies. JPMorgan Chase had reported the extra work going into adjusting data privacy regulation depending on each state. This is reduced with the introduction of a federal system.
How Will It Affect International Banks?
Most International Banks operating in the USA have a considerable presence in Europe, and many of them are already following GDPR protocols. A similar system in the US would benefit them. As they have the largest number of customers, they will contribute the most to changing the financial landscape. International data breaches are the most likely to occur, and data protection at this level will reduce that risk. Even more dangerous aspects like money laundering and terrorist funding can be limited with such steps.
Banks will be aware of consumer information and will process it with better care as they are not allowed to provide data to third parties. This will give privacy to the consumer while maintaining a keen eye for malpractices. This is essential as the international economy is a sandbox for financial scams and regulations will reduce this.
Banks like HSBC and Deutsche Bank will have a more even battleground while competing with other National banks as they are already under the scrutiny of other international bodies of regulation. With a unified regulatory body, all banks will have to stick to the same rules and compete on the same track. This will benefit the consumer with better options and opportunities.
What Are The Boons And Banes That Follow?
Significant advantages of Unified Data Privacy include:
Improved Cybersecurity: It will directly impact data privacy, and security improvements encourage banks to develop better security measures, reducing risk.
Standardization of Data Protection: Compliance will be assessed by state-wise agencies, cementing the credibility of each bank as they must all stick to the same rule book.
Sustainable Reputation: Banks will have a better reputation, since a single breach can bring down a financial Goliath. Regulations will render safety not just for the customer, but for the bank too.
Enhanced Trust: It will encourage consumers to genuinely share their data with the bank. Being aware of how safely their data will be handled gives them a sense of satisfaction at being in control.
Loyal Customers: The trust built fuels customers’ loyalty, making them prefer the banks that provide the best service. Sustained credibility enhances loyalty.
Significant concerns may include:
Non-Compliance Penalties: Severe penalties are imposed on non-compliant participants because, without strong consequences, compliance will not be effective. Sometimes the magnitude of fines can be overwhelming, but this is an avoidable liability for the banks. A good example of this is the fines imposed under GDPR for non-compliance: Google was fined €50 million for breach of GDPR protocols by the French regulator CNIL.
The Cost of Compliance: The capital and machinery required for implementation will be considerable for banks, especially for small banks. Though the long-term benefits outweigh this, it is still a concern.
Overregulation: If not properly implemented, it will backfire. Overregulation will add more complications to the banking process, as too many formalities will tire the consumer and the bank. Delays could also occur due to the extra steps added for regulation. All of this is avoided with apt regulatory sanctions; nonetheless, it is difficult to define them.
Conclusion
There is no doubt that data has become a resource and that companies are selling their customers’ data for profit. In such times it is necessary to keep personal data secure. In this perspective, the banking sector is to data what the judiciary is to governance: something that can never be tainted or compromised.
Banks contain a plethora of sensitive information and strict regulation on this is inevitable and precedent. As we are moving towards a global economy, it is only sensible to unify scattered sectors. The innovators in the financial sector should always keep in mind that all the short term discomforts will breed greater benefits for the industry and consumers.
Unified Data Protection regulations will enhance the safety of the consumers’ data. It will build the trust people are losing in companies and their handling of personal data. But furthermore, the significant aspect is that Unified Data Protection is merely the embracing of the coming. We are accelerating our advancements to the future where there is no doubt it holds multitudes of data resources. We are simply trying to protect that future with such strides.