Blog

Full KYC Compliance Deadline, Interoperability, a Min 5 Crore Net Value and More — All You Need to Know About RBI’s New PPI Guidelines

The RBI has recently released a revised set of directions in the PPI regulator framework. In its 20-point notification, RBI has asked all the PPIs (Prepaid Payment Instruments) to improve how they operate. With the latest regulations, in effect already, RBI will treat PPIs more or less like banks subjecting them to full compliance in the provisions like Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT), and more.

In this article, we’ll look at the most significant changes that the RBI has introduced to the PPI framework.

But before that, we’ll see how the world has fought money laundering with a powerful tool called “KYC” because the biggest change that the updated RBI regulations bring to the PPI players is a mandatory full KYC.

Fighting money laundering with KYC

The UN General Assembly declaration in 1990 (precursor to the PMLA) — which was the first constructive global step against money laundering — focused on prevention of financing to illicit drug trade. Today the objective of the legislation is to stop money earned through illegal means from coming into traditional financial system and getting converted into legitimate money. Also, the same being used to fund such illegal activities including terrorism.

In pursuance of this noble objective, regulators have defined a KYC regime for financial institutions to follow. The Financial Action Task Force (FATF) is an intergovernmental body which recommends to countries regulatory regime for prevention of money laundering. Very recently FATF has defined a more risk based approach to counter money laundering.

One of the most important functions of financial regulators is to manage the risk within the financial system. This function manifests into a massive regulatory regime of KYC, which quite literally means know your customer and in essence know if he is a fraud, a money launderer or a terrorist.

Adopting KYCs as an AML measure in India

With a view to curb money laundering, terrorist financing, and fraudulent activities, RBI introduced KYC norms for banking institutions in 2002. These norms directed banking authorities to carry out tests and audits and freeze any accounts with suspicious activities (transactions).

RBI has always stressed on strict compliance of these guidelines and several big banks like Bank of Maharashtra, Dena Bank and the Oriental Bank of Commerce faced heavy penalties (1.5 crore each) for violation and non-compliance of certain KYC regulations and Anti Money Laundering (AML) norms.

Until now, October 2017, the RBI’s KYC guidelines were only applicable to banks. However, the latest regulation brings PPI players into its ambit.

A quick note about PPIs

In 2009, RBI paved the way for a new payment instrument which would not require the two factor authentication for small payments and will help in easier acceptance of payments by merchants. These pre-paid instrument (“PPI”) could be recharged with money and then used upto the recharged amount.

The initial PPI had allowed PPI to be issued for upto Rs. 1000 by accepting any customer identity document and upto Rs. 5000 by accepting an Officially Valid Document (OVD). This went through a transformation and in 2014 was relaxed by allowing PPI upto Rs. 10,000/- (total usage in a month) by accepting “minimum details of the customer”. Which transformed the PPI industry into what it is today and led to opening of wallets through mobiles and emails. Somehow though this was a boon for the industry, it did not go down well with the regulator.

In October 2016, an RBI senior official Nanda Dave stated that PPIs have been very lax in following KYC norms: “The customer is being identified by his or her mobile number, period. And such wallets have been used for routing money which has been fraudulently taken from bank accounts,” said Dave. “When we have no details of customers with us, it is very difficult to even trace where that money has gone,” she said.

The framework for regulation, authorisation, and supervision of the PPIs are governed by RBI’s “Issuance and Operation of PPIs”. These were issued in April 2009 and thereafter amended from time to time.

Since regulations on PPIs have been very light with low entry barriers, it was necessary for RBI to impose stiff and stringent norms on them.

To address the same, RBI released a Draft Circular called the “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India” in March last year. The circular was issued following the growing usage of PPIs for buying goods/services and for transferring money. In the circular, RBI recognized requests from stakeholders for relaxations in certain areas and also considered aspects that would strengthen the security and safety norms, mitigate risk, and protect customers using PPIs.

RBI took inputs from the different stakeholders on the provisions of the circular, following which, in a major step forward in this direction, RBI passed fresh rules for all prepaid payment licence and wallet companies. These include improved standards for safety, security, and flexibility of online transactions, interoperability of PPIs (and banks), full KYC, and more.

Let’s now take a look at a brief summary of these regulations.

The Updated Regulation Summary

  • Mandatory full KYC: As per the new directions, PPIs have to become full KYC compliant within 12 months. “The amount loaded in such PPIs during any month shall not exceed Rs 10,000 and the total amount loaded during the financial year shall not exceed Rs 100,000,” RBI said. If the compliance is not made further credit will be disallowed.
  • Interoperability: Interoperability can be enabled in only Full KYC (banking and non-banking) PPIs. This time-consuming process will be applied in phases with the first phase (spanning across the first 6 months) bringing interoperability between wallets, and the subsequent phases working on the interoperability between wallets and bank accounts, followed by the enabling of interoperability in PPI cards.
  • New capital requirements of Rs 15 crore for non-banks: For non-banking PPIs, new capital requirement is of Rs 15 crore (5 crore at the time of application and 15 crores within the next 3 financial years).
  • Cross border inward and outward remittances: Fully KYC complaint Wallets will now be able to undertake cross-border inward remittances. However, transaction limit can’t exceed Rs 5000 per cross-border transaction and the maximum wallet limit shouldn’t exceed Rs 50,000.
  • PPI issuers need to maintain records of transactions: PPI Issuers to maintain a record of all the transactions undertaken using the PPIs issued by them. They should also file Suspicious Transaction Report (STR) to Financial Intelligence Unit — India (FIU-IND).

Along with the new guidelines, RBI has also released a new Security Framework for PPI Issuers to prevent fraudulent activities and ensure user security.

The Newly Introduced Security Framework for PPI Issuers

  • Separate login for the PPI account: PPI issuers should maintain a separate login for PPI accounts and it should not be used to access any other services offered by the PPI Issuer or its associate/parent/group company etc.
  • Timeout features: PPI issuers should prevent invalid sign-in attempts and add inactivity timeout features.
  • Capping: PPI issuers should implement customer-enforced transaction caps on their users’ wallet transactions. The users should however be allowed to increase/exceed the caps with additional authentication and validation.
  • Cooling period for funds transfer: While opening an account/ loading funds/ adding a beneficiary, PPI issuers should place a cooling period for transfer of funds to prevent the fraudulent use of PPIs.
  • Other mechanisms: Issuers should place internal and external escalation mechanisms to prevent suspicious operations, loading and reloading of funds into the PPI and also alert the customer in case of such transactions.
  • Reporting frauds: PPI issuers should report frauds on a monthly/quarterly basis to the concerned Regional Office as per the directions. They should also monitor, handle, and follow-up on cyber security incidents and breaches immediately with the concerned authorities.

These updated regulations have raised a number of challenges for the wallet companies. Here’s a quick look into the most challenging aspects of the new norms.

The Key Challenges Wallet Companies Face Because of the New Norms

1. Full KYC compliance within 60 days

Complete KYC compliance will increase acquisition costs for wallet companies as it introduces tons of documentations and the paperwork. Cost of KYC per customer is estimated at nearly 150–200 Rs per customer by the industry.

2. Mobile wallet companies are required to have a minimum net worth of Rs 5 crore, hence will need fresh funding.

As per earlier guidelines, a minimum net worth of Rs 2 crore was required for mobile wallets. This net worth is now raised to Rs 5 crore at the time of application and Rs 15 Cr within 3 financial years after getting the authorization. This means, smaller wallet companies will need fundings to comply with the directions of RBI.

3. A one-year validity of the wallets. Also, auto-closing of wallets with zero balance.

Users’ wallets will be closed automatically if they continue to have zero balance for a year. A notice, however, will be issued to all such users before closure of their wallets.

“There are a large number of inactive wallets with no money in them,” said Gupta. “By enforcing this rule, RBI is all set to weed out those numbers and bring out actual figures around how many wallets are there in the system.

4. Implementing interoperability.

At present interoperability is limited to only UPI-based banks. However, with the new requirement of interoperability, PPIs will have to deal with a lot of technical and operational requirements of safety, security, and risk mitigation. The implementation is very complicated.

How the industry is gearing up to comply with the new PPI Guidelines

From the reactions that are coming in from the different payment players, it’s clear that they’ve already begun working on their KYC.

Bhavik Vasa, chief growth officer, EbixCash says:

“ Interoperability with KYC is a great leveller and catalyst towards Collaborative Innovation for the ecosystem. We commend the RBI for its proactive stride and look forward to ongoing progressive regulations also for micro-payments use-cases with minimum or risk-based compliances. Especially if we need to transition to less-cash the digital alternatives need to be as seamless, frictionless and at par with other sectors like gold purchases which are completely anonymous up to Rs. 2 Lacs. Additionally the Finance Ministry and RBI have commissioned noteworthy committees like the Watal Committee on Digital Payments and Ramadorai Panel on Household Finance with apt findings and recommendations that as they get incorporated into regulations would fast forward in achieving the India FinTech potential.”

MobiKwik, another popular digital payments company, is also planning to increase its agent strength for the same and also trying for Aadhaar-based KYC through a one-time password.

We have set a target of achieving 20 million full KYC wallets within the next one year and we are expecting an expenditure of around Rs 50 per customer,“ said Bipin Preet Singh, founder of MobiKwik wallet. “Though we have 65 million users, KYC formalities cannot be done with all of them.”

Oxigen Services, will give incentives to it’s retailers to look after the KYC process of the customers.

The long-term approach payment wallets must take (as RBI expects bank-level preparedness from them when dealing with money laundering)

Bringing at Par with Banks

The updated KYC norms for PPIs have made their KYC regime at par with banks. Therefore, there needs to be greater focus on compliance and audit. This move by RBI also indicates that wallet companies will now face KYC and AML audits like banks and may have to face heavy fines and penalties in case of non-compliance, thus necessitating more investment toward customer KYC.

The current wallet onboarding only includes email and mobile number verification. This will now have to upgrade to systems that can capture KYC documentation and data. Not only that, it will also need to have a risk and compliance check inbuilt for AML/CFT risk of the customer as well as a backend operations team to process these applications. The cost of customer onboarding for wallets will also raise as a result of this full KYC process.

The way forward for wallet providers is to find and use modern KYC solutions that will not only help them overcome this challenge but also ensure that they are able to scale operations without incurring heavy costs. Failing to do so would mean even these wallets will face the same challenges as banks face when scaling their KYC operations.

Investing in security and laundering protocols

In the long run, wallet companies, too, should aim for the same degree of security that banks offer. This includes:

Performing due diligence. Due diligence should be performed on the initiator and recipient who make/receive payments to ensure compliance of transactions with the anti-money laundering (AML) and counter-terrorism financing checks. Frequent screening that identifies accounts with unauthorised and unusual transactions should also be conducted and such accounts should be freezed.

Implementing transaction monitoring. To view transaction patterns of the customer base, machine learning models should be used. With the help of such AI, shady transactions can be detected. Moreover, transaction monitoring should be combined with AML and KYC screening to alert against suspicious financial activities of the customers. Transaction profiles should be maintained with all the account details of the customers such as cash deposits, withdrawals, transfers and payments.

User and data security- Multiple authentication factors such as passwords, OTPs, and biometric should be used to protect the users against security breaches. A mix of authentication factors goes a long way in providing an extra layer of security that helps prevent fraud instances. Read our in-depth article on how financial institutions can design safe authentication processes using the different authentication factors.

How the end-user can use wallet apps responsibly

Wallet apps have become a mainstream payment method as they offer convenience and value (by offering several coupons, membership cards, event passes, loyalty points, cashback and more) Customers can indeed save a lot of time and resources by using these wallet apps. However, instead of signing up for 10s of e-wallets with nil balances in each, users must use just one or two that support maximum apps/payments and keep them active. Also, the money transfer feature these wallets offer must also be used responsibly.

Wrapping it up…

Thanks to the growing government initiatives to push toward a cashless economy and the acceptance from the masses, the PPI space has grown exponentially in India. So there’s no doubt we need better regulation over PPIs. This update in the regulation — however strict it may seem — is needed, because even PPIs wouldn’t want their users to engage in money laundering or terror funding activities.

By bringing the PPI market tightly under the ambit of the more serious financial regulations, RBI has taken a big step toward a safer, cashless economy. So while the updated PPI norms do challenge several smaller companies in the short term, they will pave way for a safer, more user-friendly wallet experience eventually. Also, the security framework laid out by RBI is a big step toward ensuring the security of crores of Indians who are now actively opening up to the possibilities of a cashless economy.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Security in a digital world — Passwords, Biometrics and OTPs (and why secrets are core to safety)

Bashing passwords as vulnerable means of online security is quite common these days. Sure — authentication means like biometrics, OTP, mobile, etc., do sound fancy and are touted as cornerstones in future security practices. But fundamentally there is nothing wrong with a password paradigm. Infact, it’s the weakness of individual passwords that leads to a security risk.

In this article, we are going to give you a background to passwords, their philosophical underpinning, and also evaluate the other possible options we have.

Passwords have a long history. They are used to access private accounts, applications, documents, databases, websites and more since long. Even the treasure den in the fabled tale of Ali Baba and the Forty Thieves had a password! The other way to access such secrets was through some body tattoo or possession of a unique seal.

Interestingly, these three ancient methods of verification still do represent the fundamental principles of modern authentication practices:

  1. What you know — Passwords/PIN
  2. What you have — Seal/OTP/Credit Card/Tokens
  3. Who you are — Biometrics/Body tattoos

The combination of these three factors (3FA) is seen to represent an authentication framework for accessing information or doing risky transactions. Take an example of a Credit Card swipe. The card represents “what you have” and the pin represents “what you know”. Combining the two provides greater security than any one method alone. When any two of these are used, it’s called two-factor authentication. More factors imply higher security.

What is often not discussed is which factors are safer in which contexts. Given we are moving into rapid digitization it might be important to discuss the three factors, their types and when should they be used.

Let us trace this movement from password based to other factors and see what maybe a good framework to keep consumers and systems safe.

How passwords work

Passwords are stored in a system as hashes.

A hash is a one-way pseudo-random function, which means that it can produce a random text from a password.

But the random text can’t reproduce the original password.

Let’s take an example of SHA-2 Hash algorithm.When we feed it a password, say “ankit8388”, it produces a random text like “96c32e63d785c77d8de8089523a346210d2299a25c349c518dc8bf0181ff911b”. This hash is now stored in the database and with it the website can authenticate me without ever storing my original password.

(Even when the database is hacked, my password doesn’t get leaked because the original data is never saved in a database.)

How hackers hack passwords

To hack passwords, hackers create pre-created hash tables for all possible password combinations.

For the “ankit8388” password, a hash table of small letters and numbers of length 9 would be able to find a match.

This means the hacker will need to process all the possible permutations and combinations of small letters (26) and numbers (10) for 9 places. In mathematical terms this would be (10+26)⁹ combinations. This is a highly intensive task and a single computer might still take 50 years to do this.

But hackers work together and pool resources, which means 50 hackers with their computers can create such a table in less than a year.

Further, it’s possible that they will find a match at a half-way stage or within 6 months.

The point is this:

A password becomes unsafe when it’s too short and simple to guess or crack.

Alternatively, if a user sets a complex, multi-character long password, there’s a risk the user will keep it noted somewhere (and this note might reach unsafe hands and cause a vulnerability).

So passwords (either too simple or too complex) can be unsafe in their own ways. That said, the other authentication means available, too, aren’t foolproof. Lets get a bit more understanding on other authentication methods.

Why biometrics and OTPs can’t be the foolproof solutions of the future

The two emerging contenders for future digital authentication are biometrics and OTPs.

Biometrics, along with a password, would indeed enhance security by providing a two-factor authentication. But when used alone, it’s not the best bet for the future because it comes with three big problems:

  1. Unlike passwords, biometric data cannot be stored as a hash. This means that the web application will need to store your biometric data as is. This is a very risky proposition as, in case of a hack, your actual biometric data (or its mathematical representation, in some cases) is revealed. In one of the biggest data breaches in the US, 5.6 million fingerprints of government employees got hacked from the the U.S. POM (Office of Personnel and Management), which gave the hackers access to raw biometric data.
  2. In case biometric data is ever compromised, there is no resetting like a password. This means, you would forever be prevented from using your biometric authentication during your lifetime.
  3. Biometric systems are extremely susceptible to spoofing. In spoofing, a stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user. In 2013, Jan Krissler, a famous German hacker spoofed Apple’s Touch ID (iPhone 5S) on the other day of it’s release. He used the smudge on the screen of an iPhone to print a dummy finger using wood glue and sprayable graphene. He then used this print to successfully unlock a phone registered to someone else’s thumb. The same hacker then used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defence, to beat fingerprint authentication technology.

OTP, as an alternate authentication means, has its own set of risks:

An OTP is a one time password consisting of characters, numbers or symbols that’s used to authenticate a user for a single login session. And it becomes invalid after a few seconds.

Take an example of a credit card swipe as I’ve explained earlier. (The card represents “what you have” and the pin represents “what you know”). When you swipe the card you get a code ( an OTP) and you aren’t authenticated until you enter the code and are verified.

So, here two authentication methods are being used for authentication (two factor authentication) which ensures more security. But still they can’t be considered as the best security solution.

  1. The biggest challenge to the OTP authentication factor comes from trojan software.

Hackers show their victims a browser pop-up box or ad that looks like an authentic message from the bank and prompts the user to download a “security application” or a “mobile banking application” on their phones.

Once a user downloads such fake applications, hackers can easily intercept their SMSes. Which allows the hackers to read the OTPs sent on the mobiles.

Security expert, Brian Krebs, tells how an Android botnet targeting banks in the Middle East could infect more than 2,700 phones and intercept at least 28,000 text messages:

This attack affected customers from various banks including the ones from the Riyad Bank, SAAB, AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

 

2. SIM swap/cloning: By procuring a duplicate SIM card in a user’s name, hackers can use it to receive communication from the banks (including the OTPs).

3. Social engineering: Hackers also call users claiming to be from the bank. And during the call, they ask for the OTP. Unsuspecting users are usually easy victims to such attacks.

4. SS7 Attacks: Using flaws in Signaling System 7 (SS7) hackers can listen to private phone calls and read text messages of the users. According to a report from German-language newspapers Süddeutsche Zeitung, in a cyber attack in Germany hackers intercepted OTP’s using SS7 flaws and stole customer’s money from their accounts.

As you just saw, all the three authentication factors — passwords, biometrics, and OTPs — have their set of risks. However, passwords stand out because users can exponentially strengthen their passwords (while also keeping them easy to remember). So let’s re-examine passwords and see how we can improve them, and then explore the Password 2.0 approach.

How passwords can be made more secure

As we discussed earlier hackers have been able to pool resources and pre-create hash tables hence making guessing of simple passwords really easy. Then what could be the way to make their life hard? Increase the combinations, of course. And the usual way of doing it has been to increase possible inputs:

  • Alphabet (Small letters and caps) — 52
  • Numbers — 10
  • Special characters — 33

So this gives a total combination of 95 characters. Cracking this is so hard that it would take the same hacker group over 6000 years to hack password in the same way. And at that point, I obviously don’t care (unless AI leads to afterlife; another topic for another blog :))

Therefore, from a security guy’s point of view, all these rules of having multiple combinations is really helpful because it keeps you safe. But at the time of signing up or using a service, this becomes a huge pain and a turn off. Also, it’s an eventual security risk as people keep forgetting such tough passwords and hence often note it down in insecure places, such as desktop files or random pieces of paper.

Introducing Password 2.0 — the Paraphrasing Approach (the security and user-friendly password solution)

Now, there is another way to do this, which seemed to have been neglected until now: the length of the password. I could have achieved a similar tough password by simply having 4 more characters, i.e., a 13-letter-long password, without any restriction on small letters, caps, numbers, special characters, etc.

This new paradigm is what I call Password 2.0: the passphrase approach. It’s easy to remember a passphrase, such as “thisisacoolpassphraseforthiswebsite”. Such passphrases can provide a better user experience at the time of signing up and also during authentication.

Also, at its length (35 characters), hash tables will be almost impossible to compute. Thus we can build passwords that are convenient yet secure.

Why passwords are crucial

One principle that has to be accepted in a security paradigm is — you will get hacked. This principle is important to remember when choosing one or a combination of the three authentication factors (passwords, biometric or an OTP).

The property of biometrics in this context is really risky. As biometrics can never be changed, once hacked they become vulnerable for that person for their lifetime. So in a biometric auth world, over time more and more people would get vulnerable. Thus you would inevitably reach a stage where, for a certain population, biometric will not be a valid authentication mechanism.

Mobile phones, or number can also not be changed very frequently or easily and hence make changing of the auth factor difficult.

Unlike biometrics and mobile numbers (or handsets), passwords can be changed if they get hacked. That too quite easily. Hence they have no permanent vulnerability. Another great property they have is the ability to protect the actual password at each authentication. This paradigm is akin to knowing a secret that you will never reveal but are able to prove you know it.

So while biometric and OTP authentication breaches leave their users vulnerable (for life), passwords breaches always give the users a way to “reset”. Because of their simplicity and cryptographic beauty, passwords will continue to dominate as the higher security layer. And when you add an additional layer of authentication to a password (like biometric or an OTP), you can probably design a more secure system. (In a further article we will go through the best combination given a business use-case)

The password 2.0 approach — of creating complex but easy-to-remember “secret-style” passwords — can be a useful tool in such a scenario where the password is a mainstay in the security authentication mix. So, start thinking of a secure passphrase because in a modern digital world, “a strong secret” will be worth more than any other assets you own.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Indian Supreme Court Judgement and the Re-birth of Privacy

In a recent judgement, a nine-judge Supreme Court Bench unanimously ruled that individual privacy is a fundamental right. The court noted that the “Right to Privacy is an integral part of Right to Life and Personal Liberty guaranteed in Article 21 of the Constitution.” The right to privacy verdict, although primarily passed on a petition filed about the Aadhar Card scheme, will impact every company that collects and handles user data.

In its 547-page judgment, the Supreme Court touched upon the different aspects of informational privacy — and explained how collecting data could threaten an individual’s privacy.

This Supreme Court ruling is a check: For both the government (against which the case was mainly fought) as well as the non-state actors or private companies because it doesn’t just oppose any privacy invasive practices employed by the government but also applies to private companies that collect user data.

In this article we will give a short description of court’s view on what is private and their concerns in a digital world. Then we will look at the new rulings impact on the financial sector with a 7-point framework. We will be looking at areas like cross-selling, credit history, SMS scraping, Aadhar KYC, Payments, Banking Agents, Social behavioral data among others. Now lets start with the basics.

Defining what is “personal and confidential”

The information must be “personal and confidential” to be protected by right to privacy. One of the points raised by the opposing counsel during the trial was that privacy was vague and ill-defined. The judges patiently tried defining what is “private” data, to carve out the scope of law.

For example, the Court pointed out that data about electricity consumption pattern of a person is NOT personal or confidential, and couldn’t be protected as “private information”. That said, the Court also cited a UK judgement that stated the storing of the biometric data indefinitely of individuals no longer suspect of criminal activities would be an invasion of privacy. Clearly, a person’s biometric data is both “personal and confidential”.

The Supreme Court used an infographic (from Bert-Jaap Koops et al., “A Typology of Privacy”) in its judgement to depict the nature of data and its classification. This is extremely rare and hence also shows how judges understood the importance of the judgement and that it would be read by people who might need simpler language and symbols to understand the implications:

 

Privacy in the Digital World

While the court had a broader mandate and covered privacy from all aspects,they did cover digital privacy in detail. At some level they felt the real challenge to privacy is coming from this rapid transformation of processes from offline to digital. They also gave an intriguing example of a travel agent, which illustrates this point well:

“The old-fashioned travel agent has been rendered redundant by web portals which provide everything from restaurants to rest houses, airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons people access the internet each day of their lives. Yet every transaction of an individual user and every site that she visits, leaves electronic tracks generally without her knowledge. These electronic tracks contain powerful means of information which provide knowledge of the sort of person that the user is and her interests. Individually, these information silos may seem inconsequential. In aggregation, they disclose the nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation. In aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.”

Expressing privacy concerns about how tracking happens in the digital world, the Court hinted at the possibility of scrutinizing activities carried on by companies like reading/analyzing/tracking emails, messages, other social behaviour.

Further the court stressed upon properties of the digital world that make it difficult to detect privacy invasion and hence heighten privacy concerns:

  • Non-rivalrous — simultaneous use by multiple users
  • Invisible — invasions of data privacy are difficult to detect — and it travels at speed of light making it further difficult to trace any breach of privacy. Data can be accessed, stored and transmitted without notice
  • Recombinant — data collected can be used, analysed and combined to create more data output which is unseen earlier

Expanding on these principles the order stated that owing to the nature of digital data, it becomes possible to combine data from social profiles and IoT devices to create information about the individual which did not exist. Secondly, while collecting the behaviour of one person it could also be possible to gather information about other individuals around him. The Court noted that these concerns are from both State and Private entities as both use Big Data to analyse data about individuals which is a concern to privacy.

Easily one of the most tech-savvy orders ever, this Supreme Court judgement took into account various technical intricacies of the digital world and cited specific instances:

  • Cookies used for tagging IP
  • Browsing information to create profiles using algorithms
  • Automated content analysis of emails for targeted marketing
  • Online purchases like books, airlines, book taxi etc. and their history for user behaviour and doing income analysis
  • Metadata and IoT — used to collect information about a person’s behaviour

It is refreshing to see such technical detail quoted in the judgement.

The court also gave details on what can be the future of digital privacy and principles of the new law. We have tried to summarize it below in a simple framework. But for any legal geeks out there we have also created another article which details out laws examined by the court and their approach in reaching to this conclusion.

A 7-point framework to guide companies’ data policies (based on the privacy case judgement)

We’ve analyzed the judgement in extensive detail and have come up with a simple 7-point framework that shows the key points that organizations need to think about when framing their data policies :

Personal vs Private: Every data that is personal is not necessarily private. A user’s name, for example. Because a person’s name is used in public communication, name can be considered to be non-private personal information. Also any information that is anonymized is neither personal or private and exempt from purview of the law.

Explicit Consent in plain words: User’s consent has to be taken explicitly and cannot be hidden inside lengthy terms of service or agreements.

Consent alone is insufficient: Court has also opined that in certain situations, even a consent based mechanism may not be able to protect the customer and hence encroachment of privacy shouldn’t be a preferred option.

Necessity: This is a simple principle which asks the question if collecting it is really necessary to invade privacy to achieve the outcome.

Proportionate benefit or risk: Whenever it is necessary it should be weighed against proportionate benefits and risks. Privacy should not be encroached unless there is some proportionate good possible or some bad that is preventable.

Right to Forget: Eventually the user should have the right to revoke access to his/her data

Access and Correction: The ownership of data is with the individual whose private data is collected. Therefore he has a right to access and correct the data or delete as given above.

Note: We hope this will help businesses make sound and compliant judgement around their data, but do take professional help to make sure you are fully compliant.

Few instances of impact in the financial world

The right to privacy might initiate changes in current processes and hence some of the current and emerging areas may need a relook:

Credit History under Credit Information Act

  • Collection of credit data: Collection of credit data by the creditor is completely ok as it is consent-driven private data between the two parties.
  • Exchange of credit data: Banks report credit data to licensed agencies. These agencies then exchange this data with other banks as requested by the bank. This might require clear exceptions made in the privacy act or a re-look into how credit reports are requested, what kind of information can be shared and what is to be hidden.
  • Access and control over credit history: Currently consumers cannot easily request credit history to be forgotten or edited. Going further there would need to be an option to have greater control and access of one’s own credit history.

Pulling data of a customer from KRA by Mutual Fund and AMCs

  • Collection of data: Currently the agency that collects the data and the one that stores the data are different. Clear consent and declarations hence maybe needed.
  • Current practice of data pull from PAN, without an appropriate consent layer may also need a relook.

Account Details

  • Login based scraping: Account username and password definitely fall into the domain of private data. And the reason in many cases is convenience, as it might be more difficult for the user to submit a copy of bank statement himself. Thus this encroachment may not meet the principle of necessity or proportionate benefit.
  • Account Aggregator: The new RBI guidelines provide for a consent layer and a lot of regulation around security of such data. The data does not remain with the aggregator post-completion of the purpose and therefore the guidelines seemed to have given protection to privacy and may not be greatly affected by the judgment.

Mobile data collection during application download

Following are few of affected the categories and let’s go through them one by one:

  • Malware or Security risk: The data collected to assess malware risk may not fall within privacy parameter. Specially if it can be anonymized enough to be unlinked to the individual himself. But current assessment tools and processes might need to ensure they follow this principle.
  • SMS reading: This is being seen as a new innovative way to provide credit assessment. But within the new privacy regime, this maybe really tricky. Let us explain: SMS reading is a clear invasion into privacy and hence would require explicit consent. But where it gets really tricky is that SMS is usually a private conversation between two parties and hence you would need consent of both the parties to read SMS. It will be interesting to see how the innovation can be enabled without being unlawful.
  • Reading personal contacts to use later for collection: Like SMS reading this may also need consent of two parties and hence should be seen in the same light. (Signzy would be coming up with another article on multi-party conversations including email, sms, call etc. We will examine in detail the implications under a privacy law.)

Aadhar based KYC regime

  • There are two KYC possibilities in Aadhar A) Demo Auth B) eKYC — biometric or OTP. As the Aadhar regime has a robust consent architecture in place it should hold good even in the present regime. The only concern raised by the court was on biometrics being private. Hence the nature of benefit should be proportionate as consent alone, as noted by the court may not be enough protection. Hence biometric based KYC for account opening, new SIM or other risky scenario might be acceptable. Biometric based KYC for non-risky scenarios such as event registration might need a relook.
  • The other more grave change maybe the need for an alternate option. While the financial regulators in line with government view had been pushing a biometric KYC, the current law would require the financial system to provide alternatives. This is especially true for cases where there maybe no real risk or proportionate benefit of forcing biometric KYC.

Users financial transaction history

  • Cross-sell: Financial data mining for targeting for another product might definitely fall under invasion of privacy. The judges have clearly defined “financial information” as private. And such targeting in no ways provides “proportionate” benefit. Hence banks will need to take explicit consent in the original account opening form, even then it’s best that such analysis and targeting is totally automated. Closer on the lines of Google’s approach where a Google employee at no point has access to your records even though you are targeted based on your personal data. This will make sure that there is no leakage or profiling and hence the principles are being adhered to. But there would need to be clear regulation to define such actions by the bank.
  • AML/CFT risk assessment: This is one use case where the risk may justify privacy invasion. But we need to weigh it against the principle of necessity. Again as it stands out it might not be necessary to invade privacy. The court has enunciated how “anonymity” does provide privacy, and hence analysis of data that has been “anonymized” will not be a breach of privacy. Only when suspect transactions are found, should the bank de-anonymize the data an identify the actual account holder. (We understand this might need much more detailed explanation, rest assured we will be writing a longer post on the impact on AML/CFT processes)
  • Credit Risk monitoring: Unless the risk is large it might be very difficult to justify reading of transactions. The Financial Institution will have to provide the borrower a mechanism to provide consent each time such an assessment is made. This might defeat the whole purpose as someone with a risk may actually deny consent every-time. Thus it would be interesting to see how this part of the system pans out and what regulations are framed to balance risk and privacy concerns.

Banking Agents

  • Collection of data: Even current regulations require Banks to ensure that agents are registered and a clear trail can be established which ensure zero data leakage. This might now fall under a clear law or regulation, further not only Banks but all financial institutions (FIs) might need to have stricter regulations for agent models.
  • Storage of data: The storage of data will strictly require physical or digital records to be destroyed by the agents post transaction. Unless there is explicit consent by the consumer for such storage.
  • Sharing of data with other parties: Many a times agents do end up sharing data with parties who at the time of consent were not in the picture. As an example if the intended Bank doesn’t give a loan, data might be shared with other parties as well. Now one will need to take clear consent to ensure that this sharing is agreed by the user.

Payments

  • Aadhar Pay: Biometric has been considered by the court as a core private space. And it has also opined that at times consent may not be enough as the users may not understand the risks. In this light, Aadhar Pay might not have “proportionate” good. As while KYC carries risk to financial system and hence proportionate good, mere payments might not be an ideal scenario to invade individual privacy.
  • Cards based payments: Current cards eco-system relies on a “card” and PIN and no specific private data, at least from our point of view it doesn’t encroach privacy during payments. Fraud rules are also generally based on aggregated behavior and hence might also not carry any risk of privacy encroachment.
  • Mobile wallets: Since it is based on a standalone wallet that I recharge it has no personal data about me other than my basic KYC, phone number, email and my transaction details. Therefore no private information is shared with wallets. But wallets would not be able to leverage on my digital footprint for credit assessment without clear consent.

Social behavioral data

  • Social media: Google and Facebook have recently shown interest in using customer data gathered over a period of time as credit decision tools. This data has clearly been stated to be private. Thus this too would fall under the gambit of future regulation
  • Application’s own data: Even if the data is not coming from a third party but reflects user behavior on the same platform, such as Amazon, Uber etc. It will still be considered within the domain of privacy and needs to be regulated

As social behavior data is rich and possibly being seen as an alternative to many traditional data stores it important to share another case regarding Whatsapp’s decision to share its data with Facebook (its parent company). The matter concerns the privacy of 160 million Indian Whatsapp users. Such data has expressedly been considered to be private — and Judge’s comments left no room for imagining what their views were:

Recently, it was pointed out that “‘Uber’, the world’s largest taxi company, owns no vehicles. ‘Facebook’, the world’s most popular media owner, creates no content. ‘Alibaba’, the most valuable retailer, has no inventory. And ‘Airbnb’, the world’s largest accommodation provider, owns no real estate. Something interesting is happening. […]

Uber’ knows our whereabouts and the places we frequent. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.

Social networks providers, search engines, e-mail service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations — both personal and professional, health, mental state, interest, travel locations, fares and shopping habits […]

Large number of people would like to keep such search history private, but it rarely remains private, and is collected, sold and analysed for purposes such as targeted advertising[…]

Thus, there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors. There is also a need for protection of such information from the State”

These are just some of the instances that maybe impacted by this judgement. We will be happy if you can share any areas we may have missed and we will add them here.

Way Forward

This is certainly a landmark judgement and in some ways can claim to be the re-birth of privacy. In a digital world it was assumed that privacy has been sacrificed at the altar of convenience. But the court has upheld an individual’s right to his privacy providing him means to protect it and hence re-introduced a principle which seemed lost in the digital world. As the next steps, it’s incumbent upon the legislature to create clear law regarding this concern. But it’s safe to assume that usage of such data would be become much more regulated than it is now.

We are hoping that this article would be useful to you and also help you make sound business decisions. We might not have been able to go into depths of few topics which need much more deliberation. Hence we would be coming up with few more articles going in depth into some of these topics. We will be happy to receive feedback and also get to know which areas would you want much more in-depth analysis.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Electronic Petitions and Legal Minimalism

The need for technological developments to be incorporated into the procedure and paperwork of litigation petitions.

Problem in Status Quo

A standard process of litigation is known to be very cumbersome. Everyone has to deal with innumerable visits to court and endless paperwork. The process of litigation is intertwined with inefficient administration in Courts as well. For a simple litigation, all parties involved have to go through countless stacks of paper in the form or orders, plaints, written statements etc. A single case has various stages to it and each stage leads to a multiplicity of paper and excessive documentation. A paperless system of filing of petitions would ensure an environmental friendly judiciary and a substantial amount of time saved, not to mention bringing additional transparency and efficiency.

Applying Minimalism to the Process of E-Filing

The judiciary has already shown that it is willing to embrace minimalism and move towards a digitised system. Instances like electronic recording of witness statements, a digital FIR process being envisioned; are indicators of change. Thus, it is obvious to see that the Government is already taking steps towards a minimalist approach and is keen on digitisation. Hopefully this will make the potential change quicker.

Implementation

a. Technology

Implementation of a process where petitions can be filed is not as hard as it sounds. Various tech companies across the world have proven to be proficient in generating a system where e-filing can be achieved, as can be seen by the following case study:

The Government of Brazil decided to address the critical problem of overloading of litigations in the court, as it was burdened with approximately 2 million cases per year. The Government wanted to address the need of speedy justice. Microsoft came up with an integrated set of technologies which served as a solution to the specific problems at hand. The software company focused on making the system easy to use and driven by consumer need and demand. The system is capable of handling about 30,000 processes a day, which adds up to an estimated 7 million different litigations a year.

The digitization and usage of ICT by courts in Brazil has gained legitimacy after a federal law was passed to that effect in 2006. The judiciary is to achieve the efficiency that electronic filing promises.

b. Security of Identity

A possible obstacle may arise in cases of fraud or other problems but given that the process is online, the verification of identity of a person is made easy. The idea of a Digital India is to make online copies of documents available and this can be achieved by adapting minimalism.

c. Certification of Documents

Documents like say, written statements, affidavits etc. are required to be certified in court for the purposes of admissibility of the same. The same can easily be done online at the time of submission of the documents electronically to vouch for their authenticity.

Benefits of Electronic- Filing

E-Filing and other information and technology sharing initiatives are extremely beneficial to the public as it reduces congestion and delay by doing away with cumbersome processes. It facilitates a unique model of justice which allows an aggrieved party to obtain justice whilst in the comfort of his/her four walls. A large number of judicial processes and justice systems can become well connected if they use electronic systems efficiently.

Conclusion

The electronic system (with special reference to the E-filing of petitions) is one that is achievable and practically implementable as well, as seen by the Government’s efforts to digitise the judiciary. All that is needed is a concrete step toward complete digitisation of processes, which will greatly benefit the judicial system in India.

Originally published at legalminimalist.org on February 23, 2017.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Malicious Prosecution: An Effective Tool to Achieve Minimalism in Pendency of Cases

Analysing the scope of malicious prosecution in the light of the precedential and legal set up.

In India, when a person is prosecuted by the criminal justice system, all he can do is defend himself. In the event of successfully coming out clean from the due process of law, he is just left with the order of the Court. The mental stress and agony, the loss of reputation, the loss of personal liberty in case of arrest and detention, loss of livelihood and earning, the costs of defending the prosecution, the physical hardships etc are not accounted for. The victim of vexatious or malicious litigation has no legal recourse to protect himself against such abuse of process of law.

Supreme Court Precedent on Reputation and Allied Concepts

The Supreme Court of India has said that Right to Reputation is part and parcel of Right to Life and Personal Liberty guaranteed by the Constitution of India[1]. The same was reiterated by the Hon’ble Supreme Court in 2014 in the case of Umesh Kumar v. State of Andhra Pradesh[2]. Also in January, 2014, the Apex Court while deciding a case observed that instances of police machinery filing false charges is increasing day by day, and such cops should be punished[3].

The Supreme Court reiterated in July, 2014 that there is a rising trend amongst the women to file false cases under Sec. 498A of Indian Penal Code, and that the police should not make automatic arrests in such cases as it permanently scars the reputation of the person.[4] In Subroto Roy Sahara v. Union of India & Ors.[5], the Hon’ble Apex Court made a suggestion to the legislature to formulate mechanism that one who initiates and continues senseless litigation should pay for the same. From this, it is very apparent, that even the judiciary of our country is feeling the need to curb malicious prosecution.

Failure of Criminal Justice System

The basic purpose and the soul of the criminal justice system of our country was to punish the criminals, and create deterrence among them, so as to provide for a law abiding society for the common man. However, over the years, the very soul of this justice system has been lost. It is no longer effective in punishing the culprits. Instead it is increasingly being used to harass the common man.

There are endless citizens in our country who face the judicial system and prosecution for years together, and in the end it turns out that there was no merit in the case. For a matter of fact, as of today, in countless cases recourse is taken to criminal proceedings only as a way of ‘pressure tactic’ or to illicit a ‘compromise’. In the end, the real victim turns out to be the accused, as he has to face the complicated and time consuming justice delivery system of India. Action for malicious prosecution will be the apt tool to fight this menace.

Concept of Malicious Prosecution

The concept of malicious prosecution recognises the individual’s interest in not being subjected to unjustified litigation. Litigation, especially criminal, brings along with it great humiliation, harassment, annoyance, loss of reputation and loss of livelihood amongst other things. In order to curb the unjust litigation, malicious prosecution plays an important role.

One of the earliest cases to be decided on the concept of Malicious Prosecution was Savil v. Roberts [6]. The said case laid down a three-part test for malicious prosecution: damage to the person, damage to the property and damage to the man’s fame. Any litigation which has been intentionally initiated to accomplish either of these three tasks, would be a malicious prosecution. An action, for damages for being subjected to such a litigation, is called an action for malicious prosecution.

What can be Done

It is the need of the hour to address this issue. It is necessary to add legal provisions which act as an effective deterrent for such ‘malicious prosecution’ and compensates the people for their loss of reputation, earnings, livelihood, and the trauma. This could possibly be achieved by adding a chapter dedicated to malicious prosecution by way of amendments to the Code of Criminal Procedure, or promulgating a new legislature on the following lines –

  • The person initiating malicious prosecution (aggresor) is punished with imprisonment term and/or fine, equivalent to the punishment mentioned for the charges levelled by him in the malicious prosecution.
  • Loss of reputation and livelihood be compensated by imposing additional fine on the aggresor by computing the amount after taking into consideration the income, qualification and social status of the victim of malicious prosecution. The said amount can be secured by attaching the bank accounts or property of the aggresor, if the payment is not made forthwith.
  • Immunity should not be given to the prosecuting and investigation agencies who falsely prosecute any person. In a country like ours, where even the highest judicial courts are held accountable for their actions, this is the least we can do.

Malicious Prosecution: A Tool to Achieve Minimalism

Various governments over the years in India have promised to curb the pendency of cases in our courts. However, none have been successful in delivering on this promise. The essential reason for the pendency is the complexity on one hand, and the easy and free initiation of criminal proceedings without any penal or punitive action for false initiation of proceedings on the other hand. Formulation and strict implementation of provisions of Malicious Prosecution would aid in reducing the pendency to a great extent, as people would be very cautious before initiating criminal proceedings. As a result, a great percentage of cases would never be filed thereby reducing the burden of the judiciary. In return, the judiciary can focus all its resources on genuine cases due to which the disposal of the same would be much quicker.

Malicious Prosecution has been largely implemented effectively in countries like Canada and United States of America to curb malicious litigations. Specifically in United States of America, the implementation of the law of Malicious Prosecution is so stringent, that damages amounting to millions of dollars are to be paid if a person initiates a malicious prosecution. As a result, people think twice before initiating any legal proceeding thereby protecting innocent citizens as well as saving the precious time of the judiciary. This ensures that no superfluous and redundant litigations flood the court, thus proving to be truly minimalistic in nature.

Originally published at legalminimalist.org on February 23, 2017.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

How to get Certified Copies and Legal Minimalism

Certification process, effects due to delays and the scope for legal minimalism in the domain.

Government of India recently announced that they are going to stop physical publishing of the Official Gazette, which is the official press/media of the Government. Any law or rules which are made by the government need to be published in this Gazette for them to become operational. The Government has recently proposed to convert the Gazette into an electronic form. Indian government estimates that this move will save Rs. 40 crores and 90 tonnes of paper annually, thus proving a commendable measure reflecting minimalism by the government of India. This brings us to another aspect of publishing by a government agency- Courts.

Process of Obtaining Certified Copies

Taking out official copies of court orders as per todays procedure is a task in itself. The process is so cumbersome that there are specialized agents in court to just take out certified copies. Several orders are passed during the tenure of a case. The only way to know the order is to either inspect and read it from the court file or apply and get a ‘certified copy’ of the order. Even the parties to a case are not given copies of the court order without applying for a ‘certified copy’.

Typically, the process for a certified copy (“CC”) is as follows –

  • An order is dictated by the judge to a typist, who types it on a computer (typewriters were used earlier).
  • The order is then printed through a computer and signed by judge.
  • The same is then kept in the case file.
  • Applicant makes an application to Court Registry for CC.
  • Court Registry takes the application to the Judge.
  • Judge approves the application for CC.
  • The application comes back to Registry.
  • Registry initiates photocopy of the order from the court file.
  • The copies come back from photocopy section.
  • The copies are stamped by court seal and signed.
  • Applicant then needs to follow-up and receives the CC after it is ready.

Usually, it takes around 3–5 days to get this CC. In some courts (because of pendency) it might even take around 30 days to get CC. These orders are nothing but a publication by a government arm, but the process and method adopted takes us back to the 18th century.

Online Judgements as Example

Today all Supreme Court judgments are published online. Some High Courts and Tribunals have also started online publishing. However, these online orders are not given the status of ‘Certified Copy’ and you will still have to follow the 18th century method to get a CC from these courts.

Substantial Injustice due to delay in obtaining CC –

Sometimes, the mechanical procedure of procuring a CC through the lethargic administrative system of the Courts can lead to gross injustice to ordinary citizens.

Illustration: Law provides that in case a person is arrested by the police he can apply to the court for bail (i.e. his release). In case he makes this application in the first court (i.e. Magistrate) and is rejected, he can challenge this order of the Magistrate before a higher court (i.e. Court of Sessions). But to be able to challenge this first order from Magistrate before the higher court, he would need to get a CC. However, because of the overburdened court machinery, he may not get CC the same day and will not be able to approach the higher court immediately. Which means a person would have to spend time in jail only because the CC was not received in time. Thus. as CC is the only authentic proof of an order being passed. Any delay in obtaining it can result in immense hardship for litigants.

Applying Minimalism to this process of court orders

The Judiciary can take a cue from the government of India which has chosen online platform to publish laws. If laws can be published online, then court orders which are based on those laws can also be published online.

Few things that need to be taken care of –

a. Authentication

The court orders today are authentic only when signed by the judge and then stamped with his seal. How do we ensure this for online judgments?

The Ministry of Corporate Affairs can serve as good guidance that respect. It has completely digitised its process of company incorporation sound compliance. A certificate of incorporation (i.e. a government approval to formation of a company) is no longer physical but only digital. It is signed via digital signature of the Registrar of Companies and the original is uploaded on the Ministry website.

 

In the same way, judges can authenticate their orders by attesting their digital signatures as done by the Registrar of Companies.

a. Fraud and Forgery

Digital media like a ‘pdf’ can be edited and therefore it may be argued that the same cannot be relied upon. The idea in a digital India would be to rely only on a digital copy and hence instead of a paper order what the authorities should insist on is the web link on which the order is uploaded. Any action to be taken by any authority should be only after verification online.

In fact, an online order provides immediate opportunity to verify a court order. There are cases where forged court orders are circulated and have been used. The only way for verification of such orders would be to go and inspect the court file and see if they match. Thus an online order takes care of such cumbersome verification procedure as well.

b. Revenue earned by CC

A nominal fee is charged for issuing CC. The same is done considering the manpower involved for physically photocopying large files and huge number of documents. In case of a digital order such costs will be substantially reduced.

A nominal fee though, may be charged for accessing these orders as are charged by the Ministry of Corporate Affairs in case you want to inspect any company documents.

Implementation:

This does not require any major innovation for courts as today most of the orders are typed on a computer. Case statuses are also regularly updated on the district court website by the court office. Therefore, the court office can at the same time of updating the next date upload the pdf copy of the judgment along with the digital signature of the judge.

The Supreme Court, many High Courts, Tribunals and some of the District Courts are already uploading the orders on their websites daily. All that needs to be done is to give these orders the status of Certified Copies. Other courts can slowly follow suit.

Law Commission Report:

The Law Commission in its 188th Report published way back in 2003 had in fact made this suggestion and observed that once the digital signatures are valid, certified copies can be issued to the litigants on Internet under the court’s Digital Signature Certificates.

But Alas! Even after a period of 12 years from the publishing of the report, the archaic methods of obtaining CC still remains.

Conclusion

Adopting a process of obtaining Certified Copies online would save a huge chunk of time for lawyers, litigants, court clerks and the entire machinery. It will also go a long way in saving paper. Publishing them online is an easy task as most orders are typed and printed from a computer anyway.

Originally published at legalminimalist.org on February 23, 2017.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Cryptography: The Vault for Today’s Banks

Analyzing the importance of cryptography in ensuring online security.

When recently Edgartown bank in Massachusetts, USA needed more space they made a decision to do away with their steel enforced vault built in 1850. What seemed to be a simple re-furnishing task turned into a mammoth demolition exercise! Its only when they started digging deep, did they realise that it wasn’t that the vault was put in the Bank. But The bank was built, around the vault. Thus removing the vault meant destabilizing the complete infrastructure.

This small instance reveals a very important aspect of Banking. Safety is paramount. Banks have constantly been the biggest buyers of safe and vaults. Even today, banks pay tremendous attention to detail as regards safety and vaults, like the Federal Reserve Bank of New York, which claims to possess one of the world’s safest vaults. [1] The vault in New York is safeguarded by a comprehensive multi-layered security system, highlighted by a 90-ton steel cylinder protecting the only entry into the vault. The nine-foot-tall cylinder is set within a 140-ton steel-and-concrete frame that, when closed, creates an airtight and watertight seal. [2] In light of prevalent practices such as net banking, e-wallets and digital payment systems, the importance of security is further amplified.

Banks have always thrived (and done maximum business) on the notion of trust that customers place in them. Direct evidence of this principle can be found in the fact that banks act as trustees and guardians of the currency of their customers. Customers deposit large sums of money and are led to believe that a similar value of currency (as regards their bank balance) is present at the bank, despite the fact that it is common knowledge that banks often deal with monetary values and transaction amounts which are far greater than the actual amount of currency present at the bank at a particular point of time.

Need for Security

When the infamous thief Willie Sutton was asked why he robbed banks, he answered, “Because that’s where the money is.” While the witty comeback still “holds up” today, the weapon of choice now is more likely to be a pen/computer than a gun. The business of a bank/financial institution is constantly under threat from menaces of robbery, or even fraud. What is pertinent to note, is that banks have always placed tremendous value on security and will leave no stone unturned to ensure that safety standards remain high. [3]

The advent of technology has made fraud-inducing practices more prevalent and sophisticated, with them being at an all-time rise.[4] A survey on financial trends made by Assocham and PwC said that financial frauds led to approximately $20 billion (Rs 1.26 lakh crore) in direct losses annually. D S Rawat, Secretary-General, Assocham stated that “Financial fraud is big business, contributing to an estimated $20 billion in direct losses annually. Industry experts suspect that this figure is actually much higher, as firms cannot accurately identify and measure losses due to fraud. The worst effect of financial frauds is on FDI (foreign direct investment) inflows into India.” [5]

The report states that as 75% of the population of India has a mobile phone, ‘banking on the go’ has become the norm, so as to increase the convenience to the consumer. Which reflects in the Reserve Bank of India’s data which states that from a meagre INR 1819 crore in 2012, the volume of mobile banking transactions has risen to INR 1,01,851 crore in 2015.

Technology continues in the race with bank robbers, coming up with new devices such as heat sensors, motion detectors, and alarms. Bank robbers have in turn developed even more technological tools to find ways around these systems. Although the number of bank robberies has been cut dramatically, they are still attempted. [6]

Cryptography

As the world moves digital there is a corresponding need of similar safety and security in the digital world. Cryptography plays a crucial role in ensuring complete safety in areas like e-mail to cellular communications, secure Web access and digital cash. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. [7]

Cryptography secures the global information infrastructure by encrypting data flows and protecting data from third-party interception. Nowadays, cryptography secures data in transit and at rest, protects personal information and communications, and ensures the integrity of every online purchase. Cryptography has four key attributes:

1. Confidentiality: The protection of information and prevention of unauthorized access;

2. Privacy: Protecting the personal information of individuals;

3. Non-repudiation: The inability to deny an action took place; and

4. Integrity: Assurance that information cannot be manipulated. [8]

Cryptography also powers one of the most rapidly rising finance technology — Blockchain.

It has driven businesses to reimagine how their networks operate and has become synonymous with alternative business models. At its core, however, blockchain leverages a vast amount of public key cryptography to enable confidentiality, privacy and security of data and user identities. [11] Apart from its security benefits, blockchain also increases the speeds of different transactions. Instead of waiting days for a check to clear, a payment can be verified in seconds. There’s also less risk that payments will have to be denied because funds are unavailable. There’s no more “playing the float” since account debits and credits are instantaneous. [12]

Conclusion

Banks in India have started realizing that consumer experience and ease of banking are very important. This has led to several collaborations between the fin-tech start-ups and Banks. What would probably be the next wave in this collaboration is startups that focus on digital security helping banks bring the “offline” trust to the online world. Banks which focus on security and safety of digital consumers are more likely to build trust in the long run, and would most probably be the winners in the digital world.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Ankit Ratan, [ CEO, Signzy ]

 

Smart Contracts — An Indian Perspective

Understanding the emergence of smart contract technology and its legality and feasibility from an Indian perspective.

Demonetization in India has placed Blockchain-based Smart Contracts in a visible space. Blockchain technology has enabled the smooth transition from traditional to smart contracts by making them simpler and less expensive. Smart contracts are a vital step forward in automating the terms of an agreement between two parties.

For smart contracts to completely penetrate the Indian business circuit, the following aspects need to be focused upon:

  • The myth of smart contracts not being analogous to traditional contracts, needs to be addressed.
  • The legal clarification on status of Digital Currency is vital. Adequate regulation in the sphere of digital currency and smart contracts, will help in integration of digital contracts into present industrial standards. But, this transition needs the regulatory and logistical help of the RBI and Government structures.

What are Smart Contracts?

Smart contracts are computer protocols that embed the terms and conditions of a contract. The human readable terms of a contract are fed into an executable computer code that can run on a network. Many contractual clauses are made partially or fully self-executing, self-enforcing, or both.

Understanding Smart Contracts and Blockchain Technology

  • Smart contracts are self-performing and operate in combination with blockchain. This enables them to move information of value on the blockchain between parties.
  • Blockchain forms the backbone of all digital contracts and currency like the Bitcoin. It creates a transaction database that is shared by all nodes participating in a system based on the Bitcoin protocol.

Smart Contracts vs. Traditional Contracts

Contracts can be understood as agreements which are legally enforceable. The rights and obligations created by this agreement are recognised by law.

The idea of smart contracts is compatible with our understanding of traditional contract principles. Since, smart contracts also have legal backing, they fulfil the requirements of traditional contract law.

An important distinction between traditional and smart contracts is the medium on which the contract is formed. Commerce depends on individuals being able to form stable, predictable agreements with one another. Communication and physical ratification are the primary ways of creating a legal relationship. This infuses confidence of enforceability into the parties. The legal legitimacy and confidence of enforceability make traditional contracts a preferred way of forming contractual relations.

In smart contracts, the terms and conditions of contractual agreement are entered into the software code. But, this does not take away from the original character of the agreement. As long as the agreement creates a set of rights and duties or obligation, it is a valid contract.

Smart contract comprises of a new set of tools to articulate terms. The process of formation and articulation of contract is now embedded in a self-enforcing automated contract. Hence blockchain technology-based-smart contracts are a way to complement or replace, existing legal contracts.

For a wide range of potential applications, blockchain-based-smart contracts offer many benefits:

  • Speed — Smart contracts use software code. These codes automate tasks that are typically accomplished manually. Hence, they can increase the speed of a wide variety of business processes.
  • Accuracy — The probability of manual error is reduced due to automated transactions.
  • Lower cost — Smart Contracts need less human intervention, fewer intermediaries and thus reduce costs.
  • Auto-enforcement — Smart contracts are unique in their enforceability since these clauses are embedded in the applicable software itself.

Despite these benefits, there is hesitancy to participate in transactions involving smart contracts. This is because the status of digital currency is still ambiguous in India. Unlike traditional contracts, the legal position on enforcement, jurisdiction etc. is unsettled.

Yet, it can be seen that smart contract based transactions are much more popular in international parlance. Recognition for such transactions in major international commercial law statute have a profound impact.

Current Legal Scenario in India

Opponents of smart contracts in India argue that cryptocurrencies do not have the legal status as a currency in India. Hence, there is ambiguity about whether they constitute a ‘valid consideration’ as per traditional contractual principles.

  • Cryptocurrency is undefined under the FEMA, RBI Act or Coinage Act.
  • It is uncertain as to how Cryptocurrencies will be taxed and whether such tax will be a central or state subject.
  • Recently, a multi-stakeholder panel comprising of members from the RBI and the IDRBT looked into the implications of blockchain technology.[1]
  • Since all transactions take place over the internet, the dispute resolution or clause reposing jurisdiction to courts or excluding jurisdiction of courts needs to be clearly spelt out. “Smart contract itself should envisage a dispute resolution mechanism involving external arbitrators and/or courts, where the contract is frozen pending proceedings, and the award of the court is incorporated into the terms of the smart contract. With regards to evidence, a dual-integration mechanism comprising hybrid ‘code + paper’ contracts can be presented in court.”[2]

Commercial agreements comprise of clauses that protect parties from various liabilities. They are not always suitable for representation and execution through code. Hence it can be concluded that smart legal contracts will need a blend of code and natural language.

Smart contracts in the commercial realm are at a nascent stage. Hence, regulation in this regard will render adequate clarity to the functioning of smart contracts. This would ensure a smooth transition from traditional contracts to smart contracts in the near future.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

The Synergistic Match of FinTech and Banking Institutions

A revelation on growth prospects for fintech firms in India and the challenges in financial sector.

The global economic crises brought the world economy to its knees a decade ago. Still, the world’s largest banks operated and continue to operate, almost as if they were too big to fall. This feeling was echoed by Governments the world over. Their steadfast foundation among consumers has now been challenged by a different type of institution. This is the financial technology start-ups. (fin-techs.)

A compelling argument elucidates the whirlwind-like effect that fin-tech start-ups have on banking. The shift of priorities towards a consumer-convenience model gives incentive to banks to collaborate with fin-tech companies. These fin-techs make banking processes quicker and easier. They continuously innovate in the field to ensure greatest satisfaction of the consumer.

Fin-Techs – a Growing Force Internationally

The growth of fin-techs has been exponential, making them a true force to be reckoned with. Venture capitalists, private equity firms, corporates etc have poured an unprecedented amount of money into global financial technology start-ups. More than $50 billion has been invested in almost 2,500 companies since 2010. These innovators redefine the way we store, save, borrow, invest, move, spend and protect money. Leading financial analysts and experts like KPMG have estimated that the investment in fin-techs will increase by a whopping 36% in 2016.

 

There are various instances of success when it comes to fin-techs across the globe. Fin techs realize that consumer desire is paramount. They have persevered to provide quality digital service to thousands of consumers across the globe. M-Pesa is a case in point. M- Pesa is mobile money platform created by Vodafone and functional in Kenya. It capitalized on the realization that phones can be used to not only make calls, but also execute financial transactions. The premise of the M-Pesa is that most people in emerging and frontier markets don’t have bank accounts. They can use the platform via their mobile phones to make payments and ease money transfers. Estimates suggest that nearly 43 percent of the gross domestic product of Kenya takes place on the M-Pesa platform. The upward trajectory of investment in fin-techs is due to the satisfaction they provide to consumers worldwide. This has ensured that they become a strong global force.

Fin-Techs and India

The Modi regime in India has been particularly supportive of the start-up culture in India. There has been consistent lobbying for foreign direct investment into the entrepreneurship sector. There have been initiatives such as Start-up India, Stand up India’. India is among the first five largest start-up communities in the world. with the number of start-ups crossing 4,200 (at a growth of 40%) by the end of 2015. A Microsoft Ventures report states that the number of start-ups is expected to zoom from 3,100 in 2015 to an expected 11,500 start-ups by 2020.

The recent demonetization has encouraged ideas of a cashless and an e-wallet friendly economy. It has further prioritized the necessity of secure enablers and other platforms, such as Signzy Technologies Pvt. Ltd. They ensure a simple, secure and legal way of making payments. They also help to execute other necessary due diligence through their products like RealKYCTM, ARITM (Algorithmic Risk Intelligence) and Digital Contracts. This provide safety and security of parties to an online/diligence related transaction.

Flipkart CEO Binny Bansal and Snapdeal (and Freecharge) CEO Kunal Bahl acknowledged demonetisation as a game-changer. They labelled it as a move which will usher in the era of digital growth in India’s economy. The economy currently needs a stable and reliable platform to ease payments and related transactions now. This is where fin-techs step in. They bridge the gap between security and dependability. These are two key considerations that consumers in this new-look economy will have.

Services which Fin-Techs Can Offer

  • Mobile Payments

Payment security is a key concern in today’s risk-loaded environment. Innovation is essential to ensure risk mitigation and consumer responsiveness in the sector.[6] Fin-techs enable convenient and quick payments for various services, goods and other transactions through mobile wallets. Tokenisation and biometric data have developed to a great extent. This ensures authorization of payments through ‘mobile wallets’. There is no need to go through elaborate documentation and technicalities anymore.

  • P2P Payments

Fin-techs also enable the transfer of value of currency between to persons, thus enabling person to person (P2P) payments. The same transactions can be made between institutions and persons also.

 

The picture above is a representation of a report by BI Intelligence. It shows the growing popularity of P2P payments using mobiles. It also explains how they may serve as a bridge to widen use of smartphones to complete in-person “wallet-less transactions”.

Collaborative Actions between Fin-techs and Banks in India

Banks have realized that the way forward is to embrace digitized processes. It is essential to collaborate with fin-tech start-ups to maximize consumer satisfaction. Various Indian banks have taken active steps to partner with start-ups to make banking processes easier.

  • HDFC Bank

HDFC has partnered with a Bangalore-based start-up called “Tone Tag”. It provides phone-based proximity payment services to its customers. it had also tied up with Chillr — an app-based payments platform which transfers funds from account to account without having to fill in any account numbers or bank codes. The bank is also known to host start-up competitions in the form of digital innovation summits.

  • Axis Bank

Axis bank partnered with Vayana Network. Together. Together, they launched “Invoice to Payment,” an end-to-end digital invoicing and payment solution. The solution aims to simplify B2B payments in India. Currently B2B payment is estimated at over $95 billion annually. It offers digital invoicing, electronic workflow approval and instant payment processing for businesses in India.

  • ICICI Bank

ICICI Bank is partners with Paytm. Paytm is India’s largest mobile payment firm to launch virtual prepaid cards. This idea has now evolved into the Paytm wallet. It can be used for purposes such as purchasing supplies, usage of public transport etc.

  • YES Bank

YES Bank has partnered with some exciting fin-tech start-ups like Ultracash Technologies. They have launched payments processing through sound waves and TimesofMoney. They also plan on launching their own online remittance solution called YES Remit. YES Remit will allow non-resident Indians (NRIs) to send money to any YES BANK account or other bank accounts in India.

Bill Gates once said that banking would remain essential to the world, but banks wouldn’t. Fin-tech companies are looking to take over the market. Hence, NBFCs and financial institutions need to remember is that collaboration is key. It is high time that these institutions look inwards and identify key weaknesses that these fin-techs can fill proficiently. Fin-techs and undeniably exciting. They also own the brightest and most innovative minds in the country and have enough funding. Yet taking lessons in market expertise, brand image, expensive licensing, brand name and image etc. from banks is the only way for them to progress. A combination of digitally aware customers and a symbiotic synergy between fin-techs and financial institutions is indicative of the birth of a new system of global finance.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

Peer to Peer Lending: An Overview

Peer to Peer Lending and the role of regulatory bodies like RBI and the SEBI.

After Securities Exchange Board of India (SEBI) released its Discussion Paper on Crowdfunding, the Reserve Bank of India (RBI) also has decided to regulate the online lending and borrowing market. While it is easy to digest the thought and attempt made by SEBI through its discussion paper considering the involvement of “securities” and “public” in the whole process of crowdfunding, the same is not the case with RBI’s consultation paper (“the paper”). One fundamental point of difference between these two regulatory bodies is that SEBI comes into the picture whenever there is involvement of “securities” and “public” but RBI does not get involved in every activity when there is “money” and “transaction” involved because there are several other enactments which deal with other aspects of transactions which take place in money. One such activity is money lending which is a State subject and it is to be governed by the individual states, leaving RBI with no role to play.

Keeping that in mind, this article will further analyze how, at several instances, RBI is trying to regulate P2P lending platforms by exceeding its jurisdiction.

Nature of P2P Lending

Firstly, one needs to understand that P2P lending is not just something to do only with start-ups but is in fact a much bigger idea than that. Here the borrower can either be an individual or a legal person requiring a loan and hence this new area has the capability to satisfy temporary monetary needs of individuals as well.

Proposed Regulations

(i) Permitted Activity: The P2P Lending Platform will only act as a facilitator for borrower and lender. Various requirements need to be met by the platform, such as:

  • Display of the amount of lending and borrowing on balance sheet.
  • No ‘financial activity’ can be carried out on its own, and compliance to The Reserve Bank of India Act, 1934 is necessary.
  • Assurances of any returns cannot be given/made.
  • Information about suitability of a lender and creditworthiness, reliability of a borrower can be given on the platform.
  • Advertisement will be regulated.
  • The platform cannot take part in the financial transaction between lender and borrower and move through banking channels between the two.
  • No cross-border transaction will be allowed.

(ii) Prudential Requirements: The prudential requirements will include a minimum capital of Rs 2 crore. Also, leverage ratio may be prescribed. There can also be a cap on the total investment by a Lender.

(iii) Governance Requirements: The management and operational personnel of the platform would need to be stationed within the country and a financial background of promoters and board needs to be thoroughly conducted.

(iv) Business Continuity Plan (BCP): There must be an arrangement like a ‘living will’ or alternative arrangement in the form of an agreement for continuation of its operations. The Platform must also contain risk management systems and a Business Continuity Plan. There should be a back-up for the data since the Platform acts as a custodian of cheques, agreements and other details.

(v) Customer Interface: Confidentiality of the customer data and data security would be the responsibility of the Platform. It will also need to provide to borrowers and lenders transparency, data confidentiality, minimum disclosures and proper grievance redress mechanism.

(vi) Reporting Requirements: Basic reporting requirements may be prescribed.

Dissecting the paper and analysing RBI Responsibility

1. Para 1.6 of the paper inter-alia states that:

“The platform provides the service of collecting loan repayments and doing preliminary assessment on the borrower’s creditworthiness.”

The question arises in a situation where both these functions i.e. of collecting loan repayments and doing preliminary assessment on the borrower’s creditworthiness are outsourced by the P2P platform as both of these activities though important are not core to the platform and not something that cannot be outsourced.

2. Para 1.6 of the paper further inter-alia states that:

“The fees go towards the cost of these services as well as the general business costs. The platforms do the credit scoring and make a profit from arrangement fees and not from the spread between lending and deposit rates as is the case with normal financial intermediation.”

Here RBI itself has made a fundamental classification of business activities undertaken by a financial intermediary and that of a P2P platform.

3. Para 5.4 of the paper which deals with the scope of RBI’s regulations also inter-alia state that:

“The notification can therefore specify that no entity other than a company can undertake this activity. This will render such services provided under any other organizational structure illegal. Alternatively, the other forms of structure may be regulated by the State Governments.”

RBI recognizes here that money lending activity is an activity which is not completely an unregulated space but can be regulated by the State Governments.

4. Para 4.3 of the paper which puts forth the arguments in support of regulating the activity is as follows:

  • Considering the significance of the online industry and the impact which it can have on the traditional banking channels/NBFC sector.

“Impact on something that RBI regulates” cannot qualify as a reason for RBI to regulate something which it is not supposes to regulate. If this rationale were to be followed, RBI should also have power to regulate the securities market considering the situation that would have been in existence for the Banks & NBFCs had there not been any securities market and Stock Exchanges.

  • If properly regulated, the P2P lending platforms can do this more effectively.

Making something more effective can only be done if the RBI is statutorily permitted to do so, and it is clear that is not the case.

5. For better understanding let us divide para 4.3. (iv) of the paper, because here RBI has tried to establish its jurisdiction.

a. Section 45S of RBI Act prohibits an individual or a firm or an unincorporated association of individuals from accepting deposits, if his or its business wholly or partly includes any of the activities specified in clause © of section 45-I (i.e. activities of a financial institution);

Attention must be paid to the fact that the providing platform for lenders and borrowers does not fall under the functions carried on by financial institutions.

b. if his or its principal business is that of receiving of deposits under any scheme or arrangement or in any other manner, or lending in any manner

It is important to note that there is no receiving of deposits done by the platform providers.

c. As per the Act, ‘‘deposit’’ includes and shall be deemed always to have included any receipt of money by way of deposit or loan or in any other form, but does not include any amount received from an individual or a firm or an association of individuals not being a body corporate, registered under any enactment relating to money lending which is for the time being in force in any State.

The RBI Act once again has recognized that the money lending activity is to be regulated at the state level.

d. Since the borrowers and lenders brought together by a P2P platform could fall within these prohibitions, absence of regulation may lead to perpetrating an illegality.

At the end RBI has also accepted that borrowers and lenders are the persons which come under the purview of the RBI and not the platform itself. However, going by this logic, RBI should have power to regulate the money lenders also under the Money Lenders enactments of states.

In this whole clause the justification given by RBI has only shown how remote this industry is from its ambit and has failed to substantiate a solid claim for regulation.

Regulatory Space- State Governments

RBI’s own paper expresses doubts over the legality of these regulations over P2P lending platforms in Para 5.4 of the Paper, as money lending through money lenders is a state subject any regulations over P2P may need a legislative backing. Currently, it seems that the two regulators SEBI and RBI are trying to draw boundaries between themselves over crowdfunding and P2P lending.

Conclusion:

The consultation paper in its present form if developed into any regulations may provide for an easier entry for the large NBFCs to set up a P2P platform which might create an entry barrier for the new players willing to enter into this space and eventually few of these NBFCs might grab up substantial part of the future market of P2P lending by availing the early bird benefit and undertaking aggressive marketing, which eventually leads to brand recognition.

Originally published at legalminimalist.org on January 26, 2017.

About Signzy

Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.

Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.

Visit www.signzy.com for more information about us.

You can reach out to our team at reachout@signzy.com

Written By:

Signzy

Written by an insightful Signzian intent on learning and sharing knowledge.

 

1 15 16 17 18