Simplified regulatory mapping is the need of the hour for Fintech in India: Ayush Chowdhary

Information security ensures the security and confidentiality of important data such as financial data or intellectual property.

In January 2023, the Reserve Bank of India laid down its rules for the NBFC sector, which include maintenance of records, returns and filings under the Prevention of Money Laundering Act, 2002, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and the RBI Guidelines on Fair Practices Code for NBFCs, among others.

In addition, the corporate affairs ministry in April piloted an IT-heavy architecture designed to streamline compliance management for limited liability partnerships. With this, more than 260,000 active LLPs will soon start receiving auto-generated alerts and emails for defaults and missed deadlines, the ministry added.

With issues such as information security, compliance management, regulatory burden and regulatory fines causing fatigue for firms, information security company Scrut Automation recently launched ReguSense, a platform that provides information security solutions to startups, especially fintechs.

Speaking with Mint, CEO and co-founder Ayush Ghosh Chowdhury claimed that ‘ReguSense’ would reduce fintech effort by 60-70% in resolving issues related to compliance management. Edited excerpts:

1) What is the first thing that comes to your mind when you hear the word Compliance Management?

Ayush: I’m talking about compliance in the context of information security. At the highest level, it is fatigue in a nutshell, and the reason I say that is, when you look at companies around the world today, there are a lot of privacy laws. Then there are security standards like SOC 2, ISO 27001 or PCI DSS. RBI in India has made it mandatory for payments, insurtech and transaction companies to comply with a lot of System Audit Report (SAR) audits around tokenization, localization, etc. This means that while there are common controls across all of these standards and laws, there are intersecting controls, which are effectively the same controls, but expressed differently. So how do you reduce that fatigue? That’s the biggest problem in compliance today.

2) What is your take on the compliance obligations for firms, especially when they are often discussed with regard to the number of regulations, regulatory fines, automation and cost?

Ayush: In terms of the regulatory burden of complying with the framework, the burden has increased over the years and continues to increase. Earlier there were base standards like ISO 27001 or SOC 2 which would be enough; then we started having vertical-specific standards like PCI DSS, and even within PCI DSS there are 3 or 4 different variants that have come up, and recently RBI has made it mandatory for fintech companies in India to, for example, comply with SARs. And they also have different forms, such as data localization and tokenization, all of which are different. So the regulatory burden of complying with these controls is increasing, and for good reason.

Given the pace at which fintech companies are growing in APAC, and especially in India, security controls need to keep pace. And creating the right set of regulatory guards is of utmost importance because this is the most sensitive type of data being handled. So for good reason these standards are in place, but the compliance burden has definitely increased. And it also increases the cost of compliance because you have to manage multiple artifacts and put teams in place, GRC teams, in these companies. You will have to pay more to get audited every year.


However, you cannot get rid of audit cost, as it is an essential cost that you will have to go through. You have to pay the auditor. But you can certainly avoid a bloated team, which is a reactive measure to follow multiple standards. And if done correctly you can actually save 60-70% of human effort.

3) How aware are the firms that approach you regarding compliance management? And what fundamental issues do they discuss?

Ayush: The rules apply to all companies irrespective of size; whether you have less data or more data doesn’t matter. Small companies – 20-25 employees, less than 50 employees – usually have a poor security baseline. They haven’t started with their infosec controls, and the awareness level for compliance standards is generally very low. Whereas, for a mid-market enterprise customer like Cashfree, for example, we see a very high level of understanding in terms of information security and of what compliance means. In summary, we see a significant variation in terms of both the security baseline and the level of awareness of compliance standards, depending on company size and maturity.

4) In January 2023, the RBI laid down its rules specifically for the NBFC sector. The government also said that over 260,000 active LLPs will soon start receiving auto-generated alerts and emails for defaults and missed deadlines. How much will this help?

Ayush: So this kind of significant increase in compliance overhead has two consequences. RBI’s intention is very welcome, it is very correct as companies need to feel the heat for managing data properly.

The point I’m trying to make is that this has created a significant amount of fragmentation within companies in how they manage infosec controls. And RBI is taking adequate safeguards to ensure that the reports pass through very stringent quality control checks. We have seen many companies submitting SAR reports (for example) and getting follow-up queries from RBI – two or three times – before the report is accepted. I think RBI has done a pretty good job, maintaining a high level of quality of reports and weeding out potentially fewer auditors. Given the speed at which fintech and financial services are moving in India, we would be well served to expect that the situation is about to get more aggressive.


5) Are RBI rules too strict?

Ayush: No, we get it right. If you look at the kinds of controls that they mandate, they’re on par with the best InfoSec (information security) standards out there.

6) Your firm (Scrut Automation) is launching ‘ReguSense’ and is even claiming it to be a game changer for corporations in compliance management. What is it, how can it be a game changer and why should firms trust you with this?

Ayush: If you look at the most common RBI requirements, the controls are very similar to what you would find in conjunction with, say, ISO 27001 or GDPR or ISO 27017, ISO 27018 or PCI DSS for that matter. Let’s say SAR data localization, SAR tokenization, SAR payment aggregators, SAR payment gateways, SAR PPI audits: if you look at the aggregation of all of these, the controls are very similar to what you would find implementing ISO 27001, specifically as per the latest ISO 27001:2022. But then the audit and filing have to be separate, which means companies end up duplicating effort trying to implement the same controls, but expressed differently in different standards. This leads to a lot of fatigue and duplication of effort, and either bloated teams to manage all that extra paperwork or a situation where companies have to work with outside consultants. A lot of money has to be spent.

We’re doing this (through ReguSense) because, essentially, what’s important to you as a fintech company, especially in India, is to have a sanitized security environment, and we’re trying to create one.

Why are we calling it (ReguSense) a game changer? Because we will, in turn, ensure that the controls are mapped to the relevant parameters in the backend. So on a day-to-day basis, you (the CSO of a fintech company, or the VP of InfoSec) don’t have to worry about the articulation of controls within those many frameworks. You will essentially have to undergo one audit that ensures you meet the requirements in multiple frameworks. And it reduces your effort by 60-70%. You may have a small team, with very few people to supervise or monitor.

7) Are you too early or too late to launch ReguSense?

Ayush: From a timing perspective, I would consider myself at exactly the right time.
