The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 11.
User Experiences of Digital Financial Risks and Harms
http://editors.cis-india.org/raw/user-experiences-of-digital-financial-risks-and-harms
<b>The reach and use of digital financial services has risen in recent years without a commensurate increase in digital literacy and access. Through this project, supported by a grant from Google(.)org, we will examine the landscape of potential risks and harms posed by digital financial services, and the disproportionate risk that information asymmetry and barriers to access pose for users, especially certain marginalised communities. </b>
<h3>Project Background</h3>
<p style="text-align: justify;">There is a big evidence gap in the understanding of the financial risks and harms experienced by users of digital financial services. Consequently, adequate consumer protection frameworks and processes to address these harms have been lagging. A survey of 32,000 Indian consumers found that <a href="https://www.businessinsider.in/india/news/42-indians-experienced-financial-fraud-in-last-3-years-report/articleshow/93341725.cms">only 17%</a> of those who lost money through banking frauds were able to recoup their funds. Filling this gap is crucial to inform responsive policy making, platform design and data governance.</p>
<p style="text-align: justify;" dir="ltr">While a lot more attention is paid to financial frauds and scams, through this study, we aim to situate these alongside experiences of harms that are understudied and sometimes overlooked. Users may also experience financial harm, when negatively impacted by:</p>
<ol>
<li>Financial misinformation</li>
<li>Loss of control over their assets</li>
<li>Loss of potential income</li>
<li>Difficulty accessing social protection</li>
<li>Financial abuse perpetrated alongside other forms of domestic and family abuse </li>
<li>Unsustainable levels of debt, i.e. over-indebtedness, and </li>
<li>Exclusion from financial services</li></ol>
<p dir="ltr">The Centre for Internet and Society is undertaking a mixed methods study to better understand user awareness, perceptions and experiences of digital financial risks and harms.</p>
<p style="text-align: justify;" dir="ltr">For this study, we will survey nearly 4000 users, with differing levels of access to digital devices, digital services and the internet, and undertake semi-structured interviews and focus group discussions with specific target groups and stakeholders. We aim to highlight the experiences of persons with disabilities, gender and sexual minorities, the elderly, women, and regional language first users; to better understand how discrimination and exclusion may increase their burden of risk when using digital financial services.</p>
<p style="text-align: justify;" dir="ltr"><strong>Key research questions guiding our project are:</strong></p>
<ol>
<li style="text-align: justify;">How are digital financial risks understood and experienced by users of digital financial services? Which socioeconomic factors amplify risks for different user groups?</li>
<li style="text-align: justify;">What concerns have emerged relating to data privacy, misinformation, identity theft and other forms of social engineering and mobile app based fraud?</li>
<li>How accessible are providers’ and government’s platform based reporting and grievance redressal systems?</li>
<li style="text-align: justify;">What role can fintech platforms, social media platforms, banking institutions, and regulatory bodies play in reducing digital financial risks across the ecosystem?</li></ol>
<h3 style="text-align: justify;" dir="ltr">Project Aims</h3>
<p style="text-align: justify;" dir="ltr">Through this study, we aim to:</p>
<ol>
<li style="text-align: justify;">Assess the financial risks and harms users are exposed to when using social media, digital banking, and fintech platforms. While looking at general users, we will also specifically explore this experience for the elderly, gender and sexual minorities, regional language users and persons with visual disabilities.</li>
<li>Develop a framework to categorise the nature of vulnerabilities, risks and harms faced by the concerned user groups</li>
<li>Create a credible evidence base for key stakeholders with regards to experiences of digital financial risks and harm.</li>
<li style="text-align: justify;">Provide recommendations for better policy and platform design to address harms, specifically those arising from lack of accessibility and information asymmetry.</li>
<li>Identify best practices to respond to digital risks and foster safety and equity in digital financial services</li></ol>
<h3 style="text-align: justify;" dir="ltr">Come Talk to Us:</h3>
<p style="text-align: justify;" dir="ltr">If you have experiences or insights to share, or if you're interested in learning more about our study, please reach out.<br /><br />We also invite researchers, financial service providers, developers and designers of fintech platforms, and civil society organisations working on digital safety, to speak to us and help inform the study. You may contact <a class="mail-link" href="mailto:garima@cis-india.org">garima@cis-india.org</a></p>
<hr />
<p><strong>Research Team</strong>: Amrita Sengupta, Chiara Furtado, Garima Agrawal, Nishkala Sekhar, Puthiya Purayil Sneha, and Yesha Tshering Paul</p>
No publisher
Amrita Sengupta, Chiara Furtado, Garima Agrawal, Nishkala Sekhar, Puthiya Purayil Sneha, and Yesha Tshering Paul
Financial Technology, Financial Platforms, Digital Financial Harms, Researchers at Work, Featured, RAW Blog, Accessibility, Digital Lending, RAW Research, Research, Homepage
2023-12-22T16:05:26Z
Blog Entry
What does the 2022 Finance Bill mean for crypto-assets in India?
http://editors.cis-india.org/internet-governance/blog/what-does-the-2022-finance-bill-mean-for-crypto-assets-in-india
<p style="text-align: justify;" dir="ltr">The recent budget speech saw the Finance Minister propose a slew of measures that seek to clarify the taxation regime with regards to crypto-assets in India. The speech, and the proposed measures, have led to significant discussion and debate within the domestic crypto-ecosystem as questions continue to be raised about the ambiguous legality of crypto-assets in the absence of any dedicated crypto legislation. In the face of this uncertainty, this blog post looks to contextualise the proposals put forth by the Finance Minister in her speech and clarify what they mean for crypto-asset regulation and use in India. </p>
<h3 style="text-align: justify;">Crypto-assets defined as a virtual digital asset and taxed at 30% </h3>
<p style="text-align: justify;" dir="ltr">The <a href="https://www.indiabudget.gov.in/doc/Finance_Bill.pdf">2022 Finance Bill</a> introduces the definition of a ‘virtual digital asset’ as an amendment to the 1961 Income Tax Act. The government defines a virtual digital asset as: </p>
<ol><li style="list-style-type: lower-alpha;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Any information or code or number or token (not being Indian currency or foreign currency), generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration, with the promise or representation of having inherent value, or functions as a store of value or a unit of account including its use in any financial transaction or investment, but not limited to investment scheme; and can be transferred, stored or traded electronically; </p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p style="text-align: justify;" dir="ltr">A non-fungible token or any other token of similar nature, by whatever name called;</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Any other digital asset, as the Central Government may, by notification in the Official Gazette specify</p>
</li></ol>
<p style="text-align: justify;" dir="ltr">Furthermore, the bill also introduces section 115BBH to the Income Tax Act, according to which income or profits generated from the transfer of ‘virtual digital assets’ would be taxed at the rate of 30%. The Finance Minister further clarified that any expenses incurred in carrying out such trades cannot be set-off or deducted from the profits generated, except the amount spent on buying the crypto-asset in the first place. Further, in case of losses incurred from crypto-asset trading, such losses cannot be carried over to subsequent financial years.</p>
<p style="text-align: justify;" dir="ltr">While this clarification of the provisions relating to crypto-assets under the Income Tax Act, 1961 drew much attention for its potential impact, it is important to note that this measure is far from a departure from the government’s pre-existing stance. In responses to parliamentary questions on <a href="https://pqars.nic.in/annex/255/AS30.pdf">30th November 2021</a> and <a href="https://pqars.nic.in/annex/253/AU3105.pdf">23rd March 2021</a>, the Minister of Finance has repeatedly stressed the liability to pay taxes on any profits arising out of crypto trading under Indian tax law. </p>
<p style="text-align: justify;" dir="ltr">The budget speech merely clarified the provisions under which profits from crypto trading shall be taxed. Prior to this, there had been a fair amount of debate as to whether profits from crypto trading would be included as part of the regular income, income from other sources, or if they would be taxed as capital gains. This distinction and categorisation was critical as it determined the rate of tax applicable to crypto profits. However, with the proposed section 115BBH, the government has made the taxation regime clearer on how these profits are to be taxed. </p>
<h3 style="text-align: justify;">Introduction of TDS onto crypto-asset transactions and transfers </h3>
<p style="text-align: justify;" dir="ltr">Another provision that this budget has proposed is the introduction of a 1% TDS (Tax Deducted at Source) on any transfer of a crypto-asset, provided that other conditions in relation to aggregate sales specified in the proposed section 194-S are satisfied. It must be noted that this TDS shall be payable not only on cash transfers, but even on trades where one cryptocurrency has been traded for another cryptocurrency. Thus trades where Bitcoin is bought using Tether would also be liable to such TDS deduction. Interestingly, the way the provision is currently drafted, if any person accepts payment for any goods or services in cryptocurrency, then such a person would be liable to pay TDS at 1%. This is because the Income Tax Act treats the cryptocurrency as the asset being bought or sold and treats the good or service being provided by the “seller” as the consideration. Thus instead of it being looked at as a transaction where one person is paying for something by using cryptocurrency, it is looked at as a transaction where the other person is buying the cryptocurrency and paying for it in kind (through the goods or services of the “seller”).</p>
<h3 style="text-align: justify;">Questions of enforcement still remain</h3>
<p> <span style="text-align: justify;">While these measures do bring a certain level of clarity and stability in the taxation regime with regard to crypto-assets, one still needs to grapple with the issue of their implementation. News reports suggest that about 15-20 percent of the investors in crypto assets are in the </span><a style="text-align: justify;" href="https://economictimes.indiatimes.com/tech/technology/students-hop-on-to-the-cryptocurrency-bandwagon/articleshow/86980964.cms">18-20 year age group</a><span style="text-align: justify;">. A number of such investors do not file tax returns since they are mainly students investing their extra savings or “pocket money” to make a quick profit. Ensuring that this demographic actually follows the letter of the law may be a challenge for the revenue authorities and it would be interesting to see how they overcome it.</span></p>
No publisher
Vipul Kharbanda, Aman Nair
Financial Technology, Crypto Party, Bitcoin, Cryptocurrencies
2022-02-03T06:31:54Z
Blog Entry
A Comparative Analysis of Cryptocurrency Reporting in Financial Statements
http://editors.cis-india.org/internet-governance/blog/a-comparative-analysis-of-cryptocurrency-reporting-in-financial-statements
<div><span style="text-align: justify;"><br />The Ministry of Corporate Affairs (MCA) on March 24, 2021, came out with a notification inter alia mandating disclosures of cryptocurrency holdings by companies in their balance sheets. These changes have been effectuated by making requisite amendments to Schedule III of the Companies Act, 2013. The notification specified that companies are now required to report the profit or loss accrued due to trade or investment in any type of cryptocurrency or virtual currency, the amount of cryptocurrency that the company holds on the reporting date, and the deposits or advances from any person that have been made for the purposes of trading or investing in cryptocurrencies or virtual currencies.</span></div>
<div><span id="docs-internal-guid-68f65050-7fff-d2c4-984e-7347eb46250f">
<p dir="ltr"><span style="text-align: justify;"><br />The decision on new disclosure requirements comes amidst parliamentary discussions on cryptocurrency and speculations of another attempt at prohibition. Meanwhile, this step has been welcomed by the cryptocurrency industry in India as it signals towards a more positive approach being taken by the government with regards to corporate cryptocurrency transactions in India. Moreover, while it opens up new possibilities of scrutiny of such transactions, this measure will also be beneficial in identifying key policy gaps in cryptocurrency regulation in India when we look at corresponding requirements in foreign jurisdictions.</span></p>
<p dir="ltr"><span style="text-align: justify;"><br />In this Issue Brief, the policy landscape in the United States of America (USA), United Kingdom (UK), and Japan is discussed and particular emphasis is placed upon definition, accounting practices, and taxation, with respect to cryptocurrencies. It is thus identified that such jurisdictions have taken concrete steps in this regard by providing clear guidance (such as through HMRC’s Cryptoassets Manual and ASBJ’s advisory notification on accounting for cryptocurrencies). </span></p>
<p dir="ltr"><span style="text-align: justify;"><br />Then, the regulations in India are looked into comprehensively and specific policy recommendations are made, as it is ascertained that no clear steps have been taken in the aspects that have been mentioned above. Although the March MCA Notification is a positive step on corporate cryptocurrency transactions, the following steps are needed further: firstly, a clear and comprehensive definition of cryptocurrency and cryptoassets must be laid down, preferably through a central legislation; secondly, a separate category for cryptocurrencies under the Indian Accounting Standards (Ind AS) should be created; and thirdly, complete guidance on applicable taxes on cryptocurrency transactions, by individuals and corporates, must be provided. </span></p>
<p dir="ltr"><br /> <span style="text-align: justify;">It is thus concluded that while the government is willing to engage with various stakeholders, with positive intent, comprehensive and definitive steps are the need of the hour. This is essential to safeguard the large number of cryptocurrency investors in India, and to quell the uncertainty that is created by speculative measures such as banks declining services for cryptocurrency transactions.</span></p>
<span id="docs-internal-guid-e484f19a-7fff-840b-98cb-59a46421d4ae">
<p dir="ltr"><br /> The full issue brief can be read <a href="http://editors.cis-india.org/internet-governance/blog/cryptocurrency-in-financial-statements/at_download/file">here</a></p>
<div> </div>
</span>
<br /></span></div>
No publisher
Aryan Gupta
Financial Technology, Cryptocurrencies
2021-06-15T05:25:39Z
Blog Entry
Call for Comments: Model Security Standards for the Indian Fintech Industry
http://editors.cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry
<p>The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document, which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches. <br /><br />We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in their feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document <a href="http://editors.cis-india.org/internet-governance/resources/security-standards-for-the-financial-technology-sector-in-india" class="internal-link" title="Security Standards for the Financial Technology Sector in India">here</a>.</p>
No publisher
pranav
Financial Technology, Cybersecurity, internet governance, Internet Governance, Cyber Security
2019-12-16T13:16:25Z
Blog Entry
Draft Security Standards for The Financial Technology Sector in India
http://editors.cis-india.org/internet-governance/blog/draft-security-standards-for-the-financial-technology-sector-in-india
<b>Information security standards provide a framework for the secure development, implementation and maintenance of information systems and technology architecture. This document includes draft information security standards, which seek to ensure that not only the data of users is dealt with in a secure and safe manner but also that the smaller businesses in the fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches.
</b>
<p dir="ltr">By: <strong>Vipul Kharbanda</strong></p>
with inputs from: <strong>Prem Sylvester
</strong>
<hr />
<p style="text-align: justify;" dir="ltr">Information security standards provide a framework for the secure development, implementation and maintenance of information systems and technology architecture. Regulatory policies often cite several information security standards as a baseline that is to be complied with in order to ensure the adequate protection of information systems as well as associated architecture. Information security standards for the financial industry provide consideration to the specific risks and threats that financial institutions may face, making them an integral part of the process of ensuring business and operational sanctity.</p>
<p style="text-align: justify;" dir="ltr">There is an urgent economic interest in ensuring robust security of the financial technology sector within the country. This interest is amplified considerably due to the policy push seeking to shift India towards the realisation of a ‘cashless society’. This recent policy push has in part led to the ubiquitous adoption of technology-centric financial services such as PayTM, PhonePe, Mobikwik and others. The current landscape with respect to security standards for financial institutions in India appears to be multi-pronged, with multiple standards in place for companies to implement.</p>
<hr />
<p><br /><strong>The report can be accessed in full <a href="https://cis-india.org/internet-governance/resources/security-standards-for-the-financial-technology-sector-in-india">here.</a></strong></p>
No publisher
Vipul Kharbanda
Cyber Security, Security Standards, Financial Technology
2019-11-18T09:51:36Z
Blog Entry
Event Report: Consultation on Draft Information Technology (Fintech Security Standards) Rules
http://editors.cis-india.org/internet-governance/blog/event-report-consultation-on-draft-information-technology-fintech-security-standards-rules
<b>The Centre for Internet and Society is in the process of drafting certain data security standards for Fintech entities. As part of the process of drafting, a consultation roundtable was organized to get inputs from industry executives, lawyers and policy experts working in this field. </b>
<p id="docs-internal-guid-354c2536-7fff-e363-f690-23b8a1e55db5" style="text-align: justify;" dir="ltr">By: <strong>Anindya Kanan</strong></p>
<p style="text-align: justify;" dir="ltr">Reviewed and Edited by: <strong>Vipul Kharbanda </strong>and<strong> Elonnai Hickok</strong></p>
<p style="text-align: justify;" dir="ltr">Edited by: <strong>Arindrajit Basu</strong><br /><br /></p>
<h2 id="docs-internal-guid-df36a532-7fff-be8d-232e-dec7d8e393f5" style="text-align: justify;" dir="ltr">Introduction</h2>
<p style="text-align: justify;" dir="ltr">The Centre for Internet and Society is in the process of drafting certain data security standards for Fintech entities. As part of the process of drafting, a consultation roundtable was organized to get inputs from industry executives, lawyers and policy experts working in this field. Their industry knowledge and experience of dealing with these regulatory issues. The regulatory framework for data protection by Fintech entities is currently governed by the generic data protection laws of India enumerated in section 43A of the Information Technology Act, 2000, as well as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules) issued under it. The problem is that the SPDI Rules lack any specific protocols to be followed by Fintech entities, whereby they can satisfy their obligations under section 43A of the IT Act. </p>
<p style="text-align: justify;" dir="ltr">Thus there is a need for a concrete framework for information security which can be used by entities working in this space. The SPDI rules refer to ISO 27001 as one possible standard, but certification under it isn't economically feasible for most small businesses. The Draft Information Technology (Fintech Security Standards) Rules (“Fintech Rules”) being proposed by CIS are meant specifically to provide a mechanism for compliance to the smaller businesses in the fintech space. The schedule to the Draft fintech rules provides clear guidelines to be followed by a fintech entity to deem it to be in compliance with section 43A of the IT Act. As mentioned, the roundtable consultation was an effort to get inputs from independent sources including legal experts, academics and those working in the industry.</p>
<h3 style="text-align: justify;" dir="ltr">Session 1</h3>
<p style="text-align: justify;" dir="ltr">This session dealt with the need for these fin-tech rules and how they address the shortcomings in the law as mentioned above. The session started with the drafter giving a brief introduction on the scope and objective of these rules as well as their importance. Then they went ahead with the reading of the rules with discussion on every section. The drafter then explained the objective behind that section and the participants gave their inputs on it. The various concerns raised by the participants during the session are given below.</p>
<p style="text-align: justify;" dir="ltr"><strong>Scope of Data protected by the draft fintech rules</strong></p>
<p style="text-align: justify;" dir="ltr">The participants raised concerns that the draft Fintech Rules proposed by CIS only safeguard the confidentiality of sensitive personal data and information as defined in section 3(1) of the SPDI rules and not other data that may be in possession of a fintech entity. Thus they expressed a need to bring not just sensitive personal data within the ambit of these security standards but to expand the definition in the interest of data privacy of the users. It was clarified that though the review of the definition of sensitive personal data and information is outside the scope of the draft fintech rules, the drafters have tried to include a wider ambit of data under it, as Section 3(2) puts an obligation to also protect vital data and information. The drafters agreed to take this under review for future drafts.</p>
<p style="text-align: justify;" dir="ltr"><strong>Updation of the security standards</strong></p>
<p style="text-align: justify;" dir="ltr">The schedule to the fintech rules drafted by CIS provides information security practices which would provide reasonable levels of security from the currently known threats. But the threat environment is ever-changing, as thousands of new malware are created each day and malicious actors are looking for vulnerabilities in every security infrastructure. Thus, even though the information security practices are adequate in the present day, there is a real risk of them becoming obsolete very fast. To counter this risk, Section 3(2)[1] provides for updation of these security standards from time to time. A concern was thus raised at this juncture about there not being a fixed timeline for upgradation to a new standard by the fin-tech entities. Further, it was pointed out that there was no provision for a periodic audit and certification of the security practices, unlike the SPDI rules (Section 8(4)), which are meant to ensure government oversight on the fin-tech firms.</p>
<p style="text-align: justify;" dir="ltr">The drafters then explained that these rules are meant as a positive obligation for the fin-tech entities to adopt of their own free will so as to show compliance with “reasonable security practices and procedures” and thus limit their liability in case of an action under 43A of the IT Act. Thus oversight by the government through audits is excluded by design. Further, the individual companies have to decide on the time-frame for upgradation of their security practices based on the latest standards, when they think it is reasonable or expedient for them to do so based on their individual case.</p>
<p style="text-align: justify;" dir="ltr">Example: Say there were two security standards, one enacted in 2011 and the other in 2016. A fin-tech entity in 2019 has to decide which one of the two would be reasonable to comply with to ensure effective data security. The reasonableness would also depend upon the specific technologies used, the type of information the firm handles or the type of users they have, to name a few factors. Finally, it would be up to the court to decide whether a firm’s practice was reasonable or not based on the individual case of that fintech entity. This was opposed by the industry executives, as they wanted to have a fixed standard for compliance, since the interpretation of the court could later go either way when deciding the case. Further, the legal experts also favoured having fixed standards rather than one based on reasonableness. They felt that the courts would need an authoritative source and these rules could be that authoritative source for the courts to base their decisions on. This point was then taken under review for later drafts.</p>
<p style="text-align: justify;" dir="ltr"><strong>Miscellaneous</strong></p>
<p style="text-align: justify;" dir="ltr">A concern was raised about there being no timeline for reporting the breach to the user but only for reporting it to CERT. The drafter replied that the standard is “without undue delay”, which would, based on this input, be reviewed for later drafts. Another reason for not providing a firm time limit is so that fintech entities have the time to investigate the causes for the breach and are able to give a more complete picture to their customers when they are notified, so as not to cause undue panic amongst them. However, the drafters said that they would review this provision so that it is not misused.</p>
<p style="text-align: justify;" dir="ltr">A clarification was asked about the stage at which the rules became applicable (does this include beta testing as well?). The rules are extremely clear with their application being to any fintech entity handling sensitive personal data and information and thus would apply at all stages when any user data is used (including beta testing). </p>
<p style="text-align: justify;" dir="ltr">The participants also made suggestions with regards to introducing penalties and defining wrongful gain and wrongful loss in the specific context of data loss or misuse to bring more clarity on this issue.</p>
<p style="text-align: justify;" dir="ltr">The session came to a close with reiteration of the fact that these draft fintech rules are only an enabling provision to improve compliance rates by making it economically feasible for smaller fin-tech entities. This helps foster growth in a new and emerging field like fin-tech while also safeguarding user interests of privacy and data security.</p>
<h3 style="text-align: justify;" dir="ltr">Session 2</h3>
<p style="text-align: justify;" dir="ltr">Session 2 dealt with the schedule of the Draft fintech rules, which specified the actual technical requirements which the fin-tech entities would have to fulfil to comply with the rules. The session started with the drafters explaining how these rules would be less onerous on the fin-tech entities as compared to ISO standards. The Draft security standards have simpler technical guidelines that place a lower and less granular threshold of technical compliance on the fintech entity, in addition to not requiring external ISO certification, which comes with a prohibitively high financial cost. The session progressed with the drafter and the participants discussing each of the sections of the schedule. The concerns raised and the discussions following them are given below. </p>
<p style="text-align: justify;" dir="ltr"><strong>Limitation of scope to Information Security</strong></p>
<p style="text-align: justify;" dir="ltr">A clarification was asked for the reason for limiting the scope of the rules to only infosec and not the whole of cybersecurity. The drafters said that the rules specifically deal with compliance under section 43A of the IT Act, which penalises entities in case of negligence in handling of data. Security standards for information security were therefore thought to be adequate to fulfil this requirement, and cybersecurity was deemed to be out of the scope of these draft fintech rules.</p>
<p style="text-align: justify;" dir="ltr"><strong>Physical security compliance in case of Cloud storage</strong></p>
<p style="text-align: justify;" dir="ltr">A concern was raised with regards to the physical security requirement under the schedule. Fintech entities increasingly use commercial cloud storage providers for their data storage needs and are thus not in control of the physical premises where their data is stored, so they would be unable to comply with these requirements. After some discussion, the consensus reached was that the fintech entity would have to indirectly ensure compliance by only opting for reputed or properly certified cloud providers, but even in the case of a data breach on their end the fintech entity will have to prove in court that it wasn’t negligent in choosing the cloud provider. A recommendation was floated to include the phrase “where applicable” in the clause for physical safety, so that a fintech entity would be required to fulfil this obligation only when it has control over the physical infrastructure of its data storage systems. This recommendation was taken for review for later drafts.</p>
<p style="text-align: justify;" dir="ltr">Based on the recommendations of the industry executives, some parts of the schedule were omitted because the requirements under them were already fulfilled through the SPDI rules. For instance, rules relating to Migration controls, which deal with transfer of data from one system to another, were omitted as they were thought to have been adequately dealt with in the SPDI rules.</p>
<p style="text-align: justify;" dir="ltr"><strong>Maintenance of standardised logs</strong></p>
<p style="text-align: justify;" dir="ltr">Another concern was raised by the industry executives on the requirement of standardised log entries. They pointed out that in general logging is a good practice to ensure that unauthorized access or malicious activity can be traced, but the form of the logs would depend a lot on the system or the software one was using, and thus having a standardised log for such different systems would not be possible. This suggestion was taken under review for later drafts. Further concerns were raised about the time period for log retention, and the drafters decided that they would address this issue in later drafts. It was recommended that access logs as well as end-user logs also be included under this requirement, which was then flagged for review by the drafters.</p>
<p style="text-align: justify;" dir="ltr"><strong>Compliance with requirements for malware protection and wireless security </strong></p>
<p style="text-align: justify;" dir="ltr">With regards to the requirements for malware protection and wireless security, the industry experts felt that the rules were very specific and inapplicable to a lot of systems that people in different parts of the fintech industry use. They also were of the view that these practices would get outdated pretty soon. </p>
<p style="text-align: justify;" dir="ltr">They further pointed out that the compliance standards in the draft were impractical especially for fintech entities working in co-working spaces or decentralised networks as the fintech entity would not be in control of the network hardware. The drafters explained that the draft fintech rules could be updated from time to time to tackle these issues. Alternatively, it was suggested that for niche areas like wireless security and malware protection, the rules can refer to a widely accepted standard or practices in the tech industry (FIPS and OWASP guidelines for secure coding practices were given as examples). </p>
<p style="text-align: justify;" dir="ltr">A general consensus was reached that the guidelines should focus more on concepts/abstractions of security practices rather than the specific mechanisms. However, the specific security mechanisms were considered to have their own benefits in the form of crystallizing the steps required to be taken for compliance.</p>
<h3 style="text-align: justify;" dir="ltr">Conclusion</h3>
<p style="text-align: justify;" dir="ltr">The discussion was concluded with a note of thanks to all participants for their invaluable contribution to further the development of these security standards. The participants raised pertinent concerns about the structure as well as the framework of these rules and various parts of the draft, which were welcomed by the drafters, who flagged them for review for future versions. Furthermore, participants gave crucial inputs on the changing nature of the industry and the need to have a more principle-based approach to the technical framework. The discussion concluded on the consensus that there was a need for flexible guidelines which take into account the fast-changing nature of the fintech industry as a whole and the unique nature of work that any entity does under it, so as to not stifle growth but without compromising on the need for data security for the users of these services.</p>
<p style="text-align: justify;" dir="ltr">CIS will be circulating the draft guidelines publicly for wider stakeholder inputs.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/event-report-consultation-on-draft-information-technology-fintech-security-standards-rules'>http://editors.cis-india.org/internet-governance/blog/event-report-consultation-on-draft-information-technology-fintech-security-standards-rules</a>
</p>
No publisher | Anindya Kanan | Information Security, Financial Technology, Event Report | 2019-11-12T06:38:37Z | Blog Entry
Discussion at CyFy on Technology, Policy and National Security: Building 21st Century Curricula in India’s Law Schools
http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools
<b>Arindrajit Basu attended the session and gave comments on the course outline which included thoughts on:</b>
<ol>
<li>Threshold of technical knowledge-comparison with WTO law</li>
<li>Need for India-centric approaches both in domestic and foreign policy</li>
<li>Possibility of executive training of senior diplomats</li>
<li>Need to include fintech security in the syllabus</li>
<li>Necessity of international law as a tool of conflict</li>
<li>Sustained collaboration between think-tanks and universities</li>
</ol>
<p> </p>
<p style="text-align: justify; ">The event was organized by Centre for Communication Governance at National Law University Delhi and Observer Research Foundation at Villa Medici, Taj Mahal Hotel, Man Singh Road, New Delhi.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools'>http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance, Financial Technology | 2019-10-20T07:23:11Z | News Item
Regulating Bitcoin in India
http://editors.cis-india.org/internet-governance/blog/regulating-bitcoin-in-india
<b>The article discusses the possible contours of future bitcoin regulation in India. Bitcoin, often considered a ‘notorious’ virtual currency limited only to techies or speculators, is currently fighting a battle to become a bona fide mainstream means of exchange.</b>
<p style="text-align: justify; ">While most currencies in the real world have the backing of a central authority of some kind (such as a sovereign or a Central Bank) infusing them with an air of legitimacy, Bitcoin has no such central authority which issues or controls it. Additionally, the distributed and decentralised nature of the Bitcoin network makes regulation a tricky issue. This article seeks to touch upon the issue of Bitcoin regulation and makes certain broad suggestions for the future. It is a follow-up to a previous article by this author discussing the legal treatment of Bitcoin under Indian law, available at <a href="http://cis-india.org/internet-governance/bitcoin-legal-regulation-india">http://cis-india.org/internet-governance/bitcoin-legal-regulation-india</a>.</p>
<p style="text-align: justify; ">The Reserve Bank of India (<b>RBI</b>) has not exactly been shy in recognising and even regulating technological advances in the financial sector, as is evident from their detailed guidelines on Internet Banking,<a href="#_ftn1" name="_ftnref1">[1]</a> Prepaid Payment Instruments,<a href="#_ftn2" name="_ftnref2">[2]</a> Account Aggregator Regulations,<a href="#_ftn3" name="_ftnref3">[3]</a> and the consultation paper on proposed regulations for P2P lending platforms,<a href="#_ftn4" name="_ftnref4">[4]</a> etc. However, though the RBI has acknowledged the existence of Bitcoin (it issued a note cautioning the public against dealing in virtual currencies including Bitcoin way back in 2013<a href="#_ftn5" name="_ftnref5">[5]</a> and again in 2017<a href="#_ftn6" name="_ftnref6">[6]</a>), there have been no clear guidelines regarding the same. Nevertheless, Bitcoin has come a long way since its inception and a consensus is emerging amongst the more technically inclined individuals that Bitcoin is in fact here to stay.</p>
<p style="text-align: justify; ">Even if a sceptical view is taken that Bitcoin may not last for a long time, that does not mean that regulation is useless as there is already a large amount of money invested in Bitcoin entities in India and Bitcoin exchanges seem to be betting big on this sector really taking off - especially in the backdrop of the government’s recent push towards a more digital and less cash dependent economy.</p>
<p style="text-align: justify; ">While the Indian government is trying to hard sell the idea of digital payments, primarily using existing banking channels as well as the relatively new National Payments Corporation of India (<b>NPCI</b>) and the various applications that are cropping up around the NPCI’s UPI platform, one must note that going digital could involve high administrative costs. These costs are typically charged by banks and intermediary merchants, and may not be palatable to all stakeholders, as was evident in the recent fracas between petrol pump owners and banks over proposed transactional charges on card payments.<a href="#_ftn7" name="_ftnref7">[7]</a></p>
<p style="text-align: justify; ">It is this vacuum that alternatives such as prepaid payment instruments and virtual currencies can fill while addressing the concern of high administrative charges, which is likely to be a major hurdle in going digital. Administrative charges for most of these instruments are significantly lower than what existing payment channels charge for digital transactions.<a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; "><b>Legality of Bitcoin and the need for Regulation</b></p>
<p style="text-align: justify; ">Bitcoin technology is being widely embraced all over the world, including neighbouring China which has become one of the biggest markets for the uniquely decentralised currency. However the biggest hurdle that Bitcoin enthusiasts see in mainstreaming this technology is the fact that most countries are treading too cautiously around Bitcoin and therefore do not have regulation governing them.</p>
<p style="text-align: justify; ">The creation and transfer of Bitcoin is based on an open source cryptographic protocol and is not managed by any central authority.<a href="#_ftn9" name="_ftnref9">[9]</a> It is the decentralized nature of this virtual currency that makes regulation a major challenge. This does not mean that regulators are not capable of regulating Bitcoin; in fact, attempts have been made in several jurisdictions, but these are mostly in the discussion stage. For example, the Washington Department of Financial Institutions (“DFI”) introduced a bill in December, 2016 which proposes amendments to certain portions of the Washington Uniform Money Services Act and includes provisions specific to digital currencies;<a href="#_ftn10" name="_ftnref10">[10]</a> the U.S. District Court for the Southern District of New York has in a decision in September, 2016 taken the view that Bitcoin is money under the plain meaning of Section 1960, the federal money transmission statute.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; ">This article does not intend to undertake a discussion on how Bitcoin is dealt with in various jurisdictions, but instead is aimed at suggesting a possible way forward for Indian regulators to regulate Bitcoin in a manner that satisfies the regulatory zeal towards security as well as ensures that the technology does not get stifled through overregulation. It is important that the regulators create a balanced regulation because an impractical ecosystem for Bitcoin exchanges and their users may lead to traders seeking alternative methods of purchasing Bitcoin such as P2P trading, over-the-counter (OTC) markets and underground trading platforms, which are significantly more difficult to regulate.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<p style="text-align: justify; "><b>Suggestions for Regulation</b></p>
<p style="text-align: justify; ">Since Bitcoin is a decentralised cryptocurrency, it is impossible to regulate it through one single centralised point for all transactions. Neither is it feasible to regulate each and every Bitcoin user. A pragmatic compromise between these two extremes could be to regulate the points at which fiat currency or valuable goods enter the Bitcoin system, i.e. the Bitcoin exchanges where people may buy and sell Bitcoin for actual real world money, or websites which offer Bitcoin as a means of payment. Such an approach would reduce the number of points of supervision and lead to effective enforcement of the regulations. The regulations may require any entity providing services such as buying and selling of Bitcoin for actual money, trading in Bitcoin (such as non-cash exchanges) or providing other Bitcoin related services (such as Bitcoin wallets, merchant gateways, remittance facilities, etc.) to be registered with a central government agency, preferably the Reserve Bank of India.</p>
<p style="text-align: justify; ">One legal issue regarding the regulation of companies transacting in Bitcoin is whether the RBI has the authority or jurisdiction to regulate Bitcoin in the first place. Without getting into the arguments regarding whether it is a dangerous trend or not, an easy way in which the RBI could ensure it has the authority to regulate Bitcoin would be to follow the path that the RBI adopted while regulating Account Aggregators under the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 wherein the RBI declared Account Aggregators as Non Banking Finance Companies under section 45-I(f)(iii) thereby getting the authority to regulate and supervise them under section 45JA of the Reserve Bank of India Act, 1934.</p>
<p style="text-align: justify; ">The Regulations, once issued by the Reserve Bank of India, can prescribe mandatory registration, capital adequacy provisions, corporate governance conditions, minimum security protocols, Know Your Customer (KYC) requirements and most importantly provide for regular and ongoing reporting requirements as well as supervision of the Reserve Bank of India over the activities of Bitcoin companies.</p>
<p style="text-align: justify; ">Any proposed Bitcoin regulatory framework would seek to address certain issues; for the purposes of this article, we will assume that the following three issues are the ones that must necessarily be addressed by a regulatory framework:</p>
<ul style="text-align: justify; ">
<li>Security of the consumer’s property and prevention of fraud on the consumer. In the technology sector this translates into specific emphasis on increased security (against hacking) for accounts that the consumers maintain with the service provider.</li>
<li>India has robust exchange control laws and the inherently decentralised and digital nature of Bitcoin can enable transfer of value from one jurisdiction to another without any oversight by a central agency, potentially violating the exchange control laws of India.</li>
<li>Bitcoin has for long been associated with criminal and nefarious activities; in fact, many believe that the famous black market website “Silk Road” played a big role in making Bitcoin famous.<a href="#_ftn13" name="_ftnref13">[13]</a> Preventing Bitcoin from being used for illegal activities (or creating a mechanism to ensure a digital trail to help investigations post facto) would therefore be a major issue that the regulations would seek to tackle.</li>
</ul>
<p style="text-align: justify; ">Given the above assumptions, let us examine whether the Regulations suggested above can satisfactorily address the concerns of security of consumers, exchange control, and keeping a tab on criminal activities.</p>
<p style="text-align: justify; ">If the regulations provide for minimum capital adequacy requirements as well as registration by the RBI or some other central agency, then the chances of consumers being duped by “fly-by-night” operators would be significantly reduced. The Regulations can also provide for minimum security protocols to be maintained by the companies, which protocols can themselves be developed in concert with Bitcoin experts. Critics may point to the hacking of various Bitcoin exchanges in the recent past, including that of MtGox, in which Bitcoin worth millions of dollars were siphoned off, and argue that the security protocols may not be enough to prevent future instances of hacking. But that is true even for the current security protocols for online banking; and that has not prevented a large number of banks from providing online banking facilities and the RBI regulating the same. The other vital issue that legally mandated security protocols would address (and potentially solve) is the issue of liability in case of hackings. Regulations may provide clarity on this issue and protect innocent customers from negligent companies while at the same time protecting entrepreneurs by defining and limiting the liability for <i>bona fide</i> and vigilant companies.</p>
<p style="text-align: justify; ">The other issue that may be of major concern to the authorities is exchange control. India has extremely specific exchange control laws, and if any person in India wants to transfer any amount to any person overseas, the only legal way to do so is through a bank transfer, which requires filling paperwork giving the reason for the transfer (although the RBI and banks usually don’t ask for any proof for small amounts up to a few lakhs). This means that all transfers outside India are done through proper banking channels and are therefore under the supervision of the RBI. However, the decentralised nature of Bitcoin enables individuals to transfer money outside the borders of India without going through any banking channels and hence stay completely outside the purview of the RBI’s supervision. Such a system, which lets users transfer money beyond national borders outside legal banking channels, could be easily misused by nefarious actors, and this is exactly what happened as international drug cartels turned to Bitcoin and other digital currencies to move their ill-gotten wealth beyond the borders of various countries.<a href="#_ftn14" name="_ftnref14">[14]</a> Regulating the entities which provide Bitcoin wallets and Bitcoin exchanges will ensure that the RBI can exercise its supervisory jurisdiction over Bitcoin transactions of individual customers even though these transactions do not go through the regular banking channels. The Regulations could impose an obligation on the companies to provide information on any suspicious activities or provide greater information about accounts which see very high volumes, etc. to ensure that Bitcoin is not used to finance organised crime. Thus, the regulations could have provisions that would require the companies providing the Bitcoin wallets or exchanges to flag and monitor customers whose trading accounts or Bitcoin wallets have transactions of an amount greater than a specified limit.
This would provide the RBI with the ability to enquire as to the reasons for such high volumes and weed out illegal transactions while at the same time allowing bona fide transactions to continue.</p>
<p style="text-align: justify; ">Very closely linked to the issue of exchange control and supervision of transactions is the issue of checking the furtherance of criminal activities using the apparent anonymity offered by Bitcoin. However if the RBI has regulatory oversight over all the Bitcoin companies that are operating in India, then it would be possible for it to keep an eye on most Bitcoin transactions in India as long as the wallet that originates or terminates the transaction has been provided by a Bitcoin service provider located in India. An argument may be made that a criminal may use the services of Bitcoin wallet services provided by companies outside India and therefore outside the purview of the RBI and its regulations. However this argument may not be as plausible as it may seem at first look; if we assume that for any criminal activity the ultimate goal is to get the money in the form of recognizable legal tender (preferably cash or money in a bank account) then it stands to reason that the Bitcoin in the wallet would be exchanged for currency at some point or the other in the chain, which can only be done through a Bitcoin exchange if the transaction is of a fairly high value (which most criminal transactions are) and these exchanges as well as the accounts maintained by them will be under the purview of the RBI, thus providing the law enforcement agencies with the final link in the chain of transactions. Further, the public nature of the blockchain (the ledger where each Bitcoin trade is registered and verified) also makes it possible for the enforcement agencies to follow the trail of money for each and every Bitcoin or part thereof.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">From the discussion above, we see that the major arguments that have been given by sceptics regarding Bitcoin and its attractiveness to criminals due to its decentralised nature are actually not very viable on a closer look. Bitcoin and the blockchain technology are extremely important steps in the direction of better and more efficient financial transactions in the global economy, which is why a number of mainstream banks are also showing a keen interest in the blockchain technology.<a href="#_ftn15" name="_ftnref15">[15]</a> Regulations governing Bitcoin or virtual currencies would clear the air regarding their legal status so that consumers as well as entrepreneurs and investors can invest more money in this technology which could potentially change the way financial transactions are carried out across jurisdictions.</p>
<hr />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0">https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414&Mode=0</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="https://rbi.org.in/scripts/NotificationUser.aspx?Id=10799&Mode=0">https://rbi.org.in/scripts/NotificationUser.aspx?Id=10799&Mode=0</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> <a href="https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=10598">https://www.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=10598</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> <a href="https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf">https://rbidocs.rbi.org.in/rdocs/content/pdfs/CPERR280416.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> <a href="https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=30247">https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=30247</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> <a href="https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=39435">https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=39435</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> <a href="http://timesofindia.indiatimes.com/business/india-business/petrol-pumps-wont-accept-cards-from-monday-to-protest-banks-transaction-fee/articleshow/56402253.cms">http://timesofindia.indiatimes.com/business/india-business/petrol-pumps-wont-accept-cards-from-monday-to-protest-banks-transaction-fee/articleshow/56402253.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> For example, currently the network fee for a person to person Bitcoin transfer is 0.0001 Bitcoin, which comes to roughly Rs. 6 per transaction irrespective of the amount involved.</p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> The processing of Bitcoin transactions is secured by servers called Bitcoin “miners”. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peer filesharing technology, also known as the “blockchain”. The integrity and chronological order of the blockchain is enforced with cryptography. In addition to archiving transactions, each new ledger update creates some newly-minted Bitcoins.</p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> <a href="https://www.virtualcurrencyreport.com/2017/01/washington-department-of-financial-institutions-proposes-virtual-currency-regulation/">https://www.virtualcurrencyreport.com/2017/01/washington-department-of-financial-institutions-proposes-virtual-currency-regulation/</a></p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> <a href="https://www.virtualcurrencyreport.com/2016/09/sdny-opinion-re-bitcoin/">https://www.virtualcurrencyreport.com/2016/09/sdny-opinion-re-bitcoin/</a>. For a discussion on how different States and agencies in the United States deal with Bitcoin, please see Misha Tsukerman, “THE BLOCK IS HOT: A SURVEY OF THE STATE OF BITCOIN REGULATION AND SUGGESTIONS FOR THE FUTURE”, Berkeley Technology Law Journal, Vol. 30:385, 2015, p. 1127, available at <a href="http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2084&context=btlj">http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2084&context=btlj</a>.</p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> <a href="http://themerkle.com/why-china-isnt-interested-in-banning-bitcoin-importance-of-regulation/">http://themerkle.com/why-china-isnt-interested-in-banning-bitcoin-importance-of-regulation/</a></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> See generally, Nathaniel Popper, “Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money”, Harper Collins, 2015.</p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> <a href="https://www.bloomberg.com/view/articles/2013-11-18/are-bitcoins-the-criminal-s-best-friend-">https://www.bloomberg.com/view/articles/2013-11-18/are-bitcoins-the-criminal-s-best-friend-</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> <a href="http://www.morganstanley.com/ideas/big-banks-try-to-harness-blockchain">http://www.morganstanley.com/ideas/big-banks-try-to-harness-blockchain</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/regulating-bitcoin-in-india'>http://editors.cis-india.org/internet-governance/blog/regulating-bitcoin-in-india</a>
</p>
No publisher | vipul | Financial Technology, Digital Payment, Bitcoin, Internet Governance, Digital India, Virtual Currencies | 2017-04-20T13:17:37Z | Blog Entry
50p and Digital Payments Masterclass Learning - CIS
http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis
<b>Sunil Abraham, Saikat Dutta and Udbhav Tiwari from the CIS team attended 50p on the 24 and 25 of January 2017 in Bangalore, India. We had the following learnings from the event, which will shape our work in the digital finance and payments space in the future. </b>
<p style="text-align: justify;" dir="ltr"> </p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Historical Developments of Digital Payments Regulation in India - The historical development of the digital payments ecosystem in India started with mobile/SMS banking around 2004, focusing mostly on high-end consumers. The widely varying implementations across banks led to the RBI taking an active regulatory approach, beginning with the introduction of compulsory two factor authentication in the form of mandatory PIN usage for credit and debit cards. This move helped secure “card not present” (CNP) transactions, which in turn allowed e-commerce, online streaming services and other digital services to rapidly gain customers. This serves as an example of how simple, targeted and uniformly imposed regulations can help secure widely used digital payment modes, securing customers while expanding opportunities for businesses. The Watal Committee report has also stressed how the industry and consumers alike, in the medium term, will benefit from focused sectoral regulation for the FinTech industry.</p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> </p>
<ol start="2"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Expansion in the Modern Digital Payments Industry - The digital payments industry has expanded from having three main stakeholders (banks, card issuing agencies and customers) in the mid 2000s to over eight distinct entities who take part in the same payments chain. These include Digital Wallet Providers, Payment Gateways, Payment Processors, Ticketing or Payment Service Providers, and Billers, all of which operate with millions of transactions per day. This not only increases the potential attack surface for possible attempts at compromising them but also makes governance under traditional banking regulations difficult for the regulatory authority. The introduction of BBPS (Bharat Bill Pay System) to integrate the thousands of local utility bill payment systems in India into one centrally administered programme is just one example of the vast amounts of data being generated (and integrated) by the digital payments industry. Therefore, the need for unique FinTech regulations and standards (maybe even a regulator) to handle this rapidly expanding and critical industry is quite strong in the booming space in India.</p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> </p>
<ol start="3"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">UPI - The Unified Payments Interface (UPI) is a set of standards that allows a single application to connect to and control multiple bank accounts (of participating banks), letting users access several banking services such as funds transfer (P2P), merchant payments, etc. It was initially launched in August 2016 with support from 16 banks and is gaining rapid acceptance among users, businesses and payment providers alike. While built on the same technological underpinnings as the IMPS system, the UPI standard allows a wide variety of data, including credit scores, Aadhaar numbers and geographical location, to be transmitted. While the standard itself seems reasonably secure, its diverse and closed-source implementations carry the usual closed-source development risks around security and unresolved bugs. It is expected to become the most widely used digital transaction protocol in India and the backbone of the FinTech industry due to its interoperability and regulatory acceptance. A set of security guidelines and practices that allow for a uniform, secure and auditable implementation of the UPI standard, as well as its operational usage, will aid in faster and more secure development of the standard while simultaneously protecting consumer interest.</p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> </p>
<ol start="4"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Need for Consumer Advocacy - The need to educate consumers about the technical operations of the digital payments industry, best practices to maximise user-facing security and strategies for effective dispute redressal was tagged as a key focus area by various groups. The inadequacy of the Consumer Protection Act to deal with the labyrinth of digital payments and the relative lack of liability and breach notification laws (especially in the non-banking finance companies sector) have led bargaining power in consumer contracts to fall in favour of the digital payments industry. While initiatives such as Cashless Consumer are attempting to rectify this, sustained and well-planned initiatives implemented in a diverse and multi-lingual manner will be needed to keep up with the rapid pace of expansion in the industry and its burgeoning user base. Incidental benefits of such programmes (an increase in the demand for data protection and privacy-aware practices) will also serve to further consumer interest in a manner that will have a positive impact outside the FinTech industry.</p>
</li></ol>
<p style="text-align: justify;" dir="ltr"> </p>
<ol start="5"><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">USSD - The recent push towards USSD-based banking, which allows banking transactions to be carried out using feature phones, has led to various concerns regarding its security, reliability and implementation. The varying levels of GSM encryption across providers in India, the lack of open standards (such as HTTPS for Internet Banking) that allow consumers to verify security, and the rapid but untested implementation by most banks have led some players to raise doubts about the possible exploitation of the particularly vulnerable section of users that will use USSD banking. Multiple stakeholders expressed the need for a detailed investigation into current practices, open and auditable standards unique to USSD banking in India, and regulations that mandate a minimum level of compliance.</p>
</li></ol>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis'>http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis</a>
</p>
No publisher | Udbhav Tiwari | Financial Technology, Digital Payment, Banking, Bitcoin, Digital Money, Cyber Security | 2017-06-15T12:29:52Z | Blog Entry
Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)
http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017
<b>The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.</b>
<p> </p>
<p><em>Cross-posted from <a href="https://letstalkfinancialaccountability.wordpress.com/2017/01/20/understanding-financial-technology-cashless-india-forced-digitalisation/">Centre for Financial Accountability</a>.</em></p>
<hr />
<h2>Programme Schedule</h2>
<h4>09:30 - Registration</h4>
<h4>10:00 - Introduction to the Seminar & Setting the Context</h4>
<p>Madhuresh Kumar, National Alliance of People’s Movements</p>
<h4>10:15–11:30 - Session 1 - Understanding the Political Context of FinTech</h4>
<p>B P Mathur, Former Dy CAG</p>
<p>Prabir Purkayastha, Free Software Movement of India and Knowledge Commons</p>
<p>C P Chandrasekhar, Centre for Economic Studies and Planning, JNU</p>
<h4>11:30-11:45 – Tea / Coffee break</h4>
<h4>11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?</h4>
<p>Ashim Roy, New Trade Union of India</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Ravinder Gupta, General Secretary, State Bank of India Officers Association</p>
<h4>13:15-14:00 – Lunch</h4>
<h4>14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech</h4>
<p>Indira Rajaraman, Former Director, RBI</p>
<p>Tony Joseph, Sr. Journalist</p>
<h4>15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc</h4>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Gopal Krishna, ToxicsWatch</p>
<h4>17:00 – Tea</h4>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017'>http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017</a>
</p>
No publisher | sumandro | Unified Payments Interface, Financial Technology, Digital ID, Big Data, Digital Economy, UID, Internet Governance, Digital India, Aadhaar, Financial Inclusion, Biometrics, Digital Payment | 2017-01-23T13:17:19Z | Blog Entry
CFI-ACCION - Panel Discussion on 'Big Data: Challenge or Opportunity?' (Delhi, December 06)
http://editors.cis-india.org/internet-governance/news/cfi-accion-panel-discussion-on-big-data-delhi-dec-06
<b>The Centre for Financial Inclusion of ACCION International is organising a panel discussion on "Big Data: Challenge or Opportunity?" as an associated event of the Inclusive Finance India Summit 2016, Hotel Ashok, Delhi, December 05-06. The discussion will be held at 12:30 on Tuesday, December 06. It will be moderated by Amy Jensen Mowl, CFI Fellow at IFMR, and M.S. Sriram, Distinguished Fellow at the Institute for Development of Research in Banking Technology. Sumandro Chattapadhyay will participate as a panelist.</b>
<p> </p>
<h4>Inclusive Finance India Summit: <a href="http://inclusivefinanceindia.org/">http://inclusivefinanceindia.org/</a>.</h4>
<hr />
<img src="https://github.com/cis-india/website/raw/master/img/CFI-ACCION_Discussion-Poster_20161206.jpg" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cfi-accion-panel-discussion-on-big-data-delhi-dec-06'>http://editors.cis-india.org/internet-governance/news/cfi-accion-panel-discussion-on-big-data-delhi-dec-06</a>
</p>
No publisher | sumandro | Financial Technology, Big Data, Data Systems, Big Data for Development, Financial Inclusion, Researchers at Work | 2019-03-16T04:41:52Z | Blog Entry