Simplified Control Mapping Need Of Hour For Fintechs In India: Aayush Ghosh Choudhary

With the help of information security, safety and privacy of critical data like financial data or intellectual property can be ensured.

In January 2023, the Reserve Bank of India laid down its rules for the NBFC sector, including maintenance of records, returns, and filings under the Prevention of Money Laundering Act, 2002, Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and RBI Guidelines on Fair Practices Code for NBFCs, among others.

Apart from this, in April, the corporate affairs ministry piloted the IT-heavy architecture designed to streamline compliance management for limited liability partnerships. It said that with this, over 260,000 active LLPs will soon start receiving auto-generated alerts and emails for default and missed deadlines.

With issues like information security, compliance management, regulatory burden and regulatory fines becoming acronym fatigue for firms, information security company Scrut Automation recently launched ReguSense – a platform that will provide information security solutions to startups, especially fintechs.

Speaking with Mint, CEO and Co-founder Aayush Ghosh Choudhary claimed it's ‘ReguSense’ would significantly reduce fintech's effort by 60-70% to sort out issues related to compliance management. Edited excerpts:

1) What is the first thing that clicks you when you hear the word compliance management?

Aayush: I am talking about compliance in the context of information security. At the highest level, what takes in is the acronym fatigue, and why do I say so because today when you look at companies across the globe, there are so many privacy laws. Then there are security standards like SOC2, ISO 27001 or like PCIDSS. RBI in India has mandated payments, as well as insuretech and transaction companies have to comply with a lot of system audit reports (SAR) audits around tokenization, localisations etc. This means that across all these standards and laws, there are common controls, there are intersecting controls, which are effectively the same control, but articulated differently. So how do you minimise that fatigue, and that is one of the biggest problem in compliance today.

2) What's your take on the compliance obligations for firms, especially when it's often discussed in relation to the numbers of regulations, regulatory fines, its automation and costs.

Aayush: In terms of regulatory burden to comply with the frameworks, the regulatory burden has increased over the couple of years and it continues to grow. Earlier there were the base standards like ISO 27001 or a SOC2 that would suffice, then we started having vertical specific standards like PCIDSS and within PCIDSS also there are 3 or 4 different variants that have come in and, recently RBI has mandated fintech companies in India for example to comply with SARs. And they also have their different variants – data localisation, tokenization, etc, all of these are different. So the regulatory burden around complying with these controls is increasing, and for good reasons by the way.

Because the volume or the pace at which fintech companies have grown in APAC and specifically in India, security controls need to keep pace with it. And creating the right set of regulatory guard is absolutely important as that's the most sensitive kind of data being handled. So for good reasons these standards have existed, but complaince burden is definitely increased. And that has also increased the cost of complaince because you have to manage multiple artefacts, teams have to be put in place which are the GRC teams across these companies. You will have to pay more for carrying out audit every year.

ALSO READ: Centre readies automated compliance system for LLPs

However, you can't do away with the audit cost because that's the necessary cost that you need to go through. You will have to pay the auditor. But you can definately avoid is having a bloated team which is a reactionary measure to having to comply with multiple stand. And you can actually save on 60-70% manual effort if done right.

3) How aware are the firms that reach you in relations with compliance management? And what are the basic issues they discuss?

Aayush: The regulations apply to all companies irrespective of the size, whether you hold less data or more data it doesn't matter. Smaller companies – 20-25 employees, less than 50 employees – typically have a poor security baseline. They haven't got started with their infosec controls and the level of awareness typically for compliance standards is also fairly low. While, for mid-market enterprise customer like Cashfree for example, we see a very high degree of savviness in terms of understanding information security, understanding what compliance means. Summarily, we see a significant variation in terms of both the security baseline as well as level of awareness around the compliance standards depending on the size and maturity of the company.

4) In January 2023, RBI specifically laid down its rules for the NBFC sector. The government also said over 260,000 active LLPs will soon start receiving auto-generated alerts and emails for default and missed deadlines. How much of it will help?

Aayush: So there are two consequences to this kind of a significant increase of compliance overhead. The intent from RBI is very welcome, it is very right because the companies need to feel the heat around managing the data properly.

The point I'm trying to make is that it has created significant amount of fragmentation within the companies in terms how they manage infosec controls. And RBI is placing enough guardrails to ensure that the reports go through a very stringent quality control check. We have seen several companies submitting SAR reports (for example) and getting follow-up questions from RBI – twice or thrice – before the report is being accepted. I think RBI has done a fairly good job of maintaining a high bar of the quality of reports are like and weeding out the potential not so great auditors out there. We would very heavily service that the situation is going to become more aggressive, given the pace at which fintech and financial services are going in India.

ALSO READ: NBFCs struggle to manage compliance obligations. Here's a guideline to get rid of it

5) Are RBI regulations too strict?

Aayush: No. We believe its just right. If you look at the kinds of controls they mandate, they are pretty much in line with the best of infosec (information security) standards out there.

6) Your firm (Scrut Automation) is launching 'ReguSense' and even claiming it to be a game changer for corporations in compliance management. What is it, how can it be a game changer and why should firms trust you on this?

Aayush: If you look at the most common RBI requirements, the controls per se are very similar to what you would find in a combination of, lets say ISO 27001 or GDPR or ISO 27017, ISO 27018 or PCIDSS for that matter. Lets say SAR data localization, SAR tokenisation, SAR payment aggregator, SAR payment gateway, SAR PPI audit, if you look at cumulation of all these, the controls would be very similar to what you will find if you are to implement ISO 27001, particularly the latest one ISO 27001-2022. But then the audits and filings have to be done separately, which means companies have to end up duplicating effort in trying to implement the same control but articulated differently across to different standards. This leads to lot of fatigue, duplication of efforts, either teams being bloated to manage that additional paper work or it leads to a situation where companies have to spend a lot of money to work with external consultants.

We are doing it (through ReguSense), essentially is what is important for you as a fintech company – particularly in India – is to have a hygiene security environment and we are trying to create one.

Why we are calling this (ReguSense) a game changer as we will do in turn is make sure that the controls are mapped to the relevant standards in the backend. So on a day to day basis, you (fintech company CSO, or VP of inforsec) don't have to worry about the articulations of controls within those multiple frameworks. You essentially have to go through one audit that makes you satisfy requirements across multiple frameworks. And that significantly reduces your effort by 60-70%. You can have a smaller team, a lot less to observe or monitor.

7) Are you too early or too late in launching 'ReguSense'?

Aayush: From a timing perspective, I would consider ourselves to be exactly at the right time.