Financial RegTech Newsletter
September 2019
Financial RegTech Newsletter - September 2019 2 PwC
Data privacy -
Ramifications on your operating model
Over the past few years, data privacy has been in the limelight due to the emergence of data regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) across the world. In 2018, India joined the data privacy consortium by releasing the first draft of an Indian data privacy law, titled The Personal Data Protection Bill, 2018.1 As per the proposed draft, every organisation is mandated to obtain consent from data principals for the processing of personal data, under reasonable circumstances. The bill also has provisions for taking stringent action against the unauthorised collection and processing of sensitive personal information of Indian citizens by Indian or foreign firms for business purposes. This means that organisations must be accountable for data flow management across their systems. The regulations will help in building trust among different stakeholders, which include data principals, data fiduciaries, data processors, regulatory authorities and the government.
In this article, we will cover the key highlights of the draft bill and major areas of concern which need to be addressed by an organisation.
1. https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
Key takeaways from the bill
The primary objective of the data protection bill is to give back citizens control of their personal data.
To enforce the provisions proposed in the bill, tough penalties have been incorporated. Organisations flouting the regulations can be fined up to 2–4% of their total worldwide turnover or INR 5-15 crores, whichever is greater. The bill also classifies a data fiduciary as “significant” based on the volume of personal data the fiduciary possesses, the sensitivity of the personal data processed and its turnover. Other factors that can cause potential harm to any data principal because of processing may also classify the data fiduciary as significant. The following are a few actions an organisation needs to consider while processing personal data:
Grounds of processing personal data without consent
Personal data may be processed without the consent of the data principal only on specific grounds: employment, compliance with the law or an order of court, purposes of the state, situations where processing of personal data is necessary for prompt action, and reasonable purposes.
Data audits
If an organisation is defined as a significant data
Data protection officer (DPO)
Every organisation must appoint a DPO, as per the data processing activity of the organisation.
Guardian data fiduciary
Fiduciaries notified as guardian data fiduciaries should be barred from profiling, tracking, behavioural monitoring or targeted advertising directed at children.
Expansion in definition of personal data
The definition of sensitive personal data, under the draft Personal Data Protection Bill, 2018 has been expanded to include intersex status, in addition to caste or tribe, religious beliefs, passwords, financial data and political beliefs.
The bill defines a new category of data called ‘critical data’, which must be stored only in India.
Data localisation
Data fiduciaries will need to store in India at least one copy of the personal data they acquire from data principals.
Data breach management
The draft bill mandates that data fiduciaries inform the Data Protection Authority (DPA) of any personal data breach that is likely to cause harm to any data principal. Failure to notify the data principal about a breach will make the organisation liable to penalties under the provisions of this bill.
Challenges faced by the industry
Organisations in India are already plagued with serious challenges in managing personal data. With the introduction of the new privacy bill, they will need to adopt new technologies to accommodate the shift in data flow, for transparency and trust. The way organisations secure personal data needs to undergo radical changes. The process needs to be overseen by a DPO in the form of audit trails, to ensure that it is compliant with the regulations.
Organisations also need to re-engineer their privacy governance by incorporating privacy by design and subsequently build a trust-based environment.
How organisations can be compliant
Knowing the location of and identifying the data held
Building trust by transparency with customers
Using data ethically and managing new technologies
Securing personal data
Bringing a cultural shift in organisations dealing with data
Organisations now need to adopt a multi-pronged approach to address the pertinent data protection requirements, as pointed out in the bill. They need to align their strategy, current systems and operations to be compliant with the proposed law. The details of this multi-pronged approach are covered in the following three phases:
Strategy and assessment
Organisations should assess their collection and utilisation of data through various lenses of privacy, which will lead to development of customised solutions.
• Privacy awareness: Workshops on data privacy and regulations are to be conducted to create awareness in the organisation, which can be followed by learning sessions and employees completing e-learning modules on data privacy.
• Creation of privacy strategy: Organisations must develop a roadmap to execute the data privacy regulations, based on the structure of the organisation. The roles and responsibilities of the different personas responsible for handling data in an organisation should be classified, based on data ownership and accountability.
• Privacy discovery inventory: The flow of personal data across an organisation has to be channelised using a privacy framework. This requires personal data discovery, classification, data-flow mapping, inventory cataloguing and purpose categorisation.
• Legal and contractual privacy alignment: Legal obligations in data privacy are to be taken care of by managing the contracts for third-party data transfers. Data retention, archival and storage policies and data-sharing control rules are to be strategised as per the requirements of data privacy laws.
Design and build
Once the strategy and framework for privacy are identified and designed, they need to be implemented through changes in technology, people and process.
• Privacy protection and security: Organisations should implement data protection techniques like tokenisation, anonymisation and pseudonymisation to protect personal information in the possession of a data fiduciary.
• Privacy life-cycle governance: Information life cycle management is a pre-requisite to maintain transparency in the data flowing across an organisation. Various measures are to be adopted to maintain data privacy, from data collection, processing, storage, archival, retention and sharing to data deletion, through data profiling and designing a compatible interface for user experience.
• Privacy rights and consent management: Organisations need to build a consent management system for dealing with data, by including various sub-systems, like identification and verification services, a grievance handling system and principal data request handling modules.
• Privacy breach and notification: A privacy breach must be notified to the data principal, and it is the responsibility of the data fiduciary to design a breach management service by incorporating reporting and notification services.
Operate and assure
After designing and building a suitable privacy management system, it is imperative to assure that there is adequate room for data privacy management across all levels.
• Continuous privacy evaluation: By incorporating privacy maturity assessments in the different sub-units of an organisation, the privacy of data can be evaluated and measured. This can be done using various techniques like global privacy compliance assessment, data protection impact assessment (DPIA) and risk management.
• Privacy assurance: The next step after privacy evaluation is to rectify flaws and loopholes. This can be done by conducting data localisation audits, privacy audits and vendor audits. Audit results are used to generate data trust maturity scores for each unit in an organisation.
• Privacy by design: Organisations must include the ‘privacy by design’ principle in all the products they build, the websites through which they connect with users and the different platforms through which users connect to an organisation’s technology systems.
• Privacy as a support: Organisations can also outsource privacy services by consulting data protection officers for privacy management, and enhance operational governance through support services and external privacy stewardship programmes.
Lessons learnt from GDPR compliance
A data privacy law has recently been implemented in the European Union, which gives us an opportunity to learn from that experience and speed up the process of adopting adequate data security measures. Leveraging the knowledge of GDPR adoption in the EU will also help in the smooth implementation of several provisions of the data protection bill. The following are the key lessons from the data privacy law implemented in the EU:
C-level endorsement for privacy
The involvement of C-level executives in establishing data privacy compliance is mandatory from both an organisational and a regulatory perspective. Such executives have a top view of the organisational framework, with a clear idea about stakeholder involvement. They can provide a holistic view of the necessity of data privacy by establishing connections with the organisation’s technical, advisory and regulatory departments.
Establishing a strong framework for data privacy
Many organisations have designed a centralised multi-layer framework for GDPR compliance. The framework provides a standard platform for the privacy network to establish connections between the different layers of the organisation. It emphasises the importance of transparency and accountability of data through a single integrated system.
Collaborative environment with prime focus on communication
A centralised network requires the involvement of stakeholders at all levels to establish proper communication so that the common goal of data privacy can be achieved. By adhering to data privacy compliance, firms have set a standard communication protocol to become pro-active with data privacy and enhance the current eco-system to become more compliant.
Build a privacy culture within the organisation
A privacy culture in an organisation can be implemented by identifying all stakeholders involved in data privacy across all the sub-units of the organisation and training them. Categorising each user under different privacy personas can help organisations move one step closer to privacy compliance.
Conclusion
Once the Personal Data Protection Bill is approved by the legislature, it would be mandatory for organisations to have more accountability on data protection. Each stakeholder of an organisation would be responsible for compliance with data privacy regulations.
Instead of looking at this privacy bill as a setback or another regulatory hindrance, organisations should make the most of this opportunity to evolve and be more efficient in handling data. For example, to be compliant with the proposed regulation, creating data lineage for personally identifiable information (PII) data is a requirement, and so is the collection and storage of the consent of data principals. This information can be used to grow businesses by making analytical and segmentation models more effective. The consent collected can help provide insights to identify and target prospective customers more accurately, thereby increasing the probability of converting potential leads. Having well-defined consent management and secure data management systems would create an environment of trust among customers. Having such systems in place gives an organisation a competitive edge over others, as it becomes a transparent and trustworthy market player.
Regulatory news
Sovereign gold bond (SGB) scheme 2019
The RBI has issued an operational guideline to all scheduled commercial banks regarding the Sovereign gold bonds scheme. It has details around application, joint holding and nomination, Know Your Customer (KYC) requirements, cancellation policy, agency arrangements, processing through RBI’s e-kuber system, tradability etc. The key guidelines include provision to have a joint holding pattern and nominations and the furnishing of PAN details for KYC purposes.
The detailed notification can be accessed here.
Priority sector lending (PSL) – classification of exports under priority sector
The RBI has made changes pertaining to export credit for enhancing credit to the export sector.
To classify export credit under PSL, the sanction limit has been enhanced from INR 250 million per borrower to INR 400 million per borrower. For foreign banks, there are no changes in the existing instructions.
The detailed notification can be accessed here.
Implementation of section 51-A of the Unlawful Activities Prevention Act (UAPA)
The RBI has prescribed amendments in the Master Direction on Know Your Customer (KYC) terms, on account of the addition of ISIL (Da’esh) & Al-Qaeda to the Sanctions List by the United Nations Security Council (UNSC). In view of the changes, the regulated entities (REs) are recommended to comply with the updated guidelines and ensure that accounts in the name of individuals/entities do not have suspicious terrorist links.
The detailed notification can be accessed here.
Authorised payment systems – harmonisation of turnaround time (TAT) and customer compensation
With a view to providing quicker resolution of customer complaints, the RBI has come up with a framework on TAT for failed transactions and compensation, which will focus on customer confidence and bring in uniformity in the processing of failed transactions due to reasons not attributable to the customer, such as non-availability of cash in ATMs. The customer would also be immediately compensated without a complaint or claim from the customer. Customer grievances can be registered by raising a complaint with the banking ombudsman of the RBI.
The detailed framework on TAT can be accessed here.
Bharat Bill Payment System – expansion of biller categories
The RBI has issued a directive to expand the scope of billers under the Bharat Bill Payment System (BBPS). The updated scope and coverage of BBPS will be inclusive of all billers who raise recurring bills, except prepaid recharges. BBPS is a platform for repetitive bill payments and its earlier scope included segments such as direct to home (DTH) services, electricity, water, gas and telecom.
The detailed notification can be accessed here.
Auction of Government of India dated securities
The Government of India (GoI) has notified the terms and conditions for the sale (issue/re-issue) of government stock (GS). The stock will be sold through the Reserve Bank of India (RBI), Mumbai Office. For the total notified amount, with the limit of ₹16000 crore, GoI can retain additional subscription of up to ₹1000 crore each, against any one or more of the securities.
The auction would be yield-based (for new securities) and price-based (for other securities), using the multiple pricing method. Trading would be in accordance with the guidelines issued by the RBI.
Payment of interest and re-payment of stock are mentioned in the notification.
The detailed notification can be accessed here.
Other regulatory news
Risk management framework for liquid and overnight funds
In the risk management framework for liquid and overnight funds, the Securities and Exchange Board of India (SEBI) has advised that liquid funds should hold at least 20% of their net assets in liquid assets. Cash, government securities, t-bills and repo on government securities belong to liquid assets. Liquid funds and overnight funds will neither be part of funds deployed in short-term deposits nor in debt securities. But they can be invested in debt securities with government guarantees.
SEBI has directed that asset management companies (AMCs) should not levy charges for investment management and advisory fees on the part of the funds placed in short-term deposits of scheduled commercial banks.
The detailed notification can be accessed here.
Valuation of money market and debt securities
SEBI has prescribed the guidelines on valuation of money market and debt securities which are to be aligned with the best market practices that eventually increase the robustness of their valuation. According to this, money-market and debt securities will be considered traded, in case trades are reported on the trading platform of recognised stock exchanges or the Clearing Corporation of India Ltd (CCIL).
It has been decided that valuation of money market and debt securities will follow the waterfall model approach to arrive at security-level pricing. SEBI has directed that mutual funds will not use their own trades for valuation of debt and money market securities, and for inter-scheme transfers.
The detailed notification can be accessed here.
Additional commodities as eligible liquid assets for commodity derivatives segment
SEBI has directed that diamond, base metals and alloys be considered part of the permissible liquid assets, which would be subject to non-bullion collateral concentration limits. At present, bullion, steel and agricultural commodities are considered liquid assets.
The quality specification of the commodities should match the contract specification of the commodity derivatives traded on the exchange. Only then will those commodities be recognised as collateral.
The detailed notification can be accessed here.
Global regulatory news
ECB introduces two-tier system for remunerating excess liquidity holdings
The European Central Bank (ECB) has decided to have a two-tier system for reserve remuneration, which will exempt part of the excess liquidity holdings of credit institutions.
All credit institutions subject to minimum reserve requirements will be eligible for the two-tier system.
This system will be applicable to excess liquidity of the current accounts in the Eurosystem. The exempt tier of excess liquidity holdings will be remunerated at an annual rate of 0%.
The detailed notification can be accessed here.
ECB enhances reporting on FX interventions
To enhance communication and transparency in its accountability practices, the ECB has decided to issue additional data on its foreign exchange interventions (FXI). From April 2020 onwards, FXI data will be available on the ECB website and in the ECB’s annual report.
Currently, the ECB uses different channels, such as weekly financial statements and annual reports, to reveal FXI information.
The detailed notification can be accessed here.
The European Securities and Markets Authority (ESMA) updates its financial instrument reference database
ESMA has come up with a new version of its financial instrument reference database. The updated system accepts XML schemas v1.1.0 and includes updates to the classification of financial instrument (CFI) validation rules.
Notably, the financial instruments reference data system (FIRDS) was launched in July 2017 in order to support requirements for reference data collection and publication. Since then, there have been different releases for its enhancement and maintenance.
The detailed notification can be accessed here.
This newsletter has been researched and authored by Maheswari Mahesh and Abhishek Chaurasia, and reviewed by Amit Lundia, Data Governance & Privacy SME.
Contacts
Acknowledgements
Vivek Belgavi
Partner
[email protected] +91 9820280199
Abhishek Chaurasia
Principal Consultant
[email protected] +91 9836849994
Vishal Motwani
Director
[email protected] +91 7506800901
Sayan Maiti
Principal Consultant [email protected] +91 7411019947
Hardik Gandhi
Associate Director
+91 9819379703
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with over 276,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Bhopal, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai, Pune and Raipur.
For more information about PwC India’s service offerings, visit www.pwc.in
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
© 2019 PwC. All rights reserved.
pwc.in
Data Classification: DC0
This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.
© 2019 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.
SUB/September2019-M&C 3109