Compliance is more than a matter of ticking boxes; it requires a deep understanding of the underlying reasons

Cybersecurity compliance means adhering to the standards and regulatory requirements set forth by an agency, law or authority.

DQINDIA Online

A conference titled “Simplifying Compliance for the Indian Fintech Ecosystem” was organized by Dataquest in association with Scrut Automation, a SaaS-based GRC tool that helps companies enhance their information security posture.

Security experts at the conference noted that the Fintech sector is growing at an exponential rate, and so are the compliance obligations and regulatory policies that govern it. The typical challenge is that an organization must comply with many standards at once, and tracking them is becoming difficult. There is not only a high level of duplication across these standards, but the work is also resource intensive and eats into productivity and efficiency. It poses a security challenge as well. This points to the pressing need for a unified approach, a single window, to tackle the problem at hand.

In his opening session, Ayush Choudhury, the Co-Founder/CEO of Scrut Automation, shared insights into their journey of working with various companies, including startups and well-established ones. They found that more than 30% of their customers were from the Fintech and financial services industries. This led them to investigate the reasons behind this trend and speak to their customers.

Their findings revealed that the Fintech and BFSI industries are subject to stricter regulatory requirements than many other industries. Notably, the Indian financial services ecosystem has witnessed a remarkable transformation, with both legacy traditional companies and newer Fintech companies embracing digitization as a mode of distribution. In response, the government has been investing in infrastructure to democratize access to technology.

However, the pace at which technology is advancing and being adopted is outpacing the development of cybersecurity models to a significant extent. This is a significant challenge, given that cybersecurity is critical for ensuring the safety and security of financial transactions and sensitive data. Choudhury's insights shed light on the urgent need for the Fintech and BFSI industries to prioritize cybersecurity and stay ahead of the rapidly evolving technological landscape.

Ayush further highlighted the grave risks of ignoring the need for cybersecurity in the Fintech and BFSI industries, stating that it could lead to an implosion that would cause the entire edifice to come crashing down.

To address this, Scrut Automation, in partnership with Dataquest, is striving to reduce the information asymmetry surrounding compliance standards in the Fintech sector. By engaging with the community, creating artefacts and collaterals, and facilitating expert discussions, they aim to simplify and streamline the compliance process, making it as easy and sanitized as possible.

Choudhury emphasized the importance of collectively improving our understanding of the compliance challenges facing the Fintech sector, and the need to get to the root of the problem. A typical Fintech has to comply with general standards such as ISO 27002, but also with more vertical-specific ones such as PCI DSS, and most recently the SAR audits by RBI and data localization requirements, among others.

This requires the involvement of experts from diverse backgrounds who can bring their expertise and focus to bear on the target issues. The gathering, while not large, brought together highly experienced and focused individuals committed to tackling these challenges head-on.

The balance between Compliance and Agility

Minu Sirsalewala, Executive Editor, Special Projects at Dataquest, emphasized that achieving compliance is not just a matter of ticking boxes. It requires a deep understanding of the underlying reasons and the ability to implement compliance in a way that balances it with agility, innovation and best practices.

Manoj Agarwal, Head Legal & Compliance, Upstox, agreed and presented global data on Fintech adoption, highlighting that India's adoption rate is 87% compared to the world average of 64%, according to a Deloitte report. He also mentioned that the government and businesses are putting effort into digitalizing the economy through Fintech companies, as is evident from the increase in digital transactions and the adoption of QR codes.

Agarwal emphasized the need to reduce risks while enabling business objectives by staying informed about global trends and adopting appropriate technology such as biometrics, OTP, and fingerprint controls. He stressed the importance of automation and collaboration with regulators, who are driving compliance requirements in the era of digitization.

Innovate the Compliance Process

Dr. Deepak Kalambkar, CISO at SafexPay, emphasized the importance of conducting regular internal audits to meet compliance requirements. He suggested that organizations should focus on user awareness training and ensure that customer data is secure through data localization.

Kush Kaushik, Co-Founder of Scrut Automation, agreed with Dr. Kalambkar and stressed the need to innovate the compliance process. He highlighted the importance of equipping the compliance team with the right tools and technologies to work efficiently and face audits with less effort. Kaushik further emphasized the significance of innovation in saving time in the compliance process.

Apurva Malviya, Head of Global Sales at Panacea Infosec Pvt Ltd, echoed the sentiments of the previous speakers and emphasized the complexity of dealing with multiple compliance requirements in the Fintech industry. He highlighted that each business arm, such as payment gateways, payment aggregators, PPI licences, lending businesses and mutual funds, is regulated by a different organization, such as RBI, NPCI or IRDA. Despite these differences, the evidence requirements for each compliance audit remain similar. He therefore suggested having one audit and using automation tools to review the audits.

According to Shankar Ramrakhiani, CISO, IIFL, the compliance landscape has changed significantly, and it is no longer just a tick-box exercise. Regulators like SEBI release new circulars every week, and in the last six months they have issued several stringent circulars covering technical glitches, the adoption of cloud security frameworks, and cybersecurity guidelines. Automation is crucial in meeting compliance requirements, as regulators have the power to scrutinize businesses and the threat landscape is continually evolving. Shankar emphasized the need to prioritize risk areas in order to manage compliance effectively.

Deepak Kothari from ftCash also believes that businesses dealing with multiple regulators should adopt a single audit approach. Compliance is no longer a mere tick-box activity, and businesses should align their compliance efforts with their overall business objectives.

Sanjivan Shirke, Head of Information Security and SVP (Information Technology) at UTI Asset Management, mentions the SEBI circular that mandates mapping of ISO 27001. He emphasizes that it's time to structure audits to effectively manage compliance.

Technology to break the monotony 

In the ever-evolving landscape of Indian Fintech, regulatory bodies such as RBI, IRDA, and SEBI have enforced new guidelines on Data Localization, P2P Lending, Payments, Tokenization, Cyber Security Audits, and PCI-DSS. Minu raised the question of what shifts in trends can be expected in risk and security compliance practices. Melwyn Rebeiro, Head of IT Security, AEON Credit Service India, emphasized the importance of adopting a software-building approach that complements SecOps, while Shankar highlighted the need for strong collaboration between technology and security teams, with clear objectives and consistent improvement of controls. Deepak Kothari stressed the fiduciary duty to secure data and compliance's role in eliminating risks, especially in a technology-dependent environment.

In addition, Apurva pointed out the complexity of RBI's regulations and suggested adopting a security, compliance and privacy-by-design approach while promoting a dialogue between regulators, consumers, and external auditors. To reduce the audit effort, Apurva recommended automating the collection of evidence data. Sanjivan Shirke proposed that audits should focus on process and operational audits to solve the pain points of navigating complex regulatory requirements.

Revolutionizing Compliance: The Future of Enterprise Risk Governance

Ayush summarized that as the world becomes increasingly digital, the importance of Enterprise Risk Management (ERM) extends beyond financial governance alone. It now encompasses security, infrastructure, and third-party integrations in its checklist. In India, where 37% of firms have experienced cloud data breaches in the past 12 months, ERM technologies will lean more towards governance, risk and compliance (GRC). This will help enterprises assess their risk posture, identify compliance gaps, manage incidents and policies, and automate internal audit activities.

To refine enterprise risk governance strategies, all-in-one GRC platforms that integrate intelligent risk analytics with the enterprise's application and infrastructure landscape will play a vital role. They will be able to monitor security controls and provide a single-pane view of the complex security ecosystem, which will help offer quick insights into security and compliance posture through intuitive dashboards. This will help enterprises make data-driven security decisions.

Furthermore, security tools that offer deep integrations with commonly used applications and provide collaborative workflows between teams, auditors, and pen-testers will become indispensable. They will assist cyber teams in managing daily compliance, executing multiple compliance audits simultaneously, and meeting the requirements of SOC 2, ISO 27001, FedRAMP, CMMC, NIST, and others, along with regulatory and privacy requirements such as GDPR, HIPAA, PCI DSS and CCPA (to name a few), for efficient risk governance against cyber terrorism. In summary, adopting GRC platforms and security tools will give enterprises a more comprehensive approach to risk governance, helping to ensure that their operations remain secure and compliant.
