Arun Poddar, CEO, Choice International & Vikas Gupta, Chief Compliance Officer at Canara HSBC Life Insurance, reveal the various challenges of compliance relating to data governance, training programs & new developments:
Ravi Lalwani: With an increasing number of fintechs playing crucial roles in financial services, what do you focus on while researching them to ensure that the partnerships will have minimum friction in the future?
Arun: As one of the leading stockbrokers in India, we understand the significance of conducting research before entering partnerships with fintech companies. One of the main areas of our focus is the technical capabilities of fintech firms. We evaluate their data management systems, security protocols and the compatibility of their systems with ours to ensure that any technology integration is seamless and secure, safeguarding our clients’ data.
Compliance is one of the important aspects, which focuses on adherence to rules and regulations and on establishing good corporate governance. Keeping this in mind, we also emphasize regulatory compliance, ensuring that fintech companies comply with all the necessary financial services industry regulations in India. We assess their knowledge and understanding of the regulatory landscape to avoid any risks that may affect our clients’ investments.
Another crucial aspect of our research is examining the company’s track record and reputation in the industry. This involves analyzing their market share, customer reviews, past partnerships, necessary certifications, licenses, and regulatory compliances to evaluate their credibility and reliability. It is essential to partner with a fintech company that has a history of ethical practices and exceptional service to maintain our clients’ trust and satisfaction.
Vikas: We look at the leadership team, their expertise, and the investor profile. It is important to assess whether the entity can withstand seasonality and volumes. Today there are several fintech services, but life insurance is a long-term proposition. So the partner and their solutions should be able to fulfil our long-term requirements. We have seen that sometimes when the solution is good, there can be a sudden rise in demand and the service provider at that time struggles to cater to multiple clients. The ability to deliver, scalability, and agility are important in a long-term relationship which also leads to less friction and more calibrated work.
What are the various points where you come in on technology projects? What kind of guidance do you give most frequently?
Arun: Technology projects are crucial for business success, and hence, we are involved in multiple stages throughout the project’s life cycle. In the planning phase, we closely collaborate with the fintech team to ensure that the project aligns with our business goals and objectives. This involves developing a detailed project plan that outlines the scope, timelines, and budget to ensure the project’s timely completion within the budget. During the development phase, our primary focus is on providing feedback and guidance to meet our quality standards. We periodically review the project to refine and enhance its functionality and usability. In the testing phase, we work together with the fintech team to identify and resolve any issues that may occur during testing to ensure the project’s reliability, scalability, and client satisfaction.
Here are some key areas where we come in on technology projects. We prioritize developing scalable technology solutions that can adapt to changes in demand. For this, we collaborate closely with our technology team to plan for increased traffic, expand infrastructure, and optimize software architecture as needed.
To ensure customer data security and privacy, we implement robust measures, including encryption, access controls, and monitoring tools. Keeping up to date with the latest technologies is a must. We research emerging technologies, experiment with new software tools, and collaborate with external vendors.
We advocate a culture of rapid prototyping, testing, and iteration in our technology projects. We do detailed checks on whether the companies comply with the criteria prescribed by the financial services industry regulations in India to avoid friction in the future.
Vikas: A technology project essentially means making some existing processes simple and automated. Hence the logic built into it is very crucial, along with the platform. We insist on reviewing the process end to end to ensure that it is built by keeping customer centricity at the centre, and at the same time ensure that the principles and intent of regulations are not compromised. Moving the data and process into a cloud environment brings more efficiency and scalability. However, Indian law as of now restricts customer data to any jurisdiction other than India. We must ensure that all these requirements are adhered to with due attention. My guidance has always been to involve the compliance team from the very beginning of any project. There are various nuances and interlinkages which can be best addressed if the team is involved from scratch in the project.
What are the difficulties you encounter in meeting the rising data compliance requirements? How have you resolved most of these difficulties?
Arun: Ensuring compliance with legal and regulatory requirements can be challenging for many organizations due to a variety of factors. Today, data is everywhere. With ecosystems and infrastructures going digital, access to personal and sensitive data has proliferated across the board, giving rise to the need for adherence to data compliance standards.
Difficulties are resolved by:
- Proper workflow and structure to deal with compliance requirements which ensure continuous checks at all levels.
- Enforcing access control to ensure that only authorized individuals have access to sensitive data or IT systems and processes. We regularly review and ensure that access is granted on an evaluation basis on a need-to-know principle. Also, we make sure that employees follow the practice of password protection.
- We regularly conduct security assessments to ensure that our organization is meeting regulatory requirements related to data protection and network security. These assessments include vulnerability scans, penetration testing, and security audits.
To achieve business continuity in the event of any disruption, we have a primary site and a DR site in a fully functioning state.
Vikas: One of the primary challenges of data compliance relates to data governance. The data format is not consistent across the environment. We have initiated projects to streamline it and create a uniform format at all levels. The other major issue is ‘data leakage’. This is usually addressed in 2 parts – one is the control within the company and the other is the attack from outside. Within the company, we have installed a Data Leak Prevention (DLP) solution and blocked removable media access. Any digression is easily identifiable. For external attacks, we have an Intrusion Prevention System and other similar software in place. The dedicated team monitors it continuously and any arising threats are blocked at the perimeter level. For end users, we have deployed hard disk encryption and antivirus to prevent any end-user data theft or malware attack. Additionally, we have a strong vendor governance process to ensure that data remains safe and that we adhere to various data compliance requirements.
What newer compliance training programs are you arranging for compliance teams and other teams?
Arun: ‘Compliance’ in itself is an ‘inclusive’ definition which as a whole includes various kinds of compliances, namely compliances by the companies consisting of timely disclosures, income tax & audit compliances, human resource compliances, and IT (data management, security) compliances. At Choice, we undertake the following training programs as a part of compliance management:
- Communication skills workshop for employees to break the barriers of communication at the time of performing compliance-related activities.
- Leadership workshop to improve leadership skills on team management.
- Compliance software training sessions for heads of the departments conducted by the owners of the software.
- Cybersecurity awareness training conducted by the IT Head to make the employees aware of cyber-attacks and data loss prevention.
- Awareness campaigns for our employees through emails and challenging programs.
Vikas: Interpersonal skills and soft skills using behavioral and theatre techniques rather than standard presentation modes are something that we are implementing at the ground level. The compliance team already has basic skill sets and domain knowledge in the given context. In a fast-developing industry the requirement today is adaptability, working with cross-functional teams, and most importantly speed of delivery. Additionally, we do regular training for the team on technical areas including knowledge-sharing sessions on products, cyber security requirements, and IFRS requirements.
Compliance is a subject of growing complexity. How are you simplifying it so that more and more people in the organization can understand it effectively?
Arun: To cope with ongoing data compliance requirements, it makes sense to introduce a tool that provides an integrated governance, risk and compliance management platform. It should be multifaceted, powering compliance management, policy management, risk management, audit and assurance, and more, all through an agile, online platform.
We do 4 things to simplify compliance:
- We maintain well-established compliance software. We have established the compliance software ‘KOMRISK’, which helps every department to function and stay updated with the various laws, rules, and regulations applicable to their sector of work.
- We schedule compliance audits regularly (on a quarterly and yearly basis).
- We keep a check on work allocation.
- We regularly review change management processes. As we all know, IT systems are in a constant state of change, with updates and upgrades happening frequently. Change management processes guarantee that changes are implemented in a controlled and secure way.
Vikas: ‘Let’s Simplify’ is my motto. Whenever anything new comes, we analyse the implications and then send out the communication to relevant teams in the most simplified language along with the impact on our company and processes. This makes it easy and accessible for the concerned person to understand the implication of the new regulation/circular. I also believe in getting involved in the design stage or process creation stage so that complexity can be reduced at the time of delivery and users are aligned with the requirements from the beginning.
What is the profile of people getting into the field of compliance these days?
Arun: A Company Secretary (CS), Chartered Accountant (CA) and Advocate are the 3 professions that are an ideal fit to be a good compliance officer whose role involves keeping regular checks on the legal, secretarial, and compliance aspects of the company. To complete the compliance circle in all the possible spheres we also have a separate role of a chief technology officer who manages the data and its security.
In today’s world, a compliance officer is an ideal asset and a well-matched profile to the field of compliance for any business. A compliance officer will guarantee that a company’s external regulatory requirements and internal policies are met. Following 2002, the position and need for a compliance officer increased due to the various challenges and disadvantages faced by several organizations that lacked the presence of a person in this role.
As our economy continues to grow, we must prioritize good governance practices in all sectors. We should not only appreciate but also support the efforts of regulators to enforce compliance rules. This will ensure that only those organizations that prioritize good governance will sustain themselves in the long run. As a result, the industry will benefit from increased trust, accountability, and sustainability, leading to a stronger and more prosperous economy.
Vikas: The compliance team of our company comprises diverse profiles, though it is mostly dominated by people with a professional background as CAs, CSs, and lawyers. However, we have employees from operations and even sales in the compliance team, making it a healthy mix of various domain experts. Diversity brings in an insider perspective which is very crucial for compliance professionals. Rules and regulations are in the public domain, and knowledge and understanding of the business for effective implementation is a rare mix.