Cash pick-up & delivery at Small Finance Bank branches


Even with all the euphoria around people moving towards cashless transactions, the bulk of all transactions continue to be in cash. Cash still rules in both rural and urban areas, though adoption of cashless modes is better among city folks.

A bank’s major role in rural areas continues to be that of a cash dispensing and accepting unit. For small finance banks, managing cash is all the more challenging: in the absence of any sizeable presence in one geography, a currency chest is unviable. Thus, Small Finance Banks (SFBs) have to depend on other scheduled commercial banks for their cash needs. SFBs also have to make sure that branches do not store cash beyond the cash retention limit set for them, and hence both the cash delivery and the cash pick-up processes need to be defined, with controls built into each, for optimum utilization of cash.

Following are some of the key controls that can be included in cash management manual for SFBs:

  • Branch team needs to make sure that they are aware of the cash retention limits (CRL) of their branches. Any indent for cash needs to be raised on the basis of the CRL and the projected cash demand for asset disbursements, cash repayments, average cash deposits and cash withdrawals at the branch.
  • Branch team needs to ensure that they accept cash only from individuals authorized as per the communication received from their cash management team/central team. Branch team should always check original ID cards and match the slips (if applicable) at each instance, even if the cash delivery staff is regular or the same person every time.
  • All the cash received should be counted, i.e. both the number of cash bundles and the notes within each bundle should be counted.
  • Branch team should also check for torn/soiled/mutilated and suspect/fake notes and escalate to the concerned/central team as per the Bank’s policy.
  • Cash delivery or pick-up should always be done under CCTV coverage.
  • The outsourced staff/cash management vendors should never be provided access to the branch vault or the cash counter.
  • For cash pick-up from branches, branch team should strictly verify and match the vendor employee’s details against the authority letter and the list provided by the internal cash management team/central team.
  • For cash pick-up cases, the branch should verify the cash remittance entry in the system before the vendor employee leaves the branch with the cash bag. This safeguards the Bank’s interest in case of any adverse incident.

How to be compliant to Aadhar Act regulations: CISA perspective

The Aadhar Act stipulates certain norms which must be followed by Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs). Critical provisions from an Information Security Auditor’s perspective are listed below.

  • The client application which is being used / or planned to be used for Aadhar authentication needs to be digitally signed

    • With the ever-increasing threat from viruses, trojans, malware and ransomware, it is imperative that organizations use applications/software/executables which are digitally signed. Digital signing of an application serves two objectives:

      • Origin of the software can be ascertained

      • It can be ascertained that no one has tampered with the application

  • The client application should not store biometric data in any circumstances

    • As per Aadhar Act 2016, only Central Identities Data Repository is authorized to collect the Biometric data which is linked to a particular Aadhar number. Hence, other entities including KUAs/AUAs have to ensure that they are not storing any biometric information linked to a particular Aadhar number. Further as per Aadhar Act, no core biometric information collected under this act shall be shared with anyone for any reason whatsoever, and this biometric information can only be used to generate Aadhar number and authentication. Therefore to be compliant with Aadhar Act, entities need to make sure that the applications that they have developed or are using are not storing any biometric information.

  • The biometric data should be encrypted before it is transmitted.

    • This norm pertains to data in motion. Data in motion is susceptible to interception, monitoring, unauthorized access and modification by an unauthorized person or entity. Encryption is used wherever it must be ensured that the data is read/received only by the intended recipient and that the message received by the recipient is exactly the same as was sent by the sender. To ensure that authentication services have safeguards of confidentiality, integrity and availability, it is essential that data collected for authentication is transmitted only in encrypted form.

  • Client application should not be able to replay any authentication request with stored biometric data.

    • This condition is an extension of point 2, which bars any entity, including AUAs and KUAs, from storing biometric data. Further, this also means that even in the UAT phase or the testing and development phase of an application, biometric data linked to any Aadhar cannot be stored and an authentication cannot be replayed.

  • Name of AUA/KUA should be clearly visible on the authentication applications to the Aadhar number holder.

    • This is more of an Aadhar-holder safeguarding measure. It ensures that the Aadhar holder is aware which entity is using his biometric information and why.

  • AUA/KUA should not perform test transactions on UIDAI’s production environment.

    • This is very important to safeguard the performance of the authentication services offered by the Central Identities Data Repository. Testing in production (TiP) is generally avoided to prevent performance issues, to prevent vulnerabilities from creeping into the live environment, to avoid loss of data and to prevent a poor customer experience. Therefore, before access to UIDAI’s production environment is allowed, the client applications should be tested, digitally signed and certified by auditors.
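The signing and anti-replay norms above, as an added example that is not part of the original article and is not UIDAI’s or any AUA’s actual scheme: the first half shows what a digital signature on a client application gives the verifier (origin, because only the publisher’s key verifies, and integrity, because any change to the bytes breaks the signature); the second half shows how a verifier detects a replayed authentication request using a per-request nonce and a timestamp acceptance window. The Ed25519 key pair, the artifact bytes, the nonces and the five-minute window are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// signArtifact returns the publisher's Ed25519 signature over the SHA-256
// digest of an artifact (e.g. the client application binary).
// Constructed illustration, not any real code-signing format.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// verifyArtifact reports whether sig was produced by the holder of pub over
// exactly these artifact bytes: a wrong publisher key or a single changed
// byte both make it return false (origin + integrity).
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// ReplayGuard rejects authentication requests whose nonce has already been
// seen, or whose timestamp lies outside the acceptance window. Seen nonces are
// only remembered for the window length, so the map cannot grow without bound.
type ReplayGuard struct {
	mu     sync.Mutex
	seen   map[string]time.Time
	window time.Duration
}

func NewReplayGuard(window time.Duration) *ReplayGuard {
	return &ReplayGuard{seen: make(map[string]time.Time), window: window}
}

// Accept returns nil when the (nonce, ts) pair is fresh, otherwise an error
// saying why the request was rejected. now is passed in so it can be tested.
func (g *ReplayGuard) Accept(nonce string, ts, now time.Time) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	// Forget nonces older than the window; requests that old are rejected
	// by the timestamp check anyway, so remembering them buys nothing.
	for n, t := range g.seen {
		if now.Sub(t) > g.window {
			delete(g.seen, n)
		}
	}
	if ts.After(now.Add(g.window)) || now.Sub(ts) > g.window {
		return errors.New("timestamp outside acceptance window")
	}
	if _, dup := g.seen[nonce]; dup {
		return errors.New("replayed nonce")
	}
	g.seen[nonce] = ts
	return nil
}

func main() {
	// Constructed publisher key pair and artifact bytes.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	app := []byte("constructed client application bytes v1.0")
	sig := signArtifact(priv, app)
	fmt.Println("genuine artifact verifies:", verifyArtifact(pub, app, sig))

	tampered := append([]byte{}, app...)
	tampered[0] ^= 0x01 // flip one bit
	fmt.Println("tampered artifact verifies:", verifyArtifact(pub, tampered, sig))

	guard := NewReplayGuard(5 * time.Minute)
	now := time.Now()
	fmt.Println("first request:", guard.Accept("nonce-1", now, now))
	fmt.Println("same request again:", guard.Accept("nonce-1", now, now.Add(time.Second)))
}
```

The verifier never needs to see, or keep, any biometric payload to make either decision: it checks the signature against a known public key and the request’s freshness against its own clock and nonce memory, which is exactly the property the storage and replay norms ask for.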

By following the above key regulations, Banks and other entities can ensure that their licence is not cancelled and that they are not in violation of the law.

Handling Secured Stationery @ Bank branches

Stationery at branches helps in the smooth functioning of branches. Proper management of stationery ensures that customers can easily access cash withdrawal/deposit slips at branches, order demand drafts or get loose cheque leaves. Customers can also open accounts, apply for loans and get superior service vis-a-vis a branch which is not able to maintain its stationery properly. Though customers can still be serviced by printing application forms/deposit slips/loan application forms, this generally involves higher printing and paper costs and is not sustainable in the long run. Hence, to serve customers efficiently, a branch should handle its stationery well.

Secured & unsecured stationery

Across the Banking industry, stationery can be broadly classified into two categories: secured stationery and unsecured stationery. Secured stationery is generally serially numbered, though there are some exceptions (e.g. letter heads), and is used by Banks to issue payment products like demand drafts, loose cheque book leaves etc. Loan repayment receipts also come under this category. Unsecured stationery items generally include account opening forms, cash deposit/withdrawal slips etc.

To have better control over stationery, first of all, one needs to define through a policy/process note what constitutes a secured stationery for the Bank. This helps in devising the controls and their execution. Employees become aware which controls are to be employed for which type of stationery and hence ensures better compliance.

Following are some of the controls that can be included to manage the stationery:

  • Define what constitutes a secured stationery and what does not.

  • Disseminate the classification to branches and train them on identifying re-order level for stationery indent.

  • Branch should always verify the quantity received for the secured stationery items and update the quantity immediately in the designated register/system.

  • Secured stationery should always be kept under dual custody, either in dual-lock almirahs, fire-resistant filing cabinets or defender safes.

  • All issuance/withdrawals should be duly recorded in the register or/and in designated system by the custodians.

  • Inventory verifications should be carried out periodically and in case there is excess/shortfall, an Operational risk incident needs to be reported post taking necessary steps to block/disable the particular stationery instrument to prevent possible misuse.

  • Unsecured stationery items should be stored properly with labelling preferably following 5S tools and principles.

  • Any excess stationery items be it secured/unsecured should be reported to the central team, and should be sent back to the issuing team or should be handed over to nearest deficient branch post taking proper acknowledgement.

Lodging duplicate keys: Branch Banking


Planning for business continuity is very important, and more so for Banks. Banks need to be up and running at all times so that customers have faith in the Bank and its services. Lodgement of branch keys is therefore a critical factor in ensuring that a Bank branch will be open for customers during its operational hours and will be able to serve them, provided other infrastructure is in place and operational.

RBI, through its circular (Ref. RBI/2004-05/420 DBS.CO.IS Audit.No. 19/31.02.03/2004-05) and the Working Group report on information security, electronic banking, technology risk management and cyber frauds headed by Shri G Gopalkrishna, has provided detailed guidance for business continuity. The report elucidates roles & responsibilities and organisational structure, BCP methodology, key factors to be considered for BCP design, testing, maintenance and re-assessment of the plan, and other aspects of BCP such as human, technology and infrastructure considerations.

At the branch level, availability of branch keys and vault keys is very important to ensure that the branch opens on time and customers can be serviced by accessing the cash and other stationery kept in the branch vault.

Therefore, one set of branch and vault keys is lodged at some other branch of same bank or other bank branch.

Duplicate keys

Following are the key controls that should be kept in mind for lodgement of duplicate keys:

  • Take the inventory of keys essential for branch operations and tabulate the key numbers in duplicate/triplicate.

  • A bag needs to be prepared to keep the duplicate set of keys and one copy of key inventory sheet. The key Bag needs to be sealed off suitably.

  • An entry needs to be made in the Key movement register and both the custodians should sign it.

  • A key lodgement letter needs to be prepared which clearly specifies who can withdraw the keys and how.

  • Key bag along with the lodgement letter should be handed over to designated official at the off-site branch and acknowledgement needs to be obtained.

Another important thing that needs to be ensured is to swap the lodged keys with the keys in operation periodically (once in six months or a year) so that there is uniform wear and tear across all sets of keys.

Aadhar Act 2016: Actionable for Banks & Telecom companies to be compliant with the new law


The Government has notified the Aadhar Act 2016. For the Banking & telecom industries, which heavily use Aadhaar-based authentication for transactions and account opening, it is essential to be compliant with the various norms laid down in the Act.

Following are the key actionables that every CISO needs to include in their to-do list:

  1. The Aadhar Act specifies very clearly what is meant by Biometric Information. Biometric information as per the act includes- Finger print, iris scan, or such other biological attributes of an individual. Photograph of an individual has also been classified as Biometric information

    Implication:

    Even the photograph of an individual/customer is part of biometric information and hence its use is governed by the Aadhar Act. Banks/Telecom companies will have to take care while dealing with customer photographs; their storage and use need to be as per the law. Customer core biometric data (iris, fingerprint) cannot be posted, displayed, shared, or used for any purpose other than authentication or the purpose claimed at the time of collection of the biometric data.

  2. As per the Aadhar Act, the authority (UIDAI) shall perform the authentication of an Aadhar number on the basis of a request from a requesting entity (Banks, telecom companies etc.).

    The requesting entity has to ensure:

    • Consent of the individual/customer is present on record
    • The identity information is only used for submission to the Central Identities Data Repository for authentication.

    Implication:

    Application forms and electronic workflows in the applications need to be modified to capture the consent of the customer for Aadhar authentication.

    Secondly, the data collected during Aadhar authentication needs to be purged immediately post authentication or transaction completion (data at rest). Banks/requesting entities also need to make sure that no application has access to this biometric data (back-door access).

  3. The requesting entity/Bank has to inform the individual/customer, with respect to authentication, of:
    • The nature of information that may be shared upon authentication.
    • The uses to which the information received during authentication may be put by the requesting entity, and
    • Alternatives to submission of identity information to the requesting entity.

    Implication:

    The requesting entity/Bank has to disclose the ‘information’ that it may/will share post authentication, for example financial transaction details etc. Further, the requesting entity/Bank also has to clearly inform the individual of the possible usage of customer information post authentication, for example updation in the organization’s negative database, cross-selling of products etc. Requesting entities also need to inform the customer about the alternatives that they have with respect to sharing of identity information.

Passbooks-Ensuring strong Internal Controls


Proper handling of passbooks has become increasingly important in light of:

1. RBI advising Banks to issue the passbooks to the individual customers when a customer demands it.

Account statements are easier for Banks to issue to their customers through specialised software which pushes an email statement to the registered email ID of the customer. But customers mostly find handling these statements (either on mail or hard copy) cumbersome. In case of account statements, customers have to file them regularly or, in case they are soft copies, save them in a particular folder. Customers also have to match the opening balance with the closing balance of the last statement. Most importantly, not all customers have access to the internet, computers or smartphones.

Hence RBI through its master circular on customer service has directed Banks to offer passbooks to all its individual customers and not charge customers for issuance of the same.

2. Secondly, Photo-passbooks can be accepted as Proof of Address (PoA) under simplified KYC and for issuance of passport.

Therefore it becomes imperative for Banks to have strict control over issuance and storage of passbook stationery.

Following controls may be included for passbook stationery:

  1. Passbooks should be pre-printed serially numbered to ensure tracking and accountability.

  2. Passbook stationery at the branches should be treated as the secured stationery. This implies that there will be two custodians for its safe storage and issuance. For example a Branch Manager and Branch operations manager.

  3. Passbooks should have Bank’s customer care contact number, Bank’s nodal officer name and contact details.

  4. Inward mail register of the branch needs to be updated as soon as branch receives the stationery from Head office/central hub.

  5. Physical request must be documented from the customer/bearer for issuance of the passbook.

  6. Bearer request may be restricted depending upon the customer risk categorization or additional due diligence must be done to issue the passbook on a bearer request. For example, calling the customer on registered contact number.

  7. Only a printed passbook should be issued to the customer and never a blank one. Before issuance, the issuing official should check the printing quality and the correctness and completeness of information.

  8. Acknowledgement needs to be documented from customer at the time of handover of printed passbook.

  9. For photo-passbook issuance, customer photograph needs to be matched with the Bank’s records and stamp and signature on photograph needs to be put in a way that the photo is visible and replacement of photo is difficult. For example stamping portion of customer photo and passbook page together.

  10. Core Banking Software / other relevant software to be updated so that email statement/physical statement are not mailed to customer and thereby saving costs on account of courier costs. It also helps to avoid repeated request from customers for the same account.

 

Keys Handling at Bank branches: Do’s & Don’ts


Handling of keys is one of the most critical activities at the branch. Robust control over keys directly reflects the discipline that a branch exudes.

Keys can generally be classified into Critical and Non-critical. Critical keys are generally the keys for Cash Vault, Cash counter, Vault room and Branch keys. Non critical keys could be for the drawers, cupboards etc. Criticality is chiefly governed by the requirement of dual locking/custodians for sensitive storages like Cash Vault, Vault room etc. Non critical keys are keys for single custodians and are for non-sensitive but important storages like workstation drawers, cupboards etc.

Key handling for both critical and non critical keys is important, however, the degree of importance and hence controls differ.

Some of the important controls for Critical Keys are:

  • Labelling of keys and bunching them in a set as in Set1 & Set 2 or Set A & Set B.
  • Record the key numbers, distinct identifier of key of each set in the Key register and both custodians should sign this in the register.
  • Make sure that any movement of keys is recorded in a key movement register, signed by new & old custodians with date and time entry in the register.
  • Ideally key movement entry should be done under CCTV recording and post verification of cash or taking inventory of contents of secured storage by the new custodian.
  • Set 1/A keys custodian can never have access or hold set 2/B keys and vice versa even at a later date when he/she is no longer handling that particular set.
  • Critical keys should never be shared by the custodians to unauthorized custodians/office boys, guards etc.
  • Information about custody of keys should be kept discreet by the custodians.
  • Key movement register should be reviewed on a periodic basis to ensure that it is properly updated and reflects the correct position in respect of keys held by custodians.

Controls for non-critical keys are also important to ensure that there is no disruption in branch functioning and customer service is unaffected. Recording the non-critical keys and maintaining a key hive box for them is a good enough control. However, the branch needs to make sure that access to the key hive box is restricted and key availability is reviewed periodically, e.g. once in six months.

Nilekani invokes Bapu


Update on Aadhaar 

Post the honorable Supreme Court interim order on Aadhaar on August 11, 2015, Nandan Nilekani has made an emotional plea for an appeal against it.

He cites Bapu’s words “Whenever you are in doubt, apply the following test. Recall the face of the poorest and the weakest man you may have seen, and ask yourself if the step you contemplate is going to be of any use to him. Will he gain anything by it? Will it restore him to control over his own life and destiny? Will it lead to swaraj for the hungry and spiritually starving millions?”

Let’s go deeper into the arguments provided in the article and their implications for Banks, telecom companies and common people like us.

Brief Re-cap

The key concern on the scheme is that the very collection of such bio-metric data is violative of the “right to privacy”. Petitioners assert that the right to privacy is implied under Article 21 of the Constitution of India, and some petitioners assert that such a right emanates not only from Article 21 but also from various other articles embodying the fundamental rights guaranteed under Part-III of the Constitution of India.

However, as per Government’s reply to the court:

  1. Attorney General representing government of India stated to the court that the existence of the fundamental right to privacy is doubtful.
  2. There are numerous judgements which touch the topic of Right to Privacy and have had divergent view on the Right to Privacy. Most importantly, all of these judgements were rendered by smaller benches of two or three Judges.

Hence, there is a major disconnect with respect to the Right to Privacy, and a larger bench (Constitutional Bench) should take a decision on the two key open items:

  • Is there any “right to privacy” guaranteed under our Constitution.
  • If such a right exists, what is the source and what are the contours of such a right as there is no express provision in the Constitution adumbrating the right to privacy

The Court, in its Interim Order of August 11, 2015, restricted the usage of Aadhaar data, and in response came this emotional article from Mr. Nilekani.

Interim order Vs Nilekani’s arguments

Following is the detailed analysis of his arguments against each component of SC order

S.No. Court Judgement   –   Nandan Nilekani arguments    –    Implications
1. Court: The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card

Nilekani: Ok

Implications: Aadhaar is non-mandatory document. However, already 91% of citizens have Aadhaar number and it is estimated that by March 2016, all the citizens will be enrolled practically defeating any voice against it.

2. Court: The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen

Nilekani: Ok

Implications: Since, benefits are sought by the section of society who is illiterate, limited financial means and unable to voice their concerns, the implementation depends solely on intent of government officials.

3. Court: The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of food grains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme

Nilekani: Disagrees. There is no logic of restricting the Aadhaar use to only these schemes. There are numerous other schemes for benefit of poor like-Allowing e-KYC for Bank Account opening, Bio-metric attendance, MNREGA, e-Sign etc.

Implications: Benefits of opening up other uses of Aadhaar, and allowing use of Aadhaar data for other government schemes weighs heavier than the potential harms that the leakage of this data presents.

4. Court : The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation.

Nilekani:

  • Aadhaar is voluntary;
  • Data from UIDAI is not shared with any Bank or telecom company;
  • UIDAI only registers that an authentication was sought for a particular ID; the purpose of authentication is not shared with UIDAI, i.e. customer profiling is not done;
  • Customer is intimated every time his details are authenticated by an external agency;
  • Customer has the option of locking his/her Aadhaar number, blocking authentication attempts by anyone.

Implications: Government needs to review the privacy concerns related to Aadhaar and take a call. The benefits of Aadhaar can bring in paradigm shift in the way subsidy reaches the target segment; bring in simplification of processes and a major impetus to financial inclusion.

Conclusion

Unique ID for citizens was conceptualized in the aftermath of Kargil war. It was envisaged that the repeat incidence like Kargil intrusion can be prevented by issuing a unique ID to all residents in the border areas. However, in the present scenario, the benefits of Aadhaar are numerous and not just restricted to prevent border intrusions. Telecom penetration and internet reach has opened avenues which were not foreseen before and today Aadhaar promises in manifold benefits and paradigm shift in solving numerous social problems. However, concern for privacy is present among the citizens, which needs to be allayed by government not just through verbal statements but by actions which are transparent and are done in consultation with all stakeholders.

Volkswagen cheats Environmental Protection Agency: What went wrong


The news that Volkswagen, the second largest automobile manufacturer, which owns luxury brands like Audi, Bentley, Bugatti, Lamborghini and Porsche, is involved in fiddling with its emission control system to deceive the regulator is appalling.

Volkswagen has been accused of planting software in its popular diesel cars (Audi A3, VW Beetle, VW Jetta, VW Passat and VW Golf) which automatically senses if the car is being subjected to emission testing. As soon as the software senses that the car is undergoing an emission test, it turns on emission control, helping the car pass the test. And deviously, when it notices that the emission test is over and the car is operating under normal conditions, it turns off the emission control, which makes the car spew out as much as 40 times the level of pollutants allowed under the clean air rules of the U.S. Environmental Protection Agency (E.P.A.).

This is plain fraud, a gross misrepresentation, and a scam which plays havoc with people’s health. It is not clear if the software has been planted in the cars sold in U.S only or to all the countries where these cars are being currently sold. Interestingly, if it becomes clear that the cars do not have the software in other countries where emission control norms are not as stringent as in U.S., it will be apparent that this fraud has been done with due care and with knowledge of senior management.

Consequently, Volkswagen now faces a huge penalty of up to $8 billion which is roughly 70% of its yearly profit of $12.3 billion. This is a huge cost that the shareholders will have to bear for the decisions that the Volkswagen top management undertook, all the while claiming to be “decreasing emissions one tree at a time” and claiming to be technologically advanced and responsible towards environment protection through “Think Blue”.

Why did Volkswagen cheat

Volkswagen is the second largest automobile manufacturer in the world and it aims to become number one. To become number one player in the automobile industry, it needs to be amongst the top 3 auto companies in U.S., the second largest market in the world after China.

Volkswagen has not been able to make a cut in the U.S. market and is presently number four behind Ford, General Motors and Toyota. Martin Winterkorn the Chairman of Volkswagen laid out in 2007, a plan to surpass both General Motors and Toyota and become the largest automobile maker in the world. For this plan to succeed, Volkswagen needed to sell three times as many cars in U.S. as it sold in 2008. This was a very ambitious target.

To crack the tough U.S. diesel car market, which has some of the stiffest emission norms, it chose a shortcut rather than doing the research and development needed to come up with better engines for its cars.

What went wrong

This fraud points towards how weak the company’s controls are, and has huge implications for the company’s claimed compliance with Germany’s KonTraG, the German law on control and transparency. As per Volkswagen’s annual report for 2013, the company’s Early Warning System (EWS) is in line with the requirements of the Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG) and meets its requirements.

What is Internal Control

Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to reasonably manage risk affecting the achievement of objectives in the following categories:

  • Effectiveness, efficiency, economy and accuracy of operations;
  • Reliability and relevance of reporting; and
  • Compliance with applicable laws and regulations

Importance of strong internal controls is not just confined to Banking and insurance industry, but is related to all types of organizations be it pharmaceutical company, a supermarket, an e-commerce company, a NGO, a government department or even a small neighborhood store. The level of complexity and sophistication is what changes when we talk about internal controls across industries, scale of operations and geographies.

Enron, Worldcom, Banco Espirito Santo (BES), Lehman Brothers, Arthur Andersen, Barings Bank, Satyam Computers, Seibu Railway Co., Kanebo Ltd. have one thing in common: weak internal controls. These high-level accounting frauds, excessive and uncontrolled risk taking and weak governance, some of which resulted in total organizational collapse, made governments, regulators, corporations and shareholders particularly concerned about internal controls.

Realizing its importance, most of the major economies of the world have specialized laws which mandate strong internal controls for organizations. The Sarbanes-Oxley Act of 2002 in the U.S., the Companies (Audit, Investigations and Community Enterprise) Act 2004 in the U.K., the Companies Act 2013 in India, the Financial Instruments and Exchange Act (J-SOX) in Japan, the Strong Economy Act (C-SOX) in Canada and KonTraG in Germany are the laws enacted in the respective countries to make sure governance and internal controls are robust and the interests of shareholders, employees and the general public are safeguarded.

Frameworks for Internal Control

To have strong and watertight internal controls, we have some very good internal control frameworks and these are all globally recognized. These are:

  1. COSO framework developed in United States by Committee of Sponsoring Organizations of Treadway Commission;
  2. The Turnbull Guidance of directors on U.K’s Combined Code on Corporate governance; and
  3. COCO Framework developed by Criteria of Control Board, Canada

Out of these, COSO framework is the most widely known and followed world over. Interestingly, even Volkswagen follows COSO’s framework for its risk management.

COSO is based on five components which are like foundation with 17 principles defining these components. These five components are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information & Communication
  5. Monitoring Activities

COSO & Volkswagen: Possible weak areas

S.N.   COSO’s Components   –   Volkswagen

1. Control Environment

The first component is all about setting the tone at the top; establishes expected standards of conduct and reinforces expectations. Standards, procedures, processes and the structures are defined for setting up internal controls. Importance of ethics and integrity are percolated down from top to bottom.

This is possibly where the origin of the weak controls lies: the tone from the top was not able to assert that the goal of achieving the largest market share and becoming the largest automobile company in the world was to be achieved without sacrificing ethical standards or compromising the integrity of the organization.

2. Risk Assessment

Objectives are set for each line of function so that it is clear to all the employees what is the end state that the organization is seeking to achieve. Keeping these objectives in mind, risks are assessed continually and a culture is driven across all the lines of function which makes it a habit with the employees to identify and assess the risks on periodic basis.

Risks of losing face and damaging the reputation are one of the biggest stumbling blocks in achieving the objectives of becoming the largest car maker. Customers who can afford cars are also aware about environmental concerns and when these customers get to know that VW has adopted fraudulent practices, the acceptance of brand goes for a toss. In the highly competitive automobile industry, brand associations are very important. Customer would never want to drive a car which employs dubious policies and fools even government regulators. What is the proof that company is not duping its customers as well?
3 Control Activities

These are the actions which help ensure that the risks are managed to achieve the objectives set earlier and in line with the tone from the Top. Control activities can be preventive or detective, or manual or automated. Control activities also include segregation of duties, periodic reviews, authorization matrices etc.

It seems the risks of being seen on the wrong side of law were not assessed. Or possibly, if they were assessed, the mitigants could have been weak detection capabilities at E.P.A and rightly so, it took years to detect these devious means adopted by one of the most respected car makers of the world. Volkswagen may have believed that E.P.A will never be able to detect this software.
4 Information & Communication

Information is the thread which keeps the five components of internal control bonded together.  Information between various stakeholders, inter group, intra group, top to down, bottom to top is very critical in ensuring robust internal controls.

Information and communication is important and helps to plug such illegal acts within an organization, provided, information flows freely from top to bottom and vice versa.
5 Monitoring Activities

These are periodic reviews to ascertain whether components of internal controls are all functioning and producing desired controls. These reviews can be on-going or periodic with a defined frequency. These result in feedback mechanisms to all the stakeholders on status of internal controls.

Monitoring activities clearly have failed to bring this risk up and flag off at senior most level. Only investigations will be able to reveal if senior management had taken a call to ignore this risk and were aware of this risk all along.

Conclusion

Every time we read the annual reports of these large corporations, we get an assurance from the auditors that the internal controls of the companies are strong and everything is hunky-dory, but still every now and then we hear news pertaining to large corporations like Toshiba in July 2015, and now this latest fraud involving Volkswagen deceiving the environmental regulator.

Auditors will need to sharpen their skills and keep up to date with the latest technologies, including software capabilities that can be hiding in key components, and other such modern means of warfare that executives use to fool governments, regulators, shareholders and even fellow employees.

Strong internal controls help everyone: they help executives and senior management achieve their ambitious objectives in a sustainable manner; they instil faith in shareholders and regulators about the company, who in turn listen to the industry’s and top management’s genuine constraints and challenges; and finally they help customers as well, who purchase the company’s products with the confidence that the company has high ethical standards and unblemished integrity.

Aadhaar: SC Interim order-Implications for Banks & Telecom companies


Background

The Government of India is collecting and compiling both the demographic and bio-metric data of all residents, to be used for various purposes. This is being collected and stored under the UIDAI (Unique Identification Authority of India).

Several petitions have been filed in various courts against this enrollment, and some of these have been clubbed together and are being heard by the Supreme Court of India.

Key concerns

The key concern with the scheme is that the very collection of such bio-metric data violates the “right to privacy”. Petitioners assert that the right to privacy is implied under Article 21 of the Constitution of India, and some petitioners assert that such a right emanates not only from Article 21 but also from various other articles embodying the fundamental rights guaranteed under Part III of the Constitution of India. However:

  • The Attorney General, representing the Government of India, stated to the court that the existence of a fundamental right to privacy is doubtful.
  • There are numerous judgments which touch on the topic of the Right to Privacy and have taken divergent views on it. Most importantly, all of these judgments were rendered by smaller benches of two or three judges.

Hence, there is a major disconnect with respect to the Right to Privacy, and a larger bench (Constitutional Bench) should decide the two key open items:

  • Is there any “right to privacy” guaranteed under our Constitution?
  • If such a right exists, what is its source and what are its contours, given that there is no express provision in the Constitution adumbrating the right to privacy?

There have been two interim orders in this case till now. These are summarized below.

Interim orders

I. Interim Order (i), dated 23 September 2013

No person should suffer for not having an Aadhaar card, and the Aadhaar card is not mandatory for availing any government scheme.

II. Interim Order (ii), dated 11 August 2015 (latest)

The Attorney General asserted in the court that the government does not share any personal information of an Aadhaar card holder, through bio-metrics or otherwise, with any other person or authority. Further, the Aadhaar card is of great benefit since it ensures effective implementation of several social benefit schemes of the Government like MNREGA, the distribution of food, ration and kerosene through the PDS system, and the grant of subsidies in the distribution of LPG. He further stated that the Government would ensure that Aadhaar cards are issued only on a consensual basis, after informing the public at large that the preparation of an Aadhaar card involves the parting of the individual’s bio-metric information, which shall however not be used for any purpose other than social benefit schemes.

The court ordered that:

  1. The Union of India shall give wide publicity in the electronic and print media, including radio and television networks, that it is not mandatory for a citizen to obtain an Aadhaar card;
  2. The production of an Aadhaar card will not be a condition for obtaining any benefits otherwise due to a citizen;
  3. The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme, and in particular for the purpose of distribution of food grains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
  4. The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.

Conclusion & Impact Analysis

Aadhaar promises a paradigm shift in the way citizen information is captured in one database, and promises to be one of the most revolutionary channels through which financial inclusion and eradication of poverty will take place in the country. Broadly, it has the following uses:

  • It can be used as a KYC document as per the RBI circular;
  • It is a unique number for any individual, hence Direct Benefit Transfers can be executed; and
  • It has bio-metric and demographic details which can be cross-verified under the Authentication Services envisaged by UIDAI.

Immediate impact for Banks & telecom companies

  1. The court has ordered the government to make sure that Aadhaar data is not released to any individual/entity except as directed by a court for the purpose of criminal investigation.
     Impact categorization: Limited impact
     Remarks:
     • At present, the government is not giving access to this data to any individual or authority.
     • Authentication services may get impacted and can be delayed.
  2. The court has categorically ruled that no beneficial service to citizens can be withheld citing absence of Aadhaar.
     Impact categorization: No impact, but has compliance implications
     Remarks:
     • Banks & telecom companies cannot refuse any service (advances, providing liability products, issuance of SIM) citing absence of Aadhaar.
  3. Tagging of all MFI customers with Aadhaar.
     Impact categorization: No impact
     Remarks:
     • As followed by all registered MFIs, the tagging of MFI customers can continue, helping to enrich the Credit Bureau database and ultimately providing a key input to judge the leverage of the customers.

Possible future outcomes

In future, if the court orders that citizens of India have a Right to Privacy, it may affect the following aspects:

  1. Aadhaar is termed illegal by the Supreme Court and is ordered to be scrapped.
     Probability: Very low
     Impact: Negative impact
     Remarks:
     • Since the “Right to Privacy” has wider ramifications and this right is not explicitly mentioned in the Constitution, there is a low probability that Aadhaar will be termed illegal. At the very most, safeguards may be put in by the SC for safeguarding citizens’ rights.
  2. Further enrolments may be stopped.
     Probability: Very low
     Impact: Will have a limited impact since around 90% of the population already has an Aadhaar card
     Remarks:
     • The NDA government has also continued with the UIDAI project.
  3. The government may be constrained to store the Aadhaar data in secured servers located in India.
     Probability: High
     Impact: Neutral to positive impact
     Remarks:
     • A welcome step since it strengthens the confidence of citizens in their well-being;
     • Improves the enrollment figures of privacy-conscious customers in cities, and customers can provide their Aadhaar number without any fear.
  4. Agencies/individuals may have no or limited access for conducting basic cross-verification/authentication of customers.
     Probability: Probable
     Impact: Negative impact
     Remarks:
     • Cross-verification/authentication of customer details will get impacted.
  5. Agencies/individuals may have basic access which provides a confirmation from UIDAI that only indicates, as Yes or No, whether the input present with the agency/authority matches the enrollment data. E.g. agencies can get confirmation that the key fields they enter for a customer match the UIDAI data.
     Probability: Likely
     Impact: Positive impact
     Remarks:
     • It will provide key confirmation on unique identifiers and hence is very useful for Banks and other institutions.
  6. Agencies/individuals may have sufficient access for conducting basic cross-verification of customers with prior documented customer consent. Also, the UIDAI number may be linked with external inputs like loans, salary, tax returns, spending pattern, court cases etc.
     Probability: Unlikely
     Impact: Positive impact
     Remarks:
     • This will be the most liberal policy and will be positive for Banks and other institutions which require cross-verification/authentication of customer details.

The Supreme Court’s interim order is a step in the right direction, coercing the government to come clean on the Right to Privacy, or at least to allay the fears that citizens have about their privacy. While Aadhaar is no doubt a panacea in light of the massive telecom penetration and availability of internet (albeit 2G), the privacy concerns need to be addressed before full-fledged use of Aadhaar can be offered to all citizens.