Music on the Block: How Music Artists can Benefit from Blockchain Technology

All of us make use of music streaming services quite frequently. But have we ever stopped to wonder how the creators or artists get paid for their music? More often than not, music artists are forced to settle with modest royalty earnings. Nevertheless, the advent of blockchain technology has ushered in a new era and this technology has the potential to ensure that music artists get adequate compensation for their efforts and talent.

All have enjoyed music throughout the ages. The music industry has evolved from EP records to Cassettes to CDs to MP3s. Currently, music is enjoyed predominantly via digital streaming platforms such as Spotify, and Apple Music, and closer home services such as Airtel Wynk, Times Music, JioSaavn, etc.

However, the growth in streaming services like Spotify has not benefited individual artists who typically receive very little royalty overall because of slowing album sales. Taylor Swift, a famous musician, went to the extent of removing her music from Spotify due to the low per-stream royalty.

The advent of blockchain technology has set the stage for the music industry to undergo another evolution. With the blockchain, artists can create a token-based economy where the value is derived from an artist’s work. When a token is created, the artists convert their intellectual property into a financial asset that all of us can purchase. All holders of this token receive a portion of the artists’ revenue. Hence the more consumers of the content, the higher the token’s value. An artist thus can raise revenue through the launch of a token.

Tokenization of the asset also assists in the removal of the middleman. Currently, recording labels take away the majority of the gains. Recording labels also act as hindrances many a time for the entry of new artists into the business. A system based on blockchain eliminates the middleman, thus putting the power back into the hands of the creators. Funds are raised by fans rather than the recording label via tokenization. The flip side of this model is the lack of users.

A few platforms exist such as Theta.tv,  the YouTube of Web 3.0, or Audius (which is said to be the equivalent of Spotify or Apple Music). Having used these platforms, it is safe to say that though there is a vast scope, their success and similar platforms will depend on the consumers or users.

Artists can also utilize Non-Fungible Tokens (“NFT”) to create a new vertical of revenue generation from their work. Purchasing music as NFTs holds much value for both the creator and the collector. For one, there is a transfer of ownership.

In a world driven by music streaming, the conundrum arises of why a purchase of the rights in music would be required. The answer, as always, lies in the monetization of the asset. The purchaser sees value in buying the rights and reselling them later for a potential profit. Such music NFTs benefit artists at both the initial sale pricing and the secondary sales. Artists can earn from secondary sales in the form of royalties, especially if the underlying smart contract attached to the music NFT is so that they can earn future royalties on such sales.

Platforms such as Async.art help artists mint NFTs of their musical works, and Catalog Works let music fans bid on digital records. Award-winning artist, Ross Golan who has worked with renowned artists like Ariana Grande and Justin Bieber, and rock bands such as Maroon 5 and Linkin Park, also recently minted The World’s First NFT Musical, The Wrong Man.  

There is still much grey area regarding the synergy between blockchain and music. However, the benefits, as well as the various avenues, are something that cannot be denied. In time, we are confident of innovative music-focused NFT projects, which will hopefully allow the creators or artists to get the compensation they deserve for their craft.

Image Credits:

Photo by Matthias Groeneveld: https://www.pexels.com/photo/set-of-retro-vinyl-records-on-table-4200745/

The advent of blockchain technology has set the stage for the music industry to undergo another evolution. With the blockchain, artists can create a token-based economy where the value is derived from an artist’s work. When a token is created, the artists convert their intellectual property into a financial asset that all of us can purchase. All holders of this token receive a portion of the artists’ revenue. Hence the more consumers of the content, the higher the token’s value. An artist thus can raise revenue through the launch of a token.

POST A COMMENT

The Curious Case of the Robolawyer (No, it's not a Perry Mason Novel!)

With the advent of technology, there is a drastic increase in the use of AI (Artificial Intelligence) which has significantly altered the way technology is perceived and will have a far-reaching impact in the future. Hence, it becomes necessary to try to minimize its shortcomings and make prudent use of the technology.

I do not know how many of you have heard of Joshua Browder, the 26-year-old founder of DoNotPay, a US-based venture that has developed a “robolawyer”- essentially an AI-powered bot that helps users in use cases such as appealing vehicle parking tickets, negotiating airline ticket refunds, and contesting service provider bills. Although the app was first released in 2015, to be honest, until recently, I too had not heard of him or the app!

My curiosity was piqued when I recently read the news that his company is willing to pay a million US dollars to any person or lawyer willing to repeat verbatim in front of the Supreme Court judge all that their robolawyer asks them to. It remains to be seen whether someone will take Josh up on that offer, whether the US Supreme Court will grant permission and what the outcome will be. However, it is being reported in the media that the DoNotPay app will help two defendants argue speeding tickets in US courts next month. The company has promised to pay the fines on behalf of the users if the robolawyer loses their appeals.

The app runs on the AI model known as “Generative Pre-trained Transformer” or GPT. This is the same technology that runs ChatGPT, which reportedly hit a million users in less than a week of its launch. AI technologies are constantly improving, and there is now greater emphasis on “ethics” and “explainability.” Essentially, the software must be able to explain how it arrived at a certain conclusion or output. This is important to minimize, if not altogether eliminate, the risk of biases and prejudices that creep into AI software simply because it is trained using hundreds of millions of content elements on the web (articles, images, reports, videos, etc.) that were all created by humans, and as such, carry the individual beliefs, prejudices, convictions, etc. of their original creators.

Over the coming decades, AI will shake up many fields including legal practice, healthcare, finance, etc. Not all fields will be impacted at the same pace or to the same extent but change they will. Already, AI is being used by healthcare professionals in improving the efficacy of diagnosis and confirmation of lines of treatment. Law firms too are beginning to use AI to simplify the tedium of the process of trawling through case laws and legal judgments to identify precedents and the reasoning of the benches involved. Soon, lawyers will simply be able to type in questions into ChatGPT, which will provide well-reasoned answers in a matter of minutes. Of course, the real skill will be to ask the right questions and figure out how sensible the answers are, and decide on further courses of action. Think of it as an advocate briefing a senior lawyer before the latter argues in court.

Half-baked knowledge is dangerous. For many years, patients (and/or caregivers) have used search engines to find information about symptoms, diagnostic tests, and lines of treatment and then argue with qualified medical professionals about their choices, at times forcing doctors to explain their hypotheses and reasoning. It is quite likely that in the foreseeable future, clients of lawyers and law firms too will be tempted to adopt a similar approach, which means lawyers too will end up spending time and effort on educating clients on matters of law and jurisprudence. Maybe it is worth coming up with new pricing models to dissuade frivolous “brainstorming” and “legal strategy” sessions!

Note to myself: Try out ChatGPT to explore the kind of responses it provides and start preparing for a future that will undoubtedly be more closely linked with AI tools.

References:

[1] Design Application Numbers 274917, 274918, 284680, 276736, 260403

[2] 24 U.S.P.Q.2d (BNA) 1614 (BPAI Apr. 2, 1992)

[3] Apple, Inc. v. Samsung Elecs. Co., 926 F. Supp. 2d 1100 (N.D. Cal. 2013) (partially affirming jury damages award).

[4] US6763497B1

[5] US10915243B2

Image Credits:

Photo by cottonbro studio: https://www.pexels.com/photo/person-using-macbook-3584994/

Over the coming decades, AI will shake up many fields including legal practice, healthcare, finance, etc. Not all fields will be impacted at the same pace or to the same extent but change they will. Already, AI is being used by healthcare professionals in improving the efficacy of diagnosis and confirmation of lines of treatment. Law firms too are beginning to use AI to simplify the tedium of the process of trawling through case laws and legal judgments to identify precedents and the reasoning of the benches involved.

POST A COMMENT

Regulating Online Gaming Intermediaries - The Rules and their Implications

The Ministry of Electronics and Information Technology (MeitY) has released the draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules to bring online gaming intermediaries within the ambit of the IT Rules, 2021.

Background

Online gaming is one of the fastest-growing industries in India with the number of gamers expected to increase by 30 million from 2022 to 2023[1]. Following the increase in the number of users, it has become imperative that appropriate laws are introduced to regularize the online gaming industry. On January 02, 2023, the Ministry of Electronics and Information Technology (“MeitY”) proposed an amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”). The IT Rules, in its current structure, provide regulation for social media intermediaries and significant social media intermediaries. The Draft[2] “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules” (the “Draft”), which is open for consultation from the public, proposes to extend its ambit to ‘online gaming intermediaries’ forming a part of Part II (that relates to other intermediaries).

The Draft defines “online gaming intermediaries” and “online games” but lacks to provide a clear distinction between “games of chance” and “games of skill”, which has been a sticky issue over the years. The Draft further proposes (inter alia) the following changes –

  • All online games would be required to be registered with a ministry-approved self-regulated body by creating a self-regulatory framework, to be registered with MeitY. The self-regulatory body will be responsible for reviewing and registering the online games offered by its members, subject to certain prescribed factors. Games approved by the self-regulatory body may be offered with a visible mark signifying their registration.
  • The proposed rules also mention certain compliances that need to be made by the social media firms such as checking the registration of the online gaming intermediary and consulting the self-regulatory officer before allowing any advertisement on their platform.
  • The online gaming intermediary shall comply with the requirement of due diligence and shall additionally ensure they do not host any online game that does not conform with Indian laws and shall make additional disclosures to the users including the refund and withdrawal policy, financial risks, and other risks associated with gaming, measures that are in place to ensure the safeguarding of deposits, etc.
  • In addition to the above, a new set of due diligence requires compliance with mandatory know-your-customer(KYC) norms for user verification as per Reserve Bank of India norms.
  • Similar to the requirement for social media intermediaries, requirements of appointment of a resident ‘compliance officer’ and ‘grievance officer’ have been mandated along with ‘nodal officers’ for round-the-clock coordination with law enforcement agencies and officers.
  • The online gaming intermediaries need to have a physical address in India and the same is required to be published on their website.

Purpose of the Draft

The purpose of the Draft, if it becomes the law, is to protect the interests of different stakeholders, ensure the safety of players and encourage responsible gaming.  The Draft is also put together to bring about uniformity of laws that online gaming intermediaries may be required to follow by reducing the burden of following state-specific gaming measures making it, not just easier for online gaming intermediaries to comply with the law, but also helps the enforcement agencies since it becomes difficult for the governments of different states to ensure geographical checks are in place. According to the ministry, the final amendments to the IT rules would be notified by April 2023.

Discussions & Implications

While the Draft seems to have been aiming at shaping a burgeoning gaming industry, the concerns around the Draft seem to be supplementing the already existing questions on the existing IT Rules.

At the outset, the question of whether ‘online gaming’ should remain a subject of the ‘States’ (as betting and gambling have traditionally been) or the ‘Centre’, remains unresolved. MeitY had earlier, in affidavits before the High Courts, consistently stated that is not within its purview and power to legislate on the subject and that rests solely on the states. Therefore, the introduction of the Draft without consultation and consensus amongst states seems not quite in line.

The ambiguity further extends to a lack of clarity on whether the Draft bans ‘gambling’. While IT Minister, Rajeev Chandrasekhar stated that “online games that allow wagering on the outcome are effectively a no-go area” there is no clear prohibition on ‘gambling’. The Rules only state, as a part of due diligence, online gaming intermediaries shall make reasonable efforts to ensure that online gaming platforms do not contravene any gambling or betting laws in India, which again differs from state to state.

An online game has been defined in the Draft as a “game that is offered on the Internet and is accessible by a user through a computer resource if he makes a deposit (in cash or in-kind) with the expectation of earning winnings”- In the absence of a definition of “gambling” and “betting” in the Draft and clarity on which category of games are sought to be regulated if the online game for consideration is sought to be regulated on one hand and gambling or betting content is prohibited on the other hand, remains a question[3]. While it may be assumed that the ‘kind’ component in the definition has been introduced to cover ‘non-monetary token’ or ‘online gaming currencies’, it may lead to the consequence where games that do not require any monetary incentive may also be included within the meaning of online games here. The definition can almost broadly cover all ‘gambling games’ within the purview of ‘makes a deposit (in cash or in-kind) with the expectation of earning winnings’. Would that mean that ‘gambling’ is brought within the purview of these Rules?

The Draft classifies online gaming platforms as ‘intermediaries’. Our understanding of the term ‘intermediary’ includes one that acts on behalf of another entity. However, in the case of online gaming platforms, we notice that most of them publish the gaming content themselves and do not host games on behalf of another. In view of the above, in an earlier debate, a government task force submitted a study stating that gaming platforms should be categorized as ‘publishers’ and not as ‘intermediaries’[4]. The question that remains unanswered is why we now bring online platforms within the purview of intermediaries thereby giving them passage to ‘safe harbour protection’ under Section 79 of the IT Act.

Apart from the few above-mentioned points, the Draft may expect push-back from various industry stakeholders on the Government’s over-arching power on issues of revocation of registration of self-regulatory bodies and exercising regulatory power for KYC. It is to be observed therefore how MeitY resolves the already existing issues on the IT Rules pending before the courts and accordingly brings about an amendment to the current online gaming Draft Rules catering to the purpose it mentioned in its notes[5] accompanying the Draft Rules.

An online game has been defined in the Draft as a “game that is offered on the Internet and is accessible by a user through a computer resource if he makes a deposit (in cash or in-kind) with the expectation of earning winnings”- In the absence of a definition of “gambling” and “betting” in the Draft and clarity on which category of games are sought to be regulated if the online game for consideration is sought to be regulated on one hand and gambling or betting content is prohibited on the other hand, remains a question.

POST A COMMENT

Private Sector Fuels India’s Space Economy

The Indian National Space Promotion and Authorization Centre (IN-SPACe) was set up in 2020 as an independent body to oversee regulation of all space related activities in India, including the authorization of private rocket launches. The government’s decision to allow the private sector into India’s space sector was aimed at broad-basing innovation capabilities and speeding up India’s ability to compete in the global market for space technologies- a high-growth market that has historically been dominated by a small number of players from the US and Europe.

This decision seems to be paying off, because India’s private sector has already become quite active across the value chain in the space sector. Nearly 300 entities are already registered with IN-SPACe, of which 30% are startups. On 18th November 2022, Vikram-S, a small single-stage rocket developed by Hyderabad-based startup Skyroot Aerospace, was successfully flight tested. This marks the beginning of “Prarambh”, the company’s sub-orbital mission. By year-end, Chennai-based Agnikul Cosmos expects to launch its small rocket too. Pixxel, another space startup, has already launched Shakuntala, India’s first privately built earth imaging satellite and a second satellite Anand. A consortium of L&T and HAL has been awarded a contract to build five PSLVs. This is the first time anyone other than ISRO has been tasked with this key responsibility- an indication of the government’s rising confidence in our private sector. The success is testament to the robust space sector ecosystem being built as a result of close collaboration between ISRO, IN-SPACe, academic institutions, and the private sector (both startups and established companies).

 

Why the Private Sector is Important for India’s Space Economy?

The capability to launch small rockets is critical because smaller rockets can place their payloads in more precise orbits. Also, they can be produced in shorter timelines by using 3D printing technologies. Miniaturization of components means that required functional capabilities can be achieved through smaller satellites. All this means that satellites with specific functional capabilities can be quickly assembled and launched. Smaller rockets can be easily fueled by liquid propellants, which are inherently easier to manage; they are also less prone to vibrations, which can become a challenge for launch vehicles that carry sensitive payloads.

Given rising geopolitical uncertainties, there is now a higher risk of conflicts between countries arising at short notice. Increasingly, wars will be fought using cyberattacks and directed energy weapons to degrade the enemy’s vital assets such as communication satellites and missile defence batteries. Swarms of weaponized drones too will be deployed to target and destroy vital military installations in remote, hard-to-access areas. In such a scenario, it becomes critical that as a country we can launch new satellites and other space assets quickly to replace lost capacities or augment and complement new space-based capabilities that are needed.

ISRO has successfully designed, developed, and launched heavy, multi-stage rockets into space. These technologies/capabilities have helped place many satellites in orbit and in turn, these are playing a key role in India’s development. ISRO has also developed the SSLV (Small Satellite Launch Vehicle), but unfortunately, its technology demonstration mission failed earlier this year. It is this gap that the private sector can help plug at short notice.

 

Public-Private Cooperation is Vital to Power India’s Space Economy

As various countries seek to build/enhance their space-based defence capabilities, countries like India can benefit from commercial contracts to launch satellites/other payloads and conduct defence missions in space. With defence capabilities increasingly relying on assets deployed in space, the evolution of India’s private sector space capabilities will also boost our credibility as a builder of solutions and not just as a provider of reliable, cost-effective space launch services. While ISRO continues to build its reputation as a reliable partner, it needs to scale up its ability to launch satellites for its customers. In October 2022, ISRO successfully launched 36 satellites for UK-based OneWeb (partly owned by the Bharti group), marking the use of the LVM3 rocket; this was also one of ISRO’s largest commercial orders. More such opportunities can come ISRO’s way because satellite-based internet services are rapidly becoming cost-competitive and an easy way to deliver connectivity to far-flung areas where building fibre-based infrastructure is difficult due to terrain and weather conditions.

It is estimated that by 2025, India’s space business will grow to US$12.8 Billion from US$9.6 Billion in 2020 (source: https://timesofindia.indiatimes.com/india/how-indias-space-startups-are-aiming-high/articleshow/95637043.cms). ISRO is a shining example of a public sector entity that has consistently overcome huge odds (including sanctions from time to time) to indigenously develop world-class capabilities in frontier areas like space technologies. Its ability to do much more has arguably been limited by budgetary support. And although launches are the most visible part of a space economy, they are by no means the only facet: design, development, manufacturing, building technology demonstration prototypes etc. are all just as important. Now, with the innovative energies and other resources available to the country’s private sector, significant synergies can be unleashed through public-private partnerships in the space sector.

References: 

Image Credits: Photo by Pixabay: https://www.pexels.com/photo/space-technology-research-science-41006/

With defence capabilities increasingly relying on assets deployed in space, the evolution of India’s private sector space capabilities will also boost our credibility as a builder of solutions and not just as a provider of reliable, cost-effective space launch services. While ISRO continues to build its reputation as a reliable partner, it needs to scale up its ability to launch satellites for its customers.

POST A COMMENT

AI Adoption: Behooves Heightened Responsibility & Higher Ethics

In July 2022, UK-based Artificial Intelligence (AI) firm Peak commissioned a benchmarking survey to study AI adoption in the USA, UK, and India. The study, jointly conducted by the Centre for Economics and Business Research, included 3000 senior decision-makers from companies with at least 100 employees; the survey was augmented by responses from 3000 middle-level staff as well.

A key finding was the inaugural Decision Intelligence (DI) Maturity Index, an indicator of how prepared businesses in these three jurisdictions were to adopt AI for commercial decision-making. The study found that over the past six years, the percentage of companies that have adopted AI technologies stood at 28%, 20% and 25% in the US, UK, and India respectively. While it was only expected that the US would be the leader, it was surprising that when it comes to leveraging AI in commercial areas, Indian companies ranked highest- they scored 64 (out of 100), while those in the US and UK respectively scored 52 and 44. 

The study also found that 18 % of US workers were unsure whether the companies they work for used AI at all; for India this figure stood at 2%. It was also revealing that Indian enterprises embedded data sciences capabilities within commercial teams, while their western counterparts relied more on central data teams[1]. Of course, it must be acknowledged that China is perhaps much further ahead in terms of deploying AI, although we will likely not get to know the details anytime soon.

 

AI will play a major role in how our world evolves

 

Consumers like you and me already experience the power of AI in the form of reminders from fitness apps or what books to read, shows to watch or music to listen etc. Intelligent parking assistance in some cars is another example of AI in action. AI is also at work when we see “deep fake” videos that look and sound so real. AI is not a new field; it has in fact been around since the late 1950s, which is when the term was coined. But it is only in recent years that AI has become less esoteric and more mainstream. 

This shift is due to rapid advances in computing power and speeds as also evolution of models and capabilities around natural language processing, voice recognition, machine vision and other allied areas. It is this pace and nature of AI evolution that gives experts the confidence that AI will play a key role in economic and social development, delivery of education and healthcare services, forecasting natural disasters and managing them, national security and much more.

Several national flagship infrastructure backbones in India, including the GST and Income Tax systems, Open Network for Digital Commerce (ONDC), Government e-Marketplace (GeM), the Unified Logistics Interface Platform (ULIP) and the Gati Shakti National Master Plan already have elements of AI embedded in them. India’s private sector too, has been actively working on AI-based projects and products that span different use cases and industry sectors.

 

India is taking steps to prevent unbridled use of AI- but “there are miles to go before we sleep”

 

A couple of decades ago, movie franchises such as “The Matrix” and “The Terminator” conjured up a world where machines take over the world. Today, the world is closer to being at a stage where inadvertent or deliberate misuse of AI can unleash unknowable harm to society. It can be argued that human avarice has already damaged our planet beyond redemption, but we have done that without much help from AI!

There have already been instances reported in media where the use of AI in some applications has thrown up evidence of discrimination and bias-negative traits that are patently human. The companies behind these applications have rolled them back but they signal a clear and present danger. There has also been much debate in recent times about whether AI-based programs are truly “sentient” i.e., capable of feelings. Maybe we are still some years away from truly sentient machines- or maybe they are already here. Either way, it is important to ensure that AI is governed by appropriate ethics to make it “responsible.”

Clearly, AI has great power; it must therefore also be used with great responsibility. “Responsible AI” has many dimensions, including reliability, safety, privacy, transparency, fairness, and accountability. Just as important is for humans to know how an AI system arrived at a certain conclusion or decision. While most of the above have to do with how AI powered devices and applications are designed and built, it is also critical to ensure that ethics govern how these devices and apps are deployed and what they are used for. 

In the absence of such mechanisms (and punitive actions for violators), think of the myriad privacy incursions that can be easily caused by physical surveillance using drones or digital eavesdropping of phone conversations. Even AI-powered software in place to analyze CVs to identify the “best” candidates can be misused to ensure that only candidates of a certain profile are hired.

AI ethics and governance needs to cover more than just individual companies that develop AI tools and applications. All stakeholders must work together to put in place an overarching framework that includes policies, laws, rules, and SOPs to ensure that AI does not become a Pandora’s Box. A key objective must be to ensure that there is mutual trust.

To support India’s burgeoning AI ecosystem, the Niti Ayog has begun to hold consultative discussions. Its report “AI for All” is grounded in the fundamental rights enshrined in India’s constitution. It suggests setting up of an expert committee comprising specialists in AI, cybersecurity, social scientists, law, various industry domains and representatives of government and civil society to create a regulatory/governance framework. 

Such a framework must necessarily be flexible, to accommodate unexpected changes powered by technological innovations. NASSCOM, India’s software industry association, has launched a Responsible AI hub to ensure that key stakeholders are engaged so that broader societal views are considered and factored into strategies and plans related to not just innovations, development, and deployment but also governance.

A survey by IBM Institute for Business Value has found that the responsibility for leading and upholding ethics has shifted to the CEO. 62% of business leaders agree that AI ethics is important to their organizations. It is a given that the world will never be a utopia. It is time that “leaders” in every field from around the world stand up and take necessary steps to prevent the world from becoming an AI-powered dystopia. AI is too important a domain to be left to the whims and fancies of individual countries, companies, or leaders- whether democratic, despotic, megalomaniac, idealistic or somewhere in between.

AI ethics and governance needs to cover more than just individual companies that develop AI tools and applications. All stakeholders must work together to put in place an overarching framework that includes policies, laws, rules, and SOPs to ensure that AI does not become a Pandora’s Box. The key objective must be to ensure that there is mutual trust.

POST A COMMENT

Card Tokenisation: Plugging Personal Information Leaks

Plastic money still captures a large portion of the market share despite the growing use of the Unified Payment Interface (UPI).  Recent data released by the Reserve Bank of India (RBI) indicates that there has been an increase of 16.3% year after year in the usage of debit and credit cards by Indian consumers in the last decade.

Nevertheless, this decade marked a shift to digital technology, augmented by governmental decisions and policies such as demonetisation, the introduction of UPI, and Digital India program, etc. that enabled Indian consumers to make a smooth shift to online payment solutions. The pandemic has also played a big role in this revolution. With face-to-face interaction minimized, the focus on digital products and payments skyrocketed.

Digital transactions are now considered the most sought-after payment mechanism in comparison to hard cash or currency for availing services and goods. As the number of transactions made through a mobile application or platform increases, customers usually prefer to save their card information on the merchant’s site or platform. Information saved on these sites and platforms is critical financial data of consumers and is considered sensitive personal data. The risk of misuse of such sensitive financial data by hackers or fraudsters looms over every individual, and cases of such misuse have garnered the attention of the authorities.

The RBI, through its notification dated 17th March 2020 had made it mandatory for payment aggregators to disable the storage of customer card credentials within the database or server of the company. Though a fixed date for implementation of this rule was not decided, RBI later issued notifications directing merchants to comply with this recommendation of not storing card data by 31st December 2021. Since then, the RBI has been extending the timeline for implementing tokenisation and as of today, the RBI has instructed all parties to delete the card information before 1st October 2022.

Card tokenisation is a process by which sensitive data of the cardholder is removed from the sites/platforms and replaced with randomly generated numbers and letters from the company’s internal network called tokens.


History


The groundwork for regulating this space of online payment and ensuring the safety of cardholders has been in line for a couple of years. As India is yet to formulate a dedicated data protection bill, the safety of a cardholder’s sensitive personal data stored on the merchant’s website was one of the major concerns of cardholders as well as the regulators. Moreover, the increase in data theft and leakage of debit and credit card details of cardholders did not really help in containing the concerns of the stakeholders.

In January 2019, the RBI released a notification whereby it permitted card networks to tokenise. This choice of tokenisation was made optional for the customers, and the permission was extended to all use cases like QR code-based payments, NFC, etc. However, such services could only be offered through mobile phones and tablets, and no other devices were permitted to offer such a facility at that time.

RBI later released the guidelines on the Regulation of Payment Aggregators and Payment Gateways, which made it mandatory for a payment gateway to not store customer card credentials within the database or on the server accessed by the merchant, with effect from 30th June 2021. This move reiterated the importance of safeguarding customer card details and the focus once again shifted to the introduction of a tokenisation scheme. Though the guidelines did not mention specifically tokenisation, they did find mention in the subsequent notification released by the RBI on Payment Aggregators and Payment Gateways on March 31, 2021. The guidelines called upon payment system providers to put in place workable solutions such as tokenisation to safeguard the interests of the cardholder.  In order to eliminate any ambiguity in the definition of ‘payment aggregators’ as defined in the Payment Aggregators Guidelines, the RBI explicitly stated that the Payment Aggregators Guidelines applied to e-commerce marketplaces that engaged in direct payment aggregation, and to that extent, e-commerce online markets that used the services of a payment aggregator were to be regarded as merchants.

The RBI further released a notification in August 2021 amending the 2019 notification by extending the scope of permitted devices that could use tokenisation. The present framework for tokenisation was extended to include consumer devices such as laptops, IOT devices, wearable devices, etc. A subsequent notification issued in September 2021 further allowed card-on files tokenisation. This notification permitted card issuers to offer the services of tokenisation as Token Service Providers (TSPs). The TSPs were permitted to tokenise only those cards that were affiliated with or issued by them. The notification also emphasised that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data from 1st January 2022. Entities were only allowed to store limited data, like the last four digits of the actual card number and the card issuer’s name, for compliance and tracking purposes.

The earlier notification of removing all card details of customers with effect from 30th June 2021 was again extended to 31st December 2021 in view of the huge compliance hassle. This was again extended until 30th June 2022 and finally, the government set the latest deadline on 1st October 2022.


Functioning of Tokens


An e-commerce website, mobile application, or any merchant site for that matter, offers different payment methods to its consumers, which may range from cash to debit/credit card payment to UPI. When it comes to the authentication of the debit or credit card used by the consumer, the entire responsibility for authenticating the same vests is with the Payment Gateway service provider. The e-commerce platform or websites merely act as an intermediary to facilitate the trade and it is the responsibility of the Payment Gateway service provider to provide the technology to these platforms and websites that authenticates the card details. This process of authentication done by the Payment Gateway service provider is known as 2FA i.e., two-factor authentication. The process of authentication involves the registered bank of the customer sending a Time Password (OTP) to the registered phone number of the consumer to close the transaction. The OTP is the key that helps authenticate that the customer is the rightful owner of the card. Upon entering the correct OTP, the Payment Gateway service provider authenticates it and completes the transaction.

In general, a merchant website or an online portal is only allowed to store details like the cardholder’s name, the 16-digit number on the front of the card, the expiration date of the card and the service code, which is located within the magnetic stripe of the card. On the other hand, these portals and sites are strictly prohibited from storing information such as full magnetic stripe information, PIN, PIN Block and CVV/CVC number of the card.

After the guidelines kicked in on October 1, all the card details of individuals stored on the merchant’s website were automatically erased. All information concerning the cardholder, like the expiry date, PAN, etc., is replaced by the token. This token is a one-time alphanumeric number that has no connection with the cardholder’s account. Unlike the previous system, these tokens so generated do not contain any sensitive personal data of the cardholder.

An individual can tokenise his/her card in the following ways:

  1. The individual will have to visit the preferred merchant’s website for the purchase of any goods or services.
  2. The website will then direct the individual to the preferred payment option, and the individual will be able to enter his/her card details and initiate the transaction.
  3. The website will also contain another option called “secure your card as per RBI guidelines,” which basically generates tokens for the card.
  4. As soon as the individual opts for that option, a One-time Password (OTP) will be generated and sent via SMS or email to the individual.
  5. With the OTP being entered, card details are sent to the bank for tokenisation, which is then sent back to the merchant for storing the same for the purpose of customer identification.

The token so generated from one merchant website will not be applicable to every other merchant website. The cardholder will have to create separate tokens for each merchant website, and the use of the same token will not help in initiating the transaction.


Benefits of Tokenisation


Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

Tokenisation helps reduce data theft and leaks, as the tokens are in no way connected to an individual’s personal information. Moreover, the process of replacing sensitive personal information with tokens helps build trust and confidence among consumers.


Effects of these Regulations on the Industry


The RBI is striving to organize payment aggregators by bringing non-banking payment aggregators under its regulation. The RBI’s main goal in introducing these guidelines is to reduce fraud and protect customers’ interests. Placing the burden on payment aggregators to ensure that merchants are genuine and have no malicious intent will go a long way towards removing dishonest merchants from the market and safeguarding customers’ interests.

Payment Aggregators are instructed to credit reimbursements to the primary payment source rather than the e-wallet account. Previously, refunds were credited to an e-wallet, posing a challenge for consumers to utilize the monies somewhere else.

Although the RBI has reduced the required net worth from INR 100 crores to INR 25 crores, it will not be sufficient for small-sized entities (including start-ups) seeking to enter the industry. Many existing players will be forced to exit the market if they fail to meet the net worth requirements. Moreover, small businesses operating as payment aggregators would find it difficult to implement the required baseline technology suggestions owing to the high implementation costs. This will result in the removal of market competition, leading to an oligopoly, which would harm merchants’ interests in the long term.

It can be stated that these guidelines represent an important advancement in the Indian fintech industry and assure that customers’ overall interests are secured.

Conclusion

With the current atmosphere where there is intense scrutiny over an individual’s personal information, the scheme of tokenisation is a breath of relief for a lot of privacy enthusiasts and the public in general.

Image Credits: Photo by energepic.com

Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

POST A COMMENT

The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

 

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education- e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation thus also can impact revenue growth and profitability of various businesses- which is another reason for quickly coming up with new legislation.

 

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data need to be protected, fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to them etc.

Just as important is for the new law to define unambiguously terms like “critical data”, “localization”, “consent”, “users”, “intermediaries” etc. Many companies are establishing their Global Captive Centres (GCCs) in India, to take advantage of the large talent pool and process maturity. Strong laws will encourage more layers to consider this route seriously, thereby adding to jobs and GDP growth. Such investments also make it easier for India to be a part of emerging global supply chains for services (including high-value ones such as R&D and innovation).

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer – worse, they main only remain on paper as grandiose but unfulfilled visions.

Picture Credits: Photo By Fernando Arcos: https://www.pexels.com/photo/white-caution-cone-on-keyboard-211151/ 

While fears of an Orwellian world cannot be overstated, India’s new data privacy/protection legislation must be sufficiently forward-looking and flexible to give our citizens adequate safeguards. 

POST A COMMENT

There is a Tide in the Affairs of Men…and Nations too

Three decades ago, the mobile revolution helped India overcome its communication challenges. Today, mobile phones have become a commodity in India. At least feature phones have, even if smartphones haven’t. But if you are old enough to remember India during the mid-1990s, you will know that India’s fixed line telephone density was very low at that time. Getting new telephone connections was tough, and involved waiting periods that often extended to several months. Due to ageing cables, making telephone calls was a challenge, and even when calls were connected, the quality was poor.  

Mobile communication technologies unleashed a powerful revolution that changed all this. Even far-off locations where laying fixed-line cables was a challenge got access to mobile towers and signals. So huge has been the transformative power of mobile technologies that an entire generation of regulatory reforms, business models and lifestyle paradigms all depend on the ubiquitous mobile phone.

Why is this relevant now?

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones, Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technology in the recorded history of humankind.

The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving. India as a country has the technical and commercial savvy to harness these new technologies and drive innovations. What is needed is the educational and industrial framework to ensure that students get to acquire and sharpen their expertise in these new areas and start applying them to solving real-world problems. The National Education Policy is one step in this direction, but implementing it in the right way is key. Not just the curriculum, but the whole system of education must change. Internships must become more focused and integrated with the learning process, and not just a certificate-driven activity as it largely has been (and is).

It’s not just the central government that needs to act with alacrity and vision; state governments also need to formulate the right policies and rules to ensure that the country as a whole is able to take advantage of the massive disruption that is occurring all around us. Some states have woken up to this need and are putting in place plans to encourage entrepreneurs and attract investments into key sectors. The initial agreement to set up a chip-making facility in Karnataka is one example- but it’s early days yet, and many more hurdles need to be overcome.

The startup ecosystem, too, needs to readjust its approach to backing ventures in these new areas. Yes, the risk will be higher and the failure rate may be higher, but these ventures must be seen as proving grounds for technologies and ideas. Our private sector must also be ready to make the necessary investments to embrace these new technologies and lead innovation and adoption. Our large IT services industry must accelerate the shift to provide offerings built around these new areas. A lot is already happening, but the pace must pick up. India’s public sector, long regarded as a white elephant, can also play a key role by absorbing these technologies and innovatively deploying them in sectors of national importance, such as energy, agriculture, disaster recovery, infrastructure development, defence etc.

Achieving all this requires macroeconomic stability: inflation under control, relatively stable exchange rates and an adequate money supply. For a number of reasons that are outside the control of our government or individual companies, these conditions may not be met immediately. But as responsible citizens, business leaders, regulators, teachers and parents, each one of us has a role to play. Of course, the executive, the legislature and the judiciary also have their own roles to play.

To quote Brutus from Shakespeare’s play “Julius Caesar”,

“There is a tide in the affairs of men
Which, taken at the flood, leads on to fortune;
Omitted, all the voyage of their life
Is bound in shallows and in miseries.
On such a full sea are we now afloat,
And we must take the current when it serves,
Or lose our ventures”.

This is very much the situation that much of the world finds itself in at this time. If we in India can rise to the occasion, our continued ascendancy as a power is assured. But there is many a slip between the cup and the lip, and if we squander time and energy on needless and irrelevant issues, it is just as certain that we will not realise our potential. Let us make the right choice.

Image Credits: Photo by Pete Linforth from Pixabay 

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones and Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technologies in the recorded history of humankind. The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving.

POST A COMMENT

CERT-IN's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction mandates all service providers, government organisations, data centres, intermediaries and body corporates to mandatorily report within 6 hours of noticing or being brought to notice of any cyber incident. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for a list of cyber security incidents that needed to be reported mandatorily by these entities mentioned above. The rules had previously listed 10 different types of cyber security incidents which need to be mandatorily reported. Apart from these 10 types, the new direction has also categorised data breaches, data leaks, attacks on IoT, and payment systems, fake mobile apps, unauthorised access to social media accounts and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3Dand 4D printing, drones as cyber security incidents which should be mandatorily reported. 

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with the CERT-In. The name and other details of the point of contact shall be sent to CERT-In and the entity should also ensure that it is updated every now and then when there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction mandates all entities mentioned in the direction to mandatorily maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and the same should be handed over to the CERT-In in the event of a cyber security incident or any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers to obtain KYC information from their customers. Further, these entities are also obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred. 

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) for synchronisation into the ICT system. Moreover, where ICT infrastructure of the entities are scattered in multiple locations, the entities are free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp

Image Credits: Image by Pete Linforth from Pixabay

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a body corporate in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared to the CERT rules 2013, the new directions have an expanded scope and applicability and a significantly increased compliance bracket for entities.

POST A COMMENT

Cryptocurrency and Money Laundering: Deciphering the Why and the How

The financial sector continues to revel in the advancement of disruptive technological innovations. Due to the attractive rates and fees, ease of access and account setup, variety of innovative products and services, and improved service quality and product features, financial technology is attracting more customers and investors today.[1] Despite the numerous advantages of these sectoral transformations, it is impossible to deny that the digitization and ease with which the internet has enabled all of us to function effectively in our day-to-day work has also created a space for virtual crimes.

Amidst the pioneering fintech revolution, cryptocurrency has emerged as a modern financial technology that can be used to easily launder money. Despite rapid market fluctuations and an uncertain legal status, cryptocurrency continues to captivate Indian investors, who are undeterred and unbothered by the associated risks of cyber fraud.

This article will explore how the crypto market nurtures a convenient and fertile ground for money laundering activities.

 

Cryptocurrency and India

 

The Indian regulatory market has had a hot and cold relationship with cryptocurrency over the years. The RBI, vide Circular DBR.No.BP.BC.104/08.13.102/2017-18 dated April 06, 2018[2], restricted all crypto transactions. However, in 2020, the Supreme Court effectively struck down the ban. As a result, the RBI stated in Circular DOR. AML.REC 18/14.01.001/2021-22 that banks and financial institutions cannot cite the aforementioned circular to warn their customers against dealing in Virtual Currencies. However, it did state that, “Banks, as well as other entities addressed above, may, however, continue to carry out customer due diligence processes in line with regulations governing standards for Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) and obligations of regulated entities under the Prevention of Money Laundering Act (PMLA), 2002, in addition to ensuring compliance with relevant provisions under the Foreign Exchange Management Act (FEMA) for overseas remittances.”[3]

At present, while the talks of implementing comprehensive legislation governing cryptocurrencies have fizzled out, the Union Budget 2022 brought digital currencies under the tax net. As of 2022, the crypto asset market in India stands at an approximated evaluation of 45,000 Crores and 15 million investors[4].

However, it is pertinent to note that it is transactions, not investments, in the digital currency that pose an issue. In India, the Enforcement Directorate discovered over 4,000 crores of such illegal cryptocurrency transactions in 2021. As per the 2022 Crypto Crime Report by blockchain data firm Chainalysis[5], cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021, $6.6 billion in 2020 and $10.9 billion in 2019. Furthermore, the study discovered that at the moment, darknet market sales or ransomware attack profits are virtually derived in cryptocurrency rather than fiat currency, thus significantly contributing to the data. 

Money laundering, terror financing, drug dealing, and other criminal activities are all done using cryptocurrency transactions. Although these transactions are recorded on a blockchain and are traceable, criminals use mixers and tumblers to make it difficult for a third party to track them.

 

The Laundering Mechanism

                           

                                    Eurospider Information Technology AG, “Mixers Tumbler Example,” fig.

For clarity, refer to the above image. Using the OHNE mixer, A sends 20 bitcoins to B, U sends 15 bitcoins to V, and X sends 5 bitcoins to Y. These are single-layer transactions that are simple to trace and identify.

The transaction takes place in a different way in the second image, where the MIT mixer is used. For the sake of brevity, let us consider a single layer of mixer being used. In real life, the number of mixers used is in the thousands. Here, A sends 20 bitcoins to M1, U sends 15 bitcoins to M2 and X sends 5 bitcoins to M3. In the next stage, B receives 20 bitcoins from M2, V receives 15 bitcoins from M1, and Y receives 5 bitcoins from M1. The difference we must notice is that B, V, and Y are receiving the same number of bitcoins as in picture one, but not from A, U and X, respectively. Because there is no information about A sending bitcoins to B, U sending bitcoins to V, or X sending bitcoins to Y, these transactions are not single-layered and are impossible to trace. Hence, making the transaction anonymous.

Criminals use a similar method to send money using cryptocurrencies. Consider the following scenario to gain a better understanding: A, B, C, and Z are cryptocurrency users who keep their coins in their digital wallets. They use the same mixing service to make transactions. A, B, and C are law-abiding citizens, while Z is a criminal involved in drug trafficking. A has to pay X a certain amount of money. X is paid, but the bitcoins he received were deposited by Z, a drug trafficker. When X received the payment, he had no idea that the bitcoins he had were dirty bitcoins and had been used for illegal activities. This is a straightforward explanation of how dirty bitcoins are making their way through the market, paving the way for money laundering. 

 

What can be done?

 

The International Monetary Fund (IMF) has released a report titled “Global Financial Stability Report”[6] which discusses the following details about how cryptocurrencies should be regulated, considering their increasing market capitalization and the growing exposure of banking and financial systems to crypto assets:

  1. Implementation of global standards applicable to crypto-assets should be the key focus area of national policies.
  2. Regulators should identify and control the associated risks of crypto assets, specifically in areas of systemic importance.
  3. Coordination among national regulators is key for effective enforcement and fewer instances of regulatory arbitrage.
  4. Data gaps and monitoring of the crypto ecosystem for better policy decisions should be prioritised by the regulators.

The report also discusses how stablecoins and decentralized finance pose a significant risk to the crypto market and the overall economy if they are not properly regulated and supervised by issuers.

  1. Regulations should be proportionate to the risk and in line with those of global stablecoins.
  2. Coordination is a must, to implement requisite recommendations in the areas of acute risks, enhanced disclosure, independent audit of reserves, and fit and proper rules for network administrators and issuers.

The report also discusses the importance of managing macro-financial risks through:

  1. Enactment of de-dollarization policies, including enhancing monetary policy credibility.
  2. Formulating a sound fiscal position with effective legal and regulatory measures and implementing central bank digital currencies
  3. Reconsidering Capital Flow Restrictions with respect to their effectiveness, supervision, and enforcement

However, according to the report, cryptoization would make finance more cost-effective, quick, and accessible.

There is also an intergovernmental organisation known as the Financial Action Task Force, which is constantly updating its recommendations to maintain legal, regulatory, and operational methods for combating money laundering, terrorism financing, proliferation, and other threats to the integrity of the international financial system. The Financial Action Task Force (FATF) recently released a compliance framework recommending that all anti-money laundering rules that traditional financial systems follow be applied to stable coins, cryptocurrency, and virtual asset service providers. Even though identifying the source of such funds and keeping track of who is the beneficiary of such funds is difficult, countries are still being encouraged to develop provisions that provide for due diligence, record keeping, and the reporting of suspicious transactions.[7]

 

The Legislative Way Forward for India

 

At present, there is no comprehensive legislative framework to govern fintech advancements encompassing blockchain and cryptocurrencies. At best, the present regulatory framework is a patchy, cross-networked arrangement that demands careful deliberations in alignment with the evolving technological innovations in the sector.

The Information Technology Act, 2000:

While the legislation successfully addresses issues like identity theft, hacking, and ransomware and provides a means to tackle the issue of extraterritorial jurisdiction, it is safe to conclude that the serpentine considerations of blockchain cannot be comprehended and addressed by the Act.

The Prevention of Money Laundering Act, 2002 and the Prevention of Money Laundering Rules, 2005

The offences listed in Parts A, B and C of the PMLA Schedule attract the penalties enumerated under the Act.

Part A categorises offences under: Indian Penal Code, Narcotics Drugs and Psychotropic Substances Act, Prevention of Corruption Act, Antiquities and Art Treasures Act, Copyright Act, Trademark Act, Wildlife Protection Act, and Information Technology Act.

Part B enlists offences under Part A with a valuation of Rs 1 crore or more.

Part C exclusively deals with trans-border crimes.

Recently, the Enforcement Directorate attached proceeds of crimes amounting to Rs 135 crores in 7 cases in which the usage of cryptocurrency for money laundering activities was flagged by the authorities.[8]

However, it is pertinent to note that the offences recognised under the respective parts of the schedule only comprise the offences under the current framework of legislation, which is at present not equipped to regulate any segment of cryptocurrency transactions and digital currency operations in the country. 

Foreign Exchange Management Act, 1999

Even though the Act specifies procedures to conduct cross-border and foreign exchange transactions, it fails to identify the role of technology as an instrumental enabler of such transactions at present. However, it is interesting to note that it empowers the RBI to establish a regulatory framework to address the same.

The Payment and Settlement Systems Act, 2007

The PSS Act was enacted with the objective of establishing a regulatory framework for banks and ancillary financial institutions, designating RBI as the nodal authority. Section 4 of the Act states that no payment system shall operate in India without the prior due authorization of the RBI.

Apart from the above-mentioned legislation, regulators like SEBI, Ministry of Electronics and Information Technology (MeitY), Insurance Regulatory and Development Authority of India (IRDAI), and Ministry of Corporate Affairs (MCA) have also undertaken initiatives to implement specialised guidelines. While these regulations deal with the contemporary issues of payments, digital lending and global remittances, none of them has managed to find a concrete ground for effectively supervising and regulating cryptocurrency transactions backed by blockchain in the current volatile ecosystem.

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Furthermore, initiatives should be taken to ensure transparency of such transactions, establish secure authentication transactions for the exchanges and tighten the legislative noose on cyber security systems in the country. Additionally, establishing a centralised statutory body and local self-regulatory bodies across the sovereign, and implementing an extensive centralised framework is also imperative. The current scheme of criminal activities in virtual space transcends geographical boundaries, hence it is crucial for global policymakers to implement mechanisms to ensure coordination and collaboration by institutionalising inter-governmental bodies.

References: 

[1] ‘The Current Landscape Of The Fintech Industry – Fintech Crimes’ (Fintech Crimes, 2022) <https://fintechcrimes.com/the-landscape-of-fintech-in-year-2020/> accessed 9 February 2022.

[2] https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11243&fn=2&Mode=0

[3] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103

[4] https://timesofindia.indiatimes.com/business/india-business/union-budget-2022-no-crypto-bill-listed-this-budget-session/articleshow/89265038.cms

[5] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf

[6] ‘Global Financial Stability Report’ (2021) <https://www.imf.org/en/Publications/GFSR/Issues/2021/10/12/global-financial-stability-report-october-2021> accessed 11 February 2022.

[7] ‘VIRTUAL ASSETS AND VIRTUAL ASSET SERVICE PROVIDERS’ (2021) <https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf> accessed 11 February 2022.

[8] https://economictimes.indiatimes.com/news/india/ed-investigating-7-cases-of-cryptocurrency-usage-in-money-laundering-attaches-rs-135-crore/articleshow/90200012.cms

 

Image Credits: Photo by Bermix Studio on Unsplash

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Further, initiatives should be undertaken to ensure transparency of such transactions, establish secure authentication transactions of the exchanges and tighten the legislative noose on cyber security systems in the country.

POST A COMMENT