Rajnish: Anindya welcome to the podcast and thanks for coming over.

Anindya: Thanks Rajnish and greetings to you and your listeners on world Energy Environment Week. I'm delighted to share my thoughts on the subject, but I would like to just place a key caveat that this should not be construed to be the views of Shell. Thank you.

Rajnish: My first question to you Anindya. How do you think a carbon price can help abate emissions?

Anindya: Yeah, that's a great question Rajneesh and there is a short answer and a slightly more evolved answer, so let me attempt both. The short answer is that greenhouse gas emissions carbon emissions have an externality, and the cost is borne by the society, and not necessarily by the emitter. Carbon pricing strives to place a cost on the emitter and thereby putting the sort of cost where the burden is. But if you sort of dig up a little deeper, the whole carbon pricing policy intervention is a clear nudge that Governments can give to various players across the economy on what they need to do. And there's various aspects that we should explore in this context, first is the competitive disadvantage of the first movers. There are companies right now who are contemplating climate action, but they find that such action involves costs which brings in a competitive disadvantage to them vis a vis with their competitors and therefore they do think twice before implementing major programs. A carbon pricing across a sector will ensure that all sector players are having the same level playing field and start taking the same steps and ideally this moves into an economy wide coverage, so I think that's very important to make sure that the early movers don't get disadvantaged. Secondly, there is a policy outlook signalling that this is very important. Companies right now are struggling to see what the pricing, carbon pricing or any compliance framework will look like in the coming years and decades. So, if the government can clearly indicate that this is going to be the carbon pricing methodology that the government will adopt and how it will progressively change over time, companies will be in a position to make the right technology choices back to green technology and make their investments that are well tested against such a carbon pricing regime. On the case on this case, also another aspect we need to talk about is resource mobilization. So carbon pricing of course also yields resources for the government whether it's a carbon tax or a market based mechanism like the ETS and the government, then can direct some of this to supporting new technologies. Green technologies that are not proven, for example, if it wants to support offshore wind or biofuels but also maybe use it to address the needs of just transition, so there are going to be sections of society which will be burdened by higher cost of the energy transition and some of this will be available for that. Another aspect I think we should also consider when talking about carbon pricing is globally various countries are adopting carbon pricing where there's tax or emissions traded systems and to make sure that there are no carbon leakages these countries are likely to impose a border adjustment mechanism as Europe is considering. So, if Indian companies have to operate or export into these markets then they'll have to demonstrate that they have carbon pricing domestically. So that's very important for Indian companies to achieve, I mean India has a huge trade with Europe for example of 36 or $37 billion and the part of that will get impacted by this. And the other advantage of integrating to global markets is that Indian players will have access to much deeper and wider markets for carbon offsets. For example, they are on the buy side or sell side.

Rajnish: So Anindya I agree with you, I think carbon prices are the talk of the day. Now the big question basically, which is there when you look in the case of India is should India go for a carbon tax or should it go for an emission based or a market based trading mechanism? What do you think are the pros and cons to the two and you refer to that while you're answering the earlier question?

Anindya: Yes, indeed, these are the two popular models which various countries have experimented with over the last several years. So, the advantage for India is that India can certainly benefit from the experiences of these countries and get sort of rich learnings out of it. Carbon tax in terms of implementation is perhaps much less complex, though politically less acceptable because it's it will be very transparently seen to be adding to the cost to the customers or taxpayers, as the case may be also, it needs to sit within the existing taxation framework and jurisdictional sensitivities, and I know Ernst & Young has already presented an analysis on how this can be done. As for emissions trading, there is a possibility that the existing market-based mechanisms for energy efficiency, which is the path scheme and the eCerts and the renewable energy, which is the RPO and RECs, could be brought under a carbon framework which could then be expanded to a functional emissions trading scheme. However, the complexities of the market design that address the needs of a progressive decarbonization without causing market failure needs to be carefully considered.

Rajnish: I agree with you Anindya, I think carbon taxes are easier and as you gave there are pros and cons to each of the approach. Now, given that we have a blank piece of paper in India as of this point of time, what would be your advice to our clients as to how they should think about this and go ahead?

Anindya: Indeed, that's a very important I think question to consider for countries so companies at this point in time as various regulatory changes are likely to happen in the coming future. Well, one can never be certain as to when a compliance framework for carbon will emerge in India, but we have seen a compliance framework in energy efficiency and renewable energy that was successfully implemented. We are also hearing of an RPO type framework for green hydrogen progressive Indian companies are already beginning their decarbonization journeys by implementing internal carbon pricing. CDP's annual report mentions 31 companies already having an internal common price or companies are signing up to the SBTI's or making commitments under RE 100 EP 100 EV 100 type commitments. But to ensure a sustainable future and a social license to operate, companies will need to transparently share their plans to adhere to carbon budgets available so as to achieve the climate action goals agreed by the international community such companies will withstand any shocks that could credibly arise from external carbon pricing, whether through taxes or market-based mechanism.

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: How fintech companies are dealing with new data security challenges

09 min | 20 September 2023

In conversation with:

Aniket Bhosle
EY India Cybersecurity Consulting Partner

Pallavi: Welcome to a new episode of the EY India Insights podcast series on ‘Gateway to data privacy and protection’. I am Pallavi, your host, and today we delve into the evolving landscape of data security challenges in the fintech sector. Joining us is an esteemed guest, Aniket Bhosle, Cybersecurity Consulting Partner at EY India. Aniket's expertise spans vital domains, including payment security teams, secure architecture, and innovative IT security services. He skillfully analyzes risk factors, designing secure architectures for diverse businesses. With 14+ years of experience, Aniket optimizes security operations and enhances customer data protection with his understanding of finance-technology intersection. Welcome to our podcast, Aniket.

Aniket: Thanks Pallavi. Pleasure to be here and share my thoughts with you.

Pallavi: FinTech firms (fintechs) have become ubiquitous to banks, insurance companies and NBFCs, but they are also facing data challenges. Could you tell us about the current data security challenges that fintechs are facing?

Aniket: FinTechs have opened up numerous possibilities to enable the growth of the financial services sector— not just in India, but globally as well. Today, some of the leading banks or NBFCs in our country have more than one fintech partner that they work with. This has opened up these organizations’ technical perimeter to fintechs and they are dependent on the fintech security practices as well. As this perimeter opens up, data flows in and out of the fintechs’ setup seamlessly without even the end customer knowing where the data is, in most cases. Depending on the fintech’s hosting model, data security, and in general, the security challenges that emerge will vary depending on the relationships. Data discoverability and knowing what data flows where is one of the primary challenges.

If you look at data protection, whether it is about classifying the data or encrypting the data elements or even tokenizing them, it is one of the challenges that needs to be addressed. This is complex for a fintech (to do) as different organizations that they cater to may have their own policies and control requirements.

Sharing of encryption key was yet another challenging area for fintechs, particularly (with) the banks. But in the recent past, a few fintechs have started providing access to the keys or are using the client’s key to encrypt the data.

Pallavi: Thank you for outlining those challenges, Aniket. Adding to the earlier question, lending fintechs have gathered a lot of data from consumers. How safe is the data?

Aniket: In the account aggregator ecosystem of our country, initiatives like Open Credit and Enablement Network or OECN are changing the way in which credit is given. The kind of data decisions that some of the fintechs take are as good or even more powerful than what credit rating agencies in the country have.

There are regulations that prevent storage and misuse of this data. There are guardrails in place, but these practices need to be sustained on an ongoing basis. Typically, whenever there is a new security initiative, it is implemented with great rigor, but ongoing sustenance and refreshing the program is where things begin to come apart. The safety of data depends on fintechs’ ongoing sustenance practices.

Pallavi: Does the use of Software-as-a-Service (SaaS)-based application increase our cybersecurity risk?

Aniket: SaaS-based applications bring a lot of benefits of fast to go lifelines, being cost effective, lesser overheads for developing and managing the tech stack and just leaving it to the domain experts... But with every new application being added, the attack surface is going to increase.

Whether you host within your enterprise or in a fintech, it is definitely increasing the attack surface. So, diligence is required in the security practices of different techs. Depending on the arrangement, it could either be an independent assurance, as is the practice generally, or the organizations do a review themselves on the security practices.

So far, we have spoken about one organization, either a bank or an NBFC working with one or more fintechs. But from a fintech’s perspective, they are working back with many financial services organizations in the country. If there is a flaw in one of their applications, there could be a systemic risk that is introduced. Imagine if there is a breach at the fintech and a malicious code is injected into one of their applications; it is going to cause a major risk to the financial services ecosystem. So, diligence is required beyond the usual point in time vulnerability assessment requirements that the industry is used to.

Controls around code management or identity access management also need to be looked at. Practices like obtaining software assurance or ISO 27001 certificates should be looked at for increasing their (fintechs’) client’s confidence in their technology, risk, and cybersecurity practice.

Pallavi: What are the current regulations related to the data that fintechs need to consider?

Aniket: Today, fintechs in the country are not directly regulated. There are regulations that are being passed to them via their clients, which could be banks or NBFCs. There are regulations such as the one around data localization, and aspects of card data tokenization, which ultimately have to be implemented at the data element level by the fintechs.

If you look at the card data tokenization specifically, it provides us a benefit as customers from a security standpoint and also limits the cost of compliance for the entire ecosystem.

Initially, there were challenges in implementing these regulations, but gradually, we are reaching a steady state. The fintechs have to live through this journey as well. With their security practices, they have to make sure that they understand, interpret, and stay in close touch with their clients to understand how some of these nuances are to be implemented.

The Data Privacy and Protection Bill will have to be tracked very closely as well. FinTechs will largely be data processors in the data privacy context. The challenge will arise if there is room for interpretation. Different clients of fintechs will come up with their own interpretation and different control requirements. That is something that the fintechs will have to keep in mind. The Reserve Bank of India is also exploring regulation of fintech entities. When that happens, investments will be required to both implement compliance and also to demonstrate compliance on an ongoing basis.

Pallavi: Thank you, Aniket, for sharing all these insights with us and spending the time to let us know the data security challenges in the fintech sector.

Aniket: Thank you so much, Pallavi. It was my pleasure.

Pallavi: Thank you. On that note, we come to the end of this episode, and if you would like us to explore other such topics on data security and privacy, please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in and goodbye for now.

Back to podcast

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY | Assurance | Consulting | Strategy and Transactions | Tax

About EY

EY is a global leader in assurance, consulting, strategy and transactions, and tax services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EYG/OC/FEA no.

ED MMYY

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

Topics

General

People

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: How fintech companies are dealing with new data security challenges

09 min | 20 September 2023

Back to podcast

Welcome to EY.com

Topics

General

People

Trending

Back to podcast

Podcast transcript: Digital Personal Data Protection Act: How fintech companies are dealing with new data security challenges

09 min | 20 September 2023

Back to podcast