Share with Care KYC Protection for Fintech
The Trust Challenge

Key obligations in brief

The Information Technology Act 2000 as amended by the Information Technology (Amendment) Act 2008 (IT Act and IT Amendment Act), along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) rules 2011, define the data protection regulations in India. If any entity collects or processes sensitive personal data pertaining to an individual, it must establish a privacy policy.

Furthermore, the central bank of India, that is, the Reserve Bank of India (RBI) has issued master directions pertaining to customer data protection (or KYC protection) applicable to all fintech companies in India. Key highlights pertaining to KYC / customer data protection are as follows:


Total confidentiality, privacy, and security of customer information (Know Your Data).


Data storage in centers located & maintained in India, that is, the RBI has issued directions that require all fintech providers to localize payment transaction data in India (Data Localization).


Outsourcing of activities by fintech companies: Customer information is to be protected, by following appropriate practices to mitigate the risk involved with outsourcing / third parties (Third-party data sharing/Privacy Intelligence).


Handing Data Subject Requests (referred to as DSR’s - correction, updation, deletion, etc.,).

The Trust Challenge

Key challenges in brief


Data Discovery: Managing consumer data and the individual customer’s digital identity in the evolving fintech space. Cloning of the digital identity of the individual customer also poses a significant challenge.


Localization: “Proof of Data Localization” to government bodies.


CERT-IN provisions read with Section 70B(6) of the IT Act: The Indian Computer Emergency Response Team (CERT-In) has issued directions, under sub-section (6) of Section 70(B) of the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. It also provides the types of cyber security incidents mandatorily to be reported by body corporate.


Data Subject Rights Fulfillment: Lack of meaningful KYC data protection solutions.


Outsourcing–Third-Party Data Sharing: “Data theft by third parties” like partners, vendors, and within the supply chain.


Retention/Minimization/Data Deletion: Untimely action or inaction on the customer data, by not disposing the same in a secure manner, in spite of the fact that the customer has unsubscribed from the use of the services of the organization (fintech company).

TurtleShield’s capabilities:

Ardent Privacy’s patented technology product “TurtleShield” is an ML and AI-powered enterprise software platform, that helps businesses discover, identify, inventory, map, minimize, and securely delete personal data. With TurtleShield, a business enterprise can turn a “Privacy Program” into a “Profit Centre"

This is achieved by a nimble and oil drilling-like approach to discovery: We create a global map of organizational data, which is subject to “data protection/privacy regulations”.

Globally data localization or sovereignty is becoming a standard regulatory requirement. We can create a global data inventory, to facilitate a single pane of glass of personal or sensitive data based on geographies, to enable you to take necessary action on a proactive basis.

The data inventory module automates the data asset inventory and performs auto-tagging at high speed using machine learning. It discovers, identifies, and maps data from PII to sensitive data assets. Instead of relying on manual reports or questionnaires which are prone to errors, the data inventory module generates reports based on the actual data such as PII.

Search capability in large datasets to fulfill data subject requests in totality and at a rapid speed. The assumption that data only exists in databases and nowhere else is often not a reality, as customer data exists in many sources. Using ML & AI we crawl across data sources and predict where PII can exist.

Often there are silos within entities or business and IT teams, and it is challenging to secure a holistic view of the data flow outside the organization and the data flow into the organization, especially when the data is shared with the third parties, like vendors, business partners and many more. We can create a data map, based on the data sharing, to facilitate you to take remedial actions, on the same.

Assists organizations in minimizing excess data by scanning huge data sets for excess data using Machine Learning and identifying excess data, including personal data. Thus, decreasing operational inefficiencies and saving money by deleting useless data and the legal costs associated with having it for regulatory compliance.

Problems Addresses

Featured News, Blogs

Ardent Privacy @ Infosecurity Europe 2024: Security for AI or AI for security?
The 7 principles of Privacy by Design
The Florida Digital Bill of Rights (FDBR): Navigating the New Frontier of Data Privacy

Be the first to catch our latest updates,
happenings and more.

Follow us