B2B Firms & Compliance with The Digital Data Protection Act 2023 | Srikanth (CEO – Perfios)

Overview:

In this SaaSTrana podcast, Srikanth Rajagopalan (CEO – Perfios Account Aggregation Services (P) Ltd) talks to Venky about the importance of data security for B2B (SaaS) companies and the implications imposed by the Digital Data Protection Act 2023 in case of a data breach.

Furthermore, Srikanth explains how focusing on data security can benefit organizations in the long run by giving them a competitive edge and building customer trust.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Key highlights from the discussion:
  • 00:00 - About Srikanth’s Journey and Perfios Account Aggregation Services 
  • 13:01 - Managing customer data securely as a data aggregator
  • 22:44 - Highlights of The Digital Data Protection Act 2023 by MeitY
  • 27:04 - Scope of the act (regulations) for fiduciaries and data processors
  • 31:32 - Applicability of fines and penalties for B2B (SaaS) businesses and its impact on the long run
  • 43:51 - Cybersecurity as a trust enabler for customers

Transcript

I started life as a sales guy. As a sales guy going through durables to sodas, I accidentally landed a job at Amex. It’s just another sales job. 

Amex was a unique place; they ran a closed-loop network, which means you get to see the transaction end to end. And that’s got some fascinating data insights, from understanding the customer, underwriting her, giving her a card, tracking her spending behavior, and then mapping it to your merchant coverage. No other card network uses that kind of visibility—a seven-year, eight-year learning experience.

Then, eventually, I got bored of a corporate career. So back in the day, I found a techy through a mutual introduction, and his idea was simple – “Can you install a 64 KB app on a Nokia feature phone, and people transact on that?”

And as audacious as it sounds today, in hindsight, we were able to pull off an app, and we called it NGP or Next-generation payment. 

We were able to aggregate a bunch of merchants, over 50 merchants, who had stuff to sell. We started offering plane tickets and flight tickets. For train tickets, IRCTC was a major merchant on board. 

And then we found in those days that the distribution was a big problem because you didn’t have app stores; you didn’t have anybody but a carrier who was a gatekeeper. So, we instead went to the merchant and said, “Help me distribute this app, and I can help you reduce the distribution costs for your profit.”

It started taking off; the hockey stick started in about early 2008. We got a term sheet from a storied Silicon Valley investor.

As fate would have it, we eventually had to shut down and did a fire sale to Flipkart. But then, moving on, I had to find my way back to a corporate career. 

Fortunately, at that point, we had a good partnership going with Nokia, and they were setting up mobile money. So, the story continued, and many of us set up mobile money at the time at Nokia. 

So, one thing led to another, and eventually, I found my way to Amazon, where they were starting their India journey. I joined Amazon when the website was five weeks old. We were selling books and CDs. 

So those were, again, the early days of e-commerce payments and success rates. And the quality of service you would find from banks was just not up to the mark. We had a big role in collectively working with financial institutions, card networks, and the regulator and improving the customer experience for people checking out with a genuine intent to buy but being held up by a poor purchase experience. 

We started with about 85% cash on delivery just because of friction. They did the opposite today, with about 10% cash on delivery. 

So, along the way, then, UPI came about. All that we’re doing is federate ID and Authentication. That’s it. That’s the most friction-full part but the least value-added part. We’re taking the pain away from here. 

The journey with Amazon continued. Then, I got introduced to Govi, a founder of Perfios. 

Perfios was about a tenth of our size today. We started going from 0 to 1 to 1 to 100 company. That journey started in 2019. Very quickly along the way, we found that this whole account aggregation piece, if we did it well and if you strategize well, could be a game-changer and a scale mechanism for our business.

At Perfios, we automate many rules-based processing for financial institutions. That could be onboarding, analytics, post-sanction, and monitoring, anything that can be defined by a set of rules that needs data to be extracted from various sources, cleaned up and allocated, and then put into that so-called audit engine. 

When we started, we had to build those proprietary pipes into many of these banks. To get your data from any bank, mutual fund, or insurance company, we have to build these proprietary data files. 

Even today, the number one limiting factor to any of us or any of our competitors’ growth is the friction that people face in fetching their data. 

If you’re an organized person and you’ve downloaded six months of your bank statement as a PDF, and you remember the passwords, and you’re trying to upload it onto a Bajaj Finance site, then you know the pain of doing that right? At Perfios we make some revenue by automating some of these use cases. 

This whole account aggregation piece, though still a little nascent, is meant to solve exactly that problem. If you simply remember one thing about AA (Account Authentication), we have the potential to do with data what UPI did to money. 

For context, we are two different organizations: Perfios, a B2B SaaS platform, and PerfiosAA (Account Aggregator). 

Perfios counts about 800-odd financial institutions in India and 20 other countries as clients. Our core product offering is analytics, decision automation, and process automation, using our secret sauce of being able to extract, annotate, categorize, and work with data. 

Our core competency is being able to deal with data. The way we put that to use is to help financial institutions automate most rules-based decisions. 

The entity that I run is a regulated entity. We have a Reserve Bank of India license to be an account aggregator. 

In simple terms, an account aggregator has four parties in this ecosystem. The first and most important one is the data principal. People like you and me who happen to have an account at, let’s say, SBI, and maybe you’re checking out at an Amazon website, and you have a loan offer or EMI offer from, let’s say, let’s pick a name, Bajaj Finance.

Bajaj says, ‘Fine, I can help finance this 50-inch TV. Just give me six months of your bank statement today.’ That’s where the trouble starts. What we’re able to do is help Bajaj connect directly to people like us.

Anumati is our brand name. Anumati is the account aggregator that I run. They can go straight to an SBI through us, saying, “Here is Venkatesh’s mobile number. You recognize this mobile number; you have a bank account linked to this mobile number. If yes, please give me six months of data.” 

So, it’s a set of protocols and a set of standardized APIs: 

  1. The first entity is you; you’re shopping for a loan. You want to fetch your bank statements. 
  2. SBI is the Financial Information Provider (FIP). You have your data there and, on demand, are supposed to share it because it’s yours. 
  3. Bajaj is a Financial Information User (FIU). They are the ones who need your data to offer you a product or service. 

Conceptually, it’s simple: there is a giver of data, a user of data, and a mediator called an account aggregator who ensures all the permissions and security protocols are appropriately deployed. 

Today, our network includes 46 Financial Information Providers (FIPs), banks, and mutual funds companies. About 200 Financial Information Users (FIUs), such as Bajaj, seek your data. 

We are not the only Account aggregator in the market; approximately 14 of them make it a fairly competitive landscape. 

Look at an account aggregator as a consent manager who is responsible and accountable to the data principal, acts on their behalf, and says, “Okay, Venkatesh wanted his six months of bank statement from SBI to be shared with Bajaj,” and here are two or three buttons you need to press, a couple of OTPs come, and your data goes securely between the two systems without any man in the middle.

And you can start seeing the benefits of that from a security authenticity, real-time point of view. If you’re not a tech-savvy customer, you don’t even know what kind of leakages are happening from a security, permissions, or privacy point of view. And that’s what we’re trying to solve. 

The Data Privacy Act will shape the course of the data economy in India. This bill has been in the works for the last three years, starting with the Srikrishna committee report. It’s been through a bunch of changes. The scope changed along the way, and we should also cover non-personal data, but a lot of industrial feedback. And to the Government’s credit, they’ve been very open to engaging with people like us from FICCI and other such institutions.

Finally, it is the directional decision that the MeitY (Ministry of Electronics and Information Technology), the arm of the Government, has put this together. 

After a lot of feedback, the MeitY finally decided we shall simplify. We will keep it very specific to a single purpose called privacy and data protection. 

From an intent perspective, their goal is clear: we need a law that ensures adequate protection for citizens’ data with little disruption in day-to-day business operations. 

But there is a very clear paradigm shift in how data is handled and processed by people who are, as you call it, in the data business.

There is a huge trillion-dollar digital economy goal that the Government is consistently pursuing. So, we see this as an enabler or a safe, protected data ecosystem as necessary. You have to feel secure that your data is not being misused if you have participated in the data economy. 

There are a few other directions they have chosen to go down. One is saying that this law applies only to digital data. If the data is in a paper form, however, if that paper gets scanned and digitized, it’s now within the ambit. And you can see the intent here: if an average Joe wants to be assured that his rights are protected, you trade off security for transparency.

You participate in the formal economy whereas either you were data dark, or, for whatever reason, you make the tradeoff by saying, “Okay, I will open up my data; I will digitize it in some form or manner in exchange for better services, faster-secured processing.” Automatically, the Government has got your back. The law has got your back. 

The flip side to that is a lot of data fiduciaries. We will need to go through a mindset change. And this is the hard part. Until now, there’s been this greed for getting data; grab it with both hands, stuff it somewhere, and figure out what to do with it later. 

That behavior would need to change. The guiding principle will be data minimization and purpose limitation. If you don’t need to know what car I drive to give me an EMI, don’t ask me.

There are a few nuances that are important to keep in mind when you’re running a data business: 

You first have to ask yourself: are you a data fiduciary? It means the person who decides what data is collected, why it is collected, and how it will be processed and retained; if you are making those decisions, you are the fiduciary. However, your payment gateway processes the transaction, for example. Then you’re a processor, so you don’t get to decide what needs to be collected, and so on.

Once it’s fixed, up from what I told you about what Perfios does – will essentially carry out processing instructions on behalf of, let’s say, an SBI or HDFC Bank; the relationship is very clear, and we’ve been in fairly intense conversations internally and with our clients to figure out how we should de-audit ourselves to this new law once it’s clear that these financial institutions, for the right reasons, continue to be the data producers, people like us, let’s say, a Razorpay, so on and so forth until they get licensed continue to be your processors. 

No, its scope is limited to fiduciaries. Almost every fiduciary is covered by the banking industry; that is something called IT outsourcing guidelines. The fiduciary’s job is to ensure that for any processor or third party they use to handle processing of data, there is adequate supervision, audit trails, and so on.

No data co-mingling or all the things that go to the audit part. So, the regulators and the policymakers have made it clear that we don’t have the capacity to supervise and monitor hundreds of thousands or lakhs of entities. They do catch the fiduciaries whose business depends on this data. Make sure to behave responsibly.

No, it’s any business that deals with PII. And that scope is as wide as that. Yes, the answer to the question, are you a fiduciary or a processor, will be very contextual to that industry. The scope is not limited to just the financial service industry. Whatever business you are in, if you’re handling customer data and handling PII, you could be an entertainment or OTT platform, right? You can store user credentials. You’re a fiduciary.

And to your point, should they worry about it? Absolutely. It’s a life and death kind of a thing, right? 50 crore is a big number for 80% of the businesses in their respective industries. Start-ups can get shut down as it’s an extinction kind of scale of event.  

The minister was very candid in how we responded. He said that this is exactly the reaction we want from the business to be aware that if you lose customer data and break the law, a life-ending event can happen out of carelessness or malintent. So, better take it seriously.

It’s still a work in progress. What we have is just the umbrella law. The umbrella law is designed for three things. 

One is its universality of application. 

Two, its simplicity of expression; you should go to the act. It’s one of the simplest English documents that I’ve read. And it’s intentionally drafted so that it can very quickly keep up with technological changes. 

But what they’ve left to be implemented is the rules. Third, we need to draw a line between policy and rules. What we have is a policy. We have the act.

We don’t yet have the rules, and that is yet to be created by the Data Protection Board. So that’s the next level of activity. That engagement is now happening between industry and the policymakers, saying, “Okay, give us feedback on what should be the construct of the board, what should be the skill the board has, and no surprises.” 

Data protection and cybersecurity is a key skill set that the board needs and the charter is to be an adjudicator. Not in the form and manner, let’s say, a regulator. That board is there to say, “Okay, this customer complained against this institution that they misused my data, and there is a process of inquiry.” And an outcome of that could be a self-reporting by an institution. 

Very well-intentioned and reputed, but all the right processes, efforts, and systems are in place, yet something happened. There is a provision for voluntary disclosure, saying, “Oops! It’s happened. So, it’s hard to predict”. 

50 crore is the starting point, and it’s more than that. It can go up to 250 crores in various regions. And for an organization, it is capped at a 500-crore number. It’s something serious and egregious, and it’s demonstrable that there were a lot of unfixed loopholes or sometimes even willful ignorance or processing beyond the scope of the law.   

Absolutely. I think you nailed it because we have always heard these smart two-liners: data is the new oil, and so on and so forth.  

But for the first time, just like there are rules in handling money, you won’t get rules for handling data. And what happens if you misbehave intentionally? What happens from a monetary perspective? So, people start drawing straight lines between how they handle data and something as simple as PNL.  

The answer to your first question is simple: how do I think about application and data security when running a business? It is a little old-fashioned and very simplistic that if you can’t keep your data secure, you shouldn’t be in business. It’s as black and white as that. You can’t have even an iota of doubt that this application doesn’t meet the figures of whatever security systems that you follow. Don’t be in the business because very quickly, you will find that whatever short-term benefits you might gain from all this Cambrian explosion of data and capabilities, they will not be back for an extinction-like event. 

If you lose data, you would have gotten away with it, but now, a law holds you accountable. And that is law enforcement through the data protection rule that is coming. Yes, many businesses today deal with data not up there regarding security and privacy protocols. 

The simple message to such a businessman or an entrepreneur is to start thinking of doing a complete audit and inventory of all your processes and systems that touch data right from when you contact the customer. Even going down to querying where I get my sales leads database from, what was, how was it procured? Did the customer consent to be in that database? 

It’s going to be messy. It’s going to be hard. There’s no return to being prepared to continue business in this new regime. Your first starting point: do a complete audit. Where all our data points are coming from, how am I processing it? Who are the different user groups and departments in my company that have access to what kind of data? 

Do they need a 16-digit card number or just the last four digits? It is simple to implement but overlooked. And finally, what is the data storage policy? 

The first and most immediate call to action would be to start doing the self-introspection. The bigger the business and the bigger the number of lines of business, it gets complicated, but it’s not going away from it. 

Two is, as a process of natural selection, you will find that the overall quality of business entrepreneurs’ data fiduciaries that survive will be of an order of magnitude higher or better quality regarding how they handle data. It’s got to be Darwinian in the short term. 

Those who survive will be those who will earn customer trust and will start building on top of that. They will start enjoying scale benefits because if 20 competitors die by the roadside for whatever reason, your scale economics pick up. 

These are some things that CIOs, and even boards, need to recognize—seeing that dealing with security and privacy is not just another compliance checkmark. It’s a whole new way of resetting a mental model and looking at it as both threat avoidance and a booster two years down the line.
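The four-party flow Srikanth sketches in the transcript (data principal, FIP, FIU, and the account aggregator acting as consent manager), together with the purpose-limitation and data-minimization points (the six-month window, the 16-digit card number versus the last four digits), modelled as an added Python example; this is not Perfios or Anumati code and not the real Account Aggregator API, and every class, field name and sample value here is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Consent:
    """Consent artefact the AA keeps for the data principal (assumed shape, not the real AA spec)."""
    principal: str      # identifier the FIP recognises, e.g. a mobile number
    fip: str            # giver of data (bank, mutual fund)
    fiu: str            # user of data (lender)
    purpose: str        # purpose limitation: the only use the data may be put to
    data_type: str      # e.g. "bank_statement"
    from_date: str      # consented window; ISO dates so string comparison orders them
    to_date: str
    expires: str        # the consent itself lapses after this day
    otp_verified: bool  # principal confirmed via OTP before the AA records it

@dataclass(frozen=True)
class DataRequest:
    fiu: str
    principal: str
    fip: str
    purpose: str
    data_type: str
    from_date: str
    to_date: str

def mask_card(pan: str) -> str:
    """Data minimisation: an FIU that needs only the last four digits gets only those."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

class AccountAggregator:
    """Mediator: records consents and adjudicates requests; it never holds the data."""
    def __init__(self) -> None:
        self._consents: list[Consent] = []
    def record_consent(self, c: Consent) -> None:
        if not c.otp_verified:
            raise ValueError("consent not confirmed by the data principal")
        self._consents.append(c)
    def authorise(self, r: DataRequest, today: str) -> bool:
        for c in self._consents:
            if (c.principal, c.fip, c.fiu) != (r.principal, r.fip, r.fiu):
                continue
            if today > c.expires or r.purpose != c.purpose or r.data_type != c.data_type:
                continue
            if r.from_date < c.from_date or r.to_date > c.to_date:
                continue  # asked for more history than was consented to
            return True
        return False

def fip_release(aa: AccountAggregator, records: list, r: DataRequest, today: str) -> list:
    """FIP side: release only against a valid consent, only the window, and minimised."""
    if not aa.authorise(r, today):
        raise PermissionError("no matching consent")
    return [{"date": x["date"], "amount": x["amount"], "card": mask_card(x["card"])}
            for x in records if r.from_date <= x["date"] <= r.to_date]

# Constructed sample statement held by the FIP (not real account data).
STATEMENT = [{"date": "2023-03-05", "amount": -1200, "card": "4111 1111 1111 1234"},
             {"date": "2023-06-20", "amount": 55000, "card": "4111 1111 1111 1234"},
             {"date": "2023-09-01", "amount": -800, "card": "4111 1111 1111 1234"}]
```

A request for a wider window, a different purpose, a different FIU, or one made after the consent has expired is refused by the AA, and the FIP releases nothing without that authorisation.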

Key Takeaway

The key theme of why security should be a business enabler for apps was trust. If you handle your customers’ data, and the applications they rely on, in a safe, transparent, and proactive manner, they will place their trust in you, and that trust is an enabler for business. It’s the right thing to do to gain trust. Ultimately, business runs on trust.