Governance by Data is the new Corporate Mantra for the next decade

Posted on February 14, 2023 by Vijayashankar Na

The world of Business Management has undergone a substantial change in the last decade with the advent of Information and Communication Technology (ICT). The impact of ICT was first felt in establishing an effective communication channel with Customers and Business Associates of an organization with the use of Internet, E Mail, Mobiles, Messaging services etc.  In the second generation of the use of ICT in business we saw the development of E Commerce where both purchases and sales were effectively handled online. Along with these, Customer service and HR functions also started using Online technologies. Some of the industries which really bloomed with the growing use of Internet in the broadband era were education, Online consultancy etc.

The next generation of Business Development with Technology is happened with the use of Data for Business decision making.  But now we have come beyond all these developments and started finding new uses of Data in Business. The future of Business Management is closely integrated with  innovative use of Data in Business.

Data for Business efficiency is the past. Data for New Business is the future.

Data is today an “Asset” of business and business managers need to find ways of using data not only for decision making and improving operational efficiency but to generate new products and services.

Today’s Business Management strategies are therefore directed on how to use “Data for creating more Revenue”.  Revenue can be generated both by saving on current operations (like replacing manpower with better use of ChatGPT ?)  and also through finding new products and services.

Where feasible, 3D printing can enable development of physical products including prototype development, customization, spare part production etc Products can be embedded with smart  chips to provide feedback for improvement.

What is the future however is to find new “Data Products”, “Produce Data Products”, “Market Data Products”, “Finance data Products” and find the manpower for managing Data Products.

In other words we are looking at a future of Technology Oriented companies where “Data” is the raw material of business and the entire business structure of production, marketing, finance and human resources have to be planned around ” Data as a Business Asset”.

Correspondingly R&D has to be developed to understand the Data Product needs of the consumers. This requires conducting market surveys related to Consumer’s Data Consuming and Usage habits. This is precisely the point where the “Data Protection Laws” create a hurdle for the Data Business. The Data Business Managers therefore need to have a good understanding of the Data Protection Laws and ensure that they are compliant with the law but continue to explore and harness business opportunities with the use of Data.

If therefore EU with GDPR is too restrictive, the choice of business location has to be in a place where the Data Protection Law is industry friendly. At the same time just because land is cheap we cannot put up a factory in a desert. We need to look at other resources and their availability. Similarly the Data Dirven business need to be set up in a location where regulations make it feasible to start and grow the business without un necessary harassment but where the resources such as manpower, Internet connectivity etc are also available.

The “Feasibility” analysis has to be therefore conducted with reference to the Product Idea vis a vis the regulatory restrictions along with the availability of other resources.

It is therefore considered that the knowledge of Data Protection and Laws related to Data Protection is an important input for the Business Management Community.

The future of Corporate Governance is “Governance by Data” and the Business Management education needs to incorporate elements of the new technology developments such as AI, Meta Verse etc from Management perspective along with the relevant regulations.

Privacy Activists and Courts should also remember that they cannot always take a stand against business since this could result in deceleration of business growth. Law Makers need to also ensure that while technology has to be regulated, the regulation should ensure that growth occurs in the desired direction.

Naavi

Posted in Cyber Law | Leave a comment

Will Ministry of Consumer Affairs Pre-empt MeitY on AI regulation?

Posted on February 13, 2023 by Vijayashankar Na

While many are rejoicing the success of Chat GPT 3 and waiting for the Google’s Bard to come up with a more efficient NLP system, there is an underlying fear that the growth of AGI and ASI may soon pass the critical stage and start creating rogue and malicious AI programs.

We can soon expect many variants of ChatGPT to surface with many ChatBots on different websites all trying to proclaim that they are “AI Powered”.

The Indian Government has taken the first step where the Ministry of Consumer Affairs is mandating that companies who want to project their projects or services as “AI Enabled” will be subjected to certain guidelines.

One concern would be that the “AI tag” could be used to mislead the public and hence the Ministry of Consumer Affairs may bring out some “Disclosure Standards” for claiming “AI empowered” tag.

The accompanying news report suggests that Bureau of Indian Standards is working on standards and will put them in public domain.

Just as Google was caught unprepared with the release of ChatGPT by Open AI, MeitY has been caught off-guard with the announcement that the Ministry of Consumer affairs will come out with an AI standard.

In a way, MeitY should be concerned that in an area where they should have taken a lead, another department has started acting before them.

While we need to appreciate the Ministry of Consumer Affairs and BIS for the initiative, it is necessary for MeitY to also join them and work in collaboration to develop a standard which is sound.

The definition of “AI” may be wide and encompass a simple script that automates some activity to  IoTs and robots working in deep learning domain and fixing some standards for disclosure for Consumer awareness would be tough.

It is possible that there will also be many of the small time players providing ChatBots which provide incorrect responses. Some may be hacked and taken over by malicious characters which will cheat the consumers with the “AI Empowered Certification”.

The Ministry of Consumer Affairs will not be able to make a proper assessment of the AI activity since it requires deep understanding of the technology.

However, one aspect that we have been asking for as the first regulatory principle namely “Registration of AI development companies” and “Code stamping of the Registration ID” can be done by the BIS registration.

While incorporation of other ethics of AI may take some time, I advocate that we adopt the known laws to cover the AI regulation at least as an immediate measure.

The Suggested Solution

The solution I suggest is to consider AI products as the responsibility of its owners just as we make parents and guardians responsible for the acts of the Minors.

The transport department has already made rules that if vehicles are driven by minor children the parents will be fined.

We can adopt the same principle here and introduce penalties for

a) Not registering an AI development (applicable to developers)

b) Not registering the use of AI in products (Which BIS may be thinking now)

c) Making the owner of AI liable for any adverse consequence of an AI algorithm even if they are registered (So that Registration does not become a certification of assurance of the functional quality)

This law can be brought in without any new law just by a notification of an explanation under Section 11 of Information Technology Act 2000,

This section already states

Attribution of Electronic Records

An electronic record shall be attributed to the originator

(a)if it was sent by the originator himself;

(b)by a person who had the authority to act on behalf of the originator in respect of that electronic record; or

(c)by an information system programmed by or on behalf of the originator to operate automatically

This automatically means that an output of an AI is attributed to the owner of the AI program. Hence if the output is faulty, malicious or damaging the responsibility falls on the owner of the algorithm. The laws such as IPC can be invoked where necessary.

The owner of the AI algorithm initially is the developer and subsequently the liability should be transferred to the user though the ownership for other reasons of licensing or IPR may remain with the developer.

Hence an explanation can be added to this section to mean the following:

Explanation:

Where the information system is programmed by one person and used by another person, the legal liability arising out of the functioning of the AI algorithm shall be borne by the user.

Where the user is the absolute owner of the algorithm the transfer contract shall include disclosure of the functionalities, the default configurations and the code.

Where the user is only a licensee, the license agreement shall disclose the licensor and the default configuration that affects the functional impact on the consumers.

If the developer does not disclose the required information, he shall be considered as liable for the acts of the AI algorithm.

This suggestion is some what similar to the concept of “Informed Consent” being obtained where the Data Controller discloses the details of processing and data processors to the data subject in a data protection law. The requirement would be a reverse of this consent mechanism where the transferor of the license rights provides an “Informed Disclosure” which the transferee shall further disclose to the consumers.

Since this suggestion does not need any change of law, it can be implemented immediately even before BIS comes up with its recommendations and our own UNESCO recommendation based AI law can be formulated.

Naavi

(Comments welcome)

Posted in Cyber Law | Leave a comment

MHA introduces Cyber Crime Reporting Number

Posted on February 13, 2023 by Vijayashankar Na

Posted in Cyber Law | Leave a comment

Citi Bank Customers in India face a sudden closure of account

Posted on February 12, 2023 by Vijayashankar Na

Posted in Cyber Law | Leave a comment

Who is responsible for the CitiBank fiasco?

Posted on February 12, 2023 by Vijayashankar Na

It is time for a PIL to explore the inconvenience and business disruption caused to customers of Citi Bank because of the acquisition of its consumer  business to Axis Bank. The damage caused to individual businesses whose cheques would have been returned and pending credits would have bounced etc  was entirely un necessary and reflects a failure of proper supervision of the entire process.

Perhaps an RTI on RBI is a starting point and some lawyer needs to take this case.

I refer to this post on Axis Bank website which states that the Acquisition of CitiBank Consumer business was handled by Axis Capital and Credit Suisse as financial advisors and Khaitan & Co as legal advisors. Additionally PricewaterhouseCoopers and Boston Consulting Group were involved as Business Consultants

I request that these professional firms need to explain to the public how they let the CitiBank fiasco to happen.

In cases of total merger of one entity to another such as Corporation Bank and Andhra Bank to Union Bank etc., the entire IT systems of one entity was transferred to the merged entity. Though there were technical glitches in migration, the old account numbers and chequebooks continued and there was not much of business disruptions like what the Axis Bank-Citi Bank deal caused.

I understand that in this case it was not possible for Citi Bank to provide control of its entire systems to Axis Bank. However it was possible to set up a middleware system which could have handled the customer issues over a period of time sufficient to allow the data to be  migrated. This was a technical failure and the financial, Business and legal consultants were incapable of suggesting this issue. There was a need for involving a Cyber Security and IT Consultant with experience in Banking in the process to handle the migration.

It also appears that this issue was handled as a business acquisition of a division and RBI has failed to exercise supervision. I request the Governor of RBI to initiate its own enquiry into the failure of its oversight mechanism.

It was clear to customers who had visited Citi Bank recently that Citi Bank executives were not even interested in suggesting continuation of the customer relationship and were happy to close the  accounts. This was indicative that they were not concerned either for their customers or for Axis Bank as their client.

While Axis Bank failed to market itself to the customers of Citi Bank, some card marketing activity continued on behalf of Citi Bank until a few days back.

The least that the two Banks could have done was to release a joint news paper advertisements to warn the customers to shift their accounts or face disruptions. Axis Bank should have setup a technical facility to migrate accounts if it required “Explicit Consent”.

It is surprising that this Rs 12325 crore deal was handled so shabbily. While on paper the deal looked great for Axis Bank, it now appears that Axis Bank will fail to get all the 3 million customers of Citi Bank whom they could have happily acquired at one stroke. Shareholders of Axis Bank should question the management on this failure.

A statement from the top management of Axis Bank  on how and why they let down the erstwhile customers of Citi Bank is expected.

PS:

Some of my readers have pointed out that they did receive several reminders from Citi Bank and they exited from the Bank. It appears that several others found the notice inadequate and were taken by surprise.

Personally I had a Credit card account only and I continued to get reminders for renewal till a few days back which I simply ignored.

Whoever is responsible for the fiasco, there will be a debate on what is “Due Diligence” under such circumstances and whether there will be liabilities for some body on causing denial of service.

Naavi

I received the following experience from one of my readers on how he handled the 9th February issue.

Quote

It was not easy,  I spent 6 hours with them to get back my 9.75 lakhs balance

  • CITIBank initiated the consent obtaining process to switch to Axisbank 4 months ago but till 7th feb evening it was showing an option to remind me later.
  • On 8th evening I received a message Cheque-book and debit card deactivated, I thought Internet banking will be working and tried to login on 9th Morning but it was not working.
  • Call center was not accepting my account number as a parameter (Account deactivated) to access the customer support, but I reached the customer support with the lost card option.
  • Customer support informed; I will receive a demand draft of balance within 15 working days to the official address.
  • 9th at 11 am I reached the South-end circle branch and found the branch working normal and still accepting cash deposits and many other activities, They gave a token number “A20” but it was looking like “420” 🙂
  • I was restless and started enquiring other members about their reasons and found more than 20 members waiting for the same reason.
  • I approached the branch manager and explained this is not a correct process and demanded to  re activate the account but they refused
  • Also they directed me to fill the “account closure request form” and “balance transfer request form”,
  • I refused and mentioned I will go to the Police station and RBI banking ombudsman customer grievance cell.
  • Around 1.30 PM another senior manager approached me and assured me of the transfer of funds  to my alternative account within 2 hours. Once again he asked me to fill the account closure request form, I refused and filled only the “balance transfer request form” and reached back to my office.
  • Around 3.30 PM the NEFT fund transfer to my alternative account initiated and I got acknowledgement from my other bank around 6 PM
  • Funny part is my both CITIBank credit cards are  still active, I can use it  but I can’t access my internet banking to manage my limits , enable disable card options of Credit cards.
  • I have seen branch staff including Branch manager were clueless on the chaos created somewhere in the boardroom.
  • I remember the CITIBank motto statement “CITI never sleeps” but now on “CITIBank customer also never sleeps” 🙂

Unquote

Posted in Cyber Law | Tagged , , , , , | 1 Comment

CItiBank abruptly closes customer accounts. RBI and Axis Bank fail in their duties

Posted on February 12, 2023 by Vijayashankar Na

Last week, CitiBank sprung a surprise on its customers by abruptly closing their accounts in preparation for the merger of its operations with Axis Bank by the end of March 2023.

In the process, many clients having their primary and business critical accounts with CitiBank  found that their business was disrupted.

In earlier mergers this kind of a situation did not arise since the accounts were automatically transferred to the new entity and it was left to the customer to decide what to continue their relationship with the new entity or not over a period of time.

In the meantime, in the earlier mergers of Corporation Bank-Union Bank, all cheques and standing instructions related to the old accounts continued to be operative and no inconvenience was caused to the customers.

It is not clear why Citi Bank adopted this move and why RBI did not prevent this inconvenience caused to the customers.

We are not aware if RBI was aware of this move and had approved  it or Citi Bank had kept RBI in the dark. Also, did Axis Bank take the trouble of informing the erstwhile customers of Citi Bank that such a move was contemplated by Citi Bank ?. The customers of Citi Bank are now the responsibility of Axis Bank and they need to preserve their own reputation for customer service and they seem to have failed in this obligation and opportunity.

It is time for some consumer oriented lawyer to file a PIL and ensure that CITI Bank pays damages to all its customers for suddenly stopping operating accounts and causing both material and reputational harm to them.

See details here

I am trying to figure out if there was any technical reasons for this fiasco. In earlier cases of mergers the merged entity continued to operate the account under the same account number for some time until it was migrated to a new account number. Even the standing instructions and cheque books continued to be operative till they were replaced and migrated.

It was surprising why this did not happen in the Citi Bank-Axis merger case.  It is not clear if this was handled like a merger under RBI  supervision or a business acquisition. In that case Axis Bank had to be pro active and provided some easy options to customers for migration.  Difficult to imagine why Axis Bank failed to use this marketing opportunity.

It should have been possible to set up an intermediary authentication system to direct the customers to the specific data base of account holders transferred to the control of Axis Bank. Probably Citi Bank did not want to help Axis Bank acquire the customers easily and Axis Bank failed to negotiate the merger/acquisition properly. Whichever consultant handled the transition has failed in his duty to guide Axis Bank properly.

We await more information to unfold in this regard from RBI.

Also see this article on which consultant handled this acquisition so inefficiently.

Naavi

Posted in Cyber Law | 3 Comments