India Financial Services – Disrupt or Be Disrupted

Matrix India recently hosted two firebrands of the financial services world, Mr Sanjay Agarwal, founder AU Small Finance Bank and Mr Sharad Sharma, founder iSPIRT Foundation, Volunteer at India Stack, for a no holds barred discussion at the Matrix Rooftop in Bangalore. Here is an excerpt from the evening and some of our learnings for fin-tech entrepreneurs.

Part 1 of the two-part series features the untold story of AU Bank, in the words of Sanjay Agarwal himself, as below:

Sanjay Agarwal – on his background and early days before starting AU:

“In my early Chartered Accountancy days, I started out by doing audit work, taxation, and managing clients. I had studied hard and was naïve and enthusiastic at that time hoping, to solve the world’s problems. This pushed me to work harder and I had a desire to do something more.

I believe that we are the choices we make. While evaluating various choices, I eliminated all the options that I didn’t want to pursue e.g. to work for a fee or commission and then I started digging deeper on what really interests me – that was when the concept of AU Financiers was formed.

In 1996, as 26 years old, I began approaching HNIs to raise capital, as back then, there were no VCs. I was fortunate to raise INR 10 cr at a 12% hurdle rate and I had to secure the funding with a personal guarantee. But what is the guarantee of the guarantor? No one questioned this at that time. So, I technically became one of the first P2P lenders, and structured a product that didn’t exist– short term, secured and at a 30% rate of interest. That was the start of the AU journey.”

The Early Days of AU:

“I started off AU as a one-man army. I was everything from the treasurer to the collector. Slowly we built our team and rotated the 10 cr of capital to disburse 100 cr of loans – not a single rupee was lost. There were several challenges at that time for e.g., there was no CIBIL score, financial discipline was lacking, people were still learning how to take a loan and repay it and customer ids didn’t even have a photograph. But somehow, we managed.

The period from 1996 to 2002 taught me everything I needed to learn – how to lend, how to collect, how to manage people, read people’s body language, and most importantly how to manage yourself in different situations. I follow all of that until today, and my team also benefits or suffers from those learnings of mine even today. In those 7 years, we would have dealt with 2000 customers out of which 500 defaulted. That was the ratio of defaulters – 25%. But we managed and there were actually no NPL’s.”

Partnering with HDFC Bank

“In 2002, retail credit was beginning to take off, but our HNIs started pulling their money out, as they wanted a higher return. However, at that time, the most premium bank in the country, HDFC Bank, appointed us as their channel partner. The model we followed was very simple – AU was responsible for sourcing the customer, KYC processing and doing on the ground diligence while loans were booked on HDFC’s balance sheet. HDFC is perceived to be a conservative bank, and it is – however, they gave me Rs 400 cr, on a net worth of only Rs 5 cr! They made an exception in our case due to our strong track record, through execution, sound knowledge of the market, and most importantly our integrity.

By 2008, our net worth had increased to Rs 10 crore through internal accruals. At that time, HDFC told us that we can’t give you any more capital, as we were overleveraged, and that we now needed to bring in equity capital if we wanted to grow.”

Growing the balance sheet and partnering right

“I had two choices at that point, I could continue in Jaipur, keep my ambition under control and live comfortably or figure out what else is possible. I chose the latter and this marked the beginning of my partnership with Motilal Oswal. Its easier to raise equity now, back in the day shareholder agreements used to look like loan agreements with min IRR requirements, etc. As luck would have it, a few months after we raised equity, the Lehman Brothers crisis broke out and most banks stopped funding. We were supported once again by HDFC – they were our saviour and I will cherish my relationship with them always. Once the market settled down, having survived this negative environment, there was no looking back.

Our next major investor was IFC. For the entrepreneurs here, I want to say that you have to be selective about your investors, who will help with not just capital – there should be added value they bring to the table apart from money. IFC was giving me 20% lower valuation, but I knew that I didn’t have any lineage to fall back on. As a first-generation entrepreneur, I had to raise money on the strength of my balance sheet and not basis my family name. I knew that partnering with IFC would shift the perception of AU within the industry, especially for PSU banks. After their investment, we grew from one bank relationship with HDFC to 40 bank partnerships. One thing led to another and Warburg Pincus, ChrysCapital, and Kedaara Capital all came on board after that.”

Consistent performance

“From 2008 onwards, we started diversifying from vehicle lending and got into other forms of secured lending like a loan against property, home loans etc. We never tried unsecured lending and never ventured into microfinance or gold finance. Those were very popular products at that time but focusing on what we were good at resulted in a consistently strong performance. We never had a bad year. In the world of finance, the margin of error is very less. If you have a bad year you can almost never come back. Good companies survive regardless of the market condition, you can never blame the market for your company’s poor performance. In 2015-16, we were a successful NBFC, our RoA was close to 3% with an asset base of close to 8,000 crores, with a RoE of 27-28% and everyone was chasing us – the question at that time before us was, what next?”

How we became a bank

“As an NBFC, it is very hard to manage a book of Rs 50,000 cr with the same efficiency and effectiveness as it’s a people dependent business, there are limits to the kind of products you can do and you can’t keep raising capital. Hence, we became a bank because we wanted to be there for the next 100 years and that perpetual platform can only be created through a bank. That is the biggest platform and it is not available at a price. It’s available through your integrity, business plan and execution. Today, we receive Rs 100 cr of money every single day. This is the same person who was struggling to raise Rs 10 cr in 1996, and is now getting money at the speed of Rs 100 cr every day – it feels amazing but there is a lot of responsibility!”

Part 2 of the two-part series features insights from Sharad Sharma:

Recognizing the Athletic Gavaskar moment in Indian Financial Services

“Indian financial services industry is going through its equivalent of the Athletic Gavaskar project of Indian cricket. The motive behind this project was to instil the importance of being athletic to successfully compete in the modern game. A new team was created with the rule that if you are not athletic, you cannot be a part of the team, regardless of other skills that you bring to the table. Virat Kohli eventually became the captain of this team and the results are for everyone to see. Similar yet contrasting stories played out in hockey and wrestling. In hockey, we lost for 20 years because we refused to adapt to the introduction of astroturf. However, in wrestling, the Akhadas in Haryana embraced the move from mud to mat with rigour, and Indian wrestling is already punching above its weight class and hopefully will do even better over time. The idea of sharing this is that similar to sports, sometimes an industry goes through a radical shift. Take the telecom space, for example, if Graham Bell came alive in 1995, he would recognize the telephone system, 20 years later he wouldn’t recognize it at all. The banking industry is going to go through a hockey/wrestling or communications type disruption and a lot of us are working hard to make it happen.”

Infrastructure changes lead to New Playgrounds

“All the banks and NBFCs put together are not serving the real India today. We have 10 million+ businesses that have GST id’s, out of which 8 million+ are big enough to pay GST on a monthly basis, but only 1.2 million have access to NBFC or bank finance. This is a gap that needs to be addressed and it cannot be solved through incremental innovations.

Entrepreneurs and incumbents should learn from what happened in the TV industry when new infrastructure became available. When India went from state-run TV towers in 34 cities to cable and satellite TV in pretty much every town, there was a massive new market that was unlocked that did not want to watch the same Ramayan or Hum Log TV serials. What transpired was an explosion of entertainment products because of the high demand stemming from the new markets and the TV channel players that reinvented their content is thriving today while others that did not, are barely surviving or have shut down.

So where does this leave the bankers? I think it is the biggest opportunity for the right banker who understands this problem, wants to serve this section of the market and is willing to reinvent the way they do their business and take advantage of the new infrastructure that will be available.”

Dual-immersed entrepreneurs have the biggest advantage

“Entrepreneurs who are immersed in the messiness of both the new infrastructure and the old problem are “dual immersed entrepreneurs”. They are the ones that succeed when a market shift is underway. Today this is not happening. Some of our city-bred entrepreneurs are more comfortable with California rather than Bharat. And some of our sales-oriented entrepreneurs are intimidated by the messiness of the new technology infrastructure.”

New Playgrounds need new Gameplay

“In a world where eKYC exists, and we can transfer money through UPI from a phone, and sign documents digitally – we are ready to deliver financial products on the phone and this is the disruption that is required. Access to credit drives the economy and with this new infrastructure, it is now possible to lend to the real India. However, it’s easy to give money, but the ability to get it back and keeping defaults at a minimum is the real trick. Even there we are moving towards seeing a radical improvement. Debt providers now have powers they never had and defaulters are being brought to book. Customers are now incentivized to build their own credit history to get better and lower interest rates over time. A new Public Credit Registry is coming to enable this at scale. But the biggest innovation is related to the dramatic shortening of the tenor. One can structure a one-year loan into 12 monthly loans or 52 weekly loans. This rewards positive customer behaviour and brings about the behaviour change that is needed.

There is no secret sauce here, it requires gumption – like that shown by Reed Hastings, founder of Netflix. He disrupted the TV and home video industry by first having the wisdom to go from ground to cloud and then again when they started developing original content. In both cases, he had little support from the board or investors. If you can reinvent yourself before it becomes necessary, you’re a winner but this is harder to do for a successful company. The legacy of success provides resisters with the clout to block change. The real beneficiary of Aadhaar based eKYC in the telecom world was not the incumbents but Jio – eKYC allowed Jio to acquire customers at an unprecedented scale and they saved INR 5000 crores on KYC costs as well.”

About iSPIRT

iSPIRT is a non-profit think tank that builds public goods for Indian product startup to thrive and grow. iSPIRT aims to do for Indian startups what DARPA or Stanford did in Silicon Valley. iSPIRT builds four types of public goods – technology building blocks (aka India stack), startup-friendly policies, market access programs like M&A Connect and Playbooks that codify scarce tacit knowledge for product entrepreneurs of India.

About AU Small Finance Bank:

AU Small Finance Bank Limited (AU Bank) started in 1996 as a vehicle financing NBFC, AU Financiers and scaled to touch over a million underbanked and unbanked customers across 11 states of North, West and Central India, prior to becoming a bank in April 2017. During this time, AU attracted equity investments from marquee investors such as IFC, Warburg Pincus, Chrys Capital, Kedaara Capital and recently went public when its IPO was oversubscribed ~54 times. Over the years, AU Bank, led by its founder Sanjay Agarwal, has created significant shareholder value with its equity value growing from ~$120 million in 2012 to current market capitalization of ~$3 billion.

Please Note: The blog was first published and authored by Matrix India Team and you can read the original post here: matrixpartners.in/blog

iSPIRT Final Comments on India’s Personal Data Protection Bill

Below represents iSPIRT’s comments and recommendations on the draft Personal Data Protection Bill.  iSPIRT’s overall data privacy and data empowerment philosophy is covered here.  

Table of Contents

Major Comments
1. Include Consent Dashboards
2. Financial Understanding and Informed Consent for all Indians
3. Data Fiduciary Trust Scores Similar to App Store Ratings
4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data
5. Warn of Potential Credit and Reputation Hazards
6. A Right to View and Edit Inferred Personal Data
7. Sharing and Processing of Health Data

Suggestions and Questions

  • Fund Data Rights Education
  • Limit Impact Assessment Requirement
  • Passwords should be treated differently than other Sensitive Personal Data.
  • Does the Bill intend to ban automatic person-tagging in photos and image search of people?
  • Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.
  • Need for an Authority appeal process when data principal rights conflict
  • Do not outlaw private fraud detection
  • Limit record keeping use and disclosure to the Authority and the company itself.
  • Fillings may be performed digitally
  • Request for Definition Clarifications
  • Author Comments
  • Links
  • Appendix – Sample User Interface Screens

Major Comments

1. Include Consent Dashboards

We support the idea of a Consent Dashboard as suggested in the Data Protection Committee Report (page 38) and recommend it to be incorporated in the Bill in Section 26 – Right to Data Portability and Section 30 (2) Transparency.  

We envision all of a user’s personal and inferred data that is known by data fiduciaries (i.e. companies) being exposed on a consent dashboard, provided by a third party consent collector or account aggregator (to use the RBI’s parlance). Below is an example user interface:

This mandate would enable users to have one place – their consent collector-provided dashboard – to discover, view and edit all data about them. It would also allow users to see any pending, approved and denied data requests.

Furthermore, in the event of data breaches, especially when a user’s password and identifier (mobile, email, etc) have been compromised, the breach and recommended action steps could be made clear on the consent dashboard.

Given the scope of this suggestion, we recommend an iterative or domain specific approach, wherein financial data is first listed in a dashboard limited to financial data and for its scope to grow with time.

2. Financial Understanding and Informed Consent for all Indians

We applaud the Bill’s Right to Confirmation and Access (Chapter IV, Section 24):

The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.

That said, we’ve found in practice that it’s difficult to appreciate the implications of digital policies on users until real user interfaces are presented to end users and then tested for their usability and understanding. Hence, we’ve put together a set of sample interfaces (see Appendix) that incorporate many of the proposed bill’s provisions and our recommendations. That said, much more work is needed before we can confidently assert that most Indians understand these interfaces and what they are truly consenting to share.

The concepts behind this bill are complicated and yet important. Most people do not understand concepts such as “revocable data access rights” and other rather jargon-filled phrases often present in the discussion of data privacy rights. Hence, we believe the best practices from interface design must be employed to help all Indians – even those who are illiterate and may only speak one of our many non-dominant languages – understand how to control their data.

For example, multi-language interfaces with audio assistance and help videos could be created to aid understanding and create informed consent.  Toll-free voice hotlines could be available for users to ask questions. Importantly, we recognize that the interfaces of informed consent and privacy control need rigorous study and will need to evolve in the years ahead.

In particular, we recommend user interface research in the following areas:

  • Interfaces for low-education and traditionally marginalized communities
  • Voice-only and augmented interfaces
  • Smart and “candy-bar” phone interfaces
  • Both self-serving and assisted interfaces (such that a user can consensually and legally delegate consent, as tax-payers do to accountants).

After user interface research has been completed and one can confidently assert that certain interface patterns can be understood by most Indian adults, we can imagine that templated designs representing best practices are recommended for the industry, much like the design guidelines for credit card products published by US Consumer Financial Protection Bureau or nutritional labelling.

3. Data Fiduciary Trust Scores Similar to App Store Ratings

We support the government’s effort to improve the trust environment and believe users should have appropriate, easy and fast ways to give informed consent & ensure bad actors can’t do well. Conversely, we believe that the best actors should benefit from a seamless UI and rise to the top.

The courts and data auditors can’t be the only way to highlight good, mediocre and bad players. From experience, we know that there will be a continuum of good to bad experiences provided by data fiduciaries, with only the worst and often most egregious actions being illegal.

People should be able to see the experiences of other users – both good and bad – to make more meaningful and informed choices. For example, a lender that also cross-sells other products to loan recipients and shares their mobile numbers may not be engaging in an illegal activity but users may find it simply annoying.

Hence, we recommend that data fiduciary trust scores are informed with user-created negatives reviews (aka complaints) and positive reviews.

In addition to Data Auditors (as the Bill envisions), user created, public ratings will create additional data points and business incentives for data fiduciaries to remain in full compliance with this law, without a company’s data protection assessment being the sole domain of its paid data auditors.

We would note that crowd sourced rating systems are an ever-evolving tech problem in their own right (and subject to gaming, spam, etc) and hence, trust rating and score maintenance may be best provided by multiple market actors and tech platforms.

4. Comments & Complaints on Data Fiduciaries are Public, Aggregatable Data

…so 3rd party actors and civil society can act on behalf of users.

A privacy framework will not change the power dynamics of our society overnight. Desperate people in need of money will often sign over almost anything, especially abstract rights. Additionally, individual citizens will rarely to be able to see larger patterns in the behaviour of lenders or other data fiduciaries and are ill-equipped to fight for small rewards on behalf of their community.  Hence, we believe that user ratings and complaint data about data fiduciaries must be made available in machine-readable forms to not only to the State but to third-parties, civic society and researchers so that they may identify patterns of good and bad behaviour, acting as additional data rights watchdogs on behalf all of us.

5. Warn of Potential Credit and Reputation Hazards

We are concerned about the rise of digital and mobile loans in other countries in recent years. Kenya – a country with high mobile payment penetration and hence like India one that has become data rich before becoming economically rich – has seen more than 10% of the adult population on credit blacklists in 2017; three percent of all digital loans were reportedly used for gambling. These new loan products were largely made possible by digital money systems and the ability of lenders to create automated risk profiles based on personal data; they clearly have the potential to cause societal harm and must be considered carefully.

Potential remedies to widespread and multiple loans are being proposed (e.g. real-time credit reporting services), but the fact that a user’s reputation and credit score will be affected by an action (such as taking out a loan), most also be known and understood by users. E.g. Users need to know that an offered loan will be reported to other banks and if they don’t pay they will be reported and unable to get other loans.

Furthermore, shared usage-based patterns – such as whether a customer pays their bills on time or buys certain types of products – must be available for review by end users.

6. A Right to View and Edit Inferred Personal Data

The Machine Learning and AI community have made incredible strides in computers’ ability to predict or infer almost anything. For example, in 2017, a babajob.com researcher showed the company could predict whether a job seeker earned more or less than Rs 12000 / month with more than 80% accuracy, using just their photo.  She did this using 3000 job seeker photos, 10 lines of code and Google’s TensorFlow for Poets sample code.  Note the project was never deployed or made publicly available.

As these techniques become ever more commonplace in the years to come, it’s reasonable to assume that public facing camera and sensor systems will be able to accurately infer most of the personal data of their subjects – e.g. their gender, emotional state, health, caste, religion, income – and then connect this data to other personally identifiable data such as a photo of their credit card and purchase history. Doing so will improve training data so that systems become even more accurate. In time, these systems – especially ones with large databases of labelled photos – like the governments’, popular social networks’ or a mall’s point of sale + video surveillance system – truly will be able to precisely identify individuals and their most marketable traits from any video feed.

Europe’s GDPR has enshrined the right for people to view data inferred about them, but in conjunction with the idea of a third party consent dashboard or Account Aggregator (in the RBI’s case), we believe we can do better.

In particular, any entity that collects or infers data about an individual that’s associated with an identifier such as an email address, mobile, credit card, or Aadhaar number should make that data viewable and editable to end users via their consent dashboard.  For example, if a payment gateway provider analyses your purchase history and infers you are diabetic and sells this information as a categorization parameter to medical advertisers, that payment gateway must notify you that it believes you are diabetic and enable you to view and remove this data. Google, for example, lists these inferences as Interests and allows users to edit them:

Using the Consent Dashboard mentioned in Major Comment 1, we believe users should have one place where they can discover, view and correct all personal and inferred data relevant to them.

Finally, more clarity is needed regarding how data gathered or inferred from secondary sources should be regulated and what consent may be required. For example, many mobile apps ask for a user’s consent to read their SMS Inbox and then read their bank confirmation SMSs to create a credit score. From our view, the inferred credit score should be viewable by the end user before it’s shared, given its personal data that deeply affects the user’s ability to gain usage of a service (in this case, often a loan at a given interest rate).

7. Sharing and Processing of Health Data

The Bill requires capturing the purpose for data sharing:

Chapter II, point 5:

“Purpose limitation.— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.”

In the healthcare domain, collecting the purpose for which the data is being shared might itself be quite revealing. For example, if data is being shared for a potential cancer biopsy or HIV testing, the purpose might be enough to make inferences and private determinations about the patient and say deny insurance coverage. On the other hand, stating high-level, blanket purposes might not be enough for future audits. A regulation must be in place to ensure the confidentiality of the stated purpose.  

The Bill has a provision for processing sensitive personal data for prompt action:

Chapter IV, point 21:

“Processing of certain categories of sensitive personal data for prompt action. — Passwords, financial data, health data, official identifiers, genetic data, and biometric data may be processed where such processing is strictly necessary— (a) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal; (b) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or (c) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.”

While this is indeed a necessity, we believe that a middle ground could be achieved by providing an option for users to appoint consent nominees, in a similar manner to granting power of attorney. In cases of emergency, consent nominees such as family members could grant consent on behalf of the user. Processing without consent could happen only in cases where a consent nominee is unavailable or has not been appointed. This creates an additional layer of protection against misuse of health data of the user.

Suggestions and Questions

Fund Data Rights Education

We believe a larger, public education program may be necessary to educate the public on their data rights.

Limit Impact Assessment Requirement

Section 33 – Data Protection Impact Assessment —

  • Where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. …
  • On receipt of the assessment, if the Authority has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as may be issued by the Authority.

We believe that the public must be protected from egregious data profiling but this provision does not strike an appropriate balance with respect to innovation. It mandates that companies and other researchers must ask government permission to innovate around large scale data processing before any work, public deployments or evidence of harm takes place. We believe this provision will be a large hinderance to experimentation and cause significant AI research to simply leave India. A more appropriate balance might be to ask data fiduciaries to privately create such an impact assessment but only submit to the Authority for approval once small scale testing has been completed (with potential harms better understood) and large scale deployments are imminent.

Passwords should be treated differently than other sensitive personal data.

Chapter IV – Section 18. Sensitive Personal Data. Passwords are different than other types of Sensitive Personal Data, given that they are a data security artifact, rather than a piece of data that is pertinent to a person’s being. We believe that data protection should be over-ridden in extraordinary circumstances without forcing companies to provide a backdoor to reveal passwords. We fully acknowledge that it is useful and sometimes necessary to provide backdoors to personal data – e.g. one’s medical history in the event of a medical emergency – but to require such a backdoor for passwords would likely introduce large potential security breaches throughout the entire personal data ecosystem.  

Does the Bill intend to ban automatic person-tagging in photos and image search of people?

Chapter I.3.8 – Biometric Data – The Bill defines Biometric Data to be:

“facial images, fingerprints, iris scans, or any other similar personal data resulting from measurements or technical processing operations carried out on physical, physiological, or behavioural characteristics of a data principal, which allow or confirm the unique identification of that natural person;”

The Bill includes Biometric Data in its definition of Sensitive Personal Data (section 3.35) which may only be processed with explicit consent:

Section 18. Processing of sensitive personal data based on explicit consent. — (1) Sensitive personal data may be processed on the basis of explicit consent

From our reading, we can see a variety of features available today around image search and person tagging being disallowed based on these provisions. E.g. Google’s image search contains many facial images which have been processed to enable identification of natural persons. Facebook’s “friend auto-suggestion” feature on photos employs similar techniques. Does the Bill intend for these features and others like them to be banned in India? It can certainly be argued that non-public people have a right to explicitly consent before they are publicly identified in a photo but we feel the Bill’s authors should clarify this position. Furthermore, does the purpose of unique identification processing matter with respect to its legality?  For example, we can imagine mobile phone-based, machine learning algorithms automatically identifying a user’s friends to make a photo easier to share with those friends; would such an algorithm require explicit consent from those friends before it may suggest them to the user?

Notifications about updates to personal data should be handled by a Consent Dashboard, not every data fiduciary.

Chapter IV – Section 25.4 – Right to correction, etc

Where the data fiduciary corrects, completes, or updates personal data in accordance with sub-section (1), the data fiduciary shall also take reasonable steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion or updating, particularly where such action would have an impact on the rights and interests of the data principal or on decisions made regarding them.

We believe the mandate on a data fiduciary to notify all relevant entities of a personal data change is too great a burden and is better performed by a consent dashboard, who maintains which other entities have a valid, up-to-date consent request to a user’s data. Hence, upon a data change, the data fiduciary would update the consent dashboard of the change and then the consent dashboard would then notify all other relevant entities.

It may be useful to keep the user in this loop – so that this sharing is done with their knowledge and approval.

Need for an Authority appeal process when data principal rights conflict

Section 28.5 – General conditions for the exercise of rights in this Chapter. —  

The data fiduciary is not obliged to comply with any request made under this Chapter where such compliance would harm the rights of any other data principal under this Act.

This portion of the law enables a data fiduciary to deny a user’s data change request if it believes doing so would harm another data principal. We believe it should not be up to the sole discretion of the data fiduciary to determine which data principal rights are more important and hence would like to see an appeal process to the Data Protection Authority made available if a request is refused for this reason.

Do not outlaw private fraud detection

Section 43.1 Prevention, detection, investigation and prosecution of contraventions of law

(1) Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.

We worry the above clause would effectively outlaw fraud detection research, development and services by private companies in India. For instance, if a payment processor wishes to implement a fraud detection mechanism, they should be able to do so, without leaving that task to the State.  These innovations have a long track record of protecting users and businesses and reducing transaction costs. We recommend a clarification of this section and/or its restrictions to be applied to the State.

Limit record keeping use and disclosure to the Authority and the company itself.

Section 34.1.a. Record – Keeping –

The data fiduciary shall maintain accurate and up-to-date records of the following

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

We expect sensitive meta-data and identifiers will need to be maintained for the purposes of Record Keeping; we suggest that this Record Keeping information be allowed but its sharing limited only to this use and shared only with the company, its Record Keeping contractors (if any) and the Authority.

Fillings may be performed digitally

Section 27.4 – Right to be Forgotten

The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.

The Bill contains many references to filing an application;  we’d suggest a definition that is broad and includes digital filings.

This also applies to sections which include “in writing” – which must include digital communications which can be stored (for instance, email).

Request for Definition Clarifications

What is “publicly available personal data”?

  • Section 17.2.g – We believe greater clarity is needed around the term “publicly available personal data.“ There questionably obtained databases for sale that list the mobile numbers and addresses of millions of Indians – would there thus be included as a publicly available personal data?
  • We’d recommend that DPA defines rules around what is publicly available personal data so that it is taken out of the ambit of the bill.  
  • The same can be said for data where there is no reasonable expectation of privacy (with the exception that systematic data collection on one subject cannot be considered to be such a situation)

Clarity of “Privacy by Design”

Section 29 – Privacy by Design

Privacy by Design is an established set of principles (see here and in GDPR) and we would like to see the Bill reference those patterns explicitly or use a different name if it wishes to employ another definition.

Define “prevent continuing disclosure”

Section 27.1 – Right to be Forgotten

The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary…

We request further clarification on the meaning of  “prevent continuing disclosure” and an example use case of harm.

Define “standard contractual clauses” for Cross-Border Transfers

Section 41.3.5 – Conditions for Cross-Border Transfer of Personal Data

(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this subsection to any other person or entity.

We would like to standard contractual clauses clearly defined.

Define “trade secret”

Section 26.2 C – Right to be Forgotten

compliance with the request in sub-section (1) would reveal a trade secret of any data fiduciary or would not be technically feasible.

We request further clarification on the meaning of  “trade secret” and an example of the same.

Author Comments

Compiled by iSPIRT Volunteers:

Links

Comments and feedback are appreciated. Please mail us at [email protected].

Appendix – Sample User Interface Screens

Link: https://docs.google.com/presentation/d/1Eyszb3Xyy5deaaKf-jjnu0ahbNDxl7HOicImNVjSpFY/edit?usp=sharing

******

Policy Hacks On India’s Digital Sky Initiative 1.0

On August 27, 2018, India announced its much-awaited Civil Aviation Regulations (CAR) for drones. The new CAR had many improvements on the original draft published last year, but most important was the introduction of Digital Sky, a technology platform that would handle the entire process of regulating the registration and permissions for all Remotely Piloted Aircraft Systems above the nano category, i.e. any remote controlled or automated flying object – multi-rotor or fixed-wing, electric or IC-engine. These set of regulations along with the announcement of Digital Sky drone policy represent the government’s “Drone Policy 1.0”.

What this policy isn’t?

From the outset, one of the largest criticisms of the draft was its seeming omission of beyond visual line of sight flights, as well as those of fully-autonomous operations. Combined with a ban on delivery of items, it would seem like the government is pre-emptively clamping down on some of the most promises of Unmanned Aerial Vehicles before they even begin.

But on close inspection, the Ministry of Civil Aviation has made an interesting & what looks to be a promising decision in naming this policy as “1.0”. Through the various public comments made by the Minister of State for Civil Aviation, Jayant Sinha, it can be gathered that there is a phased-approach being adopted for the planning and implementation of the government’s strategy for unmanned aerial vehicles.

The more complex commercial operations will be rolled out atop the digital platform, allowing the government to test the waters before allowing potentially risky operations.

At iSPIRT, we appreciate this data-driven, innovation-friendly yet safety-first approach that has been inherent to all of civil aviation.

What does the policy say?

The policy lays out a general procedure for registering, and taking permissions to fly for every type of remotely piloted aircraft system (RPAS). A good summary of the regulations themselves, what you need to fly, what you can and cannot do is given here. We will be focussing this blog post on mystifying Digital Sky and the surrounding technology – How it works, what it does and what should private players be doing about it.

What is Digital Sky?

Digital Sky is essentially a barebones Unmanned Aircraft Traffic Management system. An Unmanned Traffic Management is to drones what ATC is to aircraft. Most countries are looking to external UTM providers to build and run this digital enabling infrastructure. The government of India, in continuing its digital infrastructure as public goods tradition, has decided to build and run its own UTM to ensure that this critical infrastructure system remains committed to interoperability and is free from the risks of vendor capture in the long run. Digital Sky is the first version of such a UTM for managing drone flights in both controlled as well as uncontrolled airspaces.

For consumers, Digital Sky essentially constructed of three layers. The three layers are Online Registrations, Automated Permissions and Analytics, Tracking and Configurable Policies.

Online Registrations are the layers that onboard operators, pilots, RPAS and manufacturers on to the Digital Sky Platform. It will be a fully digital process, and applicants can track their applications online. All registered users will have an identity number, including the RPAS, which will get a Unique Identification Number (UIN). There is a private key attached to the UIN allowing the drone to prove it is who it claims to be through digital signatures.

Automated Permissions is the transaction layer that digitizes the process of seeking airspace clearance. Using Open APIs or a portal provided by the government, drones can directly seek permissions by specifying the geographic area, time of operations & pilot registration id, signed with the UIN of drone. In response to the API call or portal request, an XML file digitally signed by the DGCA is generated. This XML response is called the Permission Artefact.

All RPAS sold in India under the new policy must carry firmware that can authenticate such a Permission Artefact. Further, they must confirm that the flight parameters of the current mission match those given in the authenticated Permission Artefact. If these parameters do not match, the RPAS must not arm. This condition is referred to simply as No Permission, No Takeoff or NPNT. Thus, the requirement is that any RPAS (except nano) operated in India should be NPNT compliant. We will cover what it means to be NPNT compliant in part two of this series.

To deal with areas of low connectivity, this authenticated request can be carried prior to the flight itself, when connectivity is available. The Permission Artefact can be stored, carried and read offline by an NPNT-compliant RPAS with a registered UIN. Thus flight operations in remote or low-connectivity areas will not be severely impacted. While this seems tedious, it promises to be a lot easier than the draft regulations, which required the filing of flight plans 60 days in advance.

Digital Sky will classify all existing airspace into three colour-coded zones: Green Zones are where drones are pre-authorized to fly, but must still obtain a permission artefact to notify the local authorities of their intent to fly. On applying for permission, a permission artefact is returned instantly. Red Zones are where drone operations are forbidden from taking place. This includes areas such as airports, borders and other sensitive areas. Amber Zones are areas restricted by appropriate reasons as mentioned in the CAR where additional permissions are required. These requests are also initiated and managed through the Digital Sky Platform

Analytics, Tracking & Configurable (ATC) Policies is a shorthand for the regulatory functions that the DGCA will carry out to regulate the use of airspace by unmanned aircraft. It involves functions such as the classification of Red, Amber & Green zones, deconfliction of overlapping flights, incident response, etc.

The MoCA has articulated its desire for an ecosystem-driven approach to building out the drone industry. From an earlier draft of the No Permission No Takeoff technical document shared with manufacturers, it is expected that this layer of Digital Sky will be opened up to private players labelled as Digital Sky Service Providers (DSPs). We will cover more about Digital Sky Service Providers in part three of this series.

Conclusion

Digital Sky appears to be a move towards a more data-driven, phased-approach to policy and regulation for emerging technology. It is a global first and offers a truly forward-looking approach compared to most other nations.

For operators, in the long term, a formal system leads to an eco-system of authorised players, increase in trust, and rise of a legitimate industry. 

Note:  We have been actively following the Digital Sky policy development, Intend to bring in Part two of this blog after an active role out and implementation starts.

Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does

On behalf of iSPIRT, Sanjay Jain recently published an opinion piece regarding the recent supreme court judgement on the validity of Aadhaar. In there, we stated that section 57 had been struck down, but that should still allow some usage of Aadhaar by the private sector. iSPIRT received feedback that this reading may have been incorrect and that private sector usage would not be allowed, even on a voluntary basis. So, we dug deeper, and analyzed the judgement once again, this time trying to disprove Sanjay’s earlier statement. So, here is an update:

Section 57 of the Aadhaar act has NOT been struck down!

Given the length of the judgement, our first reading – much like everyone else’s was driven by the judge’s statement and confirmed by quickly parsing the lengthy judgement. But in this careful reanalysis, we reread the majority judgement at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remain, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we look at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin!

Revisiting Section 57

Here is the original text of section 57 of the Aadhaar Act

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Now, let us simply read through the operating part of the order with reference to Section 57, ie. on page 560. This is a part of paragraph 447 (4) (h). The judges broke this into 3 sections, and mandated changes:

  1. ‘for any purpose’ to be read down to a purpose backed by law.
  2. ‘any contract’ is not permissible.
  3. ‘any body corporate or person’ – this part is struck down.

Applying these changes to the section, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose a purpose backed by law, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Cleaning this up, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgement does not completely invalidate the use of Aadhaar by private players, but rather, specifically strikes down the use for “any purpose [..] by any body corporate or person [..] (under force of) any contract”. That is, it requires the use of Aadhaar be purpose-limited, legally-backed (to give user rights & protections over their data) and privacy-protecting.

As an exercise, we took the most conservative interpretation – “all private use is struck down in any form whatsoever” – and reread the entire judgement to look for clues that support this conservative view.

Instead, we found that such an extreme view is inconsistent with multiple other statements made by the judges. As an example, earlier discussions of Section 57 in the order (paragraphs 355 to 367). The conclusion there – paragraph 367 states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion and not an operative clause of the judgement. But even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

The court could have simply struck down the linking specifically because most banks and telcos are private companies. Instead, they applied their mind to the orders which directed the linking as mandatory. This further points to the idea that the court does not rule out the use of Aadhaar by private players, it simply provides stricter specifications on when and how to use it.

What private players should do today

In our previous post, we had advised private companies to relook at their use of Aadhaar, and ensure that they provide choice to all users, so that they can use an appropriate identity, and also build in better exception handling procedures for all kinds of failures (including biometric failures).

Now, in addition to our previous advice, we would like to expand the advice to ask that each company look at how their specific use case draws from the respective acts, rules, regulations and procedural guidelines to ensure that these meet the tests used by this judgement. That is, they contain adequate justification and sufficient protections for the privacy of their users.

For instance, banks have been using Aadhaar eKyc to open a bank account, Aadhaar authentication to allow operation of the bank accounts, and using the Aadhaar number as a payment address to receive DBT benefits. Each of these will have to be looked at how they derive from the RBI Act and the regulations that enable these use cases.

These reviews will benefit from the following paragraphs in the judgement.

The judgement confirmed that the data collected by Aadhaar is minimal and is required to establish one’s identity.

Paragraph 193 (and repeated in other paras):

Demographic information, both mandatory and optional, and photographs does not raise a reasonable expectation of privacy under Article 21 unless under special circumstances such as juveniles in conflict of law or a rape victim’s identity. Today, all global ID cards contain photographs for identification alongwith address, date of birth, gender etc. The demographic information is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions …

The judgement has a lot to say in terms of what the privacy tests should be, but we would like to highlight two of those paragraphs here.

Paragraph 260:

Before we proceed to analyse the respective submissions, it has also to be kept in mind that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21…

Paragraph 289:

‘Reasonable Expectation’ involves two aspects. First, the individual or individuals claiming a right to privacy must establish that their claim involves a concern about some harm likely to be inflicted upon them on account of the alleged act. This concern ‘should be real and not imaginary or speculative’. Secondly, ‘the concern should not be flimsy or trivial’. It should be a reasonable concern…

Hence, the privacy risk in these use cases must be evaluated in terms of the data in the use case itself, as well as in relation to biometrics, and the Aadhaar number in the context of the user’s expectations, and real risks. Businesses must evaluate their products, and services – particularly those which use Aadhaar for privacy risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual Ids, Tokenization, QR Codes on eAadhaar, etc. which must be used for this purpose.

What private players should do tomorrow

In the future, the data protection bill will require a data protection impact assessment before deploying large scale systems. It is useful for businesses to bring in privacy and data protection assessments early in their development processes since it will help them better protect their users, and reduce potential liability.

This is a useful model, and we would hope that, in light of the Supreme Court judgement, the Government will introduce a similar privacy impact review, and provide a mechanism to regulate the use of Aadhaar for those use cases, where there are adequate controls to protect the privacy of the users and to prevent privacy harms. Use cases, and an audit/enforcement mechanism matter more than whether the entity is the state, a public sector organization, or a private sector organization.

Note: This is in continuation of Sanjay Jain’s previous op-ed in the Economic Times which is available here and same version on the iSPIRT blog here.

The writer is currently Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many of the APIs of the India Stack.  He was the Chief Product Manager of UIDAI till 2012

(Disclaimer: This is not legal advice)

How To Empower 1.3 Billion Citizens With Their Data

2018 has been a significant year in our relationship with Data. Globally, the Cambridge Analytica incident made people realise that democracy itself can be vulnerable to data.  Closer to home, we got a first glimpse at the draft bill for Privacy by the Justice Sri Krishna Committee.

The writing on the wall is obvious. We cannot continue the way we have. This is a problem at every level – Individuals need to be more careful with whom they share their data and data controllers need to show more transparency and responsibility in handling user data. But one cannot expect that we will just organically shift to a more responsible, transparent, privacy-protecting regime without the intervention of the state. The draft bill, if it becomes law, will be a great win as it finally prescribes meaningful penalties for transgressions by controllers.

But we must not forget that the flip side of the coin is that data can also help empower people. India has much more socio-economic diversity than other countries where a data protection law has been enacted. Our concerns are more than just limiting the exploitation of user data by data controllers. We must look at data as an opportunity and ask how can we help users generate wealth out of their own data. Thus we propose, that we should design an India-specific Data Protection & Empowerment Architecture (DEPA). Empowerment & Protection are neither opposite nor orthogonal but co-dependent activities. We must think of them together else we will miss the forest for the trees.

In my talk linked below which took place at IDFC Dialogues Goa, I expand more on these ideas. I also talk about the exciting new technology tools that actually help us realise a future where Data can empower.

I hope you take away something of value from the talk. The larger message though, is that it is still early days for the internet. We can participate in shaping its culture, maybe even lead the way, instead of being passive observers. The Indian approach is finding deep resonance globally, and many countries, developing as well as developed, are looking to us for inspiration on how to deal with their own data problem. But it is going to take a lot more collaboration and co-creation before we get there. I hope you will join us on this mission to create a Data Democracy.

AI/ML Shift for SaaS Companies: Insights from SaaSx Fifth Edition

Early stage SaaS startups typically struggle with one of two things. When you are just starting out, the first struggle is all about mere survival. Will we find customers willing to use and pay for our product ? Good teams typically manage to find ways to negotiate that first challenge. The playbook has been sufficiently commoditized that if you execute well enough, you can actually succeed in getting those early customers. Its a challenge for sure, but is getting easier and cheaper to overcome — which takes me to the second challenge. Once you survive that initial phase, how do you continue to stay relevant and grow? For if you don’t grow, you’ve only prolonged the inevitable and will likely get disrupted into irrelevance by the next upstart that comes along. When you play in a commodity market, that’s the sad reality.

If you find yourself gaining customer adoption, you can be fairly certain that competition isn’t far behind. Unless you find a way to establish sustainable differentiation while you have that head start, you will ultimately die. And that differentiation now increasingly comes down to the value of the data flowing through your platform and how you are able to leverage it better than your competition. In other words, if you are not thinking about constantly learning from the data that you are gathering and enabling implicit intelligence via your products, the odds of survival are going to be stacked against you. Given the significance this topic carries for us at Swym, I was really excited to have the chance to sit in on Ashwini Asokan and Anand Chandrasekaran’s session on AI/ML for SaaS at SaaSx5. And they most certainly didn’t disappoint. With a lucidly laid out argument, their talk served as a strong wake-up call for the SaaS founders in the room that weren’t sufficiently worrying about this topic.

SaaS growth is slowing

Ashwini started out by underscoring the fact that SaaS growth was slowing in general. There’s no denying that most solutions are rapidly becoming commoditized — building a good product has gotten fairly prescriptive, costs have come down and barriers to customer adoption are a lot lower than they used to be. That inevitably leads to markets getting very crowded, making survival increasingly difficult. If you don’t stand out in very defensible ways, you will perish. To make matters worse, AI is slowly but surely causing entire categories of work to disappear — Customer Support, SDRs, Financial/Market Analysts, to name just a few examples. If those workers were your market and you were helping them be more efficient, you are in trouble because your market is disappearing with them. You better be evolving from being software that’s serving those people that in turn serve a function, to actually serving the function itself. Of course you do this with human assistance, but in a progressively intelligent fashion that makes you indispensable.

Embrace the platform mindset

In order to stay relevant, you really need to create a viable roadmap for yourself to graduate from being a simple feature that’s part of a larger platform (No one likes being told they are nothing but a feature, but this really is where most early stage SaaS products sit today) to becoming the platform itself over time. It can most certainly be done because the opportunity exists, and the access you have to your data and how you are able to leverage it is likely to be the most effective weapon to get you there. Think really hard about new use cases you can light up, automations you can now enable, important solutions that hitherto weren’t possible or practical — enabling those capabilities is what will give you stickiness. And you can in turn leverage that stickiness to allow others to build on the data platform you’ve created to expand your moat. Easier said than done of course, but it is the only path to staying relevant. Alexa, Salesforce, Adobe, Hubspot, and most recently Stripe with their just announced app store, all come to mind as stellar examples of execution on this strategy.

How should I be thinking about Data Science?

Anand followed that up with some really good advice on how to go about this, especially touching on what not to do, and it was clearly resonating with the audience. For instance, when he highlighted the fact that most AI initiatives that start with “Here’s the data I have…what can I do with it?” are doomed from the get go, a lot of heads in the room were nodding in agreement — seemed like a pretty common trap that folks had fallen into. Instead, his advice was to identify the end goal that mattered first, with the caution that this could be deceptively challenging. Once that goal is well understood, then focus on the data you have and the gaps that exist — and your challenge basically boils down to filling those gaps and cleansing/validating your data. Those are your most critical, time-consuming steps in the process for once you get the data quality you want, it becomes much simpler to build and iterate your model around that and figure out how to engineer this into a repeatable part of your workflow. The sub par data quality is one of the most common causes for AI projects “failing” and no amount of modeling proficiency will save you from bad data or a poorly understood problem statement.

Get on the train, but don’t lose sight of what got you here

I’m really glad to have had the benefit of listening to their talk in person, and now that I’ve let the arguments sink in over the past couple of weeks, a few truths have become indisputably clear in my head. The AI shift is not one you can ignore as a SaaS founder. If you don’t get on the train, you’ll likely end up under it. And no, getting on the train doesn’t mean simply attaching a “.ai” to your domain name and claiming success. It really comes down to internalizing your vision for why you exist, identifying in very clear terms how your roadmap to making that vision a reality will need to evolve given the AI shift. How do you see your problem space changing in the the next 2–5 years thanks to AI, and what does that mean for you? And given your existing strengths, what can you do to make the most of that shift?

Its important to remember that a lot of the fundamentals of a good SaaS story still don’t change. For instance, a sound distribution strategy is still very much necessary, for without sustainable access to customers, the rest of it is moot. Likewise, you want to be able to protect the access you have to your most valuable asset, your data) and lower the barriers enough for adjacent players to be able to work seamlessly with your offering. All those advantages you have still very much matter. Really, the biggest mental shift you need to make is thinking very deliberately about how the world around you is changing because of AI, and how you leverage those strengths so you continue to have proprietary access to the data you need and become an integral part of that change.

The article is authored by our volunteer Arvind Krishnan, CEO & Founder – Swym Technologies.

Deeper Strategic Partnerships – Pitching for Significant Scale and Co-Creating the Value

David Vs. Goliath had a happy ending, but the odds of beating Goliath as a startup are slim and most startups do not have a fairytale ending, unless…

At SaaSx5, I had the opportunity to hear Vijay Rayapati share his story of Minjar. This was a fairy tale with all the right ingredients that kept you engrossed till the end. With angels (investors) on their side, along with Minjar and Vijay’s prior experience, Minjar could have faced many Goliaths in their journey. Instead of going the distance alone, Vijay followed the Potential Strategic Partner (PSP) playbook (Magic Box Paradigm) and identified one in AWS. His reasons were clear, one of the biggest challenges a startup faces is distribution. And, a PSP can open several doors instantly, making distribution easier, revenue growth faster and gives the startup multiple options. As a startup, you need to think about a PSP early in the game at the “Flop” and not at the “Turn”. You need time to develop a PSP and you need to start early.

Identifying a PSP in your vertical maybe easy, but building a relationship with them is the hardest. It requires continuous investment of time to build the bond with the PSP such that they become the biggest evangelist of your product. This involves building relationships with multiple people at the PSP -from Business, Product & Tech- to make sure you have the full support from the company to scale this relationship without roadblocks. In the case of Minjar, with AWS as their PSP, it opened roads to customers, built their brand and also increased the value of the company. One of the highlights of the Minjar story was about the CTO of AWS, evangelizing the product at their conference. As Vijay ascertained “Invest time in people who can bring visibility and credibility to your company”. Focusing on these people is a sales channel by itself, and a Founder has to be involved in building that channel when it shows glimmers of hope. The Minjar story had a happy ending, because they invested more time in building their PSP relationship and limiting other marketing activities: they did not spread themselves too thin. This involved multiple operational changes like training, presenting thought leadership & co-selling at conferences, and making sure the end users at the PSP are successful in using your product.  It is also important to note that a partnership is not a reseller or transactional relationship. A partnership is a relationship of strengths, in which each entity brings unique skills and together provides exponential value to the end customer. Partnerships work when you have champions leading on both sides of the table and one of the best outcomes a PSP can provide to a startup is a strategic acquisition. A PSP is one of the best ways for a startup to exit, especially if you have not raised a lot of capital.

At Tagalys we have tried to develop relationships with PSPs; twice, and we seem to be making good progress today after one failed attempt. My learnings resonate with Vijays’ and some of them are

Persona: Not every large enterprise, who might also serve your target customer, is a valid PSP. An enterprise is an ideal PSP if the value you provide as a startup is something that can be incorporated into the product or process of the Enterprise, and without which the end value of the enterprise depreciates. If your startup is not important to the customers of the PSP, then they are not a match for your startup.

Timing: In your early days, a startup needs to focus on customers, customers and more customers. A PSP is likely to work with you only if you are part of the affordable loss for them. Very early in your stage the risk is too high for the PSP to consider the relationship an affordable loss. Remember, you are adding value to the PSP, hence any risk in the value proposition you bring to the table, is a risk to the end customer. Only after having proven your value to your own customers, will a PSP be willing to take you to their customer.

Credibility: Today, Tagalys works with many recognizable customers in the country and that makes the process of gaining credibility & trust easier. Your product is only as good as what your customer says it is. For a PSP to work, you need buy in from stake holders like the CEO, CTO & Product Managers and they are going to put their neck on the line if they can trust you. Customer references are the best channels to gain trust.

Lifecycle: As CEO, I have time to invest in meeting with various stakeholders at the PSP because our product is in steady state. This steady state of the product is theright time to speak with a PSP because your team can take on this additional responsibility. We also have a clear understanding of our expected outcomes, risks and upside in working with the PSP, hence our conversations are well guided and makes the discussion very productive.

Bill of Materials: While Tagalys is a line item in what the PSP provides to the market, we are an important line item who can potentially extrapolate the end value provided to the customer.

Not every startup can find a strategic partner, but one thing is for certain, as Vijay said, “You miss 100% of the shots you do not take”.

Antony Kattukaran is the Founder & CEO of Tagalys. Tagalys is a merchandising engine for online retailers, dynamically predicting what products to display across search & listing pages to increase conversion.

Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products

‘Digital India’ is one of the flagship programmes of the Government of India (GoI) with an aim to transform the country into a digitally empowered economy. Given the massive push that the government is giving to this programme, some radical changes have taken place across the country at both the public as well as at the government level in terms of digitization. However, it is also a reality that the growing digitization has increased vulnerability to data breaches and cyber security threats.

According to the Indian Computer Emergency Response Team (CERT-In), more than 22,000 Indian websites, including 114 government portals were hacked between April 2017 and January 2018, including the Aadhaar data leak in May 2017. These incidents clearly emphasized a strong need for cyber security products to tackle the threat to India’s digital landscape. In fact, last year, the Union Ministry of Electronics & Information Technology (MeitY) had directed all ministries to spend 10% of their IT budgets on cyber security and strengthen the Government’s IT structure in the wake of cyber threats.

Now, in order to be prepared for cyber breaches, the government entities need sophisticated security products and solutions. Currently, there is a heavy reliance on the foreign manufacturers to source these products as there are a handful of domestic players operating in this space. MeitY had issued a draft notification in June 2017 stating its preference to procure domestic cyber security products and give further impetus to the government’s flagship programme ‘Make in India’, thereby also boosting income and employment in the country.

The good news is that now the government has mandated ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy which was released on July 2, 2018. With this policy in place, the local manufacturers will get the much required clarity and support to produce cyber security products. As the participation of domestic players increases in the cyber security industry, it will not only make the digital economy stronger and safer for the nation, but also enhance the ability of the suppliers to compete at a global business level. At the same time, it will also give an opportunity to foreign players to invest in the Indian cyber security product manufacturers which in turn will enable India to channel more FDI into the economy.

Let’s take a look at the key highlights of this policy are:

What is the objective?

Cyber Security being a strategic sector, preference shall be provided by all procuring entities to domestically manufactured/produced cyber security products to encourage ‘Make in India’ and to promote manufacturing and production of goods and services in India with a view to enhancing income and employment

Who are the procuring entities?

Ministry or department or attached or subordinate office of, or autonomous body controlled by the Government of India (GoI) which includes government companies.

Who qualifies to be a ‘local supplier’ of domestically manufactured/produced cyber security products?

A company incorporated and registered in India as governed by the applicable Act (Companies Act, LLP Act, Partnership Act etc.) or startup that meets the definition as prescribed by DIPP, Ministry of Commerce and Industry Government of India under the notification G.S.R. 364 (E) dated 11th April 2018 and recognized under Startup India initiative of DIPP.

 AND

Revenue from the product(s) in India and revenue from Intellectual Property (IP) licensing should accrue to the aforesaid company/startup in India.

How big is the government opportunity?

There is a huge government opportunity waiting to be leveraged, especially because MeitY had asked all ministries to spend 10% of their IT budgets on cyber security.

What are the key benefits of the policy to the local supplier?

The main benefits of the policy that local suppliers can avail are:

  • Procurement of goods from the local supplier if the order value is Rs.50 lacs or less.
  • For goods that are divisible in nature and the order value being more than Rs.50 lacs, procurement of full quantity of goods from the ‘local’ supplier if it is L1 (refer the note below). If not, at least 50% procurement from the local supplier subject to the local suppliers’ quoted price falling within the margin of purchase preference.
  • For goods that are not divisible in nature and the order value being more than Rs50 lacs, the procurement of the full quantity of goods from the local supplier if it is L1. If not, then the local supplier will be invited to match the L1 bid and the contract will be awarded to the local supplier on matching the L1 price.
  • The cyber security products notification shall also be applicable to the domestically manufactured/produced cyber security products covered in turnkey/system integration projects. In such cases the preference to domestically manufactured/produced cyber security products would be applicable only for the value of cyber security product forming part of the turnkey/ system-integration projects and not on the value of the whole project.

Note: L1 means the lowest tender or lowest bid or lowest quotation received in a tender, bidding process or other procurement solicitation as adjudged in the evaluation process as per the tender or other procurement solicitation.

How do I get my cyber security product listed to start getting the benefits of this policy?

You need to get your product evaluated and approved by the empowered committee of the government.

The ‘Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products’ policy is a commendable step in the direction of providing a robust leap to ‘Digital India’ and ‘Make in India’ programmes.

Get complete details about the policy here. You can also reach the author for more details @ [email protected]

About Author:

Ashish Tandon, Founder & CEO – Indusface

Ashish Tandon a first-generation entrepreneur with a rare combination of strong technology understanding and business expertise has successfully lead and exited several ventures in the areas of security, internet services and cloud based mobile and video communication solutions. Under his leadership as founder & CEO, Indusface a bootstrapped, fast growing and profitable company, has been recognized as an award-winning Application Security company with over 1000+ global customers and a multi-million $ ARR. He is also closely associated with the government and industry bodies of India in drafting of the various Software Product & Security related acts, regulations & policies. Connect with him on LinkedIn or Twitter.

Scaling Sales: A Deep Dive At SaaSx Fifth Edition

As a first time attendee of iSPIRT‘s annual SaaSx conference, I didn’t know what to expect as we drove along the western coast of India towards Mahabalipuram – the venue for SaaSx5. From all the chatter around the event on Twitter, it looked like the who’s who of SaaS leaders in India were attending. Upon arrival, I took my seat with my colleague and looked around. There were only about 100 people in the room, very different from most conferences I’d attended in the past – a lot more exclusive, and a melting pot of SaaS founders building a diverse set of products. It had all the markings of an inspiring day, and it did not disappoint.

Starting with a keynote from the estimable founder of Zoho, Sridhar Vembu, the day was packed with talks and discussions focused on growing one’s SaaS company in the current technology landscape, primarily led by founders of notable SaaS companies of the country. One such event was an unconference on “Setting up and Scaling Sales across Segments and Geographies”, led by Ashwin Ramasamy from PipeCandy.

Picture this: about 80 founders seated in a room, circled around Ashwin who was leading the conversation about setting up and scaling your sales team. Since the flat organizational hierarchy at SignEasy, and the culture of openness at the company provide me with a wonderful vantage point of all functions across our company, including sales, I was eager to listen to the different perspectives that the founders brought to the table. At the start of the discussion, Ashwin graciously asked the audience for talking points they’d like covered, and the discussion began. A plethora of topics were discussed, starting from the very definition of inside sales, leading up to when and why to deploy an inside-sales team. Hiring and putting together the right sales team, including whether it should be in-house or outsourced, was another hot topic of debate with many founders offering their own experiences and perceptions.

The conversation then steered towards outbound sales and the mechanics and economics of that, which contributed to some of the biggest takeaways for me – things that cannot be found in a book and are only learned through experience.

The success rate of outbound sales peaks at 2%, as opposed to the 40-50% success rate you come to expect with inbound sales. This was an interesting insight, as it’s easy to assume your outbound effort is underperforming when it could actually be doing quite well. Also, you should use the interest you’re receiving through the inbound channel to refine your outbound strategy – your inbound interests are a goldmine of information on the kind of industries, company sizes, and job functions your potential customers represent. At SignEasy, we are constantly honing our outbound target by capturing as much information as possible from our inbound requests.


Further, the efficacy of your outbound sales effort is a direct function of the maturity of the market you’re in – for a saturated market with tens of other competitors, outbound usually fails to make a mark because it’s difficult to grab a potential customer’s attention. This is a great rule of thumb to decide if outbound is for you, depending on the market your product serves.

Outbound sales also requires dedicated effort rather than a ‘spray and pray approach’ – a minimum 6-month commitment is crucial to the success of your outbound strategy. Founders should be deeply involved in this initial effort, sending out 500 emails a day for at least 3 months, and tweaking and iterating through them as they get to the most effective email. It’s also important to dedicate yourself to a channel when experimenting, but also experiment and exhaust numerous channels over time to zero in on the most effective ones.


The value of this discussion, and indeed the day, was best expressed by the ferocity with which my colleague and I took notes and wrote down every piece of advice that was being dropped around the room. Being product leads of the SMB business and mobile products respectively, Phalgun and I were amazed at how much we could relate to each point being discussed, having been through and living the journey first-hand ourselves at SignEasy.

SaaSx5 was nothing short of inspiring, and we emerged from it feeling uber-optimistic about SaaS in India, and what the future holds

This blog is authored by Apoorva Tyagi, Product at SignEasy

Data Privacy and Empowerment in Healthcare

Technology has been a boon to healthcare. Minimally-invasive procedures have significantly increased safety and recovery time of surgeries. Global collaboration between doctors has improved diagnosis and treatment. Rise in awareness of patients has increased the demand for good quality healthcare services. These improvements, coupled with the growing penetration of IT infrastructure, are generating huge volumes of digital health data in the country.

However, healthcare in India is diverse and fragmented. During an entire life cycle, an individual is served by numerous healthcare providers, of different sizes, geographies, and constitutions. The IT systems of different providers are often developed independently of each other, without adherence to common standards. This fragmentation has the undesirable consequence of the systems communicating poorly, fostering redundant data collection across systems, inadequate patient identification, and, in many cases, privacy violations.

We believe that this can be addressed through two major steps. Firstly, open standards have to be established for health data collection, storage, sharing and aggregation in a safe and standardised manner to keep the privacy of patients intact. Secondly, patients should be given complete control over their data. This places them at the centre of their healthcare and empowers them to use their data for value-based services of their choice. As the next wave of services is built atop digital health data, data protection and empowerment will be key to transforming healthcare.

Numerous primary health care services are already shifting to smartphones and other electronic devices. There are apps and websites for diagnosing various common illnesses. This not only increases coverage but also takes the burden away from existing infrastructures which can then cater to secondary and tertiary services. Data shared from devices that track steps, measure heartbeats, count calories or analyse sleeping patterns can be used to monitor behavioural and lifestyle changes – a key enabler for digital therapeutic services. Moreover, this data can not only be used for monitoring but also for predicting the onset of diseases! For example, an irregular heartbeat pattern can be flagged by such a device, prompting immediate corrective measures. Thus, we see that as more and more people generate digital health data, control it and utilise it for their own care, we will gradually transition to a better, broader and preventive healthcare delivery system.

In this context, we welcome the proposed DISHA Act that seeks to Protect and Empower individuals in regards to their electronic health data. We have provided our feedback on the DISHA Act and have also proposed technological approaches in our response. This blog post lays out a broad overview of our response.

As our previous blog post articulates the principles underlying our Data Empowerment and Protection Architecture, we have framed our response keeping these core principles in mind. We believe that individuals should have complete control of their data and should be able to use it for their empowerment. This requires laying out clear definitions for use of data, strict laws to ensure accountability and agile regulators; thus, enabling a framework that addresses privacy, security and confidentiality while simultaneously improving transparency and interoperability.

While the proposed DISHA Act aligns broadly with our core principles, we have offered recommendations to expand certain aspects of the proposal. These include a comprehensive definition of consent (open standards, revocable, granular, auditable, notifiable, secure), distinction between different forms of health data (anonymization, deidentification, pseudonymous), commercial use of data (allowed for benefit but restricted for harm) and types and penalties in cases of breach (evaluation based on extent of compliance).

Additionally, we have outlined the technological aspects for implementation of the Act. We have used learnings from the Digital Locker Framework and Electronic Consent Framework (adopted by RBI’s Account Aggregator), previously published by MeitY. This involves the role of Data Fiduciaries – entities that not only manage consent but also ensure that it aligns with the interests of the user (and not with those of the data consumer or data provider). Data Fiduciaries only act as messengers of encrypted data without having access to the data – thus their prime task remains managing the Electronic Data Consent. Furthermore, we have highlighted the need to use open and set standards for accessing and maintaining health records (open APIs), consented sharing (consent framework) and maintaining accountability and traceability through digitally verified documents. We have also underscored the need for standardisation of data through health data dictionaries, which will open up the data for further use cases. Lastly, we have alluded to the need to create aggregated anonymised datasets to enable advanced analytics which would drive data-driven policy making.

We look forward to the announcement and implementation of the DISHA Act. As we move towards a future with an exponential rise in digital health data, it is critical that we build the right set of protections and empowerments for users, thus enabling them to become engaged participants and better managers of their health care.

We have submitted our response. You can find the detailed document of our response to DISHA Act below

The History and Future of Angel Tax

“I propose a series of measures to deter the generation and use of unaccounted money. To this end, I propose:

Increasing the onus of proof on closely held companies for funds received from shareholders as well as taxing share premium in excess of fair market value.”

When ex-Finance Minister Pranab Mukherjee introduced angel tax in 2012, it created an uproar in the fledgeling startup and angel investor community. While the purpose of this section was to reduce money laundering by imposing the hefty tax rate of 30.9 percent, it had several inadvertent consequences.

There were several cases of money laundering by Jaganmohan Reddy that were caught by the Enforcement Directorate, who revealed that people had “paid bribes to Reddy in the form of investments at exorbitant premiums in his various companies to the tune of Rs 779.50 crores apart from making payment of Rs 57 crores to him in the guise of secondary purchase of shares and donation of Rs 7 crores to the YSR Foundation”.

To prevent such abuses of the law, the government clamped down and stated that any unjustified share premium given by a private company would be taxed as income in their hands. But to catch one culprit, they threw the book at many innocents. The relevant law known as section 56(2)(viib) of the Income Tax Act came to be known as the angel tax section. Many startups which are private companies and had issued shares at a premium to angel investors ended up facing notices from the tax authorities under this section. This premium is treated as income in their hands, classified as “income from other sources” and taxed at the maximum marginal rate of tax.

The ‘Startup India’ initiative changed all that. Under the stewardship of the Honourable Prime Minister, startups became a focus area. As per the ten points in the Action Plan, if a startup was registered post- April 1, 2016, then the angel tax was not applicable to the startups. The move had helped startups operating in that area, but a problem still existed for startups that were incorporated before 2016. In fact, in December 2017, many startups received notices and orders for the Financial Year 2013-14. A few entrepreneurs who faced income tax notice hassles launched an e-petition called Change.org in January 2018 so that the government could take some concrete action in Budget 2018.

iSPIRT has taken up the matter with MoF and DIPP on the same. We had made some representations to MoF specifically before the budget. In the budget, the Finance Minister made a statement on continued assistance to the Angel Ecosystem. Due to rigorous efforts that went into sharing of information by these startups, we have recently seen MoF making the welcome announcement.

As per the latest announcement, angel tax would not be applicable on startups which are incorporated before 2016, fulfil the criteria under Startup India Policy and have been granted angel funding up to Rs10 crores. It is believed that at least 300 startups will get a breather from angel tax. The government is also likely to establish a separate committee for the recognition of startups that meet these criteria.

In a further relief to startups, the Finance Secretary Hasmukh Adhia also announced that income tax officers would not take precipitate action and will proceed only after the first set of appeals decided in appellate cases. The exact phrase they used was “no coercive action”, which helped many startups heave a collective sigh of relief. All pending appeals by March 31, 2018, will be quickly addressed.

If you are a startup and need further guidance on angel tax, you should follow the steps below:

  1. Register at DIPP for a startup even if you were incorporated before 2016 and currently are still a startup as defined by DIPP by logging onto this site and filling up the form at https://www.startupindia.gov.in/registration.php.
  2. If you are a startup as per DIPP definition, then get your DIPP certification. All startups which may have raised funding post-April 2016 and are registered with DIPP will not have angel tax applicable to them.
  3. If you are a startup which has received income tax notices for years before 2016 and is still eligible to register as a startup, then please register yourself with DIPP. You can share the registration certificate and relevant notifications with the assessing income tax officer to get an exemption from angel tax.
  4. If you are a startup which has received income tax notices for years after 2016, then please repeat step 2 mentioned above and then appeal against the order. It is important that due process is followed so that the redressal measures taken by the tax authorities can come into effect.

These startups do not have to pay 20% of the tax order at the time of appeal as this has been a one-time exception granted till 31st March 2018 to avoid hurting the sentiments of the startup ecosystem. You can share the order with iSPIRT.

Also, pursuant to our meeting with MoF, we have been assured that the income tax officers in the various jurisdictions have been directed to exercise leniency on this till the new taxation regime for angel and venture capital investors comes into place, as announced by the Finance minister in his budget speech. The officers are aware of the hardships that startups now face and are doing their best to mitigate this within the ambit of the current law.

DIPP and MoF are also in the process of allowing a waiver to the earlier startups facing the angel tax issue, provided the investment made is under Rs 10 crores and subject to an Inter-Ministry board approving the same. This should happen in the next 5-10 days.

We will encourage all startups which have received notices and orders under Section 56 to follow the above steps to chart their way across the new announcements.  

Please forward your orders to [email protected] enabling us to use these orders to take a strategic view to policy to help with this issue in the long term.

Start up India.

Stand up India.

This post is co-authored by Nakul Saxena and Siddarth Pai, Policy Expert Council Members, iSPIRT Foundation

A Look Back At How Startup India Has Eased The Journey Of Startup And Investors

image1

It’s been two years since the fateful 2016 budget which recognised “Startups” as a separate breed of companies unto themselves, demanding bespoke treatment from the government and authorities. The clarity brought forth helped quell the nerves of both companies and investors, who had to otherwise resort to exotic exercises, supplementary structures, and platoons of professionals to keep their entrepreneurial dreams alive.

As we all await with bated breath for the slew of reforms expected of the Finance Minister, it behoves us to see how far we’ve come and how much further we need to proceed so that a billion dreams may become a reality.

This article is the first part of a two-part series which explores how Startup India has eased the friction in the Startup ecosystem so far, from an investor’s perspective with the second part talking about the next step of reforms which would have a multiplier effect on the ecosystem.

Flywheel of Funding

More often than not, any coverage about fundraising covers the journey of startups and entrepreneurs and the travails of raising their multimillion dollar rounds. But there exists another dimension to this story, that of fund managers raising their own funds. A large section of the investor community was elated that the government recognised this oft-ignored story and created the Rs 10,000 Cr (USD 1.5 billion) Fund of Funds managed by SIDBI which invests into SEBI registered AIFs and Venture Capital Funds.

This approach seeks to galvanise an ecosystem through a flywheel effect, instead of gardening it via direct intervention. The 10,000 Cr corpus can help seed AIFs worth Rs 60,000 Cr in India, which when fully deployed, is estimated to foment 18 lakh jobs and fund thousands of Indian startups. By contributing a maximum of 20% of the corpus of a fund, many fund managers can hasten they fundraise and concentrate more on helping their portfolio companies raise, instead of competing with them.

The Fund of Funds has invested into 88 AIFs so far, thus galvanising more than 5,600 Cr (USD 873 million) worth of investments into 472 Startups.

Bringing back tax breaks, not a back-breaking Tax

The Government’s support of Indian investors found its way into the Income Tax Act, with several measures to incentivise investments into the Indian Startup ecosystem, such as:

  • Insertion of Section 54 EE, which exempts Long-Term Capital Gains up to Rs 50 lakhs provided it has been invested in the units of a SEBI registered AIF
  • Insertion of section 54GB, which exempts Long-Term Capital Gains of up to Rs 50 lakhs provided it been invested into the shares of a Startup which qualifies for section 80IAC
  • Clarifying that the conversion of debentures or preference shares to equity shares will not be considered as a transfer and thus subject to capital gains at the point of conversion (the entire Venture Capital industry is based on convertible debentures and preference shares and this move has settled long-standing disputes regarding the instruments of investments)
  • Issuing a notification that the dreaded angel tax will not apply to shares issued at a premium to domestic investors by those startups who qualify under the DIPP scheme (although the scope of this needs to be extended to rid the spectre of angel tax that haunts various investors and entrepreneurs)
  • Clarifying that the stance of the assessee in categorising the sale of listed securities held for more than 1 year as Capital Gains or Income from Business can’t be questioned by the taxman
  • Changing the definition of a capital asset to include any securities held by a Foreign Portfolio Investor, thus removing the friction arising from asset classification (a similar provision is sorely needed for domestic hedge funds and Category III AIFs)

Capital without Borders

The Startup India scheme over the past few years has rolled out the red carpet to foreign investors while rolling back the red tape. The success of this is evidenced by the percentage of funding foreign capital represents in the Indian startup ecosystem, which is 9 times higher than domestic capital investment.

Some of the initiatives include:

  • Liberalising Foreign Direct Investment into most sectors including financial services, single brand retail, pharma, media and a host of other sectors up to 100% in most areas
  • Abolishment of the Foreign Investment Promotion Board
  • Relaxation of External Commercial Borrowings (ECBs) for Startups for up to USD 3 million
  • Allowing for issue of shares for non-cash consideration to non-residents under the automatic route
  • Marshalling foreign investment into Indian entities primarily for the purpose of investing in other Indian entities has been brought under the automatic route as opposed to the previous government approval route
  • Dismantling the approval mechanism for the transfer of securities by a Foreign Venture Capital fund to an Indian resident
  • Moving most of the filings (FCGPR, FCTRS, etc) to an online window managed by the RBI (ebiz.gov.in)

Well begun is half done

The government’s efforts to improve life for Startups in investors have begun to bear fruit in tangible ways as evidenced by the reduction in the number of companies seeking to have a Delaware entity with Indian operations. The recent leapfrog in the “Ease of Business” rankings also stands testament to this.

The Government must now seek to consolidate all these gains and clarify its stance and the stance of the tax department on long pending issues which have been a bane to all startups. While we have miles to go before we sleep, we must look back and take note of what we’ve achieved before we seek to scale greater heights.

This post has been authored by Siddarth Pai of 3one4 Capital

Build On IndiaStack – Venture Pitch Competition

Announcing ‘Venture Pitch Competition: #BuildOnIndiaStack’

Dalberg and iSPIRT invite applications from early-stage ventures that are tech-
based solutions leveraging the India Stack platform at the core of their business
model to bring financial or transactional services to the underserved in India.
Pitch to some of the leading investors and thinkers in the Indian start-up ecosystem,
including the Bharat Innovations Fund, Omidyar Network and Unitus Seed Fund.
Winners will spend an hour of 'Think Time' – a mentorship session with
technology evangelist Nandan Nilekani.

Who are we looking for?

We are open to all innovations that use the India Stack to unlock new business
models or reach previously underserved new customer segments across sectors
such as financial services, education, healthcare and others. Some core focus areas
for the competition may include digital lending and supporting activities, such as
alternative credit scoring; sector specific affordable digital finance services such as
health insurance or education loans; sector specific digital services such as skilling
and certification, property registration agreements, patient-centric healthcare
management; and SaaS platforms “as a service” that support the development of
other India Stack based innovations such as Digi-locker or e-sign providers.

 

Who is eligible?
All applicants should:
1. Meet the 3-point criteria: tech enabled, leveraging India Stack Platform and
serving the underservedBe

2. Be a part of two (minimum) to four (maximum) members team including the
founder of the companyBe early stage start-ups that have received only seed (or limited angel)

3. Be early stage start-ups that have received only seed (or limited angel)
funding, if at all

 
What is in it for you?
The investor group, comprising of Bharat Innovations Fund, Omidyar Network and
Unitus Seed Fund, is a network of investors and operators, entrepreneurs and
technologists, designers and engineers, academicians and policy makers, with the
singular mission to solve some of India’s toughest problems.

Through this event you have an opportunity to receive:

-Exclusive focus on tech innovations that leverage the India Stack platform
and have the potential to address the underservedFlexible

-Flexible, insight driven, funding of up to Rs. 8 lakhs for early stage, innovative
modelsStrategic

-Strategic business support, through their specialists to support investees in
their strategy and growthA chance to be a part of the India Stack ecosystem through partnerships,

-A chance to be a part of the India Stack ecosystem through partnerships,
pilots, workshops, conferences and network building exercises

Visit www.buildonindiastack.in and send your pitch now.

Innofest to Innonation

Evolving from a festival of innovation to a platform helping innovators to succeed…

Over the past 3 years, while volunteering for Innofest – the platform for hardware entrepreneurs – I realized two things:

  • Doing a hardware product in India is much tougher ….
  • … but there are several resources available across the country that can make it easier for hardware companies to succeed

What was needed is a way to connect those who need the assistance and advice to those who can help and are willing to help.

The goal of this group of 10-12 individuals who selflessly give their time in organising various initiatives and events under the Innofest umbrella is to make it easier for first-time entrepreneurs and to assist them in their journey. We deliberately chose to focus on startups and individuals who were using hardware and technology to solve meaningful problems. Because that is the most underserved section of the entrepreneurial eco-system.

The initial 2 years were invested in reaching out to hardware entrepreneurs and enablers who can assist them – maker spaces, companies, mentors, investors, etc., and bringing them together to interact with each other. As with many other sectors, in hardware led innovation too, resources were concentrated in 3-4 cities, while innovators were spread across the country. These innovators usually worked on their own, often spending time and energy and money on aspects that had already been solved by someone else. Getting together problem solvers and innovation enablers was a critical first step. And the community responded enthusiastically. Over 1800 innovators turned up at the inaugural in Bangalore. Since then we have taken the initiative to Hyderabad, Jaipur, Nagpur and other cities. In fact, Prathibha Sastry, the key volunteer driving Innofest took two ‘yatras’ – once driving from Bangalore to Delhi and once Bangalore to Assam – to find innovators in small towns and tier 2 cities across India.

What she unearthed was awe-inspiring – folks who were solving local problems with their frugal innovations. However, many of these enterprising folks did not consider themselves as entrepreneurs. For them, they were just using their ingenuity and creativity in addressing a problem that they or someone in their family or community faced. They were solving for Bharat. And that we feel is the real opportunity. To encourage these inspired, enterprising and creative problem solvers to get their innovations to solve problems at a much larger scale than they have currently envisaged. To help spread their innovations to places that can benefit from these innovations. I.e. find innovators and help them in their entrepreneurial journey.

To do that, it was important that we shift gears. And at Innofest, we have.

We now have extended the goals to not just curate and connect innovators and enablers, but to also undertake programs and initiatives that will increase the chances of success of these innovations. These include providing better access to resources like maker spaces, working with large corporates in helping drive their innovation programs, creating better access to capital and markets, creating a pool of mentors, etc.

Indeed, from being a festival or celebration of innovation, Innofest is now a platform for innovators to succeed in solving problems and making our country a better place. And hence, we have also taken the bold step to change our name from Innofest to Innonation, which means using innovation to improve the nation.

Whether you are an innovator, or want to volunteer, or a company that wants to support innovation or a co-working space or maker space, do connect with us at Innonation. We need a lot more people in making this volunteer-driven platform successful.

To get a ringside view of the innovation happening across India, join us at the flagship event in Bangalore on 26th August. If you are into solving a problem for Bharat, check the agenda to see what workshops and events are most relevant for you.

See you at Innonation. The country needs you to be there.

Prajakt Raut

Founder –  Applyifi