Benson, thank you for your response. I just found out you are one of the founders @ Coinsecure, apart from being a moderator here. That's very cool at some level.
I think voluntarily following some KYC norms is a great idea, and will proactively address money-laundering concerns authorities are naturally likely to have. It is definitely the sign of a mature approach. My initial queries are intended to understand exactly how mature our ecosystem's approach to these things is, and this is reassuring, thank you.
a - No one places these norms... We have used them as advised by our legal counsel.
b - We, like all other Bitcoin companies in India, are unregulated as of 2nd Jul 2015. However, we store all our customer information in an encrypted format on offline machines that never touch the net. We are very, very careful with personal information and how it is stored, as that sets the base for our business.
I am curious about this part. You accept them over the internet, yet store them on a server that does not touch the net? How exactly do you do that?
c - What operational tasks are you asking about? If you are asking about how we validate the details sent to us, then we have a partner who validates the same for us, for a fee. This company was advised by our 'prominent' banking partners. We will not be disclosing that at the moment.
By operational processes and controls I had in mind the following:
1) how do you validate the details you obtain? I can understand if you do not want to disclose your checking partner, but it is good to know you do some checks at this level.
2) After you store the data on your servers, who has access to the documents, and other personal / sensitive information?
3) What sort of security processes do you follow for your employees? Who has access to your encryption keys? Are they safe from a disgruntled ex-employee, for example?
This is the part I am most interested in, from the point of view of the security of my own personal information.
d - We have corporate banking partnerships and accounts with those 'prominent banks', which allow us to ensure AML compliance. These allow us to validate/cross-check information a lot faster than most other banks. We would not be able to get into any more details as of now. We will be announcing a few more banks shortly, though.
Do you know of any industry-wide standardised self-regulation? Perhaps overseen by NASSCOM, or some such?
I am curious about this part. You accept them over the internet, yet store them on a server that does not touch the net? How exactly do you do that?
Once they are received on a physical server, they are moved to an offline system. Nothing stays on the online servers. From the input to the time they are deleted, everything is done with as much security in mind as possible.
1) how do you validate the details you obtain? I can understand if you do not want to disclose your checking partner, but it is good to know you do some checks at this level.
Not much that I can answer about this at this point, apart from what has already been answered.
2) After you store the data on your servers, who has access to the documents, and other personal / sensitive information?
Our Banking & Compliance Team has access to the data they need to process verifications and withdrawals.
3) What sort of security processes do you follow for your employees? Who has access to your encryption keys? Are they safe from a disgruntled ex-employee, for example?
The directors of the company and I hold keys based on what functions we need them for.
Do you know of any industry-wide standardised self-regulation? Perhaps overseen by NASSCOM, or some such?
Not sure if Nasscom will oversee self-regulation, but I do know that they may be asked to join a think tank to help with the self-regulatory bits.