EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
How can CFOs address cybersecurity and data privacy challenges with tech?
In this episode of the CFO podcast brief, Chief Financial Officer of PayU India, Maneesh Goel, talks about employing technology to enhance data privacy and compliance goals.
Arpinder Singh
EY Global Markets and India Leader, Forensic & Integrity Services
Arpinder Singh, Global Markets and India Leader, Forensic & Integrity Services, EY, speaks to Maneesh Goel, CFO, PayU India on the changing role of CFOs in driving key business functions through shifting focus to digital transformation and adopting timely integration of technology.
Key takeaways
Managing risks takes more than technology; it starts with the culture. Every single employee in the company should realize the importance of the function they handle to the overall business, and act responsibly.
Automating processes is not enough. Organizations must ensure every process that is automated runs efficiently.
Compliance can be managed at team level, but it is imperative to track every single regulatory aspect centrally. A CFO's sign off assures stakeholders.
Transparency and reporting is extremely critical, not only to assure stakeholders but also to build a robust organization.
For your convenience, a full text transcript of this podcast is available on the link below:
Arpinder: Hi everybody, welcome to the CFO podcast brief. This is a conversation to discuss how a CFO has evolved post-pandemic and had to reimagine their approach to compliance. Also, their role in tech innovation to make compliance more efficient. Today, we are elated to have Mr. Maneesh Goel, the CFO who has been one of the leading change makers in financial technology. He has been working as the CFO of PayU for many years now.
Maneesh, thank you for joining us today.
Maneesh: Thank you, Arpinder. I look forward to this conversation. Thank you for having me.
Arpinder: So, Maneesh, to start with a quick warmup question, how has your role as a CFO evolved over the last few years? Has the pandemic brought about any changes in the role as you see it?
Maneesh: All right, let us talk about the role itself since that was how you introduced me too. It has been just about six years since I started here. I came in at a time when we were a small business and were experiencing a lot of changes in the organization. I think my role started with a focus on the basics—processes and controls, transaction, the acquisition that we had just done—moving on to taking a strategic direction towards the business. My role over the years evolved to support how we handled our growth, ventured into new areas, like docket credit, among many other things. Talking specifically about the pandemic as it struck, I think continuity of the business and dealing with uncertainty were some of the biggest challenges. But as we went into it, the focus changed to how do we manage costs, how do we manage cash, how do we ensure that the unforeseen is managed well, how do we prioritize the wellbeing of our employees. I think some of those things were really the key.
Arpinder: Thanks for that, Maneesh. Since we are talking of the pandemic, we understand that there is a worsening cybercrime situation staring us in the face, with emerging new-age risks. What does this mean for a company like yours, which is so dependent on FinTech? How does it figure prominently on your agenda? Obviously, there is a way of dealing with it reactively or maybe proactively.
Maneesh: That has been there. As you know, PayU is a large player in the FinTech space. We have brought our payment and transactions to upwards of $5 billion in a month, which obviously involves not only handling of money but data as well. It is huge data to manage and maintain.
In terms of risks, you will see all kinds of risks. There are merchants that are fraudulent, who are trying to do things which are unlawful, which we would not want to promote on our platform. And there are all kinds of attacks that fraudsters are always trying to make, just so that they could get access to a part of our business to make ends meet. I think we have the best technology in the market, so far as tools are concerned to manage some of these things of concern. But really, if you think about it, Arpinder, it is not just about technology or how we take external help. A large part of it—large internal part of it—is also cultural. So, every single employee in the company, be it product, business, or finance, must realize the importance of what they handle and how critical it is for us as a business. I think we depend on not just the technologies available. Some of the experts in the global team help us. We even go to hackers to see if they can find any loopholes in our databases and data centers just to ensure that all parts of the business are covered. So, it is a lot that goes into managing the risk for our business.
Arpinder: Thanks a lot for that, Maneesh. I think you are right. With the amount of data you process, cyber risks and hackers are a colossal risk. And obviously having hackers defend you also is the best strategy because if an insider is testing for it, then there is no better test in that scenario. Obviously, it is also the reason people have confidence in your platform while using it.
Coming to the next topic, which is connected to security, is data privacy. As mentioned, you have got a lot of data with you. Obviously in Europe now there is the GDPR and the US have their own data privacy regulations. India’s own Data Privacy Bill has not yet come out. But just how does an organization like you, with large operations still in India which still does not have a Bill, take this seriously from a data privacy perspective? And how prepared do you think you are for when a Bill is introduced and applied?
Maneesh: Because we are a global company and have a very large presence in the European markets, we did a lot of work right when the GDPR was introduced to ensure that we remain compliant not only in the regions where it applies, but elsewhere as well. So, whether or not the data privacy bill has been passed, we have been extremely sensitive about data management. Starting from access controls to anonymizing every single data field for whatever purposes we use it—whether it is risk management, approving transactions or anything like that—there are very strict rules that have been applied. No one in the organization can download the data. PayU, thankfully, has prepared itself much ahead and as the new Bill comes in, PayU will not have to do much of a rejig.
Arpinder: You are right, cybersecurity and data privacy seem to go hand-in-hand, and both are extremely critical in understanding the data you have. I think building controls around it is extremely essential. I hope our data privacy bill comes out soon because that will bring a lot more clarity to organizations operating out of India.
Coming back to the first question, when you talked about technology and the evolving role of the CFO, you told us how you have obviously been responsible for many acquisitions and integrations at PayU. You have helped most of your teams deal with digital transformation by using technology to make the lives of the finance teams more efficient, improve compliance, focus on automation. You spend a lot of time on the business side and operations side beyond just finance. Share your thoughts with a few instances of transformation without divulging too much confidential information.
Maneesh: Let me first talk about finance automation itself, because that is something that I do naturally, almost all the time. When I came to the PayU, we were barely automated in the way we would do accounting. Even though the business was small, it was still large enough to do accounting of the basic revenues and costs as we looked at how we operated. A couple of principles that we followed were that we must take many steps before launching a big project, really thinking about how every part of the business comes together. Otherwise, it is likely to fail. The second principle that I have always followed in every area of automation is that you have to ensure that you just do not automate as is but think about how you want the processes to run. You do not want garbage in, garbage out. You clearly want to make sure that everything when it gets automated operates in the most efficient manner. And I think that principle really goes beyond finance and applies in every other area as well. We never looked at only one application or ERP, say, for example, SAP solving all our problems. There are unique challenges that our business faces that are unique models that, you know, we think ACP or any other people that might come in to solve. Therefore, it is okay as long as it passes the test of our tech teams, our CTO and our security organizations, who look at solutions that can be integrated and are leading in the market. These are some of the examples that I can think of right now when it comes to trust in any area of our business.
Arpinder: I have seen finance organizations be at the forefront. I remember a lot of the big IT companies in India have been set up initially in trying to transform finance today.
Many years ago, compliance was not top of CFOs’ agenda because it was still a new concept in India. We believed in complying with laws but not so much compliance as a concept. Third-party risk management policies were still rudimentary unless you were a part of a big multinational which had global policies. So, it was very, very nascent. But today, when I speak to CFOs, things seem to have totally changed. CFOs now talk about compliance first then business. What are your thoughts on how has compliance evolved? How is it being made a bit more user-friendly? Because some people complain that you can do too much compliance, since it may curtail business.
Maneesh: Let me cover PayU first, which is going to be regulated very soon. We applied for a license more than a year ago, and ever since that journey started, we knew that this changed regime will mean a complete shift from how we have been running our business to how it is going to be now. How do I look at compliance? Every single person—be it the board, stakeholders, or the larger organization—are looking at it as a single person or a single team, which ensures that we do not leave out anything that is critical. And that makes the role even more important for me now, in terms of how we do it. I think from a process standpoint, large parts of compliance are actually managed by individual teams that are owners of a particular process. But centrally we have a tool that allows us to track every single aspect of any regulatory filing or anything that is applicable to our business. Some members of the team are continuously tracking to ensure that we do not leave out anything. Eventually, it is the CFO who signs off, which brings a lot of assurance to the stakeholders.
Arpinder: So, coming back to maintaining transparency, one of the things I see with CFOs and boards and their interactions is how much to disclose, when to disclose, the transparency. That is the most important part of focused sound governance. Some companies walk the tightrope between reporting noncompliance and assuring stakeholders. Sometimes you have to make a subjective call as the CFO of what is material and what is not. So how do you walk the tightrope between compliance, transparency, and business?
Maneesh: Let us start with small items. As we are trying to build an organization that is compliant, able to deal with risks, and do business in the right way, I think reporting becomes extremely critical and that starts with the smallest of things. It is not critical whether we take every issue to the highest body that there is—whether it is the internal board or external regulatory body.
I think what is important is that we ensure that every single incident is first reported and then any action that emanates from that, whether corrective or in terms of fixing the issue and doing training, is taken. I think that is critical. Now, if we build that culture, I think it helps in two ways—it brings the right culture to the organization so that people know what to do. They become aware that anything that they are not supposed to be doing will get reported, and that there will be consequences. This way you build a stronger organization culturally. At the same time, it also brings a lot of assurance to internal stakeholders—be it the board, or the shareholders. So, whenever we need to know, we will know. And that, to me, is extremely critical. And if you take that forward to any regulatory body or even the market for that matter, I think the same principle will apply. So, to me, it appears that transparency and reporting are extremely critical to not only assure your stakeholders but also to build a robust organization.
Arpinder: I fully agree with the point you made on transparency. In fact, I think key to guiding my clients is that consultation and transparency are extremely important because every problem is not just your problem. And there is always someone globally or in India who can give you guidance, and support. So, I think your point on transparency and consultation is just such an easy tool to have if you are open to using it.
Maneesh: And I look at management teams. When we run large businesses, we do not build this culture. We all know what is happening in the organization and then we will be caught off guard. So, from that standpoint also, I would put very high importance on it.
Arpinder: Fully agree on that with you, Maneesh. Lastly, there are a lot of newspaper articles around the great resignation and moonlighting proxy interviews. You hear it happen more in the tech space than the non-tech space. I know you also hired a large number of people in India, especially in the technology space. How do you deal with this from a governance perspective? How do you keep more employees motivated? Does it work better if you hire young talent? Please share your thoughts on this as a whole. Though it is happening more from an employee perspective, it also borders on compliance.
Maneesh: I think both are very different from each other. While they could be seen as one because they relate to the talent that we have. So, let me quickly cover great resignation. So, you have effectively three legal entities or three lines of business in India. And I can tell you, Arpinder, that we saw very different levels of attrition in all three different businesses because of the way those businesses are in terms of maturity, growth, engagement, and so on and so forth. So, a business that was really in its early stage and had much lower attrition. So, to me, I think great resignation was more culturally mature than about loyalty factors. If you build a culture, it means that people have something to look forward to, something that they could feel engaged about, then you will not be affected as much. Moonlighting, whether somebody likes it or not, it is there. And I think it is going to stay. I may not be an expert. I may not know a lot about it, but I truly believe that there is an opportunity for the organization to even benefit from it. I am not talking about loyalty percent, but if we create very, very well-spaced-out frameworks where employees know what they are supposed to do and what they are not while pursuing any opportunity outside of the work that they do as part of the employment contract, it will just allow them to explore and learn. You are also getting the returns in the form of somebody who actually will learn something on the job and might even use it for what they do on a day-to-day basis. So really, you are not getting, you know, any impact in a negative way, but at the same time, you know, you as an organization might just benefit. Arpinder, I will be very keen to know how you look at it really, because you interact with much more clients and companies than I do.
Arpinder: I kind of agree with every point you said. Moonlighting is there. It has become quite prominent, especially in the last two years with the pandemic, where work from home has become a culture. Now everyone is actually changed the way of working where it is now hybrid with bosses coming back to office, with COVID-19 receding a bit. So, my view on this is that companies have to be clear on their policies. I think the problem happens when the policies are not clear. And I think companies have to also decide because everyone has come out saying that the manager or the compliance team has to approve. I think that is a bit tricky, you know, because everything is then so subjective. So, I think companies will struggle through this over the next few years. You cannot stop a person having a side business. You know, let us say they want a restaurant, or they want to do something, which is their passion like become a musician on the side. I think you cannot stop that. You have to encourage people. And, as you correctly said, some people may just want to do more with the knowledge they have if they are coders or they are technology people, as long as it does not leverage their confidential information. So maybe they do not work for a competitor. I think companies will have to work out policies and rules which are very clear and well-defined, because if you do not have them clear and well-defined, I think it will lead to further chaos because you would not know whether this is correct or not correct. So, I think it is something to look into. I think all organizations will have to learn to live with it and build processes around it. I think it is good from an entrepreneurial perspective. I think the more we, you know, encourage people to think differently, I think hopefully we will have a lot more business and business development within the country. So, you are right, I think time will tell us. But there is a lot of changes happening in India. And I think, Maneesh, your company obviously is at the forefront of this. So, thanks a lot for spending time with me today. I think it was very interesting and we look forward to hearing you more in these podcasts in the future.
Maneesh: Thank you so much. I actually enjoyed the whole process and it also led to learning from you and your experiences.
Arpinder: Thank you so much. Thanks a lot.
Maneesh: Thank you Arpinder, bye.
If you would like to listen to our podcasts on the go:
EY forensic team of 4,000+ helps investigate misconduct, manage risk & respond to financial crime through global forensic integrity & transaction support.
EY uses AI-driven tech to tackle employment fraud and strengthen background check processes, helping companies hire confidently and reduce hiring risks.
Discover how 'moonlighting' - holding one or more jobs during regular employment has started surfacing. Learn more about how companies can curb moonlighting.
Discover how evaluating risks stemming from hybrid work environments can help companies accelerate business transformation and deliver long-term value. Learn more about challenges of the hybrid work model.
