Security measures as tight as a bank's: Sheetal Kapur, Director Legal, Netflix on data security of financial information

Ashima Ohri: Ms Kapur, would you please share the treasured experiences of your glorious journey in law with us?

Well, what do I say about my journey? I think my journey is very much defined by the areas that I've been passionate about. I would say that I've been at the right place at the right time, so I've been lucky as well.

When I completed my law, actually I wanted to get into human rights, and taking that in mind, I've actually done my Master's in Public and International Law. However, being married into a corporate family, I decided to take my first job in India after I was born and brought up in Canada, and did go back there, credited myself as a lawyer there, worked with Fasken. But when I came back to India I started my career with Jyoti Sagar & Associates in their private equity and M&A team. I'm going to kind of divide my discussions into what learnings I got from each of my organizations.

When I joined JSA, which is completely different than what I thought with human rights, what I learned is it's good to be flexible and experiment to figure out what you want to do next and what you're good at. At Jyoti Sagar, being a part of the private equity and M&A team, I was a part of various different transactions, and also due diligence processes.

One thing that I learned there, while I was still a part of a lot of due diligence, was the eye for detail. It's very important to understand and have that eye for detail, in order for you to not miss out on the intricate parts.

The second was formatting your document in layman's language in order to ensure that your business partners and your clients understand what you're saying and what you're writing.

It was an amazing experience, but at the same time, coming from a business background, I felt I was always inclined to understand more. It was great to have the term sheet in front of me and draft an agreement, but there was somewhere that search for me to understand the business more and get into that aspect. And at that point in time, an opportunity came up with PayU Payments Private Limited. It is a payment aggregation company, and payments businesses at that stage were at a very nascent stage. There were not many payments lawyers, and the industry was also evolving at that time.

I think PayU has been one of my most enriching experiences. I think the first thing that I learned there was helping business understand the importance of compliance and legal, and at the same time building my own risk appetite. Coming as an external counsel, you tend to have a bit of a lower risk appetite than an in-house counsel does.

Because I started off as one of their first employees, we were still a part of the Ibibo Group.

I was a part of a demerger over there between the Ibibo Group and PayU, which became a separate entity. I bought many licenses for them, like the prepaid payment instrument license, a product bill payment, operating unit permissions, as well as acquired an NBFC.

But the most important thing, I think, was building the team, learning how to structure and build a team. I was meeting the legal regulatory compliance, but at the same time, I also was a part of a lot of business decisions, so I was a part of the key management team that made strategies for the company. I think reaching from where it started off as a manager at PayU to being their vice president and head of legal was a long journey, and I think I've met a lot of wonderful people who taught me the importance of business.

I think one of my strengths as a lawyer is not my legal knowledge. I think we all as lawyers have that deep knowledge, and some have a much better in-depth knowledge than I do, but it is the way I integrate that legal knowledge into business and technology that has worked for me. It became my niche of how I bring legal into business. What I learned over there is that legal individuals, especially in startups, are considered somewhat a roadblock in business and are not really involved in all decision-making processes, or were not at that point in time. So one of my major efforts was understanding the business, understanding the technology and talking to each individual in their own language. So if I'm talking to the CEO, who was a product guy, I will ensure that I am not explaining to him what he cannot do, or what laws would affect him, but I would go into more details of giving him a structure that may work for him. So I started becoming more of a product counsel. I would ensure that I'm involved in transactions from day one. We were looking at how to structure the products, so I would make presentations for him saying, hey, we can do this, we can structure it like this, and of course make those legal notes, if he wants to read them. So one of the most important things I learned was, in order to be a good in-house counsel, you need to know your business and your technology in and out, and you need to understand your stakeholders well. You also need to ensure that you are explaining to them in a language that they understand.

Being a tech lawyer, you need to ensure that there's a lot of innovation in your decision making.

For example, I developed a compliance system. I realized that when I call the compliance and made a report out of it, no one really bothered about it. So I worked with EY actually, and we developed a compliance system that was in the form of operating process notes. So each team was provided with their operating process notes, and we kind of integrated the compliances within the processes we need to follow. These weren't rigid processes that you need to do ABCD with checkmarks. It was basically a guiding note telling them how to do it. And it really helped, because the word compliance kind of freaks people away. I also made their KYC processes and other processes online.

It was amazing because I was involved in a lot of lobbying, as a part of the policy team as well.

So while I was at PayU, I was having a blast, and Google was looking out for counsel for their next billion user initiatives. For Google, they believe that the next billion users will come out of the Asian APAC market, and India was one of their major hubs for that.

It seemed like an amazing opportunity, as I was always keen to learn technology, and it was opening doors for me to one of the largest technology companies in India, and they were looking for a payments lawyer at that time, because they were going to launch GPay. And I joined Google. One of my largest projects there was the launch of GPay.

It was a really fun journey. I think it was interesting for me because I feel, being a part of a startup like PayU, you're doing everything and anything, you're not just a lawyer, and I think with the relationship I built with my stakeholders, the trust I built with them, I was doing much more than what a lawyer does. So I was involved in doing BD, was involved with banking relationships, was involved in structuring, literally sitting with banks and structuring our products for us next. And then I went to Google, which was a more structured organization where there's each defined team.

The good thing about the next billion-user initiatives was that it worked more like a startup. And when I went in, my first aim was again to ensure that trusted relationship with them and help them understand that I understand business and technology as well and can help them build the product in the right manner. So I was involved in the development of GPay from inception itself. While we were structuring out what we want to do next, what approvals we would require, thereafter I was a part of various approvals that we required, which was receiving the sanctioning from NPCI and RBI and also pushing for multi-bank consumer app. Google is not a bank, they are rather tech service provider to a bank. So having more than one bank on that app, there was no regulation in place. We were one of the first MNCs who received the UPI sanctioning, so it was great.

Along with that, I was their data privacy counsel as well for the regional counsel that worked very closely with the global team on those aspects. And we have done various other products, including YouTube subscription. I was having an amazing time there, but due to health reasons I wanted to take a small break.

However, my manager wanted to see how we can make this work where I don't have to work full time. So I joined them as a consultant and started envisioning opening my own small payments tech law firm. While I was consulting for them and taking care of myself, Netflix came up as an opportunity, and it was very exciting. I am a Bollywood buff.

And I thought when I joined payments, it was at that nascent stage where regulations were just being developed. And right now, OTT is at a similar place where they are.

There's a lot of limelight on OTT, but it's not, it doesn't have a structured legal regime.

So at Netflix actually, the teams are divided into two parts. There is one transaction and technology, the core legal team, which I lead, and then there's a content acquisition team which is separate. So what I take care of is the OTT platform: the business relationship, the technology, the product counselling and litigation aspect. I have a wonderful team doing great work.

Here I think some of the greatest things I did were: learning a brand new technology, learning new abbreviations which I had no clue about. I know the payment side of things really well, but understanding jargon of the OTT world was a lot of fun. I learned different types of technology and integration over there, and led some large partnerships. One that was recently launched was a large partnership with Jio.

We are still developing the process and have developed most of it: reoccurring payments, standing instructions for Netflix. As we all know, Netflix is a monthly subscription.

We do charge on a monthly basis, and therefore having a reoccurring payment streamlined was an essential part. So I got that on board. Then there are customers who want to switch between plans. So these are some aspects that I have worked on, and I have learnt a lot throughout all the areas that I've worked within Netflix.

Currently we are working on a few payments-related initiatives as well, where we are struggling with the way the regulator has defined a few things for merchants and trying to see what we can do best within that regime and help them also understand the merchant side of the story.

This is a brief summary of who I am. Again, a leader is nobody without their team, I think. I have been blessed to have great team members. What I have learnt over time in order to build a great team is that you need to ingrain that passion in them and need to understand what their strengths are, and need to play on their strengths to build on their passion, instead of discouraging them on what they're not good at. Of course, while you're building on their strengths, you're also focusing on how to build on their weaknesses, but if you encourage them by building on their strengths, they'll automatically become passionate about what they're doing and start building on their weaknesses, and that is something I've done. I've worked with amazing teams who are leaders, some of whom are leaders themselves right now, and that makes me very proud.

These are some of the learnings I've learned over the years.

Be humble. Keep learning. Never stop learning and never think you're too big for your shoes.

Ashima Ohri: Thank you so much for sharing this journey with us. Speaking on the payments side, when we go on any of these payment platforms, we share our card details. Now, there begins the concern for data privacy as well, because one is sharing so many details and financial information. How do you deal with this aspect, especially when both data privacy and OTT are not as regulated in a place like India?

So data privacy bill is still in place, the Information Technology Act does define it as sensitive personal data. Therefore, the consents are very much required, and the purpose for using the data. Now, these two may have not evolved, but RBI is evolving to the next level. So, for the security aspect, let me confirm that in order for a merchant to store card credentials on their web platform, they are required to be PCI DSS certified, and large merchants, including ourselves, are PCI DSS level one certified, which means we have equivalent numbers of security that any bank or scheme would have. Security for a merchant is as important as a banker. One of the reasons for that is the reputation harm. We are the face of the transaction when it comes to saving the data or the bank or the card scheme or otherwise, and therefore I think it means a lot to us to ensure that.

RBI is coming out with some stringent laws in this respect, where they said that merchants will not be able to store card on file. They've now also mentioned that payment aggregators cannot. This can be a huge direct disruption to the seamless flow that consumers are used to. While consumers may be worried about their data, they also are too lazy to go through a five-page transaction or to keep filling in their details every single time. So I think that balance is required to be made, and that's what we're trying to work on with different industry forums, and also hopefully get a chance to work with RBI on resolving how we can take a risk-based framework where we ensure the security of the transaction, but not disrupt the industry as a whole. So that is one of the things I'm working on right now, but rest assured your data is safe.
