We propose the addition of a new regulated entity within the AA framework, viz. the Virtual Data Room Provider (VDRP). In extension to this, we also propose new endpoint additions to the ReBIT API specifications and some miniscule enhancements to a couple of the existing AA endpoints. We have documented the proposed enhancements to data and encryption flows in the product guide on Notion, linked here.
We also propose guidelines around which regulatory and audit policies maybe formulated. We recommend (and have also implemented) a NO DATA PERSISTENCE POLICY and strict software controls around what kind of data can be returned in the output of the function execution. Knox implements and enforces a strict BOOLEAN ONLY JSON format for the output, thus ensuring no data leaks. This also in some ways solves the Data Governance problem statement to some extent because raw data is never revealed to the FIUs. Knox also ensures that the output of a function is TRANSIENT in nature.
When introduced as a new entity to the ecosystem, this will ensure trust, security, transparency and accountability by way of regulation and audits and enforcement of data persistence policies for VDRPs. This results in considerable benefits to both the FIUs and the Customers:
The primary challenge that we faced while trying to address the Virtual Data Room problem statement, essentially boiled down to the constraints of the existing framework. How can a Virtual Data Room Provider access FI data, without registering as an FIU? Restricting our solution to the existing framework meant making tradeoffs which raised several red flags in our eyes from a security point of view. FIUs cannot hand over their API Keys in a secure manner to third party middleware to fetch and process data for them. If the middleware organization is registered as an FIU, they would still be governed by the same data access and persistence policies that any other FIU would have to follow. This approach, although convenient, isn't elegant.
We solved this problem by proposing the introduction of a new regulated entity to the AA framework: the VDRP who are governed by a separate set of data policies. We spent a lot of time going over existing data and encryption flows and eventually came up with an enhanced architecture that seamlessly extends from the existing framework while making absolutely minimal changes to the existing API specs.