Tax payers - final call to reset your PE status


Tax payers were held to believe a PE was created only in certain circumstances given specific conditions in the treaty for agency activities, presence within a permitted threshold period, activities being considered auxiliary/preparatory, etc. This may however need a re-look and would now require a more holistic evaluation of business activities, which create a PE.

The need for cyber security

Sivarama Krishnan, Leader, Cyber Security, PwC India 

The digital playground has become a dangerous place to be.

Nation-states, hackers and organised crime syndicates are the cyber security villains that everybody loves to hate. Cyber espionage backed by a nation-state, or multibillion-dollar losses to an organisation due to cyberattacks—this is the stuff of front-page headlines. But while such events may make for eyeball-grabbing news, they’re a veritable nightmare for corporates.

There has been an unprecedented rise in cybercrime rates and associated security breaches. In 2014, the World Economic Forum rated cyberattacks among its top five risks in terms of likelihood, which is expected to increase more rapidly in the coming years, if the right security is not put in place.

Cyber security breaches

Cyber security breaches lead to global negative publicity for the victim firm, loss of shareholder value, reduced profits, and stolen product designs. They cost millions of dollars in breach-mitigation expenses. They impact innovation, service operations information and company strategies, and erode customer trust—which is indispensable to any business.

This year, overall financial losses as a result of cyber incidents increased by 135% over the previous year, which is a sharp rise. As security incidents grow in frequency, the costs of managing and mitigating breaches are also rising. For companies with revenue worth more than 1 billion USD, we have observed that in 2013, the average financial losses due to security incidents accounted for 3.9 million USD, whereas in 2014, the figure stood at 5.9 million USD. There has been a plethora of new-age cyberattacks, and the innovation in attack vectors is a major contributor to the ever-evolving threat landscape. As incidents continue to proliferate across the globe, it’s becoming clear that cyber risks will never be completely eliminated and will, from time to time, impact organisations.

Cyber security villains

The cyber security villains today are both external and internal to the organisation. However, we have observed a big shift from outsiders, comprising cyber terrorists, organised crime, hacktivists, competition and nation-states, to insiders, consisting of current employees, former employees, service providers, etc.

Statistically, insider crimes are more costly and damaging than incidents perpetrated by an outsider. As per the responses received to our GSISS 2016 survey, insiders caused nearly 15 security incidents for every 10 caused by outsiders in 2015. Yet, a majority of us are unprepared for such insider threats. They need to be tackled on multiple fronts by adopting a holistic, risk-based cross-functional security effectiveness approach, because the insiders know exactly where to look for the organisation’s most valuable information—its crown jewels, so to speak.

Board’s involvement

Despite the high-profile security breaches perpetrated by cyber villains last year, the board is often not involved in critical initiatives that determine the effectiveness of the security mechanisms against threats and risks. Statistically, less than 46% of the board understands the costs and benefits of cyber security programmes. The barrage of incidents over the past year has resulted in a lot of discussion about the board’s involvement in the security function. Yet, for all the chatter, organisations clearly have not elevated security to a board-level agenda for discussion. Effective security awareness will not only require adequate funding by the board, but also more involvement and commitment to security maturity.

An effective security programme mantra

Based on the GSISS survey, the top five security challenges faced by organisations are:

  • Encryption in storage and in transit (19.7%)

  • Identity theft and loss of individual information (19.2%)

  • Authentication (18.8%)

  • Identity and privileged access management (17.4%)

  • Monitoring of access and information use (16.9%)

The challenges arise mainly because many organisations today are largely unsure of what is the right amount of investment in the right mix of solutions for effective security management, and thus also of the return on investment on security. Organisations forgo the alignment of security strategy with business needs. Businesses should identify and invest in the right cyber security practices, ones that are the most relevant to today’s threat landscape, which is evolving every single day in terms of motives, resources and methods. It is the need of the hour to fund processes that integrate predictive, preventive, detective and incident response capabilities that minimise the impact of an attack.

Being resilient to threats requires individuals and organisations to be on their toes to identify/detect threats, and quickly mitigate them to minimise impact by having an effective security monitoring strategy. A right mix of people, practitioners, tools, processes and leadership involvement is the mantra for an effective security programme.

Where is the doorway out of the cyber maze?

We have observed that businesses that have effective security awareness management report significantly lower average financial losses from cyber security incidents. The trick is to understand the sophistication of cyberattacks, symptoms when under attack, right antidote and defence mechanism, time taken to contain the attack, right kind of investments, and so forth.

  • Do you want to experience the impact of a cyberattack in a simulated environment and see how it affects customer confidence and company revenue? 
  • Do you want to observe the benefits of, and return on investment on, cyber solutions in a simulated game environment? 
  • Are you aware of the different terms, forms of attack and defence solutions in the cyber sphere?

Ashish Bhugra, Manager, Cyber Security, contributed to this article. For more information on our Cyber Security services, you can reach him at

Understanding identity theft: An investigator’s perspective

Murali Talasila, Partner, Forensic Services, PwC India

Of all the imposters and identity thieves in history, Frank Abagnale Jr is probably the most famous. His life was portrayed in the biopic ‘Catch Me If You Can’, which demonstrates his deceptive antics in a humorous light, while showing the repercussions of this form of fraud. At a time when the only way to stay in touch was snail mail, and when dot matrix printers were considered high-tech, Frank demonstrated the ease with which he was able to impersonate bankers, attorneys, general physicians and even pilots. Without so much as a personal computer, he was able to successfully impersonate more than eight identities by forging cheques and confidence tricking.

Over time, this has only become simpler. With the advent of new technology and more people willing to relocate their data onto online platforms, it is easier for us to maintain long-distance relationships and make global purchases online. Unfortunately, though, this has also exposed our cyber weaknesses to fraudsters and pirates.

An identity can be stolen either by actually pilfering the documents that prove the victim’s background (credentials and qualifications), or by creating a cyber profile (of a person who is deceased, alive or fictitious) and assuming that persona as one’s own. The most common consequences of identity theft now include credit card fraud, employment fraud, and government documents and benefits fraud. These are primarily a result of cyber hacks, dumpster diving(s), shoulder surfing, and physical loss of portable items (handbags, mobile phones, laptops and so on).


Identity theft is not only meant to cause people financial loss, but also to harass them and commit a variety of other related offences. For high net worth individuals, identity theft usually leads back to someone personally known to the victim and with a vendetta against them. In the recent past, there’s been a spike in the number of people accessing the Dark Net with reportedly stolen identities. Therefore, to begin investigating a case of identity theft, it is important to establish the motive. This sets the course for the investigation by helping to understand to what lengths the perpetrator would have been willing to go to get what he was seeking.

From an investigator’s perspective, one of the most crucial pieces of information is the detailed and chronological account of the victim’s life and experiences. To get to this involves collecting the victim’s biographical details. Subsequently, the investigator visits the victim’s residential and office addresses and other frequently visited places, to ascertain vulnerabilities and draw up a list of suspects. The victim’s most frequented stores and ATMs are also vital, as is the CCTV footage, if any, from these places.

From evolved social engineering to skimming devices installed at points of sale (POS), it is a little-known fact that untapped investigative opportunity exists in seizing these POS terminals along with the more traditional electronic devices like computers, tablets, and mobile phones.

Circuit boards and microprocessors to which skimming devices are connected hold tremendous metadata, e.g. the manufacturer or fabricator’s logo imprinted on it, a serial number, or an order number. While the more tech-savvy criminal may use these circuit boards or trusted platform modules (TPMs) to store authentication credentials, the less experienced miscreant may leave DNA traces (even fingerprints, if we are lucky) on the circuit boards while forging the connections.

Further, these devices are built on microcontrollers that require firmware to be installed on them to capture and store data, which is later retrieved by the perpetrator. This firmware always has a digital signature and can be traced on the target machine. Although this will require access from the manufacturer of the target machine, data gathered from this can provide insights on timelines and access logs, which may be corroborated with security feeds and CCTV footage to help in locating a suspect. Additionally, trails of fund transfers during routing of money through dummy accounts before they reach the perpetrator (final beneficiary) play an important role in identifying digital footprints and geographical boundaries of the theft.

Section 66C of the Indian IT Act of 2000 (similar to section 1028A of title 18 of the United States Code, which deals with aggravated identity theft) speaks about identity theft thus: “Whoever, fraudulently or dishonestly, makes use of the electronic signature, password, or any other unique identification feature of any other person shall be punished with imprisonment.”

This clearly shows that no quantification of loss or harassment is required to warrant an arrest, but only clear-cut evidence of malpractice and misuse of another person’s identity.

However, although these investigations are predominantly considered open-ended time-wise, they usually follow one of two distinct paths, neither of which may lead to the immediate arrest of the accused. On one hand, victims may choose to block all their credit cards, social media accounts and bank accounts. This leads to a passive and retrospective investigation that runs the risk of giving the perpetrator a heads-up and allowing them time to disappear without a trace. On the other hand, all of the victim’s social media and bank accounts are left active and enabled, with the knowledge of the authorities, in the hope that they’d serve as a honeypot for the perpetrator, who’d eventually access any of them again. In such a case, tracers are set up to locate and detain the fraudster.

It is paramount that we, as people, employees, and individuals living in a digital age, understand the complications caused by not being proactive in keeping our identities protected. Safeguarding against larceny and similar vulnerabilities (e.g. by proactively setting up firewalls around our home and office networks) in addition to creating complex Wi-Fi Protected Access (WPA2) passkeys can go a long way. Moreover, shredding documents such as credit card statements and receipts is always a better way to dispose of documents than just throwing them away. Finally, always being wary of phishing scammers—no matter that one may seem paranoid—is vital.

With contributions from Sachin Yadav, Associate Director, Forensic Services, and Rahul Vallicha, Consultant, Forensic Services


Demystifying BEPS: BEPS at a glance


With BEPS, the global tax system is set to undergo a major shift. But do corporates really need to worry?

To keep you abreast of the latest developments, we have launched the digital BEPS video series. The series is a course of short videos, to be released over the next few weeks. Through these videos, experts will give you an overview of the key action items and their implications for doing business in India.

Technology-related frauds: What you need to know

Dhruv Chawla, Partner, Forensic Services, PwC India

Over the last few years, the battle between netizens and fraudsters has been getting progressively vigorous. With fraudsters becoming more brazen, the quantum of fraud loss in just public sector banks in India touched 1.69 billion USD (11,000 crore INR) between April and December 2014 (The Economic Times, 2015) and the number of cybercrime cases rose by over 350% from 2010–2013 (Hindustan Times, 2015).

What cautions do people need to take under the circumstances, and what exactly is causing these huge fraud losses? What is it about cyber frauds that is so alarming?

Credit/debit card data theft is one of the prime sources of financial fraud. It began with high-tech devices that could replicate data stored on the magnetic strip of credit/debit cards and reproduce the same onto a cloned card. Although this vulnerability was addressed with the release of ‘chip and PIN’ cards, e-wallets (such as Paytm and Citrus Pay) and near field communication enabled cards, fraudsters have evolved as well. They have become more sophisticated and innovative in the means they use to obtain sensitive/confidential information. Fake panels or skimmers that are installed at ATMs to gather card details and drone-based surveillance cameras hovering above ATM kiosks are among the common new cyber theft technologies.

Nigerian scams still account for the highest share of online scams in India. What prompts a person to believe he or she has been lucky enough to win 750,000 USD (4.8 crore INR) in a random international lottery in which he or she didn’t even participate? Scammers have started to develop more enticing sales pitches, luring us into paying them ‘service fees’ in order to facilitate the processing of our fantastic lottery winnings.

Phishing is the next most rampant form of fraud in India. Contemporary phishing via emails has advanced to a form of tele-phishing called vishing. People are coaxed into divulging their credit card details over the phone, mistakenly believing that caller ID protects them against malicious callers.

Content and software piracy is another common form of cyber fraud. In 2014, India made it to an International Piracy Watch List, highlighting the need for efforts to curb piracy in India (The Hindu, 2014). The value of unlicensed software (resulting in massive losses for American developers) being circulated soared to nearly 2.9 billion USD (18,000 crore INR) (BSA, 2014).

And these statistics are just the tip of the iceberg! If research is to be trusted, the imminent advancements in cybercrime are nothing short of terrifying!

Net extortion by anonymous groups, for example, has now become a common follow-up to intellectual property theft. Also known as cyber blackmail, in such cases, hackers threaten to expose intellectual property (e.g. the case of Sony Pictures Entertainment in November 2014) or private images/videos (e.g. the iCloud hack in August 2014 wherein data of high-profile celebrities was leaked) to the public unless certain demands (usually financial) are met. Denial of service attacks that cripple cyber systems seem passé in comparison with ransomware which encrypts intellectual property until ransoms are paid out.

Very recently, the ‘Amazon of insider trading’ was created to sell trade secrets and market-sensitive information to the highest bidders. Although there were no ransom demands from hackers who illicitly obtained this information, the ramifications for information security were immense and authorities were left mind-boggled (Sydney Morning Herald, 2015).

Further, with the surge in black hat hackers and dark web networks indulging in gambling, black market activity, drug trafficking, counterfeiting, and distribution of weapons and pornographic content, the social and economic ripples are enormous.

But what does this mean for netizens?

It is now essential for us to ‘think before typing’ and invest in perimeter protection (at an individual and corporate level). It is not only imperative for businesses and people to protect their assets (intellectual property and physical resources) but also to encrypt data to whatever extent possible. Periodic information security audits and near real-time threat and vulnerability monitoring are a good form of defence for big firms. Additionally, encrypted private cloud-based storage can be developed to promote off-site data housing.

The repercussions of being too trusting of online enchanters are too severe to ignore. Cyber fraud is now ubiquitous—laptops, tablets and mobile phones are all vulnerable. Although the propagation of bring your own device (BYOD) in firms across the world makes employees’ data as susceptible to cyber fraud as that of the employer, it indirectly provides an incentive to employees to safeguard against fraud. Needless to say, awareness is key.

With contributions from Sachin Yadav, Associate Director, Forensic Services, and Rahul Vallicha, Consultant, Forensic Services

Securities frauds: Recent trends

Rahul Sogani, Partner, Forensic Services, PwC India 

A recent press release by the US Securities Exchange Commission (SEC) revealed the value of unpublished price sensitive information in today’s world of securities. A group of hackers used to steal corporate information from newswire services and sell it to traders, at times even on a profit-sharing basis. One such trade, as quoted in the press release, helped them profit close to 0.5 million USD in a matter of just 36 minutes.

Now, imagine a situation where the information was not stolen but was available to the individual in the normal course of business, say, a CEO. If the CEO, knowing that the security prices may increase after the release of the results, were to buy the securities in anticipation of the increase and make profits, this is likely to be categorised as illegal in most countries worldwide, including India. In legal terms, this is called insider trading and is one of the most common types of securities frauds.

Simply put, insider trading means trading in certain security on the basis of unpublished, price sensitive information—that information which will materially impact the price of the security when published.

New insider trading regulations and their challenges

The Securities and Exchange Board of India (SEBI), through the recently notified regulations—SEBI (Prohibition of Insider Trading) Regulations, 2015—has significantly widened the definition of ‘insider’ to include even immediate relatives of professionals providing their services to the company in question in the last six months. It does, however, recognise the challenges it can face in the court of law as highlighted in the note to the definition of ‘connected person’ which states, ‘…such a presumption is a deeming legal fiction and is rebuttable.’

Trading data recently compiled for a single day shows an approximate turnover of 2,00,000 crore INR across all segments in NSE and BSE, a figure which is set to grow. On its part, SEBI has been constantly introducing enhancements through law and through their surveillance tools and investigation systems (the DWBIS system) to deal with the growing data and to identify the complex and innovative types of market malpractices.

There are various challenges that need to be tackled to effectively identify, prosecute and minimise instances of insider trading in India. A case in point is the US court’s decision to overturn a conviction based on two facts with regard to insider trading:

  • There was insufficient evidence to show that the company insider had received any personal benefit in exchange of the information he leaked.

  • It was also not clear whether the actual traders were trading on the information obtained from the company insider.

There is no doubt that SEBI is also going to face similar challenges when it tries to go through the legal tangles. To add to this, Indian complexities such as dabba trading, benami accounts and layering of exchange of information will make the investigations even more challenging. While SEBI may be able to enhance its analysis capabilities and upgrade its systems to identify and unravel complex trade patterns, trying to link these to an insider and establishing possession of information is going to be a tough nut to crack.

SEBI is still not allowed to use wiretaps, which have been crucial in exposing insider trading in other countries. While call detail records (CDRs) have been allowed, they only provide circumstantial evidence. With the evolving forms of communication hiding behind proxy servers, self-destructing chat apps and Fort Knox level encrypted communication apps, it is going to be an uphill task to establish a connection between the insider and the trader.

With contributions from Suresh Nayak, Associate Director, Forensic Services, and Prateek Surana, Manager, Forensic Services


Winds of change: FCPA in a new world

Gaganpreet Singh Puri, Partner, Forensic Services, PwC India

The dawn raids carried out by the Swiss authorities to arrest FIFA officials on corruption charges and the impending move to extradite them to the US signal the arrival of a new era. The way in which this extraordinary operation was conducted in Switzerland brings into focus the seriousness of the US Justice Department in enforcing anti-corruption laws and the emerging trend of international cooperation amongst regulators.

If one were to crystal gaze the actions of the US and Swiss authorities and put them in perspective, a couple of issues emerge and provide a glimpse into the future of enforcement around anti-corruption laws.

International cooperation

Such stringent actions, as seen in the FIFA case, are not decided overnight. They are based on strong leads and evidence collected by law enforcement and other agencies over long periods of time.

The fact that the arrests were made by authorities in Zurich in a case pertaining to a violation of US law implies that the evidence collected must have been detailed and convincing to a level that secured international cooperation. This also shows the meticulous planning and coordination which can only result from intensive government-to-government contact and seamless international cooperation. This clearly seems to be an evolving trend in the global fight against bribery and corruption.


The FIFA case shows that the US will continue to invest in identifying cases and develop leads when it sees unethical conduct related to the violation of the US law, even though the offences may be global in nature.

Many high profile cases reported in recent times are related to potential bribes made in foreign jurisdictions. These crimes were potentially agreed to and planned in the US and payments are carried out via US banks. This signals an important trend on how the US government views jurisdiction. The fact that the transaction may have a US footprint can trigger US anti-corruption laws.

Personal liberties

The history of enforcement of the Foreign Corrupt Practices Act of 1977 (FCPA) shows that bribery and corruption charges can and will be brought against individuals. Actions have been taken in the past not only against individuals directly involved in bribery but also against people charged with governance and control.

As seen in a number of cases, US regulators are not going to hesitate to charge individuals and enforce laws strictly when the situation demands action. Criminal charges have resulted in significant fines, penalties and jail terms in many cases, and some of these individuals are not US citizens. Clearly, a lot is at stake—personally and professionally—for individuals who can be charged with bribery and corruption.

Lessons for India

The US-Swiss cooperation in this endeavour signals the advent of an era where it will become even more important for Indian companies with a US footprint to be on the right track of US laws on anti-corruption. The fact that detentions or arrests are being made during the visits of executives abroad signifies the seriousness around enforcement.

In the light of what is happening in the global space today, Indian companies and nationals need to be extremely vigilant. The need of the hour is to not only have a state-of-the-art anti-bribery and anti-corruption compliance programme but also to undertake a comprehensive assessment of when and where obligations and liabilities under the FCPA get triggered and what needs to be done to effectively comply with them.

Excerpts of this blogpost were published in the Hindu Business Line article Penalty kick.

Building a better, more inclusive India


PwC’s Urban Child Project, in collaboration with Save the Children and its associated NGOs, is an attempt to make the voices of the marginalised urban poor heard. Children from Delhi, Mumbai, Pune and Srinagar have contributed to our report 'Forgotten voices: The world of urban children in India'.


The other side of the urban story


PwC’s Urban Child Project, in collaboration with Save the Children and its associated NGOs, is an attempt to make the voices of the marginalised urban poor heard. Children from Delhi, Mumbai, Pune and Srinagar have contributed to our report 'Forgotten voices: The world of urban children in India'.

The digital edge in retail

Sudipta Ghosh, Analytics Leader, PwC India

Retailing in Digital-Era

For the second year in a row, PwC India, in collaboration with the Retailers’ Association of India (RAI) launched a retail report on technological implementation titled Retailing in the digital era. It was launched at the Retail Technology Conclave on 18 June 2015 at the Renaissance Convention Centre, Mumbai.

For retail organisations, business challenges usually revolve around important questions such as, who are the most valuable customers and how can they be retained? How must offerings be priced in order to maximise profits? Which customers should be targeted during the next marketing campaign? Which products should be recommended to customers? What should the inventory level be in order for the business to neither go out-of-stock, nor have excess?

Retailers are under increasing pressure due to the ongoing economic uncertainty as well as greater competition and are required to be more responsive to the increasingly demanding customers, suppliers as well as other stakeholders. Our latest report discusses various analytical models that can help them improve business results, increase revenue, lower costs, and improve customer satisfaction while effectively enhancing performance at all levels. Experience and intuition as well as data and analytics need to not only co-exist, but reinforce each other.

The use of analytics has been highly disruptive across retail globally, affecting not only the revenue and cost structures but also shaking up core business and operating models. Our report explores the various analytics practices in retail, demonstrating their major applications through nine frequently used solutions across three different categories: customer experience, marketing and supply chain management.

Join the discussion on my blogpost on LinkedIn.

For detailed insights, please read our report: Retailing in the digital era

The opinions expressed in the blogs are personal.

