Taxmann Blog

[World Tax News] UAE Releases Guide on Filing of Corporate Tax Return and More
Sat, 16 Nov 2024 12:17:59 +0000
https://www.taxmann.com/post/blog/world-tax-news-uae-releases-guide-on-filing-of-corporate-tax-return-and-more


Editorial Team – [2024] 168 taxmann.com 310 (Article)

World Tax News provides a weekly snippet of tax news from around the globe. Here is a glimpse of the tax happenings in the world this week.

1. UAE releases guide on filing of Corporate Tax Return

A Taxable Person is required to submit a Tax Return and pay any Corporate Tax due to the FTA within 9 months of the end of its Tax Period. In this respect, the UAE Federal Tax Authority has published a corporate tax guide on furnishing tax returns.

This guide provides general guidance on filing and completing a Corporate Tax Return. It provides readers with an overview of the information to provide in response to each field in the Tax Return in the order in which they normally appear. However, this guide does not provide detailed technical guidance on implementing corporate tax laws.

This guide should be read by any Person required to file a Tax Return for a relevant Tax Period. This guide provides a detailed analysis of the different schedules contained under the Tax Return. It allows a Taxable Person to report their Taxable Income, including any relevant adjustments, such as exemptions and reliefs claimed. The parts of the Tax Return include:

  • Part A – Taxable Person information
  • Part B – Elections
  • Part C – Accounting Schedule
  • Part D – Accounting Adjustments and Exempt Income
  • Part E – Reliefs
  • Part F – Other Adjustments
  • Part G – Tax Liability and Tax Credits
  • Part H – Review and Declaration
  • Part I – Schedules

Source: Corporate Tax Guide on Tax Return

2. UAE offers grace period to taxpayers for updating tax registration information

The Federal Tax Authority (FTA) announced that a new Decision has been issued to support businesses in efficiently meeting their tax obligations, offering a grace period for tax registrants who have fallen behind on updating their tax records for the period from 1 January 2024 until 31 March 2025. The initiative allows violators to make the necessary adjustments and avoid incurring the administrative penalties associated with failure to inform the FTA of any cases that require modifying their tax records.

The Decision on granting a grace period for administrative penalties for registrants who have failed to update their tax record information was issued by the Cabinet; it stipulates that in the event that penalties were imposed on registrants for failing to update their records in time and the registrants in question already paid said penalties in the period from 1 January 2024 until the deadline set for the grace period, then the penalties will be refunded.

The initiative aims to encourage registrants to update their tax records within 20 working days of any change in the information registered in the FTA systems. This includes the name, address, email, activity listed in the commercial license, legal form, partnership agreement for joint ventures, and articles of association, along with any changes in the nature of the registrant’s business or address from which they conduct any business activities.

The FTA Director General urged registered taxpayers to take advantage of the benefits the new Decision provides, which reduce the tax burden on business sectors, enhance their contribution to national economic growth, encourage taxpayers to meet their obligations and boost the UAE’s competitiveness in the business sector.

Source: Announcement by Federal Tax Authority

Introduction to Information Security | Strategies for Data Protection and Risk Management
Sat, 16 Nov 2024 12:16:53 +0000
https://www.taxmann.com/post/blog/introduction-to-information-security


Information Security, often referred to as InfoSec, involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The aim is to ensure the confidentiality, integrity, and availability of data. It spans various practices and technologies designed to protect digital and non-digital information. This includes employing cybersecurity measures to defend against cyber threats and attacks, physical security measures to protect physical computer systems and related hardware, and administrative controls to establish the framework and procedures for data handling and protection.

Check out IIBF X Taxmann's IT Security, which provides an in-depth analysis of IT security tailored specifically for the banking sector. The key features include a thorough understanding of foundational principles like confidentiality, integrity, and availability and practical guidance on implementing robust security controls for hardware, software, and network systems. It also addresses modern cybersecurity challenges such as malware, data breaches, and incident management, providing strategies to mitigate risks and ensure business continuity. Additionally, the book emphasises regulatory compliance, covering standards set by RBI, SEBI, and TRAI, along with detailed audit methodologies.

Table of Contents

  1. Introduction
  2. Data and Information
  3. Information Classification
  4. Need to Know
  5. Information Security
  6. Other Applicable Attributes of Information Security
  7. Physical Security
  8. Logical Security

1. Introduction

In common parlance, the words ‘data’ and ‘information’ are used interchangeably, though technically, there is a subtle distinction between the two. What we input into a computer is referred to as data, and what the computer stores is also data. Our software programs and other utility software provide the information we need as output after processing the stored data. Therefore, data is typically considered the raw form of information, which requires processing to be used in a particular desired manner. In other words, processed data is generally referred to as information.

The Indian Information Technology Act, 2000 (IT Act, 2000) defines data as:

‘A representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer’. [Section 2(o)]

Though data is considered to be the first stage of information, sometimes the output or a piece of stored information or a print-out can also be called data. Therefore, it is quite clear that data does not necessarily mean the numbers and characters stored in the system but in a broader sense it refers to all that is stored in whichever form like music files, audio files, video files or in any internal medium like a hard-disk, a memory chip in the computer or an external medium like floppy, CD, DVD, Pen-drive etc.

The word ‘processing’ assumes significance when distinguishing data from information. Processed data is normally called information. Information is the data presented in the format required for use or other forms of analysis as part of Management Information System. In a computerised environment, information also includes all forms of data, in any format stored in the system, like audio files, video files, information in a network device, information while in transmission or stored in an external device.


2. Data and Information

Though technically there is only a thin layer of distinction between data and information, as explained above, in this article the word ‘information’ is used to refer to processed data. As far as storage in a computerized information system and security ramifications are concerned, the word ‘information’ also includes ‘data’ unless otherwise specifically excluded in the context. The I.T. Amendment Act, 2008 has widened the definition of ‘information’ by including the words ‘data’, ‘message’ and ‘text’ within its ambit, and the word ‘information’ is given an inclusive definition by bringing in ‘image, sound, voice, codes, computer programmes, software and databases’ as part of the definition.

2.1 Information Asset

Before we go into the subject of Information Security, it is better to know what to secure. Information Asset is the computer component where information is stored or passes through and the loss or non-availability of which may result in loss of facts of a business. Hence it can be a hardware gadget or software where information lies. It could be a network device, a hard-disk, a storage device, a pen-drive or a print-out, or just a communication channel where information traverses and is not stored. Securing the information asset is the first step in Information Security. Threats to information assets could be from

  • outside as an external factor or event or
  • human failures or
  • systemic failures or
  • just from factors beyond the control of an organisation.

Identification of an Information Asset is the preliminary and basic task before going ahead with the study of Information Security.

After identifying what exactly constitutes an information asset, we have to identify the parties or entities associated with an information asset. Every information asset has three persons associated with it: Owner, Custodian and User.

Owner of an information asset is the person or entity who has created or acquired the asset or who is legally the owner of the asset. For instance, in a typical bank set-up, the branch In-charge has the overall responsibility of all the physical records and ledgers in a bank and hence he is the owner. In a computerized set-up the branch manager is the owner of entire data relating to his branch. Of course, in the modern day Core Banking Solution adopted by all commercial banks in India and most of the co-operative banks, the issue of ownership of data is a little tricky. It is interesting to record here that even amongst many tech savvy bank officers, there seems to be a lack of clarity on who is the owner of CBS data.

With the obliteration of the concept of branch banking (i.e., no bank branch holds data), many bank officials appear to be under a misconceived notion that the data centre or the IT Department is the owner of the data. In CBS, there is a common database maintained at the Primary Data Centre (the primary data centre has the first level back-up and a secondary data centre also referred to as a Disaster Recovery Centre has the next level of backup) and the ownership is anyway with the person who created the data.

To put it in simple terms, unlike in the earlier non-computerised or partially computerized days, when the ledgers and registers were kept at the branch and the branch had a (perhaps comfortable) feeling that the data was with it and all was under control in the premises, now in the CBS set-up, the data is actually kept thousands of miles away but the ownership of the data still vests with the branch.

It would be wiser to understand that the entire branch data is not just one lot (like segmented or bifurcated branch data or register) but is a part of the whole data of Current Account, Customer data, Loans ledger, etc., out of which every row in the data or the table (i.e., a record in the file) may have a different owner depending upon who actually input that particular row (i.e., record) in the RDBMS (Relational Database Management System). The database mandatorily stores the user id of the official who has input the data record (i.e., row) and, in most cases, also that of the one who has verified or approved it. Therefore, ownership of the data vests with these officials, who may sometimes not even belong to the branch where the customer has the account.

This situation is quite understandable especially in the context of CBS, where the branch concept is declining and there is going to be no longer a ‘branch customer’ and only a ‘bank customer’. Perhaps in the upcoming days, customer may not even need to fill in the branch column (in an application form or in a credit challan/requisition slip) which could be left blank or just filled in as ‘virtual’ or ‘digital’. In short, the question of ownership of CBS data is often considered to be intricate.

Custodian of the information asset is the person who takes care of the database. Normally the system administrators are the custodians, since they are responsible for maintaining the external media when they take backup of the systems and when they keep safe custody of the backup tapes or DVDs or other media. Sometimes, such administrators also handle some transactions and are given limited powers to access and input some data in the database when they perform the role of users besides being the system administrators or custodians.

Typically, all bank employees who have access to an information asset are users. Interestingly, even non-employees can be users of a bank’s computer resources or an information asset in a bank in instances such as auditors who have access to a limited menu in a CBS system for viewing or a vendor who has a very limited access to the hardware resource or system related information in the bank.

Even internet banking customers for the time they are logged into a bank’s computer system and customers using the terminals provided at branches for viewing their accounts, are all users for the respective areas of operation within the limited access control privileges assigned to them. Hence in that capacity they are responsible for the resources they are utilizing and are bound by the rules and regulations of the bank like Information Systems Security Policy and other related policies.

3. Information Classification

Having studied what constitutes information and the role of different entities in an information asset, let us now study the nature and importance of information classification. We have to secure only that information that is needed to be kept and preserved. Hence, information is to be properly identified and classified.

Information Asset Classification is itself a very important ingredient of IT Security, because, it is at the stage of Asset Classification that an asset is given the importance and categorization that would impact its treatment as an asset. Standards such as ISO 27000 emphasise the importance of Asset Classification and it often becomes one of the early steps in the process of preparation for ISMS certification. Lack of classification or inadequate classification or improper classification will largely impact the IT security environment in the organization.

In practice, it is often observed that in most of the organizations, employees are not aware and in many cases even those at top management level especially the non-IT managers are not aware of the importance of any information. It has become quite common in organizations these days to send a mail to a select group in the top management and when one of the managerial personnel in the group wants a part of the information to be passed on to a lower level employee, he may at times simply forward the mail, without passing on the relevant and smaller part of the action point in the mail, without knowing the seriousness of the other information contained in the mail and the classification of such information.

For instance, a level ‘C’ employee in top management or a Director level employee who will be privy to some discussion or minutes of a particular meeting, should not pass on the minutes to his lower level employee even though that part of the minutes warrants some action to be taken by the employee who reports to him. Instead he has to give suitable instructions only without enclosing the entire minutes of the meeting.

Here, it should always be kept in mind that it is the information owner who does the information classification and decides the criticality or confidentiality of the information, and not the other stakeholders. Although a wider perspective will be drafted, through the information security policy or other broader rules in this regard, by the Information Security Committee represented by the Chief Information Security Officer, it is the owner who does the classification and decides the amount of criticality that the information or data should be treated with.

Information may be classified based on its Criticality, Confidentiality, Availability and Purpose:

  • Criticality: information may be classified as Most Critical, Critical and Least Critical or Insignificant. What is available in the public domain, what can be recreated easily and what is quite easy to get may be called least critical and that which is more difficult, on these parameters, is called Critical and Most Critical.
  • Confidentiality: information may be classified as Most Confidential or Private, Confidential and Least or simply as High, Medium and Low. Here again, what is confidential to one group of users may not be confidential to the other group. For instance, the HR data of an organisation’s employees may be treated as confidential to all employees but not within the HR department who need the data for their routine processing like salary, leave etc. Some information may be private to one individual and confidential to that particular employee alone and never to be revealed to anyone else. Confidentiality itself may again be classified as High, Medium and Low depending upon the nature of secrecy involved in it. Some information may be confidential based on time. For instance, exam results or any public information will be confidential only until the time of its official release or official uploading in the website for public viewing and not later. Such time-dependent secrecy, however, has also to be classified and treated with utmost confidence till it is made public.
  • Availability: Information may also be classified on the basis of its availability depending upon the nature it is stored. If the information is available in only one source and no further copy is available nor can be taken, then such information should be classified as topmost critical. For instance, an old document, an old video film or the negative of an old photo taken in a public function for which copies are not available is supposed to be classified as topmost critical.
  • Purpose: Depending upon the purpose for which the information is being gathered, it may be classified as Highly Critical, Medium or Low. If a crucial MIS decision is to be taken based on data obtained from different sources or from different systems, then the data may be available freely, but the report or the information so processed or presented or the note being prepared based on the data gains confidentiality. Such information may have to be treated as High, Medium or Low depending upon the nature of confidentiality vested with it and the information presented by it.

4. Need to Know

Information should always be made available on a need to know basis. Availability of information should be on the basis of need and not as a matter of routine. For instance, information taken from a data warehousing application may be made available to the actual users or the functional users depending upon their need to use the information as part of their routine official work. Top management, however, should have free access to a variety of information for its MIS purposes.

A need to know basis actually implies that employees in the organization are provided with the particular information and facts which are required to enable them to perform their role in the organization, and that the information or fact is provided at the appropriate time and circumstances only and not otherwise.

Hence, the Need to Know basis encompasses other basic principles of information security like Access Control, Access privileges, Availability, Authentication etc., which we will discuss in the following paragraphs.

Information classification should be made on a Need to Know basis, right at the point of creation of the information, and such classification should be maintained until the information reaches the archives and loses the significance of the labelling or categorisation marked on it. Issues relating to Software Access Control and the availability of information on a Need to Know basis for a particular class of users are dealt with separately in the chapter on Access Control.
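
The need-to-know rule of this section, combined with the owner-driven and time-dependent classification of section 3, can be expressed as a small access decision. This is an added example, not code from the article or the book; the `clearance` attribute, the department names and the user ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Level(IntEnum):
    """Confidentiality levels as used in section 3 (High, Medium, Low)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                       # user id of the information owner
    level: Level                     # classification decided by the owner
    need_to_know: FrozenSet[str]     # departments whose routine work needs it
    public_from: Optional[datetime] = None  # time-dependent secrecy ends here


@dataclass(frozen=True)
class User:
    user_id: str
    department: str
    clearance: Level                 # assumption: highest level the user may handle


def can_read(user: User, asset: Asset, now: datetime) -> Tuple[bool, str]:
    """Decide access on need, not rank; returns (allowed, reason)."""
    if asset.public_from is not None and now >= asset.public_from:
        return True, "officially released"
    if user.user_id == asset.owner:
        return True, "owner"
    if user.department not in asset.need_to_know:
        return False, "no need to know"      # seniority alone is not enough
    if user.clearance < asset.level:
        return False, "clearance below classification"
    return True, "need to know"


def reclassify(actor: User, asset: Asset, new_level: Level) -> Asset:
    """Only the information owner may change the classification."""
    if actor.user_id != asset.owner:
        raise PermissionError(f"{actor.user_id} is not the owner of {asset.name}")
    return replace(asset, level=new_level)


# Constructed sample data (not taken from any real system).
HR_HEAD = User("hr001", "HR", Level.HIGH)
HR_CLERK = User("hr014", "HR", Level.MEDIUM)
BRANCH_MANAGER = User("bm007", "Branch Operations", Level.HIGH)

SALARY = Asset("salary register", owner="hr001", level=Level.MEDIUM,
               need_to_know=frozenset({"HR"}))
RELEASE = datetime(2024, 12, 1, 10, 0, tzinfo=timezone.utc)
RESULTS = Asset("exam results", owner="ex001", level=Level.HIGH,
                need_to_know=frozenset({"Examinations"}), public_from=RELEASE)

if __name__ == "__main__":
    before = datetime(2024, 11, 30, 10, 0, tzinfo=timezone.utc)
    for user, asset, when in [(HR_CLERK, SALARY, before),
                              (BRANCH_MANAGER, SALARY, before),
                              (BRANCH_MANAGER, RESULTS, before),
                              (BRANCH_MANAGER, RESULTS, RELEASE)]:
        print(user.user_id, asset.name, when.isoformat(), can_read(user, asset, when))
```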

5. Information Security

After having studied what constitutes information and the nature of criticality and confidentiality, let us now examine the concept of security.

Security is the state of being protected from attacks and threats and other unauthorized access to information. To understand security, we have to look at what needs to be secured, from whom, when and where. An objective study into these aspects will reveal the entire structure of Information Security. Information Security can be broadly said to be the quality or state of being protected from unauthorized access and potential losses. Security is basically about protection of information assets. While it is generally understood that hundred percent security cannot be achieved, effort should always be in place to achieve the idealistic goal of cent percent.

5.1 Pillars of Information Security

Information security typically relies on several fundamental principles called pillars. Information is widely considered to have three main attributes. Information security lies fundamentally in ensuring these qualities without compromising any of these. The three such pillars of Information Security are Confidentiality, Integrity and Availability.

5.2 Confidentiality

Confidentiality, as in normal parlance, is the quality of secrecy in information. Security and secrecy have always been closely related. Though the terms privacy and secrecy are also used to denote confidentiality, there is a technological difference between these two terms on one hand and confidentiality on the other. While privacy is considered to be the protection of personal data, the term secrecy is normally used to denote protection of data belonging to an organisation. Confidentiality, by contrast, is the state of keeping an information asset secret and disclosing it to authorised persons only. It is an assurance that the information is shared only among authorised persons or organisations.

Confidentiality does not only mean hiding an information but also not making it available for viewing or copying or any other kind of access whatsoever other than through an authorised process. Confidentiality of information asset is a dynamic concept and not static. What is confidential today may cease to be so tomorrow. What is confidential for one group of employees in an organisation may not be so for the other. However, confidentiality as an attribute of information security depends on the classification of the asset as decided by the owner of the asset.

5.3 Integrity

Integrity refers to detection and correction of modification including an intentional modification or a transmission error which has changed the data in transmission. Integrity controls in data give an assurance to the user that the data stored and retrieved is authentic and can be relied upon completely and is adequately accurate for the purpose it is used. Such controls also assure the user that the data stored cannot be altered other than through an authorised process of data entry and such other access to database.

Data should be maintained in the same manner as it was created and should not be accessible in an unauthorized manner for any kind of manipulation. No one should be allowed to tamper with the data or information from the time of its creation until the time of its ultimate destruction, and it should remain the same throughout its entire life-cycle. Integrity is this ‘non-tamperability’ of data, or the state of an information asset remaining exactly in the state it is supposed to be in. If an information asset is prone to tampering, or is stored in a system which is vulnerable and easy to access and manipulate without authorisation, then the asset is said to fail its attribute of integrity. In other words, data integrity is said to exist when the data in the system is the same as in the source and has not been exposed to accidental or deliberate attempts at destruction or alteration.

Integrity of information should be maintained not only in the computer system with proper controls, but also when it is in transit in a communication channel from one system to another and is stored elsewhere and retrieved. Integrity should be maintained on any number of retrievals and accesses to the system and not be hampered by any amount of attacks to the system. Consistency of data at different levels is often considered to be synonymous with data integrity.

5.4 Availability

On the face of it, availability may appear to be a simple term. But availability actually means that the information asset is available to the authorized user in an authentic manner when required and not available to any other users at any point of time. For instance, a bank official advising the account balance in a customer’s account at the bank counter is an example of availability. The same official not informing the customer his account balance or advising the balance through a letter sent to him which may reach him at a later date only, is a breach of the attribute of availability. Hence availability can be said to be the property of an information asset of being accessible and usable when required by an authorized entity.

Ensuring availability of data has always been a serious concern of information security managers and system administrators in any organisation. Attackers normally target an information system with the objective of making it either not available to the rightful users or making it easily available to all unauthorized users too. Attackers or intruders prevent authorized access to resources or send huge network data to a system and delay the process in time-critical operations and thus deny its service to authorised users. Such an attack, often called a Denial of Service attack, results in a breach of the attribute of availability.

6. Other Applicable Attributes of Information Security

In addition to the three traditional areas or pillars of information security as above, modern-day security professionals often include some additional attributes as ingredients of information security, like Non-repudiation, Accountability, and Reliability. Let us discuss these in a nutshell:

  • Non-repudiation refers to the state of an information asset that makes the sender or the creator of the asset own the responsibility of such sending or creation and does not give any room for disowning it. In physical form, when one signs a letter or sends a hand-written communication, such hand-writing makes him own the task of writing or sending. He will not be allowed to repudiate or deny that he wrote it or sent it. In an electronic communication too, such a requirement does exist and it is but essential that the data entry operator of an asset or originator of the communication should be made to own it and should not be allowed to disown it. Usage of electronic signature in an electronic record or electronic communication is commonly used to bind the person who created the data or sent it and make him responsible for it.
    To elucidate the concept with practical banking examples, imagine a situation in an RTGS (Real Time Gross Settlement) or other electronic funds remittance where the sender of a remittance disowns the act of sending, or the receiver, after having received it, denies having received the message. Or consider a record in a CBS database (i.e., a row in the RDBMS) which the data shows as having been entered by a particular user or official, where that user or official disowns having entered the data, stating that he is in a branch hundreds or thousands of kilometers away.
    In all such cases, it is the strength of the data or the system to prove that the data was actually input or sent or accessed or received by the actual user. This is an important pillar of information security. In a non-computerized environment, the user or the official’s signature or initials would be the biggest evidence making his denial impossible; in a computerized environment, this is the role of Non-Repudiation.
  • Accountability of an information asset is the attribute of keeping audit information selectively so that actions affecting security can be traced to the particular entity who breached it. Accountability presupposes a proper identity of authorised users and their records and the availability of a proper audit trail. An audit trail is the log or history of all system activities in chronological order, providing documentary evidence of the processing that the data has undergone in its path of transformation from its inception right up to the final report generation and permanent storage. Accountability, therefore, is considered to be an off-shoot of non-repudiation and should be flawless in information security. Especially in the event of an attack on data security, strong accountability ensures that the management has proper control and is able to identify the users who accessed the data at every stage.
  • Authenticity may be broadly defined as conformance to fact and therefore worthy of trust, reliance, or belief. Being authentic is the quality of being absolutely true, ‘in absolute fact’, not fraudulent or counterfeit, and being worthy of belief. In information security, it is the assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity.
  • Authenticity is verified through a process of authentication, which is a very popular word in information security parlance. Very often we hear words like One Factor Authentication, Two Factor Authentication, etc. The process of authentication usually involves more than one “proof” of identity, where such proof could be something a user knows, like a password. Authentication is the process of verifying that a user is who he claims to be. A user can prove his identity by producing his card and swiping it in a device, in which case the authentication is a One Factor Authentication of ‘what he has’. The gadget or the device or the credit/debit card that is produced for swiping is the authentication device of One Factor Authentication. If, in addition to such physical possession of the device, the user inputs a password or a number after entering his user id, such authentication is said to be based on ‘what he knows’. Hence in ATM transactions it is always a Two Factor Authentication of what the user has (i.e., the ATM card) plus the ATM PIN, i.e., ‘what he knows’.
    If the authentication is done through a process of biometric verification after the user id is input or the card is swiped, then it is said to be based on ‘who the user is’, i.e., a biological factor of the user, say his fingerprint, retina, palm or hand geometry scans, or such physical parts of the body, to confirm that he is the user he claims to be.
  • Reliability is another attribute of information security that focuses on dependability. This assumes significance especially in the event of a crisis or a disaster, when information is retrieved and is wholly relied upon and used. In such an event, if the information sought lacks dependability or is unreliable, then the entire process of security will fail. Hence, reliability has a bearing on related areas of a computer system like safety, giving an assurance to its users that the information can be relied upon even in times of an emergency in a safety-critical application. For instance, in the case of a non-computerised environment, it is an assurance that data extracted from, say, a physical record is a reliable copy of the original one and can be acted upon.
  • Resilience: Resilience involves the ability of an organization to withstand and recover from security incidents, disruptions, or failures. It includes proactive measures such as risk management, incident response planning, and business continuity management to minimize the impact of security breaches or disasters and ensure the organization can continue to operate effectively.

By addressing these pillars comprehensively, organizations, including banks, can establish a robust information security posture that protects their assets from various threats and risks.

7. Physical Security

Information Security has two layers, viz. Physical Security and Logical Security, and a successful implementation of security depends upon proper usage of both. Physical Security is the most fundamental security layer for any information asset. The moment an information asset is created in a physical form, like the purchase of a computer or the arrival or installation of a hardware system or a network device, its physical upkeep assumes significance and the physical security steps related to the asset should be in place.

Physical Security can be enforced by having protective compound walls and barriers with posting of security guards, ensuring frisking of visitors, installation of CCTVs in critical and public areas and even having one or more additional layers to reach a critical physical area like a Network Operation Centre or a Core Banking-Data Centre or a Server Room.

8. Logical Security

While physical security is about a user’s physical entry to a system or an information asset, logical security is about a user’s access to data or information in a system through a computer system, either in the same premises or from a far-off location through a computer network. It cannot be said in general which of these, physical or logical, is more crucial and important. It depends upon the nature of the application and the nature of the information asset.

For a network-centric application wherein nothing is stored physically in the front-end computer system, workstation or node, physical security issues may be less important and logical security more important. For instance, in a bank branch which is part of core banking, physical security for the resources in the branch, say the PC workstations or nodes, is not as crucial as logical security, since loss of the physical resources may not impact the core banking solution resources, but a breach of logical security from a local branch to the centralised resources may have a disastrous impact.

In such an environment, physical security would largely be confined to the physical assets in the branch, like the computers or the network devices (since no significant or valuable data or software is stored at the branches), and of course non-electronic assets like cash, jewels and furniture that are part of the branch books and are thus valuable and important.

Logical Security: Every computer resource can be accessed by reaching it through physical contact and attacked. Just like physical threats to a computer resource, there are also logical threats through logical accesses. When a computer resource, in the form of information stored on a hard disk or any other device, is accessed through computer resources like a keyboard or a mouse, either on-site or from a remote location or through a network, such access is called a logical access. Such logical access can be through a proper user id of a front-end system as part of the application and the database.

If such access is attempted in an unauthorised manner, or in an authorised manner but to carry out an unauthenticated transaction, then such access should be denied and a proper log of such attempt should be maintained. Logical Security is an essential element of information security.

  • Access Control restrictions should be in place for the success of any information security implementation. Top management and the security managers should be aware of what access is to be given to which user — either physical or logical — and the related control measures should be put in place.
  • Access Privileges are a subset of Access Control Management in which the security managers decide up to what level access is to be given to the user. For instance, in a banking environment, the data entry operators or the clerical staff members are given access to perform data entry jobs by recording an entry, including debiting an account, but their access normally stops there (unless the system specifically permits them to do a limited supervisory job like teller functions). After such posting of the debit, say a cheque, the privilege of passing it and releasing the corresponding credit, like cash payment, etc., is vested with a supervisory official. Such an arrangement is called Access Privilege.
  • Role of Supervisory Official: Similarly, a normal supervisory official will have powers to pass cheques but not to grant an overdraft. Powers of an overdraft in a Current Account will normally be given to a senior manager or the branch In-charge or other officers nominated for the purpose by the branch or by whatever is the process as prescribed by the bank in its Manual of Instructions or Work Manual or its Systems document, by whatever name called. Not defining or adhering to such a system will be called breach of privilege.

An important principle underlying Access Privileges is the Maker Checker principle, which is compulsorily adhered to in most banking applications (i.e., software programs running in banks). Data entry is normally made by one staff member and is checked by another, preferably a supervisor or a person of higher hierarchical ranking, called the checker, and then the record is saved in the system. Application software is normally designed to ensure a proper maker and checker principle in all operations, and breach is normally not possible. The system normally records the details of the user who has entered the data (i.e., the maker) and the supervisory user who has passed or approved it (i.e., the checker), and every transaction carries the time stamp along with these details. The Maker-Checker principle also ensures a proper access control mechanism, especially in Software Access Control and Logical Access Control, and enhances the security strength of the system.

The terms IT Security and computer security are often used interchangeably, though a discerning security specialist may like to distinguish between the two, as IT Security is more technology based and computer security is more user based, concerned with the use of a computer or other devices that can be defined as a computer. However, for the purpose of our understanding, the terms refer to the entire spectrum of Information Technology, including application and support systems, and the protection afforded to an automated information system in order to attain the applicable objectives of preserving the pillars of information security as stated above in all computer related resources, including all kinds of hardware, software, firmware and telecommunications.

It would be quite relevant here to also use the phrases “Cyber Security”, “Computer Security” and “Information Security”. While in common usage all three may be used interchangeably, for an expert in the area and for an information security professional there is a clear difference. Information Security refers to the privacy and security of information in the system, say the hardware or the software or application (commonly referred to as just “apps” these days) or even the network and the entire gamut of computer systems. Cyber Security refers more to security in cyberspace, especially in a network or while the data is in transit or part of some communication, say in e-commerce or an electronic funds remittance or a social networking site, wherein communication is the essence. Computer Security may be generally referred to in the context of the privacy and security of data and information stored in the computer and all those devices that may be broadly called a computer.

The post Introduction to Information Security | Strategies for Data Protection and Risk Management appeared first on Taxmann Blog.

AO Can Consider Info Relatable to Evidence Found During Search for Making Block Assessment | HC
https://www.taxmann.com/post/blog/ao-can-consider-info-relatable-to-evidence-found-during-search-for-making-block-assessment-hc
Sat, 16 Nov 2024 12:16:15 +0000

Block Assessment

Case Details: Mange Ram Mittal vs. Commissioner of Income-tax - [2024] 168 taxmann.com 306 (Punjab & Haryana)

Judiciary and Counsel Details

  • Sanjeev Prakash Sharma & Sanjay Vashisth, JJ.
  • Akshay Bhan, Sr. Adv., Shantanu Bansal, Dr. Deepak Jindal & Yugank Goyal, Advs. for the Appellant.
  • Sanjay Bansal, Sr. Adv. & Ms Gauri Neo Rampal, Senior Standing counsel for the Respondent.

Facts of the Case

A search was conducted at the assessee’s residential premises, and certain incriminating materials were found with respect to the liquor business. After making elaborate enquiries, the Assessing Officer (AO) concluded that the assessee owned a liquor business and accordingly passed an assessment order determining the undisclosed income of the assessee based on the seized document.

On appeal, the Tribunal held that ample evidence, including partnership deeds of various liquor firms, was found in the course of the search itself regarding the assessee’s undisclosed income from the liquor business he carried on. Thus, it could not be said that the assessment of undisclosed income in that regard was outside the purview of section 158BC.

Aggrieved by the order, an appeal was filed to the Punjab & Haryana High Court.

High Court Held

The High Court held that the Parliament had enacted a separate Chapter XIV-B of the Act laying down the special procedure for assessing search cases, a self-contained code. The amount to be taxed under the said chapter should have a direct nexus with the material discovered during such search operations alone. The assessment should be restricted only to the evidence found during the search. The words “relatable to such evidence”, added with retrospective effect to Section 158BB from 01-07-1995, reinforced the legal position that what was not relatable to the evidence found as a result of the search ought not to be included in the computation of undisclosed income. The Tribunal has, therefore, examined the meaning and scope of the phraseology

“such other materials or information as are available with the Assessing Officer and relatable to such evidence”.

The words that have been added are rightly interpreted by the Tribunal to include two types of material that the AO may consider. First, the material found during the search and relatable to such evidence and the second part is such other materials or information as are available with the AO. Thus, apart from the evidence that may be collected and noticed during the search, if the AO has any other information and such other material with him that is relatable to such evidence, the same can also be looked into for the purpose.

Therefore, an assessment under section 158BC is required to be made both on the basis of the result of the search as well as post-search enquiry and other proceedings which are in the nature of consequences of the evidence found as a result of the search.

List of Cases Reviewed

  • Order of ITAT in Mange Ram Mittal v. ACIT [2006] 103 ITD 389 (Delhi) (SB)/[2006] 9 SOT 371 (Delhi) [para 10] affirmed.

List of Cases Referred to

[Opinion] The ‘as is where is’/‘as is’ Enigma – An Analysis
https://www.taxmann.com/post/blog/opinion-the-as-is-where-is-as-is-enigma-an-analysis
Sat, 16 Nov 2024 12:14:52 +0000

GST Refund

Sahana R & Derlene Joshna – [2024] 168 taxmann.com 287 (Article)

The GST Council has been proactive in settling contentious issues under GST through recommendations to the Central Board of Indirect Taxes (“CBIC” or “Board”) to issue circulars clarifying the tax treatment in respect of several transactions. Recently, the GST Council has recommended that the Board regularize a few common trade practices on an ‘as is where is’ or ‘as is’ basis. Pursuant to the Council’s recommendations, the Board has issued a few circulars which have clarified issues such as the rate of tax paid on a supply for the past on an ‘as is where is’ basis.1 A few circulars have used the phrase ‘as is’ basis.2 These new catchphrases garnered widespread attention as their exact meaning was not clear. The Hon’ble Gujarat High Court3 has clarified the scope of these phrases to a small extent. Subsequently, the Board has clarified the same through a recent Circular No. 236/30/2024-GST dated 11.10.2024 (“Circular dated 11.10.2024”). Through this article, the authors delve into the meaning of regularization on an ‘as is where is’ / ‘as is’ basis and the confusions which still prevail for taxpayers.

Examples of issues clarified on ‘As is where is’/ ‘As is’ basis

To better appreciate the meaning of the phrases ‘as is where is’/‘as is’, it is important to take note of some of the issues clarified by the Board on an ‘as is where is’/‘as is’ basis.

| Circular | Goods/Services in respect of which clarification on applicable rate of GST was issued and past period was regularized on ‘as is where is’/‘as is’ basis | Whether the competing entries which raised the genuine doubts on the rate applicable was noted in the Circular |
|---|---|---|
| Circular No. 179/11/2022-GST dated 03.08.2022 | By-products of milling of Dal/Pulses such as Chilka, Khanda and Churi. | Yes |
| Circular No. 189/01/2023-GST dated 13.01.2023 | | No. Exemption Entry which would apply for the future period was noted. |
| Circular No. 200/12/2023-GST dated 01.08.2024 | Un-fried or un-cooked snack pellets, by whatever name called, manufactured through process of extrusion | No. Council Recommendations pertaining to correct GST rate were noted. |
| | Goods falling under HSN 9021 | Yes |
| | Desiccated coconut, biomass briquettes | No |
| Circular No. 228/22/2024-GST dated 15.07.2024 | Reinsurance of specified general and life insurance schemes | Yes |
| | Certain accommodation services viz., per month value is less than Rs. 20,000/- per person and said services is provided | Yes |
| Circular No. 234/28/2024-GST dated 11.10.2024 | Transport of passengers by helicopter | No. Council Recommendations pertaining to correct GST rate were noted. |

The circulars regularizing the past practices on ‘as is where is’ / ‘as is’ basis have not always delved into the competing entries used by the taxpayers in the past.

Out of all the circulars issued for clarifying issues on ‘as is where is’ / ‘as is’ basis, Circular No. 200/12/2023-GST dated 01.08.2024 has explicitly stipulated that refund is not eligible to taxpayers who have paid GST on goods in respect of which GST rate has been regularized on ‘as is where is’ basis.

While these circulars were issued to put to rest genuine confusion on applicable rates, the use of the phrases ‘as is where is’/ ‘as is’ led to further confusion.

Summary of SCN in Form GST DRC-01 Cannot Substitute Statutory Requirement of SCN Under CGST Act | HC
https://www.taxmann.com/post/blog/summary-of-scn-in-form-gst-drc-01-cannot-substitute-statutory-requirement-of-scn-under-cgst-act-hc
Sat, 16 Nov 2024 12:13:26 +0000

Show Cause Notice

Case Details: Construction Catalysers (P.) Ltd. v. State of Assam - [2024] 168 taxmann.com 183 (Gauhati)

Judiciary and Counsel Details

  • Devashis Baruah, J.
  • Ms Nitu Hawelia, Ms M.L. Gope & A. Goyal, Adv. for the Petitioner.
  • B. Gogoi, Standing Counsel Finance and Taxation, Dr B.N. Gogoi & Ms K. Phukan, Advs. for the Respondent.

Facts of the Case

The petitioner was issued a Summary of the Show Cause Notice in Form GST DRC-01 along with an attachment of the determination of tax. It submitted a reply and requested a personal hearing, but the reply was not considered and an order was passed. It filed a writ petition and challenged the order, contending that a proper show cause notice was not issued and the opportunity of hearing was denied.

High Court Held

The Honorable High Court noted that in the instant case, the summary of Show Cause Notice in Form GST DRC-01 cannot substitute statutory requirement of show cause notice under Section 73(1) of GST Act. The statement of tax determination attached to DRC-01 would not be equivalent to show cause notice. Moreover, the authentication by proper officer is mandatory for show cause notices and orders.

Therefore, the Court held that the impugned order was liable to be quashed and the department would be at liberty to initiate de-novo proceedings. The Court also directed that period from issuance of summary show cause notices till service of judgment copy would be excluded for limitation under Section 73(10).

List of Cases Reviewed

[Opinion] The Ever-Increasing Role of Compliance Officers | Guiding Boards Through the Labyrinth of Governance
https://www.taxmann.com/post/blog/opinion-the-ever-increasing-role-of-compliance-officers-guiding-boards-through-the-labyrinth-of-governance
Sat, 16 Nov 2024 12:12:49 +0000

Labyrinth of Governance

Dr. Sudheendhra Putty – [2024] 168 taxmann.com 291 (Article)

In the dynamic and increasingly complex world of corporate governance, the role of compliance officers has shifted from being administrative backroom operators to key figures at the heart of board decision-making. As companies navigate an era defined by heightened regulatory scrutiny, escalating ethical expectations and expanding stakeholder demands, compliance officers have become indispensable to safeguarding corporate integrity and promoting boardroom effectiveness. Their sage counsel, vigilance and foresight ensure that boards can meet their growing responsibilities without succumbing to the perils of non-compliance or reputational damage.

William Shakespeare’s timeless observation that ‘uneasy lies the head that wears a crown’ could not be more fitting for today’s boards of directors. While the mantle of leadership continues to hold prestige, it now additionally carries an unparalleled weight of responsibility. Directors are no longer merely figureheads or ornamental in nature; they are under constant pressure from investors, regulators and the public (all stakeholders, so to say) to ensure that their respective companies are run in an ethical, sustainable and compliant manner. From the leading 19th-century cases in the United Kingdom like Ferguson v. Wilson and Lands Allotment Co., which articulated the fiduciary roles of directors, to the explicit regulatory provisions under the Companies Act and SEBI (Listing Obligations and Disclosure Requirements) Regulations (LODR), the board’s duties have become both expansive and stringent. Navigating this labyrinth is no simple feat, and that is where compliance officers have stepped in to guide, support and safeguard the integrity of corporate governance.

The seminal Cadbury Committee Report of 1992 was a watershed moment in shaping modern corporate governance practices in the UK and beyond. Decades later, its recommendations continue to resonate globally, providing a foundation for best practices. Paragraph 4.25 of the report, which refers to the role of the company secretary, emphasizes the company secretary’s pivotal position as a key advisor to the board, particularly to the chair as also the individual directors. The Cadbury Report underscored the vital function of the company secretary as a governance figure responsible for ensuring that board procedures are meticulously followed and that governance obligations are fulfilled.

Key Points from Paragraph 4.25 of the Cadbury Committee Report

  1. Source of Advice: The company secretary is described as a reliable source of advice on legal and governance matters. This ensures that boards act in compliance with both the law and the principles of good governance. The secretary advises particularly on implementing the Code of Best Practice.
  2. Support for the Chair and Directors: The company secretary supports the board in conducting meetings effectively, providing advice that helps in navigating complex governance issues. The report stresses that directors should have access to the secretary’s advice, ensuring they are equipped to fulfill their responsibilities.
  3. Governance Best Practices: The paragraph places importance on the company’s governance frameworks being upheld, with the company secretary playing a crucial role in the practical application of best governance practices.
Writ Seeking Directions to RBI to Take Action Against Respondent Company Was to Be Allowed Due to Alleged Misappropriation of Funds | HC
https://www.taxmann.com/post/blog/writ-seeking-directions-to-rbi-to-take-action-against-respondent-company-was-to-be-allowed-due-to-alleged-misappropriation-of-funds-hc
Sat, 16 Nov 2024 12:11:51 +0000

RBI Act

Case Details: Evaan Holdings (P.) Ltd. v. Reserve Bank of India - [2024] 168 taxmann.com 202 (Delhi)

Judiciary and Counsel Details

  • Dharmesh Sharma, J.
  • Parag Tripathi, Sr. Adv., Anirudh Sharma, Srinivasan Ramaswamy, Ms Harshita Choubey, Ms Sonali Sharma & Ms Vridhi Kashyap, Advs., for the Petitioner.
  • Avishkar Singhvi, Keshav Sehgal, Shivam Gaur, Kshitij Joshi, Aryan Kumar, Advs., Sidharth Luthra, Sr. Adv., Dhruv Chawla, Yoganshi Singh, Ayush Agarwal, for the Respondent.

Facts of the Case

In the instant case, the petitioner company had substantial shareholding in respondent NBFC company. The petitioner company highlighted certain alleged aspects of mismanagement and financial improprieties including misappropriation and siphoning off funds by respondent company through its Board of Directors.

The petitioner company lodged complaints with RBI but no action had been taken so far. Petitioner thus, filed instant writ petition seeking directions to RBI to initiate action against respondent company in terms of provisions contained in Chapter IIIB of RBI Act.

Further, it was noted that the supervisory role of RBI is continuous; it commences from the date of registration of the NBFC and remains till the time of its commercial death by way of winding up. Further, the Status Report indicated that the company accepted OCDs without permission of RBI, thereby breaching the leveraged ratio of the company beyond the acceptable level.

It was also noted that the management of the respondent company had been withholding relevant documents from RBI and, thus, it was necessary to arrest any further misappropriation and pilfering of funds of the respondent company, since any further delay might be too late to protect the interests of stakeholders.

High Court Held

The High Court observed that RBI had failed to exercise its supervisory powers and, thus, it became imperative that certain directions be issued to RBI to intervene in matter and to ensure enforcement of binding regulations provided under RBI Act.

Therefore, considering the necessity to safeguard the interest of investors of the respondent company besides other stakeholders including creditors, the High Court held that the instant writ petition was to be allowed.

Also, it was held that the writ proceedings under Article 226 of the Constitution of India can be instituted against an instrumentality of State, such as RBI, when it is demonstrated that it is failing to exercise the power vested in it.

List of Cases Reviewed

  • Nedum Pillai Finance Company Limited (2022) 7 SCC 394 [Para 18]; followed
  • Hoichoi Technologies Private Limited v. Reserve Bank of India 2024 SCC OnLine Cal 3569 [Para 33]; distinguished

List of Cases Referred to

  • Nedum Pillai Finance Company Limited v. State of Kerala (2022) 7 SCC 394 (para 5),
  • Dr. Subramanian Swamy v. Union of India 2024 SCC OnLine Del 5706 (para 14),
  • Hoichoi Technologies Private Limited v. Reserve Bank of India 2024 SCC OnLine Cal 3569 (para 14)
  • Hari Krishna Mandir Trust v. State of Maharashtra 2020 9 SCC 326 (para 25).

[Analysis] SEBI’s New UPSI Definition – Key Amendments for Transparency in Insider Trading
https://www.taxmann.com/post/blog/analysis-sebis-new-upsi-definition-key-amendments-for-transparency-in-insider-trading
Fri, 15 Nov 2024 12:05:50 +0000

Amendment to UPSI definition

The recent amendment to the definition of Unpublished Price Sensitive Information (UPSI) by the Securities and Exchange Board of India (SEBI) aims to clarify and expand the events covered under the SEBI (Prohibition of Insider Trading) Regulations, 2015. SEBI's proposed changes align the UPSI definition with significant events and thresholds listed in Schedule III of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR), covering aspects like changes in ratings, fundraising, management control agreements, fraud or defaults by key personnel, forensic audits, and significant regulatory actions. This broader definition seeks to standardize compliance for listed entities, enhance transparency, and protect investor interests by ensuring timely disclosure of price-sensitive information.

Table of Contents

  1. Introduction
  2. Background and Rationale
  3. Current Definition of UPSI
  4. Key Proposals from SEBI
  5. Conclusion

1. Introduction

On November 9, 2024, the Securities and Exchange Board of India (SEBI) released a consultation paper proposing a review of the definition of Unpublished Price Sensitive Information (UPSI) under the SEBI (Prohibition of Insider Trading) Regulations, 2015 (PIT Regulations). The proposals aim to enhance clarity, certainty, and uniformity in compliance for listed companies by aligning the UPSI definition with key events and thresholds outlined in Regulation 30 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015.

2. Background and Rationale

According to SEBI’s observations, listed entities inconsistently classified events as UPSI. Many companies adhered strictly to Regulation 2(1)(n) of PIT Regulations, omitting potentially sensitive events outlined in Regulation 30 of the LODR Regulations that impact market prices. SEBI’s study noted various gaps in defining UPSI, which affected uniform compliance and transparency. Therefore, the consultation paper proposes amendments to ensure compliance that aligns with PIT and LODR regulations.

3. Current Definition of UPSI

PIT Regulations define UPSI as follows:

As per Regulation 2(1)(n) of SEBI (PIT) Regulations, 2015, “unpublished price sensitive information” means any information, relating to a company or its securities, directly or indirectly, that is not generally available which upon becoming generally available, is likely to affect the price of the securities materially and shall, ordinarily including but not restricted to, information relating to the following:

  • financial results;
  • dividends;
  • change in capital structure;
  • mergers, de-mergers, acquisitions, delistings, disposals and expansion of business and such other transactions;
  • changes in key managerial personnel.

4. Key Proposals from SEBI

The proposals put forth by SEBI’s Working Group (WG) and informed by public feedback aim to update the UPSI list to include specific events and information types. These proposals cover material events categorized under Schedule III of LODR, ensuring they are addressed in the UPSI framework.

| Proposal No. | Proposed Inclusion (Clause/Para/Schedule of LODR) | Comments |
|---|---|---|
| 1 | Inclusion of ‘Change in Rating(s)’ (Clause 3 of Para A of Part A of Schedule III of LODR Regulations) | New ratings are assigned to instruments issued by a listed entity. Such issuance would be covered either in the current UPSI definition as ‘change in capital structure’ or under the proposed inclusion ‘fund raising proposed to be undertaken’. Regarding revision in ratings, only significant rating changes (upward/downward) should be included in the UPSI list, as revalidations often don’t impact share prices. |
| 2 | Inclusion of ‘fundraising proposed to be undertaken’ (Clause 4 of Para A of Part A of Schedule III of LODR Regulations) | The decision on proposed fundraising is currently excluded from the UPSI definition; thus, it is proposed for inclusion in the illustrative list of UPSI events, as these may be price-sensitive. |
| 3 | Inclusion of ‘Agreements, by whatever name called, impacting the management and control of the company’ (Clause 5 and 5A of Para A of Part A of Schedule III of LODR Regulations) | SEBI’s Working Group believes that only agreements that impact the company’s management and control and are known to the company should be considered price-sensitive and included in the UPSI events list. |
| 4 | Inclusion of ‘Fraud or defaults by a listed entity, its promoter, director, key managerial personnel, senior management, or subsidiary or arrest of key managerial personnel, senior management, promoter or director of the listed entity, whether occurred within India or abroad’ (Clause 6 of Para A of Part A of Schedule III and Clause 9 of Para B of Part A of Schedule III of LODR Regulations) | Fraud or default by key personnel or affiliates erodes investor trust and often impacts share prices. The update aligns with SEBI’s goal of promoting transparency and protecting shareholders by disclosing key information that might impact their investments. |
| 5 | Amendment in definition of UPSI to include the change in key managerial personnel, other than due to superannuation or end of term, and the resignation of a Statutory Auditor or Secretarial Auditor | It has been proposed that the definition of UPSI be amended under regulation 2(1)(n)(v) of the PIT Regulations. Specifically, the amendment would include any changes in the KMP, except those due to superannuation or the completion of the term, as well as the resignation of a Statutory Auditor or Secretarial Auditor. This amendment informs investors about leadership changes that could impact the company’s stability. |
| 6 | Inclusion of ‘Resolution plan/Restructuring/one-time settlement in relation to loans/borrowings from banks/financial institutions’ (Clause 9 and 10 of Para A of Part A of Schedule III of LODR Regulations) | Loan restructuring reflects a company’s financial health, impacting stock valuation and investor confidence. Further, this proposal aims to enhance transparency regarding critical financial restructuring activities, aiding stakeholders in assessing the company’s fiscal health. |
| 7 | Inclusion of ‘Admission of winding-up petition filed by any party/creditors, admission of application by the corporate applicant or financial creditors for initiation of corporate insolvency resolution process (CIRP) of a listed corporate debtor and its approval or rejection thereof under the Insolvency Code’ (Clause 11 and 16 of Para A of Part A of Schedule III of LODR Regulations) | These filings indicate significant risks to business continuity and shareholder value. Further, this will enable investors to make well-informed decisions regarding corporate solvency and potential outcomes in cases of winding up or insolvency. |
| 8 | Inclusion of ‘Initiation of forensic audit (by whatever name called) by the company or any other entity for detecting misstatement in financials, misappropriation/siphoning or diversion of funds and receipt of final forensic audit report’ (Clause 17 of Para A of Part A of Schedule III of LODR Regulations) | Forensic audits signal potential internal issues, directly impacting investor confidence and share value. This proposal aims to enhance transparency by disclosing any investigations affecting the company’s financial reporting. |
| 9 | Inclusion of ‘Action(s) initiated or orders passed by any regulatory, statutory, enforcement authority or judicial body against the listed entity or its directors, key managerial personnel, senior management, promoter or subsidiary, in relation to the listed entity’ (Clause 19 and 20 of Para A of Part A of Schedule III of LODR Regulations) | Regulatory actions or judicial orders may indicate compliance risks, impacting share prices and market sentiment. This proposed amendment aims to enhance transparency regarding key stakeholders’ regulatory or judicial status, thereby influencing investor sentiment. |
| 10 | Amendment in definition of UPSI to include ‘award or termination of order/contracts not in the normal course of business and such other transactions’ | It has been proposed that the definition of UPSI be amended under Regulation 2(1)(n)(iv) of PIT Regulations. Specifically, this amendment will include the award or termination of orders/contracts outside the normal course of business and other transactions, in addition to already existing ‘mergers, de-mergers, acquisitions, delistings, disposals and expansion of business’. Major contracts substantially impact revenue and profitability, influencing market perception. In the future, this amendment would provide shareholders with insights into notable business developments that could affect revenue streams and valuations. |
| 11 | Inclusion of ‘outcome of any litigation(s) or dispute(s) which may have an impact on the listed entity’ (Clause 8 of Para B of Part A of Schedule III of LODR Regulations) | Litigation outcomes directly affect operational stability, financial results, and share value. This inclusion will ensure transparency, allowing investors to assess potential financial and legal implications. |
| 12 | Inclusion of ‘Giving of guarantees or indemnity or becoming a surety, by whatever named called, for any third party’ (Clause 11 of Para B of Part A of Schedule III of LODR Regulations) | Such provisions may result in contingent liabilities that impact a company’s financials. This proposal aims to ensure market participants are informed of any potential financial obligations affecting the company’s financial position. |
| 13 | Inclusion of ‘granting, withdrawal, surrender, cancellation or suspension of key licenses or regulatory approvals’ (Clause 12 of Para B of Part A of Schedule III of LODR Regulations) | Regulatory changes can have significant operational and financial implications, influencing share prices. This proposed amendment aims to ensure timely disclosure of changes in regulatory status, which can directly impact share value. |

5. Conclusion

The proposed amendments to the UPSI definition under SEBI’s PIT Regulations represent a proactive step toward achieving greater clarity and consistency in regulatory compliance for listed entities. By aligning UPSI events with the material events outlined in Schedule III of the LODR, SEBI aims to enhance transparency, protect investor interests, and establish a standardized compliance framework across industries.

Assessee is Not Obligated to Check Portal Post Registration Cancellation; SCN Must Be Served Through Alternative Means | HC
https://www.taxmann.com/post/blog/assessee-is-not-obligated-to-check-portal-post-registration-cancellation-scn-must-be-served-through-alternative-means-hc
Fri, 15 Nov 2024 12:04:59 +0000
GST cancellation notice

Case Details: Ahs Steels v. Commissioner of State Taxes - [2024] 168 taxmann.com 150 (Allahabad)

Judiciary and Counsel Details

  • Shekhar B. Saraf & Vipin Chandra Dixit, JJ.
  • Praveen Kumar, Vaibhav Singh for the Petitioner.

Facts of the Case

The petitioner was aggrieved by the order passed under Section 73 of the Act since the GST registration was cancelled and no business was carried out by the petitioner. It was submitted that the show cause notice was uploaded on the GST portal and the impugned order was passed.

High Court Held

The Honorable High Court noted that once the registration has been cancelled, the petitioner is not obligated to check the GST portal. Any show cause notice has to be served on the petitioner through alternative means.

However, in the present case, the notice was uploaded on the GST portal without being served through alternative means. Therefore, it was held that there had been a violation of the principle of natural justice and the impugned order was liable to be set aside. The Court also held that the department shall be at liberty to issue a proper notice to the petitioner and act in accordance with law.

List of Cases Reviewed

  • M/s Katyal Industries v. State of U.P. and others, Neutral Citation No. 2024:AHC:23697-DB – [Para 6] followed.

GSTN Update | Supplier View of IMS Has Also Been Made Available on Portal
https://www.taxmann.com/post/blog/gstn-update-supplier-view-of-ims-has-also-been-made-available-on-portal
Fri, 15 Nov 2024 12:04:12 +0000
Supplier View of IMS

GSTN Update dated November 13th, 2024

The GSTN has issued an update to inform taxpayers that the Supplier View of IMS has also been made available. The action taken by recipients on the records/invoices reported in GSTR-1/1A/IFF will be visible to suppliers in the ‘Supplier View’ functionality. This will help a supplier taxpayer see the action taken on their reported outward supplies and will help avoid any wrong action taken by the recipient taxpayer.

Further, it is reiterated that any action taken on records can be changed by the recipient taxpayer till the filing of GSTR-3B of the return period. If the taxpayer changes any action after the generation of GSTR-2B, they need to click the GSTR-2B re-compute button to re-compute their GSTR-2B based on the new actions taken.
