Deflecting concerns over Goods and Services Tax Network's (GSTN) equity structure and security, Navin Kumar, head of the proposed unified tax's IT system firm, tells Praveena Sharma that it is gearing up for the July 1 deadline for GST.
Some concerns relating to the equity structure and the security aspect of GSTN have been raised. How valid are they?
First, let's talk about security issue arising from shareholding pattern. GSTN's 51% equity is with private companies that are duly registered in India under Indian laws. So, I do not understand what is the problem. There are some foreign holdings, but those are within permissible limit. Also, all large I-T projects in government, whether state or central, have a private IT company running them. The entire income tax data is with Infosys and TCS, why is there no security issue there? In our case, the government is the present board. There are security concerns, where the government is on board but I haven't heard anybody raising security concerns for other projects handled by non-government companies.
Should GSTN come under RTI?
Since it was funded by government it is subject to RTI.
Under the current legal framework, can Comptroller and Auditor General (CAG) have access to data on your system?
CAG is required to audit the receipts into the consolidated funds of the state and Centre under GST regime. Today, if they want to audit value added tax (VAT) of a state, they go to the state's commercial tax department and call for papers and audit them. Over the past decades, all states have computerised their tax operations because of funding from the central government. So they access the data through the commercial tax department officials. CAG officers tell us that when they go to the states or central government, they have a problem getting the data because the I-T system is accessed only by the tax officers. They had requested that we should make some provisions in our system for access of data.
On that, we had told them that the data with us is that of taxpayers. This data, when we had not come into the picture, would have been with some private company that has a contract with tax departments. So CAG would get it from tax officials. Here also, the data is on our system but does not belong to us, so we cannot give it. However, if the tax departments tell us, we will do so. The governments have to authorise us to give the data.
For this, a dialogue is going on between the government and CAG.
Our suggestion was that CAG should access all the data from respective tax departments because everything that we have is with the state and central tax departments but we don't have everything that they have.
We have also said that we will give CAG online access, just like we have given access to tax officials, if the governments agree.
The other thing is that we are a non-government private company that was funded by the government in the initial three years. So for the first three years we invited CAG to audit us. Last financial year, the government did not give us any money. So, as per company law, we are not supposed to be audited by CAG.
Bhupinder Yadav panel has suggested equity restructuring, what is your view on this?
That is for the government to consider. GSTN was made a non-governmental private company to provide efficiency and to avoid red tape.
How ready is the government's IT system for a July 1 roll-out?
The central laws have been passed. The state laws have to be passed. Registration can start only after the law is notified. The government may choose to notify before July 1. The law also says that all the existing tax payers of all the taxes that will be subsumed in GST will be given a provisional registration on an appointed date. Within six months of getting the provisional registration, tax payers will then have to provide certain pieces of information for its confirmation.
According to the model GST law, GST identification number (GSTIN) has to be given from July 1. That will, however, create a lot of problems if all converge on that day to get registration. So, we suggested that we want to do it six months in advance. The issue was there was no law that would mandate taxpayers to do this. So, we let people do it voluntarily. We put up the portal and invited people, not to migrate but to enrol themselves for a provisional certificate. For this, we launched our portal in November, last year.
Until now, of the 85 lakh tax payers, 55 lakh have activated their account and have got provisional ID, which will later become their GSTIN once the law is notified.
Has the testing of various modules of your system been completed?
Our user acceptance testing for many modules has been completed. Once that is over, the government testing organisation Standard Testing and Quality Certification (STQC) will test the whole system – load testing, vulnerability testing, penetration testing, etc. It will start working next month. It has already started looking at our hardware.
Hardware has arrived and our data centres have been set up. There are four data centres – the main data centre is here and a disaster recovery centre is in Bangalore. We have two near data centres for both. Testing for the entire system will start from May. That will take 4-6 months.
Does this mean you are on track for the July 1 deadline?
Our portal is already working. We are adding all the modules. The registration module is already there and we are testing the payments module and returns module. As soon as these are tested, we will be ready. So, we are on course.
What are you doing to take care of the security aspect of the system?
On the security issue, we are very sure there is no problem. But the government, as an abundant precaution, can carry out any checks they wish to. From day one, we are very concerned about our security. When we drafted our RFP (request for proposal), we had a special section on security. The best standard for information security is ISO 27001 and we are following that. All the security efforts we have taken have paid off because on the very first day our portal was launched there was a huge attack from within and outside India. We could thwart all that because we were prepared. We have put security systems at eight levels, starting from physical security called perimeter security, network, application, data, software and other levels. We don't stop there. We are also doing third party audits. After STQC testing, CAG will do our IT system audit.