The National Payments Corporation of India (NPCI), supported by the Reserve Bank of India (RBI) and the Indian Banks’ Association (IBA), was set up to achieve the goals of universal electronic payments, a “less-cash” society and financial inclusion. After enactment of the Payment and Settlement Systems Act, 2007, the RBI released vision documents for 2009-12, 2012-15 and 2018, in which it laid down principles for building future payment and settlement systems which are safe, secure and have universal reach.
E-payment systems are required for mobile transactions and online transactions. Mobile transactions and fund transfers are increasingly popular, due to their convenience, simplicity and accessibility. They are also in line with the government’s vision for achieving financial inclusion for everyone.
In 2014, the RBI released guidelines aimed at achieving greater standardization across mobile services offered by various banks. The guidelines urged banks to provide options for easy registration for mobile transaction services and minimizing or eliminating customer visits to bank branches for such services.
Challenges for mobile transactions include the lack of a uniform approach of the RBI and the Telecom Regulatory Authority of India (TRAI) towards protecting funds on the loss of a mobile phone or disconnection of a mobile number.
India is witnessing increasing integration of mobile numbers with bank accounts, with mobile phone numbers being used as virtual account numbers for prepaid wallets. Given the versatile usage of mobile phone numbers for financial transactions and fund transfers, there should be more focus on securing the bank account upon loss of a mobile phone or termination of a mobile phone number. It is crucial that TRAI and the RBI consult and that guidelines on this are issued.
Another challenge relates to the use of mobile phones for two-factor authentication through one-time passwords (OTP). Today’s smartphone users connect to their internet banking account or prepaid wallet account on the same phone to which the OTP is sent. This compromises the basic security principle of not sending the second-factor authentication on the same medium to avoid any misuse. There is a need to address this issue and issuance of comprehensive guidelines for authentication of transactions beyond the current method.
As for online transactions, the Board for Regulation and Supervision of Payment and Settlement Systems, a sub-committee of the Central Board of the RBI, has authorized NPCI for operating various retail payment systems.
NPCI has created and facilitated various products including: (i) the National Financial Switch, which facilitates the routing of ATM transactions through inter-connectivity between the banks’ switches; (ii) Bharat Interface for Money, an app which allows simple and quick payment transactions using the Unified Payments Interface (UPI); (iii) the UPI system, which powers multiple bank accounts into a single mobile application; (iv) the *99# service, a common technology platform which allows banks and telecom service providers to integrate with each other to provide banking services to customers over both basic mobile phones and smartphones; (v) the Aadhaar-enabled payment system, to allow online interoperable financial inclusion transactions through the business correspondent of any bank using Aadhaar authentication; and (vi) Bharat Bill Payment System, which works as a tiered structure to operate the bill payment system in India under a single brand image.
The basic challenge for any online transaction is to authenticate the transaction and to ensure that it was initiated by the authorized person. The Information Technology Act, 2000, provides for authentication of electronic records by either digital signatures or electronic signatures. The Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015, allow e-authentication technique using Aadhaar e-KYC services. It is notable that the second schedule, which provides for validating an electronic signature or electronic authentication technique, was left blank prior to 2015 and post 2015 only Aadhaar e-KYC services have been recognized as a valid electronic signature or electronic authentication technique.
NPCI’s efforts are being undermined by the lack of clarity on whether the combination of username and password, and the use of an OTP as second-factor authentication for validating a transaction, is a valid electronic authentication technique. The RBI should work with the government to resolve this anomaly and provide clarity on various forms of authentication techniques that may be used by NPCI.
SNG & Partners has offices in Delhi, Mumbai, Singapore and Doha. Amit Aggarwal is a partner and Rahul Sud is an associate partner.