What’s up with RBI?
Last year, in one of the Monetary Policy Speeches, RBI had promised to tighten digital payment security (you can just read the bold sentences for a gist):
Going by the pre-eminent role being played by digital payment systems in India, RBI gives highest importance to the security controls around it. Now it is proposed to issue Reserve Bank of India (Digital Payment Security Controls) Directions, 2020 for regulated entities to set up a robust governance structure for such systems and implement common minimum standards of security controls for channels like internet, mobile banking, card payments, among others. While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in more safe and secure manner. Necessary guidelines will be issued separately. - (Source from RBI)
So finally, this week, it has released the Master Circular on Digital Payment Security Controls.
It only applies to the following Regulated Entities:
Scheduled Commercial Banks (excluding Regional Rural Banks)
Small Finance Banks
Payments Banks; and
Credit card issuing NBFCs
The document is too complex for me to understand, so here’s an expert who understands this stuff:
Sandeep is the CEO of RedCarpet (a credit card issuing NBFC) - so this circular directly affects his company.
I glanced through the full document and the only sentence I found relevant was:
The alerts and OTPs received by the customer for online transactions shall identify the merchant name, wherever applicable, rather than the payment aggregator through which the transaction was effected.
This makes sense because if every SMS starts mentioning Razorpay (I don’t have the numbers but I’m sure you’ve noticed most of your transactions go through them), it’ll be really difficult to reconcile if you suffer a fraudulent or an error-based transaction.
But honestly, Sandeep is right. We really need better controls on UPI. Just look at the data.
Payment and Small Finance Banks, which make a significant chunk of the Security Controls, hardly receives any complaints. Majority of it comes from private banks (supposedly due to the fact that their customers are more prone to digital transactions), followed by nationalised banks, followed by SBI - which apparently generates more than a quarter of the total complaints!
All these bank complaints were clubbed under different complaints and ranked:
As expected, majority of complaints (~22%) come from ATM and Debit Card usage, followed by mobile/netbanking (~13%). Since Credit Cards make up a significant chunk (~10%), it makes sense that the Security Controls have included CC issuing NBFCs.
“Non-observance of FPC” or Fair Practices Code are just the guidelines for regular stuff like loan application, processing and disbursement. If you notice the pre-digital boom era (2017-18), you’ll observe that this segment had the highest share of complaints. In fact, for NBFCs, which are generally not known to follow guidelines as much as banks, FPC-related complaints are still the highest (at ~36%).
Then there’s an Ombudsman Scheme for Digital Transactions. Under it, UPI and QR related complaints form close to half the complaints! (~44%)
While the central bank has done a decent root-cause analysis, the remedial measures suggested for such a high number of frauds doesn’t really inspire confidence, does it?
More than this drab document, I feel RBI is doing a better job with awareness through these trendy rap videos (HDFC did it first though). Honestly, I’m pleasantly surprised!
In any case, some companies are trying to solve for the issue in their own way.
Take Airtel Payment Bank for example.
Their Safe Pay feature promises an “Additional” layer of security - here’s what it is:
In UPI, you don’t really have the concept of OTP. When you enter your four or six digit MPIN into the final screen - boom! Money leaves your account faster than you can blink! While this technology currently makes India the best country in the world when it comes to payments, it also has its own cons: Lack of controls.
So Airtel has a simple workaround for this - It will push a second alert to your phone after you enter the MPIN.
Problem? - this is a feature by a Payment Bank - which, apart from the low adoption, has a limit of 1 lac on the savings balance.
Almost every day, I read about fraud attempts where the QR code is used in a nifty way to withdraw funds from your account. Hopefully, the major facilitators (private and public banks) and NPCI together come up with unique ways to solve it.
But why is it a hard problem to solve?
Because it is trying to balance the perennial problem of REGULATION vs ADOPTION. Due to high regulation in credit cards, their penetration is low. On the other hand, UPI/QR codes have very lax regulation - something that NPCI has capitalised upon to build an infrastructure which has processed 2.3B transactions worth ₹4.2T just in January 2021.
What do you think? How can we solve this?
What I read this week…
Another day, another bank failure: RBI has put a ₹1000 cap on withdrawals from another weak co-operative bank. Good news? 99.58% of the depositors are fully covered by the DICGC insurance scheme. Bad news? The DICGC Act, 1961 is yet to be amended - post this, depositors would be able to get funds worth 5 lacs of their deposits with the particular bank even while it is in moratorium, which is exactly what this bank is in now. Unfortunately, as of now, their money is stuck.
Citibank, with all their fancy bankers, accidentally transferred $900M from their own balance sheet to a client. I cannot even begin to explain the hilarious turn of events in which three people failed to notice the error before it was too late! It’s a fascinating story and Finshots has done a good job explaining it here. Do note that I’ve covered this story before in my newsletter - but it is reappearing everywhere because Citibank challenged this in court… and LOST!
How trustworthy are the bad loan numbers for the banks? - Vivek Kaul is back again with his no-nonsense filter on. The Supreme Court has really messed up everything by not allowing banks to classify bad loans as NPAs - how are banks reporting it then? Will a RBI scrutiny reveal a situation much much worse that it currently seems?
That’s it for this week.
I love feedback. If you want me to cover a particular news, want to get featured, write a guest post or wanna simply say hi, do reach out to me at firstname.lastname@example.org or LinkedIN or Twitter. Meanwhile, like this post and share it around?
All views and opinions shared in this article and throughout this blog solely represent that of the author and not his employer. Since the author is employed by a bank, he has consciously chosen not to report any news related to his company to avoid conflicts of interest. All information shared here will contain source links to establish that the author is not sharing any material non-public information to his readers. His opinion or remarks on any news are based on the assumption that the source is genuine, thus he is not liable for any information that may turn out to be incorrect. This blog is purely for educational purposes and no part of it should be treated as investment advice. Using any portion of the article without context and proper authorisation will ensue legal action.