66. Dark Side of Digital Payments

Aditya Kulkarni
Published in Auth-n-Capture
6 min read, Jun 18, 2022


Last week, I got a call from ‘an insurance company’ saying that my policy has matured and if I pay Rs.20K then I will get Rs.2L.

I received an SMS from a random number saying that my KYC with SBI had expired and asking me to call a number.

No need to guess, I neither have a policy from that insurer nor have I ever had a bank account with SBI… two incidents in a week. I am sure you would have heard of or faced similar cases.

While paying for tea at a roadside shop using UPI, one can still get the sense of not only doing good for the country but also boosting the valuation of a few FinTechs… Awesome… isn’t it!!!

Digital payments bring many benefits to the ecosystem and to the country. But there is a dark side to digital payments… The systems which are built for betterment can also be used by bad actors to cheat others. (When I say bad actors… don’t think about movie actors — Just bad people and companies)

And yes, you are right… today we will talk about these bad actors and what can be done to stop them.

Who are these bad actors? These are individuals and companies who cheat people or launder money.

Why do they do it? Greed, easy money and a laundry list of other things.

Why do people fall prey to them? Greed (yes again), ignorance, lack of understanding, fear.

How to stop bad people:

Here is a 6 Ps model (people like such models… don’t they?)

(FYI: Totally patented… hope you are already admiring those arrows :))

A. People

RBI and banks do run campaigns to create awareness about digital payments and what not to do, but somehow many forget to follow them. So I am reiterating a few points:

  • Do not share OTP or PIN (no matter what)
  • Do not write your ATM PIN on ATM card cover
  • Nigerian Prince is as fake as ‘$1Million lottery’ that you won without participating
  • Do not click on links that say ‘free iPhone’ or ‘free KGF2 movie download’
  • SBI doesn’t block your debit card randomly and then call you
  • LIC will not call you to give dividends or bonus
  • No one can double your money in 30days
  • Do not share OTP or PIN (Very important: revise this point)

Here are some do’s: (1) Understand the basics of payments (2) Keep customer support numbers handy (do not trust a ‘helpline’ number you find in Google Search, since fraudsters plant fake listings there; visit the bank/PSP website or app instead).

When conned, ‘do not panic’ — take a deep breath and (a) reach out to the bank / payment service provider (b) file a complaint with the police and (c) raise a dispute or chargeback… When conned, do not keep quiet… get help from your friends/family/bank.

B. Policies

RBI is the regulator that governs the payments in India and it is an amazing organisation. Read one of RBI’s vision documents to know how RBI thinks about payments.

One of the key goals for RBI is protecting the users. From time to time RBI issues guidelines related to products and processes to achieve this goal. Few of these

If the companies do not follow these guidelines, then RBI imposes penalties, enforces embargoes and even revokes licences.

C. Product/Platform

NPCI, card networks and banks are obliged to develop products and features as per RBI guidelines, or more generally in the best interest of users and merchants.

Here are few such products/features:

  • Mandatory second-factor authentication (AFA) on transactions
  • Mandates (standing instructions) on cards, with controls that let the user view, modify and cancel them
  • NPCI recommends that merchants implement ‘UPI intent’ rather than ‘collect request’: an intent flow opens the payer’s own UPI app with the merchant’s details prefilled, whereas a collect request is a pull that anyone, including a fraudster, can send (the familiar ‘approve this and enter your PIN to receive money’ trick; no PIN is ever needed to receive money)

D. Processes

Under various guidelines (e.g. PA/PG, PPI etc.) RBI mandates that payment companies follow proper KYC and due diligence processes. This is to ensure that the ‘right’ entities are receiving payment services.

Few guidelines: Master KYC guidelines, AML (Anti-Money Laundering) and CTF (Countering Terrorist Financing).

Which payment companies?

  • Issuers (PPI issuers and banks): Conduct the KYC process as prescribed by RBI. A Prepaid Payment Instrument issuer has to complete minimum or full KYC depending on the PPI type. Banks have to collect KYC for the user and complete due diligence of companies, including KYC of the board of directors.
  • Payment Aggregators: Required to follow KYC and conduct due diligence of the merchant before enabling a merchant account for collection. RBI’s new PA/PG guidelines mandate that PAs follow the Master KYC guidelines.
  • Acquiring banks: Make sure the PAs are onboarding merchants after following the correct process and are not running shady merchants under a master MID (the aggregator’s own merchant ID, behind which individual sub-merchants are invisible to the acquirer).
  • Merchants: If they are in financial services (e.g. brokerage services or an NBFC), then follow proper KYC and also validate the payment instruments, i.e. confirm that the account or VPA paying in actually belongs to the KYC’d customer (using UPI validation, penny drop, Third Party Validation — TPV).

Following the right process involves effort, cost and time, and may also slow down growth. Unlike a few years back when everything was paper based, now we have tools/solutions that bring efficiency to the process, e.g. PAN and Aadhaar validation, Video KYC, CKYC, credit scores and the Account Aggregator model.

But still you will see there will be gaps… why? We will talk about it in a separate section.

E. Participants

Payment ecosystem participants — banks, Payment Aggregators, PSPs, TPAPs — are obliged to follow the guidelines and processes (the two points above). These entities are also responsible for providing secure APIs and card vaults that resist tampering and compromise.

Apart from that, these entities run risk checks and velocity checks to flag and/or block suspicious transactions. Mostly the risk engines analyse patterns such as the user, location, payment pattern, vintage of the merchant etc., flag those transfers and hold the amount until they get assurance that the transaction is genuine…. ‘data-driven AI/ML can help’ (only if it is real tech and not an urban legend)
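As an added example (not code from the article or from any payment company), here is the kind of velocity and pattern rule set such a risk engine runs, applied to a constructed batch of transactions. The pipe-separated log format, the field names, the thresholds and the sample transactions are all assumptions made for the illustration:

```python
"""Velocity and pattern checks run over a batch of constructed payment events.

Added illustration; not code from the original article or from any real payment
aggregator. The log format, field names, thresholds and sample transactions
below are all assumptions made for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions; a real risk engine tunes them per merchant category.
MAX_TXNS_PER_PAYER_10MIN = 3        # 4th payment by one VPA inside 10 min is flagged
MAX_PAYERS_PER_DEVICE_1H = 2        # one handset paying from 3+ VPAs in an hour is flagged
MAX_CITIES_PER_PAYER_1H = 2         # one payer seen in 3+ cities within an hour is flagged
NEW_MERCHANT_VINTAGE_DAYS = 30      # merchant onboarded less than 30 days ago is "new"
NEW_MERCHANT_AMOUNT_CAP = 50_000    # INR; larger tickets to a new merchant are held

# Constructed log format (pipe separated):
# ts|txn_id|payer_vpa|device_id|merchant_id|merchant_onboarded_ts|city|amount_inr
SAMPLE_LOG = [
    "2022-06-15T10:00:00|T1|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Pune|120",
    "2022-06-15T10:02:00|T2|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Pune|90",
    "2022-06-15T10:04:00|T3|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Pune|400",
    "2022-06-15T10:05:00|T4|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Pune|60",
    "2022-06-15T10:30:00|T5|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Mumbai|500",
    "2022-06-15T10:45:00|T6|ravi@okbank|dev-A|M1|2022-01-01T00:00:00|Delhi|500",
    "2022-06-15T11:00:00|T7|meena@okbank|dev-B|M1|2022-01-01T00:00:00|Pune|200",
    "2022-06-15T11:05:00|T8|suresh@okbank|dev-B|M1|2022-01-01T00:00:00|Pune|200",
    "2022-06-15T11:10:00|T9|anita@okbank|dev-B|M9|2022-06-10T00:00:00|Pune|75000",
    "2022-06-15T12:00:00|T10|anita@okbank|dev-C|M9|2022-06-10T00:00:00|Pune|300",
]


def parse(line):
    ts, txn_id, payer, device, mid, onboarded, city, amount = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "txn_id": txn_id, "payer": payer,
            "device": device, "merchant": mid,
            "merchant_onboarded": datetime.fromisoformat(onboarded),
            "city": city, "amount": float(amount)}


def _trim(window, now, max_age):
    """Drop entries older than max_age; window holds (timestamp, value) tuples."""
    while window and now - window[0][0] > max_age:
        window.popleft()


def evaluate(lines):
    """Return {txn_id: [reasons]} for every transaction that trips a rule.

    A flagged transaction is held (not declined outright) until the risk team
    or an additional check confirms it is genuine.
    """
    per_payer = defaultdict(deque)    # payer -> (ts, txn_id)
    per_device = defaultdict(deque)   # device -> (ts, payer)
    per_city = defaultdict(deque)     # payer -> (ts, city)
    flags = {}
    for line in lines:
        t = parse(line)
        now, reasons = t["ts"], []

        # Rule 1: payer velocity - too many payments from one VPA inside 10 minutes.
        w = per_payer[t["payer"]]
        w.append((now, t["txn_id"]))
        _trim(w, now, timedelta(minutes=10))
        if len(w) > MAX_TXNS_PER_PAYER_10MIN:
            reasons.append("payer_velocity")

        # Rule 2: one device paying from many VPAs (mule / account-takeover pattern).
        w = per_device[t["device"]]
        w.append((now, t["payer"]))
        _trim(w, now, timedelta(hours=1))
        if len({p for _, p in w}) > MAX_PAYERS_PER_DEVICE_1H:
            reasons.append("device_multi_payer")

        # Rule 3: location - the same payer cannot be in three cities within an hour.
        w = per_city[t["payer"]]
        w.append((now, t["city"]))
        _trim(w, now, timedelta(hours=1))
        if len({c for _, c in w}) > MAX_CITIES_PER_PAYER_1H:
            reasons.append("impossible_travel")

        # Rule 4: merchant vintage - large ticket to a freshly onboarded merchant.
        if (now - t["merchant_onboarded"] < timedelta(days=NEW_MERCHANT_VINTAGE_DAYS)
                and t["amount"] > NEW_MERCHANT_AMOUNT_CAP):
            reasons.append("new_merchant_large_amount")

        if reasons:
            flags[t["txn_id"]] = reasons
    return flags


def flagged_sample():
    return evaluate(SAMPLE_LOG)


if __name__ == "__main__":
    for txn, why in flagged_sample().items():
        print(f"HOLD {txn}: {', '.join(why)}")
```

Each flagged transaction is a candidate for a hold rather than a decline, which is the ‘hold the amount until assured’ behaviour described above; the same features (payer velocity, device-to-VPA fan-out, location, merchant vintage) are what an ML scorer would consume once there is enough labelled history to train it.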

There are other entities that are not directly part of the payment ecosystem but still shape and safeguard the sector, such as IRDA and SEBI, which from time to time send SMS/emails about bad actors.

Recently, TRAI has been planning a framework where the user will see the caller’s name as per the telecom KYC (easy to know who is calling you, which crowd-sourced caller-ID apps cannot do reliably).

F. Protect and Prosecute

Every bank, PSP and FinTech is mandated to have a support number/mail that users can contact. Here are a few examples: DigiSaathi, UPI dispute redressal

Cyber crime police help in finding the culprits and recovering the money, but that is not always possible. Income Tax and the Enforcement Directorate are other agencies that investigate financial frauds, especially those related to money laundering.

Visual form

In summary, payment systems are designed to provide a secure, efficient and economical way of transactions/payment processing and it is done in various stages (shown below)

You should be happy that Rs.10 that you paid using UPI in that roadside tea shop has so many safeguarding measures.

But still… Yeah… but still, there is no guarantee that bad actors won’t get access to payment systems. So what can be done?

Last piece:

Here is the missing piece that can reduce fraudulent users (to a large extent) — a database of fraudulent merchants and users…similar to sanction list.

At present, a merchant flagged by Payment Aggregator A as a ‘fraudulent merchant’ can simply go to another PA and restart the business, or create a new company and get onboarded as a new merchant.

If all payment companies and banks can come together to build a database of merchants, users and directors who were involved in fraud, then surely we can weed out bad actors (to a large extent). It is not that simple… bringing all entities together, sharing data, enforcing guidelines and agreeing on commercial models.

The good thing is… neither sanction lists nor multi-company data sharing is new to us. Sanction lists such as OFAC and OFSI have existed for decades and are followed by many countries to stop bad people (e.g. narcotics traffickers, terrorists, illegal arms dealers etc.). Our Account Aggregator model taught us how data can be shared across various entities responsibly and securely.
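To make the proposal above concrete, here is an added example (not code from the article, and not any existing registry; no such RBI framework exists today) of how a shared negative list could be queried during merchant onboarding. It screens the company, its settlement account and each director, so a fraudster who re-registers under a new company name still hits. The identifiers used (company PAN, director PANs, settlement account), the HMAC pseudonymisation with a registry-issued key, the class and function names and the sample data are all assumptions:

```python
"""Screening a merchant application against a shared negative list.

Added illustration of the registry the article proposes; no such RBI framework
exists today and this is not code from the article or any PA. The identifiers
used (PAN of the company, PAN of each director, settlement account), the
pseudonymisation scheme and the sample data are assumptions.
"""
import hashlib
import hmac
import re

# Assumption: participants pseudonymise identifiers with a key issued by the
# registry operator, so the shared list never holds raw PANs or account numbers.
# A real deployment would distribute the key out of band, not hard-code it.
REGISTRY_KEY = b"demo-registry-key-not-for-production"

PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")


def normalise(kind, value):
    """Canonical form so that case, spaces and dashes cannot dodge a match."""
    v = re.sub(r"[\s-]", "", value).upper()
    if kind == "pan" and not PAN_RE.fullmatch(v):
        raise ValueError(f"malformed PAN: {value!r}")
    return f"{kind}:{v}"


def pseudonym(kind, value):
    return hmac.new(REGISTRY_KEY, normalise(kind, value).encode(), hashlib.sha256).hexdigest()


class FraudRegistry:
    """Shared list keyed by pseudonymised identifier -> (reported_by, reason)."""

    def __init__(self):
        self._entries = {}

    def report(self, kind, value, reported_by, reason):
        self._entries[pseudonym(kind, value)] = (reported_by, reason)

    def lookup(self, kind, value):
        return self._entries.get(pseudonym(kind, value))


def screen_merchant(registry, merchant):
    """Return [(what matched, reported_by, reason)] for a merchant application.

    Checks the company, its settlement account and every director, so a new
    company fronted by the same people or the same bank account still hits.
    """
    checks = [("pan", merchant["pan"], "company PAN"),
              ("account", merchant["settlement_account"], "settlement account")]
    checks += [("pan", d["pan"], f"director {d['name']}") for d in merchant["directors"]]
    hits = []
    for kind, value, label in checks:
        found = registry.lookup(kind, value)
        if found:
            hits.append((label, found[0], found[1]))
    return hits


# Constructed scenario: PA-A flags "Quick Gains" after a money-doubling scheme;
# the same director later applies to PA-B under a fresh company name and PAN
# but keeps the settlement account.
def sample_registry():
    reg = FraudRegistry()
    reg.report("pan", "AAACQ1234G", "PA-A", "fake investment scheme")           # company
    reg.report("pan", "ABCPD5678K", "PA-A", "director of fraudulent merchant")  # director
    reg.report("account", "1234 5678 9012", "PA-A", "settlement account of fraudulent merchant")
    return reg


NEW_APPLICANT = {
    "name": "Sure Returns Pvt Ltd",
    "pan": "AAACS9999H",
    "settlement_account": "123456789012",
    "directors": [{"name": "Rakesh", "pan": "abcpd5678k"},   # same person, lower case on the form
                  {"name": "Priya", "pan": "AAAPP1111A"}],
}

CLEAN_APPLICANT = {
    "name": "Chai Point Corner",
    "pan": "AAACC2222B",
    "settlement_account": "999900001111",
    "directors": [{"name": "Meena", "pan": "AAAPM3333C"}],
}


def screen_sample():
    reg = sample_registry()
    return screen_merchant(reg, NEW_APPLICANT), screen_merchant(reg, CLEAN_APPLICANT)


if __name__ == "__main__":
    suspect, clean = screen_sample()
    for label, who, why in suspect:
        print(f"HIT on {label}: reported by {who} ({why})")
    print("clean applicant hits:", clean)
```

Keyed pseudonyms mean a leak of the registry itself does not expose raw PANs or account numbers, but every participant holds the same key, so the scheme does not protect against a malicious participant; that, plus who is allowed to add an entry and how a wrongly listed merchant gets delisted, is the governance the article says is the hard part.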

So let’s hope RBI will come up with some framework or guideline on this.

Closing Remarks:

If humans stopped being greedy then frauds wouldn’t happen, and we all know that is never going to happen. So a simple and practical solution is… knowledge — make users understand the payment system, how to safeguard themselves and what to do when conned. And this is not just the responsibility of RBI or banks or payment companies. We should teach our parents, uncles, aunties, cousins and friends how cards or UPI work — do not scare them but rather prepare them.

As RBI says — “Jaankar baniye, Satark rahiye” (Be aware, Be alert)


Trying to follow Richard Feynman’s words “do what you can, learn what you can, improve the solutions, and pass them on”.