77. Validations

Aditya Kulkarni
Published in Auth-n-Capture
May 6, 2023

Validation, or ‘double’ confirming, is something that comes to us naturally. Isn’t it?

Let’s say you have to transfer Rs.25,000 to a friend through UPI… do you do it in one go?

Most likely, you will transfer a small amount (Rs.1 or Rs.5) and then ask your friend to confirm. Post confirmation, you will transfer the rest. You will not stop there… you will take a screenshot of the transfer and WhatsApp it to your friend… and if you do not see the double blue tick mark, you will call and inform them.

I do that… many people that I know do that… Many people I know who are payment professionals do that… Because that is our nature… ‘double’ confirm!

Anyway… this article is not about our quirky behaviour but about the various validation features that you come across in the payments domain.

There are three possible stages where validation is done.

A. Customer Journey

  • We are all familiar with the OTP validations that we need to complete during registration or login to a merchant app
  • OTP validation is done in special cases as well (e.g., changing address, changing password)
  • Merchants in the financial sector validate the user’s PAN and address. A merchant can avail of PAN validation APIs or an Aadhaar validation suite (even Aadhaar validation is done using OTP).

Recent update: UIDAI and NPCI are planning to set-up an aggregator platform for eKYC.

Note:

  • Merchants use 3rd party service providers for OTP validations (except Aadhaar)
  • Android apps can auto-read the OTP if the SMS is sent in the Google-prescribed format [<# tony stark giving you OTP 1729>]

Curious: among many other things, India must be a leading country in the use of OTPs.

We are so used to OTP that we don’t even see who is sending it and simply enter it. Maybe fraudsters know this and exploit it.

Reduce ‘damn’ OTPs!

On a serious note:

  • You do not have to enter an OTP to receive money
  • Do check whether the SMS sender short code is genuine or not

Bonus Note: Do not share OTP with anyone (I will keep reiterating this one)

B. Collection — Use cases

Let’s start with standard cases:

  1. 2nd Factor Authentication (2FA) or Additional Factor Authentication (AFA) is mandatory for all transactions — UPI, cards, wallets. Even in net-banking, AFA is prompted as step-up authentication (this varies from bank to bank). Usually 2FA is done with OTP or PIN validation.

Exceptions: UPI Lite, recurring payment solutions, NFC tap at POS for amounts below Rs.5000 (every time, I find it funny when the shop owner asks whether my card has ‘Wi-Fi’ :))

  2. Third Party Validation (TPV)

Investments (mutual funds, stocks, bonds, etc.) work a bit differently.

One of the important rules is that customers should invest only from the bank account that was registered with the merchant during registration.

That means the payment method must have a built-in bank a/c validation capability.

Illustration: TPV flow on Net-banking

C. Disbursement — Use cases

Merchants from every sector have use cases for disbursements. These payouts can be to customers or vendors or employees.

Please refer to these articles (here and here) to know more about payouts.

Payouts to a bank account or to UPI (indirectly to a bank a/c) are quite normal.

  • IMPS, NEFT and RTGS are used for bank account transfers (even UPI can be used for bank transfers)
  • UPI transfer can be done using… <wait for it> UPI rails (ha ha.. )

But how do you make sure that you are doing ‘payout’ to the correct payment instrument (bank a/c or VPA) that belongs to the correct beneficiary?

Solution: bank account validation and UPI ID validation

  1. Bank A/C Validation:
  • Rs.1 is transferred to the bank account (account number + IFSC)
  • If the payout to the account is successful, the beneficiary name (as per bank records) is returned
  • The merchant has to check whether the user’s name (which it already has) matches the one it received from the penny drop API.

Name matching is not easy:

  • Banks save the name as per the KYC document, while on the merchant’s website the customer may have entered the name differently (e.g., the customer may not have given a middle name while the bank records have one, or the customer may have entered Aditya K while the bank has Aditya Kulkarni)
  • Banks may truncate the name (character limitation in APIs)
  • Banks may return Surname first and first name later
  • Banks may add prefixes (Shri, Mrs etc.)

The merchant can build fuzzy logic to match the name, but it still won’t be 100% accurate.

Penny drop is an expensive solution — the merchant has to pay the IMPS charges plus the penny amount.

Note: The penny drop amount can be greater than or equal to Rs.1. A merchant can do a variable penny drop (customer A receives Rs.1.25 whereas customer B receives Rs.1.20) and then ask customers to confirm the amount they received. Kind of a ‘double confirm penny drop validation’.

There are a few alternatives to the standard penny drop:

a. Ride UPI rails: construct a VPA from the user’s bank account number and IFSC. Format: <Account Number>@<IFSC Code>.ifsc.npci

Use this VPA to do UPI ID validation and get the beneficiary name… Hurray, you saved Rs.1

b. Reverse penny drop: the customer has to transfer Rs.1 to the merchant’s VPA / bank account number. Once the amount is credited, you get the customer’s VPA, a/c number, IFSC and name. Then refund that Rs.1.

Advantages over penny drop: (1) no need to collect the customer’s a/c number + IFSC to do a penny drop; (2) the merchant doesn’t have to spend Rs.1 (the penny drop amount); (3) the merchant gets the un-truncated name; (4) the VPA and a/c number are obtained in one go.

c. Fund transfer route: here the remitter and beneficiary bank are the same. Since it is just a ledger adjustment, the penny drop amount can be less than Rs.1 (only a handful of banks support it).

d. Name Enquiry API: an NPCI circular released the ‘name enquiry’ feature, wherein the remitter bank validates the beneficiary name on the basis of IFSC code + account number (for P2A) or MMID (for P2P). In this model there is no penny drop, and the feature is live with a couple of banks.

  2. UPI ID Validation

The UPI ID or VPA validation API is triggered using the customer’s UPI ID/VPA (this is the first leg of a ‘collect request’ UPI transaction)

  • The UPI ID / VPA is validated — whether it exists or not
  • The name associated with that VPA is returned
  • The merchant has to build logic to do the name matching
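The name-matching problem raised under bank a/c validation and again here comes down to normalising both strings and comparing name parts tolerantly. Below is an added example of such fuzzy logic (my code, not from this article or any bank or NPCI API); the honorific list and the sample name pairs are constructed assumptions.

```python
import re
import unicodedata

# Honorific prefixes a bank may prepend to the KYC name. This set is an
# assumption for the example, not an official or exhaustive list.
HONORIFICS = {"SHRI", "SRI", "SMT", "MR", "MRS", "MS", "MISS", "DR", "KUMARI", "KUM"}

def normalize(name: str) -> list[str]:
    """Upper-case, strip accents and punctuation, drop honorifics, return name parts."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Z ]", " ", ascii_name.upper()).split()
    return [t for t in tokens if t not in HONORIFICS]

def tokens_agree(a: str, b: str) -> bool:
    """Equal, or the shorter is an initial ('K' vs 'KULKARNI') or an
    API-truncated form ('KULKA' vs 'KULKARNI') of the longer."""
    short, long_ = sorted((a, b), key=len)
    return long_.startswith(short)

def match_verdict(merchant_name: str, bank_name: str) -> str:
    """MATCH: every part of the shorter name pairs with a distinct part of the
    longer one, order-insensitive, and at least two parts were compared.
    REVIEW: all compared parts agree but only one was available; a human or the
    customer's amount confirmation should decide. MISMATCH: a part has no counterpart."""
    m_tokens, b_tokens = normalize(merchant_name), normalize(bank_name)
    if not m_tokens or not b_tokens:
        return "MISMATCH"
    short, long_ = sorted((m_tokens, b_tokens), key=len)
    remaining = list(long_)
    for tok in short:
        hit = next((r for r in remaining if tokens_agree(tok, r)), None)
        if hit is None:
            return "MISMATCH"
        remaining.remove(hit)  # a bank name part may be consumed only once
    return "MATCH" if len(short) >= 2 else "REVIEW"

if __name__ == "__main__":
    # Constructed sample pairs: (name the customer typed, name the bank returned).
    samples = [
        ("Aditya K", "ADITYA KULKARNI"),                # initial vs full surname
        ("Aditya Kulkarni", "KULKARNI ADITYA"),         # surname first
        ("Aditya Kulkarni", "Shri Aditya R Kulkarni"),  # honorific + extra middle initial
        ("Aditya Kulkarni", "ADITYA KULKA"),            # truncated by the bank API
        ("Aditya", "ADITYA KULKARNI"),                  # too little to decide
        ("Aditya Kulkarni", "ADITI KULKARNI"),          # different person
    ]
    for merchant, bank in samples:
        print(f"{merchant!r:20} vs {bank!r:26} -> {match_verdict(merchant, bank)}")
```

The REVIEW verdict is where the variable penny drop described earlier earns its keep: when the name alone cannot decide, the customer's confirmation of the exact amount received supplies the second factor.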

The above solutions are not purpose-built solutions but product hacks… penny drop is nothing but a regular IMPS payout, and UPI ID validation is part of the UPI collect request flow.

Validations are the ‘norm’… done at various stages of the customer life cycle.

These validation solutions are simple but highly significant… they protect users and help merchants adhere to the guidelines of regulators.

That’s it for now!


Trying to follow Richard Feynman’s words “do what you can, learn what you can, improve the solutions, and pass them on”.