http://www.firstpost.com/business/digitisation-epayments-in-big-mess-with-no-regulation-in-place-customers-face-the-risk-of-scams-3420722.html

The Watal report is forgotten; and the government permits epayment scams

RN Bhaskar

Watal-committee-formation-orderOn 23 August, 2016, the government of India formally announced the formation of the Watal Committee (see pix).  On 1 September, the government issued instructions stating that the committee had been formed under the chairmanship of Ratan P. Watal, principal advisor, Niti Aayog, and former finance secretary.

The committee was urged to submit its report on the way forward to ensure digitisation and epayments were introduced smoothly and succe3ssfully in the country.  It was also requested to study other model for digitisation and epayments in other parts of the world, and suggest suitable legislation – both enactment of fresh legislation or modification of existing ones – for the implementation of digitisation and epayments in India.

Accordingly, on 9 December, the committee submitted its report — Medium Term Recommendations to strengthen Digital Payments Ecosystem. — to the government.  This was exactly a month after ‘demonetisation’ was introduced in India.  The urgency for introducing digital payments was stressed upon by the government. But, soon after the report was submitted, the government seemed struck with some kind of paralytic attack.  It just refused to move ahead with the commendations suggested by the Watal committee (excerpts of the recommendations may be downloaded from 2016-12_Watal-Committee-recommendations).

Watal-committee-report-2-pagesThe committee had suggested timelines – many of them were to be put in place by February 2017 (see the excerpted timelines by downloading it from 2016-12_Digital-payments-watal_report-timelines).  The entire Watal Committee report can be downloaded from http://finmin.nic.in/reports/watal_report271216.pdf ).

It would appear that there is an spoken of war within the government.  Nobody wants to speak of it.  But there are indications that the government itself does not know what to do about digital payments.

Take for example the manner in which the government quietly – without much discussion — quietly slipping through a legislation in mid-February which delegated the entire responsibility of epayments to the Ministry of Electronics and Information Technology (Meity) (http://www.asiaconverge.com/2017/02/epayments-the-rbithe-cabinet-secretary-and-the-govt/).  Since epayments is a banking function, shouldn’t it have been with the finance ministry? How can Meity regulate banks and financial intermediaries?

As a result, nobody knows who is responsible. The RBI? The Finance Ministry? Or Meity? Thus, no legislation for specifying the rules of business for regulating epayments has been introduced.  There is no regulator without which the process for dealing with potential fraud and mismanagement become more difficult. It is the perfect example of the government placing the cart before the horse.

As always, the person who loses money is the common citizen.  He uses the digital payments platform assuming that the government has thought through the system.  He assumes it is safe and secure and that the government will protect his interests.

Unfortunately, recent events have shown that the customer is not safe.  The digitisation process is headed for a big mess, or even a series of scams.

Take the first incident:

  1. Sometime in February 2017, Maharashtra Bank reported a loss of Rs.25 crore on account of flaws in the UPI (Unified Payments Interface). About 50-60 people in Aurangabad discovered this loophole. The fraud was reported first on 22 February, On 20 March, NPCI (National Payments Corporation of India) issued a statement saying that “… there is no vulnerability or loophole reported in Bharat Interface for Money (BHIM) application or UPI system. NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure.” By end of March 2016, the story hit media headlines (http://www.livemint.com/Industry/8HUcQEUGBn0CcPOD6cbfJP/Bank-of-Maharashtra-accounts-lost-Rs25-crore-due-to-UPI-bug.html). his came on the heels of another data breach in the Indian banking system involving 3.2 million debit cards. The breach in the systems of service provider Hitachi Payment Systems was detected when some banks raised an alarm over customers’ card being fraudulently used in China and the US, while these customers were in India.

In spite of this, the government continues to promote BHIM.  Once again, unknown to many, the creator of BHIM is And NPCI claims (http://www.moneylife.in/article/bhim-upi-npci-says-it-wonrsquot-be-responsible-for-loss-or-fraud-user-fully-takes-the-risk/50270.html) that any misuse of BHIM is the user’s responsibility.  NPCI refuses to take up the liability. This a departure from the practices adopted by Master and VISA. So, who should tell NPCI what to do?  After all, there is no regulator.

  1. The absence of a regulator gets highlighted once again when one recalls the manner in which ICICI refused to honour transactions put forth by PhonePE. ICICI did this because it said that PhonePE was not using the accepted protocols. This led to a spat between PhonePE and ICICI and dragged in NPCI too.  When NPCI asked PhonePE to follow the right protocols, the latter snapped back telling NPCI that it had no locus in the matter. The use of protocols is crucial.  They define the manner in which transactions should take place. They decide how reconciliation of debits and credit should also take place.  Absence of standardized protocols could mean customers losing money.  For instance, even today, there is a large mobile player which has debit amounts from customers without providing them transaction codes.  The customers have been running around trying to find out how to recover their money.

The rules of engagement between private players on the one hand (like PayTM, PayU, PhonePE, Rupay, VISA and Mastercard, among many others), and the banks where businesses and individuals park their money on the other, have not yet been clearly defined. This can lead to big scams and misuse of epayment gateways for private profit through thievery.

  1. Take another incident that these columns reported on just a couple of days ago (http://www.firstpost.com/business/shift-to-cashless-are-mumbai-municipalitys-finance-it-depts-hoodwinking-citizens-3411040.html). Organisations can still adopt practices which try and get the merchant discount rates (MDR) to be paid by customers rather than by merchants. Conventionally, MDR is to be paid by merchants only.

The violation of this rule took a queer form when Brihanmumbai Municipal Corporation (BMC) was the possible victim of some unscrupulous players in its finance department working in collusion with savvy IT professionals, in collusion with a payment gateway and a bank.  The modus operandi appears to be that when a customer pays his bill through a digital platform, he gets a receipt for the same amount as the bill, but the bank statement displays a different amount.  Since the additional amount is not there on the BMC receipt, this amount is not subject to the BMC auditor’s scrunity.  The payment gateway appears to be one which this author is unfamiliar with, even though the website stated that it was HDFC.  HDFC denies its involvement.  It appears that some IT professional used the name HFDFC, but wrote the underlying script to take the amount through another gateway.  The additional funds are parked with a third entity that has been be identified.  Both the BMC and HDFC are investigating this matter.  Since BMC has an annual budget of Rs.25,000 –Rs.30,000 crore, even a 1% skimming would amount to a scam of around Rs.300 crore annually. Multiply this several fold to take in account other municipalities and quasi government agencies, and the skimming could run into thousands of crore rupees.  So much for government supervision and assurances of security.

Then there is an unstated war between two camps over MDR itself.  The first wants status quo on the current MDR regime, where merchants are charged the fee, and not the customer.  MDR is itself negotiated between the merchant and the financial intermediary (Rupay, Mastercard or others).  The other group wants all financial transactions linked to Aadhar.  And since government itself is the biggest beneficiary, this group wants the government to pay the MDR to the financial intermediary. After all, they say,  Epayment is what helps the government identify tax defaulters. Moreover, the meta data generated can be used for planning future businesses and strategies. But there is another group which wants MDR to continue, allowing for a degree of market competition. They point to how the government itself allowed oim marketing companies to pay the MDR for petrol, diesel and CNG, instead of either the petrol pumps or customers.  The same principle could be extended across India for all services, they add.  The government hasn’t decided what to do.

And this is where one does not know why the government has been pushing digital payments without any regard to customers, the payment ecosystem, or even the economy itself.

The report’s first stage recommendations were to be implemented within two months – that is by February 2017.  We are already into April with nothing being done on this front.

So is the government actually promoting scams?

Has the government forgotten its commitment to good governance?  Does it want more customers to get defrauded?

There are so many questions, so many cries of helpless customers.  But there are few answers forthcoming.

COMMENTS

Comments can be posted to RNB@asiaconverge.com