Unified Payments Interface : A Platform with multi-layer protection

Introduction

Unified Payments Interface usually known as UPI is a payment system which provides an immediate real-time effect on transfer of an amount from one bank account to another. This system works on mobile platforms through various applications present in this regard. This idea was developed in pursuance of the target of the digital economy and the promotion of digital transactions. This platform was developed by NPCI (National Payments Corporation of India) and is controlled by the RBI (Reserve Bank of India) and IBA (Indian Bank Association). These platforms are not only user-friendly, well-designed and safe but also assist the government to keep records of the transactions and the moment of money.

The attention towards UPI currently has increased in the current crisis of COVID’19. Government has appealed people to use these online platforms for the purpose of monetary transactions. It is believed that this will reduce the risk of spread of the virus as currency notes go through many hands of people.

The recent plea against WhatsApp in regard to its extension of function in the digital market of India through UPI brings our attention towards the Mandatory and Regulatory Norms of UPI system. WhatsApp is trying to launch its payment service for the last four years. It has tried to launch its project with ICICI Bank, HDFC Bank and SBI. In 2018 WhatApp started to test its payment platform known as, ‘WhatsApp Pay’ on one million users in India after the approval of NPCI for the beta testing.

On the observation of WhatApp Legal information the section pertaining to payments can be witnessed. This section provides with all the intricate detail in regard to the payment policies of WhatsApp and clearly provides that it does not retain any “Customer Payment Sensitive Data (partial debit card number, expiry date, PIN, OTP, or BHIM UPI PIN)”. It further mentions that it will not have access to the UPI Pin as it is encrypted by NPCI through software known as Common Library. It articulates that the information pertaining to transactions are only collected. The major reason in regard to the collection is customer support and protection.

This brings us to the question of the rules, regulations and requirements for the purpose of registering oneself as a member of UPI.  Secondly, it also raises a curiosity in mind that why WhatsApp even after getting the approval of NPCI has not yet launched its application in these times of high demand.

Guidelines for Unified Payment Interface

In regard to the regulations there exist the Unified Payment Interface Guidelines by the NPCI. These guidelines are framed under the provisions of Payment and Settlement of System Act, 2007. These guidelines are binding in nature and hence every member of UPI has to abide them. There are three broad requirements given by these guidelines in order to become a member of UPI. First, the entity willing to provide mobile banking service will come under the regulation of RBI under the Banking Regulations Act 1949. Secondly, the member should abide by all certification requirements, procedural guidelines, risk & operating circulars and guidelines which is an issue by NPCI from time to time. Lastly, the bank should be live on Immediate Payment Service (IMPS).

The UPI ecosystem is intended for banks as only banks are allowed to interact with the UPI Switch. This though does not vitiate the possibility of non-banking organisations to carry transactions in this ecosystem. They have to fulfil one additional requirement and have to partner with any banking organisation which has enabled UPI. Once the bank enabled on UPI agrees the entity can build their PSP (Payment Service Provider) which is well known as third-party applications. The partnered banks are entirely liable for all the financial and operation liability of these applications.

There are many-fold conditions imposed on these PSP’s. These guidelines are majorly in regard to the security of information and hence create a boundary in which these PSP’s should work. It mandates these PSP’s central application should be in accordance with the RBI guidelines on Banking System. The customer data should be maintained by the bank’s data centre and merchant app should not have access to it. The payment regarding credentials, sensitive data should by no means reach these merchant apps and should only reside in bank’s UPI system. It imposes the responsibility on the bank for the proper functioning of the apps and to ensure that the application supports all versions of iOS and Android. These provisions also provide freedom to the customer for downloading any application as they wish. Customers can even have two applications in one device and no application should interfere in the functioning of the other while installing, running or any function done by the application. In the present scenario, the application is mandatory for iOS and Android but optional for windows.

The existing members can anytime be terminated or suspended from undertaking the functions by NPCI if the member fails to comply with any NPCI or UPI product, procedural guidelines or any provisions by NPCI or RBI. It can further be suspended if the RTGS account of the member with RBI is closed or suspended by the central bank. Furthermore, in the case where the member bank is amalgamated or merged with another member bank, the membership is terminated. Lastly, if the RBI suspends the approval of mobile application then also the merchants ceases to be a member. 

Whatsapp Pay Conundrum

In regard to WhatsApp, various petitions are filed against the functions, existence and launch of its trial version. One of the petitions was filed by the CASC (Centre for Accountability and Systemic Change). In the petition, the data localisation norm of the WhatsApp was questioned and was contended that it is inefficient to support the monetary and bank limits. In the data localisation norms, the international organisation which stores data around the world is expected to store it in the centres of the country. Although the major issue was in regard to the non-compliance of the data localisation norms yet the issue pertaining to the safety of transactional data was also raised. The Pegasus spyware incident added fuel to the fire and made government sceptical about the ability of WhatsApp to handle sensitive information regarding digital payments.

In the recent petition filed in the Supreme Court before a three-judge bench headed by Chief Justice of India S.A.Bobde various point were raised. First, the WhatsApp’s payment service is also embedded in the messaging application causing inconsistency with the UPI Scheme, as no separate application is provided by the messaging company. Second, it is urged in the petition to not provide any kind of relaxations to the WhatsApp is the compliance of Localisation Norms. Third, it is contended that WhatsApp has blatantly not complied with the directions and guidelines pertaining to the security of financial data of the users. Lastly, the risk in regard to a secure technological interface is raised by mentioning the security lapses by the messaging application in the past of the sensitive user data. The prayer by the petitioner, therefore, seeks suspension of the payment service operation by WhatsApp till the highlighted changes are made.

The court has still not restricted the government to process the applications filed by the WhatsApp and has directed to analyse the same in accordance with the law without any stay. The government has though asked replies to the contentions raised in this Public Interest Litigation(PIL). WhatsApp which was represented by Mr.Kabil Sibal itself has given assurance to the court that they will not undertake any function in regard to the payment scheme unless they fully comply with the all the regulation which are in force.

Conclusion

The proper analysis of the UPI system through regulations and the current controversy of WhatsApp brings us to the conclusion that India is taking big and positive steps in regard to digitalisation. These guidelines and procedures are well framed, exhaustive and yet reasonable in nature.  The multifarious surveillance system ensures overall protection and eliminates chances of error. The procedural guidelines are made keeping the mind the sensitivity it entails and all protective steps are taken in order to protect the customer. The imposition of liability on banks for any disparity brings confidence and trust among people to use these digital platforms. The recent case study of WhatsApp brings into light the stages a UPI payment platform has to undergo so to get a green signal of NPCI and RBI. The acceptance of these platforms can even be challenged in the court of law and hence make the judiciary the third layer of protection. These platforms are bringing our country close to the dream of Digital India endorsed by our Hon’ble Prime Minister.

_______________________________________________________________________

ABOUT THE AUTHOR

In Content Picture: Business Today