Recent times have seen an unprecedented surge in the number of digital payments being carried out across various channels. Not surprisingly, the pandemic has provided a further boost to this adoption. An increasing number of citizens, even those residing in non-metro cities and India’s rural and remote areas, have started shifting to cashless transactions via the use of channels such as the unified payments interface (UPI), the Aadhaar-enabled payments system, and internet banking.

As per recent estimates, the total value of transactions on the UPI platform doubled from Rs 2.1 trillion in January 2020 to Rs 4.3 trillion in January 2021. In fact, according to a report by KPMG, India is expected to witness a 78 per cent increase in digital payments in the coming months.

While a surge in digital transactions is a positive and is helping the industry grow, it is imperative to not lose sight of the challenges that come along with it. One of the biggest challenges and most important aspects when it comes to digital payments is security. With the growth in digital payments, there have been increasing incidents of digital payment-related fraud. Digital payment methods such as UPI and mobile wallets have become the latest targets of fraudsters.

Keeping in view the surge in security breach incidents in the digital payment space, the Reserve Bank of India (RBI) has come out with a host of measures and policy moves to ensure that the security of customers stays intact.

A look at the growing threat landscape in the digital payments space, and some of the policy measures taken and announced by the RBI in this respect…

Growing threat landscape

Of late, there have been a greater number of incidents of security breach in the digital payments space. According to a 2020 report by Cybersecurity Ventures, the monetary implications of cybercrimes in the digital payments space amounted to around $6 trillion at the end of the year. In fact, as per a recent Kaspersky report, there were several UPI-related frauds in 2020, and various banks issued advisories alerting their users about such fraud. The report highlighted that Indian industries have faced ransomware actors such as Maze, Cl0p, Nefilim and Netwalker. Various industries such as financial services, oil drilling services, pharmaceuticals, commodity and service providers, automotive suppliers, footwear manufacturers, professional and consumer services and manufacturing were targeted. Further, as various micro-, small- and medium-sized enterprises are now going digital following the Covid-19-induced lockdown, these companies will have to take necessary measures to protect their customers’ personal information.

Moreover, as per the report, cyber fraud incidents are likely to increase in 2021 as more users get connected to the internet and enter the digital payments ecosystem. According to Cybersecurity Ventures, the intensity of cyberattacks will increase from one every 40 seconds in 2016 to one every 11 seconds in 2021.

Measures taken by the RBI

Given the surge in cyber-fraud incidents in the digital payment space, the RBI has come out with a slew of measures to tackle the problem.

Self-regulatory organisation for digital payments sector

In 2020, the RBI proposed setting up a self-regulatory organisation (SRO) to improve security, customer protection and pricing in India’s digital payment network. According to the RBI, given the exponential growth the digital payments space is witnessing, it is imperative to create an SRO for the orderly operation of entities in this space. The SRO is supposed to act as a coordination and synchronisation body to manage synergies among all stakeholders and ensure compliance of payment gateways and aggregators with the new licence regime of the RBI. The Payments Council of India is reportedly in discussions with the Indian Banks’ Association for creating a joint venture to apply for an SRO licence. If the parties succeed, the digital payment industry may soon get a self-regulator.

Guidelines for making India’s digital payments ecosystem secure

The RBI recently published detailed guidelines for strengthening India’s digital payments ecosystem. With this, it aims to improve security, control and compliance among banks, gateways, wallets and other non-banking entities.

The new rules are directly applicable to scheduled commercial banks, small finance banks, payment banks and credit card-issuing non-banking financial companies. They also specify the criteria under which regulated entities can form partnerships and interact with third-party apps and ecosystem players. The guidelines contain specifications for a diverse set of application areas, including mandates for source code protection of third-party UPI apps, cybersecurity guidelines for safety against external attacks, guidelines for card payments and internet banking security protocols.

As per the guidelines, compatibility and interoperability need to be incorporated into risk assessment. While the rules require regulated entities (REs) to have their own trained resources for managing cyberrisks, the RBI is expected to soon release guidelines on engaging third-party operators for REs wishing to outsource such functions. REs would also be required to conduct source code checks, vulnerability testing and penetration testing every six months for payment systems. Third-party operators, thus, will not only be subject to rigorous periodic testing, they will also have to submit their source code to REs to ensure continuity in service. They will be subject to penal provisions in case of non-compliance.

Moreover, the new guidelines require REs to set up near-real-time reconciliation mechanisms providing 24-hour settlement, along with robust grievance redressal systems that can process requests faster. Besides, the rules outline methods for multifactor authentication and more secure internet banking services, requiring REs to follow the highest security standard protocols. As the intensity of phishing attacks using SMS, emails and tele-calling has increased, the rules call upon REs to focus on preventing such attacks. Moreover, since there have been situations in the past where users’ debit card and account information has been leaked, the rules require REs to secure such data.

According to the RBI, while the guidelines will be technology and platform agnostic, they will create an enhanced and enabling environment for customers to use digital payment products in a safer and more secure manner.

Renewed focus on customer engagement and security

Grievance redressal mechanism

The RBI has announced measures to strengthen grievance redressal mechanisms and security features for users of digital payment services in the country. These measures include a 24×7 customer helpline to address payment systems-related queries, setting up of an integrated ombudsman platform, and outsourcing norms for payment companies wishing to avail the services of third-party players for stricter monitoring. While the Integrated Ombudsman Scheme will be rolled out in June 2021, the proposed 24×7 customer helpline is expected to go live by September 2021.

Educating users on key security practices

As per the RBI, in spite of the various initiatives, incidents of fraud continue to bedevil digital users, often using the same modus operandi that users were cautioned about, such as luring them to disclose vital payment information, swapping SIM cards, and opening links received in messages and mails. In view of this, the RBI has said that it is essential for all payment systems operators and participants – banks and non-banks – to continue and reinforce efforts to spread awareness about digital safety.

To this end, the RBI has directed payment systems operators to educate their users on safe and secure use of digital payments by undertaking targeted multilingual campaigns by way of SMS and advertisements. In fact, the RBI has already been taking measures to improve awareness through its electronic banking awareness and training programmes and by organising campaigns on secure digital payment modes.

To promote safe digital transactions among the general public, the RBI reiterated that users should not share their debit, credit, or prepaid card details and passwords, PINs, one-time passwords, CVVs, and UPI PINs. In addition, the RBI cautioned the public against undertaking banking or other financial transactions through public, open or free Wi-Fi networks, and storing important banking data on mobiles, emails, or electronic wallets.

The way forward

Going forward, any meaningful growth in the digital payments space has to factor in the means to address the increasing cyberthreats. As such, there is a need for the government and digital payment players to work together in developing a robust digital payments ecosystem.

Further, there is a need to develop a complementary testing and certification ecosystem, wherein app developers can participate and carry out testing to ensure that the digital payment platforms follow specific standards. This requires the government to release cybersecurity guidelines for devices and apps. Industry analysts have pointed out that the government needs to move fast on the cybersecurity front, or else digital services will remain open to attacks.

In terms of technological innovations that can help quickly detect and reduce the incidents of cyberattacks in the digital payments space, tokenisation and AI in real-time fraud analytics are areas the industry can explore to build consumer trust in digital transactions.

By Diksha Sharma