Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

Under the Master Directions for PPIs (MD-PPI), three types of PPIs are recognized namely

a) Closed System PPIs
b) Semi-Closed System PPIs
c) Open System PPIs

Closed System PPIs are those PPIs  which are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI.

Semi-closed System PPIs  are those  PPIs  which are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks,

Open System PPIs are those PPIs  which are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).

PPIs may be “Reloadable” or “Non Reloadable”. Some PPIs may permit “Cross Border outward Transactions” and some may not. PPIs may also be issued  against inward remittance to the beneficiaries under Money Transfer Service Scheme of RBI. Some PPIs may be denominated in Foreign Exchange also.

PPIs may be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein.

PPIs may be issued under Co-Branding arrangements. If one of the Co Branding partners is a Bank and the other is a Non Bank, the Bank will be the PPI Issuer. If both are non Bank institutions, or both are Banks, then one of them shall be designated as the PPI issuer.

Paper based prepaid meal instruments shall be discontinued from December 31, 2017 and semi closed PPIs shall be issued for such purpose.

The Regulations

Most of the regulations in the Master Directions relate to Semi Closed PPIs.

According to the guidelines, PPIs upto a monthly usage limit of Rs 10000/- can be issued on the basis of self declaration of name and an ID along with OTP on a mobile. Essentially these are non_KYC compliant instruments.

Funds in these non KYC PPIs can be used only for purchase of goods and services and money cannot be transferred back either to Bank accounts or to other PPIs.

These PPIs need to be compulsorily converted into KYC type within 1 year. If KYC is not provided, no further credit would be allowed but the balance can be used.

If the PPI is closed at the request of the user, money can be transferred back to the own bank account of the PPI holder for which KYC would be required or “Back to Source”. (P.S: Not clear if KYC is not required for Back to Source transfer on closure).

The PPI issuers need to ensure that same category PPI is not issued against the same mobile number. (P.S: There is an ambiguity whether a second non KYC PPI can be issued against the same mobile number if the name and ID is different. Ideally this should not be allowed).

PPIs for transaction upto Rs 1 lakh are KYC compliant PPIs. Money can be transferred to own bank account or Back to source.

“Pre registered beneficiaries” can be allowed for these KYC PPIs and money can be transferred to them upto the limit of Rs 1 lakh per month.

Fund transfer limits in the case of non pre-registered beneficiaries is limited to Rs 10,000/- per month.

Open Systems

The “Open” systems are permitted only to be issued by Banks and with KYC. Here also there can be pre-registered beneficiaries and others and transfer to others is restricted to Rs 10000/- per month.

The only difference between the Pre-closed and open systems is that Funds transfer for Open PPIs shall also be permitted to other open system PPIs, debit cards and credit cards as per the limits such as Rs 10,000/- except to pre-registered beneficiaries.

Gift and MTS PPIs

Other than the above three main categories of PPIs, specific PPIs such as Gift Instruments (Maximum value Rs 10,000/- without cash-out or refund or reloading).

But KYC would be required on a risk based approach if multiple Gift cards are required to be issued to one person. (P.S: This is tricky and needs some policy guidelines to be formulated by the PPI issuer)

PPIs can also be issued for Mass Transit Systems which may be Semi Closed PPIs usable only for the transit systems and allied merchants. They are re loadable with a maximum outstanding or Rs 3000/- at any point of time.

Conversion of Existing PPIs

According to the directions, PPI issuers shall give an option to all PPI holders to convert the existing semi-closed and open system PPIs issued to them  into any type of the PPIs as indicated in the directions.

After carrying out the applicable due diligence for that type of PPI, this conversion shall be completed on or before December 31, 2017 . Where PPI holders have not exercised the option  the PPIs issued to them shall mandatorily be converted into minimum detail PPIs  on January 01, 2018 with all the applicable features.

Looking at the regulations above, except for mandatory KYC after 1 year for all Semi Closed PPIs there is no major change from the current system.

Fraud control is through limiting of the fund transfer limit to the non pre-registered beneficiaries to Rs 10,000/-. Restriction of transfer and withdrawal by cash is essential for controlling the Black Money and hence, there should be nothing much for the PCI to object on the KYC aspect.

The argument that frauds happen at the loading time at the Card end and not at the Wallet/PPI end is not tenable since both need to share the responsibility and liability since fraud is facilitated because the Wallets/PPIs have no KYC and it escapes detection of the end user of fraudulent transfer from a Card. We need to take all steps to prevent frauds and losses and it is unfair that all the liabilities are to be boarne only by the Card issuers.

In view of the “Zero Liability” aspect, Banks need to bear the cost of frauds and there is a need for the PPI issuers in the private sector to also take precautions by proper KYC so that the losses can be recovered and possibilities of fraudsters repeating their fraud with different PPI issuers and multiple non KYC PPIs is prevented.

It is necessary for RBI to insist that both the Banks and the PPI issuers obtain necessary Fraud insurance so that their risks are covered and customers are not put into difficulty.

(To Be continued)

Naavi

The Prepaid Instrument Eco System in India under the Payment and Settlements Act 2007 has licensed several “Payment System Operators” under the Act. The list of such operators is available here.

The list consists of

  1. Two Financial Market Infrastructure operators namely the Clearing Corporation of India Limited and the National Payments Corporation of India (NPCI),
  2. 5 Card payment networks including the Amex, Diners, VISA, Master, etc
  3. 9 inbound Cross border Money Transfer Systems including Western Union etc
  4. 6 ATM Networks
  5. 55 Prepaid Instruments
  6. 9 White Lablel ATM Operators
  7. One Instant Money Stransfer system of Empays Payment Systems
  8. Three Trade REceiviables Discounting Systems
  9. Eight Bharat Bill Payment Operating Units

The entities who have been “Payment Bank” licenses such as Airtel Payment Bank Ltd, India Post Payments Bank Ltd, Paytm Payments bank Ltd, and Fino Payments bank Ltd are other entities in the Digital payment domain.

Licensed Scheduled Banks are also in the digital payment system with their UPIs, Wallets, Virtual and Physical Prepaid Cards, Debit Cards, Credit Cards etc. (Refer article in livemint). It appears that out of the eleven provisional licenses issued for Payment Banks, others have not yet operationalized their licenses.

The October 11, 2017 master directions of RBI apply to the 55 Prepaid Instrument operators which includes Aircel, Amazon Pay, Mannapuram, Muthoot, Mobikwick, Oxigen,PhonePe, Jio money, Sodexo, m-Pesa,etc.

On March 9, 2017, the Ministry of Information Technology had issued certain draft guidelines constituting “Reasonable Security Practices” applicable to the e-PPI instrument issuers. It was called  “Information Technology (Security of Prepaid Payment instruments Rules 2017-Draft.

At that time, some of the operators had raised objection on the rules and its requirement to interact with CERT IN to report security breaches etc.

Unfortunately, the Ministry succumbed to the industry lobby and there was no follow up on the draft guideline which was well within the powers of the Ministry.

The e-PPI operators are “Intermediaries” under ITA 2008 and they always had the obligation for “Reasonable Security Practice” whether they were defined by a rule or not.

Hence there was no reason for the Ministry to buckle under pressure except for the reason that the responsibility to issue the guideline could be delegated to RBI.

Now the Master Direction of RBI of October 11, 2017 is a follow up of this and represent among others the “Reasonable Security Practice” to be followed by these e-PPI operators.

The objection raised by the PCI is therefore yet another attempt to influence the policies in their favour. Hopefully RBI is made of tougher material and commitment to the security of the financial system rather than the Ministry of Information Technology and we can hope that it withstands the pressures from the industry.

We need to however watch the developments to see if the industry lobby is able to get any dilutions that may adversely affect the Consumer interests.

We have noted that in the past, the industry is only interested in “Exploitation” of the citizens and technologists are unmindful of the fraud possibilities in the new Digital payment eco system.

The Government appears to be only interested in only raising the “Revenue” by taxing the public for the digital transactions and levying “Cess” for security and is not genuinely concerned about the security of the public. We have seen this in the Bitcoin scenario where the Finance Ministry has been sympathetic to the criminal elements endorsing Bitcoin legalization rather than taking a quick decision to ban it. It is therefore not surprising that the MeiTy quietly withdrew the security rule notification.

It is only RBI which from time to time shows a commitment to securing the financial eco system though they are often over powered by the Banking industry lobby such as IBA.

Hopefully the PCI is not as powerful as IBA and hence it may not be easy to make RBI change its stance on the Master directions. But in the past we have observed that RBI has without diluting its stringent guidelines, turned a blind eye to contraventions and be good to the industry while also appearing to take care of the public interest.

I hope in this instance RBI will remain firm and impose the security directions in the interest of the public.

(More about the security requirements under the directions would be discussed in the continuation article)

Naavi

 


On 11th October 2017, RBI came out with a comprehensive “Master Direction” applicable to all Prepaid Payment Instrument Issuers, System Providers and System participants. This was mainly a consolidation of all earlier guidelines. However, it appears that some of the participants have already felt the need to approach RBI for diluting the norms.

See Article in Economic Times

The Payment Council of India, (PCI) an industry organization has represented that “Some of the new norms could severely cripple the industry and make the wallet business unviable,”

It is reported that among the major points of concern, according to industry members, are the demand for a mandatory full KYC or know your-customer certification, phased introduction of interoperability and restriction of peer-to-peer fund transfer in semi-KYC wallets.

The objection has been raised on the point “Another major hurdle for payment companies is prohibition of inter-wallet transactions, along with transfer of funds from bank account to wallet from semi-KYC accounts, which the companies believe will destroy the relevance of mobile wallets.”

According to the spokesperson, “The scope of fraud is more in moving money through debit or credit cards into wallets and then siphoning it off to other bank accounts. P2P fund movement is not risky that way. We had made multiple representations to the RBI on this,”

They feel that “doing a full-KYC to open a digital wallet every time will be a major hindrance for smooth business”.

The PCI representatives are likely to meet RBI officials and lobby for dilution of the norms.

In the light of the above, we need to take a comprehensive analysis of the objections raised by PCI vis-a-vis the guidelines and the risks faced by the public and whether there is actually scope for further hardening of the security measures.

We shall analyze the Master directions and the objections raised in the articles to follow.

Naavi