NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

The recent Bank of Maharashtra UPI Fraud, in which Rs 25 crores were siphoned off from the Bank through UPI payment requests that were honoured by the system though there were no funds in the accounts, as well as the report that a security firm has indicated that at least 7 UPI apps of different Banks are infected with malware, has raised the question yet again of the irresponsible manner in which RBI has been conducting itself in pushing insecure digital payment systems down the throats of unsuspecting citizens.

The Government of India is knowingly or unknowingly incentivising digital payment usage for its own reasons, without ensuring the safety of the citizens. Naavi.org has time and again been warning the Government and Mr Modi that without a security blanket of Cyber Insurance for all, the digital payment initiative is a boon for fraudsters and ultimately the price will be paid by the ordinary citizens of the country.

The Bank of Maharashtra fraud created a loss for the Bank only and not its customers, since the payments were made without balance in the account. If the Bank had Cyber Insurance for itself, it should have been covered. This is like the Bank of Muscat fraud in which over Rs 245 crores were siphoned off by international fraudsters from accounts without balances. However, this indicates the surfacing of the inefficiency in our Banking system when Banks are pushed too fast into the digital process.

Government and RBI should appreciate that transformation has to be managed properly and even a good medicine works only when given in proper doses.

The key to the current digital payment system is the organization called NPCI. NPCI today operates the technology platform through which all UPI payments pass. It has also taken over the systems which were earlier being managed by IDRBT. It is today the hot bed of digital payment risks in India and there is a need to question if it is adequately equipped to shoulder its responsibilities.

Firstly, NPCI is not constituted to be an “Independent Organization” free from the operation of vested interests in the Banking circles. IBA and 10 prominent Banks are the promoters of NPCI and this is the biggest flaw in the structuring of NPCI. IBA is a body of commercial Banks and the Banks are profit oriented commercial organizations. They have completely lost their vision of public service with which they were started. Hence NPCI also has complete conflict of interest. RBI on its own cannot manage this conflict as it is completely dominated by the IBA when it comes to critical decision making.

Hence the management of NPCI and its decisions are always expected to protect the interests of the commercial Banks and are not meant to fulfill the objectives of Secure Banking regulation in India, which is the RBI’s role.

I welcome RBI to challenge this statement and prove that I am wrong.

In the Bank of Maharashtra case, NPCI has washed its hands of the matter, stating that it was the responsibility of the Bank to reconcile its NPCI transactions with the Core Banking ledgers and that it had failed to do so. However, technically, when the Core Banking system sent two messages, “Success” and “Error”, where “Success” meant “the transaction reached the Core Banking server and was processed” and “Error” meant “the transaction is rejected because there is no balance in the account”, and the UPI system failed to recognize this distinction so that NPCI servers accepted the first message as if the “transaction was successful”, the problem lies squarely with NPCI.

If the fraud is adjudged fairly, the legal liability for the fraud should lie more with NPCI rather than Bank of Maharashtra.

RBI and probably NPCI adopt the same principle in managing ATM transactions. In the case of all transactions with cloned cards, the NPCI-managed systems only indicate to the Banks “Transaction Successful”, and this is claimed by the Banks to mean that only the genuine card was used in the transaction. Most of the Card frauds are disposed of by the RBI’s Banking Ombudsmen only on the basis of a piece of paper doled out by the NPCI system that “Transaction was successful”.

In the same way, NPCI has now responded to the statement from the Core Banking system on the fraudulent “Pull Request” sent through the Bank of Maharashtra UPI. NPCI fails to recognize that “Transaction Successful” only means that technically the handshake was established between the two systems and the session was successfully established. If this was followed by the next message that “There is no balance in the account and hence the transaction is rejected”, NPCI cannot say “I have already closed the session and lost the second message”. The systems were perhaps wrongly configured and the session was prematurely closed without a “session close” message from the Core Banking system.

My views here are not based on any direct interaction with NPCI and may therefore be incorrect. But the probability of this view being correct is high and I welcome any technical explanation from NPCI as to why it interpreted the Core Banking message wrongly.

Further, it was as much the responsibility of NPCI to test the system of UPI integration as that of Bank of Maharashtra and such integration had to be tested not only for the technical aspects but also “Techno Legal Aspects”. NPCI has failed to make its systems techno legally robust.
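The message-handling failure the post describes (a transport-level “Success” taken as a financial approval, with the later “Error” lost because the session was already closed) and the switch-versus-ledger reconciliation NPCI says the Bank should have done can both be modelled in a few lines. The following Python is an added illustration, not code from NPCI, the Bank, TCS or the post; the message kinds, the ledger shapes and the sample exchange are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the CBS -> UPI-switch exchange described in the post:
# "ACK" = request reached the Core Banking server (transport level only),
# "APPROVED"/"DECLINED" = the financial outcome that follows it.
@dataclass
class CbsMessage:
    txn_id: str
    kind: str      # "ACK", "APPROVED" or "DECLINED" (assumed names)
    detail: str = ""

# Constructed sample: T1 is acknowledged, then declined for no balance;
# T2 is acknowledged and approved.
SAMPLE_EXCHANGE = [
    CbsMessage("T1", "ACK", "reached CBS"),
    CbsMessage("T1", "DECLINED", "insufficient balance"),
    CbsMessage("T2", "ACK", "reached CBS"),
    CbsMessage("T2", "APPROVED"),
]

def settle_on_first_message(txn_id, messages):
    """Failure mode from the post: the first non-negative message is taken as
    success and the session is closed, so the DECLINED after the ACK is lost."""
    for m in messages:
        if m.txn_id == txn_id:
            return "SUCCESS" if m.kind != "DECLINED" else "FAILED"
    return "UNKNOWN"

def settle_on_terminal_message(txn_id, messages):
    """Hardened form: ACK is not a financial result. Pay only on exactly one
    APPROVED; DECLINED, missing or conflicting outcomes fail closed."""
    outcomes = [m.kind for m in messages
                if m.txn_id == txn_id and m.kind in ("APPROVED", "DECLINED")]
    return "SUCCESS" if outcomes == ["APPROVED"] else "FAILED"

def reconcile(switch_ledger, cbs_debits):
    """Switch-vs-CBS check: every SUCCESS on the switch needs a matching CBS
    debit. Returns ids paid out by the switch that the core ledger never debited."""
    return sorted(t for t, status in switch_ledger.items()
                  if status == "SUCCESS" and t not in cbs_debits)

def run_demo(messages=SAMPLE_EXCHANGE):
    """Settle both sample transactions under each policy, then reconcile the
    buggy switch ledger against the CBS debits (only T2 was really debited)."""
    buggy = {t: settle_on_first_message(t, messages) for t in ("T1", "T2")}
    safe = {t: settle_on_terminal_message(t, messages) for t in ("T1", "T2")}
    cbs_debits = {m.txn_id for m in messages if m.kind == "APPROVED"}
    return {"buggy": buggy, "safe": safe,
            "unbacked_payouts": reconcile(buggy, cbs_debits)}
```

Calling `run_demo()` shows the first-message policy paying out T1 and the reconciliation flagging it as an unbacked payout, while the terminal-message policy pays only T2.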

It is this same negligence which allowed the malware in the HITACHI ATMs, resulting in 32 lakh SBI Debit cards being withdrawn and millions more compromised, by allowing the malware to worm its way from the ATM to NPCI servers, sit there and send out information to fraudsters without NPCI detecting the presence of the trojan in its systems.

Now that 7 more Bank UPI apps are said to have been infected with malware, NPCI has a duty to publicize the names of the Banks so that customers can take a decision to un-install these apps. By withholding the names of the compromised Apps, NPCI is abetting the fraudsters and further endangering the customers. It also violates the RBI regulation that a breach has to be notified by Banks and the CERT-In notification that NPCI needs to report it to CERT-In.

In the light of these developments, the AEPS (Aadhaar Enabled Payment System), which is likely to be introduced despite the recent revelations that a “Biometric store and replay attack” is very much possible (refer to the incident where Axis Bank and E Mudhra were charged, or where Jio SIM cards were fraudulently issued), will increase the fraud risks in digital payment systems. NPCI, RBI and the Government of India will be responsible for any scams that may be perpetrated in this domain in which the public may lose money.

I have warned time and again that Mr Modi’s Government may have to pay a price for not instituting a “Mandatory Cyber Insurance” that covers the public for all such digital payment frauds. I hope they listen to this friendly advice or face the risk of a huge reputation loss in the next elections.

PayTM has shown the way by providing cyber insurance cover for its customers and this should be mandatory for all Banks (RBI stated as much in its Internet Banking Guidelines issued in June 2001, but this was promptly rejected by most Banks on cost considerations).

NPCI cannot absolve itself of its responsibilities for the digital payment frauds since it is an intermediary in all the transactions. It can have its indemnity with the Banks but litigation where NPCI is a party as “Accused” for “Facilitating the fraud by negligence” cannot be avoided.

Last but not the least... Dear Mr Urjit Patel, what happened to the “Limited Liability Circular” of August 11, 2016? ... Is your team still looking into public comments? ... Or is RBI lying in the RTI application, unable to say “Sorry, our Bankers are not willing to accept the terms of the circular and hence we will keep quiet until everybody forgets the issue”?

Naavi

Related Articles

Mobile apps of 7 Indian banks infected with malware, says study

Bug in UPI app costs Bank of Maharashtra Rs 25 cr in one of India’s biggest financial frauds

Bank of Maharashtra’s UPI app bug: Old world fraud using new age toys

Bank of Maharashtra accounts lost Rs25 crore due to UPI bug, says NPCI

Bank of Maharashtra reports another UPI breach; bank loses Rs 1.42 crore: report

NPCI and iSpirt say glitches in a bank’s UPI app caused fraudulent transactions

Bank of Maharashtra fraud: Accused committed similar crime earlier in Pune, say cops

[P.S: NPCI has, in a personal clarification from one of its top management persons, reiterated that the fault in the case of the Bank of Maharashtra fraud does not lie with NPCI. This implies that either the Core Banking software of Bank of Maharashtra is to blame or the configuration of the Core Banking software was faulty. The Core Banking software of Bank of Maharashtra has been implemented by TCS, which can clarify. Further details of how the communication between the Core Banking system and the UPI system could have led to erroneous results are awaited and will be published when received. As regards the report about 7 UPI apps being infected with malware, NPCI has stated that the report itself is faulty... Naavi]

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

This entry was posted in Cyber Law.

1 Response to NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

  1. MARKANDAN PURUSHOTHAMAN says:

    Sir,
    I read your article.

    I am an advocate practicing before the Madras High Court. I am handling a case where my clients are a leading Metro Train contractor. As their principals, a foreign company, defaulted, they too defaulted in servicing their account. As such their collateral and their account were declared NPA.

    They approached some other financial institutions for refinancing. Their outstanding was only 16 Crores.
    But some financial institutions alerted them that actually the CIBIL report was that they had availed facilities to the tune of 32 Crores, that is, two of 16 Crores. When they got the CIBIL report they were shocked that two credit facilities with almost identical account numbers were reported. One defaulted actual account was in 15 digit format. The other fictitious account had 17 digits. But the starting branch code and the last six digits of the account number are the same.

    We have sought a CBI inquiry to ascertain what the problem is.
    Both the bank as well as CIBIL are blaming each other. The bank says the problem was because of conversion from 17 digits to 15. But the bank had converted to the 15 digit format in 2010 itself.
    And moreover both the accounts are shown to have been sanctioned only in Feb, 2013.

    I would be very thankful to you if you could shed some light upon the reporting system between banks and CIBIL,
    as well as whether there can be two parallel reportings for digits.

    Thank you.
    they approached had defaulted and were declared as NPA.
