Naavi.org

I welcome the move of the Government to celebrate November 8, 2017 as “Anti Black Money Day”.

While politically, this is a reply to the opposition who wants to oppose the demonetization, I want Modi Government and Mr Arun Jaitely not to simply stop at counter rhetorics for the sake of TV media but to take the “Anit Black Money Drive” further.

Presently, if one goes through the various articles on this site, it is clear that I am blaming the Government and particularly the ministry under Mr Arun Jaitely that they have failed to take action against Bitcoins which in my opinion is required for curbing the growth of “Digital Black Money”.

I continue to hold this opinion until the Government takes the firm step of banning Bitcoin and all other private Crypto Currencies. I also continue to speculate that there could be vested interests in the Government who are not interested in eliminating Bitcoins because they themselves may hold Bitcoins.

Though this may displease MR Arun Jaitely as well as others around him and it is not fair to tar the entire ministry officials with the accusation of vested interest, as an observer from outside, there is no other conclusion that we can draw when we see that the Finance Ministry dithering in taking its decision.

If there are some “Good Bureaucrats” who feel offended by my repeated accusations, I request them to pardon me but at the same time come out into the open and state whether they want Bitcoin to be banned or not and why a decision on this is being delayed by other “Bad Bureaucrats”. If Good people remain silent, it means that they are passively assisting bad people. This is the time for people to take a stand on Bitcoin and either come in support of it or oppose it whole heartedly.

We have seen that when the Government released a policy for the public opinion through MyGov.in with a query “Should Bitcoin be banned, regulated or continue to be observed ?”, the query itself was unwise. Regulation and Banning were same and “Continue to Observe” was an absurd decision to seek public opinion on. This was perhaps first time that a Government was seeking public opinion for not doing anything on an important issue and allowing speculation to thrive.

Then the MCX which was part of the Government controlled regulator tried to meddle with the public opinion and officially intervened with its opinion on the My Gov platform until it was withdrawn after being challenged by the undersigned.

But the Ministry did not respond to the objection raised even with an acknowledgement.

Subsequently, the Finance Ministry stated that they have formed a committee to look into the public opinion expressed on the My Gov query without naming the members of the committee and later stated that a Committee of RBI will take the decision.

So far no decision has come forth and effectively, the absurdity of Government “continuing to observe” continues. This is the classic method of “Taking No decision is also a decision”. It works some times but in the current case it has only aided and abetted speculation in Bitcoin and there is no way independent observers like us cannot think that this is a deliberate move so that vested interests close to the decision makers or the decision makers themselves are benefiting by promoting the speculation.

This however has not prevented from “Leaks” coming from the Finance Ministry officials some times stating that Bitcoins will be regulated, some times stating that Bitcoins will be banned and some times stating that Government will introduce its own Cryptocoin etc.

All these things only add up to a “game” being played by vested interests. Some time back there was a private query on me why I say that “A game is being played”. I suppose the flipflops above are a clear reason why I think that somebody is playing a game.

Now therefore, when the Government says that it will observe November 8 as an Anti Black Money Day”, while we welcome the move, we also express our doubt if this is just a political counter narration and nothing else.

If the Government is serious,….Mr Arun Jaitely…kindly clarify if you are personally committed and serious on this issue…… why the Government cannot appreciate that the “Bitcoin” is a repository of “Black Money”. It is a representation of “Digital Black Money” and now it is present in the form of multiple Crypto Coins.

The operators of this Digital Black money are so confident that the Government of India would rule in their favour that they are willing to release advertisements in news papers for recruiting CEO for new Bitcoin business units and promote Bitcoin as an investment for Diwali instead of Gold.

It is a shame that the Government does not act to curb such attempts.

This is like keeping quiet when some body advertises :

“Here is a great opportunity to convert all your Black Money to an internationally accepted benami property Convert your Bank deposits to Bitcoins…today”

or inviting professionals with an advertisement

“Apply if you want to be  a CEO for Digital Black Money India Limited”. 

Mr Jaitely in an intelligent lawyer and also a Finance specialist. I therefore donot think that he does not understand the implication of Bitcoin promotion and its legalization on our economy.

Hence I take it that if Bitcoin is not being banned now, it is because Mr Jaitely does not want it to be banned.

It is now time for Mr Jaitely to prove me wrong. The occassion is November 8, 2017. The means is to announce “Demonetization of Private Crypto Currencies”.

If Mr Jaitely does not want to do it, then the ball is in the Court of Mr Modi once again. But it can even be done by Mr Urjit Patel on behalf of RBI.

Will any of these three people have the guts to act in the interest of eliminating Black Money in Digital Form?

I will watch for 8.00 pm on November 8 to hear …”Bhaiyon or Beheno” in Modi style or “Brothers and Sisters” in Swami Vivekananda style….that India has taken a tryst with destiny to eliminate Black Money not only in Physical currency form but also in Crypto Currency form.

If the Government does not know the modalities for implementation of a Crypto Currency ban, then free consultancy would be made available to the Government on what can be done.

Will Mr Arun Jaitely, the Honourable Minister of Finance respond?

Naavi

We have seen that frequently PIL lawyers approach Courts including the honourable Supreme Court on matters pertaining to changes required in Cyber Law. Supreme Court is highly responsive when there is a petition against the Government and celebrity advocates take up the case. When the matter is however of “Common Man’s Interest”, the Courts some time are unable to appreciate the importance and comes down heavily on the litigant with heavy fines. Hence many public spirited advocates hesitate to take up the real issues of interest to the public while unimportant issues hog the time of the Supreme Court.

I however request the PIL lawyers to consider the following reference to the Supreme Court and also urge the Supreme Court to consider hearing this petition in the general interest of the public.

The Problem

We are all aware that Cyber Crimes are on the increase and need to be addressed through all means including efficient use of the existing laws, modification of laws, improving the knowledge and skill of law enforcement, improving the public awareness, hardening the security in the IT ecosystem etc.

In the myriad number of ways that we can bring about improvement, I have just one immediate concern to be addressed in which the Ministry of Information Technology can administratively intervene through notification and the Judiciary can intervene by clearing the ground for challenges which are bound to arise.

In every Crime under IPC or ITA 2000/8 involving communication through E-Mail or Website, Facebook, Twitter or Mobile based messaging systems including WhatsApp, Sarahah, the critical component of investigation and subsequent prosecution is the identification of the “Source” from which the offending message emanated. In simple terms it could be the “IP Address” of the device from which the crime was committed.

Presently the Government of India is trying to add Aadhaar identification to Mobiles at least in India and therefore identification of mobiles should in future not be an issue though criminals may switch to use of SIM cards from Pakistan or Bangladesh or use the web for voice communication and continue  to hide their identity in committing crimes.

Since Internet Protocol requires an IP address to be allocated by some ISP some where for the communication, if the User of an IP address can be traced, quickly and accurately, part of the Cyber Crime investigation problem would be under control.

Technologists would immediately jump up and say that IP address can be hidden under proxy servers, there are many free anonymizers, and Tor browsers and a “Deep Web” where anonymization is the rule and hence it is impractical to rely on the IP address. They also point out that the use of IP address sharing technology in dynamic IP addressing systems including the Carrier Grade NAT (CGN) used by ISPs could cause errors in identification of IP address.

It is admitted that IP addresses in many cases become untraceable within the country and need the assistance of international law enforcement agencies, Mutual Assistance Treaties etc and even when resolved, there could be errors.

However, even to decide that a suspect is not traceable, we need to complete the process of IP address resolution and record that the person (or the device) who has been identified as the owner of the suspect IP address has a good alibi and hence a criminal case may not sustain.

However, even when the Criminal Investigation fails to make progress, Cyber Crime victims may pursue the Civil remedies available to them. Most of the Civil remedies donot depend on the apprehension of the suspect. It only requires a confirmation of the law enforcement that an “Offence Has Occurred” and a “Wrongful loss has been caused to a person”. The Intermediaries involved in the transaction become “Liable by Proxy” and the Victim is entitled to recovery of his losses even while the criminal investigation may continue to find out the real criminal.

Section 79 and Section 85 of ITA 2000/8 (P.S: IPC may be  vague on Vicarious liability of officials of a Company as this Supreme Court judgement may indicate) lay down clear principle that in offences falling under ITA 2000/8 the intermediary shall be guilty unless he proves “Due Diligence”. Even under IPC there could be many instances when the Company/Organization continues to be liable for the offences committed by the Company though the officers in charge may be exempt from the vicarious liability as per the Supreme Court judgement.

Hence Cyber Crime victims are interested in registering of a Cyber Crime and a report from the law enforcement that an IP address was either traced to the satisfaction or failed. They may prefer to continue their civil remedies and not be bothered if the criminal was arrested and prosecuted or not.

The intermediaries however need to cover themselves with suitable Cyber Insurance so that they absorb the loss as part of their operational risk.

I therefore consider that IP address Resolution is an important first step to every investigation and all hurdles to successful IP address resolution needs to be removed.

Solution

It is in this aspect that I urge both administrative action by the MeiTy and Judicial empowerment through a proper direction from the Supreme Court.

The biggest problem I see in the resolution of IP address is that the current system adopted by ISPs need to change. Currently they are all focussed on “Hiding the Originating IP address” of a web transaction and replacing them with a “Proxy Address”. In the case of CGN, the reason could be a more efficient use of available public IP addresses. But in many other cases, the reason is a false understanding that the “Privacy” of the service user requires that his IP address should be hidden from the communication.

As a result of this, e-mail providers like Google routinely replace the original IP address in the headers by their own proxy IP address. When therefore the IP address is to be resolved, the Cyber Crime victim needs to file a Police Complaint and the Police has to issue a proper CrPc notice to the representative of Google and then wait for them to respond.

Currently, this process of getting a response from Google or other international ISPs is highly inefficient and time consuming. Often the Police cannot get the information within the Golden hour and the criminals will easily escape.

If instead of Google if the service provider is a “Protonmail” then Police may find it even more challenging to get any cooperation from the e-mail provider.

Once the IP address is resolved to an Indian ISP, Police may be able to approach the local ISP and get the last mile resolution quicker but even this may take 24 hours unless some intervening holidays extend it even further.

The Requirement

We therefore require that the MeiTy issue an immediate notification under Section 79 (on the lines of the removal of offending content when brought to their knowledge) that when a request is made by any member of the public to the grievance redressal officer of the ISP (mandatory under ITA 2000/8), the ISP shall within two hours provide the resolution of the IP address to the next available level. The only condition to be attached to this request should be

a) Identification of the person requesting the information if necessary with his Aadhaar ID/other Government approved IDs

b) Declaration that the information is requested in good faith and belief that a “Contravention of an Indian Law” has occurred and the information is required for pursuing the legal remedies available under the laws of the land to the person seeking the information or to the person whom he is representing.

This notification can be issued either under Section 79 or under Section 69B or under both.

Alternatively, the Intermediaries such as “E Mail Providers” and “Domain Name Registrars providing WhoIs information” should be directed as part of the “Due Diligence” under Section 79 that “Originating IP Address” should be added to all header information and client registration information so that affected persons can take it up with the ISPs for final resolution. This would not amount to revealing the identity of the person since still one more layer of obfuscation is present in the form of the dynamic IP address allocated by the local ISP.

The ISPs using CGN and anonymizers should be mandated to maintain records of the original client identity mapped to the allocated dynamic IP address and make it available on request.

If such a notification is issued, it is likely that some Privacy enthusiasts may approach the Supreme Court asking for striking down the notification as “Unconstitutional” because it affects the “Privacy Right” of the suspected criminal and his “Guaranteed Human Rights”.

I also consider that it is the fundamental right of a recipient of an e-mail to know the originating IP address of the sender. Since the email body contains the declared name of the sender, there is no reason for the sender to have any objection to revealing of his originating IP address unless he has “Some thing to hide”. If he has “some thing to hide”, it is technically an “Attempt to impersonate” and an offence in itself.

I therefore request the Courts either at the High Court or Supreme Court level not to interfere if such a notification is made by the Government.

However, if the Government is not bold enough to take a stand and is not willing to issue, I would like the Supreme Court itself to issue such a direction in the interest of Cyber Crime mitigation in the Country.

This issue can be taken up by the Supreme Court Suomoto without waiting for any PIL.

However, I also request PIL advocates to take up this issue with the Supreme Court and try to obtain a direction to the Government.

I am sure that the usual celebrity PIL lawyers who fight for Kashmiri terrorists and Naxalites will not take up such cases because these issues  are not considered as fight for “Human Rights”.

It is therefore left to the genuine public spirited lawyers who have the cause of Cyber Crime victims in India in their hearts to take up the challenge and seek the intervention of the Court.

Are you one such lawyer?… Then go ahead and move the Supreme Court…. today…

Naavi

It was brought to my attention yesterday that an IT professional in Bangalore had ordered a Mac Air Book online and made payments to two individuals having accounts in SBI Aizwal and SBI , IIT Powai branches.

It appears from the records available that at least one of the two accounts used for the fraud has been repeatedly used for such crimes over a period extending at least 4 months. It means that the Bank has been nursing this fraudster’s account as a “Partner in Fraud”.

One of the account also has a PAN card number associated with the account which in the investigation has to be found out whether it is genuine or fake.

The victim has been advised to file a complaint of cheating with the jurisdictional police station and not as a Cyber Crime.

I hope the Police would register the complaint against the Bank and proceed to prevent further frauds occurring through the same accounts.

Despite the collection of PAN number, the accounts being used for commission of fraud and transfer of proceeds abroad represent a “Money Laundering” crime and I hope the Police will follow it to the logical conclusion and provide relief to the Victim.

I am posting this here to warn others not to rely on advertisements appearing in Facebook or Twitter where goods are being offered for sale as a direct import at a price lower than what the Flipkart or Amazon offers on their platforms.

In this case, it appears that the fraudsters had issued some advertisements in the name of a non existent foreign firm offering sale of Mac Air Book and collected money in India. It is not sure now if the money actually went abroad or was used by the fraudsters in India itself. Since they are the account holders of SBI, the Bank would also be liable as a conspirator in the crime.

If the KYC on the account is faulty, I expect the RBI to take notice and impose a heavy penalty on the Bank.

I have earlier recommended that such KYC fines should be used to provide compensation to the fraud victims. I urge that RBI should consider that proposal as a “Fraud Guarantee Scheme”.

Naavi

As India is taking more and more digital initiatives in E Commerce, E Banking and now the Digital Payment mechanisms, there is an increasing fear that Cyber Crimes will continue to grow. In the recent times, Cyber Crimes are also being used as a tool of Terrorism and Wars and unless we are efficient in managing Cyber Crime, it would be difficult to tackle the menace of Cyber Terrorism and Cyber Wars.

Naavi.org has been frequently raising the issue of a need to improve our Cyber Policing system to ensure that Cyber Criminals are caught and punished. Naavi is also personally involved in training of Cyber Crime police since 2000 when the laws first came into existence in India.

At one level we feel that there is a need to “Increase awareness” and “Build Cyber Crime investigation Skills” in the Police and this will improve the situation. If the recommendations of the  T K Vishwanathan Committee report (as leaked) is implemented, ITA 2000/8 will be amended to make it possible for Sub Inspectors to investigate Cyber Crimes. This would mean that a lot more Police Stations will be involved in the Cyber Crime investigations in the coming days and more and more people need to be trained.

However, Naavi has also pointed out that the emphasis of Cyber Crime Management cannot end with creating “Awareness” and conducting training programs whether under the banner of Police Academies, Law Colleges or DSCI. Though we can show statistics of such outreach programs indicating that there are thousands of police officers with a good awareness of Cyber Crimes, the number of successful investigations and Prosecutions is still very low. Many of the prosecutions have been sustained because the cases were pursued along with some IPC sections and had they been pursued only under ITA 2000/8, the cases would have failed. Judiciary has not been kind to Cyber Police with the scrapping of Section 66A.

The Cyber Crime victims therefore have been left completely unsatisfied about getting their grievances redressed through legal means. With the Adjudication system unable to take off and Cyber Appellate Tribunal being in eternal closure mode, the Civil proceedings are also not moving smoothly. For every dispute there is now a need to move the High Court and this is not feasible for most of the crimes.

If therefore a survey is conducted with Cyber Crime Victims, they would unanimously conclude that there is no effective Cyber Crime Police in India.

Recently, I had approached Mumbai Cyber Crime Cell for a simple e-mail based crime and the Police have been taking ages to respond. The possibility of the Police being unable to conclude the investigation in this case is therefore very high.

As I have indicated in my earlier article the efficiency of the Cyber Crime Police seems to have deteriorated in the current times compared to the days the undersigned entered the Cyber Crime investigation because the intermediaries like Google, Yahoo and ISPs seem to  value the rights of Criminals or Suspected Criminals in hiding their IDs which puts several hurdles before the Police can come anywhere near them. All the training and awareness workshops have yielded very little benefit to the common man.

If this situation is not brought under control, we will have a chaotic situation that will prevail in the country.

We as a society have to therefore  initiate some concrete steps to arrest the deteriorating situation and ensure that our Cyber Crime Police become more efficient.

In this direction, we have discussed many suggestions in the past. But it is now time to gather more scientific information from the market on What is causing problems delaying Cyber Crime Investigations and frustrating Cyber Crime prosecutions.

It has therefore been felt that we need to conduct an all India survey to gather a reliable information through a survey and involving as many stake holders as possible.

Target Audience 

Public are  the final stake holders and we need to gather their views to understand what they feel about the problem.

But another important part of the target audience is  informed professionals in the Cyber Crime investigation and prosecution and the Police themselves.

Many solutions have to come from within the Police.

The suggestion of the TK Vishwanathan Committee leaked report seems to have indicated that some amendments to CrPC would help and there could be more that can be attempted if there is need.

Scope of Survey

The Cyber Crime Management has a wide scope which includes

a) Prevention of Cyber Crimes

b) Reporting of Cyber Crimes

c) Detection of Cyber Crimes

d) Identification of offences as per law

e) Primary identification of the device responsible for the offence including the IP address, Mobile Number etc

f) Identification of the individual behind the device identification

g) Collecting evidence in a proper form admissible in a Court

h) Cooperation with inter state and inter national agencies

i) Improving the Legal system for Criminal complaints

j) Improving the Legal system for Civil Claims which includes the Adjudication and Cyber Appellate tribunals

k) Encouraging Alternate Dispute Resolution Mechanisms to aid and assist the formal judicial system

l) Role of Cyber Crime Insurance in mitigating the losses of the public

m) Role of RBI, the Banking Ombudsman, the Zero Liability circular of RBI, the CERT IN etc

When I floated the thought of conducting a survey to “Improve the Cyber Crime Investigations in India” in some of the professional groups, the response was overwhelming. Many have come forward to share their thoughts and participate in conducting the survey.

After further discussions, we will finalize how the survey would be conducted.

We can even handle the requirement in stages with small achievable targets to be taken in the beginning.

The first task I would like to focus is “Improvements in the Cyber Crime Investigation System” . This may include how we identify and record potential crimes quickly and how quickly we can bring the investigation of identifying the suspect within the “Golden hour” of crime. This should be followed by identification of evidence required to be collected and collecting them properly without adversely affecting their validity in a Court of Law.

The expertise and equipment required upto this stage is minimal and it is not difficult to equip every Police Station to have this capability within a short time.

After this stage the Case will take a turn either into a Civil proceeding or continue as a Criminal proceeding even while the victim pursues civil remedies. Some cases get closed at this stage itself.

If we are able to improve the “Time To Identifying the Suspect” then there will be a high level of public satisfaction.

Further delays may still happen in the Judicial Process where the need for ADR (Check out the concept of  Cyber Dispute Mediation and Arbitration Center or CDMAC) becomes relevant.

Beyond this, there will still be issues such as higher level of Forensic capability and international cooperation through treaties. These are issues that need to be tackled later.

If Awareness is the major issue, it should be handled on a war footing. If there are other issues, we need to address them involving appropriate agencies. If the issue is non cooperation of intermediaries like Google and Facebook, it may have to be tackled with the involvement of the MeiTy.

These and other related issues would be part of the survey when a questionnaire has to be designed.

I have placed some of my initial thoughts here so that we can together develop a scope document which is not too broad and unmanageable.

I invite responses from all concerned persons either through comments here or through email.

Naavi

The Payment Instruments industry which consists of many of the mobile wallet operators have raised objection to the recent Master Guidelines issue by RBI on several counts such as

a) KYC requirement made more or less mandatory for all Semi Closed and Open system PPIs

b) Phased introduction of interoperability

c) Restriction of peer to peer fund transfer in Semi KYC wallets

Out of these, KYC requirements are essential to prevent frauds and is non negotiable. Funds transfer for KYC done PPIs provide for transfer “Back to Source” and “Own Bank Account” and hence should not be an issue beyond that it is a little inconvenient for customers.

Transfer from one PPI to another actually creates a problem in understanding the usage pattern and creates double counting for statistical purposes. If both accounts are KYC enabled, RBI can consider relaxing this provision and managing its statistical problems by tweaking its system.

Interoperability is a technology issue and would perhaps introduce some costs. It may require a discussion at technical levels but it is desirable in the long run.

I presume that more than the above publicly expressed grievances of the PCI, (Payment Council of India) what has made them squirm is the reiteration of

a) Security and Fraud Prevention Management Framework

b) Customer Protection and Grievance Redressal Framework

c) Information System Audit

in the Master Directions.

Let’s now look deeper into these provisions as contained in the Master Directions.

a) Security and Fraud Prevention Management Framework

The Security measures envisaged in the guidelines include development of a “Board Approved Information Security Policy” which should be the starting point. The security measures need to be reviewed on an ongoing basis but atleast once a year, after any security incident or breach and before/after a major change to their infrastructure or procedures.

Apart from the usual security measures such as monitoring invalid log in attempts, time out, beneficiary creation alerts, cooling period etc the guideline requires that

“Issuers shall introduce a system where every successive payment transactions in wallet is authenticated by explicit customer consent”

Presently the OTP is used more as a pre-transaction second factor authentication. Will this double up as “Explicit Customer Consent”? needs to be discussed.

“Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards, except in case of PPIs issued under PPI-MTS.”

Some PPIs at present donot have second factor authentication at the time of usage transaction though they may have authentication at the time of loading. This may require some modification of the system.

” Issuers shall provide customer induced options for fixing a cap on number of transactions and transaction value for different types of transactions / beneficiaries. Customers shall be allowed to change the caps, with additional authentication and validation.”

This is an important requirement that was first suggested by the Damodaran Committee on Customer relations way back in 2011 and has not been fully implemented. This is an important risk control measure and should be welcome. However it requires some support since hackers can easily modify it once they have access to the system.

“Issuers shall put in place a mechanism to send alerts when transactions are done using the PPIs. In addition to the debit or credit amount intimation, the alert shall also indicate the balance available / remaining in the PPI after completion of the said transaction”

This “Alert” is also a requirement under the “Zero Liability Circular of July 6, 2017. Some PPI issuers have not incorporated the “Balance” aspect and need to incorporate it now.

“Issuers shall put in place mechanism for velocity check on the number of transactions effected in a PPI per day / per beneficiary.”

This is an important aspect of “Adaptive Authentication” which many have ignored. It however requires a proper system for identifying a risk and responding to it appropriately.

“Issuers shall also put in place suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions including loading / reloading funds into the PPI.”

This is an open ended requirement that requires a proper risk assessment including threats and vulnerabilities in the environment. Adequacy of this should be seen through the IS policy.

” Issuers shall put in place suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions.”

This needs to be addressed through the Grievance Redressal Mechanism which was also part of the Section 79-ITA 2008 requirement which many of these PPI issuers did not recognize and implement. Now they cannot ignore the requirement.

” PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.”

This is the most annoying requirement as far as the PPI issuers are concerned. But this is the only control that will ensure that PPI issuers take the directions seriously. It will also retain the hold of CERT-IN on the PPI issuers as envisaged in the ITA 2008.

b) Customer Protection and Grievance Redressal Framework

The guidelines are supported by a stringent Customer protection and Grievance Redressal Framework.

The framework includes “Disclosure” of important terms and conditions, creating awareness on secure use of PPIs and conform to the RBI’s “Zero Liability Circular”

It is interesting to note that the directions indicate that “In case of PPIs issued by banks, customers shall have recourse to the Banking Ombudsman Scheme for grievance redressal.”

Otherwise the grievance redessal framework needs to include:

a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible. The framework shall include, at the minimum, the following:

a) PPI issuers shall disseminate the information of their customer protection and grievance redressal policy in simple language (preferably in English, Hindi and the local language).
b) PPI issuers shall clearly indicate the customer care contact details, including details of nodal officials for grievance redressal (telephone numbers, email address, postal address, etc.) on website, mobile wallet apps, and cards.
c) PPI agents shall display proper signage of the PPI Issuer and the customer care contact details as at (b) above.
d) PPI issuers shall provide specific complaint numbers for the complaints lodged along with the facility to track the status of the complaint by the customer.
e) PPI issuers shall initiate action to resolve any customer complaint / grievance expeditiously, preferably within 48 hours and resolve the same not later than 30 days from  the date of receipt of such complaint / grievance.
f) PPI Issuers shall display the detailed list of their authorized / designated agents (name, agent ID, address, contact details, etc.) on the website / mobile app.

These are areas in which lot of action is still required for many Mobile wallet operators.

c) Information System Audit

The Master directions has also included a detailed guideline on the Information Security Audit requirements for the PPI issuers.

The directions make reference to the “Cyber Security Framework”  which is a comprehensive guideline which even the best of Banks are struggling to meet. PPI issuers who are banking on Mobile Apps will find meeting these guidelines challenging.

The Audits need to be conducted by CERT-IN empanelled auditors within two months of the cose of their financial year and submit reports to RBI.

In particular, the master directions indicate that

All PPI issuers shall, at the minimum, put in place following framework:

a) Application Life Cycle Security: The source code audits shall be conducted by professionally competent personnel / service providers or have assurance from application providers / OEMs that the application is free from embedded malicious / fraudulent code.

b) Security Operations Centre (SOC): Integration of system level (server), application level logs of mobile applications (PPIs) with SOC for centralised and co-ordinated monitoring and management of security related incidents.

c) Anti-Phishing: PPI issuers shall subscribe to anti-phishing / anti-rouge app services from external service providers for identifying and taking down phishing websites / rouge applications in the wake of increase of rogue mobile apps / phishing attacks.

d) Risk-based Transaction Monitoring: Risk-based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system.

e) Vendor Risk Management:

(i) PPI issuer shall enter into an agreement with the service provider that amongst others provides for right of audit / inspection by the regulators of the country;

(ii) RBI shall have access to all information resources (online / in person) that are consumed by PPI provider, to be made accessible to RBI officials when sought, though the infrastructure / enabling resources may not physically be located in the premises of PPI provider;

(iii) PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders;

(iv) PPI issuer shall review the security processes and controls being followed by service providers regularly;

(v) Service agreements of PPI issuers with provider shall include a security clause on disclosing the security breaches if any happening specific to issuer’s ICT infrastructure or process including not limited to software, application and data as part of Security incident Management standards, etc.

f) Disaster Recovery: PPI issuer shall consider having DR facility to achieve the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for the PPI system to recover rapidly from cyber-attacks / other incidents and safely resume critical operations aligned with RTO while ensuring security of processes and data is protected.

Obviously these are the matters that non Banking PPI issuers may not be prepared. It will also involve expenditure and management attention.

I suppose that these are the issues that is making PCI uncomfortable.

However, we welcome the stringent regulations which are in the interest of the general public. If only they had specified a mandatory Cyber Insurance aspect, it would have been even better.

Anyway let us now watch and observe how these guidelines are implemented by the industry and how RBI will enforce them.

Interesting days are ahead for Cyber Security professionals.

Naavi

Earlier Articles:

New RBI Norms for Prepaid Instruments make Digital payment Companies squirm

The PPI Ecosystem and the Power of the industry to lobby

Understanding the types of Prepaid Instruments under Payment and Settlements Act

Under the Master Directions for PPIs (MD-PPI), three types of PPIs are recognized namely

a) Closed System PPIs
b) Semi-Closed System PPIs
c) Open System PPIs

Closed System PPIs are those PPIs  which are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI.

Semi-closed System PPIs  are those  PPIs  which are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks,

Open System PPIs are those PPIs  which are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).

PPIs may be “Reloadable” or “Non Reloadable”. Some PPIs may permit “Cross Border outward Transactions” and some may not. PPIs may also be issued  against inward remittance to the beneficiaries under Money Transfer Service Scheme of RBI. Some PPIs may be denominated in Foreign Exchange also.

PPIs may be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein.

PPIs may be issued under Co-Branding arrangements. If one of the Co Branding partners is a Bank and the other is a Non Bank, the Bank will be the PPI Issuer. If both are non Bank institutions, or both are Banks, then one of them shall be designated as the PPI issuer.

Paper based prepaid meal instruments shall be discontinued from December 31, 2017 and semi closed PPIs shall be issued for such purpose.

The Regulations

Most of the regulations in the Master Directions relate to Semi Closed PPIs.

According to the guidelines, PPIs upto a monthly usage limit of Rs 10000/- can be issued on the basis of self declaration of name and an ID along with OTP on a mobile. Essentially these are non_KYC compliant instruments.

Funds in these non KYC PPIs can be used only for purchase of goods and services and money cannot be transferred back either to Bank accounts or to other PPIs.

These PPIs need to be compulsorily converted into KYC type within 1 year. If KYC is not provided, no further credit would be allowed but the balance can be used.

If the PPI is closed at the request of the user, money can be transferred back to the own bank account of the PPI holder for which KYC would be required or “Back to Source”. (P.S: Not clear if KYC is not required for Back to Source transfer on closure).

The PPI issuers need to ensure that same category PPI is not issued against the same mobile number. (P.S: There is an ambiguity whether a second non KYC PPI can be issued against the same mobile number if the name and ID is different. Ideally this should not be allowed).

PPIs for transaction upto Rs 1 lakh are KYC compliant PPIs. Money can be transferred to own bank account or Back to source.

“Pre registered beneficiaries” can be allowed for these KYC PPIs and money can be transferred to them upto the limit of Rs 1 lakh per month.

Fund transfer limits in the case of non pre-registered beneficiaries is limited to Rs 10,000/- per month.

Open Systems

The “Open” systems are permitted only to be issued by Banks and with KYC. Here also there can be pre-registered beneficiaries and others and transfer to others is restricted to Rs 10000/- per month.

The only difference between the Pre-closed and open systems is that Funds transfer for Open PPIs shall also be permitted to other open system PPIs, debit cards and credit cards as per the limits such as Rs 10,000/- except to pre-registered beneficiaries.

Gift and MTS PPIs

Other than the above three main categories of PPIs, specific PPIs such as Gift Instruments (Maximum value Rs 10,000/- without cash-out or refund or reloading).

But KYC would be required on a risk based approach if multiple Gift cards are required to be issued to one person. (P.S: This is tricky and needs some policy guidelines to be formulated by the PPI issuer)

PPIs can also be issued for Mass Transit Systems which may be Semi Closed PPIs usable only for the transit systems and allied merchants. They are re loadable with a maximum outstanding or Rs 3000/- at any point of time.

Conversion of Existing PPIs

According to the directions, PPI issuers shall give an option to all PPI holders to convert the existing semi-closed and open system PPIs issued to them  into any type of the PPIs as indicated in the directions.

After carrying out the applicable due diligence for that type of PPI, this conversion shall be completed on or before December 31, 2017 . Where PPI holders have not exercised the option  the PPIs issued to them shall mandatorily be converted into minimum detail PPIs  on January 01, 2018 with all the applicable features.

Looking at the regulations above, except for mandatory KYC after 1 year for all Semi Closed PPIs there is no major change from the current system.

Fraud control is through limiting of the fund transfer limit to the non pre-registered beneficiaries to Rs 10,000/-. Restriction of transfer and withdrawal by cash is essential for controlling the Black Money and hence, there should be nothing much for the PCI to object on the KYC aspect.

The argument that frauds happen at the loading time at the Card end and not at the Wallet/PPI end is not tenable since both need to share the responsibility and liability since fraud is facilitated because the Wallets/PPIs have no KYC and it escapes detection of the end user of fraudulent transfer from a Card. We need to take all steps to prevent frauds and losses and it is unfair that all the liabilities are to be boarne only by the Card issuers.

In view of the “Zero Liability” aspect, Banks need to bear the cost of frauds and there is a need for the PPI issuers in the private sector to also take precautions by proper KYC so that the losses can be recovered and possibilities of fraudsters repeating their fraud with different PPI issuers and multiple non KYC PPIs is prevented.

It is necessary for RBI to insist that both the Banks and the PPI issuers obtain necessary Fraud insurance so that their risks are covered and customers are not put into difficulty.

(To Be continued)

Naavi