The PPI Ecosystem and the Power of the industry to lobby

The Prepaid Instrument Eco System in India under the Payment and Settlements Act 2007 has licensed several “Payment System Operators” under the Act. The list of such operators is available here.

The list consists of

  1. Two Financial Market Infrastructure operators namely the Clearing Corporation of India Limited and the National Payments Corporation of India (NPCI),
  2. 5 Card payment networks including the Amex, Diners, VISA, Master, etc
  3. 9 inbound Cross border Money Transfer Systems including Western Union etc
  4. 6 ATM Networks
  5. 55 Prepaid Instruments
  6. 9 White Lablel ATM Operators
  7. One Instant Money Stransfer system of Empays Payment Systems
  8. Three Trade REceiviables Discounting Systems
  9. Eight Bharat Bill Payment Operating Units

The entities who have been “Payment Bank” licenses such as Airtel Payment Bank Ltd, India Post Payments Bank Ltd, Paytm Payments bank Ltd, and Fino Payments bank Ltd are other entities in the Digital payment domain.

Licensed Scheduled Banks are also in the digital payment system with their UPIs, Wallets, Virtual and Physical Prepaid Cards, Debit Cards, Credit Cards etc. (Refer article in livemint). It appears that out of the eleven provisional licenses issued for Payment Banks, others have not yet operationalized their licenses.

The October 11, 2017 master directions of RBI apply to the 55 Prepaid Instrument operators which includes Aircel, Amazon Pay, Mannapuram, Muthoot, Mobikwick, Oxigen,PhonePe, Jio money, Sodexo, m-Pesa,etc.

On March 9, 2017, the Ministry of Information Technology had issued certain draft guidelines constituting “Reasonable Security Practices” applicable to the e-PPI instrument issuers. It was called  “Information Technology (Security of Prepaid Payment instruments Rules 2017-Draft.

At that time, some of the operators had raised objection on the rules and its requirement to interact with CERT IN to report security breaches etc.

Unfortunately, the Ministry succumbed to the industry lobby and there was no follow up on the draft guideline which was well within the powers of the Ministry.

The e-PPI operators are “Intermediaries” under ITA 2008 and they always had the obligation for “Reasonable Security Practice” whether they were defined by a rule or not.

Hence there was no reason for the Ministry to buckle under pressure except for the reason that the responsibility to issue the guideline could be delegated to RBI.

Now the Master Direction of RBI of October 11, 2017 is a follow up of this and represent among others the “Reasonable Security Practice” to be followed by these e-PPI operators.

The objection raised by the PCI is therefore yet another attempt to influence the policies in their favour. Hopefully RBI is made of tougher material and commitment to the security of the financial system rather than the Ministry of Information Technology and we can hope that it withstands the pressures from the industry.

We need to however watch the developments to see if the industry lobby is able to get any dilutions that may adversely affect the Consumer interests.

We have noted that in the past, the industry is only interested in “Exploitation” of the citizens and technologists are unmindful of the fraud possibilities in the new Digital payment eco system.

The Government appears to be only interested in only raising the “Revenue” by taxing the public for the digital transactions and levying “Cess” for security and is not genuinely concerned about the security of the public. We have seen this in the Bitcoin scenario where the Finance Ministry has been sympathetic to the criminal elements endorsing Bitcoin legalization rather than taking a quick decision to ban it. It is therefore not surprising that the MeiTy quietly withdrew the security rule notification.

It is only RBI which from time to time shows a commitment to securing the financial eco system though they are often over powered by the Banking industry lobby such as IBA.

Hopefully the PCI is not as powerful as IBA and hence it may not be easy to make RBI change its stance on the Master directions. But in the past we have observed that RBI has without diluting its stringent guidelines, turned a blind eye to contraventions and be good to the industry while also appearing to take care of the public interest.

I hope in this instance RBI will remain firm and impose the security directions in the interest of the public.

(More about the security requirements under the directions would be discussed in the continuation article)

Naavi

 


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.