Watching the NPCI…Let NPCI not become a Crypto Exchange mechanism

We have pointed out several times how NPCI needs to take more responsibility for securing financial transactions in India.

Besides yesterday’s article (NPCI needs to be watched), some of the earlier articles in this regard are given below.

The Cosmos Bank fraud.. Could better security at NPCI have prevented it?

Software Application is not a mere piece of coding…There is business behind it

NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

4-D Secure protocol for Online security… Attention NPCI

Will NPCI indulge in Data Laundering like CIBIL?

Tweaking the MDR charges …Watal Committee recommendations…3

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

The Unification of Fraud possibilities through UPI

Presently, NPCI is showing its affinity towards Bitcoins and is supporting Crypto Exchanges. We have a strong feeling that NPCI is getting ready to give back-office support to Crypto Exchanges to defeat any designs of RBI to bring a ban on Crypto currencies.

If RBI comes up with an official Crypto currency, NPCI may provide simultaneous support for all Crypto Assets as a category and enable Bitcoins to continue to be used in our economy.

We have brought this possibility to the notice of all regulatory agencies, but all regulators, including the ministers in the Modi Cabinet, are silent. The power of corruption can silence anybody and it is showing its power by supporting the Bitcoin lobby. Honest citizens of India have no faith in the Judiciary and the Government and are getting ready to succumb to the powers of corruption. Politicians take taxpayers’ money and distribute it before election and after election to their supporters, and the taxpayers look like fools who do not know how to live in this society.

Leaving this philosophical thought aside for a day when Mr Narendra Modi has a day of enlightenment like the Buddha, let us turn our attention to some academic debate on the NPCI handling Personal Data of millions of Indians and whether this data is safe in their hands, in the light of the CIBIL incident discussed earlier.

Status of NPCI

NPCI acts as a clearing house of all financial transactions using the UPI Id. All Banks have registered mobile numbers of account holders to the account which is also linked to the Aadhaar, PAN etc. When a UPI ID connects to a Bank account, it carries with it the payload of all personally identifiable sensitive data.

NPCI acts as an intermediary transmitting the requests from one UPI ID to another UPI ID. Hopefully the personal data behind the UPI IDs need not come to the hands of NPCI and remain with the respective Banks.

However, NPCI is maintaining a database of financial transactions of various kinds which are linked to inter-bank transfers of money, credit card payments, payments from Google Pay, Amazon Pay, PhonePe, Paytm etc. It must have the mobile number to bank account links of the public.

However, NPCI does not directly deal with individuals and is not visible as a “Data Fiduciary” to a data principal. It collects all the data from the participating institutions under a data processing contract not visible to the public.

It has 221 institutions registered for the UPI transactions, including many cooperative Banks. As of April 2021 it handled 447.343 crores of transactions valued at Rs 1692.974 crores. This included Aadhaar related transactions, Bills pay transactions, eKyc transactions etc.

It is clear that NPCI should have in its possession an enormous amount of personal data in its accessible control.

However, the Privacy policy of NPCI available here and archived as on date here provides very sketchy information about the personal data collected by NPCI and how it is used or shared.

There is a single Privacy Policy which addresses the website visitors which does not make any mention of the indirect data principals to whom NPCI is a “Joint Data Fiduciary”.

Para 2 of the policy states

“NPCI, in its role as a retail payment system service provider and a payment gateway, may receive financial information of a person which may include name of bank, account number, withdrawal amount, cheque number, payee details etc. Collection of such information by NPCI is in consonance with statutory and regulatory requirements and internal procedural and operating guidelines and byelaws. The internal procedural, operating guidelines and bye-laws of NPCI are duly documented.”

Para 3 appears incomplete and states as under

STORAGE OF INFORMATION

NPCI collects personal information online primarily to provide our visitors with a more relevant experience on this web site. When doing so, NPCI takes every reasonable effort to avoid excessive or irrelevant collection of data. As a corporate body and payment system service provider, NPCI maintains the records and information in a safe and secured manner as per its policy and in compliance with the statutory provisions and directions for the period required by it and as prescribed by laws and rules etc. We collect personal information only to the extent that it is necessary for the purposes set out below:

a. ———-

b. ———-

Personal information, if captured, is stored in paper and electronic files within NPCI’s premises, and approved archives. NPCI does not allow any unauthorized access to the information stored by it in any form whatsoever. The information is securely stored and access is restricted to authorised personnel only. NPCI incorporates confidentiality clause in non-disclosure agreement with entities having business with NPCI to keep personal information secure and confidential and not to disclose the personal information to others, unless required by law or by an order of a court or by written instruction by NPCI. Such non-disclosure agreements stipulate that all personal information obtained by other party from the arrangement with NPCI will be returned or destroyed on termination/expiry of the non-disclosure agreement.

Further, anytime you visit this web site, NPCI may gather certain non-personally identifiable information regarding the means you use to access our site. This information may include the type and version of your browser, your service provider, your IP address and any search engine you may have used to locate the website. We use this information to help diagnose problems with our server, administer the web site, and compile broad statistical data.

The purpose for which information is collected is left blank.

It is surprising that an organization of global reputation has such a shabby privacy policy, which is not even complete.

If such an organization starts supporting the Digital Black Money exchange in India, then we can expect that the future of the Indian economy is endangered.

Naavi.org has sought some clarifications from NPCI regarding the above and is awaiting a response.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.