Recently, the Reserve Bank of India issued new rules to tighten security on digital payments. The rules are imposed on lenders; however, customers are surely going to be affected by them. The RBI has directed commercial banks, payment banks, small finance banks, and card-issuing non-banking lenders to adopt stringent measures for digital payments. The notice specifies the guidelines these banking entities must follow and sets down various security protocols to be adopted in internet banking.
The banking regulator insists that the guidelines will create an enhanced and enabling environment for customers to use digital payment products while being technology and platform agnostic. The guidelines will reportedly come into effect within six months.
The lenders have been directed to have a board-approved policy in place and conduct regular audits. Vulnerability testing of all the banks and non-banking entities will be made mandatory, to provide a secure experience to the customers. This will also make sure that grievance redressal is quick.
To avoid data breaches, the highest standard of security needs to be adopted, standards that go beyond the payment card industry.
These rules come in the light of increased loss due to banking fraud in the year 2020 as compared to the previous years.
There has been a surge in complaints from customers about banking services in 2020. While ATM/debit card complaints increased by 3%, complaints pertaining to electronic banking and credit cards doubled over the course of a year. Among all the complaints, 43% were related to fund transfers through UPI, QR code, and the like.
This leads us to think about card fraud. Two-fifths of card users in India have experienced card fraud. This trend surged during the lockdown, when people started depending upon online services. According to data released by the Ministry of Electronics and IT, Fiscal Year 2020 saw 52,006 cases of fraudulent transactions using debit cards, credit cards, and Internet banking. A loss of Rs. 228.44 crore was recorded, two times what was lost in 2019.
Another big concern, which first made headlines in 2019, was the card data of 1.3 million Indians being put on sale on the dark web. This was used by cybercriminals to clone cards and withdraw funds from ATMs. A 2018 report revealed that India has the highest number of cases pertaining to banking frauds in the world.
Card fraud can be of two types:
i) Card present: This involves stealing card information while a person is making a withdrawal at an ATM or making a payment at a store. This can be done by using devices that read your card details while you're making the transaction. Another way is by hacking into the system. Although the latter has rarely been seen in India, it is prevalent in countries such as the U.S., where most of the ATMs are vulnerable to North Korean hackers.
ii) Card not present: This also involves hacking, but hacking into the websites and systems of lenders.
Another very common method is phishing websites: if you are not using widely used online platforms for online shopping, chances are you might end up on a website which is just using the pretext of shopping or other online services to get your sensitive information.
However, the most prevalent card fraud in India happens through phone calls. These fraudulent groups gather information about you, such as the bank you have an account at, your name, birth date, and phone number. Under the guise of updating your KYC or simply warning you about suspicious activity, they can extract sensitive information.
This trend saw an increase during the lockdown. Cyber fraud was reported to have tripled during the lockdown months. Over 4500 complaints were registered.
How will the Customers be affected?
Some perks of the new rules that might affect the customer immediately involve rules for mobile applications. According to the RBI, authentication tools such as One Time Passwords are not secure and hence, lenders are expected to come up with better alternatives. This guideline seems a little vague to the lenders.
The Reconciliation Process of the transaction is expected to be done within a 24-hour time period.
Stronger CAPTCHA codes should be used for authentication.
Banks and Non-Banking Financial Companies are advised to have a Grievance Redressal mechanism on their websites. This must be easy to use and access so that the customers can lodge their complaints in a hassle-free and quick manner.
A regulation that stands out above the rest and has caught the attention of many is the instruction that the lenders are not supposed to store sensitive information in HTML fields, cookies, or any other side-storage mechanism. This is done to make sure that there is no identity theft or card fraud.
This means that every time customers make an online transaction, they have to enter their 16-digit card number; entering only the CVV will not be enough anymore.
The same applies to online subscriptions. Since card details would not be stored on the platforms, e-commerce companies will have to depend on the banks for carrying out refunds. This means that the refund process will become slower.
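The rule against keeping card data in HTML fields and cookies can be checked mechanically. The following is an added example, not code from the RBI notice or from any lender: it audits one HTTP response for Luhn-valid card numbers in `Set-Cookie` headers and form inputs. The sample response, the cookie and field names, and the `SENSITIVE_NAME` pattern are constructed assumptions.

```python
import re
from html.parser import HTMLParser

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")    # 13-19 digits
SENSITIVE_NAME = re.compile(r"cvv|cvc|card.?(no|num)", re.I)  # assumed names

def luhn_ok(digits):  # Luhn checksum filters out order ids and similar numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    cands = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

class FieldAudit(HTMLParser):  # collects <input> fields that carry card data
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name, value = a.get("name") or "", a.get("value") or ""
        if tag != "input" or not value:
            return
        if find_pans(value):
            self.findings.append(("html-field", name, "card number"))
        elif SENSITIVE_NAME.search(name):
            self.findings.append(("html-field", name, "pre-filled secret"))

def audit_response(headers, body):
    findings = []
    for key, val in headers:
        if key.lower() == "set-cookie":
            name, _, rest = val.partition("=")
            if find_pans(rest.split(";", 1)[0]):  # cookie value only
                findings.append(("cookie", name.strip(), "card number"))
    parser = FieldAudit()
    parser.feed(body)
    return findings + parser.findings

# Constructed sample response; 4111111111111111 is a standard test number.
SAMPLE_HEADERS = [("Set-Cookie", "saved_card=4111-1111-1111-1111; Path=/"),
                  ("Set-Cookie", "order_id=1234567890123456; Path=/")]
SAMPLE_BODY = ('<input type="hidden" name="card_number" value="4111111111111111">'
               '<input type="hidden" name="cvv" value="123"><input name="qty" value="2">')
if __name__ == "__main__":
    print(*audit_response(SAMPLE_HEADERS, SAMPLE_BODY), sep="\n")
```

The 16-digit `order_id` cookie is not reported because it fails the Luhn check, which keeps the audit from flagging every long number.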
The Downside of it
The e-commerce websites are of the opinion that their business will be hampered. They might have to suffer losses because of the new rules.
Since the payment will not be quick anymore, the customers might have second thoughts on buying a particular product. Since these businesses know that Time is Money, the more time the customer has (to make the payments), the less likely they are to indulge in frivolous shopping.
In the case of platforms where a monthly subscription is required, the service providers won’t be able to deduct a certain amount from the accounts of the customers. Instead, the customers will have to manually do so every month. This would bring in a delay of a few days which might again hamper business.
Customers will either have to keep their cards with them all the time or memorize the 16-digit card number, which might just seem like an impossible task. This again can decrease sales which were dependent on frivolous shopping by the customers.
Another concern that the banks and NBFCs have is the authentication process. If an OTP sent to the customer's phone number is not safe, then what is? They say that there is no clarity provided by the RBI on this subject.
In conclusion, RBI is taking some strong measures to curb the losses suffered by citizens due to cyber fraud. This is a very important measure given the increase in cybersecurity breaches and identity thefts over the years. It is all the more important in the wake of the government aiming to digitize and modernize India. In my opinion, cybersecurity measures should have been introduced before the announcement of a digital India. People need to be made aware of the issues associated with going digital and the ways to counter those issues. However, suddenly announcing certain measures will not only hamper the productivity of e-commerce websites, but it will also be a hassle for the customers. Brainstorming, discussion, and consultation with all the parties could have brought out better results and less discomfort to the parties being affected by it.