ORF, in conjunction with the Koan Advisory Group, has come out with a report titled ‘Towards a Cyber-Security Roadmap for Digital Payments: Best Practices and Recommendations’ to smooth and strengthen the digital payments system in India. The report, developed by Sidharth Deb of the Koan Advisory Group, was released on 3 May at ORF during a round-table discussion deliberating the issues of friction which hinder the adoption of digital payments in India.
Moderating and initiating the discussion, Mihir Swarup Sharma, Head, Economy and Growth Programme, ORF, pointed out that the importance of the issue in India is unique. Policy responses are required to keep pace with the growth of a space which is seen as a pivotal component of India’s digital/Information and Communications Technologies (ICT) growth story.
Moreover, digital payments are inextricably linked with the demonetisation decision of the Modi Government, which invalidated the then high-value currency notes (INR 500 and INR 1000), or more than 86 percent of the total value of cash in circulation at the time. In this scenario, Sharma said, it was decided that a thoughtful discussion could help identify bottlenecks to digital payments adoption, its interplay with transaction security and a potential future pathway which can aid future dispensations in stimulating the adoption of digital payments in the near to mid-term.
The context for the discussion was set by report author Sidharth Deb who highlighted certain key issues in the report — mostly in the context of transaction security, identity verification, convenience of transacting, etc. Rahul Gosain, Director, DigiDhan Mission at the Ministry of Electronics and Information Technology (MeitY) presented his thoughts on reducing friction in digital payments, mapping the progress of the DigiDhan Mission (India’s National Digital Payments Mission), issues faced by the ministry and possible steps to resolve these issues.
The round table was attended by a broad range of stakeholders who participate across the payments and settlement value chain, including banks, card networks and other payment service providers, government experts, economists, lawyers and technologists.
The discussion spanned disparate issues hindering financial inclusion across India’s digital payments ecosystem. These included the need for a robust institutional framework, enhanced transaction security, a convenient and secure customer authentication process and an ecosystem that enables recurring payments. Participants raised some merchant and consumer facing issues which were characterised as inhibiting the adoption of digital payments. Mainly, these issues are:
1. Lack of adequate acceptance infrastructure;
2. Limited options for digital payments;
3. Absence of incentives for digital payments;
4. High failure rates of transactions;
5. Lack of a grievance redressal mechanism;
6. Low digital literacy and awareness.
It was also highlighted that the growth of recurring payments, which are a prominent form of customer transaction (for subscription services such as utilities, insurance, groceries, food delivery etc.), has been inhibited by SMS-based Two-Factor Authentication (2FA) requirements. In this context, stakeholders also raised an issue around the lack of mode-neutral standing instruction functionality, which deters consumers from availing auto-debit features with common payment instruments like debit cards and UPI.
Regarding payments for government utilities through the Bharat Bill Payment System (BBPS), the main issues that were highlighted were: (i) limited number of modes of acceptance by Bharat Bill Payment Operating Unit (BBPOU); (ii) limited number of on-boarded billers on BBPS; (iii) non-availability of QR codes on bills and (iv) essential subscriptions such as education and insurance not being available as BBPS categories.
Concerns with transaction security
During the initial remarks that detailed the cybersecurity report’s findings, recommendations were made for standards which Indian policymakers could consider adopting. Broadly these include:
- Developing risk-based standards for cybersecurity
- Evolving first principles as minimum compliance requirements.
An additional recommendation was made for enhancing transaction security. Discussants raised the need for India to start assessing global benchmarks which could be integrated into the local payments ecosystem such as that found in the European Union’s recently developed Revised Payment Services Directive (commonly called PSD2). To this end, several discussants highlighted India could shift away from the current practice of requiring OTP through SMS towards risk-based standards.
Such an approach is also validated by recommendations made by the International Telecommunication Union’s (ITU) Focus Group on Digital Financial Services and the US National Institute of Standards and Technology (NIST). A technology-agnostic, principles-based approach of risk-based assessments for better transaction security is also a cornerstone of the EU’s PSD2, which has developed what is known as the Strong Customer Authentication (SCA) regime. Specifically, the SCA framework espouses three principles, i.e. (i) knowledge; (ii) ownership and (iii) inherence, of which payment service providers can combine any two to develop a robust authentication protocol.
The EMV3DS 2.0 protocol developed by EMVCo, an industry standards developing group, also prescribes a strong customer authentication framework that is risk-based and technology agnostic.
Subsequently, the discussions progressed towards how greater digital payments adoption can grow the Indian subscription economy. It was highlighted that financial inclusion can be achieved only through the promotion of digital payments.
Many Indians who subscribe to services such as utilities, insurance, telecom and content (both television and VOD) have no access to digital payments. A 2018 report by KPMG on the Bharat Bill Payment System cites that of the INR 5.85 trillion bill payments market, 70% is paid by cash or cheque. Payments for subscriptions are best made by digital modes of payment given the ease of transacting digitally, especially in the context of recurring payments.
Debit cards, the largest digital financial instrument with a subscriber base of 930 million as of April 2019, are not utilised optimally owing to the legal uncertainty regarding issuing standing instructions for recurring payments.
For recurring payments through debit or credit cards, PSD2 would mean more levels of authentication at the initial stage of setting up the standing instruction. However, recurring payments initiated by the merchant are exempt from EU’s SCA regulation.
This could substantially reduce friction in recurring payments as the authentication compliance would be met while the standing instructions are set up and subsequent payments would be seamless.
To onboard more customers, four essential factors were cited as drivers of adoption of digital payments: (i) consumer consent; (ii) consumer convenience; (iii) transaction security and (iv) ease of transacting. It was pointed out that the 2FA currently followed is an important tool for keeping fraud in check and acknowledging consumer consent, but it fails on ease of making payments and consumer convenience, especially for recurring payments.
A balance between convenience and security may be struck by having differential standards when the transaction is (i) low value; (ii) low risk; (iii) payment for subscriptions or (iv) towards white-listed merchants. Further, customers have also indicated their interest for enabling recurring payments for subscriptions through debit cards by issuing standing instructions.
An individual-centric model
The discussants deliberated on “ease of doing payments” being a primary driver for digital payments adoption in India. Consumer insights around the positive correlation between education, awareness and infrastructure availability in driving digital adoption were shared. Awareness would require a sustained campaign and the display of use cases such as subscription payments.
The need for mode-wise digital payments strategies to drive adoption is paramount. Democratising access to all payment modes, improving convenience, enhancing quality and security and facilitating seamless use of digital payments go together towards driving digital adoption in subscription services. Consumers cited lack of ease of making payments and lack of mode-agnostic acceptance infrastructure as key constraints for the Deepening of Digital Payments.
Regarding risk-based standards, it was highlighted that the model should not only evaluate risk based on the transaction value but should seek to follow an individual-centric model. This would mean that risk would be determined relatively based on what the value of a transaction means to an individual. Essentially, the risk of a digital transaction of INR 2000 would have different risk connotations based on the income of the individual which should be accounted for when determining risk in a risk-based model for transaction security.
Resolving friction in identity verification
To effectuate this model, it was recommended that a risk-based model be followed for KYC verification. This would mean that the value of the transaction at risk should determine the level of KYC followed: high-value transactions would require higher standards of KYC and vice versa. Such mechanisms that follow risk-based verification have also been explored by the Financial Action Task Force and by the Department of Telecommunications with ‘carrier billing’.
Further, interoperability of KYC may also be explored. This should follow the Federated Digital Identity Management (FDIM) practice whereby KYC is anonymized and made interoperable at a local level. The key benefit associated with FDIM (as highlighted in the Report) is the limitation of privacy concerns. FDIM processes limit the number of entities and the number of times that user data is shared. Further, following first verification, other service providers may also use the corresponding tokenised information generated through FDIM for customer authentication.
The National Institute of Standards and Technology has acknowledged these benefits of privacy enhancement and released a set of ‘Digital Identity Guidelines’ to standardize FDIM processes and architecture.
Goals for digital payment
Acknowledging the diverse nature of actors in the digital payments ecosystem, both at the consumer’s end and at the merchant’s end, three goals were identified which apply broadly to all players in this ecosystem. These were:
1. Fostering trust between user and merchant through efficient grievance redressal;
2. Simplifying digital transactions through a standardized interface such as one Bharat QR code for utility payments; and
3. More accountability from the merchant’s end to enhance digital payments adoption.
Discussants also noted that the regulator in charge of payments, the Reserve Bank of India (RBI), has to make policy interventions at a faster pace than other regulators. This is because of (i) the fast pace at which technology evolves; (ii) the crucial nature of digital payments to the economy and (iii) the scope for bad actors to exploit gaps in the law.
- To create strong institutions, the RBI 2018 Vision document recommends creation of a Payments System Advisory Council – a proposal that should be revisited. Additionally, the Payments Regulatory Board when created should work in tandem with the future Data Protection Authority.
- Rahul Gosain pointed out interventions that banks and merchants could make to reduce friction in the digital payments ecosystem. These include (i) standardized billing processes and providing multiple options for digital payments; (ii) incentivizing digital payments to catalyse adoption; (iii) improving awareness and digital literacy and (iv) removing added costs such as a convenience fee from digital transactions. In this regard, amendments to laws such as state-level Shops and Establishments Acts to mandatorily have payments acceptance infrastructure may be explored.
- It was also pointed out that the Watal Committee on Digital Payments’ Report on Medium Term Recommendations to Strengthen the Digital Payment Eco-system released in 2016 was yet to be implemented. Some of the recommendations made in this report such as making regulation of payments independent of the central bank’s functioning should be revisited.
- To ease digital transactions while also following a strong standard for customer authentication, it was recommended that principles be evolved from existing best practices followed in the EU such as PSD2 and EMV3DS 2.0.
- Additionally, it was recommended that when adopting risk-based approaches to transaction security, Indian policymakers could consider evaluating risks on two counts. First, the traditional conception of risk which is based on the value of the transaction itself. The second relates to evaluating risk based on the income/user profile of the customer/individual initiating the transaction, while maintaining high standards of privacy.
- To grow digital payments without compromising on security, it was recommended that an exception to 2FA should be carved out for certain transactions. Low-value, low-risk, subscription payments or payments to white-listed merchants that are recurring in nature may follow a different standard from the 2FA. Further, standing instructions issued to the bank should not discriminate in authentication based on the mode of payment; i.e. between credit cards, debit cards or UPI.
- A consent-based authentication system should also offer an opt-out option to the consumer, particularly for recurring payments as opposed to multiple levels of authentication.
- This opt-out mechanism may be strengthened further by providing the option at three stages when a standing instruction is being issued: (i) when providing the standing instruction itself; (ii) five days before the standing instruction is acted upon by the bank and (iii) at debit. Further, customers should also be provided with the option of setting a transaction limit on debits through standing instructions.
- The RBI should work towards developing comprehensive Standing Instructions Guidelines to get rid of legal uncertainty regarding the same.
- A stratified KYC model that follows rules developed on a risk-based model would deliver simplicity while also standardizing and easing customer authentication.
- Other relevant recommendations made include (i) post-facto authentication as an alternative to 2FA; (ii) exemptions to 2FA for low-value transactions; (iii) passive biometrics such as facial recognition technology for real-time authentication and (iv) instituting an opt-out mechanism in areas with high digital literacy only and extending the same to other areas with low awareness levels.
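The SCA rule (two factors from different categories), the individual-centric risk model, and the 2FA exemptions and standing-instruction limit recommended above can be expressed as one authentication policy. The following is an added illustration, not code from the report or from any Indian payment system; the thresholds, merchant whitelist and customer data are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    """The three SCA categories: what the user knows, has, or is."""
    KNOWLEDGE = "knowledge"    # PIN, password
    POSSESSION = "possession"  # card, registered handset
    INHERENCE = "inherence"    # fingerprint, face

@dataclass
class Customer:
    monthly_income_inr: float
    # Customer-set cap on standing-instruction debits (assumed control).
    si_limit_inr: float = 0.0
    # Merchants for which the customer has already set up a mandate.
    mandated_merchants: set = field(default_factory=set)

@dataclass
class Txn:
    amount_inr: float
    merchant_id: str
    recurring: bool = False
    subscription: bool = False
    factors: list = field(default_factory=list)

WHITELIST = {"utility-board-01"}  # constructed merchant whitelist

def sca_satisfied(factors):
    """SCA: two factors from *different* categories; two PINs do not count."""
    return len(set(factors)) >= 2

def decide(txn, cust, low_value_inr=2000.0, low_risk_share=0.02):
    """Return 'allow' or 'step_up'. Thresholds are assumed, not from the report."""
    # 1. Merchant-initiated recurring debit under an existing mandate: no
    #    per-transaction SCA, but the customer's own limit still applies.
    if txn.recurring and txn.merchant_id in cust.mandated_merchants:
        return "allow" if txn.amount_inr <= cust.si_limit_inr else "step_up"
    # 2. Individual-centric risk: amount as a share of the customer's income.
    share = txn.amount_inr / cust.monthly_income_inr
    if txn.amount_inr <= low_value_inr and share <= low_risk_share:
        return "allow"
    # 3. Subscription payment to a white-listed merchant.
    if txn.subscription and txn.merchant_id in WHITELIST:
        return "allow"
    # 4. Everything else needs SCA.
    return "allow" if sca_satisfied(txn.factors) else "step_up"
```

The same INR 2000 payment is exempt for a high-income customer but steps up for a low-income one, which is the individual-centric point the discussants made.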