This article is written by Sachin Kumar who is pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
In India, the 2010-20 decade has been recognized as the Payments Decade. There have been many breakthrough moments in the country’s payments ecosystem that have garnered global attention. The country has seen the launch of novel payment systems, the entry of non-bank entities, and a steady shift in consumer preferences from cash to digital payment over the last ten years.
Digital payments have experienced rapid growth in recent years. Despite the COVID-19 epidemic and its economic impact, 48 billion digital transactions were reported in the calendar year (CY) 2020. Overall, the total digital transaction volume in 2020-21 was 4,371 crore, up from 3,412 crores in 2019-20, according to the Reserve Bank of India’s Annual Report 2020-21, demonstrating the digital payment system’s resilience in the face of the epidemic.
The Reserve Bank of India (RBI) is in charge of payment system supervision, and the Board for Regulation and Supervision of Payment and Settlement Systems (BPSS) The establishment of a new department, the Department of Payment and Settlement Systems (DPSS), by the RBI in 2005 to focus solely on payment and settlement systems, and the subsequent legislation of the Payment and Settlement Systems Act, 2007 (PSS Act), ushered in a new era in the country’s payment system history.
In its vision for Payment Systems 2005-08, the RBI perceived the need for an umbrella organization to oversee all of the country’s retail payment systems. As a result, NPCI was established as an umbrella body under the supervision and assistance of RBI and the Indian Banks’ Association (IBA).
It was established in December 2008 as a Section 25 (not-for-profit) company under the Companies Act, 1956 (now Section 8 of the Companies Act, 2013) with the mission to serve all member banks and their customers, build infrastructure for operating pan-India systems with high availability and scalability to process growing volumes of retail electronic payments, and so on.
State Bank of India, Punjab National Bank, Canara Bank, Bank of Baroda, and Union Bank of India, Bank of India, ICICI Bank, HDFC Bank, Citibank N. A., and HSBC are the 10 main promoter banks. In 2016, the shareholding was expanded to 56 member banks, covering a wider range of industries.
In regard to the regulations there exist the Unified Payment Interface Guidelines by the NPCI. These guidelines are framed under the provisions of the Payment and Settlement of System Act, 2007. These guidelines are binding in nature and hence every member of UPI has to abide by them. There are three broad requirements given by these guidelines in order to become a member of UPI.
First, the entity willing to provide mobile banking services will come under the regulation of RBI under the Banking Regulations Act 1949. Secondly, the member should abide by all certification requirements, procedural guidelines, risk & operating circulars, and guidelines which is an issue by NPCI from time to time. Lastly, the bank should be live on Immediate Payment Service (IMPS).
The UPI ecosystem is intended for banks as only banks are allowed to interact with the UPI Switch. This though does not vitiate the possibility of non-banking organizations to carry transactions in this ecosystem. They have to fulfill one additional requirement and have to partner with any banking organization which has enabled UPI.
Once the bank-enabled UPI agrees the entity can build their PSP (Payment Service Provider) which is well known as a third-party application. The partnered banks are entirely liable for all the financial and operation liability of these applications.
There are many-fold conditions imposed on these PSP’s. These guidelines are majorly in regard to the security of information and hence create a boundary in which these PSP’s should work. It mandates that PSP’s central application should be in accordance with the RBI guidelines on Banking systems.
The customer data should be maintained by the bank’s data center and the merchant app should not have access to it. The payment regarding credentials, sensitive data should by no means reach these merchant apps and should only reside in the bank’s UPI system. It imposes the responsibility on the bank for the proper functioning of the apps and to ensure that the application supports all versions of iOS and Android.
These provisions also provide freedom to the customer for downloading any application as they wish. Customers can even have two applications in one device and no application should interfere in the functioning of the other while installing, running or any function done by the application. In the present scenario, the application is mandatory for iOS and Android but optional for windows.
The existing members can anytime be terminated or suspended from undertaking the functions by NPCI if the member fails to comply with any NPCI or UPI product, procedural guidelines, or any provisions by NPCI or RBI.
It can further be suspended if the RTGS account of the member with RBI is closed or suspended by the central bank. Furthermore, in the case where the member bank is amalgamated or merged with another member bank, the membership is terminated. Lastly, if the RBI suspends the approval of the mobile application then also the merchants cease to be a member.
Role and responsibility of NPCI
NPCI’s major goal is to bring together and integrate different systems with varying service levels and standard business procedures for all physical and electronic payment and settlement systems. It also intends to provide a cost-effective payment method that benefits the country’s common people and promotes financial inclusion.
The UPI Network’s owner, network operator, service provider, and coordinator are NPCI. NPCI has the right to run and maintain the UPI Network on its own or to contract with third-party service providers to deliver or operate essential services.
NPCI retains the right to inspect its members’ UPI-related systems (including hardware and software) as and when it deems appropriate, either internally or through an external agency. Additionally, each member must perform yearly internal audits and ensure that its processing agent, if any, follow the UPI Procedural Guidelines, and members must submit the audit report on an annual basis to NPCI.
Apart from that, the RBI may conduct or have conducted audits and inspections of PSP to carry out its functions under the Payment and Settlement System Act, 2007, and it shall be the duty of the PSP to assist the Reserve Bank of India in carrying out such audits and inspections, as the case may be.
The National Payments Corporation of India (NPCI) has been granted Type D RTGS membership and now provides settlement services to banks. The settlement rates might be changed at any time based on company needs. The National Payments Corporation of India (NPCI) acts as a settlement agency, arranging for the interbank settlement of credits and debits to the banks’ respective RTGS Settlement Accounts with the Reserve Bank of India (RBI). The amount of service fees owed by NPCI’s members for utilizing UPI services is determined by NPCI. NPCI also maintains an account with a member of the UPI network as a service provider.
If members violate the guidelines, NPCI retains the right to penalize them. Fines may be imposed as part of the penalty, as determined by the UPI Steering Committee from time to time. Depending on the member’s previous record, it reserves the right to either alert the member or issue a penalty. Failure to follow the UPI Procedures may result in Steering Committee recommendations or legal action.
The PSP/Bank will handle any customer complaints about non-refunds for failed transactions and/or non-credits for successful transactions. According to the rules published by NPCI from time to time, any complaint regarding credit not being delivered to a beneficiary shall be resolved definitively and bilaterally by the remitting and beneficiary banks.
Critical analysis of NPCI
The key infrastructure (such as IMPS and UPI) that supports retail payments is managed by NPCI. While the NPCI has performed well, there remains a regulatory vacuum in terms of eligibility requirements and operating circumstances for another interested organisation to provide services similar to the NPCI.
Because of its function, it also works as a quasi-regulator in the retail payments industry, and it is critical that the many responsibilities served by NPCI do not impede the sector’s growth. As a result, NPCI’s infrastructure provider position must be split from its instrument operator role, with payment instrument-related operations housed in a distinct profit-making organisation.
Another problem that has to be addressed is the fact that the NPCI has not yet been designated as a Financial Market Infrastructure (FMI), which would mean that it would be subject to more regulatory scrutiny.
The Watal Committee’s proposal for legal reforms to designate NPCI as a Critical Payment Infrastructure Company must be followed by the government (CPIC). NPCI would be governed by the principles of the CPSS-IOSCO Disclosure framework and assessment process if it was categorised as a CPIC.
This will make performance measurements and governance more transparent. Meanwhile, the RBI DPSS should make the NPCI risk assessment and the actions taken by the NPCI in accordance with the advice of the public.
While the RBI feels that self-regulation is sufficient, several areas of governance still need to be improved. Digital payments should ideally be governed by a co-regulatory framework. The NPCI, as a payment network provider, serves as the de facto technical regulator for all companies involved in the UPI ecosystem and is controlled by the RBI. If a new payments regulator is not possible, public transparency measures to increase accountability and confidence must be implemented.
The 2017 Bank of Maharashtra UPI Fraud case, in which Rs 25 crores were siphoned off from the bank through UPI payment requests that were honoured by the system even though there were no funds in the accounts, highlighted the need for NPCI to take more responsibility for UPI frauds.
Since it is an intermediary in all the transactions, it cannot absolve itself of its responsibilities for digital payment frauds. It can seek indemnification from the banks, but litigation in which NPCI is named as a “accused” of “facilitating the fraud by negligence” cannot be avoided.
Furthermore, RBI’s worry that the National Payments Corporation of India (NPCI), which handles almost half of all digital payments in India, might become a monopoly and a too-big-to-fail company in the retail payments sector, is justified.
The RBI’s new initiative to promote competition and innovation in the fast-growing sector, as well as to allow more players into the market by easing entrance and other rules, is well-founded. From a financial stability standpoint, it will reduce concentration risk in the retail payments industry and boost innovation and competition.
After a thorough examination of the UPI system, we can conclude that India is taking significant and good moves toward digitalization. These policies and procedures are well-thought-out, comprehensive, and yet sensible. The extensive surveillance system provides total security and eliminates the possibility of human mistakes.
The procedural rules are written with the sensitivity of the situation in mind, and all precautions are taken to safeguard the consumer. The imposition of accountability on banks for any discrepancies increases people’s confidence and trust in these digital platforms.
The recent case study of WhatsApp highlights the processes that a UPI payment platform must go through in order to receive NPCI and RBI approval. Acceptance of these platforms can even be contested in a court of law, making the judiciary the third line of defense.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: