This article has been written by Aishwarya Arora, Student, 3rd Year, LL.B. (H), Campus Law Centre, Faculty of Law, University of Delhi.
The digital payments ecosystem in India has seen an excellent growth in the last five years. For instance, the Report of the Committee on Deepening of Digital Payments has observed that the Digital Payments Per Capita in India has shown a growth from 2.4 transactions in 2014 to about 22 transactions in 2019. The segment is formed of different types of systems of online payment which cover transactions done through RTGS (Real Time Gross Settlement), NEFT (National Electronic Fund Transfer), IMPS (Immediate Payment Service), Digital Wallets, and Unified Payments Interface (UPI). Of these, Digital Wallets and UPI have amplified their operations in the wake of demonetization in the November of 2016.
In a report by the RBI, e-money is defined as the prepaid value stored electronically and is issued by authorized ‘Issuers’ and the liability for the stored value is that of the issuer. It is a value denominated in a currency backed by the central authority of that country. In India, its share in the total payments systems has increased from a negligible 0.8% in 2012 to 21.5% in 2017. Therefore, it is seen that the definition does not cover crypto-currencies as they do not enjoy the necessary approval by the RBI, but, places within its ambit, the Prepaid Payment Instruments (PPIs), more specifically, the digital wallets and the Government backed Unified Payment Interface (UPI).
Prepaid Payment Instruments (PPIs)
PPIs are defined as “payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments.” They can be of three types:
- Closed system payment instruments: They are issued by an entity to a holder to facilitate the purchase of goods and services from the issuer itself. An ideal example of this type of a system would be a brand-specific gift card.
- Semi-closed payment instruments: These are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations or establishments which have a specific contract with the issuer to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.
- Open System PPIs: These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc.
As closed-system payment instruments do not provide third party payment and settlement services and open-system PPIs are issued only by banks, digital wallets are placed under the second category, that is, the semi-closed payment instruments. They are reloadable instruments that can be issued only in electronic form.
The regulatory framework for digital wallets is provided in the “Master Direction on Issuance and Operation of Prepaid Payment Instruments”, which was first issued by the RBI in 2009 by virtue of Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007. The 2009 guidelines permitted the non-bank entities to issue semi-closed instruments for the first time. These guidelines have seen numerous amendments since then.
By 2016, as more disruptive technologies emerged and newer players entered the business, a fillip was given to the growth of the whole segment. With the implementation of demonetization that severely restricted the flow of hard cash in the economy, employing alternate means of payment had become necessary. Following this, it became imperative for the RBI to put in place a comprehensive set of directions to be followed by the private entities operating these online payment systems. Thus, after taking a feedback from all the stakeholders into consideration, major changes were announced in the aforementioned Master Directions in 2017 which was further amended in 2019.
With more and more private entities operating their own digital wallets, the Master Directions address some of the key concerns in this area as follows:
Any company incorporated in India and registered under the Companies Act, 1956 or Companies Act, 2013 can issue and operate PPIs after receiving authorisation from RBI. According to Regulation 3(1) of the Payment and Settlement Systems Regulation, 2008, entities are required to seek authorization from Department of Payment and Settlement Systems (DPSS) of the RBI by submitting an application in the prescribed manner.
The RBI looks at net-worth of an entity for approval. In the pre-2017 directions, there was a requirement of a minimum paid-up capital of Rs. 5 Crores and a minimum positive net worth of Rs. 1 Crore for non-banking entities. However, as the policy stands today, the minimum paid-up capital requirement has been done away with while the minimum positive net worth requirement has been increased to Rs. 5 Crore.
The minimum positive net worth requirement is to be satisfied as per the latest audited balance sheet at the time of submitting of the application for approval. Moreover, this has to be maintained at all times. Additionally, the entity, within three financial years of receiving the RBI authorization, has to achieve a minimum net-worth of Rs. 15 Crore which shall also be maintained at all times. Done with the intention of controlling who enters the market and to weed out non-serious players, this policy has proven to be unreasonably restrictive for the smaller entities.
The issuers can issue two types of semi-closed PPIs based on the level of their KYC compliance, that is to say, on the level of identification-related information provided by the user. The first type can be issued with minimum or limited KYC. The minimum KYC details include the customer’s mobile number verified through One-Time-Pin (OTP), and a self-declaration of name and a government identification number to authenticate the account.
The amount of funds loaded in this type of an instrument, during any month, cannot exceed ten thousand rupees and the total amount loaded during the whole of financial year cannot exceed one lakh rupees. Only the purchase of goods and services is allowed and bank transfer and interoperability of the instrument is not permissible for PPIs with a limited KYC compliance.
These minimum-detail instruments are mandatorily required to be converted within 18 months into full-KYC compliant, semi-closed PPIs. On the other hand, the full KYC-compliant PPIs, apart from allowing for purchase of goods and services, offer the option of ‘fund transfer back to the source’, bank account transfers as well as transfer to beneficiaries of up to one lakh rupees per month.
The entity operating a digital wallet is required to adhere to the RBI Master Direction on Know Your Customer (KYC), 2016 for customer identification. These Master Directions have provided for a sound framework for the prevention of money-laundering and since the non-bank issuers are essentially in the business of operating a payment system, compliance with Prevention of Money Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 framed thereunder, is necessary.
Additionally, PPI issuers are required to maintain the log of all transactions for a period of ten years and are also required to file Suspicious Transaction Reports (STRs) to the Financial Intelligence Unit (FIU-IND). These stringent procedures for customer identification and for monitoring of transactions through record-keeping will ensure that no criminal use of these alternate money instruments can be made, intentionally or unintentionally, for money laundering or for funding of terror activities.
Security of Payments
RBI, in its guidelines, has always emphasised on a strong risk management system to protect customer data shared during the financial transactions. Now the guidelines have even ensured that the entities issue an Information Security Policy approved by their Board. Some of the mandatory requirements to be followed by the private entities to prevent fraudulent transactions are:
If the PPI issuer provides the same login for its wallet and its other services, that information regarding the same has to be clearly conveyed to the holder.
Restrictions on multiple invalid attempts to log in have to be placed.
Every payment transaction has to be authenticated through customer consent and alerts should be sent out for every transaction.
Overall, a suitable mechanism has to be put in place for preventing, detecting and restricting occurrence of fraudulent transactions.
Increasing norms around customer protection and fraud prevention is going to have the effect of increasing customer confidence in the digital payments, thereby increasing its adoption and increasing business.
As per the norms, a ‘cooling period’ for fund transfer is also a requisite whenever a new PPI account is opened, freshly loaded or a new beneficiary is added. In that time, alerts are sent to the customers to review the new additions and prevent erroneous transactions.
Interoperability is the technical compatibility that enables a payment system to be used in conjunction with other payment systems. Interoperability allows PPI Issuers, system providers and system participants in different systems to undertake clear and settle payment transactions across platforms without participating in multiple systems.
With Prepaid Payment Instruments (PPIs) – Guidelines for Interoperability released by the RBI in 2018, an attempt has been made to make the digital wallets operable with each other. That is to say, a user of one wallet can make a payment to a merchant that accepts a different wallet. This has made the payments through PPIs seamless. The interoperability between the wallets is to be enabled through the use of Unified Payments Interface (UPI) facilitated by the National Payments Corporation of India (NPCI).
These directions have positives for both the non-banking entities as well as the users. For the users, it means that registration with multiple payment systems is not necessary anymore as payment to one system can be made using another system and for digital operators, it has meant that they get access to each other’s’ customer base much like the ATM networks.
Unified Payment Interface (UPI)
Private Entities facilitating UPI-based transactions
The aforementioned discussion on Unified Payments Interface (UPI) necessitates the need to explain the working of this instrument. It was developed by the National Payments Corporation of India (NPCI) and was launched in 2016. It facilitates inter-bank transactions in real-time which are processed either on web or a mobile platform. As per the UPI Procedural Guidelines released by the NPCI, the Payment System Provider (PSP) should be an entity regulated by RBI under Banking Regulations Act, 1949 and should be authorized for providing mobile banking services. However, the private players have been allowed to participate in the UPI based transactions through a multi-bank PSP model. Here, the private entity, usually a technology platform provider, connects multiple bank accounts to the UPI system through the use of Application Program Interface (API) Technology. Thus, a person having an account with one bank can transfer money instantly to a different account with another bank using any of the UPI- enabled applications available. It eliminates the need to add a beneficiary or to authenticate the transaction at multiple levels. The transaction data, however, can be decrypted only by the bank account of the payer and not by the Third Party App Providers (TPAPs) because of the use of the API technology embedded in UPI.
Obligation of the Participating Banks
Considering the sensitivity of these transactions, NPCI delineates the obligations that are to be fulfilled by the TPAP as well as the PSPs for enabling such transactions. For example, before initiating operations, the TPAP is mandated to seek a written permission from the NPCI and is required to give the names of the participating banks. The responsibility of the participating banks is immense as they are primarily responsible for providing security against any kind of breach of customer data that could happen through the third party apps. As the responsibility for storing payment sensitive data of the customers is with the PSP, they must perform an audit on the TPAP’s infrastructure to ensure that the integrity of such data is maintained and that the functioning of the app is secure. Along with the TPAP, the PSPs are also responsible for addressing the complaints of the consumers.
Obligation of the Third Party App Providers (TPAP)
The obligation on the third parties is to store only that customer data to which the customers have given their consent. A record of details like customer’s name, mobile number, gender, email id etc. can only be in an encrypted format and all the information exchange between the third party and the bank is to be done through a secure channel. As a caveat, it has also been provided that the third party shall not share the details of individual transactions with any other third party, including their holding company or subsidiary and the Indian Government or Intelligence without the prior consent of the PSP and NPCI. Currently, there are 40 NPCI approved third party apps and 141 banks connected on the UPI system. Various policy measures taken by the government to push its adoption among the business owners, its ease of use and zero cost to the consumers have all contributed to the growth of UPI. In September, 2019, the segment has registered 955.02 million transactions in volume worth Rupees 161 thousand Crores and it is likely to grow at an annualised average growth rate of 100 per cent.
As is evident from the above discussion, the economy’s dependence on the digital modes of payments has risen. The number of players operating both digital wallets and the UPI-based apps is also increasing. To regulate the operations of the semi-closed prepaid payment instruments or digital wallets, as they are called, RBI has issued the Master Direction on Issuance and Operation of Prepaid Payment Instruments taking into consideration the sensitivity of the information involved in these transactions of these transactions and its impact on the users. This is why the directions now provide for a stricter eligibility criteria for the issuers. Laws have also been tightened to prevent fraud and money laundering through PPIs while the convenience for the users has been increased by way of enabling interoperability between the instruments owned by different issuers. Apart from aiding interoperability, UPI is also a full-fledged payment system governed by the NPCI through the UPI Procedural Guidelines under which a private player connects multiple banks to the UPI system using the API technology. It enables users to make payments across bank accounts seamlessly, in a secure environment.
All these developments are likely to raise the number of digital transactions from 2069 crore in December 2018 to 8707 crore in December 2021. To support this level of rapid growth, a regulatory framework that encourages, inter alia, competition amongst the payment system operators, thereby ensuring cost-effectiveness to the users, and provides easier accessibility, quick grievance redressal mechanism and safe and secure transactions to the users, is a prerequisite.
 RBI, Digital Transaction Metrics, Report of the Committee on Deepening of Digital Payments, (May 17, 2019), https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/CDDP03062019634B0EEF3F7144C3B65360B280E420AC.PDF
Department of Payment & Settlement Systems, RBI, Glossary, Benchmarking India’s Payment Systems, (June, 2019), https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/BIPS04062019CE3C72E9873244ED8BAAE9C8FC5955A8.PDF
RBI, Definitions, Master Direction on Issuance and Operation of Prepaid Payment Instruments, (Oct. 11, 2017), https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11142
 RBI, Payment and Settlement Systems Regulation, 2008, (Dec 20, 2017), https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/PSSAMENDED201720122017C638035D14964D16B0D79590F4F86E31.PDF
 RBI, Master Direction- Know Your Customer (KYC) Direction, 2016, (Feb. 25, 2016), https://rbidocs.rbi.org.in/rdocs/notification/PDFs/18MDKYCD8E68EB13629A4A82BE8E06E606C57E57.PDF
 RBI, Prepaid Payment Instruments (PPIs) – Guidelines for Interoperability, (Oct. 16, 2018), https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NOTI61724025FD07FE407D8796EC6C97A17A8E.PDF
 NPCI, Membership Requirements, Unified Payments Interface- Procedural Guidelines, (Dec., 2016), https://www.npci.org.in/sites/default/files/UPI-PG-RBI_Final.pdf
 NPCI, Circular No. 32, Multi bank Model (API Approach), (Sep. 15, 2017), https://www.npci.org.in/sites/default/files/circular/UPI%20Circular%20no%2032_Multi-Bank%20Approach_15th%20Sept.pdf
 NPCI, UPI Product Statistics, What We Do, UPI, (Sep., 2019), https://www.npci.org.in/product-statistics/upi-product-statistics
 NPCI, supra note 9
RBI, Expected Outcomes of Vision 2021, Payment and Settlement Systems in India: Vision- 2019-2021, https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/PAYMENT1C3B80387C0F4B30A56665DD08783324.PDF
 RBI, supra note 11
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.