News and developments

India’s Payment Vision 2025 Towards Digital Payment: A Legal Study

The Department of Payment and Settlement Systems, the Reserve Bank of India, introduced India’s Payment Vision 2025 in June 2022 with an aim to deliver secure, convenient, and affordable electronic payment solutions to all users. The vision builds upon the success of the earlier Vision Plan of 2019-2021. The Payments Vision 2025 document outlines goals across five anchor points: Integrity, Inclusion, Innovation, Institutionalisation, and Internationalisation. Although the use of Digital Payment is rising tremendously, however, the legal measures we have today are not adequate to combat the dangers it poses. Any Digital Payment comprises of two phases, first is when the cash is withdrawn from the consumer’s account and second is when it lands to the receiver’s account. Now, we have used all our technologies in the first phase, however, India still lacks to protect the consumers if they lose money in the second phase.[1] That is the reason, it is said, “the devil lies in the details and it is the details that are concerning”.

Impediments To The Success of India’s Payment Vision 2025

It is safe to say that cash has always been in circulation and presently it is the most preferred mode of money transactions. For decades, India has been a cash-based economy and despite the government’s efforts to shift from physical currency to digital currency, people still believe in cash. Recent data indicates that in 2020, 53% of India's population uses smartphones with internet connectivity.[2] However, with the surge in digital adoption, India's susceptibility to cyber threats has escalated. Astonishingly, in 2023 alone, the National Cyber Crime Reporting Portal received 11 lakh complaints related to online digital payment frauds.[3] The Reserve Bank of India's annual report highlights that banks reported 6,659 digital fraud cases concerning cards and internet banking, causing a total loss of 276 crore Rupees.[4] Moreover, a 2023 survey conducted by FCRF reveals alarming statistics, showing that financial fraud constitutes 77.42% of all cybercrimes, with UPI-related fraud alone accounting for 47.3% of this figure.[5] This data unequivocally underscores the vulnerability of a significant segment of society.

Furthermore, the annual report of the RBI sheds light on a lesser-known occurrence termed the cash paradox. Notably, in 2022 as per the annual report, India experienced a cash paradox, evidenced by the continuous increase in the percentage of Currency in Circulation.[6] This indicates a notable increase in physical currency within the Indian economy. This fact is further verified by the statement of the current finance minister of India Smt. Nirmala Sitaraman in “Lok Sabha”, “in March 2014 the currency notes in circulation were 13 lakh crores and in March 2022 it increased to 31.33 lakh crores.” [7]

In light of the aforementioned data, it is evident that the vision is a positive goal, however, the bigger question is, whether India is ready to implement the Payment Vision 2025.

Adequate safety measures in different laws

The Payment Vision 2025 might have warranted an increase in electronic payments more securely and safely, but measures which directly ensure cyber security for digital payments are still outside the ambit of the Information Technology Act, 2000 or any other legislation thereto. There are existing laws that encompass crimes related to digital payments, including but not limited to the Information Technology Act, 2000; the Payment and Settlement Act, 2007; and the Digital Personal Data Protection Act, 2023. Upon careful examination of the various provisions of the Act, it becomes apparent that they all circumvent the issue of digital fraud, with none directly stipulating the associated punishments. The Information Technology Act, 2000 (IT Act)provides a legal framework for cybersecurity, online payment intermediaries and lays out the punishments for unauthorized access, and computer-related offenses, however, the IT Act was formed in 2000 even before social media and the internet and given the increase in digital payments and to achieve the agenda of becoming a cashless society, existing laws or merely amending the existing laws will not suffice.[8]

Moreover, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 focuses entirely on intermediaries including online payment intermediaries and digital media platforms with the objective to regulate the online space, however, several unsolved queries  tag along with the rules which are whether the requirements for intermediaries to comply with the due diligence are reasonable and consistently enforced throughout the new classifications or whether payment companies are actually complying with the rules as they are already regulated entities under the Reserve Bank of India. There are lacunae which are inherent in the very nature of crimes involving information technology as it does not directly cover the aspects of online digital payment frauds like (a) cyber-crime; (b) hate speech; (c) jurisdictional issues; and most importantly (d) the issue of non-reporting of cybercrimes with a fear that it might hinder with the reputation of the businesses operating online.[9]

While the Payment and Settlement Systems Act, 2007, the Payment and Settlement Systems Regulations, 2008 and the Payment and Settlement Systems (Amendment) Act, 2015 had been enacted with the intention of regulating payment systems in India and dealing with regulatory oversight. Subsequently, several committees have recommended reforms to include provisions on open access, risk-based regulation and interoperability, however, they are not yet incorporated in the present statute. There still remains a lacunae for dealing with modern retail digital payments, consumer protection, promotion of competition, no consumer grievance redressal mechanism and innovation due to the existing gaps.[10] As such the Act merely provides punishment only with regards to regulatory breach of the provisions. Surprisingly, it does not cover the criminal aspect of the fraud.[11]

Furthermore, the Digital Personal Data Protection Act, 2023 which has not yet come into force seeks to govern the collection, storage, and use of personal data by companies involved in digital payments. However, data breaches, phishing attempts, and identity theft continue to be a problem for digital payments in India that the Act does not talk about/is silent about.[12]

The clear lack of a certain law is further reflected in the fact that recovery rate in case of digital fraud is less[13] Although, India needs robust legislation, however, the Reserve Bank of India (“RBI”) as the apex regulator and supervisor for digital payments in India lays down various guidelines,[14] circulars[15] and rules concerning digital payment system security, risk management, encryption for sensitive data, grievance redressal mechanisms and client protection.

Following the COVID-19 pandemic, the use of digital payment systems has grown in acceptance and likelihood of fraudulent transactions has escalated significantly, therefore, to curb  cyber fraud, RBI has released the Guidelines on Regulation of Payment Aggregators and Payment Gateways[16] that are customer friendly and drafted with a primary concern of reducing the possibility of malpractices in online transactions. However, these guidelines governing digital money are ambiguous as they do not define terms such as ‘instant payments’. The new regulations have increased the responsibility of patent aggregators, as they now need to thoroughly investigate merchants and have a duty to protect and secure client and stakeholder transactions. There is room for more research on the complainant's degree of satisfaction with the relevant bank, UPI, aggregator, merchant, or the ombudsman's decision about the complaint's ultimate resolution. Due to the carelessness of the bank, UPI, or merchant, a payment failure or money blockage with the bank, UPI, or merchant may result in needless harassment for the consumer and resolving issues can take years at times.

The RBI has issued Master Directions, namely, RBI (Digital Payment Security Controls) Directions, 2021[17] as a guide to enhance the security and governance of payment getaways, wallets, and other digital payment transactions handled ,the security protocols will be implemented in mobile applications, card payments, internet banking and card issuing institutes.

The RBI has also issued draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators[18] which identify, assess, monitor and manage digital risks by outlining robust governance mechanisms for ensuring and securing digital payment transactions. Although these regulatory frameworks are viewed as a step in the right direction toward addressing loopholes to ensure seamless digital transactions, it is yet not certain how the security framework will be enforced in the wake of rapid and dramatic growth in digital payment frauds.

Conclusion

In India, cash still serves as the default basis for various forms of transactions. Ultimately, it retains significance within the payment infrastructure. Individuals still retain cash due to increasing unpredictability in economic and financial circumstances. Holding cash is paramount to preserving an asset that provides a sense of security, offering a readily accessible and highly liquid asset.[19]

The unprecedented growth in the use of digital payments witnessed in India is remarkable. So far, no country has observed such a successful implementation of the digital payment vision, however, India still needs to adopt multifaceted strategies like firstly, bringing amendments to the existing laws for a better implementation of the vision 2025 as both are intricately connected, secondly, cooperation between regulatory bodies, financial institutions, and technology firms to create secure and convenient digital payment platforms, thirdly, funding for cybersecurity, financial literacy and digital infrastructure projects, and lastly, India's shift to a cashless economy can be accelerated by removing access hurdles and offering tax benefits to encourage digital payments, which will foster financial inclusion and economic growth.

Since, there is an age-old adage that “precaution is better than cure,” and it has become evident that we have not taken sufficient precautions. Therefore, a cure is needed before we can turn the vision of a cashless society into a reality.

Authors: Mr. Amit Verma, Partner Designate, Ms. Darshita Sethia, Associate and Ms. Aayushi Jain, Fellow

Footnotes

[1] The Times of India (2022), Digital payment frauds will continue unless second half of process is streamlined, Available at: https://timesofindia.indiatimes.com/city/nagpur/digital-payment-frauds-will-continue-unless-second-half-of-process-is-streamlined/articleshow/92152463.cms

[2] Basuroy, T. (2023) India: Mobile phone internet users 2050, Statista. Available at: https://www.statista.com/statistics/558610/number-of-mobile-internet-user-in-india/#:~:text=The%20country%20had%20the%20world’s,over%201.2%20billion%20by%202050. (Accessed: 26 March 2024).

[3] Press Information Bureau (2024) Cases of cyber frauds, Cases of Cyber Frauds. Available at: https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2003158 (Accessed: 26 March 2024).

[4] (2023) Annual Report 2022-23. Available at: https://rbidocs.rbi.org.in/rdocs/AnnualReport/PDFs/0ANNUALREPORT20222322A548270D6140D998AA20E8207075E4.PDF (Accessed: 26 March 2024).

[5] FCRF Cyber Crime Survey, 2023 (2024)  A Deep Dive into Cybercrime Trends Impacting India. Available at: https://www.futurecrime.org/fcrf-cyber-crime-survey-2023 (Accessed: 26 March 2024).

[6] Deccan Herald, (2023), Digital Payments zoom, but cash is still king, Available at: https://www.deccanherald.com/opinion/digital-payments-zoom-but-cash-in-still-king-2815344

[7]Research Gate, (2023), Challenges in Digital Payment Adoption in India, Available at: https://www.researchgate.net/publication/375610457_CHALLENGES_IN_DIGITAL_PAYMENT_ADOPTION_IN_INDIA#:~:text=On%20the%20basis%20of%20this,connectivity%2C%20low%20quality%20of%20internet.

[8] Business Standards (2024), India lacks laws to protect customers of digital transactions, Available at: https://www.business-standard.com/article/economy-policy/india-lacks-laws-to-protect-customers-of-digital-transactions-experts-116120300744_1.html

[9]Research Gate (2024), Cyber Crime and Digital Payments in India: A Comprehensive Analysis, Available at: https://www.researchgate.net/publication/375555213_Cyber_Crime_and_Digital_Payments_in_India_A_Comprehensive_Analysis

[10] Cyril Amarchand Blogs (2023), Implications of Digital Personal Date Protection Act 2023 on Payment Service Providers, Available at https://corporate.cyrilamarchandblogs.com/2023/11/fig-paper-no-27-series-1-implications-of-digital-personal-data-protection-act-2023-on-payment-service-providers/

[11] Section 24 Payment and Settlement Act, 2007.

[12]Economics Times (2023), India’s dogotal transformation: A deep dive into Data Protection Act, Available at:  https://telecom.economictimes.indiatimes.com/blog/indias-digital-transformation-a-deep-dive-into-data-protection-act/102786525

[13] 229 banking frauds a day in 2020-21, recovery rate below 1%, RBI says in RTI reply (2021) India Today. Available at: https://www.indiatoday.in/business/story/229-banking-frauds-day-2020-21-recovery-rate-rbi-rti-reply-1888096-2021-12-15 (Accessed: 26 March 2024).

[14] Reserve Bank of India (Bharat Bill Payment System) Directions, 2024; Guidelines on Digital Lending, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF

[15] Reserve Bank of India, Framework for Facilitating Small Value Digital Payments in Offline Mode, https://rbi.org.in/scripts/FS_Notification.aspx?Id=12215&fn=9&Mode=0

[16] Reserve Bank of India, Guidelines on Regulation of Payment Aggregators and Payment Getaways, www.rbi.org.in.

[17] RBI/2020-21/74 DoS.CO.CSITE.SEC.No.1852/31/01/015/2020-21Reserve Bank of India, Master Direction on Digital Payment Security Controls, www.rbi.org.in.

[18] Reserve Bank of India, Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators, www.rbi.org.in.

[19]The Wire (2024), The need for regulatory transparency and accountability around Digital Money, Available at: https://thewire.in/tech/the-need-for-regulatory-transparency-and-accountability-around-digital-money