By Sidharth Deb*
- Cash scarcity; and
- The convenience afforded to consumers through e-wallet/online wallet services
In furtherance of the policy of demonetisation, the Indian government has also incentivised online transactions by offering discounts for digital payments.
Interestingly, India was recently ranked as one of the five most vulnerable nations to cyber security threats. This was highlighted by the recent debit and credit card hack which adversely compromised over 3 million accounts. The presence of a trust deficit seems justified when one looks at concerns expressed by both the National Crime Records Bureau (‘NCRB’) in its 2015 Report and the Reserve Bank of India (‘RBI’) . Both institutions have stressed numerous instances where people have been vulnerable to data theft. Further, it has been suggested that mobile wallets are not developed with hardware level security. Such industry practices leave sensitive information more susceptible to cyber threats. There is also a limited legal framework for the use of online payments.
The need for a stronger legal framework which adequately protects people’s financial/ sensitive data is clear. The use of private platforms such as PayTM, MobiKwik and FreeCharge and the launch of the Bharat Interface for Money (‘BHIM’) means digital transactions will only become more ubiquitous. This means that users are exposed to concomitant risks. This post seeks to understand the current legal matrix regulating digital payment security and highlight its inadequacies.
There is presently no central data protection/ security legislation. Given this background, what India has instituted is a National Cybersecurity Policy, which was released in 2013, by the Ministry for Electronics and Information Technology (‘MEITY’). The document seeks to establish an umbrella framework which “…creates(s) a secure cyber ecosystem in the country, generate adequate trust & confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.” It emphasises the need to introduce sector specific policies to ensure data security. However, there has been no statutory follow-up to this policy.
Keeping this in mind, we examine two legislations which are presently applicable to the digital wallet security landscape. The first is the Information Technology Act, 2000 (which was last amended in 2008) and the other is the Payments and Settlements Act, 2007 under which RBI circulars and guidelines relevant to online security are released.
IT Act, 2000
The two relevant portions of this statute are Section 43A and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Section 43A states that “body corporates” handling sensitive personal data or information must provide reasonable security measures. These measures must be “….designed to protect such information from unauthorised access, damage, use modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law…” Failure to do the same would result in liability to pay the affected party damages. The text informs us that digital wallet companies can contract out, via their terms of service agreements, the data security obligations imposed by this section. It should be noted that services which are provided by entities which are not corporate bodies (such as BHIM, offered by the National Payments Corporation of India) can be exempted from the obligations under this section.
Under this provision, the aforementioned 2011 rules were notified. Rule 3 characterises “sensitive personal data or information” as:
- Financial information such as Bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information;
- Any detail relating to the above clauses as provided to body corporate for providing service; and
- Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise…”
The most glaring issue with this rule is its exhaustive nature. It restricts “sensitive data or information” to entries which only fit into one of the eight aforementioned categories. Such restrictiveness, has the capacity to exclude information or data which is stored, handled and processed by modern day online platforms. This indicates the rule’s incomplete applicability in today’s internet landscape.
Rule 8(1) describes reasonable security practices and procedures as companies having “…implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business…”.
However, experts have stated that most FinTech companies flout the above-discussed requirements.
Payment and Settlements Act, 2007
Section 18 of this statute gives RBI the power to determine appropriate policy for the regulation of electronic payment systems which affect domestic transactions. Section 10(2) gives the RBI the power to determine standards for the management of specific payment systems. Deriving authority from this, the RBI has been releasing annual circulars detailing the issuance and operation procedures for prepaid instruments. The latest one was released in July 2016.
This circular categorised digital wallets such as PayTM, as semi-closed payment instruments. While addressing “Fraud protection and security standards”, it orders such companies to “…put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.” No specific guidance is provided to determine what “adequate information and data security infrastructure” entails. Moreover, it has no reference to any penal measures should a company fail to adhere to these requirements.
The RBI released, in June 2016, a comprehensive cybersecurity framework to regulate banks. They have the authority to contemplate a similar course of action for prepaid instruments. In that vein the RBI in December 2016 released a new notification (under Section 10 (2) read with Section 18 of the Act) addressing “Security and Risk Mitigation Measure(s)…” for prepaid instrument issuers.
In this notification, the RBI acknowledges that without adequate cyber security their push for widespread adoption of digital payments will suffer huge setbacks. To enable a robust and secure digital ecosystem, this notification orders prepaid instrument issuers to undergo annual system audit reports from qualified auditors. The scope of these system audits includes “hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation, etc.”
Moreover, it advises all prepaid instrument issuers to carry out a special audit by empanelled auditors of India’s Computer Emergency Response Team (‘CERT-IN’) and to take subsequent appropriate steps as per the findings of the audit. They have also been advised by the RBI’s notification to take “appropriate measures” to mitigate phishing attacks and to disseminate best security practices to their customers periodically. Prepaid instrument issuers have also been asked to take dynamic security measures as per emerging threats and general threat perception.
The Union Minister for electronics and information technology has acknowledged the need for stronger cybersecurity laws. This has been echoed by a subsequent declaration that MEITY plans to review and accordingly update the architecture of the Information Technology Act, 2000. It was further stated that a digital payments division has been set up, which is tasked with reporting unusual activities to CERT-IN. Similarly, in January, 2017, the CMs Committee on digital payments led by Andhra Pradesh Chief Minister Chandra Babu Naidu submitted an interim report to the Prime Minister. This report recommended the adoption of measures which strengthen cybersecurity.
It has also been revealed that the central government is working on a legal framework aiming to shield privacy and financial details of users when they transact online. It hopes to be a comprehensive security regulatory framework which establishes obligations and liabilities to be imposed upon payment companies. It shall cover “e-wallets, payment gateways, prepaid cards and other payment platforms”.
Different legislative routes have been suggested to assure digital security for online transactions. Members of Parliament, such as Mr Rajeev Chandrasekhar, have recommended a central online digital security legislation. One drawback to such a general measure as evidenced is that it would lack specificity. This causes a problem, as generic laws have the scope to overlook problems which are exclusive to specific industries.
To that end, other cyber law experts have recommended sector specific laws which pertain to digital payments and their security. For an effective security regime, for the e-Wallet industry, stakeholders must be consulted whilst developing minimum standards of protection afforded to vulnerable information.
The Watal Committee for Digital Payments submitted a report in December, 2016, recommending a new statutory board for regulation and supervision of payments and settlements which is independent of RBI supervision. It further went on to state that the Payment and Settlements Act, 2007 requires updating with explicit mandates for data protection and security keeping in mind consumer interests. Lessons can also be learnt from Indonesia whose central bank, in November 2016 released a comprehensive regulatory system for e-wallet services. It includes compliance requirements with informational security standards.
*Sidharth is currently an intern at CCG. He graduated from WB NUJS in 2016.