India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as legal tender.
The Narendra Modi government’s demonetisation move might have massively increased transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments are still kept largely under the ambit of the Information Technology (IT) Act.
“We don’t have any dedicated law on digital payments. That’s very important to grant complete legality and remove any doubts and clarifications pertaining to legal efficacies and legal validity of digital payments,” says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.
While the Reserve Bank of India (RBI) usually sets security and privacy standards for banks in the country, digital wallets such as Paytm, FreeCharge and MobiKwik fall under the category of non-banking financial corporations (NBFCs), which excludes them from this. For fintech companies in India today, security compliance falls under Section 43 A of the IT Act.
Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which, as Duggal puts it, can always be repudiated. There’s a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies themselves.
While maintaining security standards for fintech companies falls under the data protection law of the IT Act, the lack of an enforcement mechanism hinders any good this can do.
Since the demonetisation announcement, digital wallet firms such as Paytm have seen as many as 35 million transactions by users to either buy goods and services or transfer funds to another account. Rival FreeCharge has tied up with the police forces of Mumbai to let people pay traffic fines using its platform.
Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India’s largest technology companies still do not comply with Section 43 A.
“We have a minimal data protection law in our IT Act and that will apply to all the fintech players. But, our ISPs (internet service providers) and telcos don’t comply with Section 43 A. So you can imagine compliance will be even lower in the fintech sector,” says Sunil Abraham, executive director, CIS.
The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services have raised questions.
RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal. On November 23, the banking regulator increased the limit to Rs 20,000. Last week, India’s largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 1 lakh upon completing the know-your-customer procedure.
“There are no legal mechanisms available in case of disputes pertaining to digital payments. The compliance to the Indian cyber law is more done in the breach rather than in compliance,” adds Duggal. While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved.
Under Section 43 A, there are provisions to allow a sector to form a consortium that agrees to set security standards. All players must follow this, which is valid in a court of law during dispute resolution. Vijay Shekhar Sharma, the founder of Paytm, says there is a dispute mechanism similar to what is done with credit or debit cards that firms such as his follow when a customer has an issue. “Regulation in digital money works just like in the case of cards. It is the issuer, in this case, the wallet companies that has to resolve the problem. If not, the next stop is consumer court,” says Sharma. “There is no ambiguity in this.”
This could be a call to India’s growing number of fintech companies to come together and define their own security standards. Moreover, this move is encouraged by experts, as governments often lack the bandwidth to define sector-specific laws, and this is where private-sector expertise can go a long way.