Data breach: Business models of payment platforms under RBI scrutiny

Seeks info on lending ops after cases of data breach

The Reserve Bank of India (RBI) has decided to review the business models of payment aggregators in view of a spate of frauds hitting customers due to unauthorised sharing of financial data, sources aware of the development said. The banking regulator has sought information from these entities on their activities, including the sharing of customer data, the sources said.

Payment aggregators are entities that enable e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations. The RBI’s approval is needed to become a payment aggregator. The central bank had mandated a minimum net worth of Rs 15 crore by March 2021 and Rs 25 crore by March 2023 for such entities. Since the abolition of the merchant discount rate (MDR) on the unified payments interface (UPI) and RuPay transactions two years ago, payment aggregators have been facing a tough time to generate revenues. Earlier, they used to generate revenues by processing payments for the merchants.

“Payment aggregators invested a lot in developing their payment infrastructure. After the MDR was abolished, their revenues were impacted, because they stopped making any money by processing the transactions,” said an official from the payments industry. 

“As a result, they are now trying to monetise the payment data by sharing it with NBFCs (non-banking financial companies). They also tie up with NBFCs and sell loans on their behalf to earn a commission,” the person added.

PhonePe and Google Pay are the largest players among payment aggregators and they manage over 80 per cent of the transactions processed through UPI. In the current financial year, UPI has processed a little over 40.49 billion transactions worth Rs 74.51 trillion. This is almost double the number of transactions reported in FY21. Paytm, BharatPe, CC Avenue, Pine Labs are the other major payment aggregators. ICICI Bank, HDFC Bank, and some other private banks are also in this business.

RBI sources indicated that the department of supervision had been tasked with engaging with payment aggregators and other players in the payment ecosystem to find out the issues.

Payment history data is “precious”, said another source, as there are not many agencies which collect such data. “The aggregators have the actual data on payments. The data is then used for making lending decisions; the aggregator who sells the loan on behalf of the NBFC earns a fee.”

“The RBI is trying to understand how data sharing works, whether they are taking consent from the customer to share the data. Whether the loans they are extending are on their books or in the books of some other entities,” the source said.

The development comes at a time when a host of payment aggregators have queued up for NBFC licences. Sources said the RBI wanted to understand the issues of these entities before extending licences.

According to a report of a working group of the RBI, there were approximately 1,100 lending apps for Indian android users across more than 80 application stores during January 1-February 28, 2021. Of these, 600 loan apps were illegal. The RBI has written to the finance ministry in the past, asking for coordinated actions against such lending platforms.