RBI’s Circular on Unauthorized Electronic Payments in PPIs


On January 04, 2019, the RBI notified a new circular dealing[1] with limiting the liability of customers in unauthorized electronic payment transactions in PPIs (Prepaid Payment Instruments) issued by authorized non-banks. This is the third circular notified by the Reserve Bank in less than 18 months on customer liability in unauthorized transactions. It has been issued under Section 10(2) r/w Section 18 of the Payments and Settlement Systems Act, 2003 and it will come into effect from March 01, 2019.

Previously, the central bank notified a circular applicable to scheduled banks and small finance banks & payments banks[2] on July 06, 2017 while a similar circular applicable to co-operative banks[3] was notified on December 14, 2017. The latest circular is applicable only to PPIs issued by non-banks and for the PPIs issued by the banks, the July’17 guideline will continue to be applicable.

What is a Prepaid Payment Instrument (PPI)?

As per the definition given by the RBI,[4] a PPI facilitates purchasing of goods & services against the value stored on the said instrument. This value stored on an instrument represents the value paid by the instrument holder by debit to a bank account, by cash, or by a credit card. The RBI recognizes the following as PPIs:

  • Smart cards
  • Internet accounts
  • Internet wallets
  • Mobile accounts
  • Mobile wallets
  • Paper Vouchers
  • Magnetic Stripe Cards

These PPIs are further classified into four categories – closed, semi-closed, semi-open, and open systems.

A closed system payment instrument is issued by an establishment for use at its own establishments only. Examples include the wallet issued by BigBasket and Delhi Metro smart cards.

A semi-closed system payment instrument can be redeemed at clearly identifiable merchants that enter into a specific contract with an issuer to accept the payment. This instrument does not allow a holder to withdraw cash or redeem it. Examples include MobiKwik and Oxigen wallets.

A semi-open system payment instrument can be used at any point of sale (POS) terminal i.e. card-accepting merchants. Like a semi-closed system payment instrument, the holder cannot withdraw cash or redeem it. Gift cards can be considered as an example of this system.

An open system payment instrument can be used at a POS terminal and also supports cash withdrawal from ATMs. Travel cards issued by various banks are a perfect example of an open system payment instrument.

As of January 03, 2019, the RBI has authorized 48 business entities under the Payment and Settlement Systems Act, 2007 to operate a payment system based on PPIs.[5] Some of the most popular names include Amazon Pay, Delhi Metro Smart Cards, MobiKwik, Oxigen, PayU, PhonePe, m-pesa, etc.

Classification of Electronic Payment Transactions

This circular classifies electronic payment transactions performed via PPIs into two categories –

  1. Remote/Online payment transactions – Transactions which don’t require the physical presence of PPIs at the point of transactions such as wallets, card not present (CNP) transactions, etc.
  2. Face-to-face/Proximity payment transactions – Transactions which necessarily require a PPI to be present physically at the point of transactions such as cards, mobile phones, etc.

Responsibility of a PPI issuer towards customers

Clause 5 of this circular places the following responsibilities on a PPI issuer –

  • To ensure that a customer registers for SMS alerts and wherever possible, email alerts for payment transactions.
  • To mandatorily send SMS alerts for payment transactions and additionally send email alerts if registered
  • To mention a contact number/email id for reporting unauthorized payment transactions or notifying an objection in SMS/email alerts
  • To provide customers 24×7 access via website/email/dedicated toll-free helpline number for reporting either unauthorised payment transactions or loss of a PPI
  • To provide a direct link for lodging a complaint regarding unauthorized payment transactions on the home page of the PPI’s website or mobile application
  • To advise customers to notify the PPI issuer about unauthorized payment transactions at the earliest and inform them that the longer the time taken to notify, the higher the risk of loss to the PPI issuer/customer.
  • To send acknowledgement via auto responses mentioning the complaint along with its registration number
  • To record time and date of sending alerts to customers and receiving their response
  • To take immediate action to prevent any further unauthorised payment transactions

In addition, clause 9 places an obligation on a PPI issuer to –

  • Clearly define rights and obligations of customers in cases of unauthorized electronic payment transactions
  • Revise their existing customer relations policy to include customer protection and customer liability
  • Clearly lay down the mechanism for compensation and prescribe a timeline for effecting such compensation
  • Display this policy along with reporting procedure in public domain or website or mobile application

Liability of a Customer

Clause 6 of this circular limits the liability of a customer in different scenarios. It also requires that its contents be clearly communicated to all PPI holders.

  • When there is contributory fraud/negligence/deficiency on the part of a PPI customer – Zero liability of a customer (irrespective of whether or not an unauthorized transaction is reported by a customer)
  • Third party breach where deficiency is neither on the PPI’s part nor on a customer’s part but lies elsewhere in the system. The customer has to notify the PPI issuer regarding unauthorized transactions and liability will depend on the number of days lapsed between receipt of transaction alert and reporting of unauthorized transactions by the customer –
    1. Within 3 days – Zero liability
    2. Within 3 to 7 days – ₹10,000 per transaction or transaction value, whichever is lower
    3. Beyond 7 days – As per the PPI Issuer’s Board Policy
  • When loss is due to a customer’s negligence such as sharing payment credentials – Absolute liability. However, if unauthorized payment transactions occur after reporting by a customer, then the PPI issuer shall bear the loss.
  • Even in cases of customer negligence, a PPI issuer has discretionary power to waive off a customer’s liability.

What is Contributory Fraud/Negligence?

The terms contributory fraud and contributory negligence have not been defined in any circular or notification published by the Reserve Bank of India. In legal literature, contributory negligence[6] is a common law tort principle which specifies that the plaintiff, through his own actions, has contributed to the harm or injury suffered. It can be taken as a defence and, if successful, it eliminates the liability of a defendant to pay damages to an injured party i.e. the plaintiff. Over the years, this principle has evolved into comparative negligence[7] – the amount of damages that can be recovered by a plaintiff is based upon the degree of his own negligence which contributed to the injury i.e. liability of a defendant is proportionate.

In terms of electronic payment transactions, it can be understood that there is some negligence on the part of a customer, and at the same time, the PPI issuer has failed to comply with its rights and obligations. In such cases, the liability of a customer shall be zero and it shifts entirely to the concerned PPI issuer.

The following incidents might be considered under contributory negligence –

  • When there is a compromise of sensitive personal data of customers and further information is gathered about customers using social engineering techniques
  • When a PPI issuer does not comply with the minimum security standards prescribed by the RBI and simultaneously, a customer acts negligently by sharing OTP
  • When a PPI issuer updates registered mobile number or email address of a customer without proper authentication and verification
  • When a PPI issuer has not set up an efficient fraud prevention and mitigation system, which directly or indirectly contributes to unauthorized payment transactions
  • When a PPI issuer does not take appropriate action after a customer reports, causing subsequent loss

Reversal Timeline

Clauses 7 & 8 of this circular specify that –

  • After being notified by a customer, a PPI issuer shall credit the amount involved in unauthorized electronic payment transactions within a period of 10 days into a customer’s account via notional reversal.
  • For crediting this amount, the PPI issuer shall not wait for settlement of any insurance claims.
  • The PPI issuer has to ensure that –
    1. A complaint is resolved within 90 days.
    2. Liability of a customer is established within the said period.
  • The customer is compensated as per clause 6 of this circular.
  • If a PPI issuer fails to resolve a complaint and establish a customer’s liability, the amount as prescribed in clause 6 must be paid to a customer irrespective of whether there is customer negligence or not.

Conclusion

Considering the exponentially increasing financial frauds via debit/credit cards, internet banking, and mobile wallets, it is imperative for a regulator to clearly define rights and liabilities of two major stakeholders – the service provider and the customer. This circular is indeed a positive step towards protecting the interests of customers in cases of unauthorized electronic payment transactions from prepaid payment instruments (PPIs). This circular also clarifies that the burden of proving a customer’s liability lies with the PPI issuer. With this circular coming into effect from March 01, 2019, the customers will finally have a remedy and properly defined procedure to avail that remedy in cases of unauthorized electronic payment transactions from their PPIs.


Co-authored by Titiksha Seth and Raj Pagariya.


References

[1] Reserve Bank of India. (2019, January 04). Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks. Retrieved from Reserve Bank of India: https://rbi.org.in/Scripts/NotificationUser.aspx?Id=11446&Mode=0

[2] Reserve Bank of India. (2017, December 14). Customer Protection – Limiting Liability of Customers of Co-operative Banks in Unauthorised Electronic Banking Transactions. Retrieved from Reserve Bank of India: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11188&Mode=0

[3] Reserve Bank of India. (2017, December 14). Customer Protection – Limiting Liability of Customers of Co-operative Banks in Unauthorised Electronic Banking Transactions. Retrieved from Reserve Bank of India: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11188&Mode=0

[4] Reserve Bank of India. (2009, January 30). Draft Guidelines for issuance and operation of Prepaid Payment Instruments in India. Retrieved from Reserve Bank of India: https://rbi.org.in/Scripts/bs_viewcontent.aspx?Id=1902

[5] Reserve Bank of India. (2019, January 03). Certificates of Authorisation issued by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007 for Setting up and Operating Payment System in India. Retrieved from Reserve Bank of India: https://rbi.org.in/scripts/publicationsview.aspx?id=12043#mainsection

[6] Legal Information Institute. (n.d.). Contributory Negligence. Retrieved from Cornell Law School: https://www.law.cornell.edu/wex/contributory_negligence

[7] Larson, A. (2018, May 08). Negligence and Tort Law. Retrieved from Expert Law: https://www.expertlaw.com/library/personal_injury/negligence.html