There is a furore over the “disappearing messages” feature on this app. Scrutiny of the app has become necessary as it is entering the payment domain through WhatsApp Pay and needs to prevent fraud.
By Na Vijayashankar
The regulatory approval given to WhatsApp Pay has brought into focus the method by which companies in different lines of business are converting themselves into financial technology companies and monetising their huge customer base. Google Pay has already captured 40 percent of the UPI market share in India, which is around 3.5 lakh crore transactions per month. PhonePe, owned by e-commerce company Flipkart, also has a 40 percent market share. Amazon Pay is also working on establishing a presence.
It is, therefore, not surprising that WhatsApp has also entered the fray with WhatsApp Pay. With a customer base of 350 million, WhatsApp has all the potential to become the leader of the pack. The RBI wants none of the companies to have more than 30 percent market share and has limited WhatsApp to around 10 percent market share before the licence can be expanded.
Since 2018, when WhatsApp was ready with the beta version, approval was delayed because of discussions on data localisation requirements. It is not clear whether they have resolved this issue and agreed to hold the transaction data in India either exclusively or as a copy. While some would presume that the RBI would have made them agree to data localisation, until a clarification is forthcoming, it cannot be presumed that it has made WhatsApp change its mind or vice versa.
The ministry of electronics and information technology has been at loggerheads with WhatsApp for two years regarding the introduction of a technology feature by which the origin of a message can be tracked. WhatsApp has been refusing the request and stalling amendments to Section 79 of the Information Technology Act, 2000. Knowing the power of Facebook, which owns WhatsApp, it is possible that the RBI would have yielded to the argument that it is only a “message carrier” in the payment infrastructure and that transaction data is generated and stored by supporting banks such as ICICI, HDFC, Axis, SBI and Jio Payments.
Once WhatsApp enters the payment domain, the need for tracking the origin of a message becomes even more critical as this could be a source of fraud. As the scheme is structured, WhatsApp allocates a UPI ID to its customer. This does not have any KYC. The device is, however, identified and linked to the SIM. The receiver also has his own WhatsApp UPI ID. These IDs do not directly belong to WhatsApp but are issued by one of the partner banks. If the intended recipient is in the contact list of the sender, the payment instruction is sent on the message screen to the recipient. If the recipient is not in the contact list, his QR code can be used to trigger the payment instruction.
The payment instruction itself is a message to the partner bank, which then triggers a normal UPI transaction from the customer’s designated UPI bank to the destination partner bank through the National Payments Corporation of India (NPCI). The destination partner bank forwards the payment to the addressee’s default UPI bank registered with WhatsApp. A confirmation of credit is also sent through WhatsApp and reaches the message box of the recipient. It is possible that at either end, the WhatsApp partner bank may not be the customer’s bank. Hence, there may be the involvement of four banks, the NPCI and WhatsApp in completing the transaction.
As far as the user is concerned, the system is managed by WhatsApp and none of the other players is visible. Though WhatsApp is not licensed to undertake UPI transactions directly, it engages the services of its partner banks to initiate the transaction. As these partner banks are not bankers for the customers, they engage two more banks to assist them. Finally, NPCI acts as the agent of the two banks through which the money actually passes to the right bank.
In terms of data protection laws, WhatsApp is the main data controller, while the others are all joint controllers as all of them determine the purpose and means of processing. At present, the App is not in conformity with the provisions of the Personal Data Protection Bill, 2019.
When a transaction happens smoothly, all participants enjoy sharing the financial benefits. However, when a fraud happens and a customer complains that a payment not initiated by him has been executed, then each of the participants is likely to blame the other for the fraud and WhatsApp would be denying cooperation with law enforcement authorities, quoting privacy.
The RBI is well aware that UPI frauds will only increase. Fraud could occur because a mobile device (at present, payment is not available from WhatsApp Web) is infected with malware, or because the banker’s systems are compromised, either through technical issues or insider fraud. WhatsApp itself can be compromised by spyware.
Where the QR code is used to identify the receiver of the money, there could be QR code-related fraud. The RBI is trying to introduce a common QR code system for multiple payment service providers. Hence, the QR code itself needs to be resolved and the bank to which the account belongs has to be identified. Since there can be two UPI accounts such as vijay@sbi and vijay@icici that may belong to different persons, a wrong resolution of the bank can divert the payments.
All UPIs operate under a four-digit PIN, which is one of the lowest levels of security that can be thought of. This is neither a digital signature nor a complex password and hence it is liable to an easy brute-force attack.
Frauds will increase in cases of “pull” transactions where a receiver of payment raises a request that is transmitted to the person designated to pay and on his approval, the transaction is activated. Many frauds occur because fraudulent request instructions may be activated through a hacked mobile.
We also know that fraud risks in UPI-based transactions are higher than in wallet-type systems or prepaid payment instruments (PPIs), as UPI is linked directly to the bank account and exposes the entire bank balance to the risk of fraud. The limit of 20 transactions and Rs 1 lakh per day does not provide adequate security. If transactions are triggered around midnight, a limit of Rs 2 lakh can be used by fraudsters.
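The midnight problem described above, as an added illustration that is not part of the article: a Rs 1 lakh daily cap enforced with a calendar-day reset versus the same cap enforced over a trailing 24-hour window. Amounts, timestamps and the cap constants are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed example: the per-user UPI limits the article cites
# (20 debits and Rs 1 lakh per day), expressed in paise.
DAILY_CAP_PAISE = 1_00_000 * 100
DAILY_TXN_CAP = 20

def window_usage(history, when, rolling):
    """Sum and count the past debits that count against the cap at `when`.

    history: list of (datetime, amount_paise) already-approved debits.
    rolling=False: the cap resets at midnight (calendar day).
    rolling=True:  the cap covers the trailing 24 hours ending at `when`.
    """
    if rolling:
        start = when - timedelta(hours=24)
        in_window = [amt for ts, amt in history if start < ts <= when]
    else:
        in_window = [amt for ts, amt in history if ts.date() == when.date()]
    return sum(in_window), len(in_window)

def allow_debit(history, when, amount_paise, rolling):
    """Return True if a new debit fits under both the amount and count caps."""
    spent, count = window_usage(history, when, rolling)
    return spent + amount_paise <= DAILY_CAP_PAISE and count < DAILY_TXN_CAP

def midnight_scenario(rolling):
    """Two full-cap debits four minutes apart, straddling midnight.

    Returns the total that could leave the payer's account in those minutes.
    """
    history = []
    first = datetime(2020, 11, 10, 23, 58)   # constructed timestamp
    lost = 0
    for when in (first, first + timedelta(minutes=4)):
        if allow_debit(history, when, DAILY_CAP_PAISE, rolling):
            history.append((when, DAILY_CAP_PAISE))
            lost += DAILY_CAP_PAISE
    return lost

if __name__ == "__main__":
    print("calendar-day reset: Rs", midnight_scenario(rolling=False) // 100)
    print("rolling 24h window: Rs", midnight_scenario(rolling=True) // 100)
```

With the calendar-day reset the two debits total Rs 2 lakh; the rolling window refuses the second one.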
Presently, the RBI has a limited liability scheme for online banking, credit cards, debit cards and other PPI instruments. However, the existing “Limited Liability Circular” may not cover the WhatsApp scheme, though it may still hold against the banks. It is time the RBI made a disclosure on this and brought WhatsApp Pay within the limited liability scheme at the earliest.
In the limited liability system, the SMS alert should have a link for immediate dispute to be raised. But WhatsApp Pay will not have this facility. As a result, a fraud victim will not know how to raise a complaint in case he either receives a false request for payment (which gets automatically approved because his mobile might have been compromised with a malware) or receives a confirmation of payment which he has not asked for.
Hence, in terms of expanding the digital payment systems in India, WhatsApp Pay will be a game-changer, but it also increases the possibilities of cyber crimes and data breaches. The RBI should, therefore, quickly come up with a master circular which explains the liability of all parties involved in this kind of transaction.
Further, service providers need to ensure that international users of WhatsApp are not able to commit frauds and escape scrutiny under the excuse of “end to end encryption” and “lack of jurisdiction”. It is essential that WhatsApp confirms that this payment service cannot be initiated by users from outside India. The RBI also has to confirm whether they are diluting the security of the payment system by exempting them from the second factor authentication.
If the Personal Data Protection Act of India were in place now, it would require WhatsApp to conduct a Data Protection Impact Assessment (DPIA) and share it with the Data Protection Authority (DPA). The DPA could even have demanded the submission of a “Privacy By Design Policy”, which would have ensured that the security of the system was enhanced.
On the other hand, there is a demand in sections of the industry to get financial information declared as “non-sensitive” in the PDPB so that it can be taken out of the purview of the Data Protection Act.
Considering all aspects, it can be suggested that the RBI should mandate that WhatsApp take a group insurance scheme to cover its payment systems so that frauds are covered by a mandatory insurance up to a reasonable amount. Also, payments above Rs 50,000 need to be covered under the income tax rules of PAN disclosure. Some of these precautions need to be taken before frauds reach unacceptable levels.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru