Online payments: Why citizens must exercise option to decline receiving payments (Part 2)

While there is a significant effort by the RBI to protect customers from online fraud and other risks associated with online banking and transactions, surprisingly it is entirely silent on another potential threat to customers regarding financial transactions. Image: Shutterstock

India is now a global leader in the adoption of digital payments accounting for 46 percent of worldwide real-time payments in 2022. With 89.5 million digital transactions, she has more transactions than the other four leading countries combined.  The spectacular $3 trillion digital payment market, predicted to more than triple to $10 trillion by 2026, is because of rapid expansion in digital infrastructure, UPI-led migration to digital, pandemic-led acceleration of shift in customer preferences, growing merchant acceptance network, and disruptive innovations by fintech companies. It is now making inroads into global expansion with UPI payments in countries like Saudi Arabia, Singapore, Canada, UK, Australia, HK, UAE, Oman, Qatar and USA.

Globally, almost all countries enforce stringent measures to ensure security of financial transactions particularly those involving customer transactions. These are usually achieved using combinations of Encryption, Tokenization and Authentication. Most popular methods involve Single-Factor Authentication (SFA) requiring usually a password or a PIN, Two-factor authentication (2FA)-requiring two forms of identification, such as a password and a one-time code sent to a registered device, or a Multi-Factor Authentication (MFA) requiring three or more forms of identification, which may include biometric data, security questions, or physical tokens.

RBI too has detailed guidelines regarding securing financial transactions of account holders. In general, RBI proposes three-stage authentication practices for internet banking—Something the user knows (e.g., password, PIN); something the user has (e.g., ATM card, smart card); and something the user is (e.g., biometric characteristic, such as a fingerprint).

However, while there is a significant effort by the RBI to protect customers from online fraud and other risks associated with online banking and transactions, surprisingly it is entirely silent on another potential threat to customers regarding financial transactions. This pertains to receiving electronic payments in an account.  Obviously, it begs the question: What is the risk associated with receiving payments that requires the RBI to put in security features?

Consider the scenario where payments from an account are being made to an individual.  For many, there is no obvious way to know when and by whom such payments are being made. In the current system, SMS or other alerts that inform the recipient about the credit of funds is neither a default nor a mandatory option.  Often such messages or alerts may get hidden among many such messages and alerts, if an individual doesn’t immediately respond to them.

This could potentially result in tremendous costs being imposed on the recipient. Such costs range from harassment by the authorities to far stricter punishments like imprisonment under Money Laundering or Anti-Terrorist Activities Law. 

Also read: How the 'option to decline' can help the government better target direct benefits (Part - 1)

For example, organisations that are otherwise “dubious” may erroneously make transfers to an individuals’ account without the consent of the individual. Under the current laws, the recipient is liable for receiving such payments. Fighting such cases in the court impose a tremendous cost on the individual as well as on the already overburdened legal system. The problem mainly arises because the receiver did not receive the payments willingly and hence cannot establish the origin and purpose of such payments.

In the case of India, with more than 360 million UPI transactions happening each day, they are increasingly becoming a target for fraudsters.

The victim gets a phone call where he or she is informed of an incorrect transfer of funds (amount usually around $20-30) to their account from an unknown sender. The victim is requested to transfer the amount back to the sender through a link or a barcode. While doing the same, a substantial chunk of money gets transferred from the victim’s bank account to the fraudster’s account through the link. The RBI has come up with an awareness campaign to highlight the process.

There is a simple solution to both these problems – and can be easily achieved via OTP authentication by the receiver.

Also read: Cyber criminals are getting smarter. Laws and awareness need to keep up

Similar to the proposal made in part 1 earlier, the receiver can opt for a receipt authentication process (RAP) or continue with the status quo. Once the receiver has opted for RAP, (s)he can enable senders’ accounts payments that do not require authentication (for example, salary accounts or accounts of family members and friends). Once enabled, any payments coming from these accounts should be credited seamlessly a la the status quo.

However, for any new sender, the receiver can opt for authentication through the OTP process. Upon authentication by OTP, the amount will be credited to the receiver. However, till the time the payment is authenticated by OTP, the amount shall lie in an escrow account maintained by the bank for a designated time and after that, it shall be returned to the sender.

Therefore, the receiver can refuse to accept a payment that (s)he is not sure of by not authenticating via the OTP. Such a process will protect any individual from any harassment resulting out of receiving payments from dubious sources and ensure that individuals are not “rapped’ or charged with false charges of “bribery” or “unlawful activities” by tracing payments that the receiver is not entitled to.  

There is little barrier to why individual banks cannot adopt this.  However, there is one area that requires regulatory changes before such a process can be implemented: allowing the setting up of an escrow account as well as the provision to return the money to the sender in the event the money is “not accepted’ by the receiver.

Regulatory changes along with the specifications regarding who must pay the charges (if at all) of this service are the finer details that needs to be addressed too. Note that, this concept is not entirely alien to Indian banking system.

Given the complex final transactions maze and increasing instances of governments often bringing harsh penalty on citizens for their failure to provide satisfactory answers to transactions (financial as well as non-financial), the option of declining to accept payments from sources we are not comfortable with, will be essential for citizens safety.

This piece has been co-authored by Bappaditya Mukhopadhyay, Professor, Data Analytics and Economics and Jayatu Sen Chaudhury, Professor, Data Analytics and Finance, Great Lakes Institute of Management Gurgaon.