Introduction
The evolution and advancement of India’s digital payments ecosystem through UPI, IMPS, and NEFT, have grown substantially and transformed India into a world-class leader in real-time (instant) payment systems over the last decade. This transformation of how people in India spend their money has also driven a significant increase in digital payment-related frauds, with Authorised Push Payment (“APP”) scams being one of the most pervasive forms of fraud that victimise users who are tricked into giving away their money voluntarily.
In response to this rapid increase in digital payment fraud, the Reserve Bank of India (“RBI”) has produced a discussion paper that recommends structural safeguards to protect consumers against fraud when making high-value digital payments, including a one-hour delay for certain high-value transactions to allow consumers time to change their minds about making these payments.
Reconceptualising Instant Payments: The Case for a One-Hour Lag Mechanism
The proposed one-hour delay on transfers greater than ₹10,000, by the RBI shows a significant departure from the immediacy principle associated with digital payments and is aimed at reducing APP fraud that results from user pressure to act quickly. Allowing for just enough time to reconsider a transfer would allow a user more time to evaluate if he/she is making a rushed decision.
This represents a move toward “ex-ante fraud prevention” rather than relying on remedies after a transaction has occurred, which often do not provide adequate protection against fraud. The idea of having a “golden hour” before transferring funds has been adopted in the UK and Singapore to reduce the risk of being defrauded. However, there are still concerns that using a threshold as the basis for delaying a transaction may be inconsistent with customer expectations of receiving instantaneous digital payments and that whitelisting methods used to further delay APP transactions could be vulnerable to exploitation by fraudsters.
Balancing Autonomy and Protection: Trusted Person Authentication for Vulnerable Users
The RBI’s second proposal is creating the need for “trusted person” authentication for vulnerable populations such as seniors and persons with disabilities ties financial regulation closely to social protection for transactions above ₹50,000, but it also serves to reduce fraud risk for these groups. The introduction of a third-party authenticating person (who has no direct legal relationship with the customer) presents a concern regarding agency and consent, as banking law has historically only recognised the customer and any authorised signatories to their account.
In addition, if a transaction is disputed, determining liability between the bank, account holder and the trusted third party may be difficult. While providing some protection, this measure may limit the ability to control one’s own finances. Requiring trusted person authentication to transact will likely be seen as paternalistic, unless a strong mechanism to opt-out is provided.
Cooling-off periods are an attempt to reduce coercion; however, practical issues will also arise if a trusted person is unavailable to authenticate the transaction due to the delay inherent in requiring them to do so.
Strengthening KYC and Anti-Mule Frameworks: Credit Caps and Shadow Balances
The RBI has introduced a new proposal that limits annual aggregate credits to ₹25 lakhs at non – KYC due diligence accounts, meaning that all transactions must be aligned to match the customer’s financial profile. The RBI believes this will build on the KYC efforts already in existence with a risk-based monitoring framework will now be able to monitor these transactions more accurately.
Additionally, the “shadow credit” idea, where excessive funds are “held” for a short time while the actual sources are verified, will add another layer of protection against fraudulent flows. However, procedural fairness and customer inconvenience may result. Legitimate users of this will experience severe delays and an increased documentation burden, particularly small businesses or those who receive their incomes inconsistently.
Additionally, if a customer’s funds are reversed after 30 days without sufficient justification, it could create contract disputes and potential claims against the Bank. Proportionality provides a framework for the challenge of balancing fraud prevention against compliance burdens. The success of the proposed rules will be based on clear regulatory guidance and consistent enforcement across the enterprise.
Empowering the Consumer: Legal Implications of Kill Switch and Transaction Controls
The RBI has submitted its fourth proposal, which follows the balance of power towards the consumer and brings individual controls over transaction amounts through custom-based tools (such as a Kill Switch) and allows the individual to disable any digital payment made (an act that will enable individuals to have control over their finances).
At the same time, this also provides banks with a legal framework to comply with the duty of care towards their customers through the use of informed consent. However, there are challenges in implementing the Kill Switch. Implementing the Kill Switch will require substantial changes to infrastructure in all platforms (i.e., UPI, cards, net banking and wallets).
There will still be exposure to the wrongful use of information given that fraudsters may obtain access to an individual’s device for a limited period of time (so that they may carry out their fraudulent transactions). In addition, it is difficult to implement any such controls as defaults or to enhance security via such controls, and in doing so, it would discourage individuals from using digital payment systems that will ultimately affect financial inclusion.
Regulatory Trade-offs: Efficiency, Security, and the Future of Digital Payments
The RBI has a typical regulatory obstacle: integrating efficiency and security. The rapid and convenience-based nature of India’s digital payments ecosystem means that any friction added through delays, more robust authentication, or limits on transaction amounts may have a direct impact on user experience. While the regulatory body must now step in with assistance due to the large increase in reported fraud, has exceeded Rs.220 billion annually.
The Reserve Bank has taken an approach signalling a movement towards a risk-based framework that will help to quantify the level of security protections by user profile, transaction history and risk level. Due to the careful design and implementation process that these protections will require.
There can be adverse effects. Very rigid regulatory protection mechanisms could incentivize individuals to use something that is less secure and those that are too flexible may not reduce fraud to any degree or provide confidence in the reduction in the amount of fraudulent activity. Therefore, it is essential to ensure that consultation with the stakeholders will be an ongoing process before fully implementing these very serious changes in regulations.
AMLEGALS Remarks
In revamping India’s digital payment regulations from reactive to sustainable governance through RBI’s discussion paper, the challenges posed by having designated 1-hour time limits on large-value transactions will likely come about due to significant changes in user behaviour related to modern-day Financial Crime. Legally, the new regulations may involve complex issues of proportionality, autonomy, fiduciary duties, and regulatory design. Ultimately, the success of these regulations is contingent upon accurately calibrating such regulations so as to avoid negative, unintended consequences such as reducing payment efficiency; increasing compliance costs for businesses and decreasing consumer satisfaction.
For any queries or feedback, feel free to connect with Hiteashi.desai@amlegals.com or Khilansha.mukhija@amlegals.com