Editorial Note: On July 13, 2020, we published an Issue Brief (No. 380) by Prof Sunil Abraham, titled, “Unified Payment Interface: Towards Greater Cyber Sovereignty”. The brief discussed the lessons that other counties could learn from India’s UPI experience, while highlighting some of the problem areas. This brief and its claims elicited a critique from iSPIRT – the Indian Software Product Industry Roundtable - of some of the claims made by Prof Abraham. We asked the author to respond to iSPIRT, and he has written a rebuttal.
ORF is publishing here the critique of iSPIRT, alongside the author’s rejoinder. This is an important public policy issue and ORF is presenting this engagement between the author and his critic in the spirit of taking the discussion forward.
Response of iSPIRT to the Issue Brief and Prof. Sunil Abraham’s rebuttal
Point Number 1> (IB, p. 4) Since UPI does not use biometrics, it does not need Aadhaar, which is the presenceless layer of India Stack. Aadhaar Number helps UPI identify consumers, but lack of tokenisation and availability of these numbers with many data controllers increase risk of financial fraud.
- UPI does not depend on Aadhaar for the purposes ofuser identification. User onboarding in UPI happens via SMS OTP and Debit card authentication. In fact, UPI does not use Aadhaar for any purpose whatsoever!
- Additionally, Tokenization has already been implemented in Aadhaar with non-regulated entities not allowed to store the unmasked Aadhaar number anywhere.
- While in theory UIDAI has implemented tokenization - it is unclear how many data controllers are using it exclusively in lieu of holding Aadhaar numbers and have deleted all Aadhaar numbers in their possession.
Point Number 2> (IB, p. 5) With a better designed presenceless and paper layer, the tight coupling with India Stack could have benefited UPI but is undermined by it instead.
- There is no tight coupling between UPI and the other layers of India Stack. UPI can be easily deployed in other countries with minimal changes to the current ecosystem. Google’s RTP report also indicates how easy it is to build UPI like solutions in other countries (without using other parts of India stack).
- See previous point - UPI has nothing to do with Aadhaar, so there is no way that one could undermine the other.
- Further, each API within the India Stack collection is owned by a separate entity (which owns the specification, and the governance of that API). It is not possible for these APIs to be tightly coupled!
- Aadhaar is mentioned more than 60 times in the UPI 1.2 specifications. It is not mandatory but, at the very least, was definitely an optional feature in the last publicly available version of the standard. It would be very helpful if NPCI could share version 2.0 of the standard with researchers.
- The Aadhaar number is OR was either mandatory OR optional for all the layers of the India Stack. This unique and permanent number that cannot be changed when compromised is the foundation upon which the other layers of the Stack rests. This tight coupling has been reduced by discontinuing services like “Pay to Aadhaar.”
Point Number 3> (IB, p. 5) NPCI’s reluctance in opening the standards specification of UPI is not easily understandable.
- NPCI is a private body and has complete rights over the UPI standard. To open source this standard (or not) is a strategic call which has little to no impact on the end consumer/Indian government.
- As of now, all the participants in the UPI ecosystem have full access to the technical standards and well defined forums are available for them to raise concerns (if any). This is akin to how VISA/MC operate today.
- The brief does not advocate an “open source standard,” it advocates for an “open standard.” Open standards are good for competition and also they make comprehensive security audits possible. Both these outcomes engender consumer trust in the ecosystem.
- UPI made previous versions of the standard publicly available on their website. In other words, it was different from VISA/MC and was based on a “public good” approach. It is not clear why emerging competition to the existing participants should not get access to the standard.
Point Number 4> (IB, p. 5) NPCI must act urgently to institute multistakeholder standard-setting processes for UPI.
- This is an insightful recommendation and one we’re sure NPCI is already considering. However, lack of a multistakeholder standard-setting process shouldn’t be considered a “weakness” of the ecosystem. Given the fast evolving nature of UPI, having a single entity control the specification lets the players iterate faster. Over the coming years, NPCI might decide to move away from this and create a multi-stakeholder standards setting process.
- This is true. It would be difficult to make progress if decisions were dependent on multistakeholder consensus. The multistakeholder standard-setting should be for design, discussion and feedback but NPCI should take the final call on the standard.
Point Number 5> (IB, p. 6) With little public visibility into the approval process it is uncertain whether smaller banks can protect their own interests and those of smaller app providers against global tech giants.
- This is a false allegation where no proof was provided by the author. The large tech giants have had to comply with the same regulations that others have. For instance, WhatsApp pay has not been approved for launch in the Indian market. Google Pay has also been reprimanded by the regulator for non-compliance.
- NPCI has done a remarkable job of keeping the ecosystem together and executives have often gone out on a limb to aid smaller banks/startups. The author should’ve cited concrete instances of abuse before making such strong claims. For reference, here’s the complete list of UPI apps available in the market.
- The brief makes no allegation, it only argues that there is no way of verifying that the interests of smaller app providers and banks were protected. For example - how were the banks selected to partner with the big PSPs? Greater public visibility will help civil society and consumers fully understand the rationale behind such important decisions
- The Ken article cited in the brief contains allegations of unequal treatment. Greater public visibility can be used to dismiss such allegations as false.
Point Number 6> (IB, p. 6) Consumers can only discern if UPI service provider is compliant with regulations if transparency obligation forces the latter to publish aggregate performance numbers on an open data portal
- Aggregate performance numbers shed NO light on regulatory compliance! Consumers can safely depend on the regulators to ensure that non-compliant actors are prevented from operating. NPCI already does periodical audits of all ecosystem partners to ensure compliance.
- However, there is merit to the recommendation that all service providers publish performance numbers. The RBI Committee for the Deepening of Digital Payments recommended that the RBI ensure that all payment system operators publish statistics related to uptime, failure rates, etc. and institute a process to reduce them by 25% every year.
- Apologies for missing the periodical audits in the brief, I was not able to find any public documentation regarding these audits. Indeed the regulator is expected to protect the interests of the consumer but transparency allows this trust to be verified. NPCI is already publishing some information here. The brief only argues that such transparency measures should be expanded to all banks and payment service providers.
- Agreed, the RBI committee’s recommendation makes it clear that transparency will result in better quality of service.
Point Number 7> (IB, p. 6) Customers can also upload their grievances on the same portal (mentioned above)
- Under the current regulations - the responsibility for grievance redressal lies completely with the customer's bank - they are the custodian of funds and responsible to the user. If the user does not get his issue redressed from the bank, they can approach the RBI ombudsman. NPCI is responsible to the banks, and can handle technical issues at their end only.
- NPCI hosting individual consumer grievances would consolidate consumer voices and make it harder for banks to ignore such grievances. Also it allows the regulator to understand the individual stories behind anonymous aggregate statistics and respond more effectively.
Point Number 8> (IB, p. 6) A fintech or bank engaging in predatory lending practices would want E-mandates to be signed biometrically using eSign and be non-cancellable, which enable legal debt recovery
- All lenders would want to ensure that they have a legal right to collect on debt, and their conduct is guided by the RBI policies on fair lending practices. Predatory lending practices have nothing to do with payments or consent. Were the E-mandate ecosystem to be extended for loan repayments, adequate guard rails will be put in place to safeguard consumer interests. These safeguards will ensure E-mandates become a more efficient form of E-NACH / PDS and thus, simplifying repayment process.
- The brief tries to argue that a frictionless payments ecosystem where the customer has reduced control over withdrawals from their bank accounts makes them vulnerable to predatory lending practices like payday loans and welfare-day loans. It would be wonderful to learn more about specific guard rails that stop predatory lenders.
Point Number 9> (IB, p. 7) BHIM should’ve been made available under FOSS license as reference implementation. This would’ve allowed firms to make proprietary derivative works in the tradition of Apple OS. This would’ve saved consumer data (from leaking via NPCI) and boosted the local ecosystem.
- We don’t believe that the lack of open source implementation is the primary reason for the dominance of Google/Walmart in the Indian payments market. Other factors such as funding and resources are much more likely explanations for the current situation.
- BHIM was always meant to be an accelerator for the payments ecosystem, igniting the imagination of entrepreneurs and consumers alike. NPCI has done a stellar job at this.
- There has been no leakage of customer data from the BHIM app, or NPCI. The report points to a leak from a platform maintained by CSC E-governance services, which has nothing to do with UPI. Criticizing NPCI, or BHIM for this incident isn’t valid.
- The brief did not claim that the licensing strategy was the only reason for the success of Google/Walmart backed entities.
- The phrase “public good” is often used by India Stack evangelists, a FOSS licensed BHIM would be the textbook implementation of a “public good” approach to creating a competitive market. It is not clear how the network provider launching a proprietary app ignites the imagination of small entrepreneurs.
- The brief makes it clear that the UPI was not hacked but the consequences were similar because the compromised personal data included data that was collected to onboard BHIM merchants>>
Point Number 10> (IB, p. 8) Privacy wise, NPCI today has a 360-degree financial picture of most non-elite Indians. Because UPI payment packets are decrypted at each leg of the transaction and thus, can be read.
- NPCI is a regulated payment system operator. It receives information necessary to complete a transaction from the various financial institutions. There is no evidence that NPCI has done anything to create a financial picture of users., We are comfortable that the ownership by banks, and the control of the regulator will prevent this from happening.
- Most financial messages do not include PII, or account balances, and prevent correlation between various accounts, etc.
- This picture can be constructed by combining rows from multiple tables across multiple databases using keys like account number, phone number and Aadhaar number. Trusting NPCI and the regulator would be easier if there are strong policy and technical safeguards in place that prevent this technical possibility from coming true.
- UPI 1.2 specifications states that the following fields may be part of the financial message - Aadhaar number, device fingerprint (generated from parameters such as DeviceID, App ID and IMEI number), IP address, operating system, application, bank account numbers, and GPS location of the user when conducting the transaction. The Indian bill like the GDPR does not only protect PII but all personal data.>>
iSPIRT: Apart from the above points, we were also surprised at the framing of certain sentences in the article. For example:
The NPCI is a joint initiative by the Reserve Bank of India (RBI) and Indian Banks Association (IBA). The IBA, however, has been accused of lack of transparency and accountability. Despite registering as a “not-for-profit” company (known as a Section 25 company in India) in 2008, the NPCI proceeded with only 10 core promoter banks as shareholders. (IB, p. 5)
Here the author has referenced a letter by a retired bank officer, who is aggrieved by recommendations made by the IBA relating to encashment of leave for officers who are compulsory retired. Without going into the merits of Mr. Ramachandran's letter, we fail to see how it is relevant to the topic of UPI, and cyber-sovereignty. It only appears to be an attempt to accuse the IBA of misconduct and hence tarnish the image of NPCI by association. Additionally, it's not clear what the second statement seeks to achieve - Why is there a disconnect between being a Not for Profit and having 10 core promoters?
Author: The brief remarks that only a minority of the member banks of IBA were invited as core promoters. The reader may therefore be prompted to ask - What was the reason for having only 10 core promoters? What was the process for selecting these core promoters?
iSPIRT: In addition to the obvious mistakes, the document reads like a biased critique of the sovereign platforms being built in India, without adequate justification being provided in most cases. While this is positioned as a way ahead to greater cyber sovereignty, the article seems to hurt the cause more than help it.
Author: The brief is very clear that other countries should adopt the Indian model if the magic of the market has not delivered. Cyber sovereignty is critical at all levels from the individual, home, village, state and nation state. However, the brief also tries to understand how the Indian model can be improved and protected in the long run especially from the perspective of the consumer.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.