The Unified Payments Interface (UPI) has already been designed to enable biometric-based authentication and it is a matter of time before payment service providers begin to use the feature, said AP Hota, MD and CEO, National Payments Corporation of India (NPCI). Speaking at an event to announce a limited launch of UPI-based merchant payments, Hota said the existing merchant discount rate (MDR) regime must be tweaked to get rid of the advantage issuing banks have over acquirers. Edited excerpts:
Last week, RBI mandated that banks and payment service providers enable Aadhaar-based biometric authentication for card-based transactions. Is that going to apply to UPI-based PoS payments?
RBI’s mandate, as of now, is that all the new PoS that comes should have the Aadhaar authentication facility. Initially, it was to be introduced on January 1. Now that has been deferred till July 1. That is about the new PoS terminals coming. Aadhaar as a means of authentication is obviously on the agenda of the government. They are pursuing it in many ways. The road map is that Aadhaar would be encouraged over a period of time. But, under in-store payment, as of now, there is no mandate. So we know there is a speed at which these transactions have to happen. In the Aadhaar-based payments, because at one go, it (authentication) is not 100% as yet. On the first attempt, you may get 91%, second attempt another 5% or 6%, third attempt it could stand at 11%. And in about three to four attempts, it comes to about 99%. So as of now, for in-store payments, is Aadhaar mandatory? Not yet. But UPI has been designed in such a way that it can use biometric for authentication. The enablement is there at the back-end. It is a matter of time before people come out with solutions.
As things stand today, the system of distribution of MDR is highly skewed in favour of card issuing banks. What is being done about that?
Let RBI bring out the MDR. Thereafter, the distribution of MDR will be streamlined and acquiring banks should stick together. Banks have appreciated that the concept is a little heavily tilted in favour of issuing banks because all over the world, for card payments, getting the customer in, it is the customer’s bank that makes a big difference. Now that it has stabilised, the time has come for giving a bit of encouragement to the acquiring banks. But it is the banks who sit together with the network (for working out distribution).
What are the plans for expanding the PoS infrastructure?
There were 1.4 million terminals before demonetisation. Then, in this demonetisation period, the government wanted 1 million (new) terminals to come by March 31. The latest data on the number of terminals is yet to come, but as per January data, it is 2.1 million and in March, I’m pretty sure it’ll touch 2.4 million. The next one-million target is given for September 30 and they (government) are thinking to give it (targets) bank by bank. Obviously, there are five large banks who have almost 80% of the PoS terminals, but now banks have realised that they will have to deploy a lot more terminals. For a bank to make the acquiring business financially viable, a minimum of 25,000 terminals need to be there and now, a good number of banks have come to the threshold level.
A UPI fraud was reported at Bank of Maharashtra. What is being done about that?
BoM had a UPI solution. In that solution, there was a minor bug. Even if the core banking solution had declined a transaction, the UPI solution at the bank level used to send a success message to NPCI. In NPCI, even if the core banking solution said ‘no’, based on the UPI solution of the bank, we used to do the clearing because NPCI is a clearing house. The bank used to send a success message, even though it was a failure. The moment it was noticed, it was rectified and Bank of Maharashtra was talking to the solution provider. But what is more important is, about 50-60 people near Aurangabad area could know the loophole in the system and they have collected a good deal of money. They have accounts with 19 other banks. As reported by the bank, it (loss to the bank) is about `25 crore and they have already recovered quite some amount.
You might also want to see this:
What are the learnings from the episode?
We are not allowing any bank now to join the UPI unless they have a thorough reconciliation process and they have audited their package by the best of audit professionals. The CERT-IN have given the list of information security auditors. They must get it certified by one of the auditors and we are also planning that we ourselves will audit, going forward. As you know, 44 banks have already joined UPI. Getting the 45th bank would be a little tougher job because we’ll be very circumspect.