Introduction
The Reserve Bank of India (RBI) released the ‘ Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions' (Draft Framework) on 31 July 2024. The Draft Framework advocates the usage of Additional Factor of Authentication (AFA) for digital payment transactions by all Payment System Operators (PSO) and Payment System Participants (PSP). RBI in its ‘Statement on Developmental and Regulatory Policy' dated 8 February 2024 had earlier announced adoption of a principle-based framework for authentication of digital payment transactions. The Draft Framework now sets clear guidelines for the authentication of digital payment transactions to bolster trust in digital payments ecosystem.
1. Risks in payment systems
Digital payments in India have witnessed consistent growth year-on-year, with 13.46% increase in digital payments by value from June 2023 to June 2024, owing to the increasing penetration of internet and adoption of digital payment instruments. On the other hand, there has been 81.13% year-on-year frauds increase in domestic payments. Such frauds have necessitated the requirement for enabling strong authentication mechanisms to validate the credentials of the person originating or confirming a payment instruction.
The existing authentication factors have been susceptible to various commonly known security threats, such as:
- Phishing. Deceiving to click on fraudulent links posing as website of legitimate financial institutions and extracting usernames, PINs, passwords and such other private credentials.
- Smishing. Similar to phishing, except that the fraudulent link is sent to the user through a text message. Such links may also download malwares on the user's device, which may be employed to extract the private credentials inputted / stored on the device.
- Vishing. Fraudulent calls or voicemails soliciting personal information and private credentials.
- Brute force attack. Hacking through trial and error to crack passwords or such other login credentials.
2. Existing Factors of Authentication
Username, password, PIN, One-Time-Passwords (OTP) etc. are the most commonly used factors for authentication of digital payments. OTP, a unique numeric / alphabetic / alpha-numeric PIN that is sent to the user for confirming a payment transaction, is the most commonly used factor. While OTP is dynamic in nature and negates the risk of the credential being leaked, it is still prone to phishing.
A Two-Factor Authentication (2FA) requires a combination of two separate factors to authenticate a payment. A typical example of 2FA is seen in Unified Payments Interface (UPI) where a user undertakes two layers of authentication, viz., (i) authentication of the device at the time of setting up their UPI account on the user's particular mobile device through an SMS (device binding), and (ii) requiring the UPI PIN at the time of each payment. Thereby, the risk of fraud is minimised since a potential fraudster would require both SIM card (a physical identifier of the user), as well as the UPI PIN (a cognitive credential), to initiate a UPI transaction.
3. Extant regulatory framework
Currently, there are scattered regulatory stipulations on different regulated entities for authentication of payment instructions. The table below sets out the key requirements prescribed under the existing regulatory framework.
# |
REGULATORY FRAMEWORK |
REGULATED ENTITIES |
KEY AUTHENTICATION REQUIREMENTS |
---|---|---|---|
1. |
Prepaid Payment Instrument (PPI) issuers |
|
|
2. |
Scheduled commercial banks, small finance banks, payments banks and credit card issuing NBFCs |
|
|
3. |
Scheduled commercial banks, cooperative banks, Non-bank PPI issuers, authorised card payment networks |
|
|
4. |
Master Circular – Mobile Banking transactions in India – Operative Guidelines for Banks |
Scheduled commercial banks and cooperative banks |
|
5. |
Internet Banking Facility for Customers of Cooperative Banks |
Cooperative banks |
|
4. Key Stipulations in the Draft Framework.
The Draft Framework underscores the concerns in authenticating digital payments and providing for a uniform authentication framework applicable to all PSOs and PSPs. In case the Draft Framework is notified in its existing form, all PSPs and PSOs will be required to ensure compliance with the framework within 3 months from the date of issuance of the framework.
The Draft Framework prescribes the following notable stipulations:
- Proposed definitions.
Under the Draft Framework, Authentication is defined as ‘the process of validating and confirming the credentials of the customer originating any payment instruction'. Usage of more than one factor for authentication of a payment instruction is referred to as AFA. The definition of ‘digital payment transaction' has been harmonised with the definition of ‘electronic funds transfer' prescribed under the Payment and Settlement Systems Act 2007. Issuer is defined as ‘the bank / non-bank where the customer's account is maintained and who verifies user credentials and provides confirmation of debit to the account on receipt of payment instruction'.
- Categorisation of factors of
authentication.
# CATEGORY OF AUTHENTICATION FACTORS EXAMPLES 1. Something that the user knows (cognitive factor) Password; PIN; security questions 2. Something that the user has (tangible factor) ATM card; smart card; device identifiers; software tokens 3. Something that the user is (biometric factor) Fingerprint; face ID; iris
- Requirements for factors of
authentication.
The Draft Framework mandates AFA to be implemented for all digital payment transactions, except for certain exempted categories of digital payments (as detailed below). Additionally, one of the factors of authentication, other than for card present transactions, has to be (i) unique and dynamically created at the time of initiation of payment, which cannot be reused (like an OTP); and (ii) the first factor and the AFA has to mandatorily belong to separate categories of authentication factor.
- Exempt transactions.
In line with extant regulatory relaxations vide various notifications by the RBI, the following payment transactions are exempted from the AFA requirement under the Draft Framework as well:
- Small value contactless card payments. Card present transactions for values up to INR 5,000 per transaction in contactless mode at point-of-sale terminals.
- E-mandates for recurring transactions. Subscription of mutual funds, payment of insurance premium, and credit card bill payments for values up to INR 1,00,000, and all other recurring transactions of values up to INR 15,000 (except for the first transaction, which shall require AFA).
- Select PPI and National Electronic Toll Collection (NETC) payments. PPI-MTS, Gift PPIs and transactions in NETC system.
- Small value digital payments in offline mode. Offline payment transactions up INR 500.
- Obligations on Issuers.
The responsibility of ensuring the effectiveness of the authentication mechanism is placed on Issuers and they shall assume liability for the process and technology adopted for authentication. Further, the Draft Framework imposes the following additional obligations on Issuers:- Risk based implementation of AFA. Adopting a risk-based approach in determining the appropriate AFA to be implemented for a transaction. Such risk assessment shall be based on the risk profile of the customer and / or beneficiary, transaction value, payment origination channel, etc.
- Payment Alerts. Alerting the customers on a near real-time basis for any digital payment transaction other than offline transactions of a value of up to INR 500.
- Customer consent. Obtaining explicit customer consent prior to enabling any new factor of authentication for such customer. The Issuer must also provide the customer with a facility to deregister from using the new factor of authentication.
- Third-party arrangements. Abstaining from any exclusivity arrangement with any payment / technology service provider, such that it limits the Issuer's ability to implement any alternative authentication mechanism.
Comments
The Draft Framework provides clarity on baseline safeguards and practices for authentication of digital payments. While the onus is on the Issuers to implement appropriate authentication requirements on a risk-based approach, a standard threshold-based framework is not prescribed for such risk assessment. The key actionable for Issuers would therefore be implementing the appropriate AFA for its users having varying degree of awareness and technological savviness.
It would be also interesting to witness the implementation of the proposed requirements under the Draft Framework for devices with limited features (without face ID detectors, or fingerprint scanners). In such cases, device binding (tangible credential) along with PIN / OTP (cognitive credential) becomes the only viable form of AFA. However, device binding processes may not be feasible for payment interfaces that operate on a website (and not a native mobile application). Such operational challenges should be taken into account before notification of the Draft Framework in its final form.
Further, while a consent-based framework for implementation of authentication factors is user-centric; where users deny their consent to usage of biometrics, it may inevitably result in denial of service to the user even when the user may be willing to adopt a convenient combination such as password + OTP. This is because both passwords / PINs and OTP belong to the same category of factors of authentication. Such challenges also require careful consideration.
The content of this document does not necessarily reflect the views / position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up, please contact Khaitan & Co at editors@khaitanco.com.