Topics In Demand
Notification
New

No notification found.

Reserve Bank of India (RBI): Representation on ‘Consideration of App-based notifications for account related transactions’
Reserve Bank of India (RBI): Representation on ‘Consideration of App-based notifications for account related transactions’

May 31, 2022

2562

0

  1. Backdrop

We made a representation to the Reserve Bank of India (RBI) on considering allowing app-based notifications for account related transactions. Currently, the RBI has circulars and notifications which require banks to send SMS alerts to customers and the charges to be levied for such alerts. (You can find a list of these circulars below)

According to RBI’s circular on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’[1], banks are required to register their customers for SMS alerts for electronic banking transactions. According to a report by National Payments Council of India (NPCI), approximately 87% of households in 2020, received SMS updates from banks.[2] With increased adoption of smartphones[3] and digital penetration[4], alternatives to SMS based notifications are worth considering.

In this regard, we also note that the circulars specified below largely predate the developments related to smartphones, mobile applications, increased digitalisation, and internet penetration in the country, and therefore, are restricted to only SMS. Since then, several interactions between the state and citizens, and private entities and citizens are facilitated via the internet in a safe, secure, and efficient manner. Due to fast paced technological developments, regulators are increasingly focusing on the intention of the law and technology neutrality of regulations.  Therefore, the focus of a regulation should be to enable secure and efficient access of information to a citizen in a certain manner, instead of regulating the medium of which the information is transmitted or stored.

With this backdrop, we made certain suggestions related to allowing ‘In-App notifications’ by RBI regulated entities for safe and secure transmission of information related to any account-based transactions of a customers. Alternatively, we also recommended that the RBI could consider defining what all a notification shall entail and amend its circulars accordingly.

  1. Considerations to adopt ‘In-App notifications’

 

  1. SMS based frauds

The Telecom Regulatory Authority of India (TRAI) has come up with circulars and guidelines to prevent SMS-based frauds and to impose restrictions on commercial SMSes.[5] However, SMS continues to be used by fraudsters because these guidelines do not apply to personal SMS. It is worth noting that there is no mechanism in place to authenticate and ascertain genuineness of such SMSes by telecom companies or their aggregators. There have been instances where customers have fallen prey to such malicious SMS senders pretending to an RBI Regulated Entity (RE) leading to financial losses. Even RBI has acknowledged these financial frauds in its recently released booklet called “BE(A)WARE” where it acknowledged that there has been a surge in financial frauds and that this was a root cause of analysis of the complaints received at Ombudsmen Offices.[6] This booklet includes various SMS based frauds, OTP based frauds and SIM swapping or cloning frauds.[7]

In addition to these, there are of examples where SMS services have been relied upon by malicious actors to defraud bank unsuspecting customers. This is particularly challenging for customers who find it difficult to demarcate between malicious and genuine SMSes. For example, several customers have been duped under the pretext of KYC updation through fake SMSes.[8]

  1. Scope of ‘In-app notifications’

To remedy the problems related to SMSes to an extent, we suggested that the RBI could consider introducing ‘In-app notifications’ to provide a single channel of communication to customers.

This would be an alternative channel for alerts within the banking apps and can be considered to replace SMS based alerts to a limited extent for now. Herein, transaction and account-based notifications will be prompted on mobile application of the banking app itself instead of SMS based notifications sent through a third-party intermediary or aggregatory. In addition to these, the ‘In-App notifications’ have additional features including:

  • Direct channel of communication between banks and customers: Since these ‘In-App notifications’ shall serve as a direct channel of communication between a bank and its customer, no third-party will be able to send alerts, thereby, mitigating the possibility of fake or phishing messages.
  • Lower failure rates than SMS notifications: As per industry inputs, the failure rate for SMS-based notifications is higher due to multiple hops. However, since ‘In-App notifications’ serve as direct communication between the bank and customer, they might have a higher success rate than SMS-based notifications.
  • Cost: SMS charges are mandatory communications which come as a significant cost to be borne by RBI regulated entities. For instance, as per industry inputs, we have informed that the cost of an ‘In-App notification’ is ₹ 0.001. According to Government of India’s data, digital payments transactions in FY 21-22 were ₹ 8734 crore.[9] Therefore, the approximate cost of sending ‘In-App notifications’ would have been ₹ 8.8 crore.

Comparatively, each SMS based notification costs ₹0.12. Therefore, the cost of sending SMS-based notifications would have been approximately ₹ 1048 crore.

 

  1. Elements of an in-app notification

In this regard, we noted that to ensure that ‘In-app notifications’ serve the purpose of an informed customer, and that is recordable, the following could be mandated for the same:

  • Only by RBI regulated entities: Only regulated entities be allowed to send ‘In-App notifications’ to mitigate the possibility of malicious messages defrauding customers. As has been noted above, this will eliminate the third-party intermediaries or aggregators required to send SMSes, and therefore, the responsibility shall be of RBI regulated banks to send notifications related to any transactions associated with the customer’s account.
  • Enhanced security and privacy: As noted above, since no third party will be able to send ‘In-app notifications’, the possibility of frauds might reduce. Due to the absence of any intermediary, the data shall be secured within the banking ecosystem, and therefore, will be required to adhere to any data security guidelines or directives issued by the RBI.

The RBI could also consider including an additional factor of authentication (AFA) for the customer to read an ‘In-App notification’.  

  • History and retention requirements, and data portability: The RBI could consider mandating that the ‘In-App notifications’ be retained on bank servers according to relevant statutory and regulatory requirements. However, similar to SMSes, customers should be allowed to retain these messages in perpetuity, and that in case a customer changes their cellular device or has deleted the app, older alerts should be retained in the chat messages section.[10]

These notifications can be (and should be required to be) automatically backed up and restored when a user logs in to a new device or when the app is re-installed on the same device.[11]

Compared to this, as per industry feedback, SMS logs are stored locally. Though they can be backed up, in case the phone is damaged or stolen, these cannot be restored.

  • Language: ‘In-App notifications’ can be required to be sent in all official languages. Comparatively, as per industry feedback, the option to choose the preferred language for receiving SMSes exist only for a few banks.
  • Traceability: It needs to be noted that Telecom service providers (TSPs) maintain a message history so that in case of any reference or dispute, the SMS sent date and time can be checked. In an analogous manner, details of ‘In-App notifications’ can be preserved by the banks on a server in case of a dispute. App-based chat messaging systems, unlike SMS, also provide details on when a user has seen the notification and hence, can provide a better traceability of communication over SMS.

Alternatively, we suggested that the RBI, based on parameters required for an ‘In-App notification’ above, could consider defining the parameters of a ‘notification’ such as traceability, language, retention, security requirements amongst others, and not restrict to any specific technology such as SMS, In-App notifications etc. This will allow space for innovation in transaction and account-based notification technologies with enhanced security, privacy, and accessibility.

  1. Recommendations

Based on the above, we recommended that the RBI may consider a phase-wise approach for moving in-to ‘In-App notifications’. This would include:

Phase I: For small volume transactions of upto ₹ 10,000 – Herein, an option may be given to the user to choose either or both SMS and ‘In-App notifications’, and for more than ₹ 10,000 transactions, both SMS and In-App notifications may be mandatory.

Phase 2: Herein, for transactions of upto ₹ 10,000, only ‘In-App notifications’ may be sent to the user who have opted-in for this service. For more than ₹ 10,000 transactions, both SMS and ‘In-App notifications’ may be made mandatory.

However, it needs to be noted that these considerations may exist only for customers with access to smartphones, internet and mobile-banking apps.

For more information, kindly write to apurva@nasscom.in.

List of RBI circulars/notifications directing banks to send SMS alerts

 

Year

Circular

Brief Summary

2011

Security Issues and Risk Mitigation measures – Online alerts to the cardholder for usage of credit/debit cards, 2011[12]

The notification directs banks to take steps to put in place a system of online alerts for all types of transactions, irrespective of the amount, involving the usage of cards at various channels.

2013

Charges levied by banks for sending SMS alerts, 2013[13]

As per this notification, “Banks are required to put in place a system of online alerts for all types of transactions irrespective of the amounts involving usage of cards at various channels.” The notification says, “considering the technology available with banks and the telecom service providers, it should be possible for banks to charge customers based on actual usage of SMS alerts. Accordingly, with a view to ensuring reasonableness and equity in the charges levied by banks for sending SMS alerts to customers, banks are advised to leverage the technology available with them and the telecom service providers to ensure that such charges are levied on all customers on actual usage basis.”

2017

Customer Protection – Limiting Liability of Customers, 2017[14]

As per this circular, “Banks and PPIs issuers shall ensure that their customers mandatorily register for SMS alerts and wherever available also register for e-mail alerts, for electronic payment transactions. The SMS alert for any payment transaction in the account shall mandatorily be sent to the customers and e-mail alert may additionally be sent, wherever registered. The transaction alert should have a contact number and/or email-id on which a customer can report unauthorized transaction or notify the objection.” The circular further states that “ banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an email address to notify the objections, if any.”

 

 

 

[1] See, Reserve Bank of India, Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (July, 2017), available at https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NOTI15D620D2C4D2CA4A33AABC928CA6204B19.PDF.  

[2] See, National Payments Corporation of India, Digital Payments Adoption in India, 2020 (2020), page 7, available at Report on Digital Payment India 2020_14th Jan'21_2_Final (npci.org.in).

[3] See, Deloitte, Deloitte’s 2022 TMT Predictions for India – Big bets on smartphones, semiconductors and streaming service, available at https://www2.deloitte.com/in/en/pages/technology-media-and-telecommunications/articles/big-bets-on-smartphones-semiconductors-and-streaming-service.html; Also see, India Cellular & Electronics Association (ICEA), Contribution of smartphones to Digital Governance in India – A study by India Cellular & Electronics Association (July 2020), page 18, available at https://icea.org.in/wp-content/uploads/2020/07/Contribution-of-Smartphones-to-Digital-Governance-in-India-09072020.pdf.

[4] See, Telecom Regulatory Authority of India, Highlights of Telecom Subscription Data (January, 2022), available at https://www.trai.gov.in/sites/default/files/PR_No.04of2022_2.pdf.

[5] See, Telecom Regulatory Authority of India, Telecom Commercial Communication Customer Preference Regulations (TCCCPR) (2018), available at https://www.trai.gov.in/sites/default/files/RegulationUcc19072018_0.pdf.

[6] See, Reserve Bank of India, BE(A)WARE (March, 2022), available at https://rbidocs.rbi.org.in/rdocs/content/pdfs/BEAWARE07032022.pdf.

[7] See, Reserve Bank of India, BE(A)WARE (March, 2022), page 3, 9, 19-20, available at https://rbidocs.rbi.org.in/rdocs/content/pdfs/BEAWARE07032022.pdf.

[8] See, Jagmeet Singh, Digital Payment Frauds reach a new high in India during pandemic (October, 2020), Gadgets360, available at https://gadgets360.com/internet/features/digital-payments-paytm-kyc-google-pay-frauds-india-coronavirus-outbreak-2307236; Also see, Bismee Taskin, Bulk SMS, calls, fake SBI app, 6 modules – how KYC fraudsters looted over 8,000 victims (March, 2022), The Print, available at https://theprint.in/india/bulk-sms-calls-fake-sbi-app-6-modules-how-kyc-fraudsters-looted-over-8000-victims/895059/; Also see, IndiaTV, Bank warns fraudsters sending fake bulk messages, says do this to stay safe (2019), available at https://www.indiatvnews.com/business/news-hdfc-bank-warning-fraudsters-fake-message-fraud-trading-company-sbi-567367.

[9] See, Ministry of Electronics and Information Technology (MeitY), DigiDhan Dashboard, available at https://digipay.gov.in/dashboard/About.aspx.

[10] SMSes are stored for a period of six months by Telecom companies as mandated by the Ministry of Home Affairs. See, Joji Thomas Philip, Telcos told to archive text messages for six months (2010), available at https://economictimes.indiatimes.com/industry/telecom/telcos-told-to-archive-text-messages-for-6-months/articleshow/6766072.cms?from=mdr.

[11] Compared to this, as per industry feedback, SMS logs are stored locally. Though they can be backed up, in case the phone is damaged or stolen, these cannot be restored.

[12] See, Reserve Bank of India, Security Issues and Risk mitigation measures – online alerts to the cardholder for usage of credit/debit cards (2011), available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=6309.

[13] See, Reserve Bank of India, Charges levied by banks for sending SMS alerts (2013), available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=8594&Mode=0.

[14] See, Reserve Bank of India, Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (2017), available at https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NOTI15D620D2C4D2CA4A33AABC928CA6204B19.PDF.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Apurva Singh
Senior Policy Associate

Write to me for all things related to FinTech, Drones, Data and Gaming

© Copyright nasscom. All Rights Reserved.