- Backdrop
We made a representation to the Reserve Bank of India (RBI) on considering allowing app-based notifications for account related transactions. Currently, the RBI has circulars and notifications which require banks to send SMS alerts to customers and the charges to be levied for such alerts. (You can find a list of these circulars below)
According to RBI’s circular on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’, banks are required to register their customers for SMS alerts for electronic banking transactions. According to a report by National Payments Council of India (NPCI), approximately 87% of households in 2020, received SMS updates from banks. With increased adoption of smartphones and digital penetration, alternatives to SMS based notifications are worth considering.
In this regard, we also note that the circulars specified below largely predate the developments related to smartphones, mobile applications, increased digitalisation, and internet penetration in the country, and therefore, are restricted to only SMS. Since then, several interactions between the state and citizens, and private entities and citizens are facilitated via the internet in a safe, secure, and efficient manner. Due to fast paced technological developments, regulators are increasingly focusing on the intention of the law and technology neutrality of regulations. Therefore, the focus of a regulation should be to enable secure and efficient access of information to a citizen in a certain manner, instead of regulating the medium of which the information is transmitted or stored.
With this backdrop, we made certain suggestions related to allowing ‘In-App notifications’ by RBI regulated entities for safe and secure transmission of information related to any account-based transactions of a customers. Alternatively, we also recommended that the RBI could consider defining what all a notification shall entail and amend its circulars accordingly.
- Considerations to adopt ‘In-App notifications’
- SMS based frauds
The Telecom Regulatory Authority of India (TRAI) has come up with circulars and guidelines to prevent SMS-based frauds and to impose restrictions on commercial SMSes. However, SMS continues to be used by fraudsters because these guidelines do not apply to personal SMS. It is worth noting that there is no mechanism in place to authenticate and ascertain genuineness of such SMSes by telecom companies or their aggregators. There have been instances where customers have fallen prey to such malicious SMS senders pretending to an RBI Regulated Entity (RE) leading to financial losses. Even RBI has acknowledged these financial frauds in its recently released booklet called “BE(A)WARE” where it acknowledged that there has been a surge in financial frauds and that this was a root cause of analysis of the complaints received at Ombudsmen Offices. This booklet includes various SMS based frauds, OTP based frauds and SIM swapping or cloning frauds.
In addition to these, there are of examples where SMS services have been relied upon by malicious actors to defraud bank unsuspecting customers. This is particularly challenging for customers who find it difficult to demarcate between malicious and genuine SMSes. For example, several customers have been duped under the pretext of KYC updation through fake SMSes.
- Scope of ‘In-app notifications’
To remedy the problems related to SMSes to an extent, we suggested that the RBI could consider introducing ‘In-app notifications’ to provide a single channel of communication to customers.
This would be an alternative channel for alerts within the banking apps and can be considered to replace SMS based alerts to a limited extent for now. Herein, transaction and account-based notifications will be prompted on mobile application of the banking app itself instead of SMS based notifications sent through a third-party intermediary or aggregatory. In addition to these, the ‘In-App notifications’ have additional features including:
- Direct channel of communication between banks and customers: Since these ‘In-App notifications’ shall serve as a direct channel of communication between a bank and its customer, no third-party will be able to send alerts, thereby, mitigating the possibility of fake or phishing messages.
- Lower failure rates than SMS notifications: As per industry inputs, the failure rate for SMS-based notifications is higher due to multiple hops. However, since ‘In-App notifications’ serve as direct communication between the bank and customer, they might have a higher success rate than SMS-based notifications.
- Cost: SMS charges are mandatory communications which come as a significant cost to be borne by RBI regulated entities. For instance, as per industry inputs, we have informed that the cost of an ‘In-App notification’ is ₹ 0.001. According to Government of India’s data, digital payments transactions in FY 21-22 were ₹ 8734 crore. Therefore, the approximate cost of sending ‘In-App notifications’ would have been ₹ 8.8 crore.
Comparatively, each SMS based notification costs ₹0.12. Therefore, the cost of sending SMS-based notifications would have been approximately ₹ 1048 crore.
- Elements of an in-app notification
In this regard, we noted that to ensure that ‘In-app notifications’ serve the purpose of an informed customer, and that is recordable, the following could be mandated for the same:
- Only by RBI regulated entities: Only regulated entities be allowed to send ‘In-App notifications’ to mitigate the possibility of malicious messages defrauding customers. As has been noted above, this will eliminate the third-party intermediaries or aggregators required to send SMSes, and therefore, the responsibility shall be of RBI regulated banks to send notifications related to any transactions associated with the customer’s account.
- Enhanced security and privacy: As noted above, since no third party will be able to send ‘In-app notifications’, the possibility of frauds might reduce. Due to the absence of any intermediary, the data shall be secured within the banking ecosystem, and therefore, will be required to adhere to any data security guidelines or directives issued by the RBI.
The RBI could also consider including an additional factor of authentication (AFA) for the customer to read an ‘In-App notification’.
- History and retention requirements, and data portability: The RBI could consider mandating that the ‘In-App notifications’ be retained on bank servers according to relevant statutory and regulatory requirements. However, similar to SMSes, customers should be allowed to retain these messages in perpetuity, and that in case a customer changes their cellular device or has deleted the app, older alerts should be retained in the chat messages section.
These notifications can be (and should be required to be) automatically backed up and restored when a user logs in to a new device or when the app is re-installed on the same device.
Compared to this, as per industry feedback, SMS logs are stored locally. Though they can be backed up, in case the phone is damaged or stolen, these cannot be restored.
- Language: ‘In-App notifications’ can be required to be sent in all official languages. Comparatively, as per industry feedback, the option to choose the preferred language for receiving SMSes exist only for a few banks.
- Traceability: It needs to be noted that Telecom service providers (TSPs) maintain a message history so that in case of any reference or dispute, the SMS sent date and time can be checked. In an analogous manner, details of ‘In-App notifications’ can be preserved by the banks on a server in case of a dispute. App-based chat messaging systems, unlike SMS, also provide details on when a user has seen the notification and hence, can provide a better traceability of communication over SMS.
Alternatively, we suggested that the RBI, based on parameters required for an ‘In-App notification’ above, could consider defining the parameters of a ‘notification’ such as traceability, language, retention, security requirements amongst others, and not restrict to any specific technology such as SMS, In-App notifications etc. This will allow space for innovation in transaction and account-based notification technologies with enhanced security, privacy, and accessibility.
- Recommendations
Based on the above, we recommended that the RBI may consider a phase-wise approach for moving in-to ‘In-App notifications’. This would include:
Phase I: For small volume transactions of upto ₹ 10,000 – Herein, an option may be given to the user to choose either or both SMS and ‘In-App notifications’, and for more than ₹ 10,000 transactions, both SMS and In-App notifications may be mandatory.
Phase 2: Herein, for transactions of upto ₹ 10,000, only ‘In-App notifications’ may be sent to the user who have opted-in for this service. For more than ₹ 10,000 transactions, both SMS and ‘In-App notifications’ may be made mandatory.
However, it needs to be noted that these considerations may exist only for customers with access to smartphones, internet and mobile-banking apps.
List of RBI circulars/notifications directing banks to send SMS alerts
|
Year
|
Circular
|
Brief Summary
|
|
2011
|
Security Issues and Risk Mitigation measures – Online alerts to the cardholder for usage of credit/debit cards, 2011
|
The notification directs banks to take steps to put in place a system of online alerts for all types of transactions, irrespective of the amount, involving the usage of cards at various channels.
|
|
2013
|
Charges levied by banks for sending SMS alerts, 2013
|
As per this notification, “Banks are required to put in place a system of online alerts for all types of transactions irrespective of the amounts involving usage of cards at various channels.” The notification says, “considering the technology available with banks and the telecom service providers, it should be possible for banks to charge customers based on actual usage of SMS alerts. Accordingly, with a view to ensuring reasonableness and equity in the charges levied by banks for sending SMS alerts to customers, banks are advised to leverage the technology available with them and the telecom service providers to ensure that such charges are levied on all customers on actual usage basis.”
|
|
2017
|
Customer Protection – Limiting Liability of Customers, 2017
|
As per this circular, “Banks and PPIs issuers shall ensure that their customers mandatorily register for SMS alerts and wherever available also register for e-mail alerts, for electronic payment transactions. The SMS alert for any payment transaction in the account shall mandatorily be sent to the customers and e-mail alert may additionally be sent, wherever registered. The transaction alert should have a contact number and/or email-id on which a customer can report unauthorized transaction or notify the objection.” The circular further states that “ banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an email address to notify the objections, if any.”
|
