‘India far more secure than others from transaction fraud’7 min read . Updated: 16 Dec 2015, 01:54 AM IST
In conversation with Saket Modi, Santanu Mukherjee, Sanjay Bahl, Nitin Gupta and Rajat Kathuria at Mint's Cash to Digital Summit
New Delhi: With technology disrupting the way we transact, there is a larger threat of technology-led frauds as well. Tackling them is a huge concern for all stakeholders such as banks, customers, solution providers and regulators. A panel at the Mint Cash to Digital Summit discusses related issues and possible solutions. Moderated by Anil Padmanabhan, deputy managing editor of Mint, the panel includes Saket Modi, co-founder and chief executive at Lucideus Tech; Santanu Mukherjee, chief innovation and strategy officer at Janalakshmi Financial Services; Sanjay Bahl, senior consultant, Computer Emergency Response Team-India; Nitin Gupta, co-founder and chief executive at PayU India; and Rajat Kathuria, director and chief executive at Indian Council for Research on International Economic Relations (ICRIER). Edited excerpts:
Padmanabhan: What are the security threats as we move towards digital money and how can we tackle them?
Mukherjee: On the things that we started doing since Janalakshmi’s inception, in some ways ahead of the curve, was investing in technology. In addition to the traditional core banking solutions, some time in 2008-09, we believed that given the profile of the customers, biometric is the way to go. Even before the Aadhaar initiative started, we started investing in biometrics. We have close to three million customers and the internal authentication is done through biometrics. We use it both for on-boarding of customers as well as regular collections.
Towards the second half of 2015, we started a journey on transforming our technology architecture, given into account the scales and ambitions that we have from moving from a purpose-based technology to a payment-centric platform. At that point we launched prepaid cards and moved all loans to a PIN secured card. I think Aadhaar is more secure than other identity threats. And we are talking about people who have never been exposed to financial services. As we grow more into the electronic journey, whether it is mobile wallet, cards or others, I think the security and identity issue is going to remain our focus.
Modi: As a young start-up we not only work with RBI (Reserve Bank of India), NPCI (National Payments Corporation of India) and banks, we also work with some Fortune 500 banks across the globe. The only difference between the service we are providing to Indian banks and banks abroad is that we charge $300 a man day here and there we charge $2,000. It is exactly the same people doing the same job, providing the same security.
There is a perception that since some banks spend more on security and still get breached, connecting security with spend, it is okay to tell the investors but when you look at it from the technology perspective, it is more than the spend. So, we are in no way incompetent or less secure than any bank abroad. We should also be proud of RBI because if you go to the US or Europe, you still do not have the chip and PIN facility. Most frauds that are happening there are still due to card swiping and it is easy to skim a credit card or debit card. It was the RBI which mandated the two factor authentication and it has drastically brought down the number of frauds which were otherwise happening three years back.
Gupta: When it comes to transactions, we are far more secure than the rest of the world. If you look at a country like the US, a typical merchant would lose 1% of the transaction value to frauds. In India that number is less that 0.05%. And actually the merchant does not bear that loss anymore because that liability gets shifted to the consumer. If we look at the total ecosystem, thanks to RBI but we are ahead of some of the other countries but that does not mean that bad things are not happening.
In spite of 3D Secure, losses are happening. The question then is how do you protect the consumer in such a case. As a wallet and check-out service provider, that is a key problem that we try to solve. In another two years, every smartphone that we carry will have a fingerprint identifier. What that means is that by default, everything we do we uses fingerprints. In two years, every transaction will be via that fingerprint. In a traditional world, people thought convenience and security were two trade-offs. If you wanted things to be simpler, you had to give up on security.
Do you think fingerprints can face challenges?
Bahl: Yes, fingerprints can be cloned. There have been enough cases where hackers and researchers have shown that it can happen. When you look at security per se, it is about people, process and technology. If you have these three things right, you can look at being more secure. What is being done today is that things that were done physically till now are being automated. From a customer point of view, you need to look at what is the value that one is going to get. When we are moving into a knowledge economy, you need to start creating that knowledge. We buy things because of quality than brand value. So security is a quality factor. If you are building systems and not putting in quality, no one will use them. So if you have governance and security, you will also have profitability.
What is your big-picture observation of the way things are moving?
Kathuria: I agree that there is a seeming trade-off between security and convenience, but I think there is a bigger challenge for India, which is the financial inclusion. It is a question about technology enabling access and therefore providing more access to financial products. That was something that was sorely and severely lacking in India. We had all kinds of experiments—we had banks, regional rural banks, co-operative banks—and then this type of disruptive technology came in. It is providing us the possibility of reaching out to the unbanked.
Of course, security has been a big concern. We will always make what economists call type 2 errors and we will have to live with that in the sense that there will be abuse of the system, but we have to minimize that and that is where regulation and enforcement comes in. We will never be able to get anything 100% right.
But one thing is clear that the market is probably at least a step ahead of the regulator. So the regulatory mechanism will always play catch-up to the market. But that does not mean that you throw the regulatory apparatus out of the picture. The reason why the RBI has been risk-averse is because India has a huge number of people who are transacting through small accounts. So one has to safeguard that money and therefore, there has been progress albeit a little slow. So the big picture is that we have technology that has come in, we have huge number of unbanked people in the country, we have huge amount of credit requirement in the country, technology is an enabler. If I have to use a strong word from the research we have done is that the physical banking system has failed because it is too expensive to meet those small-ticket requirements and the economies of scales are not realized. So aggregation through technology is the way to go. And smartphones will help us overcome all these hurdles that we have faced in the Indian market.
With technology coming, the nature of fraud will also become organized. How do we tackle that when it comes to customer interface?
Mukherjee: For us the customers are underserved ones. Many of them are the first-time user of financial services. We spend a lot of time educating them in terms of responsible use of financial products and technology. Whenever there is a dispute, we have found that someone else is doing the transaction. So for this segment I am not worried if there will be a cyber attack. But I am worried how to educate them for responsible usage. So while we invest in technology, this part has to be looked into for the segment we are working with.
Gupta: Technology cannot be thought of in traditional ways. Whether robbers or organized crimes, it will continue to remain one step ahead. But as institutions, we have to keep that pace when it comes to security. We have to use the best practices. Otherwise what will happen is that 100 years ago a lot of banks went bankrupt because somebody robbed them. Similar things can happen to institutions of today if they are not thinking one step ahead in terms of technology.