India is fast becoming the global ransomware capital, says NPCI CEO – ET CISO
Dominance of a few players may not be in the best interest and there is a need to raise competition, Asbe said in the exclusive interaction.
Our focus has been on enabling specific use cases. With the support of SEBI, we are nearing 50% of total retail IPO applications using . It is helping expand investments, especially among the younger generations. Similarly, the AutoPay (recurring mandates) solution is gaining traction, and Netflix, Hotstar are in the initial stages of going live. has just been launched. We now have customers of more than 200 banks using the UPI platform, and we intend to roll this out to clients of 500 banks.
There have been discussions about payment failures. How effective has NPCI been in bringing down transaction failure rates since last year?
With the regulatory support, we now have multiple daily settlements including the weekends on all our systems including the card payments – the first of its kind in the world. This reduces settlement risks significantly and allows banks and others to put more volumes on NPCI systems. Last year, we saw an incredible increase in digital transactions. To manage this increased volume efficiently, NPCI, banks, with the dashboard published by Meity and the regulator have increased the capacity of core platforms. If you see month on month, the transaction failures have reduced substantially, and recent volume growth is proof of the pudding.
NPCI recently launched E-Rupi with the government of India. How is the live implementation of this service?
e-RUPI is a context-free, purpose-specific and person-specific solution. There could be many use cases that can leverage this new platform. The top 15 banks of the country have already enabled the workflows; however, the acceptance ecosystem will still have to be built. It reverses the standard UPI model of customers scanning the merchant QR code; here the merchant scans and thus needs the smart phone.
Cyber-attacks have been the biggest worry in the digital space. There have been some high-profile breaches of customer payment data. How is NPCI dealing with it?
This is a super critical issue for the ecosystem. This is something that keeps us worried and awake. Recently I read that India is becoming or has become the Ransomware capital of the world, and most of these demands are in crypto currencies. The regulator has recently delivered a strong “tokenisation framework” which reduces the risk to almost near zero for card payments, if the ecosystem adopts them effectively. While there may be some criticism that it may increase the consumer friction in short term, finally, if there is a large breach, the blame is always on the regulator. The question is who takes the liability, and how do we protect the customers from such breaches? We want all start-ups, irrespective of their size and risk appetites, to participate in payments to expand the market. But how does the regulator mitigate the risk than better technology implementation? As we all know, security standards and certifications are necessary but may not be adequate.
So does tokenization address it?
We at NPCI believe RBI’s initiative is a welcome step and with efficient implementation of tokenization, the customer experience and trust will actually increase. There is nothing to fear. I recall a similar situation when RBI decided to implement the 2-factor authentication in 2012. The entire industry was against the RBI and, in just a few years, everyone started praising the decision and now the world is adopting the same. Customer protection always involves tough actions which benefit the system in the long-run. The regulator must implement without hesitation and deal with short-term criticism.
What about security at NPCI itself?
We at NPCI ensure that robust and in-depth security standards are applied – from infrastructure to data security. We are gearing to implement this in RuPay in the next few days, and in addition the UPI with its inherent design offers safe and secure tokenization.
What is the rationale behind implementing the 30% market share cap rule for UPI? Even now two firms – PhonePe and GPay – are dominating 85% of the market. Will this be a problem?
The market share cap is implemented keeping in mind the concentration risk approach while ensuring that it doesn’t hinder the growth of UPI to the extent possible. We still believe the existing players such as Paytm, Amazon Pay and WhatsApp shall increase their market share in due course so that we don’t need to interfere or take any action to reduce or curtail the growth of UPI. Now, we also see that popular banks’ apps have been converted to full-fledged UPI apps (our long demand) example is iMobile, and we understand Yono and Payzapp shall enable soon. With these measures, we believe that the market share should balance itself out. We are actively consulting various players to increase their penetration in UPI. While digital is still at such a nascent stage, curtailing the UPI growth in the near future may not be in the best interests of the country. We still need huge growth in UPI, especially to enable the next 300 million users in the country who have smartphones and bank accounts, and the ecosystem efforts shall make it happen in the next 24 months.
The MDR was waived in 2020. What has been the impact on Rupay card issuances?
Majority of the MDR (charges from the merchants to accept digital payments) funds the acceptance or infrastructure deployment of those services. The network or the clearing house gets about 10 to 15% of these charges. This is the only source of revenue for the ecosystem to fund the increasing the acceptance infrastructure, superior customer service or protection, prudent cyber security investments and the upscale central IT infrastructure by the entire chain of players part of digital payments. We believe that reasonable MDR charges should be levied so that the digital ecosystem can expand and grow. RuPay and UPI, the home-grown systems are put to disadvantage to some extent due to this regulation.
Coming back to, how can RBI’s new rules on tokenization help?
What RBI is saying is – you can’t store. There is an acceptance ecosystem and issuance ecosystem and there is a network. What the RBI is saying is that apart from the network and issuer, nobody can save card details. Tokenization is something like an alias number for the card which can be stored by anyone. So even if there is a breach, the customer card data won’t be impacted. UPI on the other hand is already a tokenized system right from the design. For cards – the number is part of the authentication design. While it puts a short-term burden on the ecosystem so there will be criticism of the regulator, but we must look long term.
Has NPCI gone live with tokenization?
We have gone live with Jio and are in the process of going live with GPay. We have given the communication to the regulator that we will be ready for tokenization by 30th September and we will onboard our ecosystem before the RBI deadline of 31st December. Bank by bank we will have to certify our partners, which will be done.
The RBI has announced a Payments Infrastructure Development Fund (PIDF). How is the progress on the implementation of this?
It’s already operational. PIDF objective is to create an acceptance ecosystem in J&K and North East. Both POS and QR have different acceptance models. The question is whether demand comes first or supply. PIDF is aimed at fixing the supply side in tier 3 and beyond. PIDF is a big enabler to get the next 300 million into the digital journey. With increased smartphone penetration
What is the outlook on Bharat Bill Payment Systems?
We are very bullish on BBPS and good growth. We are building an ecosystem around BBPPs. There are Operating Units that are licensed by RBI. Around 15+ are licensed and we have over 15 more interested in becoming OUs. The ecosystem I think will grow around BBPS with banks, fintech and startups.
RBI is now reportedly mulling over deferring the New Umbrella Entity scheme. Would the introduction of NUE affect innovation being led by NPCI? How do you view competition in this space?
We have always shaped the market with localised innovation, and we shall continue to do so, with or without NUEs. We have been competing very hard with on card and mobile payments with international card schemes that are well entrenched in the world market. We or for that matter anybody cannot survive nor succeed without innovation and faster execution in such a fast-moving payment space.
NPCI’s design as of today is more like not for profit. Can NPCI compete with NUE which is likely to come up and operate on commercial terms?
RBI and the top banks (with support of IBA) in the country created NPCI as “public good” and nurtured and made this organisation reasonably successful selflessly. China appears to adopt what India did a decade back, but again every country has different objectives and agendas.