In the last five years, the use of digital payments in India has skyrocketed, with the volume of digital payments going from Rs 2,071 crores in 2018 to Rs 13,462 crores in 2023. But along with this rise, cyber fraud targeting online payments has also risen significantly. In 2023 alone, over 11 lakh complaints on digital payment fraud were reported through the National Cybercrime Reporting Portal (NCRP), helpline number 1930, and through complaints lodged with the police, and the victims have rarely seen any recovery of lost funds.
Two parliamentary panels have taken note of this rise in payment fraud and have prescribed various measures to curb it. In July 2023, the Parliamentary Standing Committee on Finance recommended various measures, a summary of which can be found here. And now, the Parliamentary Standing Committee on Communications and Information Technology on February 8 presented its report on digital payments before the parliament with the following observations and recommendations.
1. Curbing the presence of fraudulent apps on Android and iOS: The easy availability of predatory loan apps, fake KYC apps, and other types of fraudulent apps on Android and iOS is one of the major causes of financial fraud. The Committee took note of this, especially about the higher number of incidents involving Android phones. The IT Ministry informed the Committee that the higher presence of malware and fraudulent apps on Android is due to the sideloading feature, which is being exploited by scammers to peddle apps that access sensitive information of phones like SMS, call logs, etc. The Ministry further informed that the Indian Cybercrime Coordination Centre (I4C) maintains a repository of such fraudulent apps and periodically sends hash values of these to Google for appropriate action. Separately, illegal and fraudulent lending apps are found on both Google Play Store and Apple App Store and these are being regularly sent to these entities for urgent action against such apps. The Committee asked the IT Ministry to inform how effective have these measures been in containing frauds and what actions have Google and Apple taken in response to the information shared with them. Notably, the Parliamentary Standing Committee on Finance also took cognisance of the involvement of fraudulent apps in cyber crimes and recommended various measures to address this such as mandating app stores to share metadata, verifying developer identity, and more stringent vetting of apps. You can read these recommendations here.
2. Promoting local fintech apps over foreign-owned apps: The Committee noted that Google Pay and Phonepe, both owned by foreign entities, dominate the Indian fintech sector as they command over 80 percent of the UPI market share. It urged the government to promote local alternatives as regulation of Indian apps would be more feasible for regulatory bodies. You can read more about this recommendation here.
3. Formulating region-specific strategies to address crimes in hotspots like the Mewat and Jamtara regions: The Committee learned that two major pockets from where cyber frauds originate are the Mewat Region (Delhi, Haryana, Uttar Pradesh and Rajasthan) and Jamtara Region (Jharkhand, Bihar, West Bengal, Chattisgarh and Odisha). The types of fraud committed in these areas include KYC fraud, remote accessing of phones, sextortion, AePS fraud, fake franchise fraud, QR-based fraud and spreading of Android malware. These are of low value but high volume. Notably, the micro-ATMs installed in these areas for the convenience of the general public were being misused to siphon money made through cyber fraud. Taking note of this, the committee recommended that the IT Ministry formulate region-specific strategies to arrest the reoccurrence of cyber frauds in these regions.
4. Addressing AePS frauds carried out by biometric cloning: The Aadhaar Enabled Payment System (AePS) is a payment system that allows users to make financial transactions using their Aadhaar number and biometrics. The Committee learnt that there has been a rise in frauds using AePS due to biometric cloning by using dummy fingers or rubber fingers to withdraw money belonging to someone else. The NPCI and UIDAI informed the Committee that various measures are being taken to reduce these frauds such as requiring banks to enforce stringent checks before onboarding agents that provide AePS facilities, making it mandatory to report fraud to law enforcement agencies, directing banks to disable AePS services for accounts with no debit transactions in the preceding 12 months, etc. The Committee urged the government to enforce these measures to the hilt so that there would be tangible outcomes.
5. Addressing the usage of virtual accounts to mask the trail of money: The Committee was informed that a common tool used in committing financial fraud, especially in investment and predatory loan app scams, is virtual accounts. Banks provide virtual account facilities to some customers such as payment aggregators allowing them to open and map multiple virtual accounts to a single current or escrow account. These payment aggregators in turn assign these virtual accounts to their customers. Law enforcement agencies have little insight into what goes on in these virtual accounts as all the transactions are attributed to the main account. Furthermore, virtual accounts are provided with minimal KYC. Along with virtual accounts, virtual cards that work on Visa and Mastercard networks are used to egress money out of India. Hence, these virtual accounts and cards are being used to mask the trail of funds and might be evading anti-money laundering measures. The Committee noted that this is a very serious lacuna in the banking system and called upon the government to evolve a mechanism wherein such misuse can be checked.
6. Sensitising users via fintech apps: Noting that prevention is the first line of defence, the Committee urged fintech companies like Paytm, Phonepe and Google Pay to use their apps to create awareness about bogus methods being used by fraudsters to dupe people. It asked the government to come up with guidelines requiring platforms to generate awareness in the form of creatives, pop-ups, etc. Platforms must also raise awareness in local and regional languages so that users in rural and remote areas of the country are sensitised.
7. Working with foreign jurisdictions to curb crimes carried out from outside the country: Many cyber frauds include activity carried out outside the country, especially by Chinese actors operating from Dubai, Cambodia, Vietnam, and Hong Kong. Investment scams which run largely through the Telegram app, task-based scams, illegal loan apps, illegal gaming apps, ransomware, and matrimony scams (largely from Nigeria) are some examples of crimes carried out from other jurisdictions. In these cases, it is difficult for Indian agencies to locate the perpetrators. The Committee, therefore recommended that the government focus on proper coordination with law enforcement agencies of the countries from which these scammers operate. Further, the best practices of other countries such as the Financial Fraud Kill Chain (FFKC) and FBI’s Internet Crime Complaint Center (IC3) both followed in the US and the Anti Scam Centre in Singapore should be explored for implementation in India as well.
8. Setting up a nodal centre with representatives from various agencies to tackle cyber crimes more holistically: Given that the issues related to cyber security are diverse ranging from hacking of critical digital infrastructure to social engineering techniques to lure people for quick financial gains, a single agency can’t focus on all aspects, the Committee noted, stressing the need for coordination among various agencies like the IT Ministry, the Indian Cybercrime Coordination Centre (I4C), the Department of Financial Services, CERT-In, RBI, and NPCI. The Committee found the current coordination wanting and asked the government to see the feasibility of having a nodal centre which houses representatives of all these agencies to address issues more holistically.
9. Training staff in monitoring and law enforcement agencies to tackle cyber crime: The Committee highlighted that cyber security has diverse domains and to cater to these domains adequate staff specialised and trained in tackling cybercrimes is required. To this effect, the Committee recommended that the government train staff in monitoring and law enforcement agencies such as CERT-In, CSIRT-Fin, and state law enforcement agencies, equipping them with skills needed to understand and tackle cybercrime.
10. Punitive measures to curb cyber crimes have not been effective and need to be overhauled: Despite the exponential rise in cyber crimes over the last few years, the conviction rate in these cases is very low. As per the Crime in India (2017-2021) report published by the National Crime Records Bureau, as against the 54,979 cyber cases registered for trial in the year 2021, in only 491 cases the accused have been convicted. Given this, the committee concluded that punitive measures have not been very effective in tackling cyber crimes and called for a statutory and legislative overhaul in the domain of cybercrimes so that punitive measures under the law act as a deterrent for criminals. Additionally, the committee noted that only having punitive measures to combat cyber fraud is long-drawn, time-consuming, and less effective, and instead, the government should have a multipronged approach with effective coordination of all stakeholders.
11. Effectiveness of the existing fraud reporting mechanism: The IT Ministry informed the Committee that financial entities are required to report all fraud instances to the Central Payments Fraud Information Registry (CPFIR) either reported by their customers or detected by the entities themselves regardless of value. Before reporting, they are required to validate the payment fraud information reported by the customer in their system to ensure authenticity and completeness. The timeline to report these frauds for both domestic and international transactions is 7 days from when the fraud was detected or reported. The Committee asked the Ministry the extent to which these measures have been successful in checking financial fraud or have helped in reporting fraud.
12. Streamlining the process of returning money to victims of fraud: The Committee noted that while fraud is rising at an alarming rate, in comparison to that recovery made the amount returned to the victim is very low. For example, in 2022, Rs 2294 crore was lost in cyber frauds but only Rs .57 crore was returned to the victims. Additionally, the Committee found that there is a high turnaround time to close complaints lodged by victims of fraud and fraud money is only refunded through a court order. In light of this, the Committee urged the government to streamline the process of the return of the amounts to the victims.
13. Strengthening cybersecurity of government infrastructure: The Committee took note of the rising number of cyber incidents targeted at government infrastructure. A total number of 110, 54, 59, 42, 50 and 58 website hacking incidents of central ministries or departments and state government organizations were observed during the years 2018, 2019, 2020, 2021, 2022 and 2023 (up to September) respectively. The Committee urged the government to strengthen the cyber security of government websites and other critical digital infrastructure and to ensure adherence to cybersecurity guidelines issued by the IT Ministry.
Also Read
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!