In February 2017, WhatsApp announced its plans to introduce a UPI-based payments service in India. Since then, a number of developments have taken place with respect to the payments service, including a discussion on privacy concerns surrounding the application’s use of customer data. This post provides a timeline of all the developments that have taken place on this front since the February announcement last year.
|February 2017||First reports of WhatsApp planning to enter payments in India.|
|July 2017||WhatsApp gets a nod from the National Payments Corporation of India (“NPCI”) for UPI payments.|
|January 2018||(i) WhatsApp partners with 4 banks – SBI, ICICI Bank, HDFC Bank and Axis Bank. Users to have the freedom to transact through any of these banks.
· WhatsApp would identify the sender and receiver of the money on the basis of the mobile number. It would communicate the mobile number to the participating bank.
· The bank would use the UPI server to identify the bank account numbers.
· Finally, the UPI interface would settle the transaction between the bank accounts.
|February 2018||(i) Beta testing
· WhatsApp starts beta testing its product in partnership with ICICI Bank.
· ICICI opens the product to a limited set of users who could in turn invite their friends to sample the service.
· NPCI restricts the testing of the digital payment service to a sample of 1 million users or 1% of WhatsApp’s total user base, whichever is lower.
(ii) The Ministry of Electronics and Information Technology (“MeitY”) sends a letter to NPCI, with a copy to the Reserve Bank of India (“RBI”), raising questions over WhatsApp not following the two-factor authentication norms laid down by RBI, in addition to expressing concerns over management of user data.
|April 2018||(i) NPCI responds to MeitY’s letter; however, MeitY is not satisfied.
(ii) WhatsApp Payments’ ‘request money’ feature goes live for limited Android beta users.
|May 2018||(i) WhatsApp owner Facebook decides to drop SBI as a partner and go ahead with the remaining three banking partners to launch the payments service.
(ii) On May 9, NPCI CEO Dilip Asbe states that NPCI has no concerns about data security on the payments platform.
(iii) Meanwhile, Paytm expresses concerns about WhatsApp Payments, alleging that Facebook-owned WhatsApp’s UPI payment platform has security risks for consumers and is not in compliance with the guidelines.
(iv) On data localisation, specifically:
· NPCI appears to be satisfied with WhatsApp’s declaration that Facebook can’t use the data for any commercial purpose. “Many group companies share the infra, so no issue on that. The main issue is what the data is used for,” said a senior NPCI executive.
· The RBI states that all payment data should reside in India.
|June 2018||(i) On the two-factor authentication issue:
· Allegations are made that WhatsApp Pay did not adhere to the NPCI’s two-factor authentication rule.
· WhatsApp responds by stating that the first factor of authentication is the mobile number while registering on the app, and the second is the UPI PIN.
· NPCI seems to be happy with the aforesaid arrangement and states that they “don’t see this as a big issue with WhatsApp Pay”.
(ii) On the data localisation issue:
· As per the company,
a. Basic data is collected during a transaction, which includes username, payment address, the receiver’s and sender’s account status, balance sufficiency etc.
b. Some of this data is retained for future reference.
c. All transaction related information is stored in an encrypted format.
d. As for debit card details, only the UPI PIN and card expiry date are taken and these are not retained.
e. The UPI PIN is encrypted by NPCI’s software.
· WhatsApp Payments clarifies that they have limited visibility on the Indian consumer’s banking details and that they strictly abide by the norms of the Reserve Bank of India on the handling of payments data.
(iii) MeitY reiterates its lack of satisfaction with NPCI’s response to the first letter and wants detailed answers on the compliance standards, etc., followed by WhatsApp Payments.
(iv) MeitY sends a second letter to the NPCI with detailed questions on how WhatsApp Payments plans to abide by laws on sharing of user data and how it would conform to the RBI’s security and privacy rules.
|July 2018||(i) MeitY is now of the opinion that if the NPCI can’t respond to the second letter satisfactorily, then it should do its own due diligence and take a call on the approval for WhatsApp Payments.
(ii) WhatsApp will have to consult with banks, the NPCI, and the RBI to resolve the matter as MeitY is not the authorising entity.
(iii) WhatsApp affirms that sensitive user data like the concluding six digits of debit cards as well as UPI PINs do not exist on its server.
(iv) NPCI has not yet disclosed by when it is likely to give its approval for the formal launch of WhatsApp Pay.
|August 2018||(i) It appears that WhatsApp’s attempts to launch its payments services in India will continue to be delayed as MeitY has stated that WhatsApp cannot launch WhatsApp Payments in India until it sets up an office and recruits a team in the country.
(ii) Additionally, the government also plans on seeking the RBI’s views on whether payments services controlled remotely can be allowed to operate in India.
[This post has been authored by Isha Jain, a third-year law student studying at Campus Law Centre, Faculty of Law, University of Delhi, with inputs from Tuhina Joshi, Associate, TRA and Nehaa Chaudhri, Policy Lead, TRA].