Fintech 2026

INDIA Law and Practice Contributed by: Shilpa Mankar Ahluwalia, Purva Anand and Ansh Jain, Shardul Amarchand Mangaldas & Co

12.2 Areas of Regulatory Focus

Indian regulators primarily focus on fraud affecting retail customers and the general public (such as card fraud, UPI payment fraud, fraudulent loan recoveries, unauthorised transactions) as well as fraud that has larger, system-wide implications on the banking and financial ecosystem of the country (for example, wilful defaulters, diversion of bank-borrowed funds, etc). The RBI’s constant endeavour is to monitor emerging fraudulent techniques with the objective of protecting retail consumers from them. The RBI is working with banks and enforcement agencies to strengthen transaction-monitoring systems and ensure sharing of best practices for control of mule accounts and prevention of digital frauds. The RBIH is also piloting an AI/machine learning-based model, MuleHunter.AI, to address this concern.

12.3 Responsibility for Losses

The RBI has issued directions that limit the liability of customers in cases of unauthorised electronic payment transactions involving banks and non-bank PPIs. If the unauthorised transaction results from contributory fraud or negligence/deficiency on the part of the RE, the RE bears the full liability. If the loss occurs due to the negligence of the customer, the customer is responsible for the entire loss until the unauthorised transaction is reported to the RE. Once reported, any subsequent loss is borne by the RE. In cases where the loss is due to factors beyond the control of both the RE and the customer (eg, systemic issues), the customer’s liability remains zero if they report the unauthorised transaction within three working days. Thereafter, the customer’s liability increases the longer the reporting is delayed. Typically, the RE will include contractual terms to recover such amounts from its service providers if the unauthorised transaction arises due to contributory fraud or negligence/deficiency on the part of its unregulated fintech service provider.

zens to access authenticated identity documents and certificates.

Data Layer

An account aggregator (AA) is an NBFC that facilitates the retrieval or collection of financial information pertaining to a customer from financial information providers on the basis of explicit consent of the customer. The financial information shared through the AA is not stored with the AA and is to be used solely for providing it to the customer or consenting financial information user.

11.2 Concerns Raised by Open Banking

Data protection remains the biggest concern surrounding open banking. Market players in India are generally gearing up for the DPDP Act to become effective. Banks, financial institutions, technology platforms and fintech players will need to align their existing systems and processes to comply with the detailed consent architecture prescribed in the DPDP Act and with the restrictions on the use, processing and storage of data that are mandated by the DPDP Act.

With the expansion of digital payments, fraudulent transactions through compromised credentials, identity theft and phishing attacks have been on the rise in India. A typical fraud involves the perpetrator of fraud getting illegal access to a card, UPI pins or other payment credentials (such as illegal tapping on unsecured internet networks, phishing attacks, spam and fraudulent calls to retrieve sensitive payment credentials such as card numbers, PINs, OTPs and passwords) and then using them to make payment transactions. Financial regulators are quick to react and introduce regulatory measures to protect customers. For example, in light of increasing card frauds, the RBI introduced guidelines on storage of customer card data and a tokenisation framework to control such fraudulent transactions.

12. Fraud

12.1 Elements of Fraud
