Recent events can be the tipping point that changes the way we look at payments players and the world they operate in.
The occurrence of what we shall call the Truecaller incident is grabbing everybody’s attention and headlines for two main reasons:
Truecaller is a ubiquitous app. It was on everyone’s phone and well used and abused.
The bug drove a wedge in one of the most trusted pieces of public infrastructure in India today: UPI.
outrage over the bug was not dissimilar to being cheated by the neighbourhood’s
A face that everyone loved and a ‘betrayal’ that no one saw coming.
Tuesday morning, some Android users of the app in India saw that the Truecaller
app had sent an encrypted SMS from their phones to an unknown number, following
which ICICI Bank sent an SMS that read, “Your registration for UPI app has
action skips the first two of three steps of the UPI registration process:
selecting the bank account and manually providing UPI consent.
And that’s the core
of the outrage: that a UPI account was created by Truecaller without the
UPI players such as
Truecaller are categorised as Third Party Apps by the NPCI (National Payments
Corporation of India). These Apps form the last mile customer interaction layer
of the UPI system.
And are currently
Let’s be clear: this
is in no way specific to the UPI system.
The Reserve Bank of
India has traditionally only regulated entities that hold funds/value, be it
banks, NBFCs or wallets.
Entities such as
Payment Gateways and Third Party UPI Apps only serve as an interaction layer
that complies with the protocol provided by the bank integration and the UPI
And this makes sense, because in the case of the Truecaller incident, the checks required to ensure that this lapse in operations did not occur needed to have come from within Truecaller itself.
The incident didn’t entail a public movement of funds (loans, misselling etc.); in fact, not a rupee moved during this process. And as the root issue was a software release, not a policy decision or communication, it is something that the RBI could not have reviewed or effectively governed in any way.
An incident like this can only be checked by strong internal audits and the checks and balances of self-governance.
Given the growing
position of such last mile payments interaction companies, it is becoming
evident that such companies will soon come within the radar of the regulator,
an eventuality worth embracing.
But ensuring that such regulation is rendered effective while retaining customer trust in these extremely vital systems can only be achieved by the payments ecosystem itself.
standards of vigilance in self-governance is the only way forward, to ensure
that the payment companies are able to create solutions that address the
concerns of the regulator while serving the public in the interest of the