Relaxing two factor authentication for both card present and card-not present transactions below a certain specified amount is a major policy development
On 29 February 2016, India’s finance ministry said in its office memorandum titled Promotion of Payments through Cards and Digital Means that the “Department of Financial Services/RBI shall relax Two Factor Authentication for both card present and card not present transactions below a certain specified amount. DFS/RBI shall work out a multi-tiered authentication framework for low, medium and high value transactions.” This is a major policy development which, when coupled with the National Payment Corporation of India’s (NPCI) Unified Payment Interface (UPI) system—to be launched at the hands of the RBI Governor on 8 April 2016—has the potential to revolutionize mobile payments in India.
Authentication is about verifying that you are who you say you are. What is 2 factor authentication (2FA)? 2FA means using any two out of the following factors of authentication:
• Possession factor: what you have (example SIM card)
• Inherence factor: what you are (example fingerprint)
• Knowledge factor: what you know (example passwords)
Now, for most mobile phone customers in India, 2FA is either expensive or inconvenient or both. As per the Ericsson Mobility Report India, June 2015: smartphones made up only 15% of mobile phone subscriptions in 2014, and the report projects that by 2020 this number will reach 55%. Because of network effects, it will be more convenient for everyone if mobile payments work on both basic mobile phones and smartphones. A scenario in which a vegetable vendor can receive payments only from those with smartphones, but cannot pay her own supplier through a basic mobile handset, cannot be considered convenient.
In the case of basic mobile phones, the deployment of apps is a major challenge. In Kenya, Safaricom does a SIM swap for an M-Pesa customer, wherein the app is on the new SIM. This can be a huge challenge when addressing hundreds of millions of customers in India across a multitude of telecom operators. In Tanzania, Vodacom uses Unstructured Supplementary Service Data (USSD) technology; however, USSD generally has a poorer user interface and is generally not considered a success in India’s mobile payments space. (USSD is commonly used on prepaid GSM phones to query the available balance.)
2FA is difficult to achieve on a basic handset: the hardware does not support the inherence factor (for example, fingerprint authentication), and the knowledge factor presents huge challenges when attempted at a scale of hundreds of millions, necessitating distribution of passwords through post/courier and a password-reset process. Moreover, passwords slow down the user experience—especially when there is no access to mobile internet, as is often the case with basic mobile handsets.
Thus, a requirement of 2 factor authentication makes mobile payments either expensive or inconvenient or both expensive and inconvenient.
Consider single factor authentication (1FA). It is conceptually easy for a system to authenticate the mobile number (MSISDN) from which a request originates (additional steps could be required to strengthen this mobile number authentication). Caller ID is the simplest manual way of doing just that; it is possession factor authentication.
Now, coupled with the soon to be rolled-out NPCI UPI system, it will be possible to make payments based on just the payee’s mobile number and the amount. That is because a centralized directory will map the payee’s mobile number to her bank account and then use existing NPCI products like IMPS to effect the payment. This will make mobile payments inter-operable without asking the payer for excess information.
(Note: NPCI UPI can work with multi-factor authentication method too.)
For mobile payments, we need to seek a suitable three-way compromise between security, convenience and cost. 1FA instead of 2FA in the case of small payments seems like a reasonable compromise in security for the sake of greater convenience. And one way to address the lower security in 1FA would be for the bank to buy fraud insurance cover to protect itself and its customer. This will undoubtedly raise the cost but as long as fraud analytics is used for early detection, the cost can be managed—as the insurer ought to charge a lower fraud insurance premium if the loss can be limited quickly. A fraud insurance cover will also address a significant reason for non-adoption of mobile payments by the customers. Without fraud insurance and early detection of fraud, the regulator may have valid concerns related to systemic risk due to small payments.
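The tiered framework the memorandum calls for, and the early-detection idea above, can be sketched as one small authorization routine. The following is an added example, not code from the finance ministry, RBI or NPCI: the rupee thresholds, the daily single-factor cap, the payee directory entries and the policy for high-value card-not-present payments are all assumptions chosen for illustration. It resolves the payee’s mobile number to an account (the UPI-style mapping), works out how many factors the amount and channel require, and, on the single-factor path, caps the cumulative daily spend per payer so that the loss from a compromised phone number stays bounded before a second factor is demanded.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tier thresholds in rupees. Constructed placeholder values; the memorandum
# speaks only of "a certain specified amount" without fixing it.
LOW_VALUE_LIMIT = 2_000
MEDIUM_VALUE_LIMIT = 25_000

# Constructed daily cap on cumulative single-factor spend per payer MSISDN.
# This is the "limit the loss quickly" control the fraud insurer cares about.
DAILY_1FA_CAP = 5_000

VALID_FACTORS = frozenset({"possession", "inherence", "knowledge"})

# Constructed stand-in for the central directory that maps a payee's mobile
# number to a bank account (hypothetical MSISDNs and account identifiers).
PAYEE_DIRECTORY = {
    "919800000001": "BANKA/000111222",
    "919800000002": "BANKB/000333444",
}


@dataclass(frozen=True)
class PaymentRequest:
    payer_msisdn: str
    payee_msisdn: str
    amount: int            # rupees
    card_present: bool
    factors: frozenset     # factors the payer actually presented


def tier_for(amount: int) -> str:
    """Classify an amount into the low/medium/high tiers (assumed limits)."""
    if amount <= LOW_VALUE_LIMIT:
        return "low"
    if amount <= MEDIUM_VALUE_LIMIT:
        return "medium"
    return "high"


def required_factors(amount: int) -> int:
    """Constructed policy: one factor for low value, two otherwise."""
    return 1 if tier_for(amount) == "low" else 2


class PaymentAuthorizer:
    def __init__(self):
        # Cumulative single-factor spend per payer for the current day.
        # In-memory for the example; a real ledger would be keyed by date.
        self._spent_1fa = defaultdict(int)

    def authorize(self, req: PaymentRequest) -> tuple:
        """Return (decision, reason); decision is approve, step_up or decline."""
        if req.amount <= 0:
            return "decline", "amount must be positive"

        account = PAYEE_DIRECTORY.get(req.payee_msisdn)
        if account is None:
            return "decline", "payee mobile number not registered"

        # Ignore anything that is not a recognised factor name.
        presented = req.factors & VALID_FACTORS
        needed = required_factors(req.amount)
        if len(presented) < needed:
            return "step_up", f"{needed} factor(s) required, {len(presented)} presented"

        # Assumed rule: a high-value card-not-present payment must carry a
        # factor other than possession, since possession alone is exactly
        # what a lost handset or SIM swap defeats.
        if (tier_for(req.amount) == "high" and not req.card_present
                and presented <= {"possession"}):
            return "step_up", "high-value card-not-present payment needs a non-possession factor"

        if len(presented) == 1:
            # Single-factor path: enforce the velocity cap before approving.
            projected = self._spent_1fa[req.payer_msisdn] + req.amount
            if projected > DAILY_1FA_CAP:
                return "step_up", "daily single-factor cap reached; present a second factor"
            self._spent_1fa[req.payer_msisdn] = projected

        return "approve", f"credit {account}"


if __name__ == "__main__":
    auth = PaymentAuthorizer()
    small = PaymentRequest("919800000009", "919800000001", 500, False,
                           frozenset({"possession"}))
    print(auth.authorize(small))
```

The step_up outcome is the useful one for a defender: rather than declining outright, the system asks for a second factor only when the amount, the channel or the accumulated exposure crosses a threshold, which is what keeps small payments cheap and convenient while bounding the insurer's worst case.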
A truly competitive mobile payments solution—at least in the case of small payments—ought not to have costs for the customer. This is because there are neither explicit nor implicit costs in using currency notes for small payments. In response to an RTI query, the RBI has said that it costs Rs 1.79 to produce a Rs 100 currency note. This cost is not borne by the user of the currency note. It is quite convenient to carry a Rs 1,000 note or Rs 500 note in the pocket. On the other hand, there are significant implicit costs in carrying large amounts in the form of currency notes. Additionally, there are supply-chain related costs during the life of a currency note, followed by end-of-life disposal costs. There is a strong case for a transaction amount based multi-tiered tariff structure with zero tariff for small payments. Otherwise, mobile payments would remain largely limited to remittances.
1FA for small payments, combined with the soon-to-be launched Unified Payment Interface system, presents a great opportunity for adoption of mobile payments beyond just remittances. It can make financial inclusion a reality by negating the need to convert to currency notes (through bank branches/ATMs/micro-ATMs)—something that could come to be seen as a wasteful exercise in the future. And the digital trail left by mobile payments can drive future innovations, including the design of new financial products. Mobile payments can facilitate the delivery of these new as well as existing financial products. This, in turn, can power financial inclusion.
What may still go wrong? Poor quality of service by the telecom networks can render policy changes and product innovations ineffective!