Indian fintech is fast, furious — and fraudulent?

FIRST, Paytm was asked to freeze its banking business, a crackdown so severe that India’s pioneering digital payments firm bled out nearly 60% of its market value in two weeks. Then came the regulatory diktat to Visa, Inc. The network was told to halt the use of its business cards for commercial payments where a fintech is in the middle. And now, media reports suggest that more nonbank intermediaries may expect a rap on the knuckles. Just what has made the Reserve Bank of India (RBI) so cranky all of a sudden?

The answer to that question may lie in the cloud. Or, to be more precise, in cloud computing.

The growth of neo-banking is courtesy of Amazon Web Services, which has allowed the world’s most-populous nation to move very large numbers of small payments instantaneously. However, fast and furious has also created more room for fraud in a country where documentation has always been patchy. Even “Aadhaar,” the biometrics-based unique number and card through which Indians are supposed to establish who they are, is not to be relied upon as proof of date of birth, the manager of the world’s largest identity project said recently.

Know-your-customer, or KYC, regulations aren’t easy anywhere. But fintech adoption in India has done more than just open the floodgates to financial inclusion. The cloud has added complexity — and risk — to the landscape. Three years ago, Sunny Leone, a Bollywood actress, was scammed by someone using only her name and her tax identity number to take out a $27 ghost loan that ended up spoiling her credit score. All other data, including her address, phone number, e-mail, date of birth, and bank account, were fake, according to a report by The Ken, a news website.

If individual KYC is this sketchy, the process of onboarding businesses isn’t ironclad, either. It used to be that only large retailers accepted online payments, as cards were too expensive for small players. But now more than 50 million merchants accept QR code-based settlements over a ubiquitous smartphone-based protocol known as Unified Payments Interface (UPI). UPI logged more than 100 billion transactions last year, among the fastest-growing account-to-account systems alongside Brazil’s PIX, a later entrant.

But who exactly are the merchants that are accepting money online? What fintech intermediaries have done is something innovative. They have established virtual addresses — such as “amazon@pockets” — as legitimate payees. However, the regulator will have a problem if the bank account linked to that ID has been opened by Ckjxh Fiddbh, which doesn’t appear to be a genuine name. (The example, though, is real. I have borrowed it from security researcher Karan Saini’s investigative work last year.)

Fintech firms that give apps to consumers and QR codes to merchants ensure speed by putting their computing operations in the cloud, where activity can be scaled up quickly without having to invest in on-premise servers. However, at the two bookends of any transaction, there are deposit-taking institutions, one for the payer to send money and the other for the payee to receive the funds. They’re trying to cope with the surge in volumes with core banking software running on IBM mainframe computers.

This two-speed system doesn’t work when traditional players have to handle a huge number of small debits quickly. Which is why, for merchant payments, the likes of Paytm maintain so-called nodal accounts with depository institutions. Banks manage the pressure on their infrastructure by recording debits only when customers load their wallets, and not every time they use their apps at a shop.

Think of the nodal accounts as shock absorbers, says Bengaluru-based fintech consultant Anand Venkatanarayanan. They process payments in real time in the cloud, and hand them to the merchants’ bank accounts — over the core banking system — in a day or two. But in this system, authorities are bound to have niggling doubts about who is passing money to whom behind a node. The merchant’s KYC approval means very little. It is this discomfort that’s visible in the RBI’s recent action. While freezing fresh credits into Paytm Payments Bank accounts for “persistent non-compliances and continued material supervisory concerns,” the regulator mandated that the bank terminate the nodal accounts of One 97 Communications Ltd., the publicly traded entity, and Paytm Payments Services Ltd., a subsidiary, “at the earliest.”

As a senior payments-industry professional in Mumbai explained to me, the RBI’s concerns with corporate credit cards may be similar. Why would any merchant pay a 1% fee to a fintech to move its card balance to its bank account, unless they are unauthorized lenders, flipping the money over to a borrower who has agreed to pay 2%? Mind you, the actual activity that’s being financed may not be illegal: In a rapidly digitizing economy, a lot of e-commerce inventory needs storage. Walmart, Inc.-owned Flipkart and Amazon.com, Inc. aren’t allowed by Indian law to carry their own stock. But someone has to.

Yet, even innocuous supply-chain financing is risky when it hides in the dark. With the formal banking system facing a liquidity shortage, the monetary authority may not be comfortable with loans in the economy rising faster than deposits.

The RBI has tried to license nodal-account operators as payment aggregators, so it can have oversight on these fintech firms. Still, no matter what it does, the regulator may always find itself a little out of touch.

Three fundamental sources of infirmity need fixing. First, the know-your-customer process needs a more solid underpinning: If Aadhaar is here to stay, it must be made credible and secure. Second, 40% of payments are digital, but they have their origin and destination in a banking system that earns very little from it. Since most UPI transactions are free, traditional lenders have little incentive to shorten their technology-upgrade cycle. Third, the National Payments Corp. of India, which runs the UPI, is a monopoly. What is fast and furious will inevitably be more than a little fraudulent as long as the country’s preferred system for moving money online is devoid of fair charges — and free from competition.

BLOOMBERG OPINION