NPCI unveils norms for banks to compensate AePS fraud victims
The new NPCI guideline mandates the bank to reimburse the customer within three days
The National Payments Corporation of India (NPCI) has introduced detailed guidelines for banks to redress frauds perpetrated on customers and merchants where a misuse of, or an error in, biometric data or UIDAI seeding on the Aadhaar Enabled Payment System (AePS) has led to a loss of funds.
As per AePS fraud liability guidelines, introduced formally from September 1, NPCI has issued new rules for acquiring and issuing banks on responsibilities to deal with such fraudulent transactions that cause monetary losses for customers and to reimburse them.
During the course of the Covid-19 pandemic, several cases of fraud were reported in Jharkhand and Tamil Nadu in the direct benefit transfers (DBT) where government welfare funds meant for underprivileged beneficiaries were allegedly siphoned off using the AePS.
ET has seen a copy of the enabling circular issued to all banks. The guidelines have been in the making for over two years. NPCI and AePS member banks agreed in February 2019 to formalize such a standard. The final decision to implement the fraud liability guidelines was taken in an NPCI steering committee meeting in July 2021.
The issuing bank must notify within five days when a customer registers a complaint along with an investigation report. NPCI will then give the acquirer bank 10 days to make their submission where they will have to contend that the liability of fraud is not at their end, the circular said.
If the acquirer is unable to do so, the new NPCI guideline mandates the bank to reimburse the customer within three days. The submission of the acquirer bank will be scrutinised by the issuer bank too, the circular said.
The bank that acquired the merchant or whose device has been used is the acquirer bank. The issuer is the bank in which the user holds her deposit and links Aadhaar AePS transactions. These guidelines are
NPCI joins advisory board of PCI Security Standards Council:
The National Payments Corporation of India has been appointed on the board of advisors at PCI Security Standards Council for the year 2021-2022. The board represents the Council’s Participating Organisation from across the globe to ensure global industry involvement in the development of PCI standards and programmes.
The board comprises other members like Ingenico, Amazon, PayPal, Barclays, Citigroup, Stripe, Square and other large payment players from across the world.
While the board has an advisory role, the body derives technical standards and processes from each of these companies, who bring their experience from different countries into developing common payment standards for all.
This is the second time NPCI has joined the board of advisors.
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches.
“We depend on the guidance and input provided by our advisors to understand and address the new challenges and new technologies facing payment security. The PCI SSC solicits and incorporates feedback from the entire payment ecosystem including merchants, vendors, payment processors, financial institutions, trade associations and FinTechs,” said Lance J. Johnson, Executive Director, PCI SSC.
NPCI secures PCI DSS compliance certification
The validation makes NPCI the first company in the BFSI sector to receive the compliance certificate.
PCI DSS aims to improve the security of card transactions through a set of policies, and helps to safeguard the transmission and storage of payment card data.
Principles of PCI DSS can be applied to diverse environments where cardholders’ data is processed, stored, or transmitted including e-commerce, mobile acceptance, and cloud computing.
NPCI MD and CEO A P Hota said: “User information data transmitted through cards are highly sensitive and hence we keep our entire infrastructure secure and upgraded. All member banks can trust NPCI with their sensitive payment card information and also get their payment platform certified on PCI DSS. Aligning security programs with the updated standards helps us in continual identification of threats and vulnerabilities that could have potential adverse impact.”