Need a more flexible AePS environment
While the Aadhaar Enabled Payment System (AePS) has emerged as the foundational technology enabling cash-in cash-out (CICO) across the country, efforts by bad actors to defraud banking customers through it continue to be a pressing concern. The Reserve Bank of India (RBI), having taken note, had issued (draft) directions to all banks and the National Payments Corporation of India (NPCI) regarding the onboarding and ongoing due diligence of AePS touchpoint operators. Among other things, the rules state that NPCI and acquiring banks must ensure that any AePS touchpoint operator is onboarded only by one acquiring bank.
The basis for this was RBI’s 2010 guidelines that did not permit customer service point operators (CSPs) to represent more than one bank at the point of customer interface. This was necessary for the context then, of limited connectivity and monitoring capabilities of banks to oversee CSPs. However, the banking environment has matured significantly. While proactive action towards fraud prevention is welcome, our field research in 2022-23 indicates that mandating exclusivity for AePS operators may reduce the effectiveness of the system in serving the last-mile customer.
Interviews with CSPs across three states indicate that transaction failures due to server downtime/failure are a very common experience. A Spice Money study last year found a 34% failure rate in AePS transactions. While NPCI publishes statistics on unscheduled downtime of AePS servers (instances where more than three lakh transactions are declined for over 30 minutes), a narrower definition and disaggregation of such incidents across geographies would help to understand the actual extent of server failure issues.
In the absence of robust data, we have established the impact of server failures/downtime on both CSPs and customers anecdotally. When a transaction fails, the customer cannot access CICO services. Customers become distressed when transactions fail after debit from their account, and there is no certainty about when the reversal will take effect. CSPs lose earnings when they must turn customers away due to servers being down and may be accused of fraud by customers. Since CSPs make great efforts to cultivate trust and good reputations within their communities, for instance, by providing services late into the night to meet customer needs, this is especially worrying for them.
To avoid these outcomes, CSPs regularly acquire licences from multiple providers. This practice has been observed by our researchers for many years now and corroborated by other stakeholders as well. Holding more than one licence allows CSPs to switch servers and access the infrastructure of a second bank when the original acquiring bank is experiencing downtime incidents. By doing so, CSPs ensure continuous availability of AePS withdrawal services to customers who approach them.
We submit that the practice of CSPs “multi-homing” makes for a more flexible AePS environment, providing user service continuity. Strictly requiring banks to prohibit this practice would prevent the benefits of flexibility and convenience from accruing to customers and CSPs. In addition to limiting flexibility, this prohibition may not be very effective in curbing fraudulent activity, considering how some bad actors among CSPs cheat customers of their money using the pretext of server failure or thumbprint mismatch. Similarly, it may be ineffective to prevent fraud incidents that emerge upstream of the AePS environment, such as mule KYCs.
It may be opportune to revisit and update the regulatory and supervisory design of the BC model, considering the technological developments and evolving needs of customers and CSPs. Today, the AePS generates copious amounts of data that can be employed for fraud-monitoring purposes. This data can also be leveraged to adopt a graded, risk-based approach towards allowing CSPs to act as non-exclusive operators that can leverage whichever bank’s servers provide them with the highest possibility of a successful transaction. For instance, operators who are regularly active, have a long history of undertaking CICO transactions in one location, do not appear in the NPCI blacklist and do not have a history of complaints from the corporate BC can be assessed by acquiring banks and/or NPCI for this permission.
Agents with a higher risk score may be disallowed from accessing the AePS servers through banks other than their original acquirer. The score may also incorporate customer feedback obtained at the point of sale. Such a system would improve fraud monitoring in addition to creating an overall more flexible and customer-friendly CICO environment.
Deepti George is the deputy executive director and head of strategy, and Aishwarya Narayan is senior research associate, Dvara Research. The views expressed are personal.