As the adoption of digital payments in the country grows, security and safety of these platforms interacting with sensitive financial information of a user become imperative. However, a number of these services, in their terms and conditions necessary to use the apps, have indemnified themselves of responsibility arising out of a cyberattack. The Indian Express studied the terms and conditions of six digital payments platforms — BHIM UPI, Paytm, MobiKwik, Google Tez, Jio Money and Airtel Money — to analyse how these companies have secured themselves against the future loss that their user might face due to an event beyond his/her control.
To begin with, by accepting the terms and conditions of service, the consumer using any of the aforementioned six apps agrees to the condition that the platform doesn’t warrant an uninterrupted and error-free service. In a competitive market like India, while it is in the best interest of the company to provide efficient services, they have indemnified themselves of any liability by putting these clauses in the terms of service.
Paytm, BHIM and Jio Money, in their terms, say that they do not warrant that their app or website will be free from viruses or defects. “No warranty is given that products/services or any data/content are free from any computer virus or other malicious, destructive or corrupting code, agent, program or macros,” Paytm Payments Bank, which operates the wallet, says.
One97 Communications Ltd, which is a key shareholder in Paytm Payments Bank, says in its terms: “One97 uses 128-bit encryption by Verisign for security and follows PCI DSS (payment card industry data security standard) mandated by the card association networks and administered by the Payment Card Industry Security Standards Council. However, One97 cannot, and does not, guarantee that the information in transit may not be altered or intercepted or accessed by others and decrypted.” Paytm is the flagship brand of One97, in which Chinese company Alibaba has a significant investment.
Similarly, BHIM app, which is run by the National Payments Corporation of India, says: “No warranty is provided that the app will be free from defects or virus or that operation of the app will be uninterrupted. Use of the app by the user is at the user’s own discretion and risk and the user is solely responsible for any damage resulting from the use of the app”. Reliance Payment Solutions Ltd (RPSL) says: “RPSL also does not warrant that any links that may be accessible or any files available for downloading through the Website or mobile app will be free of viruses, worms or other code that may be damaging”.
Both Paytm Payments Bank and RPSL have said that they will not be liable if any transaction does not fructify in case of a Force Majeure event. Notably, both these entities have listed “breach, or virus in the processes” or payment or delivery mechanism as Force Majeure events.
Paytm spokesperson declined to comment. E-mails sent to Jio and NPCI went unanswered. Furthermore, in the terms and conditions of their services, these companies have also laid down the cap beyond which they are not liable, something which the customers agree to once they start using the services. In case of Google Tez, the “total cumulative liability” cannot exceed “the net fees Google has actually received and retained from your valid transactions during the three month period immediately preceding the date of the claim”. Google did not respond to a request for comment.
Explaining the functionality of Tez, a Google India official said that the app was only an intermediary in a given transaction and that the transaction was conducted at the bank’s end. Google itself has tied up with four banks to offer UPI services on Tez. “Banks have their own grievance mechanisms in place in case a transaction fails, which is why the liability that Tez would bear is limited,” the official said.
Similarly, RPSL’s total cumulative liability cannot exceed “value of transaction under dispute”. Paytm and MobiKwik both have put a number to their maximum liabilities in their terms of service. “Notwithstanding anything stated under this Agreement, the aggregate liability of PPBL (Paytm Payments Bank) from any and all causes whatsoever shall not in any and all events in the aggregate exceed the sum equivalent to the preceding INR5,000/-,” Paytm Payments Bank says.
Prepaid wallet firm MobiKwik, on the other hand, says in its terms and conditions: “Your sole and exclusive remedy for any dispute with us is the suspension of your MobiKwik account. In no event shall our total cumulative liability to you for any and all claims relating to or arising out of your use of the Website, regardless of the form of action, exceed INR 1000 /- (Indian Rupees [ONE THOUSAND] only)”.
MobiKwik co-founder and director Upasana Taku, in response to a query by The Indian Express, said: “We are a responsible financial services brand. We take responsibility of any loss of money that happens to our wallet users in case it is found out that the same is a result of a malfunction or cyber-attack at our end.”
“MobiKwik understands the importance of maintaining high levels of security standards & puts this at the centre of all user interactions on the platform. Mobikwik is PCI-DSS and ISO27001 certified, and it follows all information security guidelines laid down by the regulators and the Indian government. For us, security is not just a state; it’s a process which is applied in every new feature upgrade or in case of any new product development. MobiKwik’s consumer complaint rate is less than 0.0001 per cent, as our security team works round the clock in identifying and resolving frauds,” she added.
Airtel Money’s terms and conditions say: “The Customer agree to indemnify, defend and hold the Bank and/or related parties harmless from any and all claims, losses, damages, and liabilities, costs and expenses, including and without limitation legal fees and expenses, arising out of or related to the use or misuse of the Airtel Money Services, any violation of these Terms and Conditions, or any breach of the representations, warranties, and covenants”.
An Airtel official said that the company deploys world-class security solutions but declined any further comment on the issue.
The monthly volumes of a non-cash mode of payments have nearly doubled to 1.1 billion in February 2018, when compared with 671 million in November 2016. This growth has come on the back of a large number of peer-to-peer transactions that started happening in the aftermath of demonetisation. As more users adopt digital payments, experts have time and again called for setting up of an independent digital payments regulator. In the Union Budget for 2017-18, Finance Minister Arun Jaitley had announced setting up of a Payments Regulatory Board under the Reserve Bank of India, which replaced the existing Board of Regulation and Supervision of Payment and Settlement Systems.