Banks’ hesitancy to fix something that isn't broken is one of the key reasons why the lenders are not moving away from the popular one-time password (OTP)-led second-factor authentication (2FA), despite the regulatory nudges over the last six months.
The most popular 2FA, or AFA (additional factor authentication) in regulatory parlance, is the OTP (one-time password), which has been in vogue for more than a decade and a half. Now, RBI wants to move away from OTPs as more secure technologies have emerged over the last decade. The central bank first spoke on AFA in February this year and followed up with a draft framework in July, asking banks to consider the proposal.
In India, OTPs are the popular way in which banks do 2FA for debit card and credit card payments for online transactions, where a card is not present. 2FA is a regulatory requirement for online payments, where the first factor of identification is the card CVV.
For offline transactions where a card is present at Point of Sale (PoS) machines, only the customer’s chosen PIN (personal identification number) is required for verifying payments.
“‘If it ain't broke, don't fix it’ is the maxim banks took regarding AFA for digital payments. The problem here is that for anything related to UPI, the National Payments Corporation of India (NPCI) acts as the implementer and pushes through the changes. Here each and every bank has to individually push for this,” said a fintech consultant, who has worked with banks’ digital teams in the past.
The possible solutions
A little-known small startup called Minkasu Pay based in Silicon Valley, California, is possibly at the centre of the Indian banking sector’s move away from the popular OTP method.
Since February, its founder and CEO Anbu Gounder has been fielding calls from prospective clients from payment gateways to banks to merchants from India, more than the startup and its 16-member team can handle.
The company provides a device biometric authentication solution as an alternative to OTPs, which can be integrated by the merchants in their apps. However, this solution is enabled only for net banking as of now as the banks have not activated this for card transactions. The company is looking to raise $15 million from venture capital funds to address the growing customer demand.
Net banking is not a popular method for payments, and the recent regulatory diktats on moving away from OTP are for card payments. Minkasu powers biometric solutions for a few merchants such as Makemytrip, JioMart, Ixigo, Paytm Money, Tata Cliq and FirstCry among others. It also has partnerships with ICICI Bank and Axis Bank.
In 5 percent of cases, the OTP message does not arrive, and the abandoned transaction is a loss to the merchant. Since a large part of such online transactions (more than 80 percent) happen through mobile phones, biometrics can be a realistic solution in the medium term.
“When RBI introduced 2FA, banks were given the option to choose their preferred method. OTPs were the easiest and cheapest solution then. However, the technology has advanced much but banks are sticking with what worked well for them. But merchants want newer solutions and change is likely to be driven by them and the regulator,” says Gounder, who started Minkasu more than seven years ago.
The liability gap
While biometrics is one of the key solutions that banks are exploring, the implementation poses multiple legal and compliance challenges for banks.
At the merchant payment page, instead of an OTP, the customers are given the option to enter their biometrics.
To implement the fingerprint biometric solution, the merchants need to install a software development kit (SDK). This raises a new concern for most banks as the authentication is done at the merchant website using a customer device identification.
Whenever a new solution is implemented, the liability issue needs to be addressed. For instance, in case of monetary loss to customers because of a payment failure or fraud, who is liable to cover the customer’s loss, especially if the failure happens because of an error or bug in the implementation at the merchant’s end? In the existing framework, the policies are clear that banks are responsible.
“When you adopt a new authentication solution, the main concern for the ecosystem partners is who is liable in case of monetary loss to the customers. That is why this has not taken off yet,” says Suresh Rajagopalan, CEO of Wibmo. The company is part of the payments firm PayU.
For card payments, the second-factor authentication is performed by an Access Control Server (ACS). Wibmo is the leading provider of ACS solutions, with close to 80 percent market share and a deep relationship with banks built over the years.
A digital head of a mid-size private sector bank that is exploring alternative solutions said that while the technology and business divisions have given the green signal to the new solution, the compliance and legal teams have not.
“They need to be convinced that it aligns well with the bank’s legal requirement to protect customer funds and from fraud. It should also align with the regulatory requirement and not be prone to any loopholes or frauds, and even detecting and flagging suspicious transactions,” the digital head said.
The challenges
Some of the existing biometric solutions require customers to have the card-issuing bank app on their phones. Most active credit card users in the country have multiple cards and the customers likely will not have all the bank apps on their phones for authenticating a card transaction. This is one of the reasons why banks and merchants are not keen on such solutions.
To be sure, even Microsoft Authenticator requires enterprise customers to have a separate authenticator app.
Wibmo launched a merchant-side and bank-side biometric authentication solution in partnership with a few merchants and South Indian Bank at this year's Global Fintech Festival event last week. This does not require the customer to have the card-issuing bank app. However, several banks are yet to adopt this.
Similarly, Minkasu Pay has partnered with M2P, a banking software company, to integrate its biometric solution with the latter's ACS. Several banks such as Federal Bank, IndusInd Bank and Kotak Bank have implemented this but still are in the pilot stages for a few of their cards.
While Wibmo is understood to have held discussions with Minkasu Pay for partnership, those have not been concluded yet.
“We have all types of solutions if the requirement arises and banks are ready. These solutions require everyone from banks to merchants to rearchitect how the transactions are done. While the process is starting now, this is going to be a long journey. The customer redressal mechanism will have to change in case of a dispute. Banks are conservative,” adds Rajagopalan of Wibmo.
Getting thousands of merchants and banks to integrate a new SDK at the payment page is going to be a long-drawn effort.
Wibmo is also working with a couple of private-sector banks to implement risk-based authentication on a real-time basis. For instance, if a payment is considered unusual, the banks don't process such transactions. However, this is not widely deployed yet as the model is yet to become fool-proof and needs a lot more data and Artificial Intelligence to work better.
“This is difficult to implement and has to go live with a lot of merchants. There is a huge cost involved in compliance and legal norms to implement this for banks. It takes a lot of effort and time as well with no monetary benefits for the banks. RBI’s nudges will not work. It will have to direct banks to implement with a strict deadline,” says the head of cards at a large private sector bank.
Another challenge with biometric solutions is that this is not universal as the transaction needs to happen on a customer's smartphone. If the customer is using a desktop website, the customer cannot authenticate the transaction using a fingerprint.
“This means that multiple systems need to coexist, which is a drag for banks as well as merchants,” says the fintech consultant quoted above.
UPI has no OTP
Interestingly, the country’s most popular digital payment method, UPI, does not use OTP as 2FA. It uses device binding as the first factor and customer PIN as the second factor. However, unlike OTPs, this is not dynamic.
Since customers need their mobile phone to enter the PIN, it works like a card-present transaction, if one draws a parallel to card payments.
Even NPCI is considering a biometric solution for authentication instead of PIN as the chances of a static PIN being stolen are higher and biometrics is considered a safer option.
Meanwhile, other options such as risk-based authentication and behavioural analytics are also being considered by the banks. However, most banks use these tools today to trigger an alert to customers for making payments that vary from their regular payment locations or patterns, rather than for processing payments.
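As an added illustration of the risk-based authentication the article refers to (not Wibmo's, a bank's or any vendor's code), the sketch below scores a card-not-present payment against a customer's regular locations, bound devices and amounts, and routes it either to an alert alongside the usual OTP (the current practice described above) or to a step-up or decline decision. The profile fields, weights and thresholds are assumptions chosen for the example.

```python
"""Risk-based step-up decision for a card-not-present payment.

Added illustration only. Profile fields, weights, thresholds and the
otp / step-up / decline actions are assumptions, not any bank's policy.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    cities: set      # cities the customer regularly pays from
    devices: set     # device identifiers bound to the customer
    amounts: list    # recent transaction amounts in INR


@dataclass
class Payment:
    city: str
    device_id: str
    amount: float
    hour: int        # local hour of day, 0-23


def risk_score(profile: Profile, p: Payment) -> int:
    """Sum weighted deviations from the customer's regular pattern."""
    score = 0
    if p.city not in profile.cities:
        score += 40                          # unusual payment location
    if p.device_id not in profile.devices:
        score += 30                          # device not bound to customer
    mu, sd = mean(profile.amounts), pstdev(profile.amounts) or 1.0
    if p.amount > mu + 3 * sd:
        score += 30                          # amount far above the norm
    if p.hour < 5:
        score += 10                          # odd-hour transaction
    return score


def decide(profile: Profile, p: Payment, alert_only: bool = False) -> str:
    """Map the score to an action.

    alert_only=True mirrors today's practice: flag the customer but still
    run the regular OTP. alert_only=False uses the score to step up or
    decline the payment instead of processing it.
    """
    score = risk_score(profile, p)
    if alert_only:
        return "alert+otp" if score >= 40 else "otp"
    if score >= 70:
        return "decline"       # unusual payment is not processed
    if score >= 40:
        return "step-up"       # stronger factor, e.g. device biometric
    return "otp"
```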