Audit , Finance & Banking , Governance & Risk Management
WhatsApp Pay Faces One More HurdleData Localization Compliance Must Be Achieved to Launch Service in India
WhatsApp, the messaging service owned by Facebook, says it’s ready to launch its digital payment services, WhatsApp Pay, in India following its beta test, making payments possible to anyone in a user’s contact list. But the Supreme Court says WhatsApp must comply with Reserve Bank of India’s data localization requirements before the court can make a final decision in July to approve the official launch.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Sources at WhatsApp tell Information Security Media Group that the messaging service plans to store Indian users’ data on local servers locally to meet RBI’s requirements. Plus, it has expanded its team in India.
WhatsApp’s user base is 1.5 billion, including more than 200 million in India - its single largest market, PTI reports
Meanwhile, on Tuesday, Facebook announced it’s preparing to launch its own cryptocurrency, Libra, in 2020, triggering a privacy and security backlash both in the U.S. and Europe. Lawmakers and regulators are raising concerns about the offering based on the company's poor history of protecting user data.
The Beta Test
In February 2018, WhatsApp leveraged National Payment Corporation of India's Unified Payment Interface platform to launch its beta test of a payment service that enables users to send money to other WhatsApp users, excluding merchant accounts. Almost 1 million people tested using the service to send money during the test period in a simple and secure way, which will end in July this year, according to a WhatsApp spokesperson.
"WhatsApp Payment is useful for people in their daily lives and we hope to expand the feature to all of India soon so we can contribute to the country's financial inclusion goals," the spokesperson added, speaking to IANS.
State Bank of India, ICICI Bank, HDFC Bank and Axis Bank provided infrastructure for the test.
The beta testing is complete, and the leveraging of NPCI’s UPI platform for fund transactions did not raise any integration issues, says Ashutosh Jain, CISO of Axis Bank says.
WhatsApp Pay uses two-factor authentication. Besides using UPI, which enables account holders of any bank to send and receive money from their smartphones with a single identifier, WhatsApp Pay offers options for a second factor. These include Aadhaar, a 12-digit individual identification number, serving as proof of identity and address anywhere in India; a mobile number; or a virtual payments address.
Dr. N Rajendran, NPCI’s chief technology officer, says the authentication approach for WhatsApp Pay is similar to the verification required on Google Tez, which allows users to send money to anyone with a bank account even if they don't have the app on their smartphone.
At the back end, Rajendran says, banks must connect to NPCI's UPI using their payment service provider system, which interfaces with banks' core banking systems, banks' customers, authentication systems and fraud and risk management systems. Banks can integrate UPI with their mobile banking system if they have one.
Rajendra says the biggest benefits of WhatsApp Pay for banks are single-click two-factor authentication for subsequent transactions and a universal application for transactions that leverages existing infrastructure.
WhatsApp payment can be accessed via the payments option in the settings page, Rajendran explains. Tapping on it opens the verification page, where users must furnish the mobile number linked to their bank account.
Using an application that customers download on their mobile phones, the UPI service is designed to handle WhatsApp transactions - third-party payments and sending and receiving money below Rs 1 lakh - with minimum clicks.
Rajendran suggests security practitioners focus on the security of mobile apps and APIs, saying they can leverage NPCI's library - which captures and stores customer data - to securely capture user credentials.
To leverage WhatsApp Pay, banks must implement changes in their core banking, reconciliation and authentication systems, plus develop interfaces with risk management systems, customer grievance and mobile application functions, he adds.
Complying with Data Localization
The only remaining step WhatsApp has to take so it can launch its new payment service in India is to comply with data localization requirements, says Dilip Asbe, NPCI’s CEO.
Since Oct. 15, 2018, RBI has required all payments firms to store Indians’ data locally.
The Supreme Court asked RBI to check WhatsApp’s adherence to data localization requirements before it launches the proposed payments services the country. Justices R.F. Nariman and Vineet Saran took up the issue with RBI after it received a petition from the Center for Accountability and Systemic Change claiming that WhatsApp had not fully complied with RBI’s data localization requirement.
WhatsApp told the court that it was completing some engineering work and then it would follow the data localization requirement.
“We built a system that stores payments-related data locally in India,” a WhatsApp person recently told IANS.
The Times of India reports that WhatsApp is working with a third-party company to audit its payments systems and ensure that it complies with Indian data localization rules.
In addition to data localization, WhatsApp faces the challenge of complying with the “know your customer” requirements that banks must use to facilitate any transactions, says Sriram Natarajan, COO at Quattro, a business process optimization group.
“Most importantly, WhatsApp must register as a payment provider/money transfer agent with the RBI - it’s not clear if it’s approved,” Natarajan says.
Data Localization Move Criticized
Many large tech companies, including Google, have criticized with RBI’s requirements for data localization.
“Mechanisms allowing for cross-border data flows are critical to the modern economy. Countries should adopt an integrated framework of privacy regulations, avoiding overlapping or inconsistent rules whenever possible,” Google’s chief privacy officer Keith Enright told the Economic Times.
But global payment companies, including Mastercard and Visa, say they’re making progress toward storing their data on Indians domestically and wiping out data regarding Indian transactions stored overseas.
Vikas Varma, Mastercard's senior vice president of account management for South Asia, said Mastercard is setting up a $350 million data processing center in Pune (see: Visa, Mastercard Moving Toward Data Localization).
WhatsApp Pay: A Game Changer?
Analysts say WhatsApp Pay could be a game changer, creating fierce competition for PayTm, Google Pay, Apple Pay, Amazon Pay and others.
“Indians want something they’re used to, in a language they can read and write in,” says Ram Rastogi, an architect of the UPI system in India, and a former NPCI employee and consultant for The Consultative Group to Assist the Poor (CGAP), a World Bank organization. “WhatsApp’s willingness to provide services in 13 major languages can play a vital role, taking digitization of payments even to villages.”
Rastogi of CGAP adds: “Within six months of the full launch, WhatsApp Pay can easily reach 100 million-150 million monthly transactions, a rate similar to that Google’s seen here.”