In the first four months of 2024, Rs. 1,750 crore has been lost to cyber criminals. Victims are being targeted using online investment and trading scams, fake digital arrests, and OTP forwards, amongst others. During its annual conference in January, the Indian Cybercrime Coordination Centre (I4C, Ministry of Home Affairs) reported that while some proportion of the amount that has been defrauded by scamsters since April 2021 was “blocked due to prompt government initiatives”, only 9-10 per cent of the same has been returned to the victims.
With many Indians being first-time digital payment users, susceptibility to scams, combined with the unpredictability in the recovery of defrauded funds, can lead to a loss of trust in digital interfaces. This situation is counterproductive to the policymakers’ goal of encouraging more digital transactions, especially through payment systems like the Unified Payment Interface (UPI).
Legal liability and compensatory frameworks exist in India for unauthorised electronic transactions. However, the modus operandi in many common scams involves users being manipulated into authorising transactions. Technically, these transactions are authorised by users themselves, even though they did not intend to transact with a scamster. This places such transactions outside the perimeter of any existing legal liability or compensation frameworks. In July 2023, a Standing Committee on Finance’s report on the Rising Incidence of Cyber/White Collar Crimes mentioned an “automatic compensation” that may be used to “immediately compensate the hapless customer, pending further investigation and final traceability of funds”.
This recommendation is a good starting point for conceptualising a framework for the apportionment of liability for different ecosystem entities that can limit user losses and improve investments in prevention and detection systems by banks, TPAPs (third party application providers), and other participants.
Investigations into fraudulent transactions can be long-winded, and there is no assurance that victims will receive their lost funds. A fair and clear legal liability framework for fraudulent transactions could ensure protection and adequate compensation to victims, while investigative action continues in tandem. For such a framework, certain questions must be debated: Who is responsible for permitting the scam attempt? Did the victim take adequate steps to avoid falling prey? What are the limitations to the compensation being offered? We discuss these below.
Key Issues
Discerning eligible and authentic complaints for compensation: It is important to identify whether users may have directly or indirectly authorised a transaction, whether the entity to whom the money was transferred was the intended entity, and whether scamsters exploited a previously unknown system-level vulnerability to perpetrate the fraud.
Laying out standardised criteria to determine eligible complaints can streamline the process flow while also reducing the chance of nefarious actors gaming the system’s response mechanisms. Centralised fraud analytics and intelligence systems that are linked in real-time to existing fraud databases can play a critical role in establishing the authenticity of incoming complaints, given their capabilities in triangulating information.
Establishing that the user was not negligent: A minimum standard of caution may be considered when assessing users’ negligence as part of a fraud attempt. This means that a complaint can become eligible for automatic compensation only after being subjected to certain checks against negligence on the complainant’s part. These standards may include checking whether the users had acted as per warnings and cautions issued by their banks, UPI apps or the NPCI and RBI, whether they promptly reported any fraudulent incidents to banks or relevant stakeholders, and whether they responded appropriately and reasonably to information requests from banks, TPAPs, and law-enforcement agencies to aid in compensation and investigation processes.
Determining liability for the compensation through a prescribed procedure: The responsibility for executing the compensation process can rest with the transaction participants, such as the issuer bank, the acquirer bank, and/or the TPAPs. The designated entity can be required to determine whether the flagged transaction involved social engineering fraud, whether the complaint can be considered authentic, and whether the user adhered to the set caution standards.
There are several other dimensions to consider for such a compensation mechanism. The compensation offered to fraud victims would need to have an upper cap, which could be determined by a committee comprising representatives from the government, industry, and civil society. Similarly, assessing a user’s eligibility for compensation using established caution standards can only occur after it has been established that banks and TPAPs have implemented the necessary measures that will allow users to uphold the caution standards. To effectively apportion liability, factors such as weak execution of KYC norms, non-flagging of suspicious accounts to users, or poor cybersecurity standards may be considered as starting points.
The UK’s Authorised Push Payment (APP) Scam Reimbursement Policy is set to come into effect in October 2024. Some dimensions, such as exceptions to be made for socially vulnerable users, upper limits for compensation and liability apportionment amongst system participants, have been conceptualised. Its experience can serve as an example of similar frameworks that can work for India’s unique requirements. Other innovations in the financial sector, such as low-cost cyber insurance cover, can protect customers and cover for losses over and above any compensation cap.
A multifaceted approach will encourage wider adoption of digital transactions and ensure that users feel secure in navigating the digital financial landscape.