Mar 02, 2020

To

Members of the Board for Regulation and Supervision of Payment and Settlement Systems (BPSS)

Mr. P. Vasudevan, CGM Department of Payment & Settlement Systems,

Reserve Bank of India.

Copy To

Mr. Dilip Asbe, CEO NPCI

Mr. A.R.Ramesh, Chief Project Officer, BBPS, NPCI

Subject : Follow up of Privacy Breach -  Non-consensual retrieval of bill data by BBPSOUs.

Dear Sir,

In October 2018, I had brought to your attention a privacy breach in BBPS[1] related to non-consensual retrieval of bill data of consumers by various apps / bill payment services operated by several authorized agents. Subsequently, NPCI had issued a circular on 1 November 2018 regarding the same[2] and stressed the importance of obtaining consumer consent in fetching bill data, providing an option to opt out of auto fetch, and asked for compliance by BBPSOU members and their partners within 60 days of the circular, as well as noted penalties for non-compliance with these guidelines.

While the swift response from NPCI is appreciated, 12 months after the circular has come into effect, consumers are continuing to see multiple apps / services violating this guideline related to user consent and building their credit scores using bill data of consumers without their knowledge. This is also evident from the data published by NPCI itself on BBPS transaction volumes and bill fetch transaction volume (see Annexure 1). It is being observed that for each bill paid using BBPS, there are 5 bill fetch transactions, indicating that multiple players are auto fetching bill data and augmenting their profiling databases, violating user consent. This rampant misuse of the infrastructure put in place for providing user convenience to pay bills is unacceptable and has to stop immediately.


I would like to know if NPCI, as the BBPSCU, has penalised any BBPSOU or its agents for non-compliance with the above noted circular and, if so, the details related to the same. I would also urge NPCI to put forth a detailed explanation publicly on this matter, including details related to top entities / agents performing fetch and those using bill fetch requests disproportionate to the payment requests made by them. NPCI holds critical information related to individuals, and enforcing stringent supervision related to data access is necessary and extremely important, not just from the point of privacy and data protection, but also for cybersecurity.

There has to be a zero tolerance policy against unauthorized, non-consented data access by anyone for private profits. I also urge RBI to make more granular payment systems data publicly available to help improve supervision of payment systems, identify abuse / unacceptable market conduct such as this, and regulate the industry better for a safe and stable payment system infrastructure which will improve consumer confidence and respect their privacy.

A copy of the letter is also made available publicly at https://docs.google.com/document/d/e/2PACX-1vSDRNf1EyiLgEVJ0uugh2XSGrGgyAh1E9VrCcDd-E25XWMfyTk4yRQ6tYiwBJfXBSsx-uXxcfgnceOz/pub

Regards,

Srikanth L

Cashless Consumer

https://www.cashlessconsumer.in

References

[1] Complaint to RBI- BPSS about Auto Fetch of Bill data by BBPS entities, Oct 16, 2018 https://docs.google.com/document/d/e/2PACX-1vSK2DtOHtQXhFmdgSv0EVqjg2dORT56FWCpSBnku-AjFzFxw9ayv-wfhaoROYG-eWiVzpXK0GF483Zh/pub

[2] Circular No. NPCI/2018-19/BBPS/007 by (A.R.Ramesh) Chief Project Officer, Bharat Bill Payment System, NPCI dated 01 Nov 2018. https://www.bharatbillpay.com/download.php?filename=ckdxemVOWXRBdXBDQ0NFNmo4UWxqcitVRWhqTjhLQnM1UXBsMEVVd0xLS3lIRVJuOStCSHVZUldpUnM2VENZdzBkOHViNVpZdnhmem94akZkVUhBeDJQNTk5TzE3MjJxb1I0T0hwOEwxQUk4Q0FROExUc1JZRjd0ZTNsdmFGTEw6OqRrYzL%2BfhE6t%2FTVSBaIeeQ%3D&url=QU1HZTNEdWZES3dWTEttbEpDbENnSTQ3cFM1NVJzNloxRE9ZZjFsc0g3NjNqN0pFZStzQ1JCcVY2MHd0cWNoSFJnWlhwbTdzR1A2MitDYmJ1OTc4UkE5VjlMK3FHNzYyS3RUaENJQW5PNEVHOTNtOG9MbEg3OGVaZDVubzFKZ2I6OoD13g9cQ6uCLHAcd7GPnhs%3D

[3] Annexure 1 - Data related to BBPS obtained from NPCI’s retail payment statistics for the month of Jan 2020 from https://www.npci.org.in/sites/default/files/RETAIL-PAYMENTS-STATISTICS%20Jan-2020.xlsx


Annexure - 1

https://www.npci.org.in/sites/default/files/RETAIL-PAYMENTS-STATISTICS%20Jan-2020.xlsx - Data related to BBPS obtained from NPCI’s retail payment statistics for the month of Jan 2020.

BBPS -  Bill Payment vs Bill Fetch

| Period | Bill Payment Transactions (In Million) | Bill Fetch Transactions (In Million) | Fetch Ratio (Bill Fetch / Bill Payment) |
|---|---|---|---|
| F.Y-2016-17 | 0.03 | 0.03 | 1 |
| F.Y-2017-18 (Apr'17 to Mar'18) | 10.6 | 15 | 1.41509434 |
| F.Y-2018-19 | 73.5 | 264 | 3.591836735 |
| Apr'19 | 8.83 | 38.54 | 4.364665912 |
| May'19 | 9.82 | 44.96 | 4.578411405 |
| Jun'19 | 9.63 | 55.23 | 5.735202492 |
| Jul'19 | 10.23 | 67.84 | 6.631476051 |
| Aug'19 | 10.57 | 53.96 | 5.107699583 |
| Sep'19 | 10.97 | 54.62 | 4.977433288 |
| Oct'19 | 12.6 | 69.43 | 5.51013977 |
| Nov'19 | 13.39 | 66.87 | 4.993444755 |
| Dec'19 | 14.08 | 74.92 | 5.322482037 |
| Jan’20 | 14.80 | 82.27 | 5.557342345 |
| F.Y-2019-20 | 114.92 | 608.64 | 5.296206056 |

CashlessConsumer - For a fair cashless society