The National Payments Corporation of India (NPCI) has swung into action to stop fraudsters from misusing customers’ credentials to drain their bank accounts. It asked acquiring banks to allow AePS (Aadhaar-enabled Payment System) interoperable cash withdrawal transactions only after Aadhaar-based biometric authentication of business correspondents (BCs) and agents.
Additionally, acquiring banks, which provide the necessary infrastructure for the merchant to accept payments and facilitate acceptance of card payments, must ensure that there is no misuse of BHIM Aadhaar Pay transactions to make cash withdrawals and carry out daily monitoring to identify and stop any misuse.
The advisory comes as cases of fraud have been reported across the country, in which money was withdrawn by scammers through AePS by surreptitiously using customers’ Aadhaar credentials.
Cybercriminals are now using silicone thumbs to operate biometric point-of-sale devices and biometric ATMs to drain users’ bank accounts, according to a May 2023 report in The Hindu.
AePS is a payment service that allows a bank customer to use Aadhaar as their identity to access their Aadhaar-enabled bank account and carry out basic banking transactions such as balance enquiries, cash deposits, cash withdrawals and remittances via a BC/Agent.
BHIM Aadhaar Pay allows merchants to receive digital payments from customers over the counter via Aadhaar authentication. It allows any merchant associated with any acquiring bank, live on BHIM Aadhaar Pay, to accept payment from customers of any bank by authenticating the customer’s biometric data.
NPCI said the process of two-factor authentication for BC/Agent login at least once a day, one of the factors being Aadhaar biometric authentication, continues.
Acquiring banks are now required to put in place a mechanism whereby, if three consecutive BC/Agent authentication requests are declined due to biometric mismatch, the BC/Agent is blocked for 24 hours. Investigations must be carried out before allowing the BC/Agent to resume the AePS service.
Biometric authentication should help identify the BC/Agent assisting a customer with their cash withdrawal transactions. This will also enable banks to take appropriate action, if any, against BCs/Agents found to be involved in inappropriate activities.
NPCI has asked banks to implement the measures relating to BC/Agent authentication from January 1, 2024, for an initial period of three months, after which the impact will be examined to decide on further action.
In case of any dispute reported in BHIM Aadhaar Pay, the onus is on banks to convincingly prove that it is a purchase/payment transaction and not a cash withdrawal.
According to RBI data, in November 2023, AePS recorded 1,079.59 lakh transactions (944.92 lakh in November 2022), totaling ₹28,972 crore (₹25,541 crore). BHIM Aadhaar Pay recorded 18.82 lakh transactions (14.52 lakh), totaling ₹590 crore (₹275 crore).
The civil society forum “Bank Bachao Desh Bachao Manch” had drawn the attention of the RBI in September 2023 to a wave of frauds surfacing across the country, in which the fingerprints of bank customers are used by unscrupulous fraudsters to withdraw money from customer service points using AePS.
Forum co-conveners Soumya Datta and Biswajit Ray, in a letter to RBI Governor Shaktikanta Das, said instructions should be given to all banks not to force customers to submit their Aadhaar card while opening bank accounts, as this is not obligatory according to the instructions in force.
“Banks should not discourage customers/account holders from delinking their Aadhaar number from their accounts. On the contrary, banks should facilitate these requests quickly,” they said.
The co-conveners suggested that the AePS cash withdrawal system should not be available by default and that an appropriate system should be put in place by banks so that, unless a customer specifically opts for AePS, the flag is generally raised for the withdrawal of cash for the rest of the customers.