Sunday, August 24, 2014

Shutting down Uber in India was unwise

by Suyash Rai and Ajay Shah.

When you finish a taxi ride, between two and ten minutes are wasted in dealing with the payment. You could pay cash and the driver might fumble for change; you could swipe a credit card and, after an interminable delay, find that the device does not work; and so on.

A few years ago, there was an important innovation in this business by a firm named Uber. Their process flow works like this. The customer goes to the Uber website and submits credit card details (as is done with any E-commerce website). Now he undertakes a ride in a taxi. At the destination, the customer steps out of the taxi and walks away without doing anything on the question of payment. The payment is effected using the pre-stored credit card details. A bill is sent to the customer by email. This saves two to ten minutes for customer(s) and the taxi drivers.

If you multiply millions of taxi rides per year by a saving of two to ten minutes, it adds up to GDP growth. It is estimated that there are 5 million taxi rides per day in India. If we're dealing with 3 persons per taxi ride including the driver, we save 91 million man-hours per year for each one minute that is shaved off the payment step. This sort of process innovation is how, one small step at a time, the world achieves productivity growth.

Two days ago, RBI released an order which effectively requires Uber to shut down in India by 31 October.

The problem

RBI has issued multiple regulations imposing specific restrictions on card-based and card-not-present transactions. Instead of a signature, consumers are required to enter a PIN at merchant outlets. For online, card-not-present transactions, we are required to enter one time passwords or other authentication information. Uber was using a loophole in the RBI regulations, which allowed payment transactions with foreign exchange outflow to be exempt from the authentication requirement. The payment was flowing to Uber's bank outside India, and then Uber was sending payment to the taxi driver in India, even though the receipt was issued on behalf of the taxi driver in India. Competing taxi services were also considering such a method of routing payment through a gateway abroad, but it was harder for them to overcome India's capital controls, as they are based in India, unlike Uber which is a foreign company.

RBI's decision creates a level playing field between Uber and Indian taxi companies -- one in which all taxi companies are equally bad in their dealing with consumers, forcing two to ten minutes of time wasted with every ride.

The reason behind this and many other such steps can be found in RBI's overall approach towards regulation. It prefers paternalistic micro-management to market-based solutions.

Need for a composite strategy: prevention and law enforcement

Every month India is clocking about 100 million debit and credit card transactions on Point of Sale (POS) devices, with total value of about Rs.20,000 crore. This means an annual card-based transaction volume of 1.2 billion, with a value of Rs.240,000 crore, and growing fast. Over and above this, there are "card-not-present" or online transactions. In calendar year 2012, the total money lost due to frauds relating to ATMs/Debit Cards/Internet Banking and Credit Card, amounted to about Rs.52 crore. This may seem like a very small number compared to the total value of payments, but each instance of fraud is a crime and must be dealt with. This raises questions about consumer protection and law enforcement.

The consumer protection objective in this context is: consumers' funds must be protected from fraud. The question is: how should this be done? There are basically two approaches to this: prevention and enforcement. Both are important in an overall anti-fraud strategy. The regulator can impose security requirements that make it difficult to defraud customers, but each requirement has costs. Law enforcement can also help the consumer recover the money lost to fraud, but this also has costs and the consumers may get their money with a time lag or not at all.

When it comes to prevention, it is important to consider who is best placed to develop and implement preventive steps. This responsibility can be substantially shared by service providers, who are often better placed to make the right preventive choices, as long as they are held accountable. Service providers, in any case, have an interest in maintaining trust in their systems, and in addition to that, they could be held accountable by the regulator.

What has India's approach been?

RBI has been writing `regulations' to address this problem which have largely been paternalistic, micro-managing, and technology-specific. Earlier, one could make a card-based transaction by simply swiping a card and signing on the slip, but now one must enter a PIN in the POS device. This has made every transaction more cumbersome, especially where the POS device is not present in the immediate vicinity of the transaction (e.g. at restaurants). Earlier, one could transact online (called "card not present" transactions) with one factor of authentication, but now two factors are required, one of which is often a one-time password, generated and sent over the mobile network or on email. Given the relatively low reliability of SMS in India, this often leads to delays and failed transactions. In the world of E-commerce, all over the world, customers link a credit card to a merchant website once, and transact at will. This is not allowed in India. In addition, RBI has imposed several requirements on technological specifications for cards, POS devices, etc.

These measures have improved security of transactions. But were they optimal? Do they pass the test of cost-benefit analysis? Effectiveness of a measure is not the only consideration. Excessive regulation can be effective but not efficient. Regulators such as RBI have enormous powers, and they must always be asked to defend the use of these powers - on effectiveness, efficiency, and jurisdiction. This is essential to ensure accountability of these agencies.

All preventive measures impose costs on consumers, and, on the margins, create a preference for cash payments and contribute to the tendency to avoid online transactions and the white economy. On the other hand, they also increase robustness of transactions, thus increasing the trust in these systems, and encouraging greater participation in these systems. When we look closely we find that not all payment transactions pose the same level of security risk. Systems can enable small-value transactions with minimal friction, and require significant authentication processes for higher value transactions. Some transactions might justify 3 factors of authentication, but some other transactions may require just 1 factor. Regulatory intervention at system level takes a one-size-fits-all approach, which is costly. So, preventive measures are crucial, but they need to be proportionate to risks. This proportionality cannot be achieved by regulatory diktat. It must come from innovative market practices. The incentive for such innovation is destroyed by RBI's paternalistic approach. The counter-factual world that we do not see is one where innovative firms in the business of payments invent improved methods of risk management.

What about law enforcement?

Payment fraud is a crime, and it should be looked at from that lens. When it comes to crime, it is often easy to prevent it by imposing excessive restrictions on potential victims. It would be easier to prevent pickpocketing if people were mandated to carry wallets attached with chains to their clothes. Does that mean we should mandate such costs to be incurred by the people? Most would laugh at the very suggestion. And yet, for crime prevention in electronic payments, we easily accept that the entire country should spend a few extra minutes on every transaction, or give up the enormous convenience of automatic transactions on linked cards.

Public choice theory teaches us that bureaucrats and politicians are self-interested actors, and work for themselves -- not for the people of India. It is always convenient for government agencies to ratchet up prevention because they then have to do less work on enforcement. As citizens, we must push back against such behaviour. Better enforcement generates deterrence and is hence an important tool for prevention. But it requires more work on the government, and all too often government agencies prefer the laziness of shutting down activities.

How to do better

  1. The government must not hinder innovation in business models and technology. As Percy Mistry says: Elsewhere in the world, the government fits the needs of the economy, but in India, the economy is forced to fit the needs of the government. This must be turned upside down. In the long run, nothing matters as much to India as achieving higher productivity, which requires that organisations such as RBI stop blocking progress. The right attitude at RBI should have been: "Uber has come up with an interesting innovation, how do we modify our rules and procedures so that everyone in India can utilise such innovative business models?".
  2. The foundation of the regulatory strategy should be principles of responsibility: who will be held responsible under what circumstances. If the consumer has been excessively lax, then he should take responsibility for the failure, and if the payment service provider has not implemented adequate security measures, then it should be held accountable. Once Uber or Paypal know they are responsible, they have the best incentive to innovate on technologies of security. Clarity on consumer protection, as is done in the draft Indian Financial Code, should shape these principles of responsibility. This is the business of financial regulation.
  3. Employees of the government almost always do not know enough to interfere in technology. `How to produce' should be the exclusive preserve of the private sector. See Hrush Bhatt of Cleartrip responding to RBI's rules about two factor authentication.
  4. The regulator should define a proportionality principle for security of payment transactions, and then leave it to the payment service providers to choose and implement risk-based security approaches. This will lead to innovation in payment security. For example, a payment service provider may choose to implement a minimal authentication process for low value transactions. Or, they could link it to the credit limit or available balance, so that the poor consumers are disproportionately protected.
  5. Enforcement is hard work, and prevention is easy by shutting down complexity in the economy. Regulators must almost always avoid banning things, and work harder on developing State capacity in enforcement. In many instances, neither the consumer nor the provider would be responsible, and it would be a crime that could not have been reasonably prevented. In such instances, enforcement is the only option.
  6. Two laws gave RBI the raw material to shut down Uber: the Foreign Exchange Management Act (which gives power to hamper all cross-border transactions) and the Payment and Settlement Systems Act (which gives power to hamper innovation in payments). These laws are incompatible with progress, as has been argued by the Financial Sector Legislative Reforms Commission (FSLRC).
  7. The regulator should supply the public goods of data and foster research on payments and security and the performance of alternative authentication mechanisms.
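
A sketch of the proportionality idea in item 4 and in the earlier paragraph on small-value transactions, added here as an illustration and not taken from the authors, RBI or any payment provider. All names and the thresholds `FLAT_FLOOR`, `LOW_SHARE` and `HIGH_SHARE` are assumptions. It compares a flat rupee floor with a threshold tied to the customer's credit limit or available balance, and counts one-factor spend cumulatively so that a large amount cannot be split into many small one-factor payments.

```python
from dataclasses import dataclass

# All thresholds are assumed values chosen for illustration only.
FLAT_FLOOR = 2000.0   # flat rule: one factor below this many rupees
LOW_SHARE = 0.02      # below 2% of exposure: one factor is enough
HIGH_SHARE = 0.25     # at or above 25% of exposure: three factors


def required_factors_flat(amount: float) -> int:
    """One-size-fits-all rule: the same rupee floor for every customer."""
    return 1 if amount < FLAT_FLOOR else 2


@dataclass
class ProportionalPolicy:
    """Step-up rule tied to what this particular customer stands to lose.

    exposure_limit   -- credit limit or available balance, in rupees
    one_factor_total -- spend accepted with a single factor since the
                        last stronger authentication
    """
    exposure_limit: float
    one_factor_total: float = 0.0

    def required_factors(self, amount: float) -> int:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.exposure_limit <= 0:
            return 3  # exposure unknown or exhausted: fail closed
        # Cumulative share, so many small payments add up like one large one.
        share = (self.one_factor_total + amount) / self.exposure_limit
        if share < LOW_SHARE:
            return 1
        if share < HIGH_SHARE:
            return 2
        return 3

    def authorize(self, amount: float, factors_presented: int) -> bool:
        """Accept the payment only if enough factors were presented."""
        if factors_presented < self.required_factors(amount):
            return False  # caller must step up and retry
        if factors_presented == 1:
            self.one_factor_total += amount
        else:
            self.one_factor_total = 0.0  # a stronger check resets the window
        return True


def rides_before_step_up(policy: ProportionalPolicy, fare: float) -> int:
    """Count consecutive one-factor payments of `fare` the policy accepts."""
    count = 0
    while policy.authorize(fare, 1):
        count += 1
    return count


if __name__ == "__main__":
    fare = 300.0  # constructed sample: one taxi ride
    small = ProportionalPolicy(exposure_limit=5_000.0)    # low-balance customer
    large = ProportionalPolicy(exposure_limit=500_000.0)  # high-limit customer
    print("flat rule, either customer:", required_factors_flat(fare))
    print("proportional, low balance: ", small.required_factors(fare))
    print("proportional, high limit:  ", large.required_factors(fare))
    print("one-factor rides before step-up:", rides_before_step_up(large, fare))
```
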

The most important ingredient required for progress is humility. These are complex problems. The simplistic, overly prescriptive and paternalistic approach is harmful. In India, the costs of such an approach could keep people away from the financial system. The use of cash is even riskier than a relatively less secure electronic payment system. Cash is friendlier to money laundering, terrorism financing and fraud. That is the continuum of choices. A costly, one-size-fits-all, prescriptive approach may lead to high security for those in the electronic payment system, but may be leaving a large number of people out.

What Phil Libin, the CEO of Evernote, says about decision making in corporations is equally true of the world of public policy:
"We always try to ask whether a particular policy exists because it’s a default piece of corporate stupidity that everyone expects you to have, or does it actually help you accomplish something? And very often you realise that you don’t really know why you’re doing it this way, so we just stop doing it."

How to make RBI serve the needs of India?

Uber is just one company and taxi rides are only one place where payments are required and payments is only one sub-component of finance. The problems seen here are afflicting Indian finance all across the place. We have to look deeper and solve problems in how regulation is done.

RBI's intervention is problematic from a legal process perspective. Regulators are mini-states with legislative, executive and judicial powers. Such powers are easily misused, especially in the name of doing good. Payments is just one area where productivity-enhancing innovations are being hampered in the name of security. In fact, many bad things are done with some noble objective serving as justification. Bad behaviour need not mean stereotypical corrupt behaviour. It could also mean other things, such as taking excessively restrictive steps, because the regulator wants to make its life easy. For example, giving two bank licenses per decade, just to reduce the amount of work required in supervision, is also bad behaviour. So, we must be a little more circumspect with agencies like RBI. They need to be held accountable. One good way of ensuring good behaviour is to mandate them to follow a certain process of making and enforcing regulations.

The principle of proportionality, market-based innovations on security, and strong enforcement, are the magic ingredients for achieving optimal security in payment. Only careful analysis, and continuous review can reveal the right mix. Cost-benefit analysis of regulations will help choose the most efficient regulatory pathway to an objective. This analysis requires the regulator to list a few plausible regulatory alternatives, compute their costs and benefits for the entire economy, and choose the most efficient alternative. In case of payment security, at least two types of stylised choices are possible: those making specific prescriptions that payment services providers must follow, and those holding the service providers accountable for ensuring proportional security. Analysis would reveal which approach would work in what context. The world is changing rapidly, and the regulator must keep on learning. Hence, each such regulation must be subjected to periodic reviews, to understand what effect it had on the economy, and to make course corrections.

Such cost-benefit analysis and ex-post review are parts of the regulation making process in many good countries. They have also been recommended in the draft Indian Financial Code formulated by the Financial Sector Legislative Reforms Commission (FSLRC). Indeed, decades of observation of the blunders of financial agencies in India, of the sort being discussed here, is what has given rise to the subtleties of the draft Indian Financial Code. You may like to see this talk on how to obtain progress on payments.


  1. There are some key principles of process improvement. Faster, cheaper, safer, easier. The UBER model tried to do all of these. Going to a level playing field is the fastest way to mediocrity. It is quite likely the competition, which was getting clobbered because of the non level playing field, complained to the regulator. Per my understanding, even today foreign banks operating in India, play on a non level playing field, in that they do not have to comply with priority sector lending, or open rural branches.

    1. If foreign banks operating in India play on non-level playing field, we should raise a voice against that, instead of promoting to do away with level playing field under the garb of innovation. To have a level playing field is the right of all Indian citizens and enterprises.

    2. Are you going to give foreign banks taxpayer support like the banks that have to do priority sector lending or open rural banks? Yes, please let's have a level playing field. Let's have the govt recapitalize private and foreign banks with taxpayer money just like they do with PSUs!!! LOL.

  2. It is perfect to have the PIN requirement in credit/debit card POS transactions and 2-layer authentication in online credit/debit card transactions. Millions of bank savings accounts in the country are forced to have a debit card. When the PIN and 2-layer norms were not present earlier, and a debit card was misplaced by someone who may not realise this loss for several days and weeks the customer's entire savings account balance (including linked FDs) was put to risk. The banks offered no options of selecting one's own limits on debit card spends (per trade or cumulative in a month).
    Risk-management of one's personal finance is every citizen's right and the regulator should ensure this right remains with her.

    1. You and I are in complete agreement on your last statement that risk management of one's personal finances is every citizen's right. However, what that also means is that if I decide that I'm alright with an exposure to elevated risk I should have the right to make that decision and live with the consequences. Forcing the least-common-denominator of risk management down everyone's throat by regulation is not an appropriate fix.

    2. This is something which is not being seen in developed countries in Europe and the West. I understand with debit cards, you might need 2-factor authentication, but not with credit cards. Credit cards are preferably, not linked to bank accounts directly. Also, they have protection from illegal usage, which renders the above comment invalid. Also, this seems like a political decision rather than a decision from a financial standpoint. We know that RBI is not a lazy organization per-se, but it would do better than to bow to political pressure for decisions which obstruct with the growth of the economy.

    3. To the one who made the Aug 25 9.48 pm comment: I agree that those having no problem in elevated risk should have the right to make that decision. However, RBI did what it did (PIN... 2-layer etc) precisely because banks and card companies were not offering the options such as lower transaction limits on debit cards and other user-decided limits, to those who did not want that elevated risk. We also should not have a system forcing the highest-common-denominator of risk management down everyone's throat.

      To the one who made the Aug 26, 12.32 am comment: I agree. My arguments do not apply fully to credit cards since they are not linked to savings accounts (included FDs linked) and more importantly credit card users can choose to have lower credit limits on their cards.
      The real need is for debit cards since a bank account holder does not get the choice to choose between a pure-ATM card and a debit-cum-ATM card. The latter is forced upon him in India. For instance, I may want to hold 1 or more credit cards for my POS and online transactions but would like to hold a pure-ATM card for withdrawing cash from my savings account (including linked-in FDs). But banks in India are not offering pure-ATM cards and while I did manage to force one or two banks to issue me a pure-ATM card they made things difficult by assigning very low daily cash-withdrawal limits.
      I do not think RBI's decision was political. On the contrary, banks were doing what they were doing (offering zero risk-management handle to customers) for more than a decade before RBI, a couple of years ago, made the PIN and 2-layer norms mandatory.

  3. Enforcement is much costlier than prevention (cost of police, courts, prisons etc.), and not much of a deterrence either (or we would have been rid of crime by now). Graded preventive measures, stronger where risk is more, are the best bet.

  4. I wonder what will happen to Apple Store and Google Play Store transactions.

  5. RBI has done the right thing by asking foreign companies "to use domestic payment gateways for domestic transactions". They have not banned anyone or banned any activity (just foreign gateways). Card security is very important and cannot be compromised for the sake of comfort. Uber can easily introduce a concept of wallet which we fill up at time of registration like Rs1000 and every ride is deducted from that balance and regular top ups using domestic gateways.

    1. I work in India for Indian clients should I use only Indian computers? How many people will open a new complicated wallet account which can only be used for taxi rides? Please think from a business point of view. If you think it is so easy start a taxi service with mobile wallets and see.

  6. The online password required by Verified by Visa (VbV) is pointless, as the password can be reset by clicking on "forgot password" and entering the card details + the date of birth. So, the password actually is irrelevant. If someone has your card details and your date of birth, then the password does not add any extra layer of security. Additionally, online password forms like VbV's open up the possibility of phishing sites which can steal the information online (as has been the case). In other words, it's pointless.

    Amazon doesn't use VbV, and one wonders if they don't need it, with the millions of transactions being done on that site, why does anyone else require it?

    From a regulation perspective, RBI could have taken the democratic approach by leaving the option of using VbV on the merchant, and with the merchant taking responsibility for its choice.

    Furthermore, canceling a fraudulent transaction is very easy in US/Europe. One just makes a call and no questions are asked. And, many times the card issuer themselves detects fraudulent transactions and triggers a call to confirm. On the other hand, the liability protection is not as robust in India. For example, my Kotak card terms say that I would need to file an FIR and file an insurance claim if I have to get a fraudulent transaction reversed. I think RBI should be looking at fixing this lack of liability among Indian card issuers, rather than making useless policy decisions like the one being referred here.

    1. As you mentioned, the Visa verification process for online transactions requires birth date for getting the password changed. If I lose my debit/credit card and do not realise this loss for several days or weeks, then the person who finds it and fraudulently tries to use it for online purchase will need to know my date of birth for getting the password (which he would not know) changed. Such a person, with intent to do fraud, will not know my date of birth. So the Visa verification process works fine. My entire savings account (included by linked-in FDs) is not put to risk unnecessarily.
      Ajay Shah, you have to realise that you are among the top 1% of customers who have the influence to get a fraudulent transaction reversed due to your clout in the financial and political system. 99% of bank customers do not have such a clout, nor I am sure are they seeking it. They just want their hard-earned money in their savings account (including linked FDs) to be protected and safe. That is the most basic aspect any financial system must offer, and I am absolutely stunned you are not able to see this.

    2. If someone knows your card details, it is quite easy for them to know your DOB too.

      In any case, as I mentioned, the real regulation (to do with consumer protection) is the ease of canceling a transaction, like it is in other countries. The second issue that you have cited is what the RBI needs to fix - simple, no questions asked transaction cancellation, like it is in the rest of the world. If you (as do I and everybody else) are concerned about protection of your money (whether hard earned or not - emotional arguments are best kept aside) then you should be asking for this regulation to be introduced as it enforces better consumer protection with or without the extra password being in place. That is real consumer protection, which is required even with 2FA.

      Moreover, why did RBI enforce it only for local transaction? Why not enforce it for foreign transactions too?

    3. To the one who made the Aug 25, 7.35 pm comment: Please share how someone who has my debit card will know my DOB? The debit card does not have the DOB on it, and neither is my DOB details available on the internet (not even on my facebook profile). So, how?

    4. Oh I'm pretty sure our lovely KYC system pretty much guarantees that all kinds of agents, etc have our PAN number and DOB. And, I'm pretty sure databases with this information are sold around quite commonly. It is harder for someone to know my card details than my date of birth.

  7. Ajay, I disagree with the way this debate has been framed. It reaches right conclusion but in a most inappropriate and a wrong way. There are two separate issues- 1) compliance with law as it exists and 2) seeking change in law if it is unreasonable and doesn't meet the cost benefit test in particular. Über was violating Indian laws on FEMA and Payment Act and not exploiting a loophole as you mentioned. I can write another piece for those who don't agree with this. They were violating it knowingly and wilfully to take unfair business advantage against other law abiding corporates. This has nothing to do with technology which is very simple and every taxi company could have implemented. So please don't make a hero out of Über. In fact they lobbied hard and have managed to get an extension of existing process up to October.

    Now the second issue. I agree that RBI should allow the card transactions without double authentication. A process can be easily designed to ensure that the possibility of fraud is further minimised. We must all lobby hard with the bank and get this changed. It will help not only the taxi companies but also other e commerce businesses.
    Disclosure: I am with India Value Fund which has invested in Meru Cab Company

    1. Agree to what is said here.

      Saving 2-10 minutes of Taxi ride time is no big innovation! More time is spent in loading and unloading luggage! So the stats author presents are meaningless to say the least.

    2. I do not think we are in a position to judge what is a big innovation or not. It is for the market to judge it. The proof of the pudding is in people using it.

  8. Completely agree. The credit card usage in India has been made difficult to the point where one is forced to carry substantial cash everyday. The world is moving towards one-click purchase of items and we have to do a lot of clicks and key presses just for the payment. Maybe Uber and others can start a pre-paid taxi card that one can use easily - but I do not know if that would have the same multiple authentication requirements.
    A very similar change for the worse has happened in the purchase of prepaid mobile connection. It is now extremely difficult and time-consuming to get one. You need proof of address, local contact details with phone number, a photo and at least 2 days to get it working. Kind of makes buying it meaningless in case it's a short trip. All this has been done because the law enforcement agencies do not / cannot do their job well or the identification documents issued by the government are not reliable.

  9. I want to repeat a point I made earlier. Fraudulent online transactions are a larger concern in India because card issuers do not allow easy cancellation of transactions like in other countries. In the US/Europe, one can cancel a transaction with a quick phone call/click of a button. In India, one would have to make multiple trips to the bank and file an insurance claim and perhaps an FIR too. This is the real regulation gap that RBI needs to fix. If the responsibility lay with the issuer (like in other countries) then card holders would not have to worry about frauds and/or whether they are using 2FA or not, which has limited to no additional benefit.

    Irrespective of whether 2FA is made mandatory or not, we need to make the protection similar to other countries, where a card holder can promptly request a cancellation of a transaction (without any hassle).

  10. I believe that the authors are based in the US. The present governor of RBI was able to predict the 2008 global crash of markets when huge banks in the US collapsed. These happened due to the presence of weak internal and central controls. U are talking about the time which can be saved just by authorizing the transactions. If controls were there the entire world could have saved years!!

    U believe that RBI is interfering whereas give time for the market and public at large to understand. Slowly when the time is correct these controls could become optional.

    Also say suppose Uber charges Rs 100 as fare but does it send back Rs 100 to India? If it does it is OK but say it reduces charges and profit then are they paying any tax on the dividend distribution they do?

    What's the harm in promoting Indian gateways? We should think of reducing our import bill in the best possible manner.

    Prevention is better than cure..

    A complete one sided article.

    1. By your analogy no kids should go and play in a park because they can get hurt while playing. We should 'prevent' them from playing because it is better than 'curing' them when they get hurt. But there is a much better third alternative of providing them a safe environment to play. Sure it's not easy and needs the parents to spend time to understand the games and monitor the kids. But most parents would do it because of the great benefits of sports.

      Many RBI and government policies are based on zero desire to spend time or money to monitor or understand the cost / benefit. It has nothing to do with prevention or cure no matter how much they try to say that.

    2. As I have commented before, the 2008 crisis has given an excuse to our Indian luddites to claim that they are better on various unrelated issues, which has not an iota of rhyme or reason to it. It's like a villager saying look there are no road accidents in my village (because there are no roads), so my village is much better and we should never have any roads.

      You need a more relevant argument specific to the problem at hand, than referring to an issue which has nothing to do with credit cards. That is lazy, disingenuous argument at best.

      The very fact that you think that the issue is foreign vs domestic gateways means that you haven't understood the problem. Uber uses a foreign gateway because the way they make transactions is not supported by the domestic gateway. So, usage of domestic gateways can be encouraged by supporting their process in the domestic gateway. Problem solved.

    3. You misunderstand the situation - the reason domestic gateways do not support this type of transaction is that the RBI has prevented it. Uber bypassed this by using a foreign gateway. Other taxi operators decided to do the same, and sent a note to RBI informing them of their plans - and you can see the result for yourself.

      What Uber is doing is not innovative - it is common amongst many service providers (Amazon has a 1-click, and there are many subscription / micropayment services which do this) - but it is indeed the desired experience.

      While I do not agree with making Uber the centerpiece of the discussion, it is important that we find a way to move from prevention to a risk management approach, while ensuring that consumer protections are stronger than they are today. RBI's prevention method does not protect the consumer - try disputing any transaction today and you will figure that out. In the US, liability is on everyone but the consumer. This is the exact opposite of what we have in India today.

      BTW, the more factors of authentication you put in, the more liability moves to the consumer. It becomes even more easy for a card issuer to say that the card holder must have been a willing participant in the transaction!

  11. I'm in two minds about this. Yes, Uber is convenient. Yes, credit card fraud is a crime. But the potential losses with online fraud are much more than with pickpocketing, and the difficulty of getting the culprit (who may be in another country) is much greater. In the US they handle it by the bank simply refunding the customer the cost of any fraudulent transaction, no questions asked. They do this because (a) banks don't want to invest in security (b) they fleece customers in numerous other ways so can afford to do these payouts. I don't think this is feasible in India. I appreciate the low transaction costs (eg wire transfer for Rs 5), lack of hidden fees, and, yes, the increased security of credit cards in India. I am nervous about using my card on foreign sites or in foreign shops. I think Uber should, probably will, come up with another technological solution -- perhaps team up with mobile providers via things like Airtel Money! Also, other taxi operators with mobile apps, like OLA, are doing fine. So I think you are overreacting.

    Also, chip+pin, with wireless machines brought to your table, has been standard in Europe for over 10 years. And is becoming common in India too -- a local shop where I live even sends the machine to your place for home delivery, if you want. And it is much more reliable than those machines with fiddly wires that they kept unplugging and replugging because of a loose connection. And I totally fail to see how typing a 4-digit PIN is more cumbersome than signing!

    Overall, RBI is doing a great job, and the Fed in the US isn't. Sorry.

    1. "They do this because (a) banks don't want to invest in security (b) they fleece customers in numerous other ways so can afford to do these payouts."

      I think you are making wrong assumptions. They invest a lot more in security and have much more robust security features due to the greater emphasis on customer protection and legal risk in these countries. As you said yourself, customers can easily cancel a transaction and that is all the regulation that is needed in India too, with or without extra PIN/password. No annual fee, no charge credit cards are more easily available in foreign countries than in India, so charges for credit card are actually higher in India (on average).

      Secondly, if the RBI thought this helped with fraud then they should have been consistent and enforced the rule for both domestic and foreign transactions by Indian credit cards. But, they have enforced it only for domestic transactions!! So, your concern about safety on foreign sites remains unaffected and unaddressed by this rule!!

    2. "As you said yourself, customers can easily cancel a transaction" -- no, I didn't say that and they can't. They can report a fraudulent transaction and the bank gives them back the money -- and suffers the loss, ie does not recover it from the fraudster. It is not "easy" either, it is at best an unnecessary hassle and worry, even if the bank usually obliges in the US.

      "Secondly, if the RBI thought this helped with fraud then they should have been consistent and enforced the rule for both domestic and foreign transactions by Indian credit cards." I don't see how they can enforce RBI rules on foreign merchants. All they can do is disallow international credit cards, and nobody wants that. But I'd guess this worry doesn't apply to 99.9% of Indian card users.

  12. Wonderful article. Appreciate the same.

    The costs for fraud (Rs. 52 cr) versus total estimated volume of Rs. 2,40,000 crore could have been easily covered through general insurance cover itself by players. The industry would have shared the costs and passed on to the customer base, without complicating things for customers.

    The new system is open to higher abuse, but this time Customer can be blamed. For example, when I shop at large retail stores, where there is electronic surveillance, the 4 digit code can be read off. Also while punching this 4 digit code at petrol pumps, myriad shops, the code can be read/seen by people. Once the code is gone, and anyone forgets the card / Pocket gets picked etc. there is no stopping after that. The same 4 digit code can also be used to encash Credit card/Debit card at the ATM also.

    The only thing is that this time the customer will be to blame for losing both card and 4 digit code.

    1. Electronic surveillance or peeping Toms can't read the PIN code if we cover the keypad with our palms and enter the code with the fingers of the other hand. In the regime when PIN was not mandatory cards could be simply swiped and your bank account wiped out in India. With PIN, you have the ability to restrict that possibility even if you cannot eliminate it completely. Something is better than nothing.

  13. I agree with your thoughts. Uber is the best taxi experience in India till now but I am sad it's gonna go!

  14. All Uber needs to do is charge an upfront payment in the wallet and then bill by deducting out of it. A simple answer. Of course, you need to check the balance for paying the trip in advance etc, but I think it could work anyway.

  15. This doesn't require such a long article. Just do a thought experiment:

    What are the odds that a fraudster will use stolen card details to buy a free taxi ride on Uber? Where one has to present oneself in person, and provide a functional mobile number? Is it worth it for a fraudster to use a stolen card to get a taxi ride worth a few 100 rupees?

  16. For those arguing this is in favor of customer protection, what we really need is what this gentleman is saying:

    Credit cards: RBI keen on 'zero liability' to customer

    Note that this article is from 2012 and RBI hasn't done this still !!!!

    Until the RBI implements this, there is no real customer protection in India with credit cards, and PIN, password etc are all a way to inconvenience customers and put the onus on them rather than the financial system, which should own the liability. The article indicates how this works for customers in the developed world and we should figure out soon how we are going to get to the same goal of 0-liability of customers. RBI needs to at least provide regular updates on what is holding them back from implementing this and/or state a road map to achieve this.

    1. The RBI has not done anything in this regard simply because the banks and the card companies won't play ball. Do not blame the RBI on this one. If RBI gets strict on this, the banks will cry out aloud and intimidate customers with such high annual charges and other charges. The banks and card companies have to first take the lead.

    2. The banks and the card companies won't ever play ball unless the RBI takes a firm stand on it. What industry is going to be happy with 0-customer liability? If the RBI can't do such things, then what is the use of a regulator? The RBI controls annual charges and other charges, so that is no excuse. Furthermore, the industry has had enough time to get this going and if there is a valid reason, then the RBI needs to outline it and what needs to be done to tackle outstanding issues.

  17. This is a good move by RBI and is appreciated. 2-factor auth certainly enhances customer's safety. India is a much safer place to shop with credit cards than USA. We don't want a Target happening here. And if a hacker in Russia steals Uber's credit card database, Uber will go scot-free and the customer here, in India, is toast.

    This article unnecessarily cries wolf. Some of the arguments are preposterous. It claims SMS service is spotty in India. If that is true, how does Uber ever work on the mobile phones? It needs a data network!!
    And given a choice of spending two minutes to enter 2FA or risk losing your hard earned money to a hacker, which one would you choose?

    RBI has done what it should be doing - plugging loopholes and making regulations that enhance safety for users in India.

  18. Uber is indeed the biggest innovation that has happened to mankind after the sliced bread. They have not just innovated in the payment space but many other structural areas that RBI has objected to, but somehow ignored by our learned authors. Let me give you a few examples:
    1. The consumer’s money goes to a bank in Netherlands and the vehicle owner gets money from a bank in US. Money doesn’t touch Uber’s Indian entity and there’s no money trail that India’s law makers can establish. This innovation is something that can definitely be a great inspiration for money launderers and hawala guys who do not wish to be identified by India’s monetary system. Obviously if India’s central bank turns Nelson’s eye to the business practices of an $18 billion global behemoth like Uber, on what ground can it stop them? RBI is definitely regressive in raising an issue here.
    2. Since no monetary flow touches Uber’s Indian entity, they don’t have to pay service tax, which every other Indian car rental player has to end up paying. This can make not just the large taxi players but even thousands of small operators financially unviable and thus global companies can rule the roost in India. Very innovative indeed.
    3. Again since no monetary flow touches Uber’s Indian entity, they don’t have to pay any income tax from their second largest market globally. Our learned economists can write another well researched article on why India should abolish all direct and indirect taxes and how that is bad for the economy.
    4. For all those who are crying foul on the innovation and free market economy principles being killed by RBI, western countries are the Mecca of innovation and free markets. These people are pretty sure that if a large Indian behemoth starts operation in US in multiple cities and decides that no money trail is traceable by US Govt and they don’t have to pay any taxes in US, their Govt will never mind it and never raise a question on the Indian entity.
    5. RBI put the regulations on two factor authentication way back in 2009, which put many Indian e-commerce entities to a great inconvenience and hit their business badly. Our learned authors decided not to raise voice then, since it was only the Indian companies that were getting affected and if an Indian company was able to provide seamless payment experience prior to 2FA rollout by RBI, that wasn’t really an innovation. But Uber is able to provide payment experience without 2FA, completely ignoring the laws in the country that they operate in, that is the real technology innovation, right?
    6. An $ 18 Bn entity like Uber with unlimited resources decides to enter India. Obviously they do not have time to understand the local laws for credit card usage, foreign exchange regulations, local taxes etc. The $ 18 bn gives them the war chest to roll out predatory pricing on both consumer and car owner side to kill local competition. (Their aggressive competitor strategies are known globally. See One gem of an innovation that Uber launched was booking thousands of trips on competitor systems and then cancelling them to fetch the database of drivers for poaching. It is indeed a dirty lobbying tactic by Indian taxi operators to request for similar facility of mobile payment without 2FA and requesting ground for fair competition to operate within India.

    1. This is quite an eye opener... The writers of this blog should provide a response on this, why they've been sympathetic to a company that is grossly violating all laws under the garb of innovation. Also, why have you portrayed that Uber has been asked to shut down or killed by regulators? Aren't there taxis and taxi companies working in India without 2FA for so many years? Why should Uber be above the law? Shouldn't it work with RBI to change the regulation before launching its services?

  19. 7. Uber’s Terms and Conditions read: “For the avoidance of doubt: Uber itself does not provide transportation services, and Uber is not a transportation carrier. It is up to the Transportation Provider to offer transportation services, which may be requested through the use of the Application and/or the Service. Uber only acts as intermediary between you and the Transportation Provider. The provision of the transportation services by the Transportation Provider to you is therefore subject to the agreement (to be) entered into between you and the Transportation Provider. Uber shall never be a party to such agreement.
    The quality of the transportation services requested through the use of the Application or the Service is entirely the responsibility of the Transportation Provider who ultimately provides such transportation services to you. Uber under no circumstance accepts liability in connection with and/or arising from the transportation services provided by the Transportation Provider or any acts, actions, behaviour, conduct, and/or negligence on the part of the Transportation Provider. Any complaints about the transportation services provided by the Transportation Provider should therefore be submitted to the Transportation Provider.”

    This way, even after providing exactly the same taxi service like any other taxi service aggregator, Uber completely absolves itself from any responsibility to customers through innovative structuring of its business model.

  20. There was a good debate going on in another blog and a commenter was critical of the RBI. The relevant excerpt is here:

    "...Actually, the real regulation loophole here is that card issuers do not own the liability of fraudulent transactions (like in the US). Transactions can be easily canceled in the US with no questions asked, whereas in India, one has to go through an onerous, insurance claim-like process to revert a fraudulent transaction..."

    The whole conversation is interesting and can be found here:

    PS: I have no links to the blog except for the fact that I post comments there from time to time like I do here.

  21. First of all, this post could have used at least 50% fewer words and saved time for readers ;)

    Second, I disagree with your opinion. I feel the extra authentication steps issued by RBI in India should be followed by other countries too. When I provide my credit card to some US-based websites, they use it to automatically renew services, etc. But in India, no company can do that because I need to personally authenticate each transaction. This extra step is very essential, especially in the Indian market.

    In the case of Uber, what prevents them from coming up with a pre-paid system where customers can deposit like say, 1000 rupees in advance and then after every ride, the amount can be automatically deducted?

    Destination Infinity

  22. I strongly disagree with Mr. Shah's view. Most people will prefer a little annoyance in lieu of increased security. The introduction of mandatory PIN and two factor authentication has only increased my peace with using these cards. Even if I lose my card, I know it is not as easy to misuse it as it used to be earlier. And let me tell you, I am a young professional who does, on average, 10 online transactions every month and I am cool with the little annoyance.

  23. One more thing, though not exactly relevant here: I have serious doubts over their integrity. I have created an Uber account, but as I am not comfortable with them holding my credit card info, I wanted to delete my Uber account. Sadly I can't find any way to delete my account. They have kept my credit card info and I can't do anything about it. Writing to them fetches no response.

  24. Dear Mr. Suyash Rai and Ajay Shah,

    I very much agree with your views that RBI is wrongly trying to counter a problem.

    An off topic thought (or maybe a related one),

    At least metro/large cities in India should have such an effective public transportation that, private taxi market should not become as big market as it is today. Hence saving many resources (fuel, man-power) and environment (compare 1 car for 4 people to 1 bus for 40 or 1 train/underground tube for 200-500 people).

    Disclaimer: I don't mean that there is no need of private taxi. But if you would get a train/bus to your destination from a stop within 5-10 mins of walk which has bus frequency of 5-10 mins, in many cases using private taxi will automatically be avoided.

    For e.g., in Pune I've seen many areas where autowalas do to and fro trips giving shared ride on seat basis. Surely this says that there needs to be increase of public bus frequency or if no bus service is there, it should be started.

    I've myself used private taxi for short distances many a times. It's convenient, but I always think that a public transport would save environment and a person (a human being) will not have to drive to my place specially for me and just because I want to go to a short distance. That's underutilization of resources.

    By short distance I mean 3-7 kilometers.

  25. So you are talking of CC! My friend paid for CFA exam thru my credit card but after exactly 1 year I receive a message that my CC has been charged with 10000 INR because my friend had not stopped the auto renewal of some services offered by CFA!! I got the refund in a week but what could happen if my CC limit was breached!! Therefore for CC an OTP is needed!!

  26. Luckily, Uber did not shut down in India. The govt is mandating CNP authentication as a safety measure. This will add an additional step in payment completion, but people still don't mind because Uber is still good.

