WhatsApp? IT Ministry asks Payments Corp

New Delhi: The ministry of electronics and IT has written to National Payments Corporation of India (NPCI) seeking further details about the digital payment service being tested by WhatsApp — the global messaging app owned by Facebook — that is due to be formally launched in India this month.

MeitY, which had earlier sought clarifications from the NPCI on the WhatsApp payment service, shot off a fresh letter this week asking for details about the data storage policy of the American service and how user data will be shared with its parent company, according to two officials privy to the details. They said a copy of the latest letter has also been sent to RBI.

MeitY had raised questions over WhatsApp not following the two-factor authentication norms laid down by India’s central bank in addition to expressing concerns over management of user data.


NPCI had responded to MeitY’s first letter in April. “The department was not very convinced with the response from NPCI, so it has (again) asked explicit questions,” said one of the officials cited above.

The person added that after the first letter was sent, RBI announced its data localisation policy, which mandates all payment service providers to store data on servers within India. “We are asking them to respond more clearly on how they will ensure that adequate measures are taken to store data in India,” the person told ET.

Questions have also been asked about the kind of data shared with Facebook since regulations disallow payment firms from sharing user data with third parties. “NPCI has said that data is not to be shared with third parties. It also says that some data which is not of importance can be given, we are asking what that data is (sets which can be shared and which cannot be shared),” the person said.

As NPCI is the governing body for India’s unified payment interface (UPI), the government has sought clarification from the payments corporation and has not written directly either to WhatsApp or Facebook, the officials said.

In response to queries from ET, a spokesperson for WhatsApp said, “We are not commenting on payments since we are still beta testing.” The government is also concerned about the lack of a two-factor authentication on the WhatsApp payment service, as users do not have to enter a PIN to open the application for payments. Users only need to enter a PIN while making a transfer. In the case of other UPI apps such as Google’s Tez, a PIN is required to access the app and also for making the final transaction.

One of the officials who spoke to ET on condition of anonymity said: “WhatsApp considers app installation on the phone as the first port of authentication called device binding.”

“The government has asked NPCI why the security protocol of other UPI apps should be higher than what WhatsApp follows,” the person said.

Typically, when a user makes a payment on WhatsApp, the instructions are sent to its payment service provider with the help of Facebook’s secure payment infrastructure. Facebook does not use WhatsApp payment information for commercial purposes, according to an official aware of WhatsApp’s policies.

WhatsApp also offers two-step verification for added security but it is optional for users. In a response to email queries from ET, a spokesperson for NPCI said that “as per the circular 15C issued on March 16, 2018, WhatsApp is compliant to NPCI’s interoperability requirements from the date of compliance mentioned”.

“Three banks are currently live to cater to BHIM UPI payments through WhatsApp and fourth bank shall be live in next few weeks,” the spokesperson said.

Referring to the question of two-factor authentication, the spokesperson said, “BHIM UPI services uses two-factor authentications for each transaction i.e. what you have (device binding) and what you know (UPI PIN).” NPCI did not reply to specific queries from ET on WhatsApp’s data storage and data sharing plans.

It, however, cited a September 2017 circular that allows apps to store customer data on its system, while encrypting UPI transaction data. The account data and customer payment authentication data should be stored with banks that are payment service providers, the circular said.

RBI did not respond to ET’s queries till the time of going to press.