India Lacks Laws to Protect Customers of Digital Transactions: Experts
India Lacks Laws to Protect Customers of Digital Transactions: Experts is a Business Standard report published on 3 December 2016 by Alnoor Peermohamed and Karan Choudhury. The article examines legal and regulatory gaps in India’s digital payments ecosystem following the government’s demonetisation announcement, featuring analysis from Sunil Abraham, then Executive Director of the Centre for Internet and Society, cyber law expert Pavan Duggal, and Paytm founder Vijay Shekhar Sharma on consumer protection frameworks, compliance challenges, and industry self-regulation mechanisms.
Article Details
- 📰 Published in: Business Standard
- 📅 Date: 3 December 2016
- 👤 Authors: Alnoor Peermohamed, Karan Choudhury
- 📄 Type: News Report
- 📰 Article Link: Read Online
Full Text
India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as legal tender.
The Narendra Modi government's demonetisation move might have warranted a massive increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments are still kept largely under the ambit of the Information Technology (IT) Act.
"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove any doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.
While the Reserve Bank of India (RBI) usually sets security and privacy standards for banks in the country, digital wallets such as Paytm, FreeCharge and MobiKwik fall under the category of non-banking financial corporations (NBFCs), excluding them from this. For fintech companies in India today, security compliance falls under Section 43A of the IT Act.
Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which, as Duggal puts it, can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies themselves.
While maintaining security standards for fintech companies falls under the data protection law of the IT Act, the lack of an enforcement mechanism hinders any good this can do.
Since the demonetisation announcement, digital wallet firms such as Paytm have seen as many as 35 million transactions by users to either buy goods and services or transfer funds to another account. Rival FreeCharge has tied up with the police forces of Mumbai for payment of traffic fines using its platform.
According to research by Bengaluru-based think tank Centre for Internet and Society (CIS), some of India's largest technology companies still do not comply with Section 43 A.
"We have a minimal data protection law in our IT Act and that will apply to all the fintech players. But, our ISPs (internet service providers) and telcos don't comply with Section 43 A. So you can imagine compliance will be even lower in the fintech sector," says Sunil Abraham, executive director, CIS.
The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services have raised questions.
RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal. On November 23, the banking regulator increased the limit to Rs 20,000. Last week, India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 1 lakh upon completing the know-your-customer procedure.
"There are no legal mechanisms available in case of disputes pertaining to digital payments. The compliance to the Indian cyber law is more done in the breach rather than in compliance," adds Duggal. While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved.
Under Section 43A, there are provisions to allow a sector to form a consortium that agrees to set security standards. All players must follow this, which is valid in a court of law during dispute resolution. Vijay Shekhar Sharma, the founder of Paytm, says there is a dispute mechanism similar to what is done with credit or debit cards that firms such as his follow when a customer has an issue. "Regulation in digital money works just like in the case of cards. It is the issuer, in this case, the wallet companies that has to resolve the problem. If not, the next stop is consumer court," says Sharma. "There is no ambiguity in this."
This could be a call to India's growing number of fintech companies to come together and define their own security standards. Moreover, this move is encouraged by experts as governments often lack the bandwidth to define sector-specific laws, and this is where private-sector expertise can go a long way.
Context and Background
This article appeared three weeks after Prime Minister Narendra Modi’s 8 November 2016 announcement withdrawing Rs 500 and Rs 1,000 currency notes from circulation, a shock policy affecting approximately 86% of India’s currency supply by value. The demonetisation created immediate payment disruptions as citizens struggled to obtain replacement currency, prompting government advocacy for digital payment alternatives. Digital wallet companies experienced explosive growth—Paytm reporting 35 million transactions following the announcement—but this rapid adoption exposed regulatory gaps in consumer protection frameworks.
Duggal’s observation that India lacked “dedicated law on digital payments” highlighted a fundamental regulatory deficit. The Information Technology Act 2000, designed primarily for regulating e-commerce and cybersecurity rather than payment systems, governed fintech security through Section 43A’s data protection provisions. Meanwhile, the Payment and Settlement Systems Act 2007 focused on interbank clearing and settlement infrastructure, creating ambiguity around consumer-facing wallet services classified as non-banking financial corporations (NBFCs) but operating outside banking regulations that mandated deposit insurance and stringent security standards.
Abraham’s finding from Centre for Internet and Society research that “some of India’s largest technology companies still do not comply with Section 43 A” demonstrated enforcement failures preceding the fintech boom. If established internet service providers and telecommunications companies ignored data protection obligations without consequence, newly emerged wallet providers operating under time pressure and venture capital growth imperatives would likely exhibit even lower compliance. This created systemic consumer vulnerability as millions adopted digital payments without robust legal protections against fraud, data breaches, or company failures.
The regulatory response through wallet balance caps—initially Rs 10,000, raised to Rs 20,000 on 23 November, then Rs 1 lakh after KYC verification—represented risk mitigation through damage limitation rather than comprehensive consumer protection. This approach presumed breaches would occur and sought to contain losses rather than preventing security failures through mandatory standards, regular audits, and meaningful penalties for non-compliance.
Sunil Abraham’s suggestion that fintech companies form consortia to establish self-regulatory security standards under Section 43A provisions reflected pragmatic recognition that government capacity to develop sector-specific technical regulations lagged industry evolution. Self-regulation carried risks—industry capture, race-to-the-bottom standards, enforcement weakness—but offered speed and technical expertise that bureaucratic processes lacked. However, without oversight mechanisms ensuring standards protected consumers rather than industry interests, self-regulation could legitimise inadequate practices.
Vijay Shekhar Sharma’s assertion that Paytm followed card-network dispute resolution mechanisms and that “there is no ambiguity” in regulations contrasted sharply with expert assessments identifying legal gaps. This divergence suggested either differing interpretations of existing frameworks or corporate messaging minimising regulatory uncertainty that might alarm users or investors. Sharma’s comparison to card networks overlooked crucial differences: established card schemes operated under decades of Reserve Bank regulations, international standards like PCI-DSS, and chargeback mechanisms backed by issuing banks, whereas wallet services lacked equivalent oversight and institutional backing.
The article appeared as the Modi government pursued its “Digital India” agenda whilst regulatory frameworks struggled to keep pace. The demonetisation shock accelerated digital adoption but exposed infrastructure deficiencies and legal ambiguities that incremental growth might have allowed policymakers to address systematically. The tension between promoting fintech innovation and ensuring consumer protection would persist through subsequent years as India developed payment system regulations, data protection legislation, and fintech-specific frameworks.
📄 This page was created on 9 January 2026.