e-Wallets: No prescribed security standards under Indian e-wallet laws puts your financial data at risk

While cashless transactions are a convenience and the future, they are being pushed without addressing two critical concerns - security and privacy of digital transactions. In the case of e-wallets and other fintech corporations, laws establishing security requirements and liabilities for loss are missing.

By Asheeta Regidi

The government is pushing very strongly for a cashless society. After the demonetisation move, several initiatives have been seen to further encourage going cashless. The latest of these is the Ministry of Urban Development’s direction for all Urban Local Bodies to shift to e-payments. While cashless transactions are a convenience and the future, they are being pushed without addressing two critical concerns - security and privacy of digital transactions. In the case of e-wallets and other fintech corporations, laws establishing security requirements and liabilities for loss are missing.

RBI governs digital wallets
The usage and issuance of digital wallets are governed under the RBI’s Master Circular on Pre-Paid Payment Instruments. The circular identifies three types of wallets - open, closed and semi-closed. Open wallets can be accepted by any merchant. The popular e-wallets in use, such as Paytm, Freecharge and MobiQwik, are semi-closed wallets; these are accepted only by certain identified merchants. These e-wallet companies are non-banks.

RBI prescribed protective measures
The circular lays down a list of measures to protect customers of e-wallet providers. These measures are designed to ensure, on the one hand, the reliability of the e-wallet provider. For example, it establishes rules relating to minimum capital requirements and rules regarding the deployment of the money collected. Similarly, non-banks are not allowed to issue open wallets (these are yet to be launched in India).

It also establishes rules to prevent money laundering. A cap of Rs 10,000 on the amount that can be loaded into a wallet (this limit was temporarily increased to Rs 20,000) is imposed to this end. Higher amounts up to Rs 1,00,000 can be loaded on complying with KYC requirements. The RBI also protects customers by requiring wallet providers to establish customer redressal mechanisms.

Image Credit: Paytm

RBI does not prescribe standards of ‘security’
On the issue of security, however, the circular only requires the wallets to have ‘adequate’ data security infrastructure and systems, for the prevention and detection of frauds. The circular does not prescribe any minimum standards of security to be followed by the wallets. Nor does it establish liability in case of any fraud or loss that occurs due to the lack of security measures.

The RBI establishes these factors for banks, for example, through the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Fraud. With Indians being forced to go cashless and turn to digital payments, the lack of such rules for non-banks like fintech corporations leaves their customers unprotected.

Security requirements under Section 43A of IT Act
In the absence of RBI rules regarding this, liability for loss is imposed on e-wallet providers under the Information Technology Act, 2000. Section 43A of the IT Act is the sole clause which provides for security and privacy of the information held by private corporations. (Note: Section 72 of the IT Act also deals with breach of privacy and confidentiality, but its application is limited to information gained by persons, such as the police, in exercise of powers under the IT Act.)

Under this section, fintech corporations like e-wallet providers are mandated to maintain ‘reasonable security practices and procedures’. The IT Sensitive Personal Data Rules, 2011, which were issued under Section 43A, require corporations to have security practices proportionate to the data in their possession. Such practices are required to be documented. If any loss is caused due to the lack of such procedures, or their negligent implementation, the customer is liable to be compensated. There is no upper limit on the amount of compensation.

Low compliance with Section 43A
The issue with Section 43A is that once the corporation proves that it has maintained the security standards it documented, there is no further liability. This does not take into account other factors, such as whether the corporation failed to update its security standards. Moreover, there is no requirement or method to verify whether such corporations have in fact documented their security practices, or whether their practices are adequate. Research has also shown that in reality, compliance with Section 43A by large corporations is very low.

Terms and Conditions are binding
Additionally, Section 43A permits the corporations and customers to enter into agreements determining what security practices and procedures are adequate. For example, the Terms and Conditions of the e-wallets may stipulate the security practices adopted by them. Due to Section 43A, such stipulations are binding. The wallet providers, on their part, have assured customers of the highest protection in their T&Cs. In the absence of proper laws, however, there is no way to verify this.

Additionally, in their T&Cs, many wallet providers disclaim liability for the security of data or for any bugs in the software they use. There is a lack of clarity on the extent to which such a disclaimer is binding. This is because the IT Act on the one hand requires adequate standards, and on the other hand allows private contracts to set the standards. In the case of a dispute where the contracted standards are inadequate, it is not clear which will prevail.

In the absence of any method of verifying a company’s standards, it is possible for a company to have inadequate standards and yet hold customers to those standards under its T&Cs. Considering that these agreements have been entered into by customers who have no understanding of security requirements, the law needs to play a larger role.

The need for fixed security standards
As customers increasingly turn to digital payments, it is necessary to establish the level of security to be maintained by fintech corporations. Section 43A allows the government to issue such rules in consultation with proper professional bodies. Equally important is establishing a method to verify compliance with the rules.

One option is a mandatory cybersecurity audit, say on an annual basis. Lastly, laws have to be in place which establish the rights and liabilities of the customers and the fintech corporations. These will not only protect the customers, but also the fintech corporations.

Such laws are essential as India moves towards a cashless society.

The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.