The last few years have seen an unprecedented rise in digital payment transactions via Payment Aggregators (“PA”), Payment Gateways (“PG”), and Unified Payments Interface (“UPI”), via third-party application providers (TPAPs), with PAs undergoing licensing by the Reserve Bank of India (“RBI”), under the March 17, 2020, RBI PA/PG Guidelines. Retail payments historically would flow via NEFT/ RTGS/ IMPS, etc. However, UPI has now become the preferred payment mode for online payments, constituting a significant volume of small ticket retail payments in India, which is mostly via PAs. The payment architecture, which was earlier ‘card network’ driven via entities licensed under the Payment and Settlement Systems Act, 2007 (as a ‘payment system operator’), is increasingly moving towards PA/PGs, including for digital asset exchanges, online shopping, check-out financing and digital lending (where significant changes have been implemented by the RBI recently, including via the September 2022 Digital Lending Guidelines).
However, the increase in digitisation of payments has resulted in cyber security risks, payment frauds and customer protection concerns, with digital payments, digital lending, digital assets, cross-border inward money flows, via MTSS and OPGSP routes, being key sectors under the lens of Indian law enforcement agencies (“LE”), such as the Enforcement Directorate (“ED”), state police, Financial Intelligence Unit (FIU), National Investigation Agency (NIA), etc., which among others implement the Foreign Exchange Management Act, 1999, and the Prevention of Money Laundering Act, 2002 (“PMLA”).
Global digital, platform and fintech/ payments businesses are well-versed with LE investigations, especially in Europe and the US. Similar trends are starting to play out in India. Usually, basis experience, LE action arises on the following grounds:
(i) basis reference by the RBI/ Government;
(ii) customer or merchant/ vendor complaint; or
(iii) if the subject matter involves larger public interest, AML/ CFT concerns.
In digital/ platform and fintech space, in recent years, LE action is primarily triggered on account of rising customer and merchant complaints. Information is sought under S. 91 of the Code of Criminal Procedure, 1973 (“CrPC”), or S. 50 of PMLA, which provide wide investigative powers.
In recent cases, LE action has also included ‘app’ takedown orders, or an account freeze against the concerned PA, resulting in the underlying pooling account (being a nodal/ escrow) being frozen. Several such instances have been in the media recently, especially involving digital lending transactions. Such action has resulted in business continuity worries for digital/ platform and financial services entities, especially in the emerging technologies space.
The policy rationale for an enhanced LE focus in this sector can be attributed to cyber-security, customer protection and other risks arising out of payments digitisation, and PA/PGs hitherto being unlicenced/ unregulated by the RBI – low entry barriers. Even now, only less than 20 PAs have received the RBI’s in-principle approval, with no final approvals yet. Return/ rejection of smaller or players found not to be ‘fit and proper’ by the RBI, is ongoing, resulting in several unlicenced PA/ PGs being in the market, often with huge payment volumes flowing through them.
LEs have also been issuing freezing orders under S. 102, CrPC, or S. 5, PMLA, directing PAs to freeze the amounts belonging to persons under investigation, whose nodal accounts are being operated by such PAs as part of their investigation. In recent experience, whenever a complaint of cyber fraud/ crime is registered, as a measure of abundant caution, LEs issue a freezing order, directing the freezing of the account where the funds have been transferred. Further, such orders are not restricted to the amounts in question, but the entire nodal account is put under a debit freeze. As a lot of these merchants have users whose funds are also kept as part of their businesses, which come under the debit freeze, risk of business disruption has been high.
Recently, the Karnataka High Court in Razorpay v. State of Karnataka. held that “the court has now come across a plethora of cases of such sweeping powers exercised either under Section 102 or 91 or 92 of the CrPC directing freezing of the amount or marking of lien. Though these actions are permissible, certain diligence is required to be exercised by the prosecution before rendering such sweeping directions as found in the case in hand, as the amount of Rs.6,74,83,683.65 is debit frozen without there being any rhyme or reason”. The Court also held that in case of a freezing order by the enforcement authorities, only amounts belonging to the accused merchants can be frozen and the lien cannot be extended to amounts belonging to the PA or other merchants who are not an accused in the complaint and are not even part of the investigation.
Unfortunately, freezing orders have been issued as a matter of first step and sometimes during the initiation of an investigation. Whilst such measures can be justified to ensure that the complainant’s lost property is preserved, if the freezing order is issued without investigating the genuineness of the complaint, it affects the merchant (who has not even been found guilty yet) whose account has been frozen.
In few instances, LEs have demanded transfer of the allegedly defrauded amount to the victims account from a third-party account, without completing investigation, or authenticity of the complaint, sometimes even closing the complaint as soon as the refund is completed. Courts have taken note – the Karnataka High Court in Sri Rahul Chari v. State of Karnataka held that “while the right of a complainant is to be looked into, since the complainant is a victim of a fraud, but the investigation cannot be cut short without unearthing the fraud and closing the issue, by transfer of amount from a third party”. The Court formulated three questions that a magistrate should answer before confirming a direction for freezing or transferring the amount to the complainant:
· Whether the accused has been identified by the investigating officer?
· Whether the account of the accused is identified by the investigation officer?
· If the rival claimant is not an accused, whether intimation is given to the account holder, from whose account the money is sought to be transferred to the account of the complainant, before its transfer?
In a welcome relief, the Court also held that a director of a PA/ PG cannot be held personally liable for fraud committed by unknown persons where the PA/ PG was only the facilitator of a transaction between the customer and the merchant.
Another question LEs grapple with is whether the fees charged by a PA/ PG for facilitating transactions of the accused merchant and/ or providing its platform for the transaction is liable to be attached or be considered as ‘proceeds of crime’. Recently, the Patna High Court held in HDFC Bank Limited v. Government of India that “the property derived from legitimate source cannot be attached on the ground that property derived from the scheduled offence is not available for attachment”. However, many important cases are still sub judice, and jurisprudence on LE’s actions/ powers qua PA/ PG in particular, and the financial services/ technology space in general, is likely to evolve in 2023.
The FIU has also been active in this space, with a close watch over the players, imposing penalties for defaults, for non-compliance with reporting requirements under the PMLA (KYC, STR etc). In 2020, FIU served a show cause notice to Paypal, seeking explanation as to why the entity has not been reporting, resulting in a penalty order – this risked all PA/PGs, till then unlicensed, to fall within PMLA. Paypal challenged the order before the Delhi High Court, arguing that Paypal is not a “reporting entity” under PMLA. The Delhi High Court stayed the FIU order, directed the Central Government to clarify the definition of a “reporting” entity under the PMLA, and made the RBI a party to the case. The matter is still pending, and likely to have a far-reaching impact on PA/PGs.
India has the highest number of digital payment transactions in the world and it is expected that 65% of all payments will be digital by 2026. This growth trajectory requires certainty for the financial services and technology sector from a LE standpoint in India, whose recent actions have not been completely unjustified, balancing the requirements of creating a secure financial ecosystem, while ensuring a smooth digital transformation for India.