With WhatsApp Pay set to launch its payments service in India soon, the Government, through the nodal Ministry, The Ministry of Electronics and Information Technology, MeitY is not still convinced if WhatsApp and its owner Facebook have complied with the regulations in place for such digital payments.
The ministry has reportedly written a query to the body responsible for the oversight of digital payments, the National Payment Corporation of India (NPCI) asking it to clarify and confirm a few points.
According to the Economic Times report, the main bone of contention has to do with data protection and privacy. The MeitY may be concerned with the worldwide attention the Facebook-Cambridge Analytica has attracted and the government may not want to be put into any embarrassment later. This is particularly important since senior ministers in the current government have questioned the main opposition party on its links with Cambridge Analytica.
The other issue relates to storing the data on severs located within Indian soil. The ministry is also keen to know if WhatsApp will be sharing the data of people who do transactions n WhatsApp Pay with Facebook and if so which portions of the data would be shared.
Another doubt raised by the ministry relates to the 2-stage authentication process, which has been made mandatory by the Reserve Bank of India.
Incidentally, the MeitY had sent a similar clarification seeking letter to NPCI earlier on the same WhatsApp Pay issue, but the response it received was perhaps not to its full satisfaction. Plus, the new directive on data storage to be held within the country also got announced. It is in these contexts that the ministry wrote to NPCI.
On the subject of the 2-factor or 2-stage authentication, WhatsApp Pay has a model where any transaction has to be wetted by an authentication code, while for accessing the facility there is no such need. This is in contrast to what other apps like Google’s Tez have this system in compliance with the regulations.
WhatsApp’s argument is that the first stage identity verification takes place with the messaging app sitting on the user’s mobile device which they term device binding and that should be good enough. NPCI seems to be happy with this arrangement since it claims the government’s BHIM app and the Unified Payments Interface UPI, envisage 2 verifications, before the payment transfer is permitted; it is what you have, which is typically the device used and what you know, which is the PIN generated and they don’t see this is a big issue with WhatsApp Pay.