There's a lot of buzz around cybercrime. Not a week goes by when we don't hear of someone or the other losing money to scammers and fraudsters via UPI / Zelle et al.
Let's consider the following ubiquitous cybercrime described in Why Is It So Hard To Catch Cybercriminals?.
"Joe uses UPI to buy something from Jane, and does not get what he ordered."
While I've taken UPI as an example, this post is equally relevant for other types of A2A RTPs like FPS (UK) and Zelle (USA).
(For the uninitiated, A2A RTP stands for Account-to-Account Real Time Payment, where money goes from sender's bank account to receiver's bank account in near realtime.)
We concluded Fraud v Scam: Who Is Liable For Cybercrime on the note that the payor will be forced to take the fall for a cybercrime carried out with an A2A RTP. We also mentioned that banks will typically own cybercrimes conducted via credit card.
Which begs the following question:
"Why can't UPI provide the same degree of fraud protection as Credit Card?"
This is like expecting a Maruti 800 to be a BMW.
In this post, we will trace the roots of credit card and A2A payments and show why Scam / Fraud protection is a feature in credit card but a bug in A2A RTP.
In fact, the absence of scam / fraud protection is a USP of A2A RTPs since they were introduced in response to pushback from merchants over a diametrically opposite feature in credit card payments, which is variously called Repudiation, Revocability or Chargeback.
Let's get into it.
----------
When you use UPI, you use your money. UPI is a right.
When you use credit card, you use your bank's money. Credit card is a privilege.
When somebody commits a cybercrime via UPI, they're stealing your money. You're on your own.
When somebody commits a cybercrime via credit card, they're stealing your bank's money. They face the wrath of your bank. To help catch the cybercriminal and recover its money, your bank lets you bring dodgy charges to its notice. As highlighted in Fraud v Scam: Who Is Liable For Cybercrime, these include:
- Fraud aka Unauthorized Payment: Someone else uses my credit card to make purchases for themselves.
- Scam aka Authorized Payment: I use my credit card to make a purchase. I don't get the product.
- Deficiency of Service: I use my credit card to make a purchase. I get the product. But it does not work as advertised.
As you can see, grounds for chargeback in a credit card payment go beyond cybercrime. You can raise a dispute not only when you pay the wrong beneficiary by mistake but even when you pay the right beneficiary.
When you do that, some credit card issuers (e.g. American Express) will immediately reverse your charge, no questions asked.
"This is a standard feature of all credit cards. American Express is able to tout it as a USP because banks have kept it under wraps in India". ~ https://twitter.com/s_ketharaman/status/844843818398564352
Some issuers might ask you a few questions before fulfilling your reversal request. Some others might carry out investigations in the background after hearing you out and accede to your request provided they don’t find any evidence that you’re lying outright.
Even if some banks make you run around from pillar to post, eventually, most credit card issuers reverse disputed charges on credit card as long as the dispute has some merit. Because of this, a credit card is called a Revocable and Repudiable method of payment (MOP).
When your bank reverses your charge, it pulls the money out from the merchant's account unilaterally. In other words, the bank does not seek the merchant's permission to fulfill your chargeback request.
No doubt this leaves credit card highly susceptible to “first party fraud”, where the real owner actually uses the credit card but turns around and claims that somebody else used it. But it's possible for credit card issuers to use readily available tools to control the amount of first party fraud and ensure that it’s a small irritant compared to the larger goal of reducing cash usage. Besides, as I noted earlier, credit card is a privilege: If a bank finds too much first party fraud on an account, it can just cancel the credit card. The cardholder has no recourse.
Credit card pioneers designed the product in this manner so as to make it as convenient to use as cash. It worked. Countries like USA, UK, Japan, Australia, and South Korea have achieved a very high usage of credit cards, thus replacing cash to a great extent.
"@s_ketharaman: Even 15 years ago, people in USA used credit card for everything and there was virtually zero use of cash for shopping. Unlike people in India who didn't qualify for credit card and had to wait for an A2A MOP like UPI to go cashless."
As is evident from the above, the basic design of a credit card leans towards protecting the customer’s interest ahead of the merchant’s interest. That’s totally intentional. As an aside, that’s also how PayPal works (“Buyer Protection” versus "Merchant Freeze").
Now, if you’re a merchant, you might find it unfair that your bank pulls out your money for no fault of yours. You might be peeved at the lack of finality of your receipts. Next only to MDR, chargeback has been the biggest bone of contention between merchants and banks in the 60-year history of credit card.
But credit card has become very popular in advanced markets. Merchants know they’d go out of business if they don’t accept credit card, so they "grin and bear" chargebacks.
"@GTM360: When all is said and done, there are only two reasons for a merchant to accept credit card: (1) He will lose business if he does not (2) He will be able to make the customer overspend if he does."
Over time, in order to placate merchants, banks and fintechs launched A2A RTPs like FPS (UK), Venmo, Zelle and eChek (USA). In emerging markets like India, not many people were creditworthy enough to get a credit card, so UPI was launched to ramp up retail payment volumes.
Because the payments industry wanted to assuage merchants' concerns surrounding credit card chargeback, it designed A2A RTP to be irrevocable and nonrepudiable i.e. exactly the opposite of credit card. Which means that, once he got paid, the merchant kept his money. Because of this feature, merchants love A2A RTPs.
OTOH, as a payor, if you made a payment with UPI, your money is gone forever – whether you made it rightly, wrongly, got a good product or bad product.
As you can see, A2A RTP is biased towards protecting the merchant’s interest. Unlike credit card, nobody could take away the money received by the merchant via an A2A RTP because, by design, the MOP is irrevocable.
Because of the same irrevocability feature, if you pay someone with UPI, your bank cannot reverse the payment. Period. It does not matter whether you paid the right guy or wrong guy. Finders keepers, losers weepers.
In fact, your bank and law enforcement may not have the locus standi to contact the payee and ask him or her to give your money back. Just that, in status-driven cultures, they will not admit this openly. Instead, they will use some smokescreen or the other to hide their helplessness.
"Despite all the KYC song & dance required to get a new mobile connection aka SIM, UPI fraudsters can't be tracked because fake documents are apparently used to get a SIM. What's the point in all that friction if it doesn't lead to more security?" ~ https://twitter.com/s_ketharaman/status/1216638564026527745
It’s really up to you as the payor to contact the payee and request him or her to return your money. Obviously, cybercriminals will tell you to take a walk. That's assuming that they even answer your call.
Being a basic design feature, irrevocability of UPI, Zelle and other A2A RTP MOPs cannot be changed so easily.
Besides, even if the technical hurdles are overcome, why would merchants adopt an A2A RTP if it subjects them to the same chargeback tyranny as credit card without delivering the overspending benefit that credit card does?