By Dr Rakesh Goyal
A perpetual student of cyber security since 1991, he is a PhD in Cyber Security, Gold Medalist Engineer, Gold Medalist PGDM from IIMB. he is MD of Sysman Computers Pvt Ltd, Mumbai, one of the 23 IT Security Audit organizations empaneled with CERT-In Min of IT, GoI to audit cyber security of critical national infrastructure / assets. He can be contacted at rakesh AT sysman DOT in
Prime Minister Narendra Modi has demonetised Rs. 500 and Rs. 1000 notes, exactly a month back. There is a shortage of new replacement currency notes of both Rs. 2000 and Rs. 500 denominations. There can be two hypotheses for this shortage.
First hypothesis for this shortage can due to (a) genuine shortage of new currency notes whereas second hypothesis can be (b) a deliberate attempt by government to keep supply of new notes tights for various reasons.
If it is deliberate attempt to keep the tight supply of new notes, the reasons may be attributed to either (a) to curb illegal conversion of old currency to new currency by various interests such as black money holders, corrupt bureaucracy, industrialists or politicians or terrorist or naxalites; OR (b) denying disruptive forces to pump counterfeit currency in Indian economy; OR (c) forcing people to go for cashless digital transactions (CDT); OR (d) a any partial/full mix of all these three.
On the onset, let me state that I am ardent supporter of PM Modi for his various measures to undertake basic structural changes in Indian economy, society and culture. Some of these measures include demonetisation, IDS, Jandhan, DBTL, give-up subsidy, e-auctions, Swacch
Bharat, etc. But the purpose of this article is not to be a blind bhakt of PM Modi but to analyze various issues and challenges, which PM Modi may face in implementing his dream and desired structural changes.
The current focus of this article is only on forcing people to go for CDT. I fully support CDT as it brings transparency in all dealings from individual transactions to commercial transactions to government payments, payment of wages/salaries in unorganized sector, tax collection, tax deployment, etc. If we become even 86% (size of cash economy catered by official demonetised currency) cashless, my belief is that it will curb 90%+ corruption, black money and 100% of counterfeit currency.
Implementing CDT is not easy. It has many challenges including and not limited to technology, vested interests, resistance to change, education/awareness, risk, cost and legal. In these challenges by vested interests and resistance to change are mostly political, whereas others are technical and logistical. I will discuss here these technical and logistical challenges.
There are five major technical and logistical challenges to implement cashless digital transactions (CDT) in the existing technological, cultural and economic environment. These are –
- Logistics and infrastructure
- Cost to users
- Cyber Security
- User awareness and ease-of-use
- Legal issues
Let us discuss these one by one
Logistics and infrastructure
Let us consider that all economic adult (age 15+ years) population of current 130 crore Indians will be using CDT in due course. As per 2011 census, population age-group-wise 15-64 and 65+ years is 69.8% (say 70%) of total population. That means approx 91 crore (0.91 billion) Indians will be using CDT. Even if all this mass of people may not use CDT to start with, but the infrastructure need to be planned for all these people scalable to same demographic population after 10 years. Let us derive the dimension of required infrastructure and logistical support system.
Assumption – Let us assume that a person does 5 CDT per day on an average. That means there will be 910 crore transactions per day considering each debit transaction will have one corresponding credit transaction also. Even if 20% of population is covered in CDT, even then this load will be approx 180 or say 200 crore transactions per day. This load cannot be evenly distributed over the day (24 hours). It may follow some pattern, most probably similar to bell curve. There will be peak and lean period in a day. Nights should be lean period, where as some periods in day will have peak. Average load for 24 hours will be about 7-8 crore transactions per hour or 12 lakh transactions per minute or 20 thousands transactions per second. Peak load may be estimated as 50-60 thousands transactions per second from all over India considering only 20% population. Further, I have assumed 5 CDT per person per day. My wife and some of my friends say it will be minimum 15-20 CDT per day. In that case, the peak load will be 2 lakhs transactions per second. But, this needs some sample survey in all demographies distributed all over India. For 100% population with 15-20 CDT per day, the peak load may be 1 million transactions per second. Even the lower peak load of 50-60 thousands transactions per second is quite huge for any IT infrastructure and it needs lot of logistical and management support.
Current state of CDT infrastructure –
CDT means following type of transaction, based on current set of technology and business processes, will replace cash based transactions –
- Credit / Debit / ATM / Payment / Cash / Similar Cards (cards such as RuPay, Visa, Master, Bank’s debit or ATM cards)
- Internet Banking offered by various banks along with services like NEFT/RTGS/SWIFT. Most big banks are offering internet banking.
- Mobile payment applications (app) and platforms by some private players (such as PayTM, PayU, JioMoney, Oxigen, freecharge, etc.) with their own back-end infrastructure.
- Mobile payment platforms offered by banks (Buddy by SBI, Pockets by ICICI, Payzapp by HDFC Bank, etc.)
- UPI and NUUP (USSD based) offered by NPCIL with front-end by many banks and back-end by NPCIL.
- Payment gateways by banks for web-portals and used by portals such as IRCTC.
Current back-end infrastructure is either of service provider bank or NPCIL or private mobile app provider. Connectivity is provided by TeleCom operators like MTNL, BSNL, Tata, Vodafone, Idea, Airtel, etc.
Requirement to cater to 50-60 thousands to 1 million transactions per second from all over India –
Let us consider the same set of front-end applications provided by existing set of service providers will continue and may be some new will also join the band-wagon after seeing the enormous potential.
Apart from these above front-end applications and interface, back-end infrastructure requirements will be as below –
- Integrated single or distributed data acquisition, storage and processing facility / facilities (let me use the word Data Center or DC).
- If distributed facilities, fail-safe high bandwidth connectivity amongst these facilities.
- These DC will further have high bandwidth connectivity with various Banks, FIs and other financial intermediataries as defined by RBI or any other regulator.
- Guaranteed end-to-end connectivity between DC or Bank and end-user as designed in infrastructure architecture. This may be provided by one player or many players. For example BSNL/MTNL/Tata provides connectivity to DC, where as various TeleCom players provide to end-users, including payer and payee. But the connectivity between DC to end-user must be seamless.
- Interoperability amongst various front-end CDT players.
Current problems –
Interoperability amongst various front-end players except NEFT/RTGS is does not exist. If one person has PayTM and other has freecharge or any other front-end app, they cannot transect payment between them. There is no standard defined for interoperability. Each player has its own standards or non-standards or method of deployment, which is mostly incompatible with rest of other players. Further, most of their infrastructure is planned for low volumes and based on legacy systems, which has evolved organically. For example, 2 banks are using Finacle CBS, compatibility is very limited.
Back-end DC infrastructure to support desired load of CDT has a big capacity gap. Each Bank or operator has its own back-end infrastructure, which is designed to take limited amount of transaction load. There is no backend DC infrastructure, single or distributed, which can take the load of CDT, even if 20% of adult Indian population goes fully cashless.
It will be nightmare for citizens to wait for completion of transaction, especially when CDT is compared with immediate completion of cash based transaction, with no time lost and no wait for connectivity and/or speed. For CDT, backend infrastructure and last mile connectivity both are heavily inadequate. If the existing infrastructure is put to stress test, velocity test, spike test, soak test and endurance test of defined load of CDT, where 20% of “all monetary transactions in India” are CDT, most of infrastructure will fail miserably. Some may even die-down under the stress.
Further, internet connectivity is another big challenge as of now. All devices (mobile phone or any other specific devices) will be connected for CDT through internet data lines, either using mobile data packs or wifi. I have two different internet connections and cannot rely 100% on either of these. The availability of either is never over 90%. There are times, when both are not available simultaneously. The speed is always questionable. In Mobile data, operators talk about 4G, even real 3G speed is a myth. Many times, in 4G, we get a speed less than 2G. Connectivity outage is rampart. While doing internet transaction, many times, getting OTP (one time password) on mobile via SMS as 2FA (2 factor authentication) takes literally few minutes in a city like Mumbai, where I have clearly visible mobile towers just 50 meters across the road. At least minimum 25% times, I need to ask to resend OTP, as it expires in 120 seconds.
This is current scenario, when the penetration of CDT is very limited and may be just less than 2% (my wild guess which may includes net-banking, IRCTC, all card transactions, eWallets, NEFT/RTGS, etc.) of all transactions by volume. Just for clarification, in CDT the value of transaction has no bearing on load on infrastructure. A transaction, whether it is valued for Re 1 or Rs. 100 crores put same load on the infrastructure.
Another characteristic is that there are heterogeneous types of mobile phones and operating systems. Citizens use featured (smart) phones and basic phones. Out of claimed approx 100 crore phone connections, smart phone are estimate is about 25% and rest as basic functional phone, which just have facilities of talking and SMS without internet connectivity. In smart phones also the operating system may be android or iOS or windows or blackberry or some other. The challenge will be to cater to all this heterogeneous jig-saw puzzle blocks in seamless manner so that a basic phone can transact business with so-called smartest phone seamlessly in defined quality parameters.
Thus, the first challenge for PM Modi will be to create and ensure robust and reliable back-end IT infrastructure, WAN connectivity and last mile connectivity with defined and measurable quality parameters. The quality parameter of the whole infrastructure setup must be a reliable transaction within a specified time of say 2 seconds when the peak load will be from 50-60 thousand to 1 million transactions per second.
Cost to users
Another critical factor is cost of transaction to users. We Indians are quite sensitive to price elasticity. We always believe in saving cost, sometimes even at the cost of quality.
Let us compare cost of CDT with cost of existing cash transaction.
Cost of cash transactions
Cash transaction has three players. First player is payer, second is payee and third is currency note. Currency note can be considered as representative of RBI (which issues and guarantees), which again represents Indian government. Thus the third player is government (frontend by RBI), which issues the real rupee (one rupee).
In any cash transaction, the cost of transaction to both payee and payer is NIL. The transaction cost is incurred by government (frontend by RBI). RBI prints currency; stores currency in currency chests; moves it to banks; collects back, stores, destroys mutilated/returned/demonetised currency. Cost is borne by RBI for all these activities. This cost includes direct cost, indirect cost and overheads for all these activities. I am not considering opportunity cost because cash has been a mandatory activity for our economy. Now, in CDT environment, cash transaction cost will be reduced so opportunity cost of part of the total cost may be considered but let us ignore it for this paper.
To understand it easily, let us assume that all these cost for one currency note is Rs. 10 and the currency note life is 100 transactions. Then, the cost per transaction per note becomes 10 paise, which is incurred by RBI or the government. A person buys goods/services worth Rs. 20 and gives a note of Rs. 100 to shopkeeper and shopkeeper returns back 8 notes of Rs. 10. There is an exchange of 9 notes in the deal. Thus the cost of transaction becomes 90 paise, borne by RBI. This cost is not real but illustrative. It will be different, based on real data. But there will be a cost. For coins, the cost will be different based on their higher cost of minting and also much higher life.
Cost in CDT environment
In CDT, there is paradigm change upside down. Currently, the cost to government is nil. The cost to payer may be smaller but not nil. Major cost is incurred by payee. All cards payments, mobile app payments, UPI charges payee. Sometimes, payee transfers this cost to payer directly or indirectly. This cost varies from 0.5% to 3% of transaction value. Payer will also be paying for internet/mobile data and/or SMS, as applicable. Thus, both payer and payee pay the cost of CDT. We cannot calculate this cost per transaction in a simple manner as cost of cash transaction can be calculated. This cost will be based on value of transaction and not number of notes exchanged.
It can be considered as a monetary penalty to payer and payee for using CDT compared to cash transaction.
There will be resistance from many payees and even from payers that why should they incur this cost, especially when cost in cash transaction is nil to them and there is no delay.
An average pre-paid Indian mobile user is so much cost conscious that after every call, s/he verifies the balance available. Missed call is an Indian jugaad to save cost with number of rings in missed call is the code for some action.
Thus, the second challenge for the PM Modi will be – who will incur the transaction cost in CDT environment. He needs to invent ways to incentivize the CDT and not penalize the payee and/or payer. If RBI / government save a lot of money in CDT, PM must use this saved money to create reliable, robust and secure infrastructure, connectivity and last mile and let payee and payee incur no cost as in cash transaction. Else, the resistance may continue.
Cyber Security –
Cyber Security is another serious challenge and concern, which can make or break CDT mission. Current service providers including banks, payment companies, etc. do not guarantee cyber security to either cashless digital payer or payee.
Cyber security can be defined as achieving minimum baseline of basic security criteria including (a) assuring “Confidentiality” of all data; (b) maintaining “Integrity” of all data and infrastructure; (c) assuring “Availability” of services in desired quality parameters; (d) assuring protection of “Privacy”; (e) “Non-repudiation” of person and/or transaction; (f) maintaining “Incident response” with defined service level parameters and; (h) availability of “Customer protection functionalities” in end-to-end IT infrastructure.
Barring a few exceptions (just to save me of prejudice), almost all IT infrastructure of all transaction service providers will fail on more than one of the basic cyber security (apart from transaction load) criteria like Confidentiality, Integrity, Availability, Privacy, Non-repudiation, Incident response and Customer protection functionalities for CDT requirements.
We read regularly cases of data theft, hacking, loss of money, software malfunction, hardware malfunction, data center outage, denial of service, delays, etc. The list is long. Few years back a big Indian bank was offline for 50 hours during week-days. Most of the times, all these are conveniently covered under the wrap as technical glitch (as happened with Jet Airways few days back).
Internet banking applications are not tested for many customer oriented risks and vulnerabilities such as and not limited to man-in-the-middle attack, malware, business intelligence, information leakage, etc. In some cases, it is observed that even very basic requirement are missing, for example SSL/TLS is not used; password storage in browser not blocked; auto-complete is enabled; cookie is not secured; security patches are not applied; to name a few from a long list. Having security vulnerabilities such as SQL-Injection, Cross Site Scripting, CSRF, unsafe transport layer, session hijacking, etc. is another major concern. These vulnerabilities are hacker’s gateway to compromise the user demographic, logon and transaction data. Any compromise violates the basic cyber security criteria like confidentiality, integrity, privacy, etc. and exposes the citizen to risk of various losses including and not limited to financial, regulatory, credibility, image, identity hijack, etc. Very limited web-portals are rigorously tested for cyber security vulnerabilities.
Similarly, in mobile apps, very few apps are rigorously tested for cyber security. Examples exist that the app is made available without even complete functionalities and security testing. Hack of NaMo app, which is basic and simple app, for online voting on demonetizing demonstrate the level of cyber security posture in unsecure apps and lack of cyber security awareness in developers/ programmers. In at least one of the currently available and fairly used mobile payment apps, the session do not end after a transaction or after specified time, thus risk of user session hijacking exist.
Further, in featured (smart) Mobile phone environment, installing any app will ask you almost all permission such as (a) take pictures and record videos; (b) read, add and modify contacts; (c) Approx and precise location; (d) record audio; (e) read phone status and identity; (f) directly call phone numbers; (g) read, receive, send, view your SMS and MMS; (h) read, modify or delete contents on your SD card; (i) full network access; (j) activity recognition; (k) control vibration; (l) run at startup; (m) view network connections; (n) control NFC; (o) install shortcuts; (p) receive data from internet; (q) read google service configuration; (r) prevent phone from sleeping; (s) measure app storage space; (t) change audio/video settings; (u) pair with blue tooth devices; (v) view and connect wifi connections; (w) change network connectivity; (x) send sticky broadcast. Most of the app asks either for all these permissions or most of these permissions. The user, without reading and understanding, permits all permissions. S/he has the option either install app with permissions or forget it.
I have downloaded a Hanuman Chalisa app. It asked for over 10 permissions including reading SMS, making phone calls, video/audio recording. Ideally, only permission was required for this. i.e. playing audio. So, you decide whether it a strategy to steal my information in return of providing some desired service?
Now, in some operating systems, the user has an option to deny certain permissions. But, very few citizens are aware of it and even after that there is no guarantee that the app is not be reading the data even after permission is off.
Further, many apps also read data, which is not in permission list. This data includes and not limited to (a) reading data from buffer/cache/RAM; (b) specially read authentication (user-id and password) data; (c) sending data to defined IP address/server; etc. There is no check or control or regulation over this tendency.
Given all above permissions and read of data, in mobile phone, especially smart phones, the citizen data is totally naked. The data used by payment app, including authentication (user name and password etc) is totally exposed to many other apps, which are loaded on mobile and reading everything with permission and even without permission.
This has absolute potential for stealing citizen credentials and misusing by criminals.
Phishing and vishing attack are another area of great concern in both mobile and PC environment.
In Credit/Debit/ATM cards, the risk of card cloning and skimming exists in POS terminals and ATMs. I know few e-commerce sites, which have glaring security vulnerabilities and it is 100% guaranteed in these sites that your data will be exposed to some hacker (this word loosely used).
Pushing CDT forcibly without rigorously tested and properly certified apps along with reliable and cyber secure infrastructure is exposing the citizen, without any shield, before the demon called cyber criminal. Lot of cyber crimes are expected to happen. For a common man, even a loss of Rs. 100 will be big. Citizens will lose faith in CDT and PM Modi.
Thus, the third challenge for PM Modi will be to make sure that cyber security parameters – confidentiality, integrity, availability, privacy, non-repudiation, incident response and customer protection functionalities are guaranteed. The infrastructure and apps are rigorously tested and properly certified and de-risked before asking the citizen to use.
User awareness and ease-of-use –
Assume that robust and secure infrastructure exist; reliable connectivity exist; costing is not an issue and cyber security is assured, if the citizen do not know the usage, the mission will fail.
Any user need to know following –
- Why s/he need an application (app) or a service?
- What the app or service is suppose to do?
- Is there any better and/or cost-effective solution exist?
- How to load or install the app (includes web, mobile, card, ATM, etc)?
- How to use the app?
- Does app has an user-friendly user manual in my language?
- What all facilities are available and what are limitations?
- What care and precautions to take?
- Dos and Don’ts / FAQs
- How to protect him/her from attacks from hackers, phishing/vishing agents, call center frauds, money mule and other frauds?
- In case of operational problem, where to report and how to get these resolve? This must be a single point contact, hearing patiently in his/her own language.
- In case of legal and/or fraud, what to do and whom to contact?
- What are his/her duties, rights, liabilities?
- How his/her money is safe and/or secured and/or protected?
The current status is that the user awareness or education is extremely low up to the extent that it is almost nil or non-existent. With my limited sample size, I have seen that even most of the operational bankers in branches have limited or no awareness or education about cashless digital banking/ transaction, i.e. internet banking or mobile app. Branch Manager refer the problem to IT or some other department to resolve some basic issues in internet banking.
Another aspect of user awareness is language. Almost all instructions and data to fill, are in English, which is used by a miniscule minority. Further, given the standard of education, many graduates cannot understand the “instruction of install” or FAQ, provided on websites of banks. The user instructions and awareness material must be in local language harnessing different print/audio/video/multimedia/animation modes and channels. User must get clear educational data either written and/or visible and/or audible examples or instructions and guidance, just by pressing a predefined button/key (similar to F1) at every step, while using the app.
PM Modi is banking on the fact that there are more mobile phones in India than Indian adult population. But most of these mobile phones are non-smart category; while in smart-phone category, the phones are used for low hanging applications such as whatsapp, facebook, youtube, with almost all permissions, apart from talking and SMS. Installing and using in secure manner, a CDT app needs some higher consciousness level of education and awareness.
Further, it is widely seen that any general purpose application like Windows or Linux is mostly installed by hardware engineers or are self installed, where default settings are on, which are dangerous for cyber security. They do not customize the installation to suit the need of the person and security. The same will be repeated in CDT apps, if user himself is not properly educated and that will be big risk for security of data and money.
In case of UPI apps, most of these offered by banks are non standard and often user-hostile to install. Coupled with slow or broken data lines and slow response, even the informed user, who has spent at least 30 minutes to read the instructions, also gives up. Further, the configuration and security features are not defined clearly. High risk exist that the current versions of apps are offered in haste, may be due to pressure from PMO or RBI or other such body. This puts off the user. As and when few users will have problems, the bad reputation spreads like wild fire.
Thus, the fourth challenge before PM Modi is to create simple, user-friendly, standardize educational material. He needs to create mechanism to educate the users in installing, configuring and using in user-friendly manner.
Legal issues –
Legal issues in CDT are another critical challenge to avoid future problems.
Over a period of 210 years of modern banking, many laws, acts, rules, guidelines, practices are created, streamlined and followed. There are over 80 laws, acts, rules, guidelines for banks to follow. Some examples of these laws, acts, rules, etc. are Banking Regulation Act, Negotiable Instruments Act, Bankers Book Evidence Act, Indian Evidence Act, SARSAESI Act, FEMA, etc. apart from other specific acts like RBI Act, SBI Act, SIDBI Act, etc. Then there are other well established controls such as maker-checker control, physical control, Security items (accountable documents), etc.
Many of these laws, rules, and guidelines were framed when there was no concept of CDT. These laws cannot handle digital transactions, even in cash based environment. For operating in digital environment, the nearest law is Information Technology Act-2000, amended in 2008 (say IT Act-2000).
Let us take an example. As per Banking Regulation Act and other related acts, any financial transaction or instrument is valid only if it is physically signed in ink on paper. Further, as per section 3, 4 and 5 of IT Act-2000, any digital transaction is considered equivalent to paper based signed transaction, only if it is digitally signed using “Digital Signature” issued by licensed Certifying Authority (CA), licensed by Controller of Certifying Authorities (CCA). Apart from these, any other transaction is legally illegal. Thus, theoretically and technically, all internet banking transactions and payments done using mobile, which are not digitally signed using “Digital Signature” issued by licensed CA are illegal. This may create legal issues at some point of time in future.
Further, in case of crime / fraud, creating and collecting evidence in digital environment is radically different compared to paper based or physical environment. In physical environment, the evidences are generated and available on paper. Thus hard copy evidence exists. Creation of chain of custody is easy. Laws support this. Forensic analysis of paper based evidence is an established science. In digital environment, many times, logs are unavailable or deleted or corrupted or tampered; the storage is corrupted or deleted or tampered; evidences are scattered over different places/jurisdictions, in some cases even in other countries; law to define and accept digital evidences does not exist. These and similar issues need to be addressed before courts will be further loaded with CDT related cases over and above 3 crore cases, already pending in various layers of Indian courts.
Another legal issue that will come in cash environment that transactions are done by minors also and they are considered valid. Will transactions done in CDT environment by minors be legally binding and valid? As per banking law and practices, minor can have a bank account only under the guardianship of a major, mostly either of the parents. What will be the status of transaction by a minor in CDT environment using that account?
Another important legal issue is of protection of citizen in case s/he is victim of cyber crime in CDT. Currently there is no protection to citizen, in case of cyber fraud, where the citizen is pure victim and not responsible for the crime. As per IT Act-2000, all cyber crimes / frauds are to be adjudicated by Cyber adjudication officer, who is mostly Secretary/Principal Secretary of IT department of the respective state. Currently, most of the Cyber adjudication officers are non-functional. The appeal is to be filed with Cyber Appellate Tribunal, located at Delhi. Cyber Appellate Tribunal is non-functional for last 5 years. Both these remedies are created under IT Act-2000/2008, which is an act of parliament. Civil / Criminal courts has no jurisdiction in cases related to cyber frauds. What is the recourse open to cyber crime victim citizen?
Further, there exists no cyber liability insurance in India. For banks, RBI has published draft “limited liability circular” on 11 August 2016, asking for comments by 31 August 2016. Even after 3 months, this notification is still pending and citizens are not even partly protected. It is speculated that this may be due to lobbying by banks.
Thus, the citizen is totally unprotected and no working forum to get his/her grievances redressed.
There may be more legal issued, which needs brain storming and PM Modi need to find workable solutions to those legal issues.
Thus, the fifth challenge before PM Modi is to create and review the existing legal framework to address the above and other legal issues related to CDT. He need to change/amend/create laws aligned to technology and business requirements. Further he has to ensure that in case of cyber fraud, the citizen is (a) protected and (b) gets fast and immediate remedy/justice, for which the basic legal framework is available but not implemented.
What to do now –
I do not want to finish this paper with problems and challenges. This issue needs lot of brain storming. There can be many stand-alone and/or combined cost-effective and appropriate solutions. Even then, I would like to make few suggestions, which are neither exhaustive nor fit-all type. These further need more deliberations and debate –
Administrative measures –
- Government should consider making mandatory all B2B, B2C, B2G, G2B and G2C payment transaction using CDT. B2C transactions for small petty expenses below Rs. 100 can be allowed using cash with a certain limit of either daily expenses or turnover. (B=Business, G=Govt and C=Citizen)
- Government should make mandatory or at least encourage with incentive, all C2B and C2G over Rs. 5000 using CDT. This limit may gradually be reduced to 2000 in 6 months and 1000 in 1 year, as maturity level and infrastructure increases.
- Similarly, even C2C can be considered. Transactions under Rs. 100 with small vendors (Chai wala, vegetable wala, etc) can be considered as C2C.
- These amounts and time limits are not sacrosanct and can be debated and modified.
Infrastructure and logistics –
- Government must either create or facilitate a robust and secure backend infrastructure, which will take peak load, considering 80% of adult population goes for CDT. This can be government’s own or under PPP model or assigned to some experienced Indian organisation with proven track record. It must be ensured that no alien entity will have access to this infrastructure as it contains one of the most super critical national assets. This must not fall into bureaucratic red tape else failure is guaranteed.
- TeleCom operators must guarantee WAN and last mile connectivity availability and speed, with penalty clause.
- Web applications and Mobile app must be simple, user-friendly and secure with robust testing and certification. In case of failure, the certification agency must be answerable. They must follow standard front-end and have back-end standards.
- In case of more than one service providers, interoperability must be ensured with no cost to user.
- Government must work on single UPI/USSD app, which must be used by all banks connecting to their backend using API. This UPI service must be free and compatible with smart phone as well with ordinary phones. This must be available on various operating systems. This must be thoroughly tested and certified for functionalities and security. The government must guarantee protection of personal, access and transaction data.
- Government must ensure service level quality parameters such as completion of transaction in 2 seconds.
Cost of transaction –
- Cost of CDT transaction to payee and payer must be NI
- Government must incentivize CDT against current penalize model for payer and payee. It may consider subsidizing all CDT against saving accrued to RBI by reduction in cash transactions and thus currency cost.Government must incentivize and promote CDT in rural areas through gram panchayats, zila panchayats, etc. There must be some visible benefit to village, if they go CDT
- .There can be fiscal and tax incentives for citizens. For example rebate u/s 80 on some percentage of total digital transactions or percentage of digital transactions in a year. Rebate in indirect taxes may be considered.
Cyber Security –
- It must be ensured that the whole end-to-end CDT IT eco-system is secure on basic and advanced security parameters. There must be on-going audits and assurance to citizens that their operations, money and data are safe and secure.
- This must be done using qualified, experienced, specialized and certified empanelled IT Security auditors. Auditor must be answerable in case of any breach or glitch or vulnerability.
- The end-user apps must have functionalities to block any attempted data leak from PC and mobile phone.
- The user-interface must be user-friendly, available in all languages defined in eighth schedule of Indian constitution. It must allow minimum data entry on prompts with provision for audible prompts.
- A periodic report on cyber security and incidents must be published.
- Citizens must be regularly updated on cyber security.
Awareness and education –
- User-friendly user/operating manuals and other related material must be created ASAP.
- A big push must be given to user awareness and education in their own language using different kind of media for different demography. This will be a full time task in itself.
- Students of 9th and 11th class can be trained and mobilized to further train, create awareness and implement CDT with citizens. These students must be awarded extra incentive such as performance certificates or 2-5 marks for social work in their 10th and 12th exam based on their tangible and measurable performance.
- Indian NGOs with no foreign funding and agenda must be encouraged to create mass awareness and education. RBI or government can engage, encourage and fund creditable Indian NGOs for this awareness with accountability and performance parameters.
Legal issues –
- Required laws must be created and existing must be amended, with due checks and controls, to facilitate CDT to become legally valid.
- Citizen must be protected from losses in case of loss of money or data or privacy. It can be done using insurance and limiting the liability of citizen with defined time frame. DICGC or insurance companies must be encouraged to underwrite these losses at a predefined premium.
- Adjudication process must be reactivated and function in time bound manner. It may require more Adjudication Officers, who can be appointed other than state IT Secretaries.
- Other legal issues must be address. This may require one or more bills in parliament. This can be part of finance bill, thus require passing by Lok Sabha only.
- CDT must be implemented in mission mode. A separate nodal officer or CEO at PMO/RBI may be appointed, who will have powers to take action and bypass bureaucratic red tape. His/her performance must be measurable.