After many consumers faced problems making online transactions requiring one-time passwords (OTPs), the Telecom Regulatory Authority of India (Trai) delayed the implementation of some additional restrictions on SMSes. These regulations, which required all commercial SMSes to adhere to specific templates, were meant to curb the runaway spread of spam or bulk SMSes. As such, they are badly needed, given that most mobile phone users have been inundated with spam to such a degree that many have moved away from SMSes altogether. Trai
has allowed cellular service providers another week to implement the norms. In this period, it is hoped that banks in particular— as well as applications using the UIDAI authentication service, including the Covid-19 vaccination platform Co-Win — will manage to change the format in which they send OTPs to adhere to the Trai
guidelines. Earlier this week, there were widespread outages, with a large proportion of OTPs being caught up in the anti-spam filter deployed by the telephone companies. That this happened in the first place is, however, puzzling. The Trai
guidelines were hardly foisted on banks and others at the last minute, although the Delhi High Court directive to speed up the implementation of the guidelines came only in February.
The problem appears to be that the banks failed to submit all the templates they used. One reason might be that some banks subcontract the SMS sending to professional aggregator companies. But the responsibility for the lack of communication does not appear to rest with either the regulator or the telecom company or, for that matter, the subcontractor. It is up to the banks to ensure that they are in a position to meet what appear to be perfectly sensible regulatory requirements. It is not the first time in the recent past that bank customers have faced problems with OTPs. In November, HDFC Bank’s platform essentially crashed, leaving its customers unable to access any services, not even those built around the unified payments interface or UPI; in December 2019, the same bank faced an inability to process payments that led to a Reserve Bank of India
(RBI) enquiry. In October 2020, meanwhile, ICICI Bank’s platform crashed on a day its credit card division had partnered e-retailer Amazon during a major sale.
Given the implications of this failure for the banking
sector, it would not be surprising if the RBI takes another look at the current OTP system. The regulator can consider the broader impact on the financial system of an over-reliance on OTPs as the sole form of authentication for absolutely every transaction. It should take this opportunity to re-examine the entire OTP system, in order to ensure it is keeping up with technological advances, new forms of fraud, and growing digital literacy and uptake. The RBI should also revisit the OTP requirement for micro-transactions, and consider mechanisms that would allow for greater consumer choice on when and how to receive OTPs. The onus must be on banks to ensure that consumers have their preferred combination of security and efficiency available, perhaps by granting them an option to opt out fully or up to some limit. Banks must stop treating technological interfaces and platforms as an afterthought, or something to be subcontracted to the cheapest bidder. Given the growth of digital interactions with banking
and of online transactions, the reliability and user-friendliness of banks’ digital communications and platforms must be made a priority.