Top officials in key ministries, including finance and IT, are of the opinion that a sensitive payments system such as UPI should not be on a platform whose security is possibly compromised.
WhatsApp Pay may not launch anytime soon in India, as the government is planning a comprehensive safety audit of the payments platform, according to a source in the know.
The payments vertical of the chat app has been running on beta for the last one year.
Top officials in key ministries, including finance and information technology (IT), are of the opinion that a sensitive payments system such as Unified Payments Interface (UPI) should not be on a platform whose security is possibly compromised.
Reserve Bank of India (RBI) officials who deal with fintech also fear that financial data of Indian users would not be safe on WhatsApp Pay.
The proposed audit is likely to be conducted jointly by the IT ministry and the RBI.
Last week, Facebook-owned WhatsApp said it was filing a federal complaint in the US against Israeli technology firm NSO Group.
NSO Group’s Pegasus software exploited a loophole in WhatsApp’s video calling feature that could let the buyer of software access a person’s phone or device data.
NSO has maintained that it sells only to governments.
But India has so far not categorically accepted or denied buying NSO software by either the Centre, states or other government agencies.
The Centre has, however, asked WhatsApp to explain the breach of privacy of Indian citizens, after it was revealed that some activists and journalists were targeted by the Pegasus spyware.
Officials are also irked that even after asking multiple times, WhatsApp Pay has not maintained the same level of transparency that banks in the country as well as Indian payments platforms do.
It’s also not clear if WhatsApp Pay is storing its financial data in India - a sore point with the government as well as the RBI for a long time.
“I believe they are still in beta phase as they are probably short of meeting the requirements. Banks are driven by stringent regulations related to disclosure, security and data protection.
"WhatsApp at the moment is not well regulated or monitored. It is bound by an agreement with the banks and that’s a loophole,’’ said a senior official in the IT Ministry.
Banks can do an audit of WhatsApp, but that may not be effective, he pointed out.
He added that the company is still to come up with satisfactory steps to meet the government’s requirements on data localisation.
“In case of frauds, Indian authorities will be unable to trace the origin of message as WhatsApp refuses to share details due to their privacy policies,” added the official.
Last year, WhatsApp had claimed that in response to India's payments data circular from RBI, it was ready with a system to store payments-related data locally in India.
On concerns that security on WhatsApp was compromised, it had earlier said its security team had caught and stopped a cyber attack designed to send malware to mobile devices in May.
"Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones.
"Technology companies are constantly working to stay ahead of these kind of challenges through updates and patches.
"The safety and security of our users remains the highest priority, which is why in May we blocked the attack and have taken action in the courts to hold NSO accountable," a WhatsApp spokesperson said.
Experts believe that till the government can figure out the extent of breach on WhatsApp, UPI, which is built by the National Payments Corporation of India, should be kept off-bounds from the chat platform.
Also, WhatsApp should stop the beta test on payments, according to them.
“With the government, RBI and NPCI planning to evaluate the risks involved in making payments via social media apps and services, the security of the UPI payment infrastructure on WhatsApp Pay has been rendered under a cloud of vulnerability,’’ said Salman Waris, managing partner at TechLegis Advocates & Solicitors, a law firm.
This further complicates the situation after the RBI revealed in an affidavit filed in the Supreme Court earlier that WhatsApp had not complied with the data localisation norms, Waris pointed out.