---
layout: default
title: "No Laws in India to Protect Customers if They Lose Money During Digital Transactions"
description: "A Business Standard report by Alnoor Peermohamed examining legal protection gaps for digital payment users following demonetisation, featuring cyber law expert Pavan Duggal on absence of dedicated digital payments legislation, Sunil Abraham's analysis of Section 43A compliance failures among ISPs and telecoms, and proposals for industry-led security standards consortiums."
categories: [Media mentions]
date: 2016-12-02
authors: ["Alnoor Peermohamed"]
source: "Business Standard"
permalink: /media/digital-transactions-legal-protection-gap-business-standard/
created: 2026-01-10
---

**No Laws in India to Protect Customers if They Lose Money During Digital Transactions** is a *Business Standard* report published on 2 December 2016 by Alnoor Peermohamed. The article examines critical consumer protection gaps in India's digital payments ecosystem exposed by demonetisation's forced migration to cashless transactions, featuring Supreme Court advocate Pavan Duggal on the absence of dedicated digital payments legislation, Sunil Abraham's findings that major ISPs and telecoms fail to comply with existing Section 43A data protection requirements, and proposals for industry-led security standards consortiums whilst RBI wallet balance limits increased despite security concerns.

## Contents

1. [Article Details](#article-details)
2. [Full Text](#full-text)
3. [Context and Background](#context-and-background)
4. [External Link](#external-link)

## Article Details

- 📰 Published in: Business Standard
- 📅 Date: 2 December 2016
- 👤 Author: Alnoor Peermohamed
- 📄 Type: News Report
- 📰 Article Link: Read Online

## Full Text

India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as legal tender.

The Modi government's demonetisation move might have warranted an increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments are still kept largely under the ambit of the Information Technology Act.

"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.

While the Reserve Bank of India usually sets security and privacy standards for banks in the country, the various digital wallets such as Paytm, Freecharge and Mobikwik fall under the category of Non-banking Financial Corporations (NBFCs) excluding them from this. For FinTech companies, security compliance falls under just Section 43A of the IT Act.

Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies.

Since the demonetisation on November 8, digital wallet firms such as Paytm have seen 35 million transactions by users to either buy goods and services, or transfer funds to another account. Rival Freecharge has tied up with police forces of Mumbai to pay traffic fines using its platform.

Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43A.

"We have a minimal data protection law in our IT Act and that will apply to all the FinTech players. But our ISPs and Telcos don't comply with Section 43A, so you can imagine in the FinTech sector the compliance will be even lower," says Sunil Abraham, Executive Director at CIS.

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services raised questions.

The RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal, but on November 23 the banking regulator increased the limit to Rs 20,000.

Just last week India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 100,000 by getting a KYC check done.

"There are no legal mechanisms available should there be disputes pertaining to digital payments," said Duggal. He added that there are no effective remedy mechanisms available in case money in the digital payment ecosystem gets lost, hacked, stolen or misused.

While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved. Under Section 43A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must follow and is valid in the court of law during dispute resolution.

This move is encouraged by experts, as governments often lack the bandwidth to define sector-specific laws, but this is where private sector expertise can go a long way.

{% include back-to-top.html %}

## Context and Background

This report appeared three weeks after Prime Minister Modi's shock announcement on 8 November 2016 that Rs 500 and Rs 1,000 currency notes—comprising 86% of India's cash in circulation—would cease to be legal tender within hours. The demonetisation exercise forced hundreds of millions of Indians toward digital payment platforms overnight whilst regulatory frameworks, consumer protection mechanisms, and dispute resolution systems remained underdeveloped. The article documented the dangerous asymmetry between government policy pushing cashless transactions and legal infrastructure protecting citizens using those systems.

Duggal's observation that digital payments lacked dedicated legislation highlighted fundamental uncertainty about transaction validity and enforceability. Unlike traditional banking governed by comprehensive Reserve Bank of India regulations under the Banking Regulation Act 1949 and Payment and Settlement Systems Act 2007, digital wallet transactions existed as contractual relationships between users and NBFC-classified service providers. This contractual basis meant disputes over failed transactions, unauthorized debits, or wallet balance losses required litigation under contract law rather than specialized consumer protection or payment system regulations with defined redressal mechanisms.

Abraham's finding that major ISPs and telecommunications companies failed to comply with Section 43A—the IT Act 2000's sole data protection provision requiring "reasonable security practices" for sensitive personal data—suggested enforcement weakness that would extend to the FinTech sector. Section 43A imposed compensation liability on corporate bodies experiencing data breaches from negligent security practices, but lacked proactive enforcement mechanisms, mandatory breach notification requirements, or regulatory oversight bodies. If established technology companies with mature compliance infrastructure ignored Section 43A, rapidly scaling wallet providers handling financial credentials would likely demonstrate even lower compliance.

The RBI's response to security concerns through wallet balance caps illustrated regulatory reliance on damage limitation rather than security enhancement. The initial Rs 10,000 cap ensured breaches caused bounded losses, but the rapid increase to Rs 20,000 on 23 November—then Paytm's KYC-enabled Rs 100,000 balances—demonstrated policy accommodation to demonetisation liquidity needs overriding security considerations. This created perverse incentives: users needing to store larger balances for daily transactions faced increased risk whilst remedial mechanisms remained absent.

Sunil Abraham's proposal for industry-led security standards consortiums under Section 43A reflected regulatory capacity constraints. Governments typically lack technical expertise to specify rapidly evolving security requirements for digital payment systems, whilst industry players possess implementation knowledge but face collective action problems absent coordination mechanisms. Section 43A's provision for sector-specific security standards mutually agreed among players and recognized by courts during disputes offered a hybrid governance approach balancing private expertise with legal enforceability, though voluntary consortium formation without regulatory mandate risked lowest-common-denominator standards.

## External Link

- [Read on Business Standard](https://www.business-standard.com/article/economy-policy/no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions-116120200342_1.html)