Clipped from: https://economictimes.indiatimes.com/prime/fintech-and-bfsi/ed-raid-at-payment-firms-is-a-tale-of-missing-merchant-kycs-will-betting-sites-face-the-heat-too/primearticleshow/94035817.cms
Synopsis
ED suspects that payment-gateway firms facilitate the operations of Chinese loan apps. This practice is also rampant across betting and gambling sites. Payment gateways often use a single KYC identity for multiple merchants. This has allowed the Chinese money lenders to not only disburse money to users in India but also transfer the money collected back to its origin.
Even as the Enforcement Directorate (ED) raided the offices of payment gateway companies Razorpay, Cashfree, and Paytm last week in the Chinese loan app case, there was another set of smart players going about their business unrestrained. Gambling and betting sites based outside India, such as Betway.com and bet365.com, were seen using all kinds of Indian payment methods, including UPI, as of the morning of September 6 to facilitate betting and gambling transactions by Indian users.
While the websites are not illegal per se, according to Indian payments guidelines, these platforms are not allowed to let their customers use domestic payment methods like netbanking or UPI to top-up or cash out from the wallet. In other words, these are foreign platforms allowing Indian citizens residing in the country to gamble or bet using Indian payment methods such as netbanking, IMPS, and UPI.
An Indian merchant, CSL-FZ, working as a client of SBI is enabling the UPI transactions. Airpay is the payments gateway/payments aggregator that got this particular virtual payment address or VPA issued by SBI for one of its sub-merchants.
There are many other betting apps that use fraudulent merchant identification code (MID) and payment gateways to hoodwink Indian banks.
ED has had the suspicion that payment-gateway companies are facilitating the operations of Chinese loan apps. But this practice is also rampant across betting and gambling sites.
While the government has banned many Chinese lending apps, new clones keep sprouting every day on the Play Store. Ultimately, these apps do need a payment gateway to be able to disburse the loan amount as well as to collect it back from the customers. The Chinese lenders’ collection tactics, such as harassing the borrowers and even their relatives, have pushed several borrowers to take their lives.
The modus operandi
Many of these payment gateways wittingly or unwittingly help move the money out of the country.
During the ongoing Asia Cup, there was a flurry of ads by an online betting platform called Fairplay.club, often through surrogate marketing such as Fairplay News. Online betting is illegal in India.
So, how do they let the users pay for the game?
The payment seems to be routed through the merchant, DK SON with VPA dkson@yesbank, which is probably an approved merchant according to the know your customer (KYC) registration, also known as MID in industry parlance.
The betting platforms are using multiple payment options, including UPI, bank transfer and crypto, for topping up the wallet or depositing the money, all of which are illegal. There is even a YouTube video explaining how to do payment transactions.
Stranger still is that DK SON may just be one of the merchants that Fairplay.club deploys for enabling payments. These companies have a repository of approved MIDs that they use. They also keep on changing merchants, payment gateways and banks every 15-20 minutes to avoid any disruption in payments. This keeps the banks guessing and avoids fraud detection.
These are the same MIDs that are sometimes used for legitimate transactions and that is how the merchant KYC gets approved.
Sometimes, the platforms act smart to avoid detection. They have a pool of MIDs to pick from and if an MID or UPI ID gets blocked, they add others and the business runs as usual until they get caught the next time. This cycle repeats.
Banks and NPCI have monitoring systems and website crawlers in place to identify and block fraudulent merchants who misuse their payment rails for illegal transactions. But what used to be websites are now apps, and bank crawlers cannot identify such transactions over apps. These apps also try to put guardrails in place (like asking for user Aadhaar/PAN or other documents), primarily to avoid detailed scrutiny by officials checking the apps for legitimacy or checking which payment gateway is facilitating the transactions.
The apps are also quick to ban any IP they think is coming from banks trying to understand whether the platform is being used for the purpose for which the merchant KYC was acquired.
The mucky world of KYC
There are three different types of KYC fraud that happen.
- One is when lending or betting companies, which are an illegal money-transfer pipe, deploy a legal MID for that specific transaction. Approval from the bank and a genuine merchant MID are obtained on the basis of a legal merchant app or website KYC, but after a few weeks or months, illegal transactions start getting routed through this MID.
- The second route is when multiple merchants or platforms use a single approved and legal merchant KYC for routing illegal money.
- The third route is they create entirely fictitious but seemingly legit merchant apps or websites, akin to how large corporations create shell companies.
One of the biggest facilitators of these illegal transactions is payment gateways, sometimes willingly.
Well, payment gateways often do not follow the due diligence while registering, or doing the KYC, for all the merchants that they onboard on their platforms. This happens partly because of intense competition and the insatiable appetite to grow big faster.
The rise of digital-payment methods also meant that it became much more difficult to track humongous payments passing through digital infrastructure. Since 2011, the number of payment-gateway businesses in India has grown by more than five to six times. There were only 14 payment gateway firms a decade ago. Any business can approach a bank for a payment-gateway business and the banks give them access to their infrastructure and monitor their channel while the KYC of the merchant lies with the payment-gateway entity.
Most often payment gateways use a single KYC identity for multiple merchants, and they keep adding merchants gradually to a single MID so that it escapes their partner bank’s scrutiny. The growth of transactions is also kept at a reasonable level so that banks don’t get suspicious.
The way out
The merchant KYC issues come to the fore only when a customer complaint triggers an investigation by the banks, cyber cells, or ED. When the authorities ask for details about merchants, the payment gateways often cannot explain the nature of these transactions that facilitated illegal payments.
This is one of the reasons why the RBI came up with the payment aggregator licence so that they could be held accountable and could be brought directly under the supervision of the central bank.
What usually happens is that the fraudulent merchants try to hoodwink a payment gateway and the latter is also trying to hoodwink the banks. Preventing and identifying such practices is a continuously improving process similar to preventing payments fraud. Banks may not be able to prevent all of it, but once found, they should learn from it and put models and controls in place to prevent it from happening again. The control could also be around auditing payment gateway compliance policies among other things.
But for most banks, merchant acquiring, or payment gateway, is not a lucrative enough business to justify investing the money, human resources, and effort needed to understand the ever-evolving and smarter payment gateways and merchants.
Chinese lenders often charge high interest rates and penalties on gullible customers desperate for credit. Since they don’t have the licence to lend, the whole operation is illegal.
The proceeds of the profits earned by either the Chinese moneylenders or the gambling and betting platforms are sent back to the foreign entities in their home country.
The tie-up with the payment gateways helps them transfer the money back to their home country. This comes under the purview of money laundering. We will come to that in the second instalment of this story.
(Nitesh Singhal runs Aryaa Advisors, a consultancy for digital banking and payments. He was previously the head of UPI business at Axis Bank.)
(Graphics by Sadhana Saxena)
(Originally published on Sep 7, 2022, 12:01 AM IST)