Delhi High Court
Abhijit Mishra vs Reserve Bank Of India & Anr on 7 August, 2023
Author: Satish Chandra Sharma
Bench: Chief Justice, Subramonium Prasad
* IN THE HIGH COURT OF DELHI AT NEW DELHI
Date of decision: 07th AUGUST, 2023
IN THE MATTER OF:
+ W.P.(C) 3693/2019 and C.M. No. 34242/2020
ABHIJIT MISHRA ..... Petitioner
Through: Petitioner in person.
versus
RESERVE BANK OF INDIA & ANR ..... Respondents
Through: Mr. Ramesh Babu M. R., Ms.
Manisha Singh and Ms. Nisha
Sharma, Advocates for Respondent/
RBI.
Mr. Arun Kathpalia, Sr. Advocate
with Mr. Saurabh Kumar, Mr.
Abhishek Kr. Singh, Mr. Saurabh
Kumar and Ms. Diksha, Advocates
for Respondent No.2.
+ W.P.(C) 11262/2020
ABHIJIT MISHRA ..... Petitioner
Through: Petitioner in person.
versus
UIDAI & ORS. ..... Respondents
Through: Mr. Kirtiman Singh, CGSC with Mr.
Waize Ali Noor and Ms. Shreya
Vedantika Mehra, Advocates for
Respondent/ UOI.
Mr. Ramesh Babu M. R., Ms.
Manisha Singh and Ms. Nisha
Sharma, Advocates for Respondent/
RBI.
Mr. Arun Kathpalia, Sr. Advocate
with Mr. Saurabh Kumar, Mr.
Abhishek Kr. Singh, Mr. Saurabh
Kumar and Ms. Diksha, Advocates
for Respondent No.3.
Signature Not Verified
Digitally Signed By:HARIOM
SINGH KIRMOLIYA
W.P.(C) 3693/2019 & W.P.(C) 11262/2020 Page 1 of 20
Signing Date:17.08.2023
13:05:17
CORAM:
HON'BLE THE CHIEF JUSTICE
HON'BLE MR. JUSTICE SUBRAMONIUM PRASAD
JUDGMENT
1. The present petitions have been filed in the nature of Public Interest Litigations, for the issuance of appropriate writs, order or directions directing the Respondent authorities to direct Google Pay India Services Private Limited to cease their operations in India for violation of regulatory and privacy norms.
2. In W.P.(C) 3693/2019, the Petitioner has prayed for the following reliefs:-
"a) Writ, order or direction in the nature of Mandamus or any other appropriate writ, order or directions to the respondents particularly Reserve Bank of India to immediately order Google India Digital Services Private Limited doing business as Google Pay to stop its unauthorised operation in India as Payment and Settlement Systems for its failure to comply and obtain authorization of the Reserve Bank of India before commencement of the operations as per the provision prescribed under section 4 and sub section 1 of the Payment and Settlement Systems Act, 2007;
b) To conduct compliance audit of the Google India Digital Services Private Limited doing business as Google Pay doing unauthorised operation in India as Payment and Settlement Systems under the provisions of section 13, 14, 16 and 17 of the Payment and Settlement Systems Act, 2007;
c) To impose penalties on the Google India Digital Services Private Limited doing business as Google Pay doing unauthorised operation in India as Payment and Settlement Systems under the provisions of section 26, 27, 28, 29 and 30 of the Payment and Settlement Systems Act, 2007 for contravention of the laws, regulations and procedure;
d) any other order or directions as the Hon'ble Court may deem fit and proper in the facts and circumstances of the case be also passed in favor of the Petitioner;
e) Cost of the Present Petition be also allowed in favor of the Petitioner and against the respondent."
3. In W.P.(C) 11262/2020, the Petitioner has prayed for the following reliefs:-
" A. Kindly issue the writ of mandamus of any other writ that the Honourable Court deems justified upon the Respondent No. 1 UIDAI to initiate actions against the Respondent No. 3 i.e. Google Pay under the aegis of Section 29 Section 38 and Section 43 of the Aadhar Act 2016 for collecting, storing and using the Aadhar information of the citizens in the violation of objects of the Aadhar Act, 2016.
B. Kindly issue the writ of mandamus of any other writ that the Honourable Court deems justified upon the Respondent No. 1 UIDAI to issue appropriate directions under the aegis of Section 23A, Section 28, Section 29 of the Aadhar Act, 2016 for the protection of unauthorized access to the Aadhar information of the Citizens of India.
C. Kindly issue the writ of mandamus of any other writ that the Honourable Court deems justified upon the Respondent No. 1 UIDAI and Respondent No. 2 i.e. Reserve Bank of India to prevent unauthorized access of the Aadhar and Banking information of the citizens of India in the banking and financial system.
D. Any other order or directions as the Hon'ble Court may deem fit and proper in the facts and circumstances of the case be also passed in favor of the Petitioner or interest of justice."
4. It is stated that the information brought on record in the present petition has been obtained by the Petitioner through RTI applications and representations filed before government authorities such as the Reserve Bank of India (RBI), the Unique Identification Authority of India (UIDAI) that are entrusted with the responsibility of implementing, administrating, and managing provisions of the Aadhar Act, 2016; Payments and Settlement Systems Act, 2007; and the Banking Regulation Act, 1949, respectively.
5. It is stated that through these petitions, the Petitioner seeks to bring forth questions of public interest, insofar as the operation of Google Pay services in India are concerned.
6. The Petitioner contends that Google Pay has violated privacy norms by gaining access to and using consumers' personal data such as Aadhar details which is in contravention of Section 29, 38(g) and 38(i) of the Aadhar Act, 2016 and the Payments and Settlement Systems Act, 2007 and Banking Regulation Act, 1949. Further, it is stated that storage and use of sensitive and personal banking information would tantamount to an offence by a company as per Section 43 of the Aadhar Act, 2016.
7. The main grouse of the Petitioner is that operations of Google Pay in India as a payment system provider are unauthorized for want of obtaining necessary permissions and hence Google Pay storing sensitive information of Indian citizens would tantamount to violations under Aadhar Act, 2016; Payments and Settlement Systems Act, 2007 (hereinafter referred to as 'the PSS Act') and the Banking Regulation Act, 1949.
8. It is further submitted that upon a perusal of the terms and conditions of Google Pay, it emerges that the Google Pay application which operates on the UPI platform has been performing a role of facilitator of transactions. Therefore, Google Pay has been performing the role of a Payments System Provider (hereinafter "PSP") without obtaining valid authorisation from the RBI as per Sections 4 and 7 of the Payments and Settlement Systems Act, 2007, and therefore this constitutes an offence by a company under Section 26 of the PSS Act.
9. To buttress this submission, the Petitioner places reliance on replies to the RTI applications filed by the Petitioner before the RBI and UIDAI, seeking information as to whether Google Pay was authorized to operate as a payment system provider, and if the UIDAI had granted permission to access and store customer data while processing payments. The replies to RTIs dated 09.09.2019 and 04.03.2020, before the RBI and the UIDAI respectively are as under:-
Sr. No. Information Sought Reply
1. Has the Google Pay made an application under Section 5 of the Payments and Settlement Systems Act as on 10 August 2019? Reply: No.
2. Has the Reserve Bank of India issued Show Cause Notice to the Google Pay for operating without registration under section 5 of the Payments and Settlement Systems Act as on 10 August 2019. If yes then please provide the copy of the show cause notice. Reply: No.
3. Has the Reserve Bank of India initiated proceedings and actions against illegal and unauthorized operations of the Google Pay under section 26, 27 and 30 of the Payments and Settlement Systems Act as on 10 August 2019?
4. Has the Reserve Bank of India allowed and permitted Google Pay to store the banking transaction data of the citizens on its server as on 10 August 2019. If Yes then please provide the letter of permission.
No.
5. Has the Reserve Bank of India allowed and permitted Google Pay to collect Personal Identity Information such as AADHAR, PAN, Voter ID etc. as on 10 August 2019. If Yes then please provide the letter of permission.
6. Has the Reserve Bank of India issued show cause notice to National Payments Corporation of India for allowing unauthorized access to UPI and BHIM platform and application to Google Pay as on 10 August 2019. If yes then please provide the copy of the show cause notice.
7. Has the Reserve Bank of India issued show cause notice to National Payments Corporation of India for allowing unauthorized access of the banking transaction information through UPI and BHIM platform and application of the citizens to the Google Pay payment system and servers as on 10 August 2019? If yes then please provide the copy of the show cause notice. Reply: No.
8. Has the Reserve Bank of India conducted audit of the payment system and servers of the Google Pay where it is storing the Banking Transaction and Personal Identity information of the Citizens under section 16 of the Payments and Settlement Systems Act as on 10 August 2019? If yes then please provide the copy of the audit report. Reply: No.
9. Has the Reserve Bank of India received any communication from Google Pay that all citizen banking transaction data and personal information are maintained in the servers located only in India as on 10 August 2019. If yes then please provide the copy of the communication.
10. Has the Reserve Bank of India issued directions to the Google Pay under the provisions of Section 17 of the Payments and Settlement Systems Act as on 10 August 2019? If yes then please provide the copy of the same.
xxx
Information sought Information
1. Has the Unique Identification Authority of India permitted Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) to access and use citizens AADHAR database/platform for processing and authentication payments using BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details of the permission issued by Unique Identification Authority of India. Reply: No.
2. Has the Unique Identification Authority of India received information from Reserve Bank of India that, Reserve Bank of India has given permission to the Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) is accessing and using AADHAR database/platform for processing and authentication payments via BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details. Reply: No.
3. Has the Unique Identification Authority of India received information from National Payments Corporation of India that, National Payments Corporation of India has given permission to the Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) is accessing and using AADHAR database/platform for processing and authentication payments via BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details. Reply: No.
4. Has the Unique Identification Authority of India received application from Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) is accessing and using AADHAR database/platform for processing and authentication payments via BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details. Reply: No.
5. Has the Unique Identification Authority of India received complaint from Reserve Bank of India that Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) has been accessing and using AADHAR database/platform without approval and registration for processing and authentication payments under Payments and Settlement Systems Act, 2007 or via BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details. Reply: No.
6. Has the Unique Identification Authority of India received complaint from National Payments Corporation of India that Google India Digital Services Private Limited doing business as Google Pay (Mobile Payments Applications) has been accessing and using AADHAR database/platform without approval and registration for processing and authentication payments under Payments and Settlement Systems Act, 2007 or via BHIM Aadhar platform as on 7 February 2020. If yes then please provide the details. Reply: No.
10. It is further submitted that Google Pay does not find a mention under the list of entities authorized under the PSS Act, 2007 read with Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008, for setting up and operating a payment system in India. It is further contended that by virtue of Google Pay not finding a mention in this list, Google Pay is an unauthorized payment system service and as an unauthorized payments systems operator, Google Pay has obtained unfettered access to its customers' personal information such as AADHAR, PAN and other transaction details. It is also alleged that Google Pay violates privacy of its users by requiring phone numbers, sharing contacts, amongst other personal details. Further, it is alleged that Google Pay has not adhered to the RBI Circular RBI/2017-18/153 |DPSS.CO.OD No. 2785/06.08.2005/2017-18 dated 06.04.2018 issued under Section 10(2), 18 of the PSS Act, 2007, which mandates all payment system providers such as National Payments Corporation of India (hereinafter referred to as 'NPCI') to ensure that all data pertaining to payment systems operated by them is stored in a system only in India.
11. The Ld. Counsel for the Reserve Bank of India at the outset submitted that the objective of the PSS Act, 2007 is to regulate and supervise payment systems in India, and RBI is the designated authority for such purposes. It is submitted that entities are required to obtain RBI permissions under PSS Act, 2007 only for commencement or operation as payment systems. The RBI under section 7 of the PSS Act, 2007 has granted a certificate of authorization to the NPCI, an undertaking of the RBI, and has entrusted the responsibility of operating retail payments and settlement systems in India. NPCI is duly registered as an authorized payment system provider under PSS Act and is the network operator, service provider and coordinator of the Unified Payments Interface (hereinafter referred to as "UPI"), which is a real-time instant payment system facilitating inter-bank transactions. Reference is made to NPCI procedural guidelines to submit that NPCI is empowered to oversee customer grievances. It is further submitted that the NPCI also performs the role of a regulator of domestic payment systems. Since UPI is a platform operated and controlled by NPCI, Google Pay functions as an application merely to provide its services on the UPI platform, and it cannot be said that Google Pay is a Payment Systems Provider in itself. It is stated that Payment Service Providers are entities that provide front end or the final applications to be used by customers. PSPs provide end to end services to customers. Banks may participate in the UPI framework as system participants, and under the multi-bank model launched by the NPCI, a Third-Party App Provider (TPAP) may participate in the UPI system through PSP banks. It is submitted that under this arrangement, Google Pay is a TPAP.
12. Learned Counsel has further submitted that at present NPCI has allowed 4 banks to partner with the UPI system under the multi bank mode. Every PSP bank in the UPI system allots Virtual Payment Addresses (VPAs) to individual users, to facilitate either Peer-to-Peer (P2P) or Peer-to-Merchant (P2M) transactions. This elaborate arrangement ensures that no other information such as bank details or private data is leaked, as all transactions are routed through customers' VPAs. In this framework, Google Pay merely acts as a TPAP, by connecting participating banks/system participants to a large customer base.
13. Learned Counsel for the RBI has highlighted the difference between BHIM AADHAR Pay and UPI in response to the Petitioner's concerns regarding storage of sensitive banking information of customers such as AADHAR details, etc. While both services are products offered and operated by the NPCI, Google Pay is only a third-party UPI enabled app which is not connected to BHIM-AADHAR in any way. Referring to a reply in response to the Petitioner's RTI application dated 28.03.2019 filed before the RBI, it is submitted that the onboarding of entities on the UPI platform is a decision left to be taken by the NPCI. Accordingly, reference is placed on a list of third-party applications on the UPI system, wherein Google Pay is included.
14. Learned Counsel for the RBI further submits that the appropriate mechanism to address complaints regarding digital transactions undertaken by customers of system participants is squarely covered by the RBI Ombudsman Scheme for Digital Transactions, 2019. Chapter IV of the Scheme provides the procedure for redressal of grievances faced by individuals through the channels of filing a complaint before the RBI. Under Section 3(11) of the Scheme, the 'System Participant' would mean any person other than a bank participating in a payment system as defined under Section 2 of the Payment and Settlement Systems Act, 2007 excluding a 'System Provider' and a 'System Provider' would mean and include a person who operates an authorized payment system as defined under Section 2(1)(q) of the Payment and Settlement Systems Act, 2007.
15. The Ld. Counsel for Google Pay at the outset submits that Google Pay would not fall within the definition of a Payment System as defined under Section 2(1)(i) of the PSS Act, 2007. It is submitted that Google Pay is neither a system provider nor a payment system operator as far as its activities as a TPAP under the UPI, which is a payment system operated by the NPCI, are concerned. He therefore submits that only system providers would be required to obtain authorization in consonance with Sections 4 and 7 of the PSS Act, 2007. It is stated that NPCI is registered as an authorized system provider and controls UPI infrastructure and its antecedent payment systems. It is stated that UPI works in real time by instantly transferring funds between two bank accounts and enables UPI account holders to send and receive money using an assigned user ID, which circumvents the need to enter bank information such as bank account details, PAN number or even the net banking PIN. Learned Counsel further submits that the NPCI has already received authorization from the RBI under PSS Act, 2007 to operate UPI, which in turn authorizes participant banks and third-party applications to offer their respective payment services. NPCI introduced guidelines which dictate how PSP banks engage with TPAPs in the UPI system. Ld. Counsel for Google Pay submits that the said Guidelines have a binding effect and are enforced contractually between the parties in the UPI system. Section 20 of the PSS Act reads as under:-
"20. System provider to act in accordance with the Act, regulations, etc. Every system provider shall operate the payment system in accordance with the provisions of this Act, the regulations, the contract governing the relationship among the system participants, the rules and regulations which deal with the operation of the payment system and the conditions subject to which the authorisation is issued, and the directions given by the Reserve Bank from time to time."
16. Learned Counsel has placed reliance upon NPCI Circular dated 15.09.2017 which enables the operation of a multi PSP bank model in UPI to submit all data exchanged between the UPI enabled app, the app provider's system and PSP bank through a secure channel. Google Pay works on this multi-PSP model and connects to UPI systems, which is in turn operated by the NPCI (system provider) through multiple PSP banks. Thus, it is averred that Google Pay is merely an application that provides the technological platform and the interface through which users undertake UPI transactions.
17. Heard learned Counsel for the parties and perused the material on record. The matter is being disposed of with the consent of the parties at admission stage itself.
18. The relevant statutory provisions governing the field as contained under Sections 2(1)(i), 2(1)(p) and 2(1)(q) of the PSS Act which define 'payment system', 'system participant' and 'system provider' respectively, reads as under:-
"2(1)(i) 'payment system' means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange.
xxx
2(1)(p) 'system participant' means a bank or any other person participating in a payment system and includes the system provider;
2(1)(q) 'system provider' means a person who operates an authorised payment system;"
19. Section 7 of the PSS Act which gives power to the RBI to grant authorisation for payment systems, reads as under:
"7. Issue or refusal of authorisation.--(1) The Reserve Bank may, if satisfied, after any inquiry under section 6 or otherwise, that the application is complete in all respects and that it conforms to the provisions of this Act and the regulations issue an authorisation for operating the payment system under this Act having regard to the following considerations, namely:--
(i) the need for the proposed payment system or the services proposed to be undertaken by it;
(ii) the technical standards or the design of the proposed payment system;
(iii) the terms and conditions of operation of the proposed payment system including any security procedure;
(iv) the manner in which transfer of funds may be effected within the payment system;
(v) the procedure for netting of payment instructions effecting the payment obligations under the payment system;
(vi) the financial status, experience of management and integrity of the applicant;
(vii) interests of consumers, including the terms and conditions governing their relationship with payment system providers;
(viii) monetary and credit policies; and
(ix) such other factors as may be considered relevant by the Reserve Bank.
(2) An authorisation issued under sub-section (1) shall be in such form as may be prescribed and shall--
(a) state the date on which it takes effect;
(b) state the conditions subject to which the authorisation shall be in force;
(c) indicate the payment of fees, if any, to be paid for the authorisation to be in force;
(d) if it considers necessary, require the applicant to furnish such security for the proper conduct of the payment system under the provisions of this Act;
(e) continue to be in force till the authorisation is revoked.
(3) Where the Reserve Bank considers that the application for authorisation should be refused, it shall give the applicant a written notice to that effect stating the reasons for the refusal:
Provided that no such application shall be refused unless the applicant is given a reasonable opportunity of being heard.
(4) Every application for authorisation shall be processed by the Reserve Bank as soon as possible and an endeavour shall be made to dispose of such application within six months from the date of filing of such application."
20. Keeping in view the aforesaid statutory provisions of law and the counter affidavit of RBI, it can be safely gathered that NPCI is the operator of the UPI system for transactions in India and is a "system provider" which is authorized by the RBI under the PSS Act to extend its services for facilitating transactions and the transactions carried out via UPI through Google Pay are only peer-to-peer or peer-to-merchant transactions and Google Pay is not a system provider under the PSS Act, 2007.
21. The UPI Guidelines, 2019 also make it exceedingly clear that data may be stored under two types, namely, 'customer data' and 'customer payments sensitive data'. While the former may be stored with the app provider in an encrypted format, the latter can only be stored with the payment services providers bank systems, and not with the third party app under the multi model API approach that Google Pay has opted for. We therefore do not find any merit in the Petitioner's contention that Google Pay is actively accessing and collecting sensitive and private user data.
22. Within the framework of UPI, banks perform two roles. The first role is that of a PSP which provides payment services to customers, the other is to facilitate and settle all debit and credit transactions. The PSPs are entities that provide front end application services to the customer. A PSP may also provide a user with an application which may be used by the same bank's customers or even by other banks' customers.
23. In this context, third-party apps such as Google Pay are designed to provide a large customer base to participating banks. A third-party app such as Google Pay obtains approval from NPCI for operating on the UPI platform. In the multi bank application system which Google Pay has adopted, the NPCI provides a common library for integration to TPAPs on behalf of PSP banks. It would be relevant to revert to an extract of the NPCI issued Unified Payment Interface Procedural Guidelines, 2019 ("UPI Guidelines, 2019"), which refers to a TPAP as under:-
"Multiple bank model (API approach)
This approach enables multi-bank PSP's to partner with a single 3rd party, in which a large merchant/tech player (referred as "third party app provider") having an access to large customer base, can connect to UPI system through multiple PSP banks. In the multi-bank Application Programming Interface (API) arrangement, NPCI shall provide the NPCI Common Library (CL) directly for integration to the third party app provider on behalf of PSP banks. The App connects to PSP bank systems through third party app provider's system using API on secure channel.
For initiation, the third-party app provider needs to write to NPCI with the names of participating banks (up to maximum of 5 banks). The letter should also include the details of existing user base and volume commitment."
24. In addition, the Procedural Guidelines, 2019 sheds light on the models used in UPI. Under the model which is dependent on bank architecture which Google Pay has opted for, all transactions are routed through participating banks which are connected to the NPCI-NET.
25. A perusal of the counter affidavit filed by the RBI shows that the RBI has issued the Certificate of Authorisation to the NPCI to operate various retail payment systems in India including UPI. As pointed out by learned Counsel for RBI, UPI is an instant real-time payment system developed by the NPCI for facilitating inter-bank transactions and works by instantly transferring funds between two bank accounts on a mobile platform. It has been further pointed out that UPI is a system that powers multiple bank accounts into a single mobile application bank, merging several banking features, seamless fund routing and provide for merchant payments into one hood. Relevant portions of the counter affidavit reads as under:
"7. That before adverting to the facts of the present case, it will be pertinent to mention here that UPI is an instant real-time payment system developed by the NPCI for facilitating inter-bank transactions and works by instantly transferring funds between two bank accounts on a mobile platform. Thus, precisely UPI is a system that powers multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing and provide for merchant payments into one hood. It is further submitted that both person to person (i.e. P2P) and person to merchant (i.e. P2M) payment transactions can be done using a UPI application. Furthermore, the UPI also permits real time push transactions, i.e. the customer initiates the transaction to pay the beneficiary; and pull transactions, i.e. the beneficiary initiates the request to make payment. It is further submitted that the UPI has many unique features including immediate money transfer through mobile device round the clock 24x7 and 365 days with single click 2 factor authentications. And also, different bank accounts can be accessed using a single UPI application and payment can be made using Virtual Payment Address (i.e. VPA), wherein the customer need not part with any other information such as Card number, Account number, IFSC code, etc.
8. That it is submitted that there are various players in UPI system such as (i) NPCI, (ii) payer Payment Service Provider (iii) payee Payment Service Provider, (iv) remitter bank, (v) beneficiary bank, (vi) bank account holders (payer / payee) and (vii) merchant.
Whereas, as per the PSS Act, NPCI is the system provider of the UPI and owner as well as operator. It is further submitted that Payment Service Providers (i.e. PSPs) are the entities that provide for the front-end/ application for the customer. They are the ones who acquire customers and provide payment (credit/debit) services to them. Moreover, it will be of utmost significance to state here that only banks are allowed to act as PSPs and therefore, the services under UPI are presently offered by banks in their capacity as PSP banks, i.e. PSP banks are the system participants of UPI.
9. It is submitted that the NPCI has initially launched the single PSP model under UPI and under this model, a third party could also connect to the UPI platform through a single sponsor PSP bank. However, subsequently NPCI approached the answering Respondent with a proposal of multibank model in UPI which was taken note of vide RBI letter dated August 22, 2017. Accordingly, NPCI introduced multibank model under UPI on September 15, 2017 wherein a large merchant / tech player, referred to as Third Party App Provider (TPAP), having access to large customer base, can connect to the UPI system operated by the NPCI through multiple PSP banks.
10. It is submitted that the NPCI has allowed four banks, i.e. Axis Bank, ICICI Bank, HDFC Bank and State Bank of India (sponsor banks) to partner with Google (i.e. one of the TPAPs) under the multibank model of UPI. Therefore, Google provides the necessary customer interface through its application, i.e. Google Pay, while the transactions are processed through these sponsor PSP banks. A copy of the RBI letter dated August 22, 2017 is hereby annexed as ANNEXURE B to the present Affidavit.
11. It is submitted that the Google is a TPAP and does not operate any payment system for which the authorization is required and mandatory under the provisions of PSS Act. It is further submitted that the answering Respondent does not give any approvals/ authorisations to entities like Google which are acting as TPAPs. They are not considered as system providers i.e. authorized payment system operators under the provisions of the PSS Act, 2007. Hence, they do not find place in the list of authorized Payment System operators published on the website of the answering Respondent.
12. In view of the aforesaid submissions and explanations, it is submitted that the present Petition filed by the Petitioner is wholly misconceived. The Petitioner has totally misconstrued and utterly misunderstood the provisions of the PSS Act 2007 as well as the services provided by the Google being a mere Third Party App Provider for which no authorization is required under the provisions of the PSS Act, 2007. Therefore, the present Petition is devoid of any merits and is liable to be dismissed."
26. In view of the counter affidavit filed by the RBI it is clear that Respondent No.2 is a mere third party app provider for which no authorisation from RBI is required under the provisions of PSS Act.
27. In light of the foregoing, this Court does not find any merit in the present Writ Petitions. The same are dismissed, along with pending application(s), if any.
SATISH CHANDRA SHARMA, CJ
SUBRAMONIUM PRASAD, J
AUGUST 07, 2023
hsk/ss