The National Payments Corporation of India (NPCI) wants companies offering the Aadhaar-based Payment System (AePS) to implement additional security measures to prevent the spread of online fraud attacks.

In a notice sent to all banks and payment companies offering this service on October 26, NPCI wrote that banks must implement mandatory security features for AePS transactions, similar to the mandatory security features for debit cards.

The Retail Payments Authority has asked banks by the end of next month to suspend AePS services for accounts that have not been paid to AePS in the last 12 months.

It also asked banks to immediately ban the service on accounts where the only detected AePS transaction in the last 12 months was reported as fraudulent.

Similar to international transactions on cards, which are mandatorily blocked at the time of issuance of the card, NPCI wants banks to take explicit consent from customers regarding offering this service. Banks should also offer the option to either ‘enable’ or ‘disable’ AePS as a debit mode through multiple modes like mobile banking, branch banking, call centre etc, NPCI said.

“NPCI wants customers to have easy access to enabling or disabling this service and that needs to be done through the multiple communication channels that banks have,” said the founder of a payment company, which offers these services in rural India.

Another fintech CEO providing AePS services in rural India pointed out that in many cases, agents deal with fraudsters, which requires proper audit controls.

The UIDAI has already developed an AI-based software upgrade that can help stop transactions authenticated by silicon-implanted fingerprints, but a senior banker in the know said it will take time to roll out across the industry.

The problem with AePS as a service is that, although only a fraction of the population uses the debit service, a large number of bank customers receive government support over the network as a credit transaction.

In a notification issued on October 26, NPCI wrote that all such credit transactions and linking of Aadhaar number with bank account should not be disturbed by this communication.