
My Two Cents On PayTM Kerfuffle

PayTM is the first digital payment product I've used at scale in India.

When RBI enforced the two factor authentication mandate for online payments, bill payments became a major PITA. By requiring users to fill in the credit card number, expiration date and half a dozen other fields, Reg 2FA caused tremendous friction. After they received the OTP, entered it and hit the submit button, many users - me included - frequently experienced failed payments. More at Why Two Factor Authentication Is A "Conversion Killer" & "Blood Pressure Booster" and Going From Card To COD. (Hyperlinks to posts on my company website removed to comply with Finextra Community Rules, but these posts should appear at the top of Google Search results when searched by their title + "GTM360".)

Frustrated by this experience, I craved an electronic wallet that I could top up with a lump sum from my credit card once a month and then use the balance to pay all my monthly bills, without being subject to friction and risking failure of each individual payment.

PayTM fulfilled that wish. While PayTM extended support for UPI and UPI Lite much later, I'm talking about the time when it had only one mode, namely the wallet, and put through online payments without an OTP or even a password. In other words, PayTM blatantly subverted two factor authentication. RBI looked the other way.

Although Indians are supposed to be very security-conscious, they lapped up PayTM by the millions despite its lax security. At its peak, PayTM had 100 million wallet users, which was more than the customer base of any bank in India. Through the years, I've written many posts on this blog about PayTM's innovative approach towards wallet top-up, PUSH notifications, OTP SMS, autofill OTP, soundbox and feet-on-street sales, and its rise to become a blockbuster hit.

By proving that the sky didn't fall because of its nuanced approach towards security, PayTM, I'm guessing, shaped the design of UPI. Unlike the earlier online payment methods, which reflected the regulator's historical bias towards security, UPI leans towards convenience and a superior user experience. As described in the following exhibit, UPI has far less security than NEFT, IMPS and the other methods of payment that touch a bank account.

Fast forward to 31 January 2024.

RBI ordered PayTM to stop operations by end of February.

The regulator took this unprecedented step after its comprehensive systems audit exposed persistent non-compliances and continued material supervisory concerns in PayTM Payments Bank (PPB).

The point to note is that RBI's enforcement action is targeted only at the payments bank associate of the publicly traded fintech called One97 Communications Limited aka PayTM.

PayTM offers a wide range of financial products and services such as payments, FASTag (prepaid highway toll product), NCMC (prepaid public transport ticketing), consumer credit, merchant credit, payment gateway, and so on. (PayTM's application for a Payment Aggregator aka Merchant Aggregator licence was not approved by RBI.) Some of these products and services are rooted in PPB, some are independent of PPB, and some straddle both firms. While PPB has "bank" in its name, it cannot do any lending since it's a payments bank, which is a restricted form of banking charter that allows deposit-taking but not lending.


@s_ketharaman: Bank that can't lend can make revenue - and profit - via fees on its payments products, rake on bancassurance, and difference in interest between what it gets from government bonds and what it pays to depositors.


Soon after RBI's announcement, I speculated about the following non-compliances and oversight concerns at PayTM, in increasing order of severity (not legal advice, but they go from a mere rap on the knuckles through to fines and jail time):

  1. Didn't give enough bhaav (respect in Hindi) to RBI / external auditors
  2. Skimmed MDR from bank to parent company
  3. Used bank's balance sheet for parent company's lending business
  4. KYC violations
  5. Money laundering.

According to the mostly speculative media reporting over the following 2-3 days, all five have emerged as highly likely factors behind the regulator's harsh action. The media has clubbed the second and third points under the catch-all expression "breach of arm's length relationship between related parties". More in The Morning Brief podcast.


According to McKinsey, fintech players are "start-ups and growth companies that rely primarily on technology to conduct fundamental functions provided by financial services, thereby affecting how users store, save, borrow, invest, move, pay, and protect money".

When they start off, fintechs don't have a banking license, and partner with sponsor banks to offer checking accounts, savings accounts, loans, and other banking products. Over time, some fintechs apply for and get a banking charter and become a bank themselves.

PayTM is the only fintech I know that is not itself a bank yet not only works with sponsor banks but also has an in-house bank (One97 holds a 49% stake in PayTM Payments Bank; the other 51% is held by its founder Vijay Shekhar Sharma in his personal capacity).

In my time, I've come across many (perfectly kosher) deal structures, financial engineering schemes and corporate labyrinths, but I haven't seen anything like what PayTM has done here.

I can imagine the insane amount of complexity that PayTM's product, service and corporate structure creates in how security, data privacy and wall-crossing laws apply to it. A couple of days after RBI cracked down on it, PayTM told the Economic Times that its bank "could not satisfy the banking regulator regarding compliance and technology".

I'm not surprised. While I'm being a bit generous to PayTM here, most regulators have large egos and tunnel vision and can't tolerate creative interpretations of the rules they've written. Exhibit Z: Coinbase v. SEC in the USA.

RBI looked the other way when PayTM subverted 2FA in the past, but it has clamped down on the fintech giant now.


Startup Bros and VCs have lamely copied Adani Group's response to Hindenburg Research's hit job around this time last year, and have called RBI's action an attack on fintech consumers and the overall startup ecosystem. That's self-serving BS.

Some industry observers say the regulator's action is disproportionate, e.g. Nikhil Pahwa in his op-ed titled RBI is not fit to regulate digital payments in the Economic Times. In my opinion, the author is conflating policy with enforcement action. Let me explain.

RBI has released many regulations in the last two years or so. I've shared my take on some of them, like Reg Emandate, Reg CofT and Reg Positive Pay, on this blog in the past. These regs are examples of policy targeted at entire industries and sub-industries. In my opinion, policies need to be expansive in order to drive GDP growth. I agree with the author that the regulator has thrown the baby out with the bathwater in these instances.

The regulator's latest move is a case of enforcement action against a specific company, namely PayTM Payments Bank. Unlike the author, I believe that tight enforcement is necessary in order to ensure that the economy doesn't go rogue. According to my ideal regulatory framework, displayed in the exhibit on the right, expansive policy combined with tight enforcement is the best recipe for a vibrant economy in a capitalist system.

RBI's policy stance is akin to "Highways can cause accidents, so we should ban highways". Which is obviously lame. Whereas its stance on enforcement is akin to "We will come down on one wrong-side driver in such a way that nobody else will drive on the wrong side of the highway". Which is fine.

While the former stance thwarts innovation and growth, I can think of many examples where the latter has proved highly effective.

  1. Ticketless travel in Germany. Whenever a train ticket examiner caught a ticketless traveler on an S-Bahn in Frankfurt, she'd deboard the offender at the next station. Five more TTEs from the train would join her on the platform. All six of them would surround the ticketless traveler and march him up and down the platform so that the whole train would see the poor sod's walk of shame. (For the uninitiated, S-Bahn or Schnellbahn, i.e. Fast Rail, is one of the multiple modes of rapid transit in German cities, the others being U-Bahn, Straßenbahn and Omnibus.)
  2. Powell Doctrine in the USA. Although Shock and Awe and Strike with Overwhelming Force are standard American warfare tactics, the current crackdown by the OCC on Blue Ridge Bank and many BaaS providers is a nod to this approach in the American banking industry.
  3. Mask mandate in India. During the pandemic, the moment any one out of a posse of five traffic cops spotted a maskless motorist in Pune, all five of them piled on to him or her. Even if a few maskless motorists slipped away in the ensuing circus, everyone got a loud and clear message that law enforcement was serious about enforcing the rules on wearing masks.

While it might come across as a tad unfair to the solitary offender, tight enforcement works as long as it's not barbaric. As governments become lean and slash headcount in government agencies, disproportionate enforcement might be the only pragmatic model for ensuring order going forward.


Pathbreaking business model innovators like AirBnB, Reliance and Uber have been shrouded under a regulatory cloud for much of their corporate existence, but eventually they have persuaded the powers-that-be that their business models are "not illegal".

Time will tell whether PayTM will be able to do the same.

