There is a lot of pressure on people from the government, banks and various service-providers to go cashless. In a cashless world, the government prints fewer currency notes and saves on the cost of printing and high security distribution logistics. There is an expectation that the underground or black economy will vanish and we will move to an all-white economy.
Meanwhile, banks will charge customers for all transactions. It means, the banks as service-providers, get immediate payment at negligible cost, the retailers are freed of the hassles of counting notes and coins if cashless is free for them; the one and only loser is the customer.
A switch to a cashless society and online transactions is set to cause a paradigm change in the social, cultural and economic environment of India, entirely driven by technology and the growing computing power.
However, the flip side of this much touted cashless society and economic transformation is not so well known.
Newton’s third law of motion says: “For every action there is an equal and opposite reaction.” The same is true of the cashless drive.
Apart from known risks such as high cost, digital security, slow Internet connectivity and low tech-literacy, there exists another dimension of risk. It is the Risk of Denial of Service (DoS) or Risk of Exclusion (RoE). And this can affect the life and liberty of citizens.
If there is large-scale power or Internet disruption (or connectivity disruption/ malware infection) in a very large service provider’s operations—say, a bank or a telecom company—what will happen in a cashless environment?
These risks are no longer hypothetical or theoretical but are registering their presence on a small or local scale, around the world, especially during natural calamities. And large-scale disasters do not come with a prior announcement.
Let me give you a few examples from the past three or four weeks alone:
1. PNB operations at a standstill for almost half a day:
I have my personal and business accounts at the Punjab National Bank (PNB), and another one at another bank, as a disaster precaution. I went to PNB’s Sion branch in Mumbai at 10am on 5 October 2018 to withdraw money for some statuary payments and tender document payments as they ask for cash or a demand draft, and the deadline for the payment was 3pm on the same day.
The branch manager told me that the network was down and that I should come back after some time. Accordingly, I returned at 11.15am. The network was still down.
The branch manager now said there was an India network outage since morning and that people were working on it in Delhi.
I asked him why the Disaster Recovery (DR) site was not immediately operationalised when the DC (data centre) was down and what the RTO (recovery time objective) was.
He looked blank.
I asked him, what do I do when I have to make payments and you will not allow me to withdraw my own money? He had no answer.
Ideally, if the main DC is down, the DR site at an alternate location should start operating within a specified, pre-defined time, which is called RTO. For a bank like PNB, the DR site must be a hot site with real-time replication and RTO should be a few micro or milli-seconds.
But, PNB’s operations were down until 12 noon (as I was told next day), which means for at least for 3-4 hours. I had money in my bank accounts but it was not available to me. Customers of the Bank all over India suffered.
In the US, this may have led to a class action suit.
Ironically, the branch manager was not even aware of terms like DR site, disaster recovery plan (DRP) and RTO. He made shocking excuses like ‘even human beings fall ill’.
It shows the lack of training at PNB even at the branch manager level.
I had to borrow money to make my immediate payments. In a cashless environment, I would have missed both payments in case of a disaster.
This is not the first time that this has happened with PNB. There was an operations outage of 50 hours on 24 May 2012 and then for a whole day in 2014. It must be happening with other banks too, I have heard of a few banks making their customers suffer due to their technology problems.
2. Indigo Airlines server crashed for two hours
A friend travelled from Kochi to Mumbai on Indigo 6E215 on 7 October 2018. There was a long queue at the check-in counters at Kochi because Indigo’s servers had crashed.
The airline started issuing manual boarding passes, for which they were neither accustomed nor trained. There was commotion, fights, and delayed flights.
Things were sorted out after an hour or two.
Since Kochi is a small airport, the disruption was limited, but my question is the same as in the case of PNB.
Are we prepared for disasters or outages in connected or cashless/paperless world? Why is there no DR site, and defined RTO? How can we allow things to remain disrupted for long periods?
Among other things, it said, “Japan's Hokkaido strong earthquake (06 Sept 2018) triggered a large-scale power outage, and Sapporo City instantly became the dark capital of Hokkaido. Power restoration took minimum 24 hours to one week. During this period, 1.95 million residents flocked to supermarkets and convenience stores to buy life supplies. However, some of the victims who usually only use mobile phones have lost their ability to pay and can't buy what they need.”
(Image Courtesy: The Nation)
The blogpost goes on to mention an anonymous discussion on a Japanese forum on 6 September 2018. It was about an app that allows only electronic payment, which suffered a large outage after the earthquake. A user decided to stock up on supplies, checked the refrigerator and finding only milk and mayonnaise, rushed to the supermarket to stock up.
(Image Courtesy: WTOP)
When he arrived at the supermarket, he found that he had no cash at all. He nervously saw that his phone was also 62% charged. When he reached the payment counter, he was told that he could not use electronic payment. In fact, he could not pay electronically anywhere.
At seven o'clock that night, he sat alone at home, hungry.
(Image Courtesy: The Nation)
The blog quotes a warning by the Swedish central bank governor Stefan Ingves who said, “A cashless society is unrestrained in the face of war or natural disasters, and the huge social and financial system will collapse in an instant”.
It goes on to say that cashless payment is just a supplement to the “payment function” because it requires some basic conditions—electricity, network, base station, etc.
My Internet search indicates that this blog is fairly accurate.
A countrywide outage in Estonia on 27 April 2007, caused all websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters to shut down for about 2 days. In 2007, Estonia was about 95% digital and paperless. The near-shut down led to riots. In the past decade, Estonia has become a centre of excellence in cyber security and resilience.
5. OCBC Bank of Singapore:
On 1 September 2018 operations were down from 8:45pm to 11:30pm. The shut-down caused untold embarrassment to customers who were out at restaurants or shopping/ travelling and had only OCBC Bank’s credit card. Many took their outrage to twitter. That the management issued a detailed apology
was cold comfort.
(Image Courtesy: Straitstimes.com)
What will happen, if we have a large-scale disruption in India? Are we ready for the chaos that will ensue as we push for a cash-less and technology-dependent existence?
The PNB and Indigo incidents suggest that we, as a society, are not even prepared for small disasters. DRP and business continuity plan (BCP) do not seem to exist, or, like fire-fighting equipment in many Indian buildings, do not work when required.
After demonetisation, there was a big surge in digital transactions. PayTM became a highly popular choice. Of late, Unified Payments Interface (UPI) and Bharat Interface for Money (BHIM) are being actively promoted.
But data shows that India has gone back to using more cash than we did before demonetisation.
Cash in the hands of the public (M1) and demand deposits with bank has reached more than Rs19.43 lakh crore, as per the statistics released by the Reserve Bank of India (RBI) on 21 September 2018, a level about 10% higher than what existed before demonetisation.
I like to inquire from retailers about the level of acceptance of e-payment systems like Paytm, BHIM, and UPI. The usual answer is that people are not comfortable with electronic payments because they have no control over transaction failure; are worried about hacking; are hobbled by poor connectivity issues and are irritated about transaction costs – none of these are a problem while using good old cash.
Denial of service (DoS) or Risk of Exclusion (RoE) due to wholesale outage is a new risk added to these concerns.
The purpose of this article is not to discourage cashless economy but to highlight the many dimensions to going cashless or even less cash. It cannot be done in a causal manner. If a cashless economy has to succeed, government and service-providers need to do a lot more to provide uninterrupted, quality and secure services to the customers.
Education took us from the thumb impression to signature. Technology must not take us back from signature to thumb impression.
(Dr Rakesh Goyal has a PhD is cyber security. He is a gold medalist both in engineering and PGDM from IIMB. He is the managing director of Sysman Computers Pvt Ltd, one of the few IT security audit organisations empanelled with CERT-In and CCA, with the ministry of IT, and with GoI to audit cyber security of critical national infrastructure/assets. He can be contacted at [email protected]