ABSTRACT
India’s digital payments giant, Paytm, has transcended its roots, building a vast financial
services empire spanning wealth, loans, insurance, and more. While this expansion unleashes
exciting possibilities, shadows lurk beneath the surface. This paper unveils the potential risks
associated with Paytm’s diversified ecosystem, focusing on data privacy breaches, regulatory
pitfalls, systemic instability, consumer vulnerabilities, and interconnectedness threats. We
peel back the layers, exploring these dangers and proposing crucial mitigation strategies to
ensure a sustainable future for Paytm and the Indian financial landscape.
Keywords: Paytm, Financial Services, Fintech, Risk Assessment, Data Privacy, Regulatory
Compliance, Financial Stability, Consumer Protection
INTRODUCTION
Do you make use of any of the services offered by Paytm, including Paytm Gold, Paytm
Insider, Paytm Payments Bank, and others? We all use Paytm, just like millions of Indians,
for a variety of services, such as paying bills and purchasing tickets for events. Even so,
there’s a persistent concern: in this huge ecosystem, are my finances, privacy, and data safe?
To ensure that we may all benefit from Paytm’s growth without jeopardising our security, this
study investigates the hidden risks connected to its growth.
Founded in 2010, Paytm started with an initial investment of $2 million (₹ 9.2 crores as of
August 2010) under the parent company One97 Communications. In its inception days,
Paytm offered prepaid mobile services at a time when smartphones were on the rise, later
adding DTH recharging to their services. They further expanded their services and added
debit card, post-paid mobile and landline bill payment services in 2013. Paytm has been
receiving surplus funds from its series of investors since 2011 and has amassed $3.3 billion
(approx. ₹ 27,010 crores) from early investments and major funding rounds 1, which have been
used to expand into various other businesses.
Paytm, headquartered in Noida, Uttar Pradesh, India, and owned by One97 Communications,
primarily operates in India. It expanded its operations to Canada in 2014, where it was
established as Paytm Labs Inc in Ontario, a research and development-based company. In 2022
they started a fraud risk management company named Pi 2, catering to high transaction
value fintech firms and digital marketplaces.
They expanded into Japan in 2018 through a tie-up venture with Japan-based Softbank and Yahoo
Japan, offering a QR-based payment service called PayPay 3. However, amidst this impressive
growth and expansion, concerns regarding potential risks of privacy breaches and compliance
issues may emerge. Data privacy breaches may expose sensitive information, such as
information relating to finances, health etc., as seen in breaches as recent as May 2023 4 and
November 2023 at Norton Healthcare and Infosys respectively.
Norton, which operates more than 40 clinics and hospitals in Louisville, Kentucky, with 20,000
employees and more than 3000 providers in its medical staff, had a wide range of sensitive
data of approximately 2.5 million patients, employees and their dependents accessed
during the ransomware attack in May (between 7th and 9th May). Its “time-consuming”
internal investigation reported that this included information such as birth dates, social
security numbers, health and insurance information numbers and medical identification numbers.
As for Infosys 5, its unit in the U.S., Infosys McCamish Systems (IMS), was hit by a
cybersecurity event which resulted in non-availability of certain applications and systems.
They released a statement that they had launched an investigation into the issue to
identify potential impact and damage. In this dynamic market, cybersecurity events like these
are results of a lack of security patches and robust encryption; unclear instructions may have
allowed unauthorized individuals to gain a wide range of access and thus plan infiltrations.
Add to this outdated systems leading to time-consuming investigations, which
lead to delayed responses, and all of this raises questions about a firm’s preparedness for
attacks such as the Norton Healthcare breach.
1 CrunchBase, https://www.crunchbase.com/organization/paytm/company_financials, accessed 10th February, 2024.
2 Catherine Knowles, Paytm Labs launches ML-powered fraud risk management platform, Security Brief Asia, https://securitybrief.asia/story/paytm-labs-launches-ml-powered-fraud-risk-management-platform, accessed 10th February, 2024.
3 ET Bureau, The Economic Times, https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/paypay-in-japan-with-paytms-qr-tech/articleshow/66310108.cms?From=mdr, accessed 10th February, 2024.
4 Carly Page, Tech Crunch, https://techcrunch.com/2023/12/11/norton-cyberattack-ransomware-hacker-millions/, accessed 10th February, 2024.
5 Reuters, https://www.reuters.com/technology/indias-infosys-says-us-unit-hit-by-cyber-security-event-2023-11-03/, accessed 10th February, 2024.
In the latter’s case, a lack of details about specific vulnerabilities or affected systems made it
tedious to pinpoint exact failures. These events have grave effects on the firm’s
reputation and lead to financial losses, which the firm may face in terms of lawsuits, regulatory
fines etc., while also exposing highly sensitive data, ultimately calling trust itself into question.
While firms may argue that the costs of ensuring trust, that is, ensuring safety, are exorbitant,
these costs are essential for safeguarding against such events, and the potential
costs of breaches easily outweigh the upfront costs of prevention.
Once the costs are dealt with, balancing convenience and security can be a problem; however,
proper consumer education can be used to bridge that gap. It may be a combined view that
such a problem can be addressed from both sides of the coin: user education and awareness
have their own importance, but the one to look after security is the company.
This analysis will explore the complex interactions that exist between the constant threat of
cyberattacks, the changing regulatory environment, and Paytm’s rapid expansion. This
research aims to make Paytm and its millions of users’ futures more secure and sustainable by
exposing the hidden threats.
RESEARCH METHODOLOGY
The Research Methodology adopted is a combined approach, using a literature review,
analysing case studies, and performing a qualitative analysis of nuances and arguments.
REVIEW OF LITERATURE
As per Dr. Anupam Saxena and Dr. Shalini Seth in their paper, expansion in technology-
based innovations is generating a lot of societal change. This trend is currently paving its way
towards restructuring in payments systems as well as giving rise to payments through mobile
and other such electronic devices. Easy availability of mobile computing devices has
facilitated online shopping, and mobile payment is gaining popularity 6. The mobile payment
revolution acted as a successful approach and many consumers, vendors and corporate houses
adopted this method because it gave ease of doing transactions. E-commerce transactions are
considered more assuring from the perspective of vendors 7. Overall, the global digital
payments market is expected to grow up to $10.07 trillion by 2026 8.
“The number of merchants accepting digital payments in India has also increased to over 10
million, in a short span of two to three years” 9. The Indian digital payment transaction
turnover witnessed an increase from 7.14% to 8.42% from 2016 to 2018 with reference to
GDP 10. Per capita digital transactions in India have also risen from 2.4 in 2014 to 22.42 in
2019 and have the potential to grow to 220 by 2021 11. Easy access to multiple apps for
payment purposes has facilitated payments anytime and anywhere, generating a conducive
mobile payment ecosystem. Mobile payments are virtual payments in which virtual money is
stored for transactions and payments 12. A user needs to have a mobile device which is
compatible with a network for conducting payments 13. Looking at the above-mentioned
statistics and literature, it is evident that the mobile payment ecosystem has witnessed a
tremendous rise, particularly in the use of mobile payment systems, which are becoming a key
driver for growth of the m-commerce industry, facilitating the boom of the digital sector 14.
On one hand this sector is giving a positive boost to various economic initiatives, but on the
other hand it has resulted in increased cybercrimes and monetary thefts 15. “According to a
2017 report, Indian consumers lost over 18 billion U.S. dollars due to cybercrimes. In 2018,
there were over 27 thousand cases of cybercrimes recorded in the country, marking an
increase of over 121 percent compared to the number of cases just two years
back” 16. Consumers are afraid of their privacy being violated, of risks due to cyber thefts,
and of using new technology, since there is a probability of losing their valuable money
during digital transactions 17.
To sustain the growth of this sector and take it to the next level, it is imperative to
build and maintain a sufficient level of trust, security and privacy, to use new technology with
appropriate safety measures, and to reduce risk during mobile payments. Absence of these
parameters may significantly hamper the growth of mobile payments systems 18.
6 Thakur & Srivastava, 2014; Dahlberg, Guo, & Ondrus, 2015; Liébana-Cabanillas, Sánchez-Fernández, & Muñoz-Leiva, 2014; Perez, Zeadally, & Jabeur, 2017, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
7 Kang, 2018; Aydin & Burnaz, 2016, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
8 ET Telecom.com, 2019, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
9 The Statesman, 2019, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
10 Reserve Bank of India, 2019, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
11 Reserve Bank of India, 2019, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
12 Pat et al, 2017, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
13 Au and Kauffman, 2008, Sharma et al., 2018, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi,
Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety
measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12,
Issue 2, February 2021, Page 3 to 4, 2021.
14 Phonthanukitithaworn et al., 2016, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate
Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures
of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2,
February 2021, Page 3 to 4, 2021.
15 Arya, 2019, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of
Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech
environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4,
2021.
16 Diwanji, 2020, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria
Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments
in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page
3 to 4, 2021.
17 Jang-Jaccard & Nepal, 2014; Hua, Chen, & Luo, 2018, cited in: Dr. Anupam Saxena, Dr. Shalini Nath
Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks
and safety measures of mobile payments in fintech environment in India, International Journal of Management,
Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
18 Pal et al., 2017; Alwraikat, 2015; European Central Bank, 2013; Vision, 2017, cited in: Dr. Anupam Saxena, Dr. Shalini Nath Tripathi, Associate Professors, Jaipuria Institute of Management, Lucknow, India, Exploring the security risks and safety measures of mobile payments in fintech environment in India, International Journal of Management, Volume 12, Issue 2, February 2021, Page 3 to 4, 2021.
As per Kiersten E. Todt in her paper, data privacy and protection are paramount for
businesses, irrespective of their size, sector, or location. In today’s digital age, data collection
has become a fundamental aspect of business operations, encompassing client data for service
delivery and enterprise data for critical infrastructure operations. Data now stands as a crucial
corporate asset, yet many businesses struggle to prioritize its protection.
The challenge of data protection doesn’t imply an immediate need for regulation. Market
forces can incentivize companies to secure their Internet of Things (IoT) devices. Regulation
should only be considered if market forces fail to ensure the security of such devices.
Businesses often struggle to adapt their security strategies to align with evolving technologies
and innovations, relying on outdated models that emphasize physical security. However, in
today’s digital economy, digital infrastructure and interdependencies define the economic
landscape, requiring new approaches to security, such as prioritizing privacy and utilizing
new technologies effectively.
Technology platforms like Facebook and Google are accumulating vast amounts of data,
necessitating responsible behaviour from these entities. These companies are no longer mere
technology platforms; they play critical roles in national security and must act accordingly.
As digital interdependencies grow, the definition of critical infrastructure must evolve to
align with the digital economy’s expansion.
Despite the digital economy’s rapid growth, US security policies have primarily focused on
traditional industries like telecommunications and finance. As a result, there is a need to
redefine what constitutes critical infrastructure to encompass the digital economy’s impact on
national security.
Businesses must realize that with the power of technology comes great responsibility. Recent
cybersecurity failures have highlighted the need for businesses to reassess and redefine what
is critical in today’s digital environment. Protecting critical information must become a top
priority.
To effectively protect data, businesses must create a comprehensive data inventory, prioritize
data based on business missions, and understand data usage. They must also establish strict
policies for data access, particularly regarding third-party vendors, and regularly review and
delete unnecessary data. Additionally, businesses need to communicate their privacy and
protection policies transparently to build customer trust.
In conclusion, data privacy and protection are essential for businesses. By focusing on data
inventory, public projection of data privacy policies, and incident response, businesses can
develop robust approaches to data protection, ensuring an effective response to security
incidents 19.
REGULATORY CHALLENGES AND THE FUTURE OF PAYTM PAYMENTS BANK: A CASE STUDY
In its press release of 23rd February 2024, the Reserve Bank of India reiterated that it
had imposed certain restrictions on Paytm, exercising its power under section 35(A) of the
Banking Regulation Act, 1949, vide press releases dated 11 March 2022, 31 January 2024 and 16
February 2024. It also released a set of FAQs for the benefit of customers, wallet holders and
merchants who are availing banking services from Paytm Payments Bank.
This action of the Reserve Bank of India sent a shockwave through the financial industry, since it
prohibits Paytm from onboarding new customers. It also raises red flags and questions about the
RBI’s decision, its motivation, and the potential implications of this matter. The Reserve Bank
of India, acting as the apex banking authority in India, ensures financial stability, protection of
consumers’ interests, and a level playing field within the financial sector. It ensures this
with comprehensive regulations including aspects such as:
i. Know Your Customer (KYC) Norms: By forcing financial firms to confirm the
identity and background of their clients, these regulations seek to stop money
laundering and the funding of terrorism.
ii. Data Privacy Regulations: Stricter laws like the Personal Data Protection Bill (2022),
which mandates strong data protection procedures from financial institutions
(Ministry of Electronics and Information Technology), are a response to growing
concerns about data security and misuse.
iii. Financial Stability Guidelines: These guidelines aim to ensure the soundness and
sustainability of financial institutions through capital adequacy requirements, risk
management practices, and operational resilience.
iv. Consumer Protection: RBI actively safeguards consumer interests through various
regulations and initiatives, including grievance redressal mechanisms and fair
financial practices guidelines.
19 Data Privacy and Protection: What Businesses Should Do, Kiersten E. Todt, The Cyber Defense Review, Vol. 4, No. 2 (FALL 2019), pp. 39-46 (8 pages)
Paytm Payments Bank defaulted on KYC and several other RBI guidelines, such as
maximum balance limits, reporting requirements, and cybersecurity standards 20. Although no
specific data breach was reported at PPBL, the broader Paytm ecosystem has faced data
security concerns 21 in the past. The interconnectedness of the ecosystem amplifies the
potential risks associated with data breaches and unauthorized access to sensitive customer
information.
Similarly, in the KYC scenario, RBI found irregularities in PPBL’s (Paytm Payment Bank
Limited) KYC processes, including a significant number of accounts with incomplete KYC
details and potential instances of fraudulent activities. These lapses raised concerns about
money laundering and financial stability risks.
The RBI’s action may have implications for both the industry and PPBL. As for
PPBL, both its business model and its potential for expansion have been harmed by
the RBI’s regulations. It must navigate a competitive market while correcting the highlighted
deficiencies. For the wider industry, Paytm’s case serves as a strong reminder for other
players to prioritize regulatory compliance, data security, and robust risk management
practices. It highlights the importance of building trust and maintaining transparency with
both regulators and consumers.
20 Latha Venkatesh, CNBCTV18, https://www.cnbctv18.com/business/companies/paytm-saga-rbi-says-its-a-supervisory-action-restrictions-proportionate-to-gravity-of-situation-19005711.htm, accessed 24 February 2024.
21 Nikita Prasad, LiveMint, https://www.livemint.com/companies/news/what-to-do-if-you-have-a-paytm-upi-handle-rbi-advises-this-11708693470580.html, accessed 24 February 2024.
SUGGESTIONS
Suggestions are as follows:
i. Enhancing Data Privacy Measures: Data privacy has grown to be a major concern for
both consumers and organisations in the current digital era. Paytm, a prominent
financial services company, needs to give data privacy top priority to safeguard the
private information of its users. Strong encryption methods are one approach to
improve data privacy. Data is securely transferred and stored thanks to encryption,
which also makes it more difficult for unauthorised people to access or alter the
data. To guarantee adherence to privacy laws like the General Data Protection
Regulation (GDPR) and the Personal Data Protection Bill in India, audits of data
handling procedures should also be carried out on a regular basis. Through these
audits, Paytm can take corrective action if any gaps in data privacy policies are
found. Giving consumers succinct and understandable privacy policies is a crucial
part of improving data privacy. The policies ought to provide a clear explanation of
how Paytm gathers, maintains, and utilises user data. Paytm can gain users’ trust and
show its dedication to privacy protection by being open and honest about its data
policies.
ii. Strengthening Regulatory Compliance: To keep the trust of regulators and users
alike, Paytm must adhere to regulations. Paytm needs to make sure that all
aspects of its business operations are compliant and keep abreast of any new developments
in regulations. Conducting routine internal audits is another important way to
evaluate compliance and pinpoint areas that need improvement. These audits serve to
reduce the risk of non-compliance and guarantee that Paytm’s activities comply with
legal standards.
iii. Improving Financial Stability: Maintaining financial stability is essential for Paytm to
keep running and expanding. Diversifying sources of income is one strategy to
increase financial stability. Paytm can lessen its reliance on any one service or market
by providing a variety of financial services and products, increasing its resilience to
financial shocks. For financial security, keeping a solid reserve fund is also crucial.
Paytm can maintain seamless operations and be able to weather unforeseen financial
issues with the support of a reserve fund.
iv. Enhancing Consumer Protection: Paytm places a high premium on consumer
protection since it fosters user trust and keeps them loyal. Educating consumers on
safe financial habits and fraud protection is one strategy to improve consumer
protection. Paytm offers tools and information to assist consumers in comprehending
and mitigating the risks involved in financial transactions. Another crucial aspect of
consumer protection is offering readily available customer service. If users have any
questions or complaints, they should be able to get in touch with Paytm quickly.
Putting strong fraud detection and prevention mechanisms in place is another strategy
to improve consumer safety. Paytm should make investments in instruments and
technology that can identify and stop fraudulent transactions to shield its users from
monetary loss.
v. Addressing systemic instability: Systemic instability can seriously jeopardise
Paytm’s business operations by interfering with its services and eroding user
confidence. Paytm should make investments in maintaining and updating a strong IT
infrastructure to address systemic instability. This involves making certain that its
systems are trustworthy, safe, and able to manage the increasing number of
transactions. Additionally, regular stress testing must be carried out to find and fix
any potential weaknesses in Paytm’s systems. Through this testing, Paytm’s systems
are made more resistant to outside threats and cyberattacks. Addressing systemic
instability through cooperation with regulators and industry peers is an additional
strategy. Through the exchange of best practices and collaborative risk mitigation,
Paytm can contribute to the stability and security of the larger financial ecosystem.
vi. Managing interconnectedness threats: Paytm depends on outside service providers for
a range of services as part of a linked ecosystem. Although this interconnection has
many advantages, there are hazards as well because Paytm’s operations may be
impacted by flaws in third-party systems. Paytm should set up explicit guidelines for
data exchange and cooperation with outside service providers to handle
interconnectivity risks. These procedures must guarantee that outside vendors adhere
to privacy laws and Paytm’s security requirements. To evaluate the security posture of
third-party providers and find any potential weaknesses, regular security assessments
should also be carried out. It is recommended that Paytm maintain tight collaboration
with its third-party partners to rapidly mitigate any vulnerabilities that are found.
CONCLUSION
Paytm’s financial services expansion unlocks opportunities but also harbors risks like data
breaches, systemic instability, and customer vulnerabilities. Mitigating these risks requires
prioritizing data privacy, financial stability, customer protection, and addressing systemic and
interconnectivity issues. Implementing strong encryption, diverse revenue streams, robust
fraud detection, and frequent security assessments are key. By navigating these challenges
responsibly, Paytm can empower users, build trust, and contribute to a safer, more inclusive
financial ecosystem. However, vigilance and continuous risk mitigation are crucial for
long-term success in this dynamic landscape.
WRITTEN BY:
Name: Aditya Trehan
College: Symbiosis Law School, Nagpur
