Fintech Facade: Shady TSPs Exploit Bank APIs for Laundering
24 Nov
Summary
- Unregulated tech firms disguise themselves as fintechs to misuse bank payout APIs.
- Payout APIs bypass OTPs and manual checks, enabling bulk illicit transfers.
- RBI proposes background checks, but industry seeks stronger beneficiary verification.

Shady technology service providers (TSPs), masquerading as legitimate fintech firms, are exploiting banks' payout Application Programming Interfaces (APIs) to facilitate large-scale money movement, raising significant concerns within the payments industry. These APIs, intended for automated bulk transfers to employees or vendors, lack the One-Time Passwords (OTPs) and manual checks present in retail banking, creating vulnerabilities for money laundering by unregulated entities.
The Reserve Bank of India (RBI) has recently issued a draft circular suggesting banks conduct background checks on customers utilizing these payout APIs. However, payment industry members argue this measure is insufficient. They advocate for mandatory pre-registration of all beneficiaries with a cooling-off period, similar to NEFT transfers, to enable PAN and account number verification and facilitate suspicious transaction reporting.
This issue has been discussed among payment industry stakeholders and organizations like the India Fintech Foundation (IFF) and the Payments Council of India. Reports suggest some payment aggregators and TSPs may be renting out bank-obtained APIs to facilitate illicit fund movements, with a list of approximately 30 such TSPs allegedly involved in laundering funds being shared with regulators. The RBI is currently seeking industry feedback on its draft circular.




