Apple and Google should share detailed app metadata and developer identities to help trace the origins of fraudulent apps on their platforms
The panel also envisaged the formation of a centralised agency, dedicated solely to cyber security on the lines of the DGCA
The committee also recommended the establishment of a whitelisting framework and a code of conduct for digital lending apps
Training its guns yet again at big tech giants, the Parliamentary Standing Committee on Finance has called on the centre to institute new norms, mandating Google and Apple to share detailed app metadata and developer identities listed on their app marketplaces.
“… The Committee strongly recommends that there should be a mandate that app stores, such as Apple’s App Store or Google Play Store, adhere to specific guidelines and standards. This can include requirements for detailed app metadata, verification of developer identities, and the provision of traceability information, such as app ownership and origin,” the panel said.
The recommendations were part of the committee’s report presented to the Parliament on Thursday (July 27) on the issue of ‘Cyber Security And Rising Incidence Of Cyber/White Collar Crimes’.
Citing its rationale, the panel said that such rules for these app marketplaces could effectively help trace the origins of fraudulent apps and safeguard users. Besides, the committee also suggested a slew of guidelines for app marketplaces, hinting directly at Google and Apple, which also operate their own operating systems (OS):
- Bear the responsibility of regularly updating and patching their OS to fix vulnerabilities and incorporate security features
- Enforcement of stringent vetting processes for application approvals within their app stores, encompassing malware detection and privacy compliance
- Active promotion of user education and awareness on safe practices within their products
Among other things, the committee also recommended establishing a ‘proactive’ regulatory framework to strengthen cyber security enforcement capabilities and formulate more responsive consumer grievance redressal and compensation mechanisms.
Under this, the panel envisaged the formation of a centralised agency, the Central Protection Authority, dedicated solely to cyber security and modelled on the lines of the DGCA.
The recommendations also sought to strengthen central and state cyber security enforcement capabilities and collaborate closely with countries across the globe. The committee also highlighted the use of ‘new and threatening’ emerging technologies such as generative artificial intelligence (AI) and quantum computing by cyber criminals to evade tracking by authorities.
Big Techs & Fintechs In Question Again
Noting that there were challenges in ‘exerting sufficient control’ over third-party service providers, namely big techs and telecom operators, in matters of cyber security, the committee rued the lack of robustness in anticipating and dealing with emerging threats in the digital financial ecosystem.
“The Committee, therefore, urges the Government to consistently evaluate the impact of AI tools along with periodic assessments to monitor the effectiveness of potential drawbacks of AI tools. Accountability standards should be set in this regard for all concerned entities,” the report added.
The Parliamentary standing committee batted for enhancing regulatory powers and instituting new norms to oversee the role of big techs and telcos, especially in the fintech space, including stringent security controls, regular cyber security audits, and better eKYC verification.
This, as per the panel, could be achieved by promulgating new cyber security laws or via amendments to the upcoming Digital India Act.
“… the Committee emphasises the need for a strong and comprehensive legal framework (to secure critical financial infrastructure against cyber threats)… that encompasses robust policies, procedures and guidelines along with advanced security technologies, regular risk assessments, employee training and incident response plan,” the report noted.
Taking potshots at big tech players, the committee said that the RBI provided it with evidence that many such players refused to embed various modifications to their operating systems to make OTP-based, two-factor authentication more secure.
The report also mentions illegal digital lending apps, which recently grabbed headlines for all the wrong reasons. Taking cognisance of growing incidents of predatory recovery practices and exorbitant interest rates charged by illegal lending apps, the panel called for building a consumer-protection framework for consumer-facing digital lending platforms.
“The Committee, therefore, recommend the establishment of a whitelisting framework by the CPA for Digital Lending Agencies (DLAs) and other ‘financial intermediaries’ as a measure to combat illegal practices and promote a standardised code of conduct in the digital lending sector,” the committee said.
As per the standing committee, the whitelisting framework would underline criteria for lending platforms to be recognised as legitimate entities, ensure compliance with rules, and weed out fraudulent DLAs from the market. The blueprint would cover aspects such as responsible handling of data, appropriate disclosure of terms and conditions, and adherence to regulations.
On this aspect, the committee opined that the presence of search engines and big tech giants in the digital landscape increased the vulnerability of the digital ecosystem to cybercrime. As such, it urged the government to delineate responsibilities for search engines and global tech companies.
In what could potentially increase the compliance burden for fintech startups, the Parliamentary Standing Committee recommended that all financial services providers ensure that grievance redressal is completed within a stipulated time frame.
Besides, it has also recommended the creation of self-regulatory organisations (SROs) to facilitate global best practices, and enhance coordination and effective implementation of cyber security frameworks.
Reacting to the development, chief executive officer (CEO) of Fintech Association for Consumer Empowerment Sugandh Saxena said, “… Given the complexities, such illegal apps, despite vigilance and verifications, manage to deceive and harm consumers and undermine their trust and faith in digital lending. We concur with the Committee’s view about the need to explore and shape a framework for consumer-focused platforms to ensure consumer protection.”
The report was submitted after hectic parleys with multiple stakeholders, including names such as Apple, Paytm, Flipkart, Razorpay, PhonePe, and CRED, among others.
The report comes at a time when India has seen a big spurt in cyberattacks. Early this year, MoS IT Rajeev Chandrasekhar said that the country witnessed 13.91 Lakh cyber attacks in 2022.