Why did Yes Bank stop working?

“What this means is the partner bank is just a business partner, which can be changed in 24 hours,” said one source, who is involved in research on the payments industry.

“There was no way they could have had a migration this fast to ICICI Bank,” said a senior executive in a fintech company.

NPCI, in its circular, mandates that partner banks store all sensitive customer information—account numbers, etc.—while third-party apps are allowed to store names, mobile numbers, and email IDs. But by virtue of operating the back end for Yes Bank, sources allege that PhonePe has access to information that is meant for the bank’s eyes only. The Ken could not verify this independently.

“This is grey because the rules don’t say third-party apps couldn’t keep a backup outside the bank,” said the third source. The second source, though, believes this is a “blatant violation.” “No third-party app should be storing this data. NPCI has let this happen,” he added.

PhonePe strongly denied this. “Which companies have suggested this? Please ask them to explain how this works? Talk to NPCI and our banking partners and not rely on false information and speculation being spread by unnamed sources,” PhonePe’s spokesperson said via email.

NPCI did not respond to these allegations.

Spreading risk

The other thing that stands out is how NPCI allowed PhonePe to operate with just one partner bank.

Back in September 2017, before Google Pay launched UPI-based payments, NPCI made a provision for partnering with multiple banks. Having multiple banks seems like a prudent approach in case one bank goes down. PhonePe took steps in this direction… in September 2019. But what it didn’t manage over the six months since September, it pushed through the day after Yes Bank went down.

“Mature companies like Google Pay had the foresight about things like business continuity. But in India, startups are caught in that growth hustle that they don’t have tech bandwidth to spare for this. This kind of hygiene is not a priority,” said a senior executive at a payments company. This points to the fact that NPCI has hardly cracked the whip on compliance. On 2 March, it reminded all its third-party apps to migrate to a multi-bank model. But curiously, this reminder did not come with a deadline.

See, the NPCI’s role is curious. It isn’t a regulator, so its notifications and circulars don’t have teeth. But by virtue of operating digital payments, it is tasked with drawing up guidelines for the smooth running of these operations. And companies take full advantage of this.

“We only take what NPCI says as a recommendation. They send warnings, and we continue to ignore it because NPCI is not RBI. They are also a tech player,” said the fintech executive quoted above.

PhonePe, of course, is hardly alone in its lack of a backup. Most fintechs also took Yes Bank’s APIs for granted and balked at a failsafe.

Saying Yes to APIs

For all the muck around Yes Bank, the unanimous verdict among digital companies is that Yes Bank’s APIs were better than those from other banks. And this led to some serious traction—about 5-8% of Yes Bank’s income comes from fees and interest that the APIs helped earn, said a source aware of the matter.

Take the example of cab platform Ola. When you pay your cab fare after an Ola ride, the money goes to Ola. After keeping its share, it gives the rest to the driver-partner. Ola has close to 2 million active drivers. That means sending money to millions of bank accounts across hundreds of banks within a few hours. It did this through Yes Bank’s cash management APIs.

Ask any engineer and they say good APIs depend on the code quality, the number of servers, and network connectivity, among other things. Yes Bank was an early mover when it came to this, working with multiple partners and creating APIs for every sector.

“The APIs can’t take too long to respond, else it will create bottlenecks. If there are errors in payments, the APIs need to report them fast, else it can cause errors,” said a former Ola employee who was involved in this integration. The flip side is that without good APIs, a driver could be paid double or not paid at all—both unwelcome outcomes.