RBI’s Payment Guidelines: Implications – Explained, Pointwise

The Reserve Bank of India’s guidelines on recurring payments, payment aggregator/payment gateways, and card storage have left businesses, banks, and fintech in a dilemma.

What are the new guidelines issued by RBI w.r.t recurring payments and Payment Aggregator/Gateways?

– Advance notifications on payments of 5k or above: The new rules mandate advance notification by banks to customers before executing recurring payments of the value of ₹5,000 and above. The notification is meant to seek the customer’s approval for taking forward any such transaction.

Under this new system, for any transaction of more than ₹5,000, banks will send one-time passwords (OTPs) to customers. Currently, auto-debits are allowed under the new system without one-time passwords for payments under ₹5,000.

– Mandatory AFA: In addition, RBI has made an additional factor of authentication, or AFA, mandatory for all recurring transactions below ₹5,000 on debit cards, credit cards, unified payments interface (UPI), and other prepaid payment instruments or PPIs.

As per the guidelines, banks are now required to take clear consent at registration and to send notifications to customers 24 hours in advance, giving them an option to opt out.

RBI changed this entire model from merchant-led to bank-led. In the earlier era, consent was taken by the merchant and communication also took place with the merchant.

The new guidelines state that the registration has to be executed by a bank, which will also handle customer escalation and send the necessary messages.

Guidelines that RBI introduced on Payment Gateways/Aggregators –

– The payment aggregator/payment gateway (PA/PG) guidelines introduced by RBI mandate that firms approved by the RBI can acquire and offer payment services to merchants.

– One condition that was particularly troubling for the industry was that no merchant will be allowed to store the Card-on-File (CoF). CoF is the card information stored by the payment gateway and merchants to process future transactions.

Guidelines on card storage:

– Further, RBI had earlier this year mandated that e-commerce companies and payment aggregators will no longer be allowed to store card details of a customer online.

What is the rationale behind the new guidelines?

On recurring payments:

The broad purpose of the new rules is to ensure that holders of credit or debit cards are not constantly hit by recurring charges without their consent. Other reasons include:

– Loose regulation: Recurring payments were not allowed in India, but they were also never disallowed. They have been in a grey zone for long. There were no structured guidelines around them.

– Customer protection: In the past two-three years, a lot of banks started supporting recurring payments. RBI was worried that such fast-paced growth would compromise customer protection, considering India’s demographic. For example, many financially less-literate customers might be signing up for a recurring payment mandate thinking it’s a one-off payment. They wouldn’t know whom to approach, or how, to cancel such mandates.

– Malpractices by Merchants: Some merchants started abusing the system. They started taking standing instructions on their platforms and made it difficult for subscribers to stop auto-debits.

On Payment Aggregators/Gateways:

– The motive of the new PA/PG guidelines is to have better supervisory control over payment operations of internet and e-commerce firms in India.

On Card storage:

– The recent data breaches at Juspay and MobiKwik were also a trigger for the strict card storage rules. However, there is no guarantee that even with these changes, a data breach will not happen as this rule also brings in concentration risk to the ecosystem.

What have been the implications of RBI’s new regulations and guidelines?

On subscribers: The ease of transaction they were used to has disappeared. Some are annoyed because their Apple, cloud storage, OTT (over-the-top) platform, music and newspaper subscriptions are getting rejected.

On the other hand, some customers are indeed happy this happened—they can easily get rid of subscriptions they no longer need.

On companies: Indian subscription renewals are failing due to the issue of re-verification. Companies are at risk of losing their businesses. More than 70% of all standing instructions failed on 1 October and they continue to fail.

On small businesses: There are plenty of small businesses, such as jewellers, who depend on subscriptions. For instance, some of them run gold kitty schemes allowing customers to deposit as little as ₹1,000 per month systematically for a tenure of 11-36 months after which they are entitled to purchase jewellery at a discount.

On Banks:

– Lack of infrastructure. Only the top 10 banks are ready with the required infrastructure today and many banks lag behind. For banks, the migration of old data is a tough task.

– Huge cost to banks. According to industry sources, it would cost ₹12 lakh and ₹15 lakh as one-time integration cost to the banks. Then, there are expenses banks would incur for onboarding a customer, customers opting out and on every transaction.

On Ecosystem companies: The issuer (banks) ecosystem being ready was not enough because next, the payment aggregators and merchants needed time to integrate. Ecosystem companies such as payment aggregators not only had to build the solution but also test it, get a sign-off from the banks and solution providers before they could go live.

The card storage guidelines will be a major blow for businesses such as Cred, Flipkart, Swiggy, Zomato, Amazon and other e-commerce businesses. The business model of all these companies depends on “frictionless one-click” payments for consumers. Under the new rules, companies such as Cred will need to compel their users to type in their card details every single time a payment has to be made.

What is the way forward?

First, pre-authorisation of debits must be clear and transparent; users should be clear about where their personal data is being held; and it should be easier to cancel subscriptions through payments operators.

Second, RBI as a consumer-facing regulator will have to work harder to expand its consultation process before introducing new rules.

Third, having observed the problems caused by the new rules, the RBI must swiftly respond, and work out how to make them more palatable for smaller enterprises and consumers.

Fourth, there are multiple other mechanisms that can be considered. For example, banks could be mandated to keep a record of recurring payments on a customer’s net-banking portal, where the customer could access it and turn payments on and off as desired.

Alternatively, the new protocols could be limited to recurring payments over a certain threshold.

Fifth, while the business of cards will be impacted, the card storage guidelines open up a new revenue line for the card networks, as the entire industry has been asked to move to ‘tokenization’.
