by Tarun Krishnakumar
Quick overview
– RBI’s 2FA requirement applies to all transactions using cards issued in India, for payments on merchant sites where no outflow of foreign exchange is contemplated (RBI Circular No.RBI/2010-2011/243).
– Foreign exchange outflow, if present in a transaction, exempts the same from the RBI’s 2FA requirements. It is possible that such outflow may, in fact, be present with Netflix as there may be no return of transferred funds to India (unlike Uber where funds flow back to Uber India to compensate drivers etc.).
– In addition, unlike Uber, it is not necessarily the case that the service in question is being provided by Indian service providers to Indian customers.
– Preliminary indications suggest that, so far, Netflix Inc. (USA) deals with Indian customers and not an Indian subsidiary. Without clarity as to Netflix’s corporate structure, suggestions that it violates RBI’s 2FA requirements are, at best, premature.
A parallel between the Indian expansions of Uber and Netflix has been the debates they have stimulated about the issue of Two-Factor Authentication (2FA) requirements for transactions involving Indian-issued credit and debit cards. What 2FA essentially means is that, unlike abroad, the mere details present on a card are insufficient to carry out a transaction online.
In India, Reserve Bank of India (RBI) regulations stipulate that in addition to the details available on a card (such as card number, holder name, expiry date and CVV), an additional layer of authentication is required to carry out Card Not Present (CNP) transactions. In most cases, this has taken the form of an additional password (such as MasterCard’sSecure Code or VerifiedbyVisa) or an SMS-based one-time-password (OTP) sent to the holder’s registered mobile number. In 2014, the RBI is widely reported to have found Uber’s payment structure in violation of these requirements. According to the RBI, Uber’s direct charging of cards for trips without 2FA and the use of a foreign payment site/gateway (Background available: here, here and here).
Subsequent to Netflix’s Indian launch on January 6th, 2015, commentators (for example: on The Next Web and Medianama) have suggested that Netflix’s model (technical glitches and fake Twitter accounts aside) may violate the RBI’s 2FA requirements. In my view, given the lack of clarity of Netflix’s corporate structure, these suggestions are premature and illustrate the same with reference to the text of RBI circulars on 2FA for CNP transactions so far.
2FA – The Story So Far
It all began in February 2009, when the RBI, noticing the increasing use of debit/credit cards in the country, decided that there was a need for “a system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions” (in other words, 2FA) in addition to requiring online alerts to cardholders for all CNP transactions of the value of five thousand rupees and above (RBI Circular No. RBI/2008-2009/387).Later on, in April 2010, this requirement was extended to cover IVR transactions as well (RBI Circular No. RBI/2009-2010/420).
October 25, 2010 saw the issuance of a direction which directly affects entities processing payments abroad (such as Uber and Netflix here). Here, the RBI clarified that “the mandate [of 2FA] shall apply to all transactions using cards issued in India, for payments on merchant site where no outflow of foreign exchange is contemplated. The linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate…The mandate is not presently applicable for use of cards issued outside India, on Indian merchant sites” (RBI Circular No.RBI/2010-2011/243).
This was followed up by a relatively inconsequential direction in December, 2010 which allowed IVR transactions to proceed without 2FA till January 31, 2011 and also sought stakeholder input in respect of recurring and money-order-telephone-order (MOTO) transactions which are a subset of CNP (RBI Circular No. RBI/2010-11/347).
In March, 2011, the RBI mandated that banks “may take steps to put in place a system of online alerts for all types of transactions irrespective of the amount, involving usage of cards at various channels”(RBI Circular No. RBI/2010-11/449). Another critical direction came in August, 2011 when the RBI mandated 2FA for recurring/standing order based as well as MOTO transactions following the stakeholder consultation. (RBI Circular No. RBI/2011-12/145). MOTO transactions are those where card details were provided over mail or telephone to service providers (hotels/travel agents) as part of confirming a reservation. If a cancellation was made, providers would charge the card for the necessary fees.
No other directions in relation to CNP transactions followed till August, 2014. In this direction, the RBI noted that:
“there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow.”
The RBI directed that entities immediately put a stop to such arrangements as they violated existing directions.
In the same circular, the RBI further advised that:
“that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.” (RBI Circular No. RBI/2014-15/190).
This development was commonly perceived to be in response to Uber’s payment model which involved payments for rides being routed through Uber B.V. (Netherlands) before returning to India to pay drivers and cover other costs. The RBI, in this circular, also pointed out that such models may constitute violations of FEMA – a subject not addressed by this post.
The most recent directive in relation to 2FA was issued in May, 2015 and exempted cards which employed Near Field Communication (NFC) contactless technology for transactions under Rs.2000/-. The circular expressly clarified that it would not apply to ATM or CNP transactions (RBI Circular No. RBI/2014-15/601).
Implications of these circulars (or lack thereof) for Netflix
In light of the above circulars, it is my view that 2FA would only apply to govern CNP transactions where no foreign exchange outflow is contemplated. As a corollary, if there is foreign exchange outflow that occurs, the same would not invite the application of the RBI’s 2FA requirement. As per the text of the circulars, residency of the service provider and customer as well as where the services are provided seem to be factors which influence this determination.
In the case of Uber, the RBI noted – and, this is critical – that certain entities were using foreign payees to acquire payments for what were essentially transportation services provided by one Indian resident (the driver) to another within India. A similar configuration of actors may not be implicated in Netflix’s case.
In case of Netflix, suggestions that it falls foul of RBI directives are premature. If indeed it is the case that content is licensed by Netflix USA (or another foreign entity) and not an Indian subsidiary, there would be no Uber-like return of the foreign exchangeto India. The subscription fees of customers would flow out of India to the concerned entity and would not necessarily return. In other words, what flows outwards to Netflix B.V. (Netherlands) would stay in the Netherlands or flow elsewhere. Moreover, the streaming service would be provided by a foreign resident to an Indian resident and may not be provided completely ‘within India’.
At the moment, there is no indication yet that there is an Indian Netflix subsidiary to which subscription payments are routed or which is providing the streaming services in question. So unlike Uber where the transaction was for services between Indian entities, Netflix may involve services being provided by a foreign entity to Indian users.
In fact, circumstantial evidence points to the fact that for Indian subscribers, Netflix Inc. (USA) may be the nodal body. For instance, there are no Indian customer care details provided on the Netflix India site and the entity entering into the Terms of Use and Privacy agreements with Indian subscribers is Netflix B.V. (Netherlands). Moreover, unlike Uber which has a substantial physical presence and offices in India, Netflix, at least at the moment, seems to be offered over the internet without the need for physical presences (this would explain the ability to release in around the world in paralleland the lack of any India-based employees so far).
In addition, while searches of the Company/LLP Registry do reveal a Netflix LLP registered in 2010, I could find no connection to the on-demand video streaming service in question (search “AAA-2729” here; also do a name search here). Public Trademark Registry documents reveal trademarks to have been granted / applied for by the US corporation Netflix Inc. as well (for instance, search for “Netflix” in TM classes 9 and 38 here) though they may be other independent commercial or legal reasons for this.
In sum, it remains to be seen if Netflix will be launching a full-scale local office or subsidiary in India (most recently, like Tinder) but, as far as questions of compliance with the RBI’s 2FA go, the approach should be wait and watch.
Tarun Krishnakumar is a technology lawyer and policy consultant based in New Delhi. He is an alumnus of the National Law School, Bangalore and a former Berktern. He may be contacted at tarunkrishnakumar1@gmail.com. All views expressed are personal.
