The Reserve bank of India has finally issued revised guidelines on for prepaid payment instruments (PPI) and said that they will be interoperable. Here are some the broad changes in the wallet guidelines.
Net worth requirements:
All companies which are trying to get a wallet licence have to have a minimum net worth of Rs 5 crore which needs to be maintained for three years at all times, following which they need to have a net worth of Rs 15 crore at all times. Existing wallet companies need to maintain Rs 15 crore by March 31, 2020, following which they need to maintain the net worth at all times.
The draft guidelines stated that wallet companies will have to have a minimum net worth of Rs 25 crore, a sharp turn from the earlier regulatory norms for wallets included a minimum paid-up capital needed of Rs 5 crore and a minimum net worth of Rs 1 crore.
The net worth will consist of:
-Paid up equity capital
-Preference shares which are compulsorily convertible into equity capital
-Balance in share premium account
– Capital reserves which will include surplus arising out of sale proceeds of assets. This will not include reserves created by revaluation of assets which are adjusted for accumulated loss balance, book value of intangible assets and deferred revenue.
The RBI said that Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) guidelines will apply to wallets. Provisions of Prevention of Money Laundering Act, 2002 and Rules will be applicable to all wallet issuers.
- For semiclosed PPIs such as Paytm, MobiKwik, FreeCharge, PayU Money etc, any new wallets opened will have 12 months to upgrade to full KYC norms. The minimum details for KYC shall include OTP verified mobile number and self-declaration of name, address, gender, date of birth and unique identification number of any of the ‘officially valid document’.
- For existing wallets, companies need to ensure that they will have full KYC by the end of the December 31. Following which, these wallets will cease to exist.
- Will wallet users need to link Aadhaar to their wallets? MediaNama reader Srikanth points out that the RBI is using a hack not using Aadhaar directly on regulation instead offloading into Prevention of Money Laundering Act (PMLA) regulations which may be “amended from time to time”. Currently, the PMLA regulations mandate that all citizens should link Aadhaar to their bank accounts and this will follow for wallets as well. Bottom line, we may have to link Aadhaar to all wallets now.
The amount that can be held in wallets:
- For semi-closed wallets with minimum KYC, the RBI has reduced the amount that can be held to Rs 10,000 from the earlier Rs 20,000. The RBI had raised the limits on wallets following the demonetization of Rs 500 and Rs 1000 notes. In January, the RBI said that the enhanced limits would continue till it came out with the revised guidelines.
- Wallets with full KYC can hold up to Rs 1,00,000.
Here’s some good news from the RBI. Interoperability will be allowed but only for KYC compliant wallets. The RBI is proposing that it will allow interoperability in phases.
- In the first phase, wallet issuers (both bank and non-bank entities) shall make all KYC compliant wallets interoperable amongst themselves through the UPI within 6 months. This means that a user can transfer money from a Paytm account to a MobiKwik account if they are KYC compliant.
- In the next phase, interoperability shall be enabled between wallets and bank accounts through UPI. This means that users can send money back into their bank accounts and might do so without additional charges. Wallets typically charge around 4% to send it back to bank accounts.
- Interoperability for wallets issued in the form of cards shall also be enabled in due course. However, banks may continue to issue prepaid instruments in association with authorized card networks. Wallets can issue cards for the amounts in them and usually tie up with banks, as is the case we have seen with ItzCash. However, with this, wallets need not partner with banks and can simply tie-up with a card network. But it remains to be seen if the RBI will allow cash withdrawal through these cards.
- The operational guidelines will be issued separately.
Wallet players will have to take an undertaking form e-commerce marketplaces and payment aggregators or gateways that payments made by them will be used for paying merchants. This undertaking and list shall be submitted to the escrow bank.
Wallet issuers will have to submit the list of merchants acquired by it to the escrow bank and update the same from time to time.
Security and authentication:
PPI issuers shall review the security measures on:
- on on-going basis but at least once a year,
- after any security incident or breach,
- before / after a major change to their infrastructure or procedures.
The RBI has also prescribed many of the measures the ministry of electronics and information technology (MeitY) said in its consultation paper for developing a framework for security of digital wallets. These include mechanisms such as customer induced transaction caps on their wallets, restriction of multiple invalid attempts to sign-in, and a cooling period for funds transfer after opening a wallet to prevent fraudulent use of the account.
Anti-phishing: Wallet issuers shall subscribe to anti-phishing / anti-rouge app services from external service providers for identifying and taking down phishing websites/rouge applications in the wake of increase of rogue mobile apps/phishing attacks.
To further prevent phishing, the RBI also prescribed some additional norms.
- Wallet issuers should put in place suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions including loading/reloading into the PPI. Note that State Bank of India (SBI), the country’s largest lender, has removed the option of loading money on all major wallets through net banking due to rising online frauds. The bank said at increased instances of phishing led SBI to take this step.
- Issuers shall put in place mechanism for velocity check on the number of transactions effected in a PPI per day / per beneficiary.
- Issuers shall introduce a system of alert when a beneficiary is added. This might be problematic for mobile wallets which ask for permission for phonebooks and links them as a beneficiary.
The Validity of wallets and time period:
All wallets shall have a minimum validity period of one year from the date of activation or issuance to the customer. Issuers will have to caution customers at regular intervals 45 days prior to expiry of validity period. The caution advice shall be sent by SMS/e-mail/post. Even after the expiry of validity period, grace period of at least 60 days shall be given to the customer.
But more importantly, the wallets with zero balance for a consecutive period of one year shall be closed automatically by the issuers, and a notice sent to the customers. This will have a significant impact on the number of wallets companies claim that they have on their platform. Many wallets lie dormant as people download the application once and don’t use them. At the time wallet companies create a PPI but many users would uninstall the application later.