Through a combination of lobbying and non-compliance, the banking and payments industry has convinced the Reserve Bank of India (RBI) to extend the timeline for compliance with a set of new rules that impact recurring payments and card storage by merchants and payment aggregators.
The RBI had introduced two new rules; it has now given the industry additional time to comply with both guidelines:
- Framework for processing of e-mandates on recurring online transactions, August 2019: deadline extended by six months to September 31, 2021
- Guidelines on Regulation of Payment Aggregators and Payment Gateways, March 2020: deadline for some aspects extended by six months to December 31, 2021
Recurring payments deadline extended at IBA’s request
Under the August 2019 policy, the RBI mandated banks and payment companies to introduce a pre-transaction notification before auto-debiting a customer's account via their debit or credit cards, digital wallets or the Unified Payments Interface. It also mandated companies to issue a post-transaction notification for recurring transactions, provide an option to withdraw the e-mandate and set up a dispute or grievance redressal mechanism for the same. This policy was to be in force from March 31, 2021 onwards, but has been extended to September 31.
Transactions below Rs 5,000 do not need an Additional Factor of Authentication, like one-time passwords. The RBI introduced these changes to ensure that customers are made aware of every recurring automated transaction, before and after their accounts are debited. This was done to ensure greater protection for customers against fraudulent transactions.
However, banks were late in complying with these new rules as their entire e-mandates system needed to be overhauled. As a result, several banks like ICICI Bank and Axis Bank said that all recurring transactions from April 1 this year would fail, regardless of the transaction size. This is because they would first need to re-engineer their e-mandate system to provide customers with pre- and post-transaction notifications and, second, set up e-mandates again in order to comply with the new rules.
“Based on a request from Indian Banks’ Association (IBA) for an extension of time till March 31, 2021, to enable the banks to complete the migration, Reserve Bank had advised the stakeholders in December 2020 to migrate to the framework by March 31, 2021. Thus, adequate time was given to the stakeholders to comply with the framework. It is, however, noted that the framework has not been fully implemented even after the extended timeline. This non-compliance is noted with serious concern and will be dealt with separately. The delay in implementation by some stakeholders has given rise to a situation of possible large-scale customer inconvenience and default.” — Reserve Bank of India
The RBI added that during the extended timeline, no new mandates for recurring transactions can be registered unless they are in compliance with the framework.
Card storage rules
In March last year, the RBI issued a new guideline for non-bank payment aggregators (PAs) and payment gateways (PGs), which was due to come into force from June 30 this year. While the guideline sets out the contours for PA and PG businesses, in a significant development the RBI barred merchants and PAs from storing card data, irrespective of their being PCI-DSS compliant or otherwise.
According to the rules:
- Merchants are not allowed to store payment data, but are allowed to store limited data for the purpose of transaction tracking
- PAs also cannot store customer card credentials within their database or server (irrespective of it being accessed by the merchant or not), except for the limited purpose of transaction tracking
This earned the ire of the startup ecosystem and fintech industry, which rely on customers storing card data for a better check-out experience. Companies like Zomato, Swiggy, Uber, Ola, Amazon and Flipkart, among many others, would be significantly affected by the new rules since they allow customers to store their cards online. The customer would only need to enter their CVV number and OTP to process the transaction. Under the new rules, customers would need to enter their card details every time they make a transaction, which would inevitably increase friction for customers.
On Wednesday, the RBI extended the timeline to comply with this aspect of the March 2020 guideline from June to the end of December 2021.
“Based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation”—Reserve Bank of India
All the other rules under the guideline would remain in effect from June 30, 2021, the RBI said. These include:
- While bank PAs do not need to seek fresh authorisation from the RBI, non-bank PAs and PGs are required to submit their application for licenses by June 30.
- Existing non-bank PAs had to submit an auditor certificate of their net-worth at the time of their application for authorisation by March 31, 2021. Companies that did not meet the net-worth requirement would not get the central bank's authorisation to operate as a PA/PG.
- KYC guidelines are applicable to PAs who maintain an account-based relationship with merchants. If the merchant already has a bank account, which is being used for transaction settlement purposes, the PA need not carry out the entire KYC process.
- There are also rules on net-worth, authorisation, capital, governance norms, Know-Your-Customer and merchant on-boarding, settlement and escrow accounts, security, fraud prevention and risk management, money laundering provisions, customer grievance and dispute management which come into effect from June 30 onward.