wordpress blog stats
Connect with us

Hi, what are you looking for?

RBI extends timeline on new rules for recurring transactions and card storage

Through a combination of lobbying and non-compliance, the banking and payments industry has convinced the Reserve Bank of India (RBI) to extend the timeline for compliance with a set of new rules that impact recurring payments and card storage by merchants and payment aggregators.

The RBI had introduced two new rules, it has now given industry additional time to comply with both guidelines:

Recurring payments deadline extended at IBA’s request

Under the August 2019 policy, the RBI mandated banks and payment companies to introduce a pre-transaction notification before auto-debiting a customers’ account via their debit or credit cards, digital wallets or the Unified Payments Interface. It also mandated companies to issue a post-transaction notification for recurring transactions, an option to withdraw the e-mandate and set up a dispute or grievance redressal mechanism for the same. This policy was to be in force from March 31, 2021 onwards, but has been extended to September 31.

All transactions below Rs 5,000 do not need Additional Additional Factor of Authentication, like one-time-passwords. The RBI introduced these changes to ensure that customers are made aware of every recurring automated tranasaction, before and after their accounts are debited. This was done to ensure greater protection for customers against fraudulent transactions.

However, banks were late in complying with these new rules as their entire e-mandates system needed to be overhauled. As a result, several banks like ICICI Bank and Axis Bank said that all recurring transactions from April 1 this year would fail, regardless of the transaction size. This is because they would first need to re-engineer their e-mandate system which will provide customers with a pre and post-transaction notification and second they would need to set up e-mandates again in order to comply with the new rules.

“Based on a request from Indian Banks’ Association (IBA) for an extension of time till March 31, 2021, to enable the banks to complete the migration, Reserve Bank had advised the stakeholders in December 2020 to migrate to the framework by March 31, 2021. Thus, adequate time was given to the stakeholders to comply with the framework. It is, however, noted that the framework has not been fully implemented even after the extended timeline. This non-compliance is noted with serious concern and will be dealt with separately. The delay in implementation by some stakeholders has given rise to a situation of possible large-scale customer inconvenience and default.” — Reserve Bank of India

The RBI added that during the extended timeline, no new mandates for recurring transactions can be registered unless they are in compliance with the framework.

Advertisement. Scroll to continue reading.

Card storage rules

In March last year, the RBI issued a new guideline for non-bank payment aggregators (PAs) and payment gateways (PGs) which were due to come into force from June 30 this year. While the guideline sets out the contours for PA and PG businesses, in a significant development the RBI barred merchants and PAs from storing card data irrespective of their being PCI-DSS compliant or otherwise.

According to the rules:

  • Merchants are not allowed to store payment data, but are allowed to store limited data for the purpose of transaction tracking
  • PAs cannot also store customer card credentials within its database or the server (irrespective of it being accessed by merchant or not) except for the limited purpose of transaction tracking

This earned the ire of the startup ecosystem and fintech industry that relies on customers’ storing card data for a better check-out experience. Companies like Zomato, Swiggy, Uber, Ola, Amazon and Flipkart, among many others, would be significantly affected by the new rules since they allow customers to store their cards online. The customer would only need to enter their CVV number and OTP to process the transaction. Under the new rules, customers would need to enter their card details every time they make a transaction, which would inevitably increase friction for customers.

On Wednesday, the RBI the extended the timeline to comply with this aspect of the March 2020 guideline from June to the end of December 2021.

“Based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation”—Reserve Bank of India

All the other rules under the guideline would remain in effect from June 30, 2021, the RBI said. These include:

  • While bank PAs do not need to seek fresh authorisation from the RBI, non-bank PAs and PGs are required to submit their application for licenses by June 30.
  • Existing non-bank PAs had to submit an auditor certificate of their net-worth at the time of their application for authorisation by March 31, 2021. Companies that did not meet the net-worth requirement would not get the central banks’ authorisation to operate as a PA/PG.
  • KYC guidelines are applicable to PAs who maintain an account-based relationship with merchants. If the merchant already has a bank account, which is being used for transaction settlement purpose, the PA need not carry-out the entire KYC process
  • There are also rules on net-worth, authorisation, capital, governance norms, Know-Your-Customer and merchant on-boarding, settlement and escrow accounts, security, fraud prevention and risk management, money laundering provisions, customer grievance and dispute management which come into effect from June 30 onward.

Also Read

Written By

Reports on banking, payments, fintech and crypto-curencies. Additional reporting on media regulations, data protection and other areas.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Find out how people’s health data is understood to have value and who can benefit from that value.


The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ