RBI's New Recurring Payment Rules: Last December, the RBI had informed banks and payment gateways that recurring transactions via cards, UPI, or prepaid payment instruments, which are not compliant with the additional factor authentication, would not be processed beyond March 31, 2021. The deadline was later extended till September.
New RBI Norms on Recurring Payment: “While the need to give consent and go through a two-factor authentication process for every payment above Rs 5,000 will enhance the security of transactions, it might create some disruption among businesses, and personally, I also agree that if a mandate from the customer is given, the need for an additional factor of authentication should not be there,” Vishwas Patel, Chairman at Payments Council of India (PCI) and Executive Director at Infibeam Avenues, told Financial Express Online in an interaction.
Patel was responding to a question on whether the new recurring payment rules by the Reserve Bank of India (RBI) would have any impact, particularly on small and emerging entities that offer cloud or SaaS services and work on monthly, quarterly, or yearly payments or subscriptions. Largely, insurance premiums, EMIs, vehicle or home loans, etc., are payments usually preferred by customers for auto-debit.
The new rules, which came into effect on October 1, 2021, mandated customers to give their consent for every recurring payment of over Rs 5,000, and also to go through a two-factor authentication process every time a payment is to be made instead of the simpler auto-debit rules earlier. For payments up to Rs 5,000, customers will have to re-authenticate any standing instructions for recurring payments to make subsequent payments without the additional factor authentication (AFA).
“This is a giant step backward. What we need is effective redressal, not better locks. Two-factor authentication for every transaction has a real cost to the economy: it inhibits spending, and the ones who are most affected by it are the smallest merchants. It is surprising that credit/debit card based payment is a well-solved problem the world over, but we are still struggling to take any steps forward. We need to ease transactions online, and give greater control to users to determine how and when they spend, what alerts and limits they set for themselves, and the nature of transactions they are comfortable with,” Utkarsh Sinha, Managing Director, Bexley Advisors told Financial Express Online.
The RBI’s notification on the processing of e-mandate on cards for recurring transactions in August 2019 read that “keeping in view the changing payment needs and the requirement to balance the safety and security of card transactions with customer convenience, it has been decided to permit processing of e-mandate on cards for recurring transactions (merchant payments) with AFA during e-mandate registration, modification and revocation, as also for the first transaction, and simple / automatic subsequent successive transactions.”
Last December as well, the central bank had informed lenders and payment gateways that domestic or cross-border recurring transactions via cards, UPI, or prepaid payment instruments, which are not compliant with the additional factor authentication, would not be processed beyond March 31, 2021. The deadline was later extended till September after multiple banks failed to comply with the guidelines.
“While the implementation has been made on a positive note to improve transaction security but on the business side, it will have a significant impact. For example, in most businesses the access to credit card, which would be in the name of the founder, is with the finance department for billing of various services like Google cloud or Amazon cloud every month. However, the cardholder may not be available every time for the authentication or verify it instantly. This might lead to discontinuation of services,” Anish Achuthan, Co-founder and CEO, Open, told Financial Express Online. Open offers digital neobank services to SMEs and had last week raised $100 million from Singapore’s Temasek, Google, Japan-based SBI Investment, Tiger Global, and others.
“This would have significant inconvenience basically. It should have been implemented only for B2C transactions but on the business side where frauds are relatively lesser currently, the RBI should have given some relaxation. However, as more businesses raise this concern, I’m sure the regulator will find ways to improvise this system,” added Achuthan.
In September, experts had noted that e-mandates for recurring online transactions and guidelines related to the Payment Aggregators and Payment Gateways (PAPG) will lead to challenges for not just payment aggregators and gateways, but also merchants, small businesses, banks, and others. In a webinar organised by think tank Empower India, Dr Aruna Sharma, Former Secretary, Government of India, had said, “When it comes to the data privacy issue, unless there’s a huge leak, the regulation should not operate in a heavy-handed manner. We have a huge cash economy and digital payments is the only way to tackle that. RBI has the right to ensure financial data is not hacked and protect the data of the consumer but not the way they are trying to do by regulating merchants.”
Patel said since most banks are not ready yet for the new process, the council had asked for an extension by a month. “The biggest blame is on banks who were lethargic to get their systems ready well in advance. While many public sector banks including the biggest ones are yet to adopt new rules, HDFC Bank and Kotak Mahindra Bank have already implemented the rules.”
Nonetheless, according to Patel, the move would empower consumers in the long term with respect to their online transactions. “If you have subscriptions for multiple things like Netflix, Zoom, electricity payments, etc., you were so far required to visit their respective websites to manage them but with the new guidelines, you can log in to your bank account to manage all of them. Also, it would help eliminate payments fraud related to auto-debit. With new guidelines, the control is with the user to provide permission for every transaction.”