By Pradeep S Mehta & Sidharth Narayan
To enhance the safety and security of card-based online transactions, the Reserve Bank of India has mandated the operationalisation of the Card on File Tokenisation (CoFT). The move is coming into effect from October 1. The industry is yet to fully operationalise CoFT, particularly for recurring transactions. This may warrant another extension of the deadline, at least for recurring payments. More importantly, it is time for RBI to start penalising defaulting entities, after releasing a ‘status of readiness’ report.
The adverse implications of the under-prepared implementation of RBI’s circular on ‘Processing of e-mandate on cards for recurring transactions’ were seen last year. It led to the failure of a significant number of e-mandates for recurring payments, causing immense inconvenience to both consumers and merchants. A similar fate must be avoided for CoFT.
Laudably, RBI has played its part in raising awareness amongst consumers for tokenising their cards. A reference to CoFT was made in the Financial Literacy Week 2022. Many advertisements have also been published by RBI on securing cards and card-based online transactions. Merchants have also been prompting consumers to tokenise their cards before the due date of September 30.
Also Read: Crowdfunding booster
However, the questions to be answered are whether RBI can ensure industry readiness for implementing CoFT, and what use is CoFT if token-based transactions fail. It appears that RBI has put the cart before the horse by only focusing on consumers. This may do more harm than good for consumers. While the industry has made considerable progress in token creation, many in the ecosystem are still not fully ready to operationalise CoFT completely. This has been revealed in an RBI circular dated June 24, and is corroborated by recent media reports claiming that popular online payment platforms such as Paytm and PhonePe have tokenised most but not all cards saved on their platforms. Furthermore, industry associations like Merchant Payments Alliance of India (MPAI) and NASSCOM, in their recent joint submission to RBI, claimed that the industry is yet to achieve absolute success rates of token provisioning and one-time payment processing via tokens.
The number for recurring payments is believed to be far lower, with some merchants not having had the opportunity even to begin testing these. This shows that the industry is still in the last lap of fully operationalising CoFT, especially for recurring transactions. Notably, as per data released by RBI, the value of card-based e-commerce payments is over Rs 70,000 crore per month. It is believed that 1.5% of these are recurring payments, which would amount to over Rs 1,000 crore per month.
A survey conducted by CUTS International revealed that consumers may face several challenges like more time taken and inconvenience in making payments. Added to this are the risks of transaction failure due to entering incorrect card details for online payments. Notably, consumers were found to be more likely to store their card details with merchants they transact with frequently.
This perhaps enhances the risk of adverse impact on recurring payments. The survey also revealed that consumers might prefer to reduce the frequency of card-based online payments, stop using online services altogether, or shift to alternative modes of payment instead of re-entering all their card details for every transaction on different platforms. Purging card details without the complete implementation of CoFT could also increase the risks of third-party fraud. It would also dent consumers’ trust in card-based online payments. Accordingly, the unprepared implementation of CoFT in the present state has the potential of becoming a classic case of the economic concept of the ‘cobra effect’, where an attempted solution to a problem makes the problem even worse.
Considering the above, unfortunately, it seems like extending the deadline of operationalising CoFT and purging card details is, once again, the only option in front of us, at least for recurring payments. RBI needs to ensure that CoFT is fully and securely operationalised at scale, for different use cases. Furthermore, the industry is capable enough to successfully process token-based transactions in real-time before card details are purged.
Parallelly, in line with our long-standing demand, it is imperative for RBI to come out with a report on the ‘status of readiness’ of the stakeholders involved in the process. This will help in highlighting delaying entities, who may then be pulled up appropriately. More needs to be done in spreading awareness, building capacity, and generating consumer trust in CoFT. RBI may support credible consumer organisations for undertaking appropriate initiatives in this regard. For this, they already have a dedicated fund. Lastly, RBI should also take steps to minimise consumer harm by strengthening the grievance redressal mechanism in case of transaction failure or financial fraud due to glitches in CoFT. Provisions for reimbursement of lost amount and compensation may also be explored in this regard, by utilising the penalty amounts recovered from defaulting entities.
The authors are with CUTS International