CUSTOMERS IN LIMBO AS BANKS, PAYMENTS FIRMS AND THE RBI THRASH OUT DIFFERENCES
WHO WILL BLINK FIRST: PSPs worried about losing business over regulator’s stance on tokenisation; banks dragging feet on e-mandate and auto-debit rule
The payments industry is at a crossroads with the banking regulator on two pressing issues, neither of which seems headed towards an amicable solution.
Depending upon which side accommodates the other, customers in India will have to choose between convenience and ironclad safety. In the end, the Reserve Bank of India (RBI), which regulates both banks and all payments services providers, will prevail. But the question is: will it do so by bending a little or by sticking to its firm stand?
The two issues — one concerning payment facilitators storing customers’ card details and the other about auto-renewal of payments — appear similar but aren’t.
Tokenisation
The RBI is not willing to ease its stance on tokenisation, insisting that payment facilitators cannot store customer card details. This would come as an inconvenience to many, particularly online shopaholics who have so far had to key in only the CVV number of their cards saved (masked with the last four digits visible) on the e-commerce portal and proceed with a transaction.
What the RBI is proposing is that every time a transaction is to be made, the entire card details must be keyed in. These would reach the merchant servers in a tokenised format, or as random numbers. Since the tokenised numbers generated would be one-time in nature, the merchant site and payments facilitator would have no reason to save the details.
The RBI’s logic is that this will introduce a robust safety mechanism for Indian consumers. E-commerce sites and others in the chain, however, argue that it will be a body blow to online transactions since fast checkouts will be hampered. Single-click purchases with tech sites such as Google and Apple will also cease to exist with this, adding some element of complexity to purchasing apps.
To be sure, even now, few people want to store their card details with e-commerce sites.
And while payments industry insiders, too, have welcomed the RBI stance on customer safety, they want an alternative mechanism, which the central bank has not yet agreed to.
“The RBI’s concerns are genuine because we have seen several hacks on merchants and payment service providers (PSPs) in the recent past, wherein data of millions of cards was compromised,” says Vishwas Patel, chairman, Payments Council of India.
“While the RBI has allowed payment aggregators to store card details for transaction processing purposes, it wants to prohibit the one-click checkout service. The demand, however, is that since payment aggregators and gateways are following best practices, they might as well allow the one-click checkout service,” Patel adds.
Rameesh Kailasam, CEO and president of Indiatech.org, an industry association representing India’s technology start-ups, unicorns and investors, agrees that while the RBI’s intention is noble, it will create “frictions in the transaction process and may upset the experience of the consumer”, who will have to enter the 16-digit card number, name, expiry date, CVV number, and the OTP instead of just the CVV and OTP now.
“The efficiency and ease of making payments in the periodic/monthly subscription-based models will be disrupted,” says Kailasam. “We are proposing that the RBI allow PCI DSS Level 1-certified merchants to store the card details.” (PCI DSS, or Payment Card Industry Data Security Standard, is the benchmark of payments security, and Level 1 is its highest and most stringent standard.)
Modes such as Unified Payments Interface (UPI) and net banking would likely gain from tokenisation.
Payments companies, which have been dragging their feet on the issue, have till December 31 to comply. The RBI is unlikely to budge.
E-mandates
The second, and more nuanced, is the issue of e-mandates, which is staring at a September deadline. Under the revised rule on auto-debits and e-mandates, which was earlier to be implemented on April 1, a customer has to give her consent for payment to be deducted from her account. This Additional Factor of Authentication (AFA) applies for auto-renewal of payments up to ₹5,000, across all modes such as UPI, wallets and banks.
Industry sources say so far only two private banks have upgraded their platforms to accommodate this AFA mandate. Others, including public sector banks (PSBs) that ordinarily comply with RBI rules readily, are not willing to invest in the infrastructure.
The RBI has in the past delivered a stern warning on non-compliance, but banks have dug in their heels and are unwilling to invest millions for a value-added service that they can simply drop from their product offerings. Of course, everyone will eventually end up complying with the RBI diktat so as not to be in the regulator’s bad books, but they will be in no hurry to do so, experts say. And this won’t be the first time banks would be stalling.
It took about a decade for the RBI to push all banks to migrate to CTS2010 standard for cheques. International Financial Reporting Standards (IFRS) is something that has still not been achieved even after more than a decade. With e-mandate, too, it could be a long-drawn affair, despite the RBI threatening “stringent supervisory action” if the September deadline is missed.
Sources say some PSBs have argued that since their customer base is not as tech savvy, such a consent-based mechanism would add to the confusion. The customers may not give their consent on even mundane things, fearing fraud, and this could lead to payments failure.
“Clever fraudsters, who evolve with technology, will exploit such a consent type system,” says a senior banker, requesting anonymity. “We have just educated the customers not to respond to bank messages, especially with sensitive data. Now we will have to tell them you can give consent sometimes. This will bewilder many who are not savvy, and will have the opposite effect of what the RBI’s intention is.”
Banks, particularly the public sector ones, also do not want to upset their stable network that facilitates varied kinds of transactions, including running direct benefit transfer (DBT) schemes of the government.
Therefore, it is likely that when the deadline ends, banks will do what they did at the end of March — alert customers that the auto-debit service is being cancelled from the bank’s end. And they will be well within their rights to do so, experts say.
That said, on both issues — tokenisation and e-mandates — the RBI will have its way, says a senior banker. For the regulator, the banker adds, “safety is of primary concern while convenience comes a distant second”.
“The regulator issues discussion papers, consults all stakeholders and gives sufficient lead time — and also extends it many times. Despite this, if the players are behind the curve, nothing can be done,” says the banker, adding that the regulatory sandbox process is throwing up interesting solutions for today’s problems, provided the players invest.
“This ecosystem is going to evolve constantly. Can anyone stick to the old ways and do business? The inertia in the system, plus an unwillingness to invest in safety, is the bane of the Indian financial system,” the banker adds.