Traditionally, India has been recognized as one of the most cash-dominated jurisdictions in the world. While the government has sought to promote digital payments among the masses, the transition to cashless digital transactions has been slow and gradual. However, with the onset of the pandemic, digital payments in the country have grown exponentially.

AFA Restrictions

Recurring transactions are commonly used by customers for enabling periodic payments for digital content subscriptions, utility payments, etc. Most digital service providers operate on a subscription model wherein debit/credit cards of customers are auto-debited based on pre-determined billing frequency. Such deductions are automated and do not require the customer's pre-approval or a requirement of presenting the card at the time of debit.

To secure recurring online transactions, the Reserve Bank of India (RBI) introduced the concept of 'Additional Factor of Authentication' (AFA) on August 21, 2019 (AFA Circular). The AFA Circular indicated that auto-debits of customers' cards (for both domestic and cross-border transactions) would no longer be permitted, and that every such transaction would be subject to a compulsory e-mandate registration. The scope of the AFA Circular covers all recurring transactions, including transactions initiated through cards, pre-paid instruments (PPIs), wallets and the Unified Payments Interface (UPI).

E-mandate

Pursuant to the AFA Circular, customers who authorize recurring transactions on their cards would be required to undertake an AFA registration for recording their e-mandate. Such AFA registration will be facilitated by the card issuing entity i.e., banks.

In simple terms, each customer will be allowed to set a transaction limit on their card. This limit may either be a fixed value or a variable value subject to an upper cap determined by the customer. Debits for recurring transactions on such cards can only be up to that limit. However, as prescribed by RBI, no customer can register an e-mandate that exceeds INR 5,000.

Once an e-mandate is successfully registered, the first recurring transaction on the card will also require AFA validation. Subsequent recurring transactions may be performed without AFA. Transactions beyond the registered e-mandate will require AFA for each such transaction. Further, banks will be required to enable customers to modify or delete their e-mandates.

Generally, banks will follow an OTP-based mechanism to conduct AFA validation, wherein the OTP is sent to the registered mobile number of the customer. As a risk mitigation measure, RBI has proposed that banks send pre-transaction and post-transaction notifications to cardholders who have registered an e-mandate with them.
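The e-mandate and AFA rules described above, written out as an added Python model for illustration (this is not code from the article or from any issuing bank; the mandate limit, debit amounts and AFA results below are constructed inputs):

```python
# Added example: models the e-mandate / AFA rules described in the article.
# Not code from the article or any issuer; inputs are constructed for illustration.
from dataclasses import dataclass

EMANDATE_CAP_INR = 5000  # maximum e-mandate value RBI permits (per the article)


@dataclass
class EMandate:
    """An e-mandate registered by the cardholder with the issuing bank."""
    limit_inr: int                  # fixed value, or customer-set cap for a variable mandate
    first_debit_done: bool = False  # the first recurring debit still needs AFA

    def __post_init__(self) -> None:
        if not 0 < self.limit_inr <= EMANDATE_CAP_INR:
            raise ValueError(f"e-mandate limit must be 1..{EMANDATE_CAP_INR} INR")


def authorise_recurring_debit(mandate: EMandate, amount_inr: int,
                              afa_validated: bool) -> dict:
    """Decide a recurring debit against the mandate.

    Returns the decision ('approve', 'afa_required' or 'decline') and the
    customer notifications the issuer should send for this attempt.
    """
    notices = ["pre-transaction notification"]  # sent before any debit attempt
    if amount_inr <= 0:
        return {"decision": "decline", "notifications": notices}

    # AFA is needed for the first debit under a mandate and for every debit
    # above the registered limit; other in-limit debits pass without AFA.
    needs_afa = (not mandate.first_debit_done) or amount_inr > mandate.limit_inr
    if needs_afa and not afa_validated:
        return {"decision": "afa_required", "notifications": notices}

    mandate.first_debit_done = True  # recorded only once a debit actually succeeds
    notices.append("post-transaction notification")
    return {"decision": "approve", "notifications": notices}


if __name__ == "__main__":
    m = EMandate(limit_inr=1500)  # constructed: variable mandate capped at INR 1,500
    print(authorise_recurring_debit(m, 499, afa_validated=False))   # first debit: AFA needed
    print(authorise_recurring_debit(m, 499, afa_validated=True))    # approved
    print(authorise_recurring_debit(m, 499, afa_validated=False))   # in-limit, no AFA
    print(authorise_recurring_debit(m, 1501, afa_validated=False))  # above limit: AFA each time
```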

Industry Concerns

To implement RBI's regulations on recurring transactions, banks will be required to undertake a comprehensive system and technology overhaul. The regulations require constant monitoring of recurring payments by banks by way of conducting periodic AFA validations and sending (pre and post) transaction notifications.

Given that the share of recurring online transactions in India, although growing, is not significant, it is doubtful whether banks will see any incentive in implementing these regulations. Also, several banks in India are not sufficiently equipped, both in terms of finances and workforce, to ensure compliance with the regulations.

The economic model of digital businesses will suffer tremendously if there is any disruption in receiving payments through recurring transactions.  

Prohibition on Merchants from storing Customer card credentials

If implementation of the AFA Circular was not enough of a blow already, with the introduction of the card tokenisation framework, merchants have found themselves in the midst of another radical transformation in the digital payments space.

To curb the menace of card-related fraud, data theft, etc., RBI, in its Guidelines on Regulation of Payment Aggregators and Payment Gateways issued on March 17, 2020 (PAPG Guidelines), directed payment aggregators and merchants not to store card credentials of customers and to purge any previously stored card data. As a consequence, merchants would not be able to pre-fill card details for a customer at the time of making digital payments. Hence, customers would be required to bear the inconvenience of entering their card details every time they undertake online transactions.

However, to ensure that customers have a seamless digital payment experience, RBI issued the revised tokenisation framework for card transactions on September 7, 2021 (Tokenisation Framework).

Tokenisation

Tokenisation is an irreversible process whereby actual card numbers are replaced by random codes (tokens). Because a token is not derived from the card number, it cannot be reversed to recover it, which offers improved security when compared to encrypted card data, where the number can be recovered by anyone holding the key.

Under the Tokenisation Framework,

  • Apart from last 4 digits of the customer's card number and card issuer's name, no entity other than card issuers (i.e., banks) and card networks will store any customer card data.
  • Any such data previously stored would need to be mandatorily purged.

When a customer initiates payment on a merchant's application, the merchant sends such request to the card network which stores the card data. The card network then issues a token after satisfying itself about the customer's solvency. Upon successful generation of a token, a customer may continue to pay using such saved (tokenized) card.   
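A minimal model of the token flow described above, added here for illustration (not code from the article, RBI or any card network; the in-memory vault stands in for the card network, and the card number used is a constructed test number):

```python
# Added example: models the token flow described in the article. Not code from
# the article, RBI or any card network; the PAN below is a constructed test
# number and the vault is an in-memory stand-in for the card network.
import secrets
from dataclasses import dataclass, fields


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test applied to card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class MerchantCardRecord:
    """The only card data a merchant may keep under the Tokenisation Framework."""
    token: str
    last4: str
    issuer_name: str


class CardNetworkVault:
    """Stands in for the card network: the sole holder of token-to-PAN mappings."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def issue_token(self, pan: str, issuer_name: str) -> MerchantCardRecord:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("malformed card number")
        token = secrets.token_hex(16)  # random, so the PAN cannot be derived from it
        self._pan_by_token[token] = pan
        return MerchantCardRecord(token=token, last4=pan[-4:], issuer_name=issuer_name)

    def resolve(self, token: str) -> str:
        """Only the network can map a token back to the PAN to route a payment."""
        return self._pan_by_token[token]


def merchant_record_is_compliant(rec: MerchantCardRecord) -> bool:
    """Check a stored record holds only the permitted fields and no full card number."""
    if {f.name for f in fields(rec)} != {"token", "last4", "issuer_name"}:
        return False
    if not (len(rec.last4) == 4 and rec.last4.isdigit()):
        return False
    # a token that itself looks like a card number would defeat the purpose
    return not (rec.token.isdigit() and 13 <= len(rec.token) <= 19)
```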

Impact of Tokenisation on Recurring Transactions

Industry stakeholders appreciated the tokenisation initiative; however, the tight timelines for its implementation caused great concern. While merchants and payment aggregators were given only until December 31, 2021, to fully comply with the card storage norms and purge all customer card data in accordance with the PAPG Guidelines, RBI issued a feasible alternative in the form of tokenisation only in September of this year.

To implement tokenisation, entities would be required to undertake an overhaul of their technology and infrastructure. However, given the timeframes, it seemed unlikely that all participants in the Tokenisation Framework would be able to successfully implement this model. Consequently, digital payments, including recurring transactions would suffer a huge hit as customers would not be keen on feeding in their card data every time they undertake online transactions. They would grow averse to purchasing products/availing services online.

Some of the concerns that plagued stakeholders have been discussed below.

Cost Implications for Merchants

Implementation of tokenisation will lead to several cost implications and operational challenges for merchants. If a merchant does not employ tokenisation, then its customers would be required to feed in their card details for every transaction they make with such merchant. This would not be a viable business model as customers would prefer purchasing from competing businesses that offer the comfort of tokenisation.

To reduce the costs associated with tokenisation, merchants (especially smaller players in the market) may contemplate shifting to annual subscription models. An annual subscription model with higher subscription amounts may adversely affect customer subscription rates. This would directly affect their profitability and may even lead to their businesses collapsing.

Merchants are at the mercy of Banks/Card Networks

Pursuant to the Tokenisation Framework, only banks and card networks are permitted to store card data. Hence, the hands of merchants and payment aggregators are tied unless the banks and card networks carry out the necessary technology overhaul to implement the Tokenisation Framework. Failure by banks and card networks to effectively implement tokenisation would have a domino effect on merchants and payment aggregators, who would not be able to proceed with their token-requesting process.

Although the introduction by RBI of the auto-debit and Tokenisation Framework is driven by consumer interests, a hasty implementation may only add to consumers' woes. It is important for RBI to appreciate that compliance with the Tokenisation Framework by merchants and payment aggregators hinges on banks' and card networks' ability to implement the same. Hence, stakeholders recommended that RBI provide interim timelines for banks and card networks to successfully implement the technology for enabling tokenisation. In the meantime, merchants and payment aggregators should be allowed to proceed with digital transactions using customer card data stored in their databases. Otherwise, online transactions would come to a halt, thereby disrupting the digital services industry.

Notably, RBI has taken due note of industry concerns and representations and, vide notification dated December 23, 2021, has extended the timeline for compliance with the card storage norms by a further period of 6 months. Merchants will now have until June 30, 2022, to store customer card data; after this, all such data must be purged. Further, RBI has suggested that for activities (such as handling recurring e-mandates, EMI options, and post-transaction activities like chargeback handling, dispute resolution, reward / loyalty programmes, etc.) for which merchants rely on customer card data, they may devise alternate mechanisms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.