The RBI is not willing to ease its stance on tokenisation, insisting that payment facilitators cannot store customer card details.
The payments industry is at a crossroads with the banking regulator on two pressing issues, neither of which seems headed towards an amicable solution.
Depending upon which side accommodates the other, customers in India will have to choose between convenience and ironclad safety.
In the end, the Reserve Bank of India (RBI), which regulates both banks and all payments services providers, will prevail.
But the question is: will it do so by bending a little or by sticking to its firm stand?
The two issues – one concerning payment facilitators storing customers’ card details and the other about auto-renewal of payments – appear similar but aren’t.
Tokenisation
The RBI is not willing to ease its stance on tokenisation, insisting that payment facilitators cannot store customer card details.
This would come as an inconvenience to many, particularly online shoppers who so far have had to key in only the CVV of a card saved on the e-commerce portal (masked, with only the last four digits visible) to proceed with a transaction.
What the RBI is proposing is that every time a transaction is to be made, the entire card details must be keyed in.
These would reach the merchant's servers in tokenised form, as random numbers that stand in for the actual card details.
Since the tokenised numbers generated would be one-time in nature, the merchant site and payments facilitator would have no reason to save the details.
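The mechanism described above, as an added toy example that is not the RBI's or any payment provider's code: a token service issues a random single-use token in place of the card number, the merchant persists only that token, and a replayed token is refused. All class names, the test card number and the amounts are constructed for illustration.

```python
import secrets


class TokenVault:
    """Constructed stand-in for a card-network token service.
    Maps a freshly issued random token to the cardholder's PAN,
    marks each token single-use, and never returns the PAN."""

    def __init__(self):
        self._tokens = {}  # token -> {"pan": ..., "used": bool}

    def issue_token(self, pan: str) -> str:
        # 16 random digits: the token carries no information about the PAN.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._tokens[token] = {"pan": pan, "used": False}
        return token

    def authorise(self, token: str, amount: int) -> bool:
        entry = self._tokens.get(token)
        if entry is None or entry["used"] or amount <= 0:
            return False  # unknown, replayed, or nonsensical request
        entry["used"] = True  # one-time: a second presentation fails
        # A real issuer would now authorise against entry["pan"].
        return True


class Merchant:
    """Constructed merchant: sees and stores only the token."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []  # everything the merchant persists per order

    def checkout(self, token: str, amount: int) -> bool:
        ok = self.vault.authorise(token, amount)
        self.orders.append({"token": token, "amount": amount, "ok": ok})
        return ok


def demo():
    """Returns (first charge ok, replay ok, PAN found in merchant storage)."""
    vault = TokenVault()
    merchant = Merchant(vault)
    pan = "4111111111111111"  # constructed test card number
    token = vault.issue_token(pan)
    first = merchant.checkout(token, 499)
    replay = merchant.checkout(token, 499)  # reusing a saved token fails
    leaked = any(pan in str(order) for order in merchant.orders)
    return first, replay, leaked
```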
The RBI’s logic is that this will introduce a robust safety mechanism for Indian consumers.
E-commerce sites and others in the chain, however, argue that it will be a body blow to online transactions since fast checkouts will be hampered.
Single-click purchases on tech platforms such as Google and Apple will also cease to exist with this, adding some element of complexity to purchasing apps.
To be sure, even now, few people want to store their card details with e-commerce sites.
And while payments industry insiders, too, have welcomed the RBI stance on customer safety, they want an alternative mechanism, which the central bank has not yet agreed to.
“The RBI’s concerns are genuine because we have seen several hacks on merchants and payment service providers (PSPs) in the recent past, wherein data of millions of cards was compromised,” says Vishwas Patel, chairman, Payments Council of India.
“While the RBI has allowed payment aggregators to store card details for transaction processing purposes, it wants to prohibit the one-click checkout service.
“The demand, however, is that since payment aggregators and gateways are following best practices, they might as well allow the one-click checkout service,” Patel adds.
Rameesh Kailasam, CEO and president of IndiaTech.org, an industry association representing India’s technology start-ups, unicorns and investors, agrees that while the RBI’s intention is noble, it will create “frictions in the transaction process and may upset the experience of the consumer,” who will have to enter the 16-digit card number, name, expiry date, CVV number, and the OTP instead of just the CVV and OTP now.
“The efficiency and ease of making payments in the periodic/monthly subscription-based models will be disrupted,” says Kailasam.
“We are proposing that the RBI allow PCI DSS Level 1-certified merchants to store the card details.” (PCI DSS, or Payment Card Industry Data Security Standard, is the benchmark of payments security, and Level 1 is its highest and most stringent standard.)
Modes such as Unified Payments Interface (UPI) and net banking would likely gain from tokenisation.
Payments companies, which have been dragging their feet on the issue, have till December 31 to comply.
The RBI is unlikely to budge.
E-mandates
The second, and more nuanced, issue is that of e-mandates, which faces a September deadline.
Under the revised rule on auto-debits and e-mandates, which was originally to be implemented on April 1, a customer has to give her consent for a payment to be deducted from her account.
This Additional Factor of Authentication (AFA) applies for auto-renewal of payments up to Rs 5,000, across all modes such as UPI, wallets and banks.
Industry sources say so far only two private banks have upgraded their platforms to accommodate this AFA mandate.
Others, including public sector banks (PSBs) that ordinarily comply with RBI rules readily, are not willing to invest in the infrastructure.
The RBI has in the past delivered a stern warning on non-compliance, but banks have dug in their heels and are unwilling to invest millions for a value-added service that they can simply drop from their product offerings.
Of course, everyone will eventually end up complying with the RBI diktat so as not to be in the regulator’s bad books, but they will be in no hurry to do so, experts say.
And this won’t be the first time banks would be stalling.
It took about a decade for the RBI to push all banks to migrate to CTS2010 standard for cheques.
International Financial Reporting Standards (IFRS) is something that has still not been achieved even after more than a decade.
With e-mandate, too, it could be a long-drawn affair, despite the RBI threatening “stringent supervisory action” if the September deadline is missed.
Sources say some PSBs have argued that since their customer base is not as tech savvy, such a consent-based mechanism would add to the confusion.
The customers may not give their consent on even mundane things, fearing fraud, and this could lead to payments failure.
“Clever fraudsters, who evolve with technology, will exploit such a consent-type system,” says a senior banker, requesting anonymity.
“We have just educated the customers not to respond to bank messages, especially with sensitive data.
“Now we will have to tell them you can give consent sometimes.
“This will bewilder many who are not savvy, and will have the opposite effect of what the RBI’s intention is.”
Banks, particularly the public sector ones, also do not want to upset their stable network that facilitates varied kinds of transactions, including running direct benefit transfer (DBT) schemes of the government.
Therefore, it is likely that when the deadline ends, banks will do what they did at the end of March — alert customers that the auto-debit service is being cancelled from the bank’s end.
And they will be well within their rights to do so, experts say.
That said, on both issues – tokenisation and e-mandates – the RBI will have its way, says a senior banker. For the regulator, the banker adds, “safety is of primary concern while convenience comes a distant second”.
“The regulator issues discussion papers, consults all stakeholders and gives sufficient lead time – and also extends it many times.
“Despite this, if the players are behind the curve, nothing can be done,” says the banker, adding that the regulatory sandbox process is throwing up interesting solutions for today’s problems, provided the players invest.
“This ecosystem is going to evolve constantly. Can anyone stick to the old ways and do business?
“The inertia in the system, plus an unwillingness to invest in safety, is the bane of the Indian financial system,” the banker adds.
Caught in the middle
This tug of war of sorts between banks and the regulator has left many – over-the-top (OTT) and direct-to-home platforms, media platforms, websites, and everything that depends on auto-renewal of subscriptions – in a quandary.
For the framework to work, banks and payments aggregators will have to make changes in their technology system, data-interchange processes and underlying business contracts, besides how they intimate their customers, says an industry source.
Banks, he adds, are not willing to undertake these exercises as they have “little or no returns on investments” from these efforts.
And unless banks finish their system upgradation, payments aggregators cannot start working on theirs, says a source.
Customer inconvenience aside, a disruption to these auto-renewal services is likely to have a “domino effect on large and small businesses,” and will affect the merchant business “while having minimal impact on banks’ services,” the source adds.
One particular technical issue is that the RBI’s framework is silent on migrating customers on the legacy auto-debit system to the new structure.
And banks do not want to undertake such a job on their own, risking auditing and compliance issues.
The affected merchants and service providers, instead of approaching the RBI directly, are now in discussions with banks to convince them of the benefits of moving to the new e-mandate platforms.
Realising that their losses would be far greater than those of banks, merchants sent their representations to the Ministry of Electronics and Information Technology (MeitY), NITI Aayog and the finance ministry to highlight their concerns.
Even as these merchants have no direct channel to the RBI, they now plan to send a representation to the regulator with a detailed note on the potential fallout of noncompliance by banks and the impact it would have on consumers and merchants, sources say.
In short, this issue will linger on unless both the banks and the RBI agree on a middle ground – with the regulator offering some flexibility and banks showing a willingness to invest in a new platform.