Paying heed to the concerns raised by several organisations over the possibility of failure of millions of e-mandates or auto-debits because all banks have not upgraded their systems, the Reserve Bank of India (RBI) had extended the compliance timeline by six months in April this year. Now that this deadline of 30 September 2021 is looming, lending institutions are working to comply, but consumers are nowhere in the loop and are clueless about how the new rules will affect them. Instead, they are receiving threatening SMS and emails to update their mandates, failing which their recurring transactions could be rejected.
In a note, Macquarie Capital Securities (India) Pvt Ltd has said that private sector banks and MasterCard and Visa are well prepared for the auto-debit rules compared to public sector banks (PSBs) Rupay network and merchant ecosystem. “There is likely to be disruption and friction to the payment ecosystem around these timelines. But there is agreement that “these rules are very essential for data security, theft, privacy issues and RBI’s concerns and steps are in the right direction in this regard and eventually could strengthen the payment ecosystem,” the report says.
The industry has been systematically pushing for a relaxation in the e-mandate to process recurring transactions with an additional factor of authentication (AFA). An RBI circular issued on 21 August 2019 permitted “processing of e-mandate on cards for recurring transactions with an AFA during e-mandate registration…Keeping in view the changing payment needs and the requirement to balance the safety and security of card transactions with customer convenience, it has been decided to permit processing of e-mandate on cards for recurring transactions (merchant payments) with AFA during e-mandate registration, modification and revocation, as also for the first transaction, and simple and automatic subsequent successive transactions, subject to conditions...” This was based on the industry representations.
On 4 December 2020, RBI had increased the limit on e-mandates from Rs2,000 to Rs5,000, saying it was “based on requests received from stakeholders and given the sufficient protection available to customers.”
Even then, there was no consultation with consumers or consumer groups since regulators only speak to industry bodies, even as customers continue to lose large sums of money to e-fraud and banks. The banking ombudsman also tends to rule against consumers and blame customer negligence in most cases.
Many banks are now sending messages to customers on recurring transactions. One such SMS reads, “As per RBI’s recurring payment guidelines, w.e.f. 20-09-21, standing instructions on your xxxxxxx Bank card(s) for recurring transactions will not be honoured. You can pay the merchant directly using your card for uninterrupted service...”
However, neither the bank nor RBI shared any information about how and where the customer can update the e-mandate to continue using this service. As per the circular, customers need to re-register with their bank/s for the e-mandate using the AFA.
“Since most payments are below Rs5,000 (it is largely utility payments are on the auto-debit which are small) which do not require AFA after a one-time registration effort with the standing instruction (SI) hub, there should not be an issue in future in our view,” Macquarie says, adding “However, some vendors like Netflix and Apple process payments internationally through Singapore and Dublin that makes compliance and adherence difficult as these are international transactions. Also, PSBs, local vendors, merchants, and the entire ecosystem need to adapt technology, which could take time, especially in SI disputes. There have been many cases example, large mobile bills and some international subscriptions, which RBI now wants to secure through AFA.”
Most consumer organisation believe that policy-making is entirely driven by the industry with neither awareness building or ease of compliance or hand-holding of customers to comply with new rules. Instead, consumers are harassed by unilaterally blocking transactions or allowing them to suffer the consequences of failed transactions.
What is worse, consumers are being relentlessly pushed to electronic transactions even if they are uncomfortable with with such payments or, as in case of very senior citizens, have cognitive issues dealing with complex electronic processes. In addition, most bank and financial websites have problems with user-interface, which is neither intitutive nor robust in terms of technology.
RBI, as a regulator, has also failed to safeguard customer interest by acting quickly and efficiently against companies which force people to use apps that store customer data without their permission (this is also true of government apps) or store the credit card details of customers either by force or stealth (having a virtually invisible auto-checked tick-box granting permission to store data).
In March 2020, RBI did stipulate that authorised payment aggregators and the merchants onboarded by them should not store customers’ card data, but this new rule will come into force only from 1 January 2022.
RBI is fully aware that the availability of such details with many merchants substantially increases the risk of card data being stolen. Any leakage of card-on-file (CoF) data can have severe repercussions because many jurisdictions do not require an AFA for card transactions. Stolen card data can also be used to perpetrate frauds within India through social engineering techniques.
Earlier this month, RBI decided to extend to CoF tokenisation (CoFT) – a device-based tokenisation framework to overcome this issue. “Introduction of CoFT, while improving customer data security, will offer customers the same degree of convenience as now. Contrary to some concerns expressed in certain sections of the media, there would be no requirement to input card details for every transaction under the tokenisation arrangement,” RBI says.
Hyderabad-based technology expert Srikanth says, “CoF and e-mandate regulations are to be seen in the context of the weak regulatory regime. The regulator conventionally sees prevention and sometimes that stifles convenience than let things happen.”
Dr Rakesh Goyal, director of Sysman Computers, which conducts security audits for organisations, agrees that banks and e-commerce organisations lobby for rules that may hurt consumers. “I believe RBI should have broad-based group, which may include not just banks but other stakeholders such as consumer groups, IT product developers, IT security and audit experts, privacy experts, chartered accountant,” to discuss the best way forward, he says.
According to Dr Goyal, every technology payment instrument is dangerous if not securely implemented. “And security always comes at user convenience, which nobody wants to compromise,” he says.
Processing of E-mandates for Recurring Transactions
In August 2019, RBI had decided to permit processing of e-mandate on cards for recurring transactions (merchant payments) with AFA during e-mandate registration, modification, and revocation, as also for the first transaction, and automatic and straightforward subsequent successive transactions.
While processing the first transaction in the e-mandate-based recurring transaction series, AFA validation is a must. “Subsequent recurring transactions shall be performed only for those cards, which have been successfully registered and for which the first transaction was successfully authenticated and authorised. These subsequent transactions may be performed without AFA,” RBI had said.
As a risk mitigant and customer facilitation measure, the issuer should send a pre-transaction notification to the cardholder at least 24 hours before the actual charge or debit to the card. While registering e-mandate on the card, PPI and UPI, the customer needs to be given a facility to choose a mode among available options like SMS or email for receiving the pre-transaction notification from the issuer in a clear, unambiguous manner and in an understandable language, RBI says adding, the facility for changing this mode of receiving the pre-transaction message, should also be provided to the customer.
As per the central bank, the pre-transaction notification should, at the minimum, inform the customer about the name of the merchant, transaction amount, date and time of debit, reference number of transaction or e-mandate, the reason for debit or e-mandate registered by the cardholder.
On receiving such notification, RBI says, the customer should also have the facility to opt out of that particular transaction or the e-mandate. Upon intimation of such an opt-out, the issuer shall ensure that the specific transaction and further recurring transactions are not effected, as the case may be, the central bank says.