Context
On April 15, 2021, the Reserve Bank of India (RBI) announced the setting up of a new Regulations Review Authority (RRA 2.0) for a period of one year from May 1, 2021, to review the Central Bank’s regulations and compliance procedures with a view to streamlining/rationalising them and making them more effective.
The RRA 2.0 is focused on streamlining regulatory instructions and reducing the compliance burden of the regulated entities by simplifying procedures and reducing reporting requirements, wherever possible.
This is not the first time that the Central Bank has set up an RRA. From April 1, 1999, an RRA was set up for a period of one year for reviewing the regulations, circulars and reporting systems, based on feedback from the public, banks and financial institutions. The recommendations of the RRA enabled simplifying regulatory prescriptions, paved the way for issuance of master circular and reduced reporting burden on regulated entities.
On May 7, 2021, RBI constituted an Advisory Group, representing members from regulated entities, including compliance officers, to support the RRA in achieving the objective set forth in the terms of reference of RRA 2.0. The Group assists the RRA by identifying areas/ regulations/ guidelines/ returns which can be rationalised and submits reports periodically to RRA containing the recommendations/ suggestions. To undertake its preparatory work, the Group decided to invite feedback and suggestions from all regulated entities, industry bodies and other stakeholders.
Highlights of the Submission:
1. Reduce Reporting Requirements
Since card networks have been required to submit daily data reports to RBI, there is duplication of work in furnishing monthly reports such as the monthly report on volume and value of transactions and the monthly report on card transactions processed at point-of-sale (POS) terminals.
In some cases, reporting requirements are repetitive. For example, payment networks reporting the count of POS machines as part of acceptance infrastructure take the count from the acquiring banks; since a POS machine is not network-specific, multiple networks could end up reporting the same number in their reports, resulting in multiple or repetitive counts.
Suggestions:
• RBI may consider doing away with monthly reports in cases where daily data is already being reported by card networks.
• Instead of seeking the entire data in the report from the card networks, the format can be revised and amended to collect only such data as the networks have, and the remainder may be collected from the banks.
• For the participants to share reports more effectively and efficiently, a more cohesive reporting mechanism could be considered, which is standardised and allows participants to share details systematically at a defined frequency without cross-referencing.
2. Facilitate Compliance with RBI Guidelines on Payment Aggregators and Payment Gateways
We are thankful to RBI for considering our representation dated March 24, 2021 and extending the timeline for non-bank PAs by six months to ensure compliance with the Guidelines on Regulation of Payment Aggregators and Payment Gateways (PA/PG Guidelines). The new deadline for non-bank PAs to comply with the provisions of the PA/PG Guidelines is December 31, 2021.
We would like to bring to the notice of RRA that the Central Bank in its notification dated March 31, 2021, clarified that merchants would be permitted to store “limited data” and only for the purposes of “transaction tracking”, while also urging stakeholders to put in place ‘workable solutions’ which would serve as alternatives to storage of card-on-file, such as tokenisation, within the framework set out in the circular (Device Tokenisation Circular).
a. Card-On-File (COF) Storage Restrictions
In our submission to RBI dated March 24, 2021, we had highlighted the significant disruptions to customer convenience and the wider e-commerce ecosystem which would occur in the short-to-medium term due to COF storage restrictions. These include an increase in compliance obligations for PA/PGs and merchants while reducing the ability to service customers in the best possible manner, disruption in the customer’s online payment experience and an impact on subscription mandates. We had also highlighted the need to ensure that, while concerns related to data security are addressed, this is done in a manner which gears the ecosystem to manage business continuity and provide ease of transaction to customers. While we understand that the RBI is encouraging other “workable solutions” to comply with the PA/PG Guidelines, it should also take cognizance of the industry's reliance on COF data to provide a seamless payments experience.
Suggestions:
• RBI should provide clarity on the rationale behind the exclusion of PCI-DSS and PA-DSS Level 1 certified entities (PAs and merchants included) from COF restrictions mentioned under the PA/PG Guidelines and hold consultations with the industry to discuss the risks identified by the RBI and possible feasible solutions to address the same.
• Akin to this Advisory Group which comprises experts and veterans from the banking and financial services industry, the RBI may also consider setting up an expert committee to assess the surmised risk and challenges, identify the actual risks and recommend security measures that may go beyond compliance with PCI-DSS Level. The PA may be made responsible to confirm merchant’s compliance with the framework.
• RBI may also contemplate establishment of a regulatory sandbox for testing the efficacy of card storage standards and best practices.
b. COF Tokenisation
While tokenisation of card transactions has been allowed since January 08, 2019, it is restricted to mobile devices and limited use cases only. Desktop or web-based e-commerce transactions are not allowed to be tokenised. Currently, there is no regulatory framework with respect to COF tokenisation. While COF tokenisation was not specifically disallowed in the Device Tokenisation Circular, based on industry consultation, we understand that RBI specifically disallowed the networks from offering the COF solution vide a subsequent letter to the networks. In our previous submission to RBI on March 24, 2021, we had highlighted that tokenisation of payment data is one of the potential solutions towards balancing data security concerns with those of business continuity. However, it needs to be extended to all other device ecosystems to be an effective solution.
Suggestions:
• There needs to be a comprehensive and platform agnostic regulation with respect to tokenisation in line with global standards, i.e., enable authorised Payment Systems Operators to roll-out tokenisation for a broader device ecosystem beyond mobile-based payments.
• Such regulation should be mandatory for all banks (i.e., not optional as is the case at present with the Device Tokenisation Circular and E-mandates Circular-1) and implemented in a phased manner, providing the industry time to adopt and test the benefits and efficacy of tokenisation, i.e., until the success rates of tokenisation have been proven/established.
3. Processing of e-Mandate on Cards for Recurring Transactions
The RBI vide E-mandates Circular-1 permitted the processing of e-mandates on cards for recurring (merchant) transactions up to INR 2,000/- with additional factor of authentication (AFA), subject to several conditions. The burden of complying with the E-mandate Conditions predominantly fell upon issuer banks. Key among these E-mandate Conditions were (i) pre-transaction notification from issuer bank at least 24 hours prior to debit; (ii) transaction limits set by issuer bank; (iii) facility by issuer to modify or withdraw existing e-mandates; (iv) card schemes and issuer banks to provide appropriate grievance redressal mechanisms in relation to e-mandates. It is noteworthy that these conditions are unique to India and hence there was no existing process or infrastructure in place which could have been leveraged by card networks or issuer banks.
The RBI’s Circular dated December 04, 2020 (E-mandates Circular-2) increased the above-mentioned relaxation/exemption from AFA for recurring payments to INR 5,000/- per transaction. Additionally, the RBI also prescribed a deadline of March 31, 2021, for compliance and determined that the processing of recurring transactions (domestic or cross-border) using cards / PPIs / UPI under arrangements/practices that do not fulfil the E-mandate Conditions would not be permitted beyond March 31, 2021. Upon receiving representations from banks and industry stakeholders alike, RBI subsequently extended the deadline to September 30, 2021 vide RBI Circular dated March 31, 2021 (E-mandates Circular-3); however, new mandates for recurring online transactions were not permitted to be registered by stakeholders, unless such mandates were compliant with the E-mandate Conditions. [Note: E-mandates Circular-1, E-mandates Circular-2, and E-mandates Circular-3 have been collectively referred to as E-mandates Circulars in this document.]
a. Domestic transactions
Banks and card schemes are currently using one technology service provider (TSP), i.e., BillDesk, to build the new platform/infrastructure for recurring payments, and stakeholders are integrating with each other through this TSP. Each stakeholder is required to integrate with the TSP platform for recurring transactions to be successful.
RBI had mandated issuing banks to ensure compliance by March 31, 2021. Based on industry feedback, we understand that to date, only one or two issuing banks are launch-ready on the platform. Payments with respect to insurance premium, utility bills, education periodical subscriptions, telephone bills, groceries, SaaS, and cloud services to SMEs, DTH, entertainment, and other subscription payments will be severely impacted without full participation of all banks in the recurring infrastructure. Eventually, if issuing banks do not meet the timeline prescribed by RBI or decide not to participate, it is merchants and their customers who will suffer the consequences.
Suggestions:
• Pre-debit notifications are an important step to protect customers from unauthorised charges and facilitate customer choice. However, issuers do not have complete visibility into the billing cycle for recurring payments. Considering the practical challenges to this issue, merchants should be permitted to send such pre-debit notifications in compliance with the E-mandate Conditions. Issuing banks may continue to work with merchants to oversee compliance with the E-mandate Conditions and retain flexibility in approving merchants who may be allowed to exclusively send pre-debit notifications based on their risk assessment and compliance. Additionally, to safeguard customers from any unauthorised charges, we propose that the liability of charges incurred by a customer due to non-compliance by the merchant with the requirement to send pre-debit notifications, should be borne by the merchant.
• For the recurring framework to be successful, all issuing banks need to participate in the recurring framework and complete integration with the platform in a timely manner. To ensure compliance by all issuing banks with the Recurring Circulars, the RBI needs to continuously monitor the implementation progress by banks to direct them towards timely compliance on or before September 2021 or consider providing an extension.
b. Cross-border transactions
E-mandates Circular-2 brought recurring cross-border transactions into the ambit of the E-mandates Circulars. The application of the circular to cross-border transactions has created an operational challenge for compliance, as these transactions are with overseas merchants and are in most cases acquired by overseas acquirers who do not necessarily have any operations in India. The technical requirements for overseas merchants and acquirers to comply with the RBI circular therefore pose a practical challenge. While there is a solution for domestic recurring transactions, there is no practical solution for overseas recurring transactions unless and until the overseas merchants and acquirers carry out system-level changes to accommodate the RBI requirements, which is not a requirement mandated by any other country for acquiring.
Overseas merchants selling internationally typically serve more than 200 countries, not just India, and their systems are built with a global approach. To comply with RBI directions, this overseas merchant community will have to make changes to accommodate India-specific e-mandate requirements and, at the same time, maintain separate mandate management systems: one for India and the other for the rest of the world. Along with the merchants, foreign payment gateways, overseas payment card acquiring banks and international card schemes will also have to modify and solve for the proposed changes.
Suggestion:
• We request a review of the E-mandates Circular to exclude cross-border recurring transactions from the ambit of the circular. The failure of cross-border transactions will impact millions of transactions in volume and value.
4. Informal Guidance Scheme
When new regulations are notified, oftentimes different stakeholders take different interpretations based on their business objectives. While the RBI has kindly been addressing queries from industry through the mailbox scheme or through trade associations, these clarifications are typically not universally available to all affected stakeholders.
Suggestions:
• Institute an Informal Guidance Scheme like the one already operational with the SEBI to promote a culture of compliance and consistent interpretation of a regulation.
• All industry participants would have the opportunity to share their queries with the RBI under the scheme; all responses would be published on the RBI’s website. In this manner, the entire industry would be able to take a uniform interpretation.
5. Promote competition and growth of digital payments
On May 27, 2021, RBI released its Annual Report for the year 2020-21. The Report covers the working and functions of the Central Bank. It suggests that the prospects for FinTech in India’s financial system in 2021-22 will depend upon the degree of entrenchment of digital usage, which is, in turn, contingent upon the resilience of the underlying acceptance infrastructure, financial literacy and awareness of the users (both merchants and consumers) and strengthening of the customer protection and cyber security protocols in place.
RBI has also listed several steps over the last year to increase adoption of cashless and digital payments in the country. Based on industry consultations, we have summarised suggestions, which will enable greater competition and promote growth of digital payments.
Suggestions:
• Continuous on-tap licensing to be opened across all payment entities to promote competition and accelerate growth of digital payments.
• Enable options for all payment entities to move up or down the value chain of financial services, to offer services, based on fulfilment of basic eligibility criteria and technological capabilities. For example, non-bank entities and technology service providers such as PAs can be leveraged to increase the growth of digital payments by using them as affiliate partners for card issuing and acquiring.
• Clarify that all regulated entities that are a part of the payment ecosystem can be on-boarded as members on payment networks. Specifically, the RBI is requested to clarify that licensed PAs can become members of a payment network and acquire merchants on their own (without requiring an acquirer bank at the backend).
• Increase the limit for card network authenticated transactions to INR 5,000 from the current limit of INR 2,000, in line with the contactless circular and the recurring transactions circular.
• Consider revisiting existing categories of Payment System Operators (PSOs) and create a new category of payment system operators that process Business-to-Business payments through a network model (including for cross-border transactions).
• The regulator, in its review of existing licensing norms, should consider eligibility criteria for licensing as a multi-faceted requirement and should allow development of innovative payments products which provide safety and security to the ecosystem.
6. Efficient Processing of Applications
Currently, applications for new licenses and products take a lot of time for processing. There are often instances of new requests for information from RBI at the last minute, which further delay the process.
Suggestions:
• All applications to the RBI would have to be addressed in a time-bound manner, e.g., all new licenses within 6 months, new products within 3 months, and all other matters within 1 month.
• Formulate Guidelines for Preliminary Review to avoid delay of application processing for lack of desired information from applicants.
• Institute a Single Window Scheme for processing all applications for new licenses and products etc., in a streamlined manner.
• If a particular application would require inputs from multiple departments of the RBI (say Foreign Exchange Department and Department of Payment and Settlement Systems), the application would automatically be routed to both departments for them to consider the matter and share their views in a timely manner.
7. Industry Feedback on Policy Changes
From time to time, RBI publishes draft versions of policy changes (e.g., the Guidelines for Payment Aggregators and Payment Gateways, where a draft was published for comments). We request that this process be followed as a consistent approach for all new guidelines, reporting requirements etc. (except for immaterial amendments or emergencies). We request that feedback from industry stakeholders be taken on implementation timelines and alternative options to achieve the same regulatory objective. This would avoid the need for industry representations and requests for extension after the fact.
Suggestion:
• Publish all draft regulations (including amendments to regulations) together with a white paper for public comment for a period of 30 days before notification.
In case of any further clarifications, please write to komal@nasscom.in