On 31 March, the Reserve Bank of India (RBI) decided to extend the timeline for processing of recurring online transactions by six months. The new deadline for stakeholders to migrate to the framework for processing of such transactions is September 30, 2021. The move by the Central Bank is aimed at prevention of any inconvenience to the customers. RBI in its press release said that it has noted that the framework has not been fully implemented even after the extending the timeline till 31 March. "This non-compliance is noted with serious concern and will be dealt with separately. The delay in implementation by some stakeholders has given rise to a situation of possible large-scale customer inconvenience and default," RBI said.
While the new deadline to comply with the above directive has been extended to 30 September 2021, any further delay in ensuring complete adherence to the framework beyond the extended timeline will attract stringent supervisory action. In a separate notification, RBI also said that "during the extended timeline, no new mandate for recurring online transactions shall be registered by stakeholders, unless such mandates are compliant with the framework." This clause may cause disruption in operations of the payments industry. We are still reviewing the notification released by RBI and will update the blog after due consultation with the industry.
NASSCOM's Representation to RBI:
On 23 March, NASSCOM and DSCI jointly rolled out a survey to understand where the various participants of the payments ecosystem are, when it comes to implementation of the RBI 's directive on processing of e-mandates for recurring transactions. Based on the interim findings of the survey, we made a representation to RBI on 30 March seeking an urgent extension of the timeline to comply with the directive.
We divided the representation into the following themes to bring out a clear picture of the underlying issues pertaining to meeting the deadline of RBI's Directive.
Obligations under the e-Mandate Directive
The e-Mandate Directive was issued by RBI with a view to balancing the needs of card transaction security, and the needs of customer convenience. Accordingly, the e-Mandate Directive enables recurrent transactions by way of a one-time Additional Factor Authorisation (AFA) at the time of creation, modification, and revocation of an e-mandate, followed by automatic charges to the relevant card for subsequent transactions. The primary regulatory burden of enabling e-mandates has been placed on the issuers of the cards, i.e., the issuing banks, who are inter alia required to:
- Register e-mandates by recording card details, maximum amount for recurring transactions, the validity period of the e-mandate and all other audit trail documents for modification of the e-mandate later.
- Adopt AFA at the time of registration, modification, and adoption of e-mandates.
- Send a pre-transaction notification at least 24 hours before the actual charge/debit on the card and provide the option to opt-out of the e-mandate prior to actual debit.
- Ensure adherence to transaction limits (₹5,000/- per transaction) and adopting velocity checks and other risk mitigation procedures.
- Provide an online facility to track, modify or review existing e-mandates, together with appropriate grievance redressal mechanisms in relation to e-mandates.
- Ensure compliance with the above requirements in the case of cross-border recurring transactions as well.
Issues with Achieving Compliance within Stipulated Deadline
Currently, most recurring/subscription-based transactions are initiated by merchants, who by virtue of having Card-on-File (COF) data on their servers, send the relevant instructions to issuing banks to charge customers’ payment instruments. However, there exist no platform for banks to capture e-Mandate creation information from all merchants, resultantly inhibiting compliance with the e-Mandate Directive.
Absent a minimum level of preparedness amongst issuers to provide for an e-Mandate dashboard, and widespread awareness campaigns by merchants and banks alike to inform and acquaint customers with the new facilities, the cumulative impact of RBI’s PA/PG Guidelines and the e-Mandate circular, are likely to create a significant disruption in the way customers, merchants and banks manage recurring/subscription-based e-Mandates. Here is an example of the scale of disruption we are referring to and we are sure there will be other such examples. As a measure of combating piracy and enabling better Digital Rights Management (DRM), the IT/ITeS industry has adopted the "as-a-service" model at scale. Resultantly, most consumer and retail software applications, and online content-based services, adopt the Software-as-a-Service (SaaS) model. Enabling frictionless recurring transactions are central to the success of SaaS. Should issuers remain unprepared to provide for facilities to create, manage and revoke e-mandates at a time when merchants (including ITeS and e-Commerce industries) are unable to store COF data, the entire SaaS model is likely to be significantly disrupted, as most e-mandates (currently managed by merchants) are going to come to a grinding halt
Assessing State of Preparedness While the e-Mandate Circular has been in force since 21 August 2019, our initial consultations revealed that several major banks had not upgraded capacities to comply with the requirements of enabling registering, tracking, modification, and withdrawal of e-mandates in line with the e-Mandate Directive. Moreover, RBI's Circular dated 4 December 2020, extends the applicability of the e-Mandate Circular to all payment instruments, including debit cards, Pre-Paid Instruments (PPIs) and Unified Payments Interface (UPI). Resultantly, in addition to issuing banks, issuers of PPIs will also need to upgrade their systems to bring themselves in line with the obligations under the e-Mandate Circular.Therefore, should all non-compliant recurrent transactions be discontinued post 31 March 2021, the eMandate Circular is likely to significantly disrupt e-Commerce in India, especially when the prohibition on merchants to store COF data comes into force on 31 June 2021.
Given the potential scale of disruption, NASSCOM and DSCI conducted a limited anonymous survey amongst participating banks, merchants, card networks, payment aggregators & gateways and PPI Issuers, to ascertain the state of preparedness of the industry. Our interim findings, based on 18 complete, and 29 partial responses, reveal that ecosystem participants urgently require an extension of 3 to 6 months to ensure complete and meaningful compliance with the e-Mandate Directive, without causing any significant disruption to the eCommerce ecosystem and to end-consumer experience.
Key Interim Findings of the Survey
- A 100% of the participating institutions believe there is a need for an extension to the deadline for compliance beyond 31 March 2021, indicating an overall lack of preparedness to comply with the e-Mandate Directive as of the stipulated deadline.
- Indicating varying states of preparedness amongst banks, 60% of the responding banks have stated their inability to comply with the e-Mandate Directive as on 1 April 2021, whereas 40% of the responding banks, while indicating their preparedness to comply, responded in the affirmative to the need for an extension of 3-to-6-month in compliance timelines, to ensure a seamless transition to the new framework set forth under the e-Mandate Directives.
- Out of the participating banks which indicated an inability to comply with the deadline, 66% suggested the need for a 6-to-12-month extension in compliance timelines, whereas 33% of indicated the need for a 3-to-6-month extension in compliance timelines.
- The key factors stated by participating banks for their inability to comply include:
-the timelines required for system upgradation by banks and other ecosystem entities including PAs;
-the lack of any existing rails to connect all ecosystem participants, particularly merchants to banks, thereby hampering banks’ ability to receive information on standing instructions even if such capabilities exist within the bank;
-challenges faced in integrating all potential cross-border merchants on to any potential platform developed for giving effect to the e-Mandate Directive, which include the need to localise acquiring banks of cross-border merchants;
-Amongst other non-bank participating entities (card networks, PAs, PGs, PPIs, and merchants), 46% indicated the need for a 3-to-6-month extension to the compliance timelines, 38% indicated the need for a 1-to-3-month extension to the compliance timelines, and 16% indicated the need for at least a months’ extension to be ensure compliance.
-Participating entities estimate an approximate number of 9 to 10 million recurring transactions being declined by major issuers per month, on account of non-compliance with the e-Mandate Directive.
Request for Extension
The interim findings of our survey indicate that the ecosystem is at varying stages of preparedness to comply with the e-Mandate Directive. However, meaningful, and effective compliance by all ecosystem participants cannot be achieved without all stakeholders being prepared and interlinked towards operationalising the e-Mandate management framework prescribed under the e-Mandate Directive. Based on the responses received, NASSCOM notes that most ecosystem participants have indicated the need for a 3-to-6-month extension to the compliance timelines. Accordingly, and view of the foregoing, NASSCOM would urge the DPSS, RBI to consider extending the timelines for the enforcement of the e-Mandate Circular by 3 to 6 months (or such longer time, that is coterminous with the enforcement of the PA/PG Guidelines) to allow for sufficient time for issuers (issuing banks and issuers of PPIs) to enable eMandate Dashboards, AFA for medication/revocation of e-Mandates, and pre-Debit Notifications, as required under the e-Mandate Circular.
Background
In 2019, the RBI introduced guidelines for processing e-mandate on cards for recurring transactions with a view to balancing the needs of card transaction security, and the needs of customer convenience. The guidelines enables recurrent transactions by way of a one-time AFA at the time of creation, modification, and revocation of an e-mandate, followed by automatic charges to the relevant card for subsequent transactions. While the primary regulatory burden of enabling e-mandates has been placed on the issuers of the cards, i.e., the issuing banks, other players in the ecosystem also have their role to play. On 4 December 2020, RBI issued another directive, which stated that processing of recurring transactions (domestic or cross-border) using cards / PPIs / UPI under arrangements / practices not compliant with the guidelines, shall not be continued beyond March 31, 2021.
In case of any queries/clarifications, please write to komal@nasscom.in.
