Policy Radar: Bringing consumer protection to card issuance

Asheeta Regidi, Head, Fintech Policy at Cashfree.

The financial sector, banking in particular, is undergoing a major revolution in India, which is why it is a highly regulated space, and understandably so. For the Reserve Bank of India (RBI), as the banking and financial services regulator, it is imperative to keep the interest of consumers at the forefront while formulating regulatory policies for the sector.

RBI has been playing a key role in protecting consumer interest, and some of its interventions, such as the introduction of the Banking Ombudsman scheme, the launch of DigiSaathi, fraud liability guidelines to protect AePS users, and so on, can be traced as far back as 2006.

Taking another step in the same direction, RBI recently announced new rules to safeguard consumers and make card-based transactions more secure for them. Let’s dive into the latest edition of Policy Radar where we look at these changes and other recent regulatory updates.

Master Direction: RBI revises rules for credit, debit card issuance

Card issuance in India is in an interesting space, particularly with non-banks entering the market through co-branded arrangements and other partnerships. Now, the RBI has issued a new master direction governing the issue of and conduct related to credit and debit cards.

These define norms for the entire card issuance journey – who can issue what type of card, governance requirements, rules for customer acquisition such as consent or disclosures, defining underwriting practices and applicable interest rates, billing and recovery practices, and so on.

The primary focus is on credit card (CC) issuance by banks and NBFCs, but this also applies to debit card (DC) issuance by banks. These will also impact co-branding arrangements.

The Impact

On customers

The biggest beneficiaries here are the customers, with the norms placing them at the front and center of all issuer/partner decisions. This comes as the RBI tightens its focus on digital lending in general and reins in illegal practices. 

Protections include explicit consent needed at multiple levels, from issuance to upgradation, a bar on unsolicited cards, and holding the issuer liable for any charges. They also extend to multiple transparency requirements and new privacy requirements.

On card issuers

The norms apply to card issuers, i.e., banks and NBFCs. Many specific rules are laid out – for instance, scheduled commercial banks with net worth over ₹100 crore can issue CCs.

After the revamping of NBFC regulations recently (the scale-based regulations), NBFCs are permitted to issue CCs, DCs and charge cards, but with RBI approval. They must also have a minimum net owned fund of ₹100 crore. 

This opens doors for NBFCs to increase their revenues via CCs. It also allows them to act as issuing partners for fintechs and others, providing various Issuing-as-a-Service facilities or co-branding arrangements. 

On co-branded partners

Co-branded cards are key offerings of several non-banks today, be it airlines or retail stores, even fintechs like neobanks or wealth management solutions. Perks offered by these cards include loyalty points, special discounts, etc.

These co-branded partners are now restricted from accessing customer transaction data. Their role in the tie-up has now been restricted to marketing and distribution, and they cannot be involved in any processes/controls post-issuance.

Ambiguous wording makes it unclear if they can take customer consent here, even though general RBI regulations on customer confidentiality by banks do permit consent-based sharing.

RBI issues Digital Banking Unit norms

The RBI has issued official norms on Digital Banking Units (DBUs), as promised in Budget 2022. These DBUs will be set up by scheduled commercial banks with an aim to widen the reach of digital banking services in the country.

  • The DBUs would act more like ‘phygital’ channels than a digital-only channel – requiring a specialised fixed-point business unit/hub.
  • A minimum list of products and services is specified but banks can expand offerings. These include account opening, cards issuance, loans, etc. and digital kits for merchants and customers.
  • The hubs will be required to have a minimum digital infrastructure, which will enable services via both self-service and assisted modes. These include kiosks for account opening, digital KYC, internet banking, passbook printing, ATMs and cash deposit machines, etc.

Operational changes for banks

Banks must include establishing DBUs as a part of their digital banking strategy. In fact, no separate RBI permission would be required for banks that have prior digital banking experience. 

The DBUs will be housed separately from existing banking outlets (i.e., branches) with separate entry and exit points. Banks would be free to choose smart equipment, digital-native technology, create new digital environments, etc. as per their digital strategy.

A DBU must result in a monitored increase in digital penetration of financial services in its area of operation. For this, monthly performance reports must be shared with the RBI. 

What changes for customers

For customers, the establishment of DBUs will increase the digital banking touch-points available to them. 

Additionally, DBUs will have a mandate to educate and familiarise customers with digital banking products and processes. Customers will thus receive more guidance on using new-age digitised banking products and services. 

This guidance will happen in two main forms – fully digital onboarding for the offered products and services; and hands-on customer education, via various tools and methods, to induct them into self-service banking.

Impact on neobanks and other BaaS players 

The guidelines add a new channel for neobanks and other fintechs that partner with banks to offer services, which currently includes business correspondent and outsourcing models.

Banks would be free to insource or outsource, in compliance with current outsourcing guidelines. They can also engage business correspondents or digital business facilitators to expand their virtual footprint.

If the bank uses an API layer to connect with external third-party apps, then these will require testing in an isolated environment prior to integration with the core banking system.

RBI proposes OEIF to simplify cross-border payment norms

The RBI has issued new draft guidelines for cross-border payments for export/import, aiming to replace current Online Payment Gateway Service Provider (OPGSP) norms with Online Export-Import Facilitator (OEIF) norms.

The OPGSP is basically the equivalent of a payment aggregator/payment gateway, but one that specifically handles cross-border export and import related payments in agreement with banks. Its operations are within the terms of the OPGSP framework set out by the RBI.

These draft norms are more aligned with the 2020 payment aggregator (PA) guidelines. For example, it is clarified that an OEIF facilitating imports acts as a PA, and one facilitating exports acts as a PG. OEIFs will need RBI authorization.

RBI has invited feedback from all stakeholders till April 24th. The final guidelines are expected to be issued after that. 

What’s good for merchants

The proposed increase in values is a welcome step that would allow for higher-value export/import ticket sizes, which would normally need restructuring in processes.

Adding UPI increases the payment options for imports for customers, tapping into UPI’s popularity and increasing its use-cases.

Flexible settlement timelines are another plus point, which will replace the OPGSP’s T+2/ T+7 settlements. Merchants will be able to agree with the OEIF on a time frame within which funds will be finally credited into their account. This would give flexibility to manage refunds, chargebacks, etc. more efficiently.

What more can help?

Many points in the OEIF guidelines need clarification. Two important ones are:

  • With the new common category of ‘goods and digital products’, what ‘digital products’ means is ambiguous, thus requiring clarity on whether this includes services or not. This is important given the sheer volume of exported services in India, be it the IT/ITES sector, BPOs, travel, consultancy, freelancers, etc. 

  • With the full KYC requirements, relaxations similar to those for PAs will help. Under the PA guidelines, instead of full KYC checks, PAs can onboard based on internal policies approved by their Board. Given that merchants link bank accounts which are already KYC-ed, PAs rely on the KYC checks the banks would have done.

Other notable updates

CERT-In issues new cybersecurity guidelines

The Indian Computer Emergency Response Team (CERT-In) has asked all service providers, intermediaries, body corporates, etc. to mandatorily report cyber incidents within 6 hours of notice. Logs of all IT systems must be enabled and maintained securely for 180 days and provided along with such reports.

A 5-year data storage requirement has been imposed on cloud and VPN service providers (for subscriber-related information), custodian wallet providers and virtual asset service providers (for KYC), among others.

RBI to introduce cardless cash withdrawals 

The RBI plans to enable interoperable cardless cash withdrawals via UPI across all ATM networks, a step which may significantly impact card usage in the offline space.

LEI for borrowers

The RBI has extended the legal entity identifier (LEI) mechanism to NBFCs and UCBs for increased transparency and accountability. Borrowers meeting defined exposure limits will be required to obtain LEIs by prescribed timelines.

IFSCA issues framework for fintechs

The International Financial Services Centres Authority (IFSCA) has introduced a framework for fintech entities, which will apply whenever a fintech entity wants to participate in a permissible activity, e.g., eligibility criteria for the IFSCA’s regulatory sandbox.

TRAI waives off USSD-based tariff

TRAI has waived off tariff charges for mobile banking and payment services; the charge was previously ₹0.50 per session.

Extension in timelines for NPCI compliances 

The NPCI has extended timelines to allow PSPs, TPAPs and other participants to implement UPI Global and UPI’s Online Dispute Resolution (ODR) mechanism by 30 September, 2022.

This edition has been assisted by Urmil Shah and edited by Sunny Lamba.
