Via our Payments Digest, we aim to provide a view on key payments policy initiatives taken each month. Discussions for Edition 3: RBI extended timelines for card storage by PAs and e-mandates- what happens next? NPCI has issued SOPs for UPI volume caps- how will this work? A TRAI regulation wreaked havoc with digital payments earlier this month- why?
PART I: RBI extends compliance timeline for card data storage by PAs
Banks, PAs, merchants, customers, have all heaved a sigh of relief with the two last minute RBI extensions on March 31st. The first allows non-bank PAs to continue storing customer card data until December 31st 2021. Our last edition discussed how the prohibition impacts card payments (Related Read: Payments Digest by Cashfree: Feb 2021), here’s looking at what happens next:
Top priorities for PAs/the industry
- For now card based payments continue unaffected (for recurring payments see Part II below). Workarounds need to be found by the year-end.
- Integration with card network authentication solutions, a viable alternative unaffected by the prohibition, needs to be speeded up.
- Tokenisation based solutions need to be developed- all card payments (card-saving, one-click, recurring) can continue unaffected using tokens, without storing card data.
- Other norms under the PA Guidelines remain unaffected, for eg., non-bank PAs still have to apply for authorisation before June 30th, 2021, and PAs which couldn’t achieve Rs.15 cr. net worth by March 31st, 2021 need to wind-up business.
Why we need a new tokenisation framework
The RBI has suggested developing tokenisation based solutions, within the 2019 tokenisation framework. Tokenisation as a solution strikes the right balance between data security and payments efficiency. The issue is that this is needed now as an industry wide practice, but the current framework permits it only for a specific use-case- via apps on mobiles/tablets (think Samsung Pay). Key issues with the current framework prevent a seamless, frictionless experience, for example:
- Permitted only for mobiles/tablets- Not all customers making card based digital payments use devices equipped with these facilities + it completely excludes other devices like laptops, desktops, etc.
- Requires an ‘identified’ device- This makes card-based payments device-specific rather than device-agnostic, or will require customers to separately register each time they use a new device.
- Requires download of a certified ‘token requestor’ app- Customers can only pay using cards if they have such an app, direct payment is not possible.
Going forward, the industry needs clarity on whether the existing framework itself needs to be adapted for the current requirements or whether tokenisation solutions must be restricted to the scope of the current framework, i.e., mobile-based payments. Best of all would be the introduction of a new, wider framework altogether.
PART II: RBI extends compliance timeline for e-mandates
The second extension was for e-mandates non-compliant with RBI’s new e-mandate framework that were to be discontinued by end March. There is now time till September 30th, 2021. Two important factors here- the extension doesn’t apply to new mandates, which still need to be compliant. Second, this applies to domestic and cross-border mandates.
For some background
The new framework was introduced in August 2019. Issuers (banks providing credit/debit cards to customers) were asked to set up an e-mandate system- allowing customers to create/ revoke/ modify e-mandates, requiring AFAs, sending pre and post transaction notifications, etc. In December 2020, the RBI issued a final deadline asking all non-compliant mandates to be discontinued by March 31st, 2021. Additionally this notification revealed that cross-border mandates were also in scope.
All existing mandates thus need to be migrated to this system. In addition, previous arrangements like reliance on PAs or merchants for e-mandates are impacted, moreso due to the card storage prohibition. Processing mandates involves multiple stakeholders. The migration therefore first requires infrastructure to be developed and then integrated across all these. This must be by banks (issuers/acquirers) and card networks first, followed by PAs and merchants (domestic/foreign) next.
As per industry news, banks were technically unprepared to make the transition by the deadline. This led to expectations of widespread disruption, a rush for alternate solutions (like BBPS), and even notifications to customers of cancellation of existing mandates.
What happens now
The news of the extension was thus welcome, allowing the industry time for a smoother transition. Turning to what happens now:
- First, the RBI has taken serious note of the non-compliance, and action may follow.
- Next, the extension is only for existing mandates. For new mandates the industry needs to have solutions in place right now. AutoPay, NACH and BBPS based solutions are some of the options immediately available.
- For card based mandates, solutions like card network provided solutions and tokenization need to be implemented on a priority.
- Last, cross-border mandates are in scope. Cross-border mandates are often processed even without an AFA, as per foreign laws applicable to the transaction. Under the new framework the responsibility for AFAs, etc. is now imposed on the Indian issuer, which will need to have an AFA system in place even in case of a foreign PA/PG, for both credit card and debit card transactions. Compliance here is a lot more challenging, like changes required at the card network level and enabling effective collaborations between issuers and foreign merchants.
PART III: NPCI’s Standard Operating Procedures for UPI Volume Caps
NPCI released the promised SOPs for implementing UPI volume caps. Summing up key features first:
|Max transaction volume per TPAP||30% of total NPCI UPI Volume|
|Means of control||Moderating (upto 50%)/restricting user on-boarding, applies on ‘Payer’ TPAP end alone, not ‘Payee’ TPAP receiving payments|
|Calculating total volume||All successful aggregate UPI transactions- including payments to UPI ID/ IFSC+account/ PPIs, one-time/recurring mandates, etc. Unsuccessful transactions to be reported monthly|
|3 tier monitoring & alert system||Level 1- 25-27%- TPAP must acknowledge|
Level 2- 27.1-30%- TPAP must show evidence of action taken
Level 3- >30%- On-boarding must stop
|Exemption on request on breaching volume cap||Granted on a case by case basis for smooth implementation of on-boarding restrictions with minimum user inconvenience, max 6 months unless extended further|
|Compliance Timeline||By 2023 for existing players exceeding the volume cap as of Dec 2020.|
Practically, TPAPs Google Pay and PhonePe together have approx. 80% market share. Plus they’ve been given 2 years to comply. Thus, unless another player catches up, the actual effect of the 30% volume cap on customer experience, etc., may only be seen after 2 years. A lot can change in 2 years- UPI volumes (as the NPCI hopes) can increase significantly thus downplaying the effects of the cap, NUEs can enter with innovative payment systems and completely change the space, or the NPCI may even reconsider the cap.
Assuming however that the caps do come into play as expected- the effect on an open market and the customer is important to consider. Not that the NPCI isn’t focussed on this. The exemption period, 3 tier alert system, focus on restricting new customers, enabling problem-free re-onboarding of existing customers (in case of device change, app upgrades, etc.), etc., all show a clear focus on reducing disruption for customers.
The NPCI anticipates that with over 50 UPI TPAPs in the market, customers who are unable to onboard will still have enough choice. The NPCI’s many aims range from preventing monopoly, addressing systemic risk from non-bank players, preventing infrastructure overload, etc. The actual impact however is on the customer and a market driven approach. Customers for example cannot freely choose the service provider they deem best. A restricted ability to grow can also impact the industry’s incentive to innovate and maintain competitive service levels. In the long-term, the sustainability of UPI’s revenue model, given zero MDR as well, also comes into question.
Lastly, how the players themselves deal with implementing the cap practically will have to be seen. For instance, what steps will be taken for existing users if moderating/restricting onboarding new users alone doesn’t bring volumes below the threshold? Similarly, could the cap incentivise existing players to turn to payments bank/ universal bank /other bank licenses so as to be exempt from the restrictions?
Others: TRAI SMS Regulations, RBI Committee for UBs/SFBs, UPI-Help
- TRAI’s SMS regulations and their impact on digital payments: TRAI’s anti-spam SMS regulations from 2018 were brought into effect this March following a February Delhi High Court order (One97 Communications vs UoI). For any entities sending SMSs, this is a blockchain based system involving pre-registered SMS templates, consent registers and also ‘scrubbing’ to prevent unregistered SMSs from being delivered. This scrubbing wreaked havoc in the financial sector, affecting OTPs, transaction alerts, registration confirmation, Aadhaar authentication, etc., following several entities including banks being unregistered. This actually forced a temporary suspension of the rules, now resumed from April. In view of factors like increasing mandatory AFA requirements (the recent Digital Payment Security Controls for eg. introduce several new ones), the incident reiterates the need for all players to register to prevent future disruption.
- RBI sets up a Committee for Universal Bank/Small Finance Bank applications: The RBI has set up an external Committee for evaluating universal bank and small finance bank (‘SFB’) applications. Any payment banks (‘PBs’) that have applied for conversion to SFBs must welcome some sign of progress. PBs it can be recalled, have long since been struggling due to the regulatory restrictions on their model (among other factors). The increase in balance limits to Rs. 2 lakhs this month is however a welcome change (we’ll discuss this in the next Digest).
- UPI-Help goes live: Last for this Digest, the NPCI has gone live with ‘UPI-Help’ on BHIM UPI, a part of its ‘Digi-Help Stack’. This allows instant filing of complaints, online resolution for P2P transactions and checking pending transaction status for customers straight from their BHIM-UPI apps. This is welcome given increasing UPI related complaints off-late.
- Article by Asheeta Regidi, Payments Digest by Cashfree: Feb 2021, Cashfree Blog.
- Case Law: One97 Communications v Union of India, W.P.(C) 3330/2020, Delhi High Court judgment dated 3 February 2021.
- Media Article by Pallavi Nahata: BQ Explains: Auto Debits Won’t Be So Automatic Anymore, Bloomberg Quint, dated 30 March 2021.
- Media Article by Romita Majumdar, Transaction Cap On UPI Apps: Is NPCI Stifling Innovation With Overregulation?, Inc42, dated 10 November 2020.
- Media Report by Forum Gandhi: Push e-mandate rules to June for smooth transition, say experts, The Hindu Business Line, dated 30 March 2021.
- Media Report by Prabhjote Gill, Leading private banks won’t support auto-debit payments from April 1 because they need more time to comply with RBI’s new mandate, Business Insider India, dated 31 March 2021.
- Media Report by Priyanka Iyer: RBI extends deadline for e-mandate on auto-debit payments as banks fail to comply, Times Now News, dated 31 March 2021.
- NPCI Notification: Standard Operating Procedure (SOP) – Market Share Cap for Third Party Application Providers (TPAP), NPCI/UPI/SOP-01/2020-21, dated 25 March 2021.
- NPCI Notification: UPI-Help for Digital Payments goes live on BHIM UPI, dated 15 March 2021.
- NPCI Website: UPI Ecosystem Statistics – UPI Apps (March ’21).
- RBI Notification: Framework for processing of e-mandates for recurring online transactions, RBI/2020-21/118, dated 31 March 2021.
- RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/2020-21/117, dated 31 March 2021.
- RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, dated 17 March 2020 (updated as on 17 November 2020).
- RBI Notification: Master Direction on Digital Payment Security Controls, RBI/2020-21/74, dated 18 February 2021.
- RBI Notification: Processing of e-mandate on cards for recurring transactions, RBI/2019-20/47, dated 21 August 2019.
- RBI Notification: Processing of e-mandates for recurring transactions, RBI/2020-21/74, dated 4 December 2020.
- RBI Press Release: RBI announces Standing External Advisory Committee for evaluating Applications for Universal Banks and Small Finance Banks, Press Release: 2020-2021/1282, dated 22 March 2021.
- RBI Press Release: RBI releases “Guidelines for ‘on tap’ Licensing of Small Finance Banks in the Private Sector”, Press Release: 2019-2020/1356, dated 5 December 2019.
- RBI Press Release: RBI releases the Report of the Internal Working Group to Review Extant Ownership Guidelines and Corporate Structure for Indian Private Sector Banks, Press Release: 2020-2021/667, dated 20 November 2020.
- RBI Press Release: Reserve Bank of India extends timeline for processing of recurring online transactions, Press Release: 2020-2021/1326, dated 31 March 2021.
- RBI Press Release: Statement on Developmental and Regulatory Policies, Press Release: 2021-2022/17, dated 7 April 2021.
- RBI Report: Annual Report of Ombudsman Schemes, 2019-20, dated 8 February 2021.
- TRAI Press Release: Press Release No. 82/2018, dated 19 July 2018.
- TRAI Press Release: Press release on implementation of the ‘Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018’, Press Release No. 20/2021, dated 26 March 2021.
- TRAI Press Release: Press release on implementation of the ‘Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018’, Press Release No. 13/2021, dated 12 March 2021.
- TRAI Press Release: Press release on implementation of the ‘Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018’, Press Release No. 17/2021, dated 23 March 2021.
- TRAI Press Release: Press release on implementation of the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, Press Release No. 24/2021, dated 1 April 2021.
- TRAI Press Release: Press release on the temporary suspension of implementation of Content template Scrubbing functionality as per the provisions of Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, Press Release No. 10/2021, dated 9 March 2021.
- TRAI Regulations: Telecom Commercial Communications Customer Preference Regulations, 2018 (6 of 2018), dated 19 July 2018.