Payments Digest by Cashfree- September 2021- Permitting card on file tokenisation

Asheeta Regidi Head, Fintech Policy at Cashfree.

Via our Payments Digest, we aim to provide a view on key developments with payments regulations each month. Discussions for Edition 9: The RBI permits card-on-file tokenisation- what changes? Aadhaar based UPI onboarding and eKYC by PSOs has been permitted- does this ease things? The NPCI has been taking several steps to make UPI & RuPay international- how do these ease cross-border payments, & more.


PART I: On RBI permission for card on file tokenisation & tokenised recurring payments

Quick take: Permitting industry-wide CoFT provides much needed relief from card storage restrictions but questions remain on implementation, from working of guest checkouts to EMI offers.

In September, the RBI permitted card on file tokenization (CoFT), a crucial development given restrictions on card data storage for merchants and payment aggregators (PAs) from the year-end. This with the new recurring payment framework mandate have impacted card payments, impacting related services like card-saving and SIs. Tokenisation was a recommended solution, but only device-based tokenisation was permitted till now. CoFT now allows the industry-wide tokenisation that the restrictions necessitate. Several questions however remain on implementation practically, from the working of guest checkouts to EMI offers. The industry including the card networks, payment system providers (PSPs), merchants and banks are working to resolve these by the deadline. 

Key Takeaways


For the payments industry in general

For banks and card networks

For merchants and customers
The Circular clarifies certain points, for eg. that now no entity in the payments chain apart from banks and card networks can store card data.

Issues arising include with the payments flow when customers don’t normally involve CoF data, for eg. guest checkouts. If old processes continue then card data will be shared. PAs can now store only the last 4 digits which prevents identifying relevant details (like credit/debit card?) needed for refunds, chargebacks, etc.

Similar issues arise with how card based SIs will work with the tokens. Yet another is with EMI offers at checkout depend on EMI eligible BIN lists shared by card networks.
Along with card networks, now issuing banks can also act as ‘token service providers’. This increases the availability of tokenisation services, say to smaller merchants who may not have direct access to card networks to avail the facility. A given TSP can provide services only for the cards it issues. NPCI has also recently launched tokenisation services for RuPay.

For banks changes will be necessitated to processes, for eg. processing both tokenised transactions without CVV and non-tokenised transactions (like guest checkouts) with CVV.

Another eg. is for supporting processing credit card payments with a token instead of the credit card numbers as per current processes.
CoFT greatly increases security of card data. Tokens for eg. will come with a limited period cryptogram, preventing use post expiry, thus limiting fraud.

From a customer perspective, not much will change with making card payments per se- customers will still directly enter card data at a merchant site.  The token creation, etc., will happen at the back-end. 

With the card data storage restrictions, customers would have needed to re-enter card data for all card payments, including every SI payment. CoFT will ease several services for customers which depend on saved card data, like card-saving, one-click payments, seamless checkouts, SIs, etc.

Related Read: The future of card storage and card based recurring payments in India


PART II: Increasing Aadhaar based onboarding- eKYC license for PSOs & Aadhaar OTP for UPI Linking

Quick take: Aadhaar based access to financial services will increase- use it now for eKYC for NBFC services, wallets, etc., and for linking bank accounts to enable UPI payments instead of debit cards alone.

In two key Aadhaar related developments, the RBI allowed NBFCs, PSPs and payment system participants to apply for Aadhaar eKYC authentication licenses. Next, the NPCI allowed Aadhaar based UPI onboarding, instead of via debit cards alone. Use of Aadhaar brings some specific benefits to merchants and customers alike, given its wider availability (as of July 2021: 90.6 crore debit cards in circulation, compared to Aadhaar numbers: 130.87 crore generated in total) and its digitised and paperless functionality. After the Aadhaar judgment restricted eKYC’s use, this adds to the gradually increasing list of entities permitted by regulators under Section 11A, PMLA, for its voluntary use (from banks to non-banks like SEBI for BSE, NSDL, CAMS, etc. or PFRDA for e-NPS, etc.). Together, these two steps help make financial services more accessible, affordable and convenient. 

Key Takeaways


For the payments industry

For merchants and customers

For BaaS players
Though Aadhaar OTP based KYC was permitted earlier, this was for limited use-cases (deposit – Rs.1L, loan- Rs.60k), and needed conversion to full KYC. Aadhaar eKYC on the other hand serves as full KYC. It thus brings allows remote and paperless onboarding for financial services and easy conversion to full KYC (like min. detail wallets needing conversion). This brings back some of the benefits to wallets, etc. that were lost post the Aadhaar verdict. 
 
For Aadhaar based onboarding for UPI, members are required to add the feature by December 15th, 2021. PSPs/TPAPs will only have access to the last 4 digits of the Aadhaar number, to be matched with the last 4 digits as entered by the customer. The NPCI will handle connecting with the UIDAI and issuer banks for seeking authentication, OTP issuance, etc.
With Aadhaar eKYC usable for payments, NBFC lending and other related services, customers will be able to enjoy simpler and remote onboarding processes, with increased and cheaper accessibility to financial services. 

UPI is a highly popular payment mode, and among its advantages is that it needs no KYC and only a linked KYC-ed bank account. By allowing Aadhaar onboarding in addition to the exist debit card based flow (last digits+ expiry date) increases accessibility to persons who don’t have or who have invalid debit cards. Customers will be able to do this only from an app on a mobile having the Aadhaar registered  mobile number, and the Aadhaar is linked to the bank account being linked.
The Aadhaar eKYC license also has benefit for BaaS facilities. Neobanking services for eg. may allow customers to link existing bank accounts or open new ones with underlying banking partners- the latter requires fresh KYC. Normally this process involves KYC data sharing arrangements, URL redirects, etc. enabling banks to conduct the KYC.

With more entities acting as KUAs, banks can hand over conducting KYC to infrastructure intermediaries (if otherwise eligible). S.14 of the RBI KYC Direction allows reliance on KYC done by a third party, thus allowing KYC sharing. This in turn allows the neobanks and infrastructure intermediaries to enable improved, seamless onboarding experiences for customers.

PART III: NPCI’s recent collaborations: Making UPI & RuPay international

Quick take: Multiple efforts by the NIPL to increase international payments acceptance of UPI/RuPay will soon allow direct cross-border payments from UPI apps, via QR codes or RuPay card payments.

Together with the release of the blueprint for Nexus, for global instant cross-border payments recently, the NPCI has been taking several steps to increase cross-border payments and international acceptance of UPI and RuPay payments. Each of these represent strategic partnerships with foreign regulators and banking/payments service providers towards this, on a reciprocal basis. The aims to be achieved range from strengthening tourism, trade and remittance flows between the countries involved. 

JurisdictionCollaborationDetailsDate of Announcement
SingaporeRBI- MAS projectLinking UPI-PayNow  for low-cost, instant funds transfers on a reciprocal basis without onboarding onto the other system14.09.2021
GeneralMandatory international merchant payments on all UPI appsAll member banks, PSPs, TPAPs to enable international merchant payments via UPI as a mandatory feature on UPI apps.08.09.2021
UAENIPL-Mashreq Bank partnership Enabling UPI app payments across UAE merchants and shops20.08.2021
BahrainNIPL-BENEFIT collaboration Enabling RuPay card acceptance across Bahrain ATM/PoS terminals in BENEFIT’s network05.08.2021
MalaysiaNIPL-MerchantTrade India partnershipReal-time UPI based remittances to India from MerchantTrade’s Network04.08.2021
BhutanNIPL-RMA partnershipEnable BHIM-UPI QR-based payments at all RMA acquired merchants13.07.2021
JapanNPCI-SBI-JCBSBI-RuPay-JCB Platinum Contactless Debit Card on RuPay network for ATMs & POS transactions across countries on the JCB network.01.12.2020
ChinaNPCI-UPIAcceptance of UnionPay payment cards at ATM/ POS terminals in India2018
SingaporeNPCI-NETS MoUNPCI-NETS linking for allowing RuPay cards/QR code payments at NETS acceptance points and vice versa2017
USANPCI-DFSAccess of Discover/ Diners Club International (DCI) cards at NPCI ATM/PoS terminals in India

RuPay cardholders to utilize DCI & PULSE networks internationally.
07.03.2012

Related Read: Payments Digest by Cashfree: July 2021- e-RUPI, Nexus & Non-bank CPS members


Others: Regulatory sandbox, AePS fraud liability, non-bank PPIs as NFS members & standardising UPI limits

  1. Regulatory Sandbox announcements: On the RBI Regulatory Sandbox, 3 announcements were made last month- (i) 1st Cohort on retail payments- 6 products are successfully tested and have exited the sandbox, REs can now consider these products for adoption, (ii) 2nd Cohort on cross- 8 entities are selected selection of 8 entities for the 2nd cohort’s test phase on cross-border payments, this includes a Cashfree Payments’ solution as well, and (iii) the third cohort will be on MSME lending, applications can be submitted between October 1st-November 14th.
  1. AePS fraud liability guidelines: The AePS plays an essential role in enabling payments access for the underprivileged using their Aadhaar and biometrics at any (say) business correspondent outlet. With increasing reports of frauds (siphoning DBT funds, fake biometrics, etc.), the NPCI has introduced guidelines. These essentially place the onus of reporting and bearing the fraud’s cost on the issuing/ acquiring banks depending on the error. Customers will receive a refund within 20 days of reporting.
  1. Non-bank PPIs NFS membership: Following up on recent moves to allow cash withdrawal from non-bank PPIs (instead of open bank PPIs alone), the NPCI has allowed non-bank PPI issuers to onboard with the National Financial Switch ATM network as a sub-member under the sponsorship model, and these can approach the NPCI for certification for enabling ATM transactions in the NFS network. 
  1. UPI Limit Standardisation: In view of varying UPI per transaction caps across member banks and apps, the NPCI has implemented consistent limits as provided below, thus standardising limits across the UPI ecosystem. Broadly, all UPI users will enjoy transaction caps of Rs. 1 Lakh now. The last date for compliance is October 31st, 2021:
Txn Category Txn TypeTxn limits
P2P/P2M
P2M Non verified online 
Collect ‘Share intent link and & pay’‘QR share & pay’2K
P2P/P2PM

P2M
Pay

All
1 lakh
P2M Verified Specific Categories(OC 82, OC 96)All2 lakh

That’s all for this edition. Stay safe.

This edition has been authored by Asheeta Regidi with inputs from Priya S. and others from the Cashfree team. Assisted by interns Urmil Shah and Unnat Akhouri. 


Bibliography

  1. Media Report by Dharmi Magdani, ‘Pay with RuPay’: How Modi’s RuPay card push in Bahrain may benefit India, Financial Express, dated 7 September 2019
  2. Media Report by Dinesh Unnikrishnan, HDFC Bank’s digital outages: 7 key takeaways from RBI action, MoneyControl, dated 3 December 2020
  3. Media Report: Can’t have lakhs in lurch for hours: RBI governor on HDFC Bank, Live Mint, dated 4 December 2020
  4. Media Report: HDFC Bank submits action plan to RBI, hopes to fix outage issue in 3 months, Business Standard, dated 23 January 2021
  5. Media Report by Asheeta Regidi: The future of card storage and card based recurring payments in India, The Economic Times, dated 30 March 2021
  6. Media Report by TradeArabia: UAE consumer appetite for digital payments takes off, Zawya, dated 6 May 2021
  7. NPCI Circular: Aadhaar OTP authentication in lieu of debit card for customer onboarding on UPI, NPCI/UPI/OC-116/2021, dated 8 September 2021
  8. NPCI Circular: International merchant payments acceptance through UPI – UPI Global, NPCI/UPI/OC-117/2021-22, dated 8 September 2021
  9. NPCI Press Release: ‘UAE a strategic growth market,’ says National Payments Corporation of India, dated 19 September 2019
  10. NPCI Press Release: Merchantrade Asia and NPCI International come together to offer real-time remittances to India through the UPI Platform, dated 4 August 2021
  11. NPCI Press Release: BENEFIT to power RuPay acceptance at ATM and POS in Bahrain, dated 5 August 2021
  12. NPCI Press Release: Mashreq Bank and NPCI International join hands to offer acceptance of Unified Payments Interface (UPI) in the UAE, dated 20 August 2021
  13. PFRDA Circular: Facility of NPS on-boarding through online Aadhaar e KYC, PFRDA/2021/13/SUP-CRA/10, dated 27 April 2021
  14. RBI Bulletin: Payment System Indicators, 2021-2022/882, dated 16 September 2021
  15. RBI Notification: Master Circular – ‘Know Your Customer’ (KYC) Guidelines – Anti Money Laundering Standards (AML) – ‘Prevention of Money Laundering Act, 2002 – Obligations of NBFCs in terms of Rules notified thereunder’, RBI/2015-16/108, dated 1 July 2015
  16. RBI Notification: Tokenisation – Card transactions, RBI/2018-19/103, dated 8 January 2019
  17. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, dated 17 March 2021
  18. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/2020-21/117, dated 31 March 2021
  19. RBI Notification: Prepaid Payment Instruments (PPIs) – (i) Mandating Interoperability; (ii) Increasing the Limit to ₹2 lakh for Full-KYC PPIs; and (iii) Permitting Cash Withdrawal from Full-KYC PPIs of Non-Bank PPI Issuers, RBI/2021-22/40,  dated 19 May 2021
  20. RBI Notification: Tokenisation – Card Transactions : Extending the Scope of Permitted Devices, RBI/2021-22/92, dated 25 August 2021
  21. RBI Notification: Tokenisation – Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services, RBI/2021-22/96, dated 7 September 2021
  22. RBI Press Release: Enabling Framework for Regulatory Sandbox, 2019-2020/417, dated 13 August 2019
  23. RBI Press Release: Regulatory Sandbox (RS): First Cohort on ‘Retail Payments’ – Exit, 2021-2022/852, dated 13 September 2021
  24. RBI Press Release: Regulatory Sandbox (RS): Second Cohort on Cross Border Payments – Test Phase, 2021-2022/853, dated 13 September 2021
  25. RBI Press Release: Reserve Bank Announces Opening of Third Cohort under the Regulatory Sandbox, 2021-2022/854, dated 13 September 2021
  26. RBI Press Release: India and Singapore to link their Fast Payment Systems – Unified Payments Interface and PayNow, 2021-2022/858, dated 14 September 2021
  27. SEBI Circular: Entities permitted to undertake e-KYC Aadhaar Authentication service of UIDAI in Securities Market, SEBI/HO/MIRSD/DOP/CIR/P/20, dated 12 May 2020.
Asheeta Regidi Head, Fintech Policy at Cashfree.