How India's payments rules invited chaos

India’s central banker first notified the new recurring card payments rule in August 2019 ostensibly to balance security of transactions with customer convenience.


  • Two back-to-back rules issued by the Reserve Bank of India have left businesses, banks and fintechs in a fix
  • The payments ecosystem wasn’t prepared for the 1 Oct deadline for the new recurring rule. Over 70% of all standing instructions failed on 1 Oct and they continue to fail, hurting businesses

NEW DELHI : On 6 October, Tanmoy Goswami who runs a website on mental health, Sanity by Tanmoy, posted a screenshot of his subscription dashboard on the social media platform Twitter. It showed a series of payment failures, worth 500 each, from subscribers of the site.

“This is what the dashboard looks like after the new recurring payments rule. I don’t know how I am going to recover from this," he tweeted.

The tweet elicited interesting responses. “RBI (Reserve Bank of India) has single-handedly wrecked the Indian subscription economy. Nothing less than a demonetization-scale impact for many folks," read one response to Goswami’s tweet.

What’s going on? The Reserve Bank of India’s new guidelines have disallowed recurring card payments without a one-time registration. In addition, India’s central bank has also made additional factor of authentication, or AFA, mandatory for all recurring transactions below 5,000 on debit cards, credit cards, unified payments interface (UPI), and other prepaid payment instruments or PPIs. The payments ecosystem and every stakeholder in the subscription economy had a deadline to comply: 30 September. But they didn’t.

Disgruntled companies, who depend on subscription renewals as their primary revenue model, have been venting on social media platforms since 1 October.

The payment ecosystem

“My Indian subscription renewals are failing. I am too dejected to even check how many payments are failing," Goswami told Mint. He is writing back to the subscribers urging them to update their card details. However, it takes effort, and although it seems like a small thing for a subscriber to do, the ease of transaction they are used to has disappeared all of a sudden.

“I run a tiny platform. A significant part of my total subscription base is monthly. My readers are very loyal, but the problem is, the effort for this re-verification is disproportionate for them, because their life is not going to stop if they don’t subscribe to my platform," Goswami added.

India’s subscription industry, as Goswami notes, is not limited to the biggies we often hear about—Amazon Inc., Netflix Inc., Disney+Hotstar. There are plenty of small businesses, such as jewellers, who depend on subscriptions, for instance. Some of them run gold kitty schemes allowing customers to deposit as little as 1,000 per month systematically for a tenure of 11-36 months after which they are entitled to purchase jewellery at a discount. The recurring payments rule has hit them, too. Companies who sell holiday packages and allow customers to pay in instalments are also perplexed. “Since many standing instructions are failing, they don’t know whom to levy penalty and (charge) late fees from," said a person who didn’t want to be identified.

Not just businesses, even some customers have been grumbling. Some are angry because their Apple, or cloud storage, OTT (over-the-top) platform, music and newspaper subscriptions are getting rejected with many left clueless about what’s happening on the policy front.

But as of now, the greater impact is being borne by businesses and the payments industry, which are reeling under the new dispensation as they bear the brunt of an ill-prepared banking system that failed to get its systems up and running before the 30 September deadline.

Harshil Mathur, co-founder and chief executive officer of payments firm Razorpay

“The party which needs to invest in terms of building the technology is completely different than the party who is getting impacted. So, the whole action is required from the banks’ end but in case they don’t take any action, it is the merchants who risk losing their businesses," a senior executive from a large OTT company in India, said. He, too, didn’t want to be identified.

The question is: who is responsible for this mess? Can RBI be solely blamed? And why couldn’t the banking system gear up well before the deadline? Were they not given enough time to comply?

How and why

Every story has two sides. The Reserve Bank of India, on its part, had reasons to come up with the recurring payments rule. And the guidelines certainly didn’t come out of the blue—they were first notified in August 2019. Back then, RBI had said that the change was required to balance the safety and security of card transactions with customer convenience.

So, what happened between 2019 and now? Companies and industry bodies made a beeline to represent their views to the Reserve Bank of India. The central bank first ended up extending the compliance deadline from December 2020 to 1 April 2021.

Looks like the banking ecosystem didn’t take the extension seriously enough. The banks were supposed to work on the back-end infrastructure that would enable the new system but they clearly lagged. Instead, they banked on one more extension.

Fintech firms such as Razorpay are helping banks comply with new RBI guidelines

RBI was unhappy but relented, extending the deadline to 30 September but only for old mandates and not the new ones.

It’s been over a month since the new policy on recurring payments kicked in. The industry is still in a panic mode. More than 70% of all standing instructions failed on 1 October and they continue to fail.

“Recurring payments were not allowed in India but it was also never disallowed. It has been in the grey zone for long," Harshil Mathur, co-founder and chief executive officer of payments company Razorpay, said. “There were no structured guidelines around it. They (recurring payments) have only grown leaps and bounds in the past two-three years and a lot of banks started supporting it," he added.

RBI was well aware of this exponential growth. It grew increasingly worried that such fast-paced growth would compromise customer protection considering India’s demographic. A large number of financially less-literate customers might be signing up for a recurring payments mandate thinking it’s a one-off payment. They wouldn’t know whom to approach, or how, to cancel such mandates.

Indeed, some merchants did make life difficult for customers. They started taking standing instructions on their platforms and made it difficult for subscribers to stop auto-debits.

“90% of merchants have a liberal policy in terms of refund and queries. However, 10% merchants started abusing the system," the executive from the OTT company quoted earlier said.

As a solution, RBI changed this entire model from merchant-led to bank-led. In the earlier era, consent was taken by the merchant and communication also took place with the merchant. The new guidelines state that the registration has to be executed by a bank, which will also handle customer escalation and send the necessary messages.

Some customers are indeed happy this happened—they can easily get rid of subscriptions they no longer need. “I have two-three subscriptions. I have a subscription with a global publication and it is too difficult to unsubscribe. You actually have to call them to unsubscribe. Finally, thanks to the new rules, my subscription has stopped as that was a big amount for me," said one happy customer who didn’t want to be quoted. Another user said that he subscribed to a reading app and found no way to cancel it. “I literally had to beg to cancel my subscription. I feel many platforms were doing this," he said.

The bank reality

Banks knew this was coming since 2019. Why weren’t they geared up with back-end technology? Banks were not ready as this was simply not a priority during 2020, a pandemic year. Rescuing businesses, extending line of credit, giving moratoriums during the raging pandemic took precedence over the recurring payments problem. In any case, recurring payments would just be one line of business for them.

As per the guidelines, banks are required to take clear consent at registration and to notify customers 24 hours in advance, giving them an option to opt out. Only the top 10 banks are ready with the required infrastructure today—a long tail of banks are not. An executive at one of the largest private sector banks said that ICICI Bank, HDFC Bank and Axis Bank wrote to the central bank before the 30 September deadline stating that they were ready with the new infrastructure. Interestingly, ‘being ready’ is hardly uniform. On the recurring side, one part is new registrations, where issuers may have been ready to take fresh mandates. However, the major disruption was with existing transactions. The migration of old data is a tough task.

The payments industry has to adopt ‘tokenization’ from 1 January 2022, which is a process of replacing actual card details with a unique alternate code

“Among the top-tier banks, some were ready only on the last day. The issuer (banks) ecosystem being ready was not enough because next, the payment aggregators and merchants needed time to integrate," said a payment gateway executive. He didn’t want to be identified either.

Ecosystem companies such as payment aggregators not only had to build the solution but also test it, get a sign-off from the banks and solution providers before they could go live. All this is time-consuming.

“SBI went live only on 30 September. Everything was happening at the last moment. There were a lot of hiccups," the OTT executive quoted earlier said.

Sanjeev Moghe, executive vice president and head of cards and payments at Axis Bank, said that the integrations of banks and merchants and other ecosystem players are not plug-and-play, they tend to take time. “This will stabilize in two months," he said.

Some bankers, however, argue that the deadline, even with the extensions RBI had granted, was too small a time frame to effect such a fundamental change in technology. And some are still grappling with the question of why this change had to be made now.

“When a customer enrols for a standing instruction, they are the most elite customers in the digital payments space. If I have a HDFC card, I trust the bank but when I am allowing my card to be saved on a merchant platform and be charged periodically, then I have trust on the merchant. That trust needs to be built at the merchant level and not at the bank level," the OTT executive, whose business is now hugely impacted, explained.

“The problem is RBI doesn’t understand tier-1 customers very well," an executive from a payments company who didn’t want to be quoted said. “When we told them (RBI officials) that the customers will have to type the card number again and again, their response was ‘what’s the big deal? They were used to typing the card numbers earlier’," he added.

An email sent to RBI seeking clarifications on the points raised by the payments industry and merchants did not elicit any response.

To fintechs for help

All this chaos is giving rise to a new trend. It is drawing banks and the more disruptive fintech companies closer than ever before. To implement the new RBI guidelines, banks need help.

In April this year, the RBI said it may not extend the recurring pay deadline any further. That’s when one of India’s largest payment aggregators, Billdesk, started building a solution called SI Hub. Razorpay started building MandateHQ and PayU built Zion to help banks comply with the guidelines.

The fintech firms therefore became technology service providers for banks. Their solutions allowed banks to send notifications 24 hours prior to a payment, send customers links for cancellation of the mandate, and the links for customers to be able to see all the mandates that were registered with a particular bank.

Apart from banks, payment aggregators and merchants also need to be onboarded. For instance, Axis Bank has gone live on Billdesk SI Hub. In order to allow their merchants to support Axis Bank cards, other payment aggregators such as Razorpay or Cashfree will have to integrate with SI Hub. Billdesk will charge both bank and payments aggregators separately for its solution.

According to industry sources, SI Hub quotes somewhere between 12 lakh and 15 lakh as a one-time integration cost to the banks and charges anywhere between 1.2-1.5 per transaction. This is a one-time integration cost for a five-to-seven-year agreement. Then, there are expenses banks would incur for onboarding a customer, for customers opting out and on every transaction.

Billdesk did not respond to a clarification on the pricing sought by Mint by the time the story went to press.

“These quotes (pricing) are without any negotiation. I am sure it can come down a few paise if there is volume," the founder of a Mumbai-based payment aggregator explained. “It will get passed on to merchants. Merchants operate through a payment aggregator. If an aggregator has 10 merchants who want recurring payments transactions, then the cost can be passed on to those merchants," he added.

In the middle of all the chaos, there’s a silver lining which many may be missing. With the new rules, standing instructions on debit cards are now allowed.

“In a country where there are 60 million credit cards and 800 million debit cards, the RBI now says one can use this framework to support recurring payments on debit cards, too. The number of customers that will be added to this ecosystem is going to be massive," hoped Swaroop Kulkarni, the director of products at PayU. The fintech company provides payment technology to online merchants.

Card storage rules

While the industry was struggling to deal with the standing instructions guideline, they were hit with yet another rule: the payment aggregator/payment gateway guidelines (PA/PG). The guidelines have many clauses and mandate that firms approved by the Reserve Bank of India can acquire and offer payment services to merchants. One condition was particularly troubling for the industry—no merchant will be allowed to store the Card-on-File (CoF)—the card information stored by the payment gateway and merchants to process future transactions.

“That was a shocker to the industry because when the regulations were drafted, the draft never indicated any such thing will apply," an executive at one of the major consumer payments companies with a payment aggregator licence, said. “Early this year in February, the RBI informed us that no non-banking entities will be allowed to store the card on file," he added. He didn’t want to be identified.

Further, RBI had earlier this year mandated that e-commerce companies and payment aggregators will no longer be allowed to store card details of a customer online. The mandate, which was supposed to come into effect starting July 2021, has now been pushed to the start of next year.

Apart from merchants and payment aggregators, this guideline will be a major blow for businesses such as Cred, Flipkart, Swiggy, Zomato, Amazon and other e-commerce businesses. The business model of all these companies depends on “frictionless one-click" payments to consumers. Under the new rules, companies such as Cred will need to compel its users to type in their card details every single time a payment has to be made.

On one hand, while the business of cards will be impacted, it opens up a new revenue line for the card networks as the entire industry has been asked to move to ‘tokenization’—a solution controlled by card networks such as Visa, Mastercard and others. Tokenization is a process of replacing actual card details with a unique alternate code called the ‘token’. Sensitive customer data such as card number and CVV (card verification value) are replaced with an algorithmically generated encrypted token. When they move around in a payments system, the tokens do so without disclosing any sensitive customer details. The customer data will, therefore, no longer be stored with either the merchant or the payment aggregator. Tokens, if breached, will have little value for hackers since these are randomly generated numbers. RBI has made card tokenization mandatory from 1 January, 2022.

Tokenization, however, presents the industry with a new challenge. One of the most popular ways credit cards are used is to convert big purchases into equated monthly instalments, or EMIs. When cards migrate to tokenization, credit card EMIs, instant payouts, and instant cashbacks may take a major hit. Why is that?

EMI is not a payments instrument such as debit card, UPI or net banking. There is no protocol in the infrastructure of card networks such as Visa and Mastercard to label a transaction as an ‘EMI transaction’.

So, when you buy a bag and choose EMI on a merchant platform, the payment gateway takes your consent, captures the information but goes ahead processing the transaction like any other credit card transaction. At the back-end, the payment gateway issues a file that requires your full card number to be sent to the issuer bank (whose card is used for payment) and convert the transaction into an EMI.

In industry parlance, this file processing process is known as the ‘offline EMI model’.

“80% of issuers operate in the offline EMI model. So, if we are not able to access the full card number, how will we access this file? Similarly, there are products like instant payouts and instant cashbacks that require the full card number. With tokenization, I am not sure if the process will be as smooth. Even in tokenization, the RBI says you need a clear consent from customers before tokenizing the card," an executive explained.

In short, the new rule may end up challenging the EMI model that is prevalent today. Or that is the fear.
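The tokenization flow and the offline EMI problem described above, as an added Python sketch that is not from the article or from any card network. `NetworkTokenVault`, the per-merchant binding of a token, the EMI row layout and the card number are all assumptions constructed for illustration.

```python
import secrets


class NetworkTokenVault:
    """Hypothetical stand-in for a card network or issuing bank, the only
    parties that keep the mapping from a token back to the real card number."""

    def __init__(self):
        self._vault = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan, merchant_id, customer_consent):
        # The article notes that consent is needed before a card is tokenized.
        if not customer_consent:
            raise PermissionError("customer consent required before tokenizing")
        # Random digits: the token is not derived from the card number, so it
        # cannot be reversed without access to this vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._vault:
                break
        self._vault[token] = (pan, merchant_id)
        return token

    def detokenize(self, token, merchant_id):
        # Assumption of this sketch: a token is honoured only for the
        # merchant it was issued to.
        pan, owner = self._vault.get(token, (None, None))
        if pan is None or owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pan


def merchant_record(vault, pan, merchant_id):
    """What the merchant or aggregator keeps on file: the token, never the PAN."""
    token = vault.tokenize(pan, merchant_id, customer_consent=True)
    return {"merchant": merchant_id, "token": token}


def offline_emi_row(record, amount, tenure_months):
    """Gateway-side row for the 'offline EMI' file, which needs the full card number."""
    if "pan" not in record:
        raise ValueError("full card number unavailable: record holds only a token")
    return f"{record['pan']},{amount},{tenure_months}"


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = NetworkTokenVault()
    rec = merchant_record(vault, pan, "merchant-A")
    results = {"pan_in_merchant_record": pan in rec.values()}

    # A token copied from merchant-A's database and presented by someone else.
    try:
        vault.detokenize(rec["token"], "merchant-B")
        results["stolen_token_usable"] = True
    except PermissionError:
        results["stolen_token_usable"] = False

    # The gateway tries to build the offline EMI file from what it has on file.
    try:
        offline_emi_row(rec, 12000, 6)
        results["gateway_can_build_emi_file"] = True
    except ValueError:
        results["gateway_can_build_emi_file"] = False

    # Only the vault holder can get back to the card number.
    results["network_can_resolve"] = vault.detokenize(rec["token"], "merchant-A") == pan
    return results


if __name__ == "__main__":
    print(demo())
```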

Many industry officials are of the view that the recent data breaches at Juspay and MobiKwik were a trigger for the strict card storage rules. However, there is no guarantee that even with these changes, data breach will not happen as this rule also brings in concentration risk to the ecosystem, experts believed (more of this a bit later).

The implications

Tokenization has cost implications, too. Earlier, a simple card transaction used to cost a few paisa, divided among all ecosystem players. The cost per saved tokenized card will shoot up to 6-7. These costs, ultimately, would be passed on to the merchants. The industry feels these costs will moderate once the technology settles down and is more widely used.

Apart from India, other countries have been trying to adopt a similar solution but it may take five-seven years for all the card transactions to migrate to tokenization. This migration is likely to happen in phases and not in a hurry.

“RBI has said that only the issuing bank and the card networks are allowed to do tokenization. The problem here is that no bank is ready with the tokenization. There is no system in place," an executive from a Bengaluru-based payments company said.

The larger view: if banks couldn’t prepare in time for the recurring payments guidelines in the last two years, adhering to tokenization guidelines will also remain a tall task. That leaves everyone in the ecosystem to depend on the network providers—Visa, Mastercard, Amex, Diners, the National Payments Corporation of India (NPCI).

At least two large card providers— Amex and Diners Club—aren’t ready with the complete solution yet, industry sources said. Both the companies did not respond to clarifications Mint sought until press time.

“There is no line of sight as to when will they be ready with tokenization and the only choice of cardholders will be to type in their card numbers every time they transact," the payments executive quoted above said. This leaves the industry with Visa, Mastercard and NPCI. All the three players are in various degrees ready in terms of technology, sources said.

Visa had in October launched India’s card-on-file tokenization services. Launched in partnership with Juspay, the CoF tokenization service will be available across e-commerce companies such as Grofers, Bigbasket and MakeMyTrip, the firm said. T.R. Ramachandran, group country manager, India and South Asia at Visa had commented: “The RBI’s move to allow tokenization for e-commerce payments will revolutionize digital payments across India’s e-commerce platforms. Having launched CoF tokenization services in over 130 countries globally, we are confident of the technology’s ability to build a safe, secure and seamless environment for digital payments."

Similarly, other card networks are expected to integrate their services with payment gateways. Razorpay has launched a tokenization solution, TokenHQ, in partnership with all the networks. PayU has just launched ‘PayU Token Hub’. Similarly, Cashfree, another payment gateway, is also expected to launch its solutions soon.

Praveena Rai, chief operating officer of NPCI, said that the company has released RuPay (NPCI’s card payment network) tokenization specifications and related implementation guides for the industry. “We have taken an approach in the technical design for minimal changes required by banks in order to mitigate major time and efforts at their end, especially given the timelines involved," she said. “NPCI is currently working with various ecosystem payment players to test and certify them as prescribed under the regulatory guidelines. The focus now is to work intensely with the payments ecosystem to provide support and enable online merchants in this regard, so they can start migrating customers from card-on-file to tokenized cards," she added.

Meanwhile, of the five card networks, three, including Mastercard, are barred from onboarding new customers due to non-compliance with India’s data localization rules. Some experts see a dichotomy here—the fact that the Reserve Bank of India is now trusting the same networks with card storage.

The move, nevertheless, is also expected to increase the market share concentration, in terms of card transactions, with Visa, Mastercard and NPCI. Visa controls 45% of the market share, Mastercard another 40%. RuPay is at about 13% share, the remaining being with Diners Club and Amex.

While all of what RBI wants is doable, the grumblings again are about time—or the lack of it. There is just not enough time to comply with these two heavy-duty guidelines one after another, bankers Mint spoke to reiterated. But then, one can’t fault the central banker for doing its duty.

“The regulator’s concern is always to protect the customer interest and if it calls for some tough measures in the interest of public good then that should prevail," Ritesh Pai, the former chief digital officer of Yes Bank, said.

“I think digital transactions come with its fair share of fraud and risk issues. Such measures (RBI’s) initially may sound unreasonable and realistic but will go a long way in providing trust and assurance," he added.
