RBI stance on Recurring Payments: Boon or Bane?
Regulations can make or break companies and sometimes even industries. Take the example of auto sector in our country which is in a lot of distress due to evolving policies. In the payments industry, a regulation from RBI has the power to change the dynamics overnight. We have seen this happen time and again with a host of regulations pertaining to 2FA, UPI, Wallets, etc..
RBI’s recent circular on Recurring Payments has almost everyone in the payments industry wonder if this unshackles the market for recurring payments. At an immediate glance, it seems so: (1) opening up for all sectors (2) opening up for all types of cards: credit, debit, and prepaid (3) no limits except for per transaction limit of 2000 rupees. But it does come with a string of conditions to prevent abuse. Taken together, is it a silver lining or the beginning of yet another winter?
The circular can be availed here: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11668&Mode=0
Background
The business of recurring payments has always been caught in the middle of two competing priorities: convenience vs safety. In 2009, RBI decided that every transaction has to be mandatorily authenticated by the customer. The only accepted authentication schemes are the ones approved by the Issuer of the said card. RBI did not explicitly endorse 3D Secure technology (the one adopted by the Banks). But since the card networks (and the card Issuers) already had this in place, it was convenient to simply enable this. And hence, the widespread adoption of Verified by Visa and MasterCard SecureCode.
Did the RBI achieve its goal?
Absolutely. RBI intended this to be the best way to protect the interests of the consumers. In a way, this is how our society organizes on most occasions. We lack trust with our institutions and hence defer to the principle of Prevention is better than cure. Unfortunately, it is the same with this particular decision as well. We will come to this at a later point in time. It suffices to say that RBI wanted to prevent fraud in the first place rather than letting the system address the same after it has happened.
Payment Fraud is a real and persistent problem across the globe with card payments. With this RBI move, Payment Fraud was reduced to near zero in India in a short span of time. But, it did come with a cost.
Collateral Damage
Online businesses were collateral damage due to the introduction of 3D secure. This is an indirect cost that we pay for a system where there is a pervasive lack of Trust. Success rates plummeted for almost all online businesses, thereby affecting their topline. When 2FA was mandated for IVR transactions too, Hrush Bhatt of Cleartrip penned an extremely harsh take condemning 3D Secure:
From the point of a Merchant, it is completely understandable. Their topline would have fallen by as much as the reduction in the Payment Success Rate.
Recurring Payments: the other casualty
The regulation automatically disqualifies any and all recurring payments. Since the user is not present in the renewal flow, payments cannot happen. There are a host of usecases that desperately need Recurring Payments such as SIP investments, Bill Payments, and Content Subscriptions.
Making amends; Dream of a summer
Mobile revolution has created tremendous opportunities for Indian businesses. Particularly for the content based apps, this is the golden period. Apps such as Hotstar & Amazon Prime are setting records. Subscription programs are the new battlefronts for large companies like Amazon, Flipkart, Swiggy, Zomato, Paytm. Not only can they boost e-commerce, but they also can fuel Mutual Fund investments, Lending businesses which will help grow the country’s financial health.
For RBI to bring back recurring payments, there can’t be any other reason but that regulation is suffocating such businesses. To put it in better words, it is perhaps time RBI worked towards enabling and supporting such businesses.
Devil is in the Detail; Always
While the intention is appreciable, the actions need to be equally glorious. From the notification, it is clear that RBI is unable to fully come out of the 2FA hangover. The following points, taken from the notification, could not mean anything but that:
8. As a risk mitigant and customer facilitation measure, the issuer shall send a pre-transaction notification to the cardholder, at least 24 hours prior to the actual charge / debit to the card.
10. On receipt of the pre-transaction notification, the cardholder shall have the facility to opt-out of that particular transaction or the e-mandate. Any such opt-out shall entail AFA validation by the issuer.
15. The issuer shall provide the cardholder an online facility to withdraw any e-mandate at any point of time following which no further recurring transactions shall be allowed for the withdrawn e-mandate.
From the above, we see that the onus for a safe implementation (safety here is actually debatable!) is with the card issuing banks. There are major problems here:
Card issuers have to develop & maintain additional software infrastructure
This capability for providing the customer safety net is not readily available in their system. And hence, they have to invest in development, testing, deployment & maintenance. In my opinion, it would take Issuers more than 6 months to exactly implement the requirements put forth by the RBI.
Fragmented UI and UX
Since the guidelines don’t spell out the exact requirements for UI/UX, expect a fragmented experience across the banks. Banks cannot be faulted for sub par UI/UX. Everyone (Customers, Merchants and Banks) loses here.
Periodicity is non-negotiable here
The start and end date of a subscription typically involves billing for partial month & hence varying amount. Since the transaction window is Issuer’s prerogative, Merchants will struggle to deal with this scenario.
Plan upgrades
While I may register for a Netflix mobile only subscription now, I would like to upgrade to a full HD plan later. That thought process would be absent for most Customers at the time of subscription. Upgrading later will involve recreation of Mandate which is quite cumbersome.
Max amount (for variable amounts) problem
This field doesn’t exist in most Card Acquiring systems. Even if it exists, it needs to be figured out how this information can flow in the card networks to reach the Issuers.
Different flows for India vs non-India issued cards
Merchants have to identify the country of issuance & accordingly present the users with different flows as non-India issued cards will not have the mandate flow implemented.
Card issuer is forced to be a party in the Buyer Seller relationship
The contract is between the Buyer and the Seller. At best, the card issuing bank is only incidentally related to this contract. At least, the acquiring Bank is an enabler to this Contract. When the customer wishes to switch the payment method, the journey is now almost that of creating a new Contract.
Why not enforce via Acquirers and Merchants?
Among all the options available to them, RBI went with the Issuer first approach. This would be the hardest to implement as all the Banks have to make amends to their system now.
Payment Fraud notwithstanding, subscription businesses are powered by contracts between the Merchant and the Customer. Merchants are empowered by Acquirers to collect online payments. Acquirers are directly accountable to RBI and operate as governed by the Payment Systems and Settlements Act.
21. It shall be the responsibility of acquirers to ensure compliance by merchants on-boarded by them in respect of all aspects of these instructions.
And yet, RBI places little trust on Acquirers to abide by their instructions in spirit and letter. It is the same old principle of “Prevention is better than Cure” which is again in play here. And this perhaps is going to cost us again. There is no clarity on when Issuers will be ready with the changes. This would inevitably delay the rollout. And hence a lost opportunity for the businesses.
My Wishlist for RBI to strengthen Digital Payments
Online commerce is registering exponential growth in the country. We are no longer what we used to be a decade ago. Any drastic measure by RBI will have far reaching implications for us. With this realisation, it would bode well for us if RBI strengthens all constituent parts of the payments ecosystem:
#1 Improve Customer support by Banks: This leaves a lot to be desired. RBI should monitor the NPS of various Banks and make them invest in Customer Support. Define SLAs for resolving various customer issues. Appreciate the good ones and heavily penalise the bad ones.
#2 Work more closely with Acquirers and Aggregators: The current scenario is that RBI is way too comfortable dealing with the Banks. They should open direct channels with all the Acquirers and Aggregators, discuss key issues and welcome creative ideas.
#3 Take more risks: With the increasing confidence in the payments ecosystem players, more calculated risks can be taken. For instance, take the current limit of 2000 rupees. Why not 5000 rupees?
#4 Be more data driven: Aggressively source Data and Inferences from ecosystem players. Use this as the basis for arriving at decisions.
#5 Prefer Penalty to Ban: In case of contract breaches, use Penalty as a tool to bring institutions in line rather than Ban. Use the Penalty proceeds to fund the safety net for Customers.
#6 Focus on UX: Last but the most important thing is to balance customer protection with customer experience. To save 1% of users from abuse, we cannot sacrifice good UX for 99% of the users.
Conclusion
RBI’s concerns are well placed and are definitely understandable. But at some point, one should let the child walk and overcome the fear of the child falling down, otherwise, the child may never learn to walk.
Disclaimer: The above are my personal views and do not represent that of any organization that I am associated with.