Technology Law Analysis
August 26, 2019
Recurring Online Payments via Cards and E-Wallets now a Reality!

  • E-mandates can be registered by users for recurring payments with merchants via debit / credit cards and e-wallets, subject to a limit of INR 2,000 (approx. USD 30) per transaction.
  • Additional factor of authentication applicable at the first instance, and not for subsequent successive payments.
  • Consumers have the option to modify or withdraw the e-mandate registered.

BACKGROUND

India is second only to China in terms of number of debit cards issued.1 As of February this year, the number of debit cards issued stood at 944.5 million and credit cards at 46.1 million, according to the Reserve Bank of India.2 On the purely digital front, the volume of e-wallet transactions stood at 334 million in June alone this year.3 The electronic and digital payments ecosystem in India has truly been thriving. However, one snag in the system was that recurring payments were neither a viable nor smoothly implemented by banks and payment service providers. This had a considerable impact on subscription-based OTT and digital services platforms that would prefer smooth, systematic and successful periodic payments to be consummated for continual provision of services to users.

RBI DIRECTIVE

The Reserve Bank of India (“RBI”), India’s apex bank has issued a directive4 (“Directive”) permitting e-mandates for recurring payments to be made to merchants, via debit / credit cards and e-wallets.

AFA would be required only during the e-mandate registration (or first transaction if simultaneous), or in the case of modification or revocation of the e-mandate. This should allow simple and automatic subsequent successive transactions. The offering of this e-mandate facility by an issuer would be subject to certain compliances, of which certain major ones are elucidated in the Annexure.

Importantly, the Directive is applicable to debit cards, credit cards and prepaid instruments including e-wallets. The maximum limit permitted per transaction under the e-mandate is INR 2,000 (approx. USD 30). No charges should be levied on the cardholders for availing this e-mandate facility.

POSITION PRE-DIRECTIVE

Pursuant to its introduction in 2011 and subsequent ‘reinforcement’ notifications by the RBI, all online transactions through credit / debit cards issued in India were subject to a mandatory ‘additional factor of authorization’ (‘AFA”).5 This ‘second factor’ authentication, as commonly known, is based on information known or available to the card holder but is not printed on the card. Since this mandate by the RBI, banks have implemented the AFA requirement primarily though one-time passwords being immediately sent to the users’ registered mobile number, or through use of internet passwords. Hence, recurring transaction payments were not smooth and required customers to undertake additional steps.

The RBI in 2016 directed6 that this AFA requirement may be relaxed, at the option of the consumer, for transactions of up to INR 2,000 (approx. USD 30). In such cases, AFA was conducted at the time of registration of the instruction by the user, or at the time of the first transaction, if simultaneous. However, this wasn’t fully implemented. Certain banks and card networks were not offering such a facility for debit cards and this had a considerable impact on digital platforms as credit cardholders in India are significantly lower in number as compared to debit cardholders.

ANALYSIS

One aspect that the RBI could consider is to increase the INR 2,000 limit per transaction somewhere down the line, once it is comfortable from a risk perspective. An increased limit may be conducive for less frequent but higher quantum transactions, such as in the case of yearly subscription payments. At present, the wordings of the Directive appear agnostic on the periodicity between recurring payments that can be made. Hence, recurring payments may be able to be made on a daily basis, unless specific periods are set out by banks registering the e-mandates. Further, one could argue that even if monthly subscription payments exceed the INR 2,000 limit; they could be broken down into multiple smaller transactions during the month, then each recurring payment would be below the prescribed limit and this may be permitted..

In the case of prepaid instruments,7 this is a first for this industry vertical and should be a big win for merchants, digital payment providers and users alike. Given the stringent wordings8 of the RBI Master Direction on Issuance and Operation of Prepaid Payment Instruments9 (“PPI Direction”), seamless recurring payments via PPIs including e-wallets were not possible as every successive payment transaction via an e-wallet is to be authenticated by the consumer via explicit consent. Given the Directive and that it may prevail over the PPI Direction in case of a contradiction, recurring payments via e-wallets should now be possible.

As a build-up, the National Payments Corporation of India (NPCI) had also recently announced that it had received approval from the RBI for implementation of e-mandates via internet banking and debit cards.10 This was to allow e-mandates for consumers, facilitated by banks towards limited purposes.11 Banks had until June 30, 2019 to implement the e-mandate facility. Some banks had implemented the e-mandate facility12 but not all banks and card providers had followed suit. Overall, this move by NPCI, although in the right direction, did not appear to benefit merchants and consumers by facilitating recurring payments. The Directive appears much broader in scope and framework for implementation.

Given the Directive, recurring payments via cards and e-wallets now seems a reality, as it is expressly permitted by the RBI and has the sanctity of law. This appears to be a big win for OTT and digital services platforms such as SAAS, cloud, audio and audio-video content platforms that largely depend on periodic subscription payments to be made by users. For instance, the video OTT market in India alone, which primarily comprises content streaming services - is likely to be ranked among the top 10 markets globally with a market size of USD 823 million by 2022.13 Hence, with the population and mobile and internet penetration in India, there is no ignoring the digital services industry and its potential. The introduction of the Directive should go a long way in improving user retention for platforms due to seamless payments that can now be made, and continued and uninterrupted service for the user.

As with most RBI directives, we must now wait for the banks and payment system players to implement!

 

– Aaron KamathVivek Kathpalia & Gowree Gokhale

You can direct your queries or comments to the authors


Benchmarking India’s Payment Systems; dated June 4, 2019. Available at: https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=923#ANE

2 India had 46.1M credit cards, 944.5M debit cards in February 2019; dated April 22, 2019. Available at: https://www.medianama.com/2019/04/223-india-had-46-1m-credit-cards-944-5m-debit-cards-in-february-2019/

3 Payment companies seek better MDR deal; dated August 13, 2019. Available at: https://economictimes.indiatimes.com/industry/banking/finance/payment-companies-seek-better-mdr-deal/articleshow/70652136.cms

4 Directive on Processing of e-mandate on cards for recurring transactions; dated August 21,2019. Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0

5 Vide Notification RBI/2014-15/190 dated August 22, 2014; “Security Issues and Risk Mitigation measures related to Card Not Present (CNP) transactions”; available at: https://rbi.org.in/scripts/NotificationUser.aspx?Id=9183&Mode=0

6 Vide Notification RBI/2016-17/172 dated December 6, 2016; “Card Not Present transactions – Relaxation in Additional Factor of Authentication for payments up to ₹ 2000/- for card network provided authentication solutions”; available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10766&Mode=0. Our write up on this notification is available here.

7 Paragraph 2.3 of the PPI Direction defines ‘prepaid instrument’ as payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments.

8 Paragraph 15.3(c) provides that “Issuers shall introduce a system where every successive payment transactions in wallet is authenticated by explicit customer consent.”

9 Available at: https://www.rbi.org.in/ScriptS/BS_ViewMasDirections.aspx?id=11142

10 RBI Approves E-Mandates For Internet Banking, Debit Cards; dated April 26, 2019. Available at: https://inc42.com/buzz/rbi-e-mandates-internet-banking-debit-cards/

11 Such as B2B collections, investment and insurance products and utility payments, government payments, trade receivables, loan repayments, asset rentals and collection of education / society charges

12 Reference: https://www.kotak.com/content/dam/Kotak/about-us/media-press-releases/2019/media-release-kotak-mandate-22042019.pdf

13 Video OTT market in India to be among global top 10 by 2020touch $823 mn: Study; dated May 9, 2019. Available at: https://economictimes.indiatimes.com/industry/media/entertainment/video-ott-market-in-india-to-be-among-global-top-10-by-2020-touch-823-mn-study/articleshow/69251689.cms?from=mdr


Disclaimer

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender's contact information, which this mail does. In case this mail doesn't concern you, please unsubscribe from mailing list.


Technology Law Analysis

August 26, 2019

Recurring Online Payments via Cards and E-Wallets now a Reality!


  • E-mandates can be registered by users for recurring payments with merchants via debit / credit cards and e-wallets, subject to a limit of INR 2,000 (approx. USD 30) per transaction.
  • Additional factor of authentication applicable at the first instance, and not for subsequent successive payments.
  • Consumers have the option to modify or withdraw the e-mandate registered.

BACKGROUND

India is second only to China in terms of number of debit cards issued.1 As of February this year, the number of debit cards issued stood at 944.5 million and credit cards at 46.1 million, according to the Reserve Bank of India.2 On the purely digital front, the volume of e-wallet transactions stood at 334 million in June alone this year.3 The electronic and digital payments ecosystem in India has truly been thriving. However, one snag in the system was that recurring payments were neither a viable nor smoothly implemented by banks and payment service providers. This had a considerable impact on subscription-based OTT and digital services platforms that would prefer smooth, systematic and successful periodic payments to be consummated for continual provision of services to users.

RBI DIRECTIVE

The Reserve Bank of India (“RBI”), India’s apex bank has issued a directive4 (“Directive”) permitting e-mandates for recurring payments to be made to merchants, via debit / credit cards and e-wallets.

AFA would be required only during the e-mandate registration (or first transaction if simultaneous), or in the case of modification or revocation of the e-mandate. This should allow simple and automatic subsequent successive transactions. The offering of this e-mandate facility by an issuer would be subject to certain compliances, of which certain major ones are elucidated in the Annexure.

Importantly, the Directive is applicable to debit cards, credit cards and prepaid instruments including e-wallets. The maximum limit permitted per transaction under the e-mandate is INR 2,000 (approx. USD 30). No charges should be levied on the cardholders for availing this e-mandate facility.

POSITION PRE-DIRECTIVE

Pursuant to its introduction in 2011 and subsequent ‘reinforcement’ notifications by the RBI, all online transactions through credit / debit cards issued in India were subject to a mandatory ‘additional factor of authorization’ (‘AFA”).5 This ‘second factor’ authentication, as commonly known, is based on information known or available to the card holder but is not printed on the card. Since this mandate by the RBI, banks have implemented the AFA requirement primarily though one-time passwords being immediately sent to the users’ registered mobile number, or through use of internet passwords. Hence, recurring transaction payments were not smooth and required customers to undertake additional steps.

The RBI in 2016 directed6 that this AFA requirement may be relaxed, at the option of the consumer, for transactions of up to INR 2,000 (approx. USD 30). In such cases, AFA was conducted at the time of registration of the instruction by the user, or at the time of the first transaction, if simultaneous. However, this wasn’t fully implemented. Certain banks and card networks were not offering such a facility for debit cards and this had a considerable impact on digital platforms as credit cardholders in India are significantly lower in number as compared to debit cardholders.

ANALYSIS

One aspect that the RBI could consider is to increase the INR 2,000 limit per transaction somewhere down the line, once it is comfortable from a risk perspective. An increased limit may be conducive for less frequent but higher quantum transactions, such as in the case of yearly subscription payments. At present, the wordings of the Directive appear agnostic on the periodicity between recurring payments that can be made. Hence, recurring payments may be able to be made on a daily basis, unless specific periods are set out by banks registering the e-mandates. Further, one could argue that even if monthly subscription payments exceed the INR 2,000 limit; they could be broken down into multiple smaller transactions during the month, then each recurring payment would be below the prescribed limit and this may be permitted..

In the case of prepaid instruments,7 this is a first for this industry vertical and should be a big win for merchants, digital payment providers and users alike. Given the stringent wordings8 of the RBI Master Direction on Issuance and Operation of Prepaid Payment Instruments9 (“PPI Direction”), seamless recurring payments via PPIs including e-wallets were not possible as every successive payment transaction via an e-wallet is to be authenticated by the consumer via explicit consent. Given the Directive and that it may prevail over the PPI Direction in case of a contradiction, recurring payments via e-wallets should now be possible.

As a build-up, the National Payments Corporation of India (NPCI) had also recently announced that it had received approval from the RBI for implementation of e-mandates via internet banking and debit cards.10 This was to allow e-mandates for consumers, facilitated by banks towards limited purposes.11 Banks had until June 30, 2019 to implement the e-mandate facility. Some banks had implemented the e-mandate facility12 but not all banks and card providers had followed suit. Overall, this move by NPCI, although in the right direction, did not appear to benefit merchants and consumers by facilitating recurring payments. The Directive appears much broader in scope and framework for implementation.

Given the Directive, recurring payments via cards and e-wallets now seems a reality, as it is expressly permitted by the RBI and has the sanctity of law. This appears to be a big win for OTT and digital services platforms such as SAAS, cloud, audio and audio-video content platforms that largely depend on periodic subscription payments to be made by users. For instance, the video OTT market in India alone, which primarily comprises content streaming services - is likely to be ranked among the top 10 markets globally with a market size of USD 823 million by 2022.13 Hence, with the population and mobile and internet penetration in India, there is no ignoring the digital services industry and its potential. The introduction of the Directive should go a long way in improving user retention for platforms due to seamless payments that can now be made, and continued and uninterrupted service for the user.

As with most RBI directives, we must now wait for the banks and payment system players to implement!

 

– Aaron KamathVivek Kathpalia & Gowree Gokhale

You can direct your queries or comments to the authors


Benchmarking India’s Payment Systems; dated June 4, 2019. Available at: https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=923#ANE

2 India had 46.1M credit cards, 944.5M debit cards in February 2019; dated April 22, 2019. Available at: https://www.medianama.com/2019/04/223-india-had-46-1m-credit-cards-944-5m-debit-cards-in-february-2019/

3 Payment companies seek better MDR deal; dated August 13, 2019. Available at: https://economictimes.indiatimes.com/industry/banking/finance/payment-companies-seek-better-mdr-deal/articleshow/70652136.cms

4 Directive on Processing of e-mandate on cards for recurring transactions; dated August 21,2019. Available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0

5 Vide Notification RBI/2014-15/190 dated August 22, 2014; “Security Issues and Risk Mitigation measures related to Card Not Present (CNP) transactions”; available at: https://rbi.org.in/scripts/NotificationUser.aspx?Id=9183&Mode=0

6 Vide Notification RBI/2016-17/172 dated December 6, 2016; “Card Not Present transactions – Relaxation in Additional Factor of Authentication for payments up to ₹ 2000/- for card network provided authentication solutions”; available at: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10766&Mode=0. Our write up on this notification is available here.

7 Paragraph 2.3 of the PPI Direction defines ‘prepaid instrument’ as payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments.

8 Paragraph 15.3(c) provides that “Issuers shall introduce a system where every successive payment transactions in wallet is authenticated by explicit customer consent.”

9 Available at: https://www.rbi.org.in/ScriptS/BS_ViewMasDirections.aspx?id=11142

10 RBI Approves E-Mandates For Internet Banking, Debit Cards; dated April 26, 2019. Available at: https://inc42.com/buzz/rbi-e-mandates-internet-banking-debit-cards/

11 Such as B2B collections, investment and insurance products and utility payments, government payments, trade receivables, loan repayments, asset rentals and collection of education / society charges

12 Reference: https://www.kotak.com/content/dam/Kotak/about-us/media-press-releases/2019/media-release-kotak-mandate-22042019.pdf

13 Video OTT market in India to be among global top 10 by 2020touch $823 mn: Study; dated May 9, 2019. Available at: https://economictimes.indiatimes.com/industry/media/entertainment/video-ott-market-in-india-to-be-among-global-top-10-by-2020-touch-823-mn-study/articleshow/69251689.cms?from=mdr


Disclaimer

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender's contact information, which this mail does. In case this mail doesn't concern you, please unsubscribe from mailing list.