Healing from the automatic payments wound
Many of you would have received multiple communications from your banks in September informing you that the automatic payments for your online subscriptions may be discontinued from October 1, 2021, and would need re-registration. This was because in 2019, the RBI introduced a regime to register online automatic payments. The system required banks not to permit recurring payments unless the e-mandates were registered under the new regime.
On the face of it, two years seems an adequate timeline for implementation of the new regime. The reality, though, is that, reportedly, over 70% of standing instructions failed on October 1, 2021, and many continue to fail. This is primarily because banks did not implement the requisite infrastructure on a timely basis, as they were not legally mandated to do so by the RBI. Those affected were consumers: their subscription payments were interrupted and many were not able to re-register under the new regime. That forced users to complete the payment procedure manually, leading to a reduced payment success rate and loss of revenues for merchants.
New conundrum to tackle on New Year’s day
Under a separate set of directives regulating payment aggregators, the RBI has prescribed that effective from January 1, 2022, neither payment aggregators nor online merchants can store customers’ card details and related data. In March this year, the RBI further clarified that merchants cannot store “payment data”, but did so without defining or clarifying the meaning of that term or the items of data included in its scope.
Tokenization the talk of the town
Storage restrictions will require users to fill in their card or other payment instrument details for every online transaction. Manual filling would affect payment latency rates, user experience, continuity of customer service and revenues of online merchants. Furthermore, auto-recurring payments would not be possible. This would disrupt online subscription services, irrespective of whether the services are for consumers’ personal enjoyment or earning a livelihood. Examples include domain registrations and web-hosting services.
To remedy this inconvenience, card-on-file (CoF) tokenization can be considered. This system entails generation of a unique token that is device-independent and consists of the details of the card, the token requestor and the merchant. This token can be used to make a transaction without sharing the details of the card, making the process safer. However, tokenization comes with its own set of challenges.
Patience is key to efficiency
Tokenization involves multiple stakeholders, including the merchant, token requestor, payment aggregator, token service provider, card network and banks and, in some cases, technology infrastructure or services providers. While the RBI imposed restrictions on data storage in March 2020, CoF tokenization was permitted only in September 2021. Stakeholders essentially have only three months to design, implement and test viable infrastructure, which isn’t remotely enough. One weak link will cripple the entire infrastructure.
Industry players say that even if banks are ready with their technology integrations, merchants would need at least six months to integrate their systems for CoF tokenization. This additional time is important for merchants to conduct necessary testing on the new infrastructure for robust system functionality, security and performance.
Additionally, certain operational challenges need to be ironed out.
One issue pertains to the requirement of purging existing data, which may make it difficult for merchants to initiate refunds, redress complaints and offer rewards or incentives to users who have not been able to register their payment instrument details via tokenization. The RBI should prescribe a transitional timeline for purging of card data to prevent service disruption for merchants as well as consumers.
Secondly, tokenization of users’ payment instruments (like credit cards) requires their consent and additional validation, and the same process is required for a replaced or renewed instrument. This appears onerous because a user who gets a new card would need to re-register it, though the new card has the same cardholder details as the old one and is linked to the same bank account and customer ID. The RBI should consider a relaxation in re-tokenizing renewed/replaced cards linked to the same user account.
Thirdly, the RBI has clarified that the last four digits of a card and the cardholder’s name can be stored for transaction tracking and reconciliation purposes. However, the first four or six digits that identify the bank (BIN) also have to be stored to identify the issuer. The RBI should permit BINs to be stored, at least for security, tracking and reconciliation purposes.
Fourthly, banks that have needed frequent nudges from the RBI and industry players should be mandated to implement the requisite infrastructure to enable tokenization.
The industry awaits much-needed clarifications from the RBI, and these can be issued in the form of FAQs for easy understanding.
Gowree Gokhale is Head-IP and TMT, Fintech; Huzefa Tavawalla is Head – Disruptive Technologies Practice & Fintech, and Aaron Kamath is Leader TMT and Fintech at Nishith Desai Associates.