September 30 new deadline to implement rules for recurring online payments

The Reserve Bank of India (RBI) on Wednesday extended the timeline for the implementation of the new rules for banks and payment system operators for recurring online transactions to September 30. 

The framework for the same was first issued in August 2019, applicable to cards and wallets. It then got extended to Unified Payments Interface (UPI) transactions in January last year. 

The regulator’s decision came in the wake of requests from the Indian Banks’ Association (IBA) for an extension to previous deadline of March 31, 2021. This will enable banks to complete the migration process while ensuring customer convenience. 

“The delay in implementation by some stakeholders has given rise to a situation of possible large-scale customer inconvenience and default. To prevent any inconvenience to the customers, Reserve Bank has decided to extend the timeline for the stakeholders to migrate to the framework by six months, i.e., till September 30, 2021,” the regulator stated in a note. 

The earlier deadline of March 31, 2021 was advised in December 2020. Given the delay in implementing the framework, the regulator added in today’s statement, “Any further delay in ensuring complete adherence to the framework beyond the extended timeline will attract stringent supervisory action. A circular advising the above is being issued by the Reserve Bank today.” 

The framework is being seen as a possible large-scale disruption to the digital payments ecosystem impacting banks, credit card networks and several other online businesses using recurring payment systems for services such as OTT streaming services, utility bills and even telecom services. 

Some of the new rules under the framework include a stricter two-step authentication process of recurring transactions on debit and credit card, which would earlier be automatically debited from the customers’ account. For payments above Rs 5,000, banks are expected to send a one-time-password (OTP) for approval before deducting payments from accounts. Moreover, the banks are expected to notify customers five days in advance before a recurring payment date is due.  

Though, the process has been made complex at the back end for the financial institutions, the RBI stands by its need to ensure and improve customer safety from cyber security threats, fraudulent transactions and overall experience, following a series of data breaches in several popular internet and payments companies lately. 

“The requirement of Additional Factor of Authentication (AFA) has made digital payments in India safe and secure. In the interest of customer convenience and safety in use of recurring online payments, the framework mandated use of AFA during registration and first transaction (with relaxation for subsequent transactions up to a limit of ₹2,000, since enhanced to ₹5,000), as well as pre-transaction notification, facility to withdraw the mandate, etc. The primary objective of the framework was to protect customers from fraudulent transactions and enhance customer convenience,” the RBI said in its statement. 

Most, recently MobiKwik was in a spot after facing data breach complaints, although the company denied the charges. Prior to this, in January, mobile payments and checkout solutions provider JusPay was hit by a similar data breach issue. In November last year, BigBasket and Chqbook were caught up in a similar situation wherein their customer data was allegedly leaked on the dark web.