Dear RBI, don’t penalise consumers and merchants for non-compliance by other stakeholders

Economic Times, November 29, 2021

By Pradeep S. Mehta,

While the RBI must be lauded for its visionary stance of mandating CoFT in the interest of promoting safe and secure digital payments for consumers, there exist implementation challenges, which may bear unintended adverse consequences for consumers and merchants.

Digital transactions in India have risen manifold in the past few years. The Reserve Bank of India (RBI) had done well to convert challenges thrown by demonetisation and the pandemic, into opportunities for promoting digital payments. Estimates suggest that India’s online retail market will reach USD 350 billion by 2030 from USD 45-50 billion at present, which may contribute nearly 40 percent of the USD 800 billion consumer digital economy. However, lack of timely and proper implementation of the RBI’s recent circulars may derail such growth.

The circular on ‘Processing of e-mandate on cards for recurring transactions’ (recurring payments) came into effect on October 1, 2021. The RBI would have taken note that many stakeholders in the ecosystem were not ready by this deadline. Consequently, a significant number of e-mandates for recurring payments have failed since October, causing immense inconvenience to consumers and merchants.

A similar fate awaits them, viz-a-viz the circular on ‘Card Transactions: Permitting Card-on-File Tokenisation (CoFT) Services’ (tokenisation), in case of the likely delay in operationalising CoFT by stakeholders involved in the card-based digital payments value chain. This is also likely to adversely impact the government’s vision of a digital and cashless India.

Citing concerns over risks of card data being stolen or compromised or leaked, the tokenisation circular, dated September 7, 2021, read with the ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’, bars merchants from saving consumers’ card details, w.e.f. January 1, 2022, and instead mandates CoFT. Furthermore, the circular directs merchants to purge the card details currently saved with them by this date.

While the RBI must be lauded for its visionary stance of mandating CoFT in the interest of promoting safe and secure digital payments for consumers, there exist implementation challenges, which may bear unintended adverse consequences for consumers and merchants.

The circular does not fix a technical deadline for card issuers (banks) and card networks for operationalising CoFT. Rather, it fixes a functional deadline for merchants to stop saving card details, and also purge the card details already saved with them.

In effect, it leaves merchants, and their consumers at the mercy of banks and card networks to operationalize CoFT by the deadline, else merchants will not be able to process consumers card-based digital payments through pre-saved cards. Consequently, end consumers may be forced to re-enter their complete card details every time they want to make a digital transaction. Alternatively, they would have to migrate to other modes of payments. This is likely to cause significant inconvenience to end consumers, which may lead to higher distrust in the digital economy, and nudge them to move back to the cash economy.

Moreover, new-to-digital consumers, particularly number illiterate consumers, senior citizens and persons with disabilities, are likely to face additional difficulties in entering the complete card details for every transaction, thereby becoming susceptible to intermediary and third-party fraud. Consumers interacting with foreign merchants, such as freelancers, researchers, and consultants, may also experience additional challenges.

As the RBI would already be aware, operationalising CoFT is a sequential procedure. First card networks and banks need to independently get relevant systems in place internally, integrate with each other, and subsequently reach out to payment aggregators and payment gateways. Final integration with merchants happens last, post which the tokenisation solution undergoes testing, fixing, and improvements.

This process is likely to take time, especially in light of a lack of technical deadline for the first step itself, i.e., for banks and card networks. However, the RBI has effectively given less than four months to the entire digital payment’s ecosystem to operationalise CoFT.

While some card networks claim to be ready or have launched CoFT, the larger digital payments ecosystem may require more time to implement the same, which is likely to exceed the deadline of end December 2021.

We acknowledge that the RBI has argued that introduction of CoFT will improve card data security, and continue to offer consumers the same degree of convenience as now. However, this is perhaps based on the premise of timely and complete implementation of tokenisation, which does not seem to be the case.

As has been seen in the case of recurring payments, end consumers and merchants are likely to face the brunt of non-implementation by banks and others in the ecosystem. Notably, this was cautioned against in the previous open letter, available here.

Accordingly, noting the complex interplay of interdependencies in implementing tokenisaton, we urge the RBI to work closely with all stakeholders, to ensure a consumer-friendly digital experience, which is in sync with the RBI’s vision of ‘inclusive’ and ‘equitable’ development.

In this light, Consumer Unity & Trust Society (CUTS) recommends the RBI to first set a deadline for banks, card networks, as well as payment gateways and aggregators, for complete implementation of CoFT. The RBI may adopt a carrot and stick approach with such stakeholders, to ensure timely compliance. Working closely with them during this period will help to understand compliance related challenges being faced by them, and to take steps to reduce the same.

Once the RBI is satisfied with such successful implementation, it may provide a reasonable period of time, to merchants for implementing CoFT, and subsequently require them to purge the card details currently saved with them. It will be imperative for the RBI to have inclusive consultation with merchants with diverging systems, capacities, and capabilities, as well as other stakeholders, while fixing such reasonable time, in order to ensure that there is no disruption in card-based digital payments, unlike the case of failing recurring payments.

It needs to be reiterated that many of unintended adverse consequences discussed above, could have been or can be avoided and minimised by having pre-circular consultation with consumer groups and other stakeholders, with respect to recurring payments, as well as tokenisation. Adopting a scientific regulation making process, by conducting Cost-Benefit Analysis would also have helped in this regard.

CUTS is keen to work with RBI to this effect, and is currently undertaking a consumer survey to bring forth their perspective on card-based digital payments. We would be sharing its findings and corresponding recommendations with the RBI soon, which would help us to collectively ensure retention of consumers trust on card-based digital payments.

The author is Secretary-General, CUTS International. Sidharth Narayan, Policy Analyst, CUTS International, contributed to the article.


This news item can also be viewed at: