The seriousness of complying with the rules and regulations of the Reserve Bank of India (RBI) has been brought to the fore by recent revelations, as in the case of the taxi service provider Uber’s payment operations in India.
The notification that the RBI issued last week has made it clear that it is not only mandatory to follow the two-step additional authentication process for card not present (CNP) transactions, but also that linking such transactions to an overseas website or a payment gateway cannot form the basis for allowing relaxations in implementing the requirement prescribed for this category.
The RBI has clearly stated this time that for cards (issued by banks in India) that are used in CNP transactions towards payment of goods and services within the country, the money is to be routed through a bank in India and the transaction “should necessarily settle” only in INR.
The case in point
A first-time user of the taxi service, Uber, is required to book the service using a mobile application. The customer is required to punch in the credit card details only the first time, and this information is saved for subsequent usage. The transaction uses only a single-step payment process, that is, it does not ask for an OTP, etc.
In October 2009, the RBI had issued a circular that directed banks to implement additional security features for CNP transactions as follows:
- A system of providing for additional authentication or validation based on information not visible on the cards
- A system of ‘Online Alerts’ to the cardholder when the transaction value is Rs. 5,000/- and above
Since then, the RBI has also repeated its stance periodically through various circulars. Moreover, the RBI has also been clear in stating that the bank that is required to ensure this two-step verification process shall be penalized in the case of any customer complaints.
In the case of Uber, prima facie the process it has adopted flouts two regulations that are required by the RBI. First off, it has not followed the two-step authentication process. Second, the payment mode has resulted in foreign exchange outflow.
As a result, this violates not just the directives under the Payment and Settlement Systems Act but also sections under the Foreign Exchange Management Act. Thankfully, the RBI appears to have given a breather to companies that have existing arrangements to comply with its instructions.
For a lot of startup companies, it is time to take note of this, as in recent times there has been an increasing number of companies whose promoters are Indian but which choose to be incorporated in foreign territories and provide services in India. This is especially the case with information technology and related service companies. For the RBI, any movement of currency between countries invites the regulations under the Foreign Exchange Management Act.
No doubt Ajay Shah and Suyash Rai have made an interesting analysis of monetizing the time involved in payment of goods and services. As they note in their article, India appears to have graduated to the two-step authentication process from the single-step one in a rather chronological manner.
Of course, the scenario needn’t be as dire as shutting down Uber. The RBI could go back to the drawing board or Uber could simply adhere to the rules by October 31 this year.