Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses
Over the last 10 years, the amount of loss suffered by Indians due to credit and debit card frauds is roughly Rs 615 crore. And, more than 1.17 lakh cases of credit and debit card frauds have been registered in India between April 2009 to September 2019. However, the actual number could be much higher. To reduce fraud and help tighten security systems, the Reserve Bank of India issued a notification in March 2020, barring all merchants and payment aggregators from storing customer card information with effect from 1st January 2022. Further clarifications also mentioned that any such data stored previously should be purged. But, while the notification was first issued in March 2020, a viable alternative to card storage - Card on File Tokenization - was only permitted a couple of months ago. As a result, the impending implementation of the regulation is causing anguish among the merchant and consumer community due to the short timelines that have been set by the regulator.
In this context, The Quantum Hub (TQH), in association with Your Story, hosted a webinar on the ‘Future of Payments: Ecosystem readiness for no-card-storage norms’.
The discussion featured Dr. Aruna Sharma (Former Member, Digitisation Committee, RBI & Former Secretary, Ministry of Electronics & IT), Mr. Sijo Kuruvilla George (Executive Director, Alliance of Digital India Foundation), Mr. Vishal Mehta (Lead, Payments at Microsoft & Chairperson, Governing Council, Merchants Payments Alliance of India) and Ms. Gowree Gokhale (Partner, Nishith Desai Associates) as speakers who discussed RBI's new digital payment guidelines, its impact on the fintech ecosystem and implications for customers.
The challenges in implementing the guidelines
To implement the guidelines that the RBI has set a deadline for, merchants and other payment stakeholders need to make changes to tech systems and workflows. At the same time, the transition needs to be seamless as the chance of major disruptions is quite high if the shift is a hurried one.
What the RBI is proposing is a well-intentioned move and, as Dr Aruna stated, the aim is to increase data security and minimise the risk of data breaches at the merchant or the payment aggregator’s end. However, it is a significant deviation from current standard operating procedure for digital payments transactions and may need a major overhaul of existing tech systems.
Challenges faced by Merchants
While the panellists agreed that tokenisation is a better security measure, their key concern was the lack of readiness to implement tokenization based solutions amongst the various players in the payments ecosystem.
“Banks are the first to set the entire system in place, which will be followed by the intermediaries that are the payment systems and then merchants. So if the banks are going to take six to eight months, the merchants will take additional six months to be prepared for the change,” Dr. Aruna added.
Meanwhile, Sijo George stated that right from technology integration to re-onboarding existing customers again, the timeline provided by the apex bank to implement the changes is extremely short. Considering that the country is still grappling with the aftermath of COVID-19 and the disruptions caused due to ecosystem unpreparedness by the implementation of the e-mandate regulation in October this year, enforcement of no-card-storage rules may not be the best decision at this time. The implementation of these new regulations without systemic readiness for tokenization could further result in 30% to 40% losses in revenues for small enterprises; something that could put many of them out of business.
He went on to say that recurring transactions have never been an easy process for entities operating out of India. “Most SaaS companies consider recurring payments as the backbone of how they build their businesses. Not being able to offer recurring payments in a seamless fashion has already been the reason why some of these companies have decided to redomicile in alternate geographies across the world. The hasty application of the new regulations is likely to exacerbate this situation,” shared Sijo.
For any new set of guidelines to be implemented successfully, there needs to be an assurance from the regulator or the government that there will be continuity of business with minimum disruptions. This requires ecosystem preparedness with wholehearted compliance across various entities in the payments chain. The panellists also said that implementing tokenization is not something that can be controlled with an on/off switch, and the deadline set by the RBI seems unrealistic when one considers all the hindrances that merchants may encounter, and the state of readiness of the current ecosystem.
Agreeing with the point made by Dr. Aruna, Gowree Gokhale added, “With rushed implementation, there will be problems in the long term. These rules have only been made from the side of the merchants and not the banks and there are no incentives for the banks to implement tokenization.”
Vishal Mehta spoke about how the issuer is the king in the entire payments chain as they are the ones who have the power to decline or approve the transactions. “The RBI needs to consider merchants as part of the ecosystem. The apex bank should understand that there are going to be staggered timelines and sequential implementations. In an ideal scenario, they should provide graduated timelines and monitor the implementation rather than just give businesses a timeline and then ask them to comply with them.”
The panellists observed that many payment companies in India have slowly started offering solutions to help merchants speed up tokenization of card payments. But most of these solutions are at the token ‘provisioning’ stage, and there is still a long way to go before processing, scaling or enabling the system for special use cases such as EMIs, promotions etc. can be implemented.
The discussion ended with the panel putting forward some key recommendations for the RBI to enable a smooth transition to the new system. In particular, the panellists said that the RBI should prioritize compliance for banks and card networks by setting interim deadlines, while doing a phased implementation of the shift to the new system. They also suggested that the RBI create a project management unit to closely monitor, facilitate and incentivise all players in the ecosystem to implement the transition.
At this time though, the worry is that if all players are not able to meet their deadline to get the ecosystem ready, the digital payments system may come to a standstill on 1st Jan 2022.