“Dear customer, From Oct. 1, 2021, as per the RBI guidelines on e-mandate on cards, we will decline non compliant recurring transaction at merchant web/app on your bank credit/debit card.”
Have you received such a message from your bank? If you haven’t yet, you soon will.
For auto debits from credit cards, debit cards and UPI, you will have to complete an Additional Factor of Authentication starting Oct. 1. For subsequent transactions, you will receive a message with details of the impending debit at least 24 hours before the transaction, and another one after the transaction takes place.
The deadline for this additional layer of safety, which was set to lapse on March 31 this year, was extended till Sept. 30, 2021, because banks and retail platforms were not prepared to implement it despite being given nearly two years of lead time.
While extending the deadline, the Reserve Bank of India left the industry with stern words.
“The progress of onboarding existing as well as new mandates of customers as per the framework is not satisfactory,” the central bank had stated on March 31. “Any further delay in ensuring complete adherence to the framework beyond the extended timeline will attract stringent supervisory action,” the central bank notification had said.
As such, it is unlikely that there will be another extension, said Mihir Gandhi, partner, leader-payments transformation, PwC.
A few banks are already fairly comfortable with the change, said Gandhi.
Technology will have to be configured to enable an additional factor of authentication at the time of initial mandate set-up and validation of that for every subsequent mandate transaction, he said.
Fali Hodiwalla, partner, financial services at EY, said that the larger private banks have been working on integrating technology enhancements necessary to comply with the RBI deadline. This readiness has also been enabled through centralized platform initiatives by a couple of large aggregators.
For transactions below Rs 5,000, a customer will have to complete a one-time additional factor authentication, Gandhi explained. Once the mandate is set up and authenticated, from the next time onwards, they will receive prior intimation at least 24 hours in advance so that a customer can opt out if they choose to.
For any transaction that is over Rs 5,000, there is now a need for an OTP for every transaction.
For UPI, the mandate is simpler. The customer can download an API and enable recurring payments, said Gandhi.
The country’s two largest private banks appear to be prepared.
“A common industry-wide platform has been developed, and HDFC Bank Ltd. has completed its internal development and integration,” said the largest private lender in FAQs posted on their website. “We are now working jointly with merchants to make it live for customers at the earliest.”
Until the common platform is live, the HDFC Bank portal provides two interim solutions to make payments:
You can make the payment on the merchant website or app by card and authenticate the transaction via OTP.
You can use the net banking portal to register your utility bills for auto payments via the bank’s BillPay service.
An official at ICICI Bank Ltd., speaking on condition of anonymity, said that 24 hours before any auto debit above Rs 5,000 kicks in, the lender will send a link to the customer asking them to separately approve a transaction so it does not fail.
There will be some adjustment period, but customers will get used to this process, or link the auto debit to their bank account, this official said.
This is not the first time the Reserve Bank of India has faced pushback on its attempt to make online payments more secure. A similar delay in implementation was faced when the regulator tried to prevent online merchants from saving credit card details. This is now being done via tokenisation.
Security is important; it can’t be ignored for the sake of convenience, Gandhi said.
While some friction is inevitable, educating and creating customer awareness helps smoothen the transaction, Gandhi said.
Teething issues are a given, said Kumar Rajagopalan, CEO of the Retailers Association of India. Customers still get themselves into knots every time such notifications come into effect, until service providers come up with faster alternatives, he said.
For merchants affected, it will take a few months for business to go back to normal, according to Rajagopalan. Customers may not enable auto debits and for businesses, money may not come on time, he said.
“There is an unsaid rule in retail. Whatever you create has to be done keeping a customer in mind,” he said. Such notifications always look more simple than they actually are, he added.