Two key Reserve Bank of India (RBI) guidelines with looming deadlines have startups and fintechs worried: one prohibits payment aggregators from storing customer card details, and the other adds friction to the structure of recurring payments.
Startups and fintechs believe both guidelines may increase their compliance burden and significantly worsen the user experience on their platforms.
In March 2020, the RBI released guidelines for payment aggregators and payment gateways (PA/PG Guidelines), which also said that only non-banking payment aggregators approved by the central bank could offer payment services to merchants. The deadline to comply with these guidelines is December 31, 2021.
Another RBI guideline, which will kick in after September 30, adds an additional authentication layer for recurring payments. It is expected to disrupt firms that offer subscription-based services, which fear that this added level of friction may result in some customers dropping out.
While the RBI’s motive to implement these guidelines was to improve the security of online transactions amid increasing cybersecurity risks, industry executives believe they have some unintended consequences.
Smaller e-commerce companies at a disadvantage
Large companies that have a payments component on their platforms, including the likes of Amazon, PhonePe, Zomato, and CRED, have applied for a payment aggregator license with the RBI in order to have a greater level of control over payments taking place on their platforms, said sources aware of the development.
Zomato’s plans to become a payment aggregator were revealed when the company went public. PhonePe confirmed to Entrackr that it will be applying for the license. CRED declined to comment and Amazon did not respond to queries until publication.
However, newer fintech entrants may be left out. “It’s easy for a Zomato or an Amazon to apply for this license, but it is obviously a natural deterrent for a small company. It is a pro-incumbent regulation,” an industry executive from a fintech firm told Entrackr on condition of anonymity.
The fintech industry also believes that the PA/PG guidelines are skewed specifically against companies that manage customers’ cards but place no restriction on the UPI infrastructure.
“In the guidelines, you don’t find a reference to UPI at all. The entire regulation is imposed on credit cards. What is the fundamental difference between a UPI ID and the card number? Nothing. In fact a card number has more security features because of expiry date, CVV etc. From a systemic perspective, a card number is more secure by design,” a payments industry analyst said.
“The RBI inserted this other clause in the PA/PG guidelines that you can’t save card numbers but that doesn’t apply to the UPI ID. Due to that, e-commerce companies that rely on saving customers’ card numbers for a smoother experience are at a natural disadvantage,” an executive from an e-commerce company said.
The standards of security are also not the same for all payment instruments, two people from the fintech industry pointed out.
“The entire security rules in the PA/PG guidelines apply only to credit cards. However, a big reason why UPI has grown so exponentially is because it doesn’t require any security from the merchant side, just show a QR code and take the money. But the guidelines don’t address that,” one of these people said.
Increased compliance for Indian merchants
Since last year, the industry has repeatedly told the RBI that its guidelines are restricting cards, in fact, to a point where they actually put Indian merchants at a disadvantage.
“The regulation is on Indian merchants and processors. If you have an HDFC Bank card, you can store that on a service like AliExpress and there will be no problem. But you can’t store the same card details on a service like Zomato,” one of the sources said.
The RBI’s workaround for the restriction on storing card details has not been met with much fanfare. The central bank proposed the idea of using ‘tokenisation’, where a merchant can replace a customer’s card details with an alternative code.
“Tokenisation has a very limited practical use case and it could lead to a very bad user experience,” said Sandeep Srinivasa, founder and COO of fintech firm RedCarpet.
The future of subscription services
The restriction on storing card numbers and the added friction of seeking authorisation for initiating a recurring payment are expected to be a deterrent for subscription-based services, industry experts pointed out.
“The problem is that no card network in the world is structured to do that,” the first industry executive said. “What will happen is that in the short term at least, companies will stop the facility of automatic recurring payments altogether. Customers will have to pay each month separately and that could result in a breakdown in the customer experience.”