
RBI Extends Timeline on New Rules for Recurring Transactions and Card Storage

In a relief to banks and wallets, the Reserve Bank of India (RBI) on 31st March, 2021 extended the deadline to implement new rules for recurring transactions by six months, to 30th September, 2021. The RBI took this decision after several banks and payment gateways sought additional time to comply with its directive on automatic recurring payments.

In the recently released notification, the RBI said that “it decided to extend the timeline for the stakeholders to prevent any inconvenience to the customers. And, any further delay in ensuring complete adherence to the framework beyond extended timeline will attract stringent supervisory action.”

What Has Happened? And What Exactly Does the RBI Want?

The RBI has asked scheduled commercial banks, payment banks, small finance banks and card-issuing non-bank lenders to adopt more stringent security measures for digital payments.

In a separate set of master directions issued on its website, the banking regulator came up with prescriptive guidelines for digital payment security. These guidelines specify the security protocols to be adopted in the internet banking and mobile applications of the entities mentioned above, and in the cards issued by them. The RBI further said, “While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.” Through this new set of rules, the banking regulator wants to create a cyber-safe environment for digital payments.

Stricter Payments, Customer Data Storage Norms

Under the new rules, the RBI wants to incorporate an additional factor of authentication (AFA) for recurring payments made through payment cards. Standing instructions (SI) registered on credit or debit cards for services such as Netflix, Amazon Prime and Disney+ Hotstar, as well as a host of other online services such as billers and insurance providers, will get deactivated as the new rules kick in.

The banks will need to send a notification to the customer five days before a recurring payment is slated, and allow the debit to go through only after the customer agrees to the transaction. For auto-debit payments of over INR 5,000, banks will also need to send a one-time password (OTP) to the customer.

As for the data storage norms, the new rules for e-mandates come as part of widespread changes in digital payments mandated in the RBI’s new guidelines for payment aggregators (PAs) and payment gateways (PGs). The new guidelines disallow these payment players from storing customer card details, in order to tackle the increasing instances of data hacks and leaks.

The RBI has also prohibited merchants like Amazon, Microsoft, Netflix, Flipkart, Zomato and others from storing customers’ credit card details and related data on their servers under the new payment aggregator and payment gateway norms.



Pukhraj Biala

I am an undergraduate student at Symbiosis Law School, NOIDA, pursuing B.A.LL.B. I am a problem solver who believes in reaching a conclusion by weighing all the options and identifying the best possible one. I find Technology Laws quite fascinating and I continue to follow and learn the subject.
