RBI-mandated Additional Factor Authentication rules take effect from October 1, 2021
What will change?
Starting Friday, October 1, 2021, standing instructions that you may have left with your payments provider for certain recurring electronic payments may not be carried out without some additional steps.
Also read: Explained | Is RBI planning a digital currency for India?
To which kind of transactions do these rules apply?
For all recurring digital payments above ₹5,000 made via debit cards, credit cards, prepaid payment instruments – including wallets – and the Unified Payments Interface (UPI) facility, additional factor authentication rules kick in. For example, these apply to recurring digital payments made for services such as mobile phone recharge, utility payments and dues to OTT (Over The Top) providers like Netflix and Disney Hotstar.
What to expect from your provider?
This means that your provider would send you an alert – either in the form of an email or an SMS – at least 24 hours prior to the transaction about the imminent transaction. A one-time password (OTP) would be sent to the user to help authenticate the transaction. In other words, without the consumer’s approval, no funds would be debited from his or her account.
The rules apply to existing standing instructions left by the consumer with the payments provider as well as for new transactions.
What options does the consumer have when registering for e-mandates?
The consumer has the option of providing a validity period of the e-mandate. The facility to modify the validity period of the e-mandate at a later stage, if required, shall also have to be provided for, the central bank has said.
According to the RBI circular issued in August 2019, the pre-transaction notification to the user shall, at the minimum, inform him / her about the name of the merchant, transaction amount, date and time of debit, reference number of transaction and the reason for the debit, i.e., e-mandate registered by the consumer. In addition, he or she ought to have the option of changing the mode of receiving pre-transaction notification, ie via email or SMS.
The circular states: “On receipt of the pre-transaction notification, the cardholder shall have the facility to opt out of that particular transaction or the e-mandate. Any such opt-out shall entail AFA validation by the issuer. On receipt of intimation of such an opt-out, the issuer shall ensure that the particular transaction is not effected / further recurring transactions are not effected (as the case may be). A confirmation intimation to this effect shall be sent to the cardholder.”
The e-mandate arrangement shall apply only to recurring transactions and not for ‘once-only’ payments.
The user will also have the option to provide the e-mandate for either a pre-specified fixed value of recurring transaction or for a variable value of the recurring transaction.
What is the background to the development?
The Reserve Bank of India (RBI) had mandated in August 2019 that all banks, non-banking financial companies and payment gateways offering digital payments via recurring transactions – domestic or international – on cards and prepaid payment instruments would be allowed to continue the service only if they were compliant under the Additional Factor Authentication (AFA) rules. The limit up to which these transactions could go through without the AFA was ₹2,000, later revised to ₹5,000. This, it said was to protect the security interests of the paying consumer.
In January 2020, this mandate was extended to such payment made using the Unified Payments Interface (UPI).
The Reserve Bank has said that the rules mandating the AFA had made digital payments safe and secure. With the additional layer of security, the system aims to protect the consumer against fraudulent transactions. However, citing lack of readiness of payments providers, the central bank had extended the deadline several times, with the latest postponement pushing it from March 31 to September 30.
In its circular in March, it had said, “It is, however, noted that the framework has not been fully implemented even after the extended timeline. This non-compliance is noted with serious concern and will be dealt with separately. The delay in implementation by some stakeholders has given rise to a situation of possible large-scale customer inconvenience and default. To prevent any inconvenience to the customers, Reserve Bank has decided to extend the timeline for the stakeholders to migrate to the framework by six months, i.e., till September 30, 2021. Any further delay in ensuring complete adherence to the framework beyond the extended timeline will attract stringent supervisory action.”
Over the past few days, payments providers have been sending messages to their customers on the new rules. In its message, Citibank, for instance, said: “Please note that from October 1, RBI guidelines on recurring payments will come into effect…. As a result, we will process only those recurring payments (standing instructions) on your credit or debit cards that meet the new guidelines. You can either pay directly using your cards or set up a fresh recurring instruction at the merchant app/website as per the new guidelines.”
For all the latest business News Click Here
