The Reserve Bank of India (RBI) has extended the timeline for processing recurring online transactions from March 31, 2021 (today) to September 30, 2021. This development comes after several banks and payment gateways had sought additional time to comply with the central banks directive on automatic recurring payments.
RBI, in its recently released notification, said that it decided to extend the timeline for the stakeholders to prevent any inconvenience to the customers. However, any further delay in “ensuring complete adherence to the framework beyond the extended timeline will attract stringent supervisory action,” the central bank said.
Under the new rules, the RBI wants to incorporate an additional factor authentication (AFA) for recurring payments through payments card. Standing instructions (SI) registered on credit or debit cards for services such as Netflix, Amazon Prime, Disney+ Hotstar as well as a host of other online services such as billers and insurance providers, among other things will get deactivated as the new rules kick in.
The banks will need to send out a notification to the customers, five days before a recurring payment is slated, and allow the debt to go through only after the customer agrees to the transaction. For auto-debit payments of over INR 5,000, banks will even need to send a one-time password (OTP) to the customer.
Though RBI was all set to invoke the guidelines from April 2021 onwards, many banks and financial institutions did not have the technological capabilities to implement. According to a previous Inc42 report, customers who’ve in the past seen their monthly payments go through based on e-mandates on their credit or debit cards would now have to visit the web platforms of each of the services separately and make the payments since the banks did not have backend support.
RBI Tightens Payments, Customer Data Storage Norms
The new rules for e-mandates come as part of widespread changes in digital payments, mandated in RBI’s new guidelines for payment aggregators (PAs) and payment gateways (PGs). The new guidelines disallow these payments players from storing customers’ card details with them in order to curb the increased instances of hacks and data leaks affecting customers.
Besides this, the central bank has tightened its supervision norms over payments companies storing customer data. All the payment system operators (PSOs) will now have to submit detailed “compliance certificates” to the central bank twice a year from April 1, 2021, onwards. The documents have to be signed by their chief executive officer (CEOs) or managing directors (MDs), confirming the adherence to all the RBI regulations around security and storage of payment data.
The RBI has also prohibited merchants like Amazon, Microsoft, Netflix, Flipkart, Zomato and others to store customers’ credit card credentials “and related data” on their servers under the new payment aggregators and payment gateway (PA-PG) norms that come into effect this year. The guidelines also bar payment aggregators from storing customer card credentials within their database or the servers assessed by the merchants.