How to fix recurring payments under new RBI auto-debit norms

In the fourth season of the American sitcom Friends, Chandler wants to quit his gym membership. The gym staff plays all antics to not let him quit. Every month his bank account gets debited by $50. He even visits the bank to close his bank account, but to no avail.

We all have such stories—unwanted auto-debits happening each month that we just can’t close. Such auto-debits could not have stopped at the bank’s level. Only merchants, (in the case of Chandler the gym staff) could have closed it.

Not any longer. The Reserve Bank of India (RBI) has extended power in your hands to start, stop or modify such auto-debits. The big advantage of the latest RBI guidelines on recurring payments via credit or debit cards that got implemented on October 1 is that you don’t have to approach merchants. No denying that it has led to disruption in the payments space, but just for how long unregulated merchants could have had their own way!

“Cancelling or modifying a merchant mandate was a tough call. As a customer, you had no power. Even card issuers had no power. If the merchant does not close your subscription, auto-debits would have gone on forever. Under the new regulations, you can fix the amount and duration of the mandate. You may modify it whenever you want,” says Raman Khanduja, Co-Founder and CEO, Mintoak, the merchant payment app.

The new framework

Not all online payments require you to provide an OTP, especially when payments are recurring. The RBI has now made Additional Factor Authentication (OTP verification) mandatory for bill payments higher than ₹5,000. But even if your payment is less than ₹5,000, one-time additional factor authentication (AFA) has to happen when opting for auto-debits. So, if your monthly payment to, say, Netflix has not happened this month, you only have to re-register yourself for auto-debits. Netflix will do your AFA while registering. Future Bill Payments to Netflix up to ₹4,999 per transaction, can be processed without AFA.

For payments equal to or greater than ₹5,000, you will receive communication before due date on registered contact details with a link to approve/decline the transactions. Once approved, amount will be debited from the credit or debit card on the due date. In case of no response, the transaction will be declined.

This gives you power. If Chandler wants to discontinue his membership, he only has to decline the transaction when the bank alerts him about the next recurring payment.

“According to the RBI Annual Report 2019-20, the number of registered frauds (cards and net-banking) have been increasing at a CAGR of 14% while value of frauds has increased at a CAGR of 34% in the last three years. This is of serious concern. Merchants/Billers are storing card details in India in the name of providing single click convenience and auto pay facility for their recurring/subscription payments. The latest RBI regulations for recurring payments will curb such frauds,” says Digital Payment Strategist Ram Rastogi.

The guidelines put the responsibility on the card issuer banks to track recurring mandates and give flexibility to users to stop or modify such mandates.

What should you do now?

If your card-linked utility payments or insurance premiums are affected, you should contact your card issuing banks. HDFC Bank, ICICI Bank, Axis Bank or YES Bank, etc have created industry-wide platforms such as SI Hub, UPI AUTOPAY and Mandate HQ in collaboration with BillDesk, UPI-PhonePe and Razorpay, respectively.

These banks have sent detailed emails on how to generate merchant standing instructions to initiate recurring payments via net banking. One can look and manage all recurring payments in one place now. In the case of UPI AUTO-PAY, any UPI-enabled application would have a ‘Mandate’ section, through which customers can create, modify, pause as well as revoke auto-debit mandate.

Just the beginning

The only limitation now is that not all merchants will have joined the platform. If the merchant in question is not on the platform yet, you will have to make the payment directly to the merchant by visiting its website. It will have to do the additional factor authentication or it will provide you with an alternate payment option.

“Such industry-wide platforms have recently gone live. I don’t think the full list of merchants are yet registered, but on the issuer side most large banks are part of it now,” says Aman Ahuja, vice president, business solutions, India and global markets, Wibmo.

What about international payments? “In case of international merchants, either they become part of such platforms or there are international payment gateways to execute such payments,” says Rastogi.

Is it demonetisation of subscriptions?

Far from it. The banks had been given ample time to create a system to implement the guidelines. Most banks have created that system. Smaller banks are yet to move in that direction. The first time these guidelines were issued was in August 2019 stipulating a deadline of December 2020. The deadline was extended to March 2021 and later to September 2021.

Businesses that run on subscription models have seen cash flow declining this month. All they have to do is become part of the industry-wide system and sensitise subscribers about finding a way around this temporary disruption.

The new framework opens an opportunity for banks and acquirers to get more people on board to make digital payments. “World Bank reports show the lower-middle-income category in India pays an average of 42 utility bills a year, of which only three are paid digitally. The aspirational middle-market demands a simplified experience without compromising on security. If industry players educate them to get registered on such platforms offering cashback et al, more utility payments can happen digitally. There are 480 million households in India. It is a huge digital onboarding opportunity,” says Rastogi.

Card tokenisation from Jan 1

The RBI has taken the next step in card security, that is, card tokenisation. It is a process in which card issuers or payment networks will have to substitute sensitive customer data such as card numbers and CVV with an encrypted token. Card tokenisation will become mandatory from January 1. Any previously stored data (card-on-file) by merchants will have to be erased. Only banks and payment networks will be authorised to store card details.

Customers need not worry about its implementation. The security of a financial transaction will now be close to 10 on a scale of 1-10. If platforms such as Amazon or Flipkart get hacked, customer data will not get compromised because instead of card credentials, merchants will only have tokens stored with them.