Recurring payments on card to be disrupted from April 1, NPCI releases guidelines for UPI apps around 30% market cap, GST-registered entities to include dynamic QR codes in their invoices and more...

Vinay Kesari

General Counsel, Setu

Atulaa Krishnamurthy

Legal Manager, Setu


Welcome to MoneyRules, a fortnightly newsletter from Setu written by Atulaa Krishnamurthy and Vinay Kesari. Financial services is arguably the most regulated sector of every economy, which means that fintech companies looking to move fast and break things are likely to find themselves on a quick collision course with a powerful regulator. Let’s face it - regulatory changes can (and often do) make or break fintech products overnight, which means keeping on top of these changes is critical to your business. We aim to alert you to these changes, provide context, and demystify where necessary.

There’s a lot to unpack this fortnight: the NPCI’s standard operating procedure document for TPAPs exceeding the 30% market share cap, standing instruction transactions being in jeopardy owing to non-implementation of a 2019 RBI circular, and GST details soon to be incorporated within UPI QR codes. Let’s dive right in!

Major banks and networks to stop processing standing instructions on cards from 1st April following increased auth requirements

The TL;DR:

ET reports that major banks, including HDFC, Axis and ICICI, and card networks like MasterCard and American Express, will begin to decline all standing instruction payments on cards from October 1, 2021 (Updated to add: RBI has extended the compliance timeline by 6 months). This is for want of compliance with certain pre-conditions set out in a 2019 RBI circular.

The longer story:

2021 may prove to be rough for customers accustomed to making seamless payments online. We highlighted in a previous newsletter that payment service providers are expected to stop holding card details on file in July (Updated to add: The RBI has extended this to December 31, 2021). Prior to this, cardholders who have set up standing instructions to pay subscription fees and utility payments may soon find their transactions declined.

Back in August 2019, to increase security around card-not-present transactions, the RBI issued guidelines on processing recurring payments set up on cards (and later, via UPI) (“Guidelines”). In short, the Guidelines require banks, prepaid instrument issuers and card issuers to (a) send a pre-transaction notification to a customer prior to adding any charge or debit to their card, and (b) carry out an additional factor of authentication (AFA), such as an OTP, each time a recurring payment instruction of over ₹5000/- is scheduled. These notifications also need to enable customers to opt out of an upcoming payment.

In December 2020, the RBI stated that all such recurring transactions that do not comply with the Guidelines must be discontinued from April 1, 2021 (Updated to add: this is now October 1, 2021), and following the RBI’s refusal to extend this deadline, major banks and card issuers have been telling their customers as much. The RBI is not alone in issuing guidelines of this nature. The European Commission’s Second Payment Services Directive, or PSD2, placed similar additional auth requirements on entities processing recurring digital payments, albeit with exceptions for low-risk, low-value transactions, and for merchants ‘whitelisted’ by customers.

Allowing review before charging a card or debiting an account is undoubtedly customer-friendly, and aimed at reducing unauthorized transactions. Without a deadline extension, however, customers are surely on the road to inconvenience, paved with good intentions though it may be.

It’s important to note that eNACH mandates are presently not covered under the scope of these guidelines, and hence SIP transactions and insurance premiums will not be affected. Merchants presently collecting recurring payments by card will have to consider alternatives, such as sending their customers collection requests via payment apps, BBPS or UPI.

UPI apps like Google Pay and PhonePe to cease onboarding of new customers and notify existing ones if they exceed 30% cap

The TL;DR: Following its notification directing Third Party App Providers (“TPAPs”) to not exceed a 30% volume cap, the NPCI has issued a detailed SOP: it highlights how this market share will be calculated as well as the steps TPAPs need to take once they cross this threshold.

The longer story:

UPI presently facilitates transactions in excess of 2 billion a month, and NPCI expects this number to only rise exponentially. To reduce concentration risk with any one large player, the SOP proposes that each UPI app take steps to either moderate (i.e. reduce by 50%) or entirely restrict new customer onboarding once they have neared or reached the 30% transaction volume threshold. The NPCI also offers recommended notification language for apps to share with new customers to apprise them of why they cannot be onboarded (be sure to register this SMS template, TPAPs!):

Each UPI app’s total market share over a 3 month period is calculated as the ratio of total successful UPI transactions on the TPAP to the total volume of transactions in the UPI ecosystem, and apps will receive alerts when they cross a 25% threshold.

Existing players like Google Pay and PhonePe have until 31st December, 2022 to comply with the SOP in a phased manner, which the NPCI intends to monitor on a half yearly basis. Check out Medianama’s article on the subject for a more detailed overview of the SOP and consequences for UPI apps in case of non-compliance.

NBFCs go to court against the RBI’s current account guidelines

The TL;DR: In a circular last year, RBI instructed banks to stop opening current accounts for entities who have any debt exposure at all to the banking system. Livemint reports that 14 NBFCs have moved high courts across the country against these guidelines citing operational limitations in maintaining a single current account.

The longer story:

In order to curb diversion of funds by large borrowers, the RBI imposed controls on opening of current accounts by banks in August 2020. To ensure that a company’s banking activity is limited to accounts with its key lenders, the guidelines require banks to apply the below decision matrix:

To sum up, if a customer already has a cash credit/overdraft account with any bank, no current account can be opened (except if required under any specific law). If a customer does not have a CC/OD account already, a bank's ability to open a current account depends on the total credit facilities availed by the customer with other banks.

As a consequence, banks will need to monitor aggregate borrowings of customers, based on self-reporting or through CRILC and other Credit Information Companies. This will need diligence at the current account opening stage as well as on an ongoing basis, in case the customer crosses the 5 crore or 50 crore credit limits. As for the NBFCs challenging the notification in court, the challenge is having proper reconciliation done on a daily basis when funds are routed from their multiple branches to a single current account.

While courts have posted these hearings for later dates, fintechs offering current account products will need to bear the notification in mind.

GST details to form part of UPI QR codes

The TL;DR: Dilip Asbe, CEO of NPCI, announced that dynamic UPI QR codes would soon incorporate GST details, enabling display of GST amount separate from the transaction amount, and allowing businesses to avail of real-time discounting. On a related note, the Ministry of Finance issued clarifications to its 2020 notification mandating that large companies include such dynamic QR codes in their B2C invoices.

The longer story:

Starting from July 1, 2021, GST-registered entities with an aggregate turnover of over INR 500 crore in an FY are required to include dynamic QR codes on the invoices they issue to customers. If the QR is shared with the customer in a digital display, the B2C invoice generated following payment must cross-reference details of the transaction.

These QR codes need to contain details such as the GSTIN of the entity, its UPI ID, invoice value, GST amount with breakup, payee details, etc.

The purpose of these QR codes is to incentivize digital payments without the friction of the customer entering the invoice amount, and to promote ease of GST compliance among registered entities.

News that caught our attention this past fortnight:

In news relevant to fintechs harbouring SFB license aspirations, the RBI announced the formation of a Standing External Advisory Committee to screen Universal Bank and Small Finance Bank applications. This is also pertinent for entities such as Jio, given that RBI’s on-tap licensing guidelines for Universal Banks allow large industrial houses to hold up to 10% in an applicant company.

The Competition Commission of India has ordered an investigation into WhatsApp’s privacy policy update from earlier this year. This isn’t WhatsApp’s first rodeo: back in 2017, the CCI acknowledged WhatsApp’s dominant position, but held that there was no abuse of dominance because its policy of sharing data with Facebook contained an ‘opt-out’ provision. Its contents notwithstanding, the ‘take-it-or-leave-it’ nature of the 2021 policy might augur a different outcome this time around.

In crypto news, the Ministry of Corporate Affairs has directed companies to disclose their holdings in cryptocurrency, and include crypto-related transactions in their profit and loss statements starting from FY 2021-22, and Nandan Nilekani endorsed cryptocurrency as an asset class in a Clubhouse chat organized by the Indian Venture Capital Fund.

These are all our updates for the fortnight, folks! Both of us (Atulaa and Vinay) are on Twitter, so feel free to DM us with feedback and topics to include in the next edition. If you liked this, please share it with people interested in Indian fintech regulation!
