By: Probal Bose
The Reserve Bank of India (RBI) issued new Master Directions on the Issuance and Operation of Prepaid Payment Instruments (Directions) last month, to rationalise the existing operational guidelines for Prepaid Payment Instruments (PPIs). (Read our earlier article on PPIs here). The Directions are based on various stakeholder recommendations received by the RBI on the proposed draft guidelines issued in March, 2017 and seek to encourage competition and innovation and strengthen the safety and security of operations, besides improving customer grievance redressal mechanisms for PPIs.
While the Directions are a directed effort by the RBI to promote the digital economy, the main focus is towards ensuring the security of wallet based transactions and a regulated mobile wallet industry. With the ever-increasing number of data security breaches across the globe in the last couple of years, such a stance of the RBI has been on anticipated lines. However, the Directions have also introduced certain entry barriers for new entrants to the wallet space.
We take a look at some of the key provisions in the Directions below:
Capital Requirements: Under the previous framework, an entity applying for a PPI license was required to have a minimum paid up capital of INR 5 crores and a minimum positive net-worth of INR 1 crore. While there are no specific paid-up capital requirements under the Directions, the net-worth requirement has now been revised to INR 5 crores at the time of applying for a license, which further has to be increased to INR 15 crores within three financial years. Clearly, the RBI has paid heed to the stakeholder responses to the proposed draft guidelines issued earlier this year where the proposed capital requirement for all PPI issuers applying for licenses (being a net-worth requirement of INR 25 crores) was criticised as being arbitrary and irrational. However, the five-fold increase in the net-worth requirement can still be a major entry barrier, though the RBI’s view is more in line with ensuring a stable wallet market and mitigating the chances of failure of the market participants due to their larger size.
Security, Fraud Prevention and Risk Management Framework: The Directions provide an exhaustive list of minimum security requirements and a risk management framework for all PPI issuers. While measures such as giving customers the option to set a maximum cap on the number of transactions and a system of SMS alerts for all activities undertaken by a PPI are essential, keeping in mind the increasing cases of hacking and data breach, the need for full KYC and additional factor authentication may at best turn out to be a duplication of efforts and perhaps, unnecessary.
Communication for change in management: Under the Directions, the PPI issuers are required to communicate to the RBI about any takeover or acquisition of control or change in management of non-bank entities issuing PPIs whereby the RBI has the power to impose restrictions on the PPI if it does not deem that the new management is ‘fit and proper’. This can be construed as an attempt by the RBI to exercise a level of control in the functioning and management of PPIs.
Compulsory KYC: While moving to a Full KYC regime for wallets was on expected lines, whether such a requirement was indeed necessary is not entirely clear. Wallets, so far as they operate in India, are all run through mobile phones and therefore, the fact that it is registered with a valid mobile number implies that KYC requirements are already met by the user. Moreover, e-KYC is only possible for Aadhaar card holders and therefore, there is an added cost for PPI issuers to send personnel to such users who do not have an Aadhaar, to perform an in-person KYC check. Therefore, this may not only be duplication of work, it may well be required to be done by PPI issuers at an extra, albeit unnecessary, cost.
Additional Factor Authentication (AFA): While the proposed draft regulations provided for 2FA for all PPI transactions, the Directions provide that “Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards”. As PPI cards (physical or virtual) do not have similar functionalities as that of a credit/debit card, the AFA requirement for all such PPI cards remains unclear. Alternatively, an AFA may have been introduced for transactions involving amounts beyond a prescribed limit.
Interoperability: One of the most positive changes under the Directions is the prospect of interoperability of wallets. The Directions not only contemplate allowing interoperability of PPIs with other PPIs, where money can be transferred from one PPI to another, but PPIs will now be allowed to interoperate with banks as well.
There has been a long-standing demand for interoperability from industry players, as it allows more flexibility to the mobile wallet businesses. For example, if you are using a wallet (A) but the vendor’s website only gives you the option for wallet B, you can now directly transfer money from wallet A to B. The specific guidelines with regard to interoperability will be issued by the RBI at a later date.
While the new Directions are in line with the RBI’s vision for a “less-cash India”, some aspects tend to be overarching as highlighted above. We will have to wait and watch whether these new Directions are effective enough to allow PPI issuers to survive their more functional competing systems like the UPI and IMPS or if over-regulation dampens the independent mobile wallet business.