An Update on MRC Advocacy in India

Merchant Risk Council
Jan 10, 2022
MRC News

*UPDATE*

New Year, New Deadline: Indian Financial Regulator Extends CoF Tokenization Implementation Deadline

We are pleased to inform readers that the Reserve Bank of India (RBI) has extended the upcoming card payment regulation compliance deadline, discussed below, by six months from 31 December 2021 to 30 June 2022.

According to the RBI, “In light of various representations received in this regard, the timeline for storing of CoF data is extended by six months, till June 30, 2022.”

The MRC has been engaging the RBI, merchant members, regulating bodies and other industry organizations in the country throughout 2021, advocating for an extension to the compliance deadline regarding the storing of card on file (CoF) data and tokenization requirements.

In addition to these discussions, the MRC facilitated a Merchant Round Table meeting with leading retail brands operating in India, also attended by RBI representatives. These efforts, along with a follow-up MRC webinar on the topic delivered by Microsoft and Google, helped inform the Regulator and pave the way for this decision.

For more detail regarding these regulations and the extensive efforts of the MRC to act as the voice of the merchant in APAC and beyond, continue reading below.


India’s Financial Regulator, the Reserve Bank of India (RBI), introduced new payments regulations which take effect this year. These include an e-mandate on recurring transactions, effective 30 September, and guidelines relating to Card on File which are required to be implemented by 31 December.

These new regulations were designed to provide consumer protection. However, eCommerce merchants operating in India have raised concerns about the deadlines for the new laws, specifically the lack of time available to make changes within the payments ecosystem to enable compliance. The concerns also focus on the challenge for impacted merchants to manage basic functions such as dispute resolution (chargebacks). If card details can no longer be held, transactions will be more difficult to identify.

With card issuers and acquirers being the regulated parties, it is a challenge for retailers to be heard, and for the real impact on consumers to be recognized. Generally, the issuer response in India has been to cease enabling recurring transactions. Rather than work together with merchants to reach a suitable outcome for issuers, merchants, and consumers, the answer was to just stop the transactions altogether.

Card issuers in the region also failed, within the given timelines, to notify their customers that they had ceased all recurring transactions. This means that consumers who are accustomed to subscriptions being automated now find they need to authorise every single transaction separately. This is a time-consuming and costly exercise for both the consumer and the merchant.

As with all such regulations, the payments industry welcomes any movement to help reduce payment fraud. These regulations are no different; however, the timelines provided for implementation were, and are, impossible for the payments ecosystem to meet.

With more time, the industry can make relevant changes and protect the customer experience.

The Guidelines for the storage of Cards on File were updated in September, with the RBI allowing the use of tokenization and the storage of tokens on file. This is all well and good, but it essentially told merchants that they had three months to change their internal data storage systems, as well as their interoperability with third party vendors and the industry partners required to make transactions work.

An impossible task, for any business.

The regulations require substantial logistical changes that could take years to properly execute even without the added burden of the COVID-19 pandemic restrictions.

The MRC has heard from organizations in India about the lack of preparedness in the region’s payments ecosystem for these regulations. The consumer impact is negative, and merchants are scrambling desperately to find a work-around.

The MRC has prioritized advocating for merchants on this topic and, to further that goal, invited merchants including Spotify, Google, Microsoft and Netflix to frankly discuss the challenges this regulation poses in a closed-door merchant round table discussion held on 23 November. Representatives from the RBI were present to hear the concerns raised and the asks of the industry.

The meeting was remarkably productive, and clearly illustrated the importance of industry-wide cooperation when adapting to the global regulatory landscape.

There were 42 participants, including representatives from merchants, card issuers, PSPs and retail associations, and four representatives from the Indian Financial Regulator (RBI). It was clear all participants want to collaborate to facilitate enablement across the ecosystem, but it was recognised that all stakeholders need to cooperate to reach a level, compliant playing field.

The importance of the regulated entities in India complying in a timely manner with the tokenization rules was noted (tokenization is an alternative to no card storage, and no card storage has a deadline of 31 December 2021). However, merchants will need more time (more than the 3 months’ notice provided from 7 September) to make the required technical updates, carry out testing scenarios, and work with 3rd party providers and network partners to ensure the changes made by all parties work together. Merchants can do all this only after card schemes, banks and payment processors have completed their technical developments, design, testing and fixing, and then provided merchants with the necessary stable-state clarifying documentation.

All merchants recognize the importance of the RBI’s vision for a digital India and wish to ensure a level of comfort and confidence for consumers, especially those new to eCommerce. Consumer education is very important. All parties wish to ensure consumers understand what is happening with their payments and there is no disruption to their engagement with subscription merchants from the New Year.

All stakeholders wish to avoid customer disruption. 

On the regulation deadlines, the group asked for two key timeline changes specifically: a first date to ensure compliance by RBI’s regulated entities, and the following 6 months to prepare the ecosystem for 100% readiness.

The next steps noted include the MRC writing to the RBI again with the concerns raised during the session and the genuine ask from merchants.

This meeting was an excellent example of how advocacy can increase communication and transparency for all stakeholders by facilitating constructive multi-lateral conversation.

In addition to this meeting, the MRC has organized a webinar scheduled for 1 December, featuring key merchants and relevant stakeholders further discussing this important topic.
