CIOInsider India Magazine

To this date, there are many who are still hesitant when making online payments for the first time, since most apps ask for the entry of bank card details, injecting the fear of possible online thefts. Since in most cases, the hacker or cybercriminal is as advanced as firms specializing in providing cybersecurity solutions. To eliminate that fear, certain e-commerce firms, fintech and tech giants have introduced an option called ‘Tokenization’, which just requires a code for each user rather than card details. The idea sounds safe, yet the only obstacle in the way is complying with the requirements of the Reserve Bank of India (RBI).

Fortunately, the RBI has sanctioned six months time, that is, until july 30, 2022, firms have to sign up under the regulatory’s demands and commands. However, since humans have a natural tendency to reason, certain voices have expressed concerns of added complexity over otherwise secure payment systems. Hence, it is important to know the kind of changes consumers will have to experience no sooner this new method of digital payment is initiated.

How Tokenization Impacts Consumers
rsIf online merchants are unable to apply the modifications at their backend, at least a million users who have kept their card details for online purchases could be impacted. Merchants, banks, card providers, and payment gateways have complained that there has not been enough time to implement the backend improvements needed to safeguard cards from fraud, as announced in September.

E-commerce platforms, internet service providers, and small businesses may be particularly vulnerable. The RBI now expects the systems to be ready for a flawless launch in six months, according to the latest extension.

Furthermore, on the Visa platform, 90 percent of institutions are ready for tokens, but Mastercard has yet to catch up. On July 14, this year, the RBI barred Mastercard from issuing any new cards for failing to comply with data localization standards. Even though the CoF is being converted to a tokenized number, the system is not ready to handle the tokens since merchants are not ready.

According to the Alliance of Digital India Foundation (ADIF), “if implemented in the present state of readiness, the new RBI mandate could cause major disruptions and loss of revenue, especially for merchants”.

How it Works
Customers may receive a notification from card service providers five days before to the payment deadline, according to the rules. Only once the customer has approved the payment will the debit be permitted.

Every user who signs up for auto payments will receive a five-day reminder with the merchant's name, amount, due date, and reference number, as well as a link to a page where you may inspect, alter, or cancel the payment.

Through the link, users will be able to opt out of the transaction or mandate. The transaction will not be completed if you choose to disregard the notification. This is only applicable to recurring payments of less than Rs 5,000.

The new rules mandates banks to issue customers a one-time password (OTP) for recurring payments above Rs 5,000. The bank will also have to issue a pre-debit notification five days before the money is scheduled to be debited for all subsequent transactions within this threshold. Only once the customer has approved the payment will the debit be permitted.

Meanwhile, these new rules will have no effect on auto debit accounts for mutual funds, SIPs, or equivalent monthly installments for loans.

Some Safety Aspects to Eliminate that Anxiety
It can be used to make contactless card transactions and QR code payments at point-of-sale (PoS) terminals, as well as reduce the risk of fraud caused by sharing credit card information.

Tokenization requires just that the cardholder submit a request through the token requestor's app. With the card issuer's consent, the token requestor will transmit the request to the card network, which will issue a token corresponding to the card, the token requestor, and the device. According to the RBI, tokenization is now viable for all use cases and channels, including contactless card transactions, QR code payments, and apps, via mobile phones or tablets. Token Service Providers (TSPs) like Visa and MasterCard are already developing tokens and distributing them to mobile payment and e-commerce platforms, allowing them to use them instead of a customer's credit card information during transactions.

When consumers enter their credit card information into a virtual wallet like Google Pay or PhonePe, one of these TSPs requests a token. TSPs will first verify the information with the customer's bank. Once the data has been confirmed, a code is generated and sent to the user's device. The unique token is permanently tied to the customer's device once it is generated and cannot be changed. As a result, whenever a customer makes a payment with their smartphone, the platform will be able to authorize the transaction simply by sharing the token, rather than revealing the user's real information. Tokens can be used to secure payments in mobile wallets, as well as in physical and online stores like Amazon.

The Big Worry
While the main argument for allowing corporate presence in banking is that they can bring capital, business experience, and managerial competence, there are concerns that supervisors will find it difficult to prevent or detect self-dealing or connected lending since banks can hide connected party or related party lending behind complex company structures and subsidiaries, or by lending to promoters' and their group companies' suppliers. These loans may become bank bad assets as a result. Furthermore, heavily financed and politically connected corporations will have the strongest motive and ability to obtain licenses.

Also, connected lending occurs when a bank's controlling owner gives loans to themselves or their related parties, and group firms on favorable terms. Business groups want funding, and if they have an in-house bank, they may obtain it quickly and without inquiry. Companies can utilize the bank as a private pool of immediately available funds, in other words. Even without becoming promoters of a bank, large business groups account for a significant portion of non-performing assets (NPAs) in the banking sector.

Individuals and firms directly or indirectly linked to significant industrial houses are allowed to contribute up to 10 percent in the equity of a new private sector bank, according to the central bank, but they must not own a dominant interest in the bank. The RBI stated in its Guidelines for 'on tap' Licensing of Universal Banks in the Private Sector issued in August 2016 that such shareholders should not have any Director on the bank's board of directors due to shareholder agreements or otherwise. The RBI defined a major industrial house as a company having assets of Rs 5,000 crore or more and a non-financial business that accounts for 40% or more of total assets or gross income.