
RBI May Allow Small Value Transactions Without Two Factor; Merchants To Take Abuse Risk

I’m going soft on the RBI.

I really, really, really like Rajan’s presentation – I mean just the slides, since I wasn’t actually there – that were released today, as part of his speech at the FICCI-IBA Annual Conference. The clarity of thought is appealing, and that he sought to clear misconceptions about regulation, even more. (I’m not the kind of guy given to superlatives, especially not when it comes to the RBI, so I’ll just stop here)

I’ll highlight three parts of his presentation that I found quite interesting, in three quick posts. Firstly, two slides on the two-factor authentication issue that’s plagued the Indian startup space recently about how RBI is being a dick. (I have argued that what companies like Uber are doing is “cheating” the regulation, which has a good solid reason.)


The case for regulation is obvious – if everyone else in India has to do this, then no one should be able to bypass it. But yes, there’s a need to ease the issue for faster processing, especially where the value of a service is not known at the time of booking (like in a taxi ride).

The RBI process of “doing better” is interesting because:

  • It will allow companies like Uber to operate if they bear the costs of misuse!
  • The small payment (like Uber which is likely to be less than 1000 rupees) is going to have some kind of exemption. This is also good news.

I do not want any company to be able to use just card information to charge me even if it’s just Rs. 10. Let me tell you why.

This still invites abuse in the sense that I need to call up my bank for each such abusive transaction, even if it’s small value. If my credit card information is read and a merchant were to charge a Rs. 10 fee, then he might be willing to take the risk that he has to pay it back if I refute it, but I still must spend the time trying to refute the charge!

Anyone who has tried to call up their bank to refute a transaction will not have spent less than half an hour on hold, typed at least 10 different numbers, gone through 6 IVR levels and pressed 9, 0, # or anything else in frustration. I would rather pull my hair out one by one than have to do this kind of thing for every abusive transaction. And that’s for those of us that are educated; if it frustrates us, how does it work for those that don’t have such knowledge?

Exactly ZERO of all the cards I own has a toll free number – all support numbers are charged and half an hour to a landline is an expensive proposition. Paying Rs. 30 on a phone bill to refute a Rs. 10 transaction is, honestly, silly. (Heck, phone companies could charge you Rs. 10 each time and then pay you back the refuted charge after you’ve paid them the money to make the call…wait, let me not put ideas in their head)

I would suggest to the RBI that a small value transaction system without 2-factor must require banks to have toll free and very quick resolution frameworks for all cards, including by phone, SMS, email and the web. That means I should be able to dispute a transaction by just sending an SMS back with a unique transaction ID (which they generate when they send me an SMS of every transaction in the first place).

As an extension, the RBI should require all banks to adhere to a common “refute and report” protocol, which every credit card holder can access to refute non-two-factor authenticated charges. Every bank must be required to accept requests to refute such transactions in a common format, and have to respond with an okay (must allow refute unequivocally, as risk is with the merchant). So private parties can write apps to ease the dispute process further, because we can no longer trust our banks to do anything useful without beating them on the head with regulation.

Oh yes, easy “refute” can hurt the merchant but the merchant took the no-two-factor risk, remember?
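An added sketch (not from the RBI or any bank) of the bank-side handler for the SMS dispute and unconditional “okay” proposed above. The `REFUTE <txn_id>` message format, the class and field names, and the check that the reply comes from the card’s registered number are all assumptions:

```python
import secrets
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str        # unguessable ID included in the transaction SMS
    phone: str         # cardholder's registered mobile number
    merchant: str
    amount_rs: int
    two_factor: bool   # False: merchant skipped 2FA and carries the risk
    status: str = "CHARGED"

class RefuteDesk:
    """Hypothetical handler for SMS replies of the form 'REFUTE <txn_id>'."""

    def __init__(self):
        self.txns = {}

    def record_charge(self, phone, merchant, amount_rs, two_factor):
        txn = Txn(secrets.token_hex(8), phone, merchant, amount_rs, two_factor)
        self.txns[txn.txn_id] = txn
        return txn     # txn.txn_id goes out in the SMS alert

    def handle_sms(self, sender, body):
        parts = body.strip().split()
        if len(parts) != 2 or parts[0].upper() != "REFUTE":
            return "REJECTED: expected 'REFUTE <txn_id>'"
        txn = self.txns.get(parts[1])
        # Same reply for unknown ID and wrong sender, so IDs cannot be probed.
        if txn is None or txn.phone != sender:
            return "REJECTED: no such transaction for this number"
        if txn.status == "REVERSED":       # repeated SMS is harmless
            return f"OK: Rs. {txn.amount_rs} already reversed"
        if txn.two_factor:                 # authenticated charge: normal dispute
            txn.status = "UNDER_REVIEW"
            return "RECEIVED: authenticated charge, sent for review"
        txn.status = "REVERSED"            # no 2FA: refund without questions
        return f"OK: Rs. {txn.amount_rs} reversed, charged back to {txn.merchant}"

if __name__ == "__main__":
    desk = RefuteDesk()
    # Constructed sample data: a Rs. 10 charge made without two-factor.
    t = desk.record_charge("+919800000001", "ExampleMerchant", 10, False)
    print(desk.handle_sms("+919800000001", f"REFUTE {t.txn_id}"))
    print(desk.handle_sms("+919800000002", f"REFUTE {t.txn_id}"))
```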

With enforced quick refute/resolution in place, some merchants should be able to take the risk on smaller value transactions (say below Rs. 1000, or better, leave it to the banks to figure the lower limit per account). We could finally get:

  • an Uber or Ola style taxi ride with no need to pay at the end, credit card automatically charged
  • a prepaid recharge with automatic “reuse my credit card with Rs. 330 when balance goes below 10”
  • a subscription of say Rs. 100 per month (newspapers, magazines)
  • a grocery charge that’s automatically charged to your account after delivery (instead of paying cash to the delivery guy)
  • renting small things (books, cycles, gear) leaving just your credit card information, which is charged on a daily/weekly basis.

And so much more – all of these are small payments which are currently done with cash or the more painful two-factor auth card system, which can be eased and made substantially more attractive.

The implications of the RBI rule change will be massive. We would love to have customers pay monthly for Capital Mind Premium, for instance, with an auto-billing service they can cancel when they like. (We are happy to bear the costs of any refutes – we will not charge customers for what they no longer want)

  • DJ says:

    1) Good that RBI is coming around to the same position I posted about in the last article that they need to make allowances for certain business models.
    2) Enforcing rules blindly is stupid (especially when the rules are stupid too) and indeed if it impedes innovation then RBI is the only stupid entity here. That is plain and simple. And, RBI has conceded as much by admitting that it can do better. So, it contradicts itself and agrees that its rules are not ideal and need exceptions so why are they harping about rules then? LOL. Well if they are saying that they could have done better, then why didn’t they do it in the first place? Why did people have to prod them into being reasonable? They need to get moving. The world isn’t going to wait for them to get their act together.
    3) I disagree with the way RBI presented the second slide. They should be talking about 0 customer liability (regardless of authentication used or not) so that customer can request a cancellation, no questions asked and the customer does not face the onus of proving that the transaction was fraudulent. This is pretty much what this post says but not as categorically. If customers misuse this, it should reflect in their credit history. Problem solved. This is nothing special to ask for – it’s the norm in most developed countries and as pointed out by RBI itself, this is the way to go. The entire slide is meaningless if they don’t even talk about this:
    I would rather listen to Mr. Padmanabhan than Mr Rajan on this issue.
    Can we do better? should have this as the first point. Rest all falls into place.
    4) The preaching tone in the slides is unacceptable. It is a citizen’s right to demand things that other people in the world have. It is RBI’s job to see how to achieve it if reasonable (which they have admitted that it is) by taking into account the totality of systems and provide a reasonable excuse (which they could not provide in this case) if it should not be done. It is not an individual’s responsibility to think about totality of systems.

    • DJ – I broadly agree with you. But just because rules are faulty cannot mean some people can be allowed to violate them. Best to change the rule set, like RBI has been doing. The problem with RBI is they take MONTHS to get to a darn regulation, and get feedback from hajaar people.
      I think 0 customer liability is a possibility if they get insurance going on some of these things. I hope they move to that – the slide is not about zero liability to customers (which should be possible anyhow) but about the two factor rule being specifically required. I personally like the rule because, as I said, refuting transactions is a major pain, and I would much rather have two factor than try to deal with this kind of crap every few days. (Legal systems to catch and put people in Jail in India are very slow, and that might really be the only deterrence for fraudsters)
      Yes, demanding stuff is our right. But if their defense is about totality of systems then it will just end there, unless we also go in and try to help them address totality. In this case, it should be an open discussion. I think the slide tone is excellent- it forces debate.

      • DJ says:

        1) “The problem with RBI is they take MONTHS to get to a darn regulation, and get feedback from hajaar people.”
        You said it yourself. RBI deserves 0 respect because of their own lack of expertise. Breaking rules (when they don’t make sense) is 100% right and I’m NOT going to agree with you on this, even a smidgen. Let them go ahead and prosecute and incur court fees, that’s fine. I wish there were some sensible groups in our country who would actually sue RBI for its discriminatory regulations.
        2) I don’t understand your second point because if we have 0 liability then where is the process pain of refutation?
        a) “But if their defense is about totality of systems” – that isn’t their defense, they just stated themselves by saying that they can do better.
        b) “unless we also go in and try to help them address totality.” – not an individual’s problem because even if we tried we would be ill equipped to do so. And, it is downright insane to suggest this due to impracticality.
        c) “I think the slide tone is excellent- it forces debate.” – quite the opposite. The already vigorous debate forced those slides and forced RBI to be more rational.

        • 1) I disagree; but then we agree to disagree. I don’t say don’t break rules – I mean that enforcement of rules is necessary, and should be uniform. In the process of enforcement if you find that the rules need to be changed and the regulator is open minded, things can change. Without enforcement the rules are just potential future rent seeking, that’s all.
          2) For zero liability you still have to refute. If I have a charge on my card I didn’t do, I have to refute. If I have 10 charges in 10 days I have to refute each day separately, or cancel my card or something.
          3) That they can do better can still exist in the totality of systems. I don’t think it’s insane to suggest that we look at this. I would. I think others should not ignore it either. Again, I don’t want to keep driving my point when it’s simply a disagreement on whether it is insane or not – You’re free to say I don’t care and I’m going to keep saying if you don’t, they won’t listen to you. It’s important to bring the two sides together to reach a solution that isn’t a compromise.
          The slide tone also is another point we’ll disagree, and honestly, I don’t think our opinion on the tone is relevant to a solution 🙂 So let that be too.

      • DJ says:

        Let me explain why breaking a rule like this is good. Because it has forced a debate, a rationalizing of the regulation. Merchants could have instead asked the RBI for exceptions and we all know how long that would have taken with perhaps a negative outcome as well. Breaking the rule has led to a better outcome all around, and that is not a small achievement.

  • DJ says:

    Actually, I am now even more super-annoyed with RBI. If RBI is now going to make an allowance for Uber-like business models now, then why did I waste so much of my time arguing for the same thing in the last post? Why didn’t they just put the caveats in their stupid circular so we would all get on with our lives.

  • Rahul says:

    Thanks Deepak for this very informative article. I am also a credit card user in India and this step by RBI is a welcome step. But I am still confused about the following:
    1) What about the purchase of online digital content from sites like Google Play, Apple iTunes, or auto-renewal transactions for music services, magazines etc.? Do they also come under two factor authentication? As a customer, how can I judge which transactions/merchants should come under the two factor authentication and which should not? This will help customers in being vigilant when making transactions, and they can also report to the bank those which do not comply with the RBI directive.
    2) Has RBI also put any measure in place to secure physical transactions in India? Though most of the credit card companies are issuing CHIP+PIN credit cards, many establishments in India, though they do the transactions through CHIP, don’t ask for the PIN. In such a scenario, if the transaction is disputed, what are the RBI guidelines regarding the same? Is PIN mandatory or not?
    3) What about the pre-authorization amount that hotels deduct at the time of check-in? Is there any security in that, either OTP or PIN?
    Hope you will clarify so that customers like me can be more vigilant of their credit card protection & rights.

    • Thanks Rahul.
      1) Google play etc are okay, and don’t require 2FA, because it’s services provided from another country. I think the spirit is that if the merchant/customer relationship is in India, money needs to be paid through an Indian 2FA system.
      2) CHIP+PIN is now compulsory for new cards. Old cards can do the CHIP+Signature, I think. Disputes involve arbitration but customer MAY be liable, if it’s proved that he did receive a service.
      3) Pre-auth amounts can be done through OTP/PIN – the actual amount can be used later.