The writer is a banker.
International card companies are caught between a rock and a hard place called India. Visa, Mastercard, etc, have been subject to several regulatory yellow and red cards over the last few years. One of them was forced to discontinue fresh card issuances while another scampered to petition the US government. This period also saw the coming of age of RuPay, India’s own home-grown card payment system.
One can’t help but feel a bit of sympathy for these companies. They were on the forefront of the first digital banking wave India witnessed in the early 2000s. For the first time, bank customers could experience the convenience of carrying their bank accounts in the pocket. The wallets became thinner and multi-slotted as wads of cash gave way to an array of cards. Of course, a virtual duopoly and certain unhealthy tendencies started to emerge.
The near total reliance on two US companies carried serious political risks as well, as became evident when the Society for Worldwide Interbank Financial Telecommunication (SWIFT) unplugged Iranian banks from the network in deference to US wishes. So, there was a compelling case to have a desi player in the card payments arena, which eventually led to the launch of RuPay cards in 2012.
Paired with Aadhaar, the National Payments Corporation of India’s (NPCI) RuPay cards unleashed a banking revolution, giving millions of Indians their first-ever bank account. NPCI would go on to create the Unified Payments Interface (UPI), arguably the most disruptive payments platform in the world. The troubles faced by foreign card companies started to mount almost at the same time. The first signs came in 2018, when RBI asked all payment system operators to store data related to intra-India payments in India only.
Indisputably, regulators and law enforcement agencies such as the Central Bureau of Investigation (CBI) and Enforcement Directorate (ED) needed to have unfettered access to data for supervision and crime control. The challenges some investigating agencies had faced in getting hold of data relating to BlackBerry messages provided the most irrefutable argument for local storage of data. But instead of mandating that a full replica of the data should be stored in India at all times, RBI went on to prescribe that data should be stored only in India, a far too onerous diktat that threw companies out of gear. This meant no data, originals or copies, could be held in foreign servers even for business continuity.
The requirements were so onerous that Mastercard was forced to stop fresh card issuances in India. The directive went way beyond ensuring mere access to data. No wonder some observers labelled this as a disguised non-tariff barrier.
Troubles for card companies were only starting. Another regulation relating to auto-debits – repeating periodic payments for subscriptions and other services – tested their mettle once again. The intent could not be faulted. But what really hurt was that the new guidelines were made applicable for existing running mandates also, instead of grandfathering them. It was a kind of retrospective regulation that caused serious heartaches not only to the card companies but also to numerous cardholders who found their payments – ranging from domain registration to OTT services – getting cancelled due to payment failures.
Tokenisation is the latest regulatory disruption – currently deferred from its original date of January 1, 2022, by six months – in this line. The term ‘tokenisation’ denotes the process of encryption and decryption of card details such as the name of holder, card number and expiry date. Starting July 1, all card data stored on third-party sites are sought to be in tokenised form, leaving card companies with the job of creating the necessary encryption-decryption systems and back-end infrastructure.
Once again, the avowed objectives of customer protection and data privacy are honourable. But the solution looks like an overkill. Tokenisation is certainly a good-to-have feature, but not something so desirable as to be enforced through disruptive rule-making. A more nuanced and pragmatic approach in such matters would benefit all. Customers cannot be treated as hapless babes who need to be sheltered and protected at all costs.
Some responsibility for acting with prudence and safeguarding their own money and data should rest with customers. What is needed is light-touch regulation, and not just for payments. There is a fine line between assertive regulation and permit raj. Lawmakers and regulators have to be mindful that in their enthusiasm for doing good, they don’t tip over to the other side.