Customer Protection, Convenience, Complaint Redress in payment systems

Customer protection

Customer interest has always been the overriding principle for RBI. Some initiatives introduced decades ago in payment systems to safeguard the interests of customers are valid even today. Mandating PAs to open escrow accounts, AFA, e-mail / SMS alerts, digital ombudsman, etc., have not only added security to payment transactions but also increased customer confidence in PSS, thereby helping in increasing digital footprints.

Security for card transactions

Use of cards (both credit and debit) has been growing over the last few years. Non-empirical evidences show that cards are the first mode of on boarding a person into the digital fold. This makes it very important to ensure safety and security of card transactions so that frauds are minimised. To this end, RBI has been taking several measures to enhance the security of card transactions which has helped in containing card related frauds in India. These include the requirement of AFA for all online or CNP transactions, need to obtain PIN for physical / face-to-face or CP transactions, need to provide alerts to the cardholder for all card transactions, irrespective of the amount and channel, etc.

Additional Factor of Authentication (AFA)

Authentication is important to prevent fraudulent transactions in the e-Commerce environment. It improves (a) trust between the merchant and the customer, and (b) security in a world where cyber security has become a major issue. With effect from August 1, 2009, banks were mandated to ensure that online transactions using credit and debit cards are authenticated using AFA, the additional factor based on information not visible on the card. This mandate applies to all transactions using cards issued in India, for payments on merchant site where no outflow of foreign exchange is contemplated.

RBI has also mandated PIN based authentication for all card transactions at PoS terminals. This mandate for AFA / PIN is relaxed in case of PPI - Mass Transit System (PPI-MTS) transactions and also for contactless transactions for values up to ₹ 2,000/- performed using NFC-enabled EMV Chip cards. The limit was subsequently revised to ₹ 5,000/- effective from January 01, 2021.

To prevent fraudulent withdrawal at ATMs, RBI has mandated requirement of PIN entry for every transaction, including balance enquiry transactions.

EMV Chip and PIN cards

An EMV chip is an embedded microprocessor chip in payment cards such as credit and debit cards which stores and protects cardholder data. EMV chip technology was originally developed by Europay, Mastercard and Visa (which is how the acronym EMV came to stay), with the EMV chip storing data on integrated circuits rather than in magnetic stripes. EMV chip card transactions improve security against fraud compared to magnetic stripe (magstripe) card transactions that rely on the holder's signature and visual inspection of the card to check for features.

RBI mandated the use of only EMV Chip and PIN based debit and credit cards with effect from January 1, 2019 and banks were advised to disable all magstripe cards issued earlier. Further, banks and WLAOs have been advised to ensure that all ATMs / micro-ATMs (which are enabled to handle card-based transactions) deployed by them are enabled for processing EMV Chip based transactions.

Online Alerts

In order to enhance the security of online card transactions, with effect from August 1, 2009, banks were required to put in place ';Online Alerts'; to the cardholder for all CNP transactions of the value of ₹ 5,000/ and above. This measure has been generally welcomed by customers, which enabled them to take prompt action if the card was misused and went a long way in arresting further perpetration of such fraudulent transactions. To further strengthen the system, banks were mandated to put in place with effect from June 30, 2011, a system of online alerts for all types of transactions irrespective of the amount, involving usage of cards at various channels.

Tokenisation

While performing a card transaction, a customer either enters the card details manually (for e-commerce transactions) or swipes / dips the card at a PoS terminal. There are situations when the card holder hands over the card to a staffer of a merchant establishment (say, a restaurant) for payment. There is a possibility of data breach and the card holder's data could be at risk and susceptible to misuse. One of the means of enhancing security is ';Tokenisation';, a process whereby a card's 16-digit Primary Account Number (PAN) is replaced with a unique alternate code (called as ';token';). This token is unique for a combination of card, token requestor (i.e., third party app provider) and device (i.e., mobile, tablet, etc.). Thereafter, payment transaction is performed using the token, instead of the actual card data. Thus, in a tokenised card transaction, the actual card details are neither sought for nor captured at the merchant's end. This enhances safety and security of the card transaction.

In January 2019, RBI issued a framework for tokenisation of card transactions which allowed all authorised card networks to offer tokenisation services, irrespective of the app provider, use case, etc., subject to certain conditions and responsibilities. The use of tokenisation, however, does not dilute the instructions in place for AFA. Registration for tokenisation service is purely voluntary for customers and they need not pay any charges for availing this service. For the present, this facility is offered only through mobile phones / tablets.

Facility to switch on / off transaction rights

RBI continuously evaluates the systems in place to provide more safety to cardholders and the card transaction chain. The following additional safety measures were mandated that have come into effect from October 1, 2020:

• At the time of issue / re-issue, all cards (physical and virtual) should be enabled for use only at ATMs and PoS devices within India.
• For existing cards, issuers may take a decision, based on their risk perception, whether to disable the CNP / online (domestic and international) transactions, CP / face-to-face (international) transactions and contactless transaction rights. Existing cards which have never been used for CNP / international / contactless transactions shall be mandatorily disabled for this purpose.
• The issuers shall provide to all cardholders a 24x7 facility to switch on / off and set / modify transaction limits for all types of transactions, through multiple channels - mobile application / internet banking / ATMs / Interactive Voice Response (IVR), as also at branches / offices; alerts / information / status, etc., shall be sent to cardholders as and when there is any change in status of the card.

Positive Confirmation

In order to remove any ambiguity for funds transferred through NEFT, an element of positive confirmation was introduced with effect from March 1, 2010. The new message format was introduced to relay to the originating bank an acknowledgment containing the date and time of credit, immediately after the credit is afforded to beneficiary accounts. The originating banks, on receipt of positive confirmation from the destination banks, are required to initiate a mobile SMS or generate an e-mail to the originator to convey the fate of the transaction. Positive confirmation was mandated for RTGS with effect from January 15, 2019. This is a unique feature in NEFT and RTGS systems in India.

Data Storage

There has been a considerable growth in the payment ecosystem in India, particularly in the realm of digital transactions. Ensuring safety and security of payment systems has always been the cornerstone of RBI's approach towards payment system regulation and development.

Towards this end, and to have unfettered supervisory access to data stored with the system providers, as also with their service providers / intermediaries / third party vendors and other entities in the payments chain, RBI has, vide circular dated April 6, 2018 on ';Storage of Payment System Data';, mandated all system providers to store the entire data relating to payment systems operated by them in systems only in India. This data pertains to full end-to-end transaction details and information processed as part of the payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.

Harmonisation of Turn-Around Time (TAT) for failed transactions

Many customer complaints are due to unsuccessful or failed transactions (caused by disruption in communication links, non-availability of cash in ATMs, time-out of sessions, non-credit to beneficiary's account due to various causes, etc.). The instructions on TAT and the compensation framework cover failed transactions at ATMs and non-credit / delayed return of transactions through NEFT and RTGS. Since there were no prescriptions for TAT for other authorised payment systems such as cards, UPI, IMPS, etc., there was no uniformity in reversing failed transactions.

Therefore, in September 2019, RBI introduced a framework on TAT and customer compensation for resolution of failed transactions across all authorised payment systems. The framework seeks to ensure, (a) reversal within a specified time without the need for lodging of complaint by the customer, and (b) compensation to customer for delay in reversal of such failed transactions, which are not directly attributable to the customer. Domestic transactions i.e., those where both the originator and beneficiary are within India, are covered under this framework. The salient features of the framework are:

• The prescribed TAT is the outer limit for resolution of failed transactions;
• Definition of a failed transaction includes credits which could not be effected to the beneficiary due to lack of full information or lack of proper information and delay in initiating a reversal transaction;
• Wherever financial compensation is involved, it shall be effected to the customer's account suo moto, without waiting for a complaint or claim from the customer;
• If the transaction is a 'credit-push' funds transfer and the originator's account is debited without a credit to the beneficiary account, a reversal should be effected within the prescribed time period failing which, a penalty has to be paid to the beneficiary;
• If there is delay in initiation of a transaction at the originator bank's end beyond the TAT, penalty is to be paid to the originator.

e-Mandates / Standing Instructions - Cards / UPI / PPIs

A framework to facilitate e-mandates on cards and PPIs was issued in August 2019 to encourage digitisation of recurring payments like monthly subscriptions, insurance premia payments, systematic investment plans, bill payments, etc. It couples convenience with adequate safety like AFA for the first transaction, e-mandate registration, modification and revocation. This framework was subsequently extended to cover UPI based payments.

Customer convenience

Cash withdrawals at merchant locations using PoS and UPI

For over a decade, banks had been permitted to extend small value ';cash withdrawal'; facilities at PoS devices at merchant establishments. Under this facility, using debit cards and open-loop prepaid cards, banks can, subject to approval by their respective Boards, permit cardholders to use PoS devices deployed by them for withdrawing up to ₹ 2,000/- per day per card in Tier III to VI centres (₹ 1,000/- per day per card at Tier I and II centres). The charges, if any, levied on the cardholders for this purpose should not exceed 1% of the transaction amount at all centres irrespective of the withdrawal limit. This facility provides an additional option to cardholders to withdraw cash from nearby merchant establishments; the merchants may earn extra income apart from circulating their cash collections without visiting a bank.

The facility of cash withdrawal at merchant locations was extended to UPI as well. It seeks to provide another interoperable solution for making cash available for contingent requirements of individuals as also enable better cash management avenues to merchants.

Digital Literacy - e-BAAT

Digital payments penetration and adoption need to be supported by digital literacy. In terms of PSS Vision 2019-21, RBI is committed to encourage greater use of electronic payments by all sections of the society to increase the digital footprints and achieve a ';less-cash'; payment ecosystem. As part of a customer centric approach, RBI's focus is on enhancing customer education and awareness, so that customer confidence in payment systems is reposed with usage combined with better awareness of the product and processes.

A well-informed customer base would also facilitate faster migration away from cash and other paper-based payments. To achieve this, it is RBI's endeavour to enhance customer awareness through structured electronic Banking Awareness and Training (e-BAAT) programs, in collaboration with all the stakeholders. The focus of e-BAAT program is basically to educate the masses to shift their focus of payments from paper to electronic payments through different modes. RBI is also creating customer awareness through press, A-V media and social media platforms e.g., RBI Kehta Hai and arranging media workshops.

Intervention in charges

Merchant Discount Rate (MDR)

MDR refers to the fee charged by an acquiring bank (bank that sets up the payment infrastructure) for providing the facility of accepting payments performed using cards, UPI, BHIM Aadhaar Pay, PPIs, etc. This fee is payable by merchants and MDR so charged, is divided among issuers (called as issuer interchange), card networks (called as network fee), acquirers and any other entity involved in payment transaction chain (like payment aggregators). Charging MDR is considered necessary to ensure viability of banks / service providers in the payments chain.

RBI issued a framework for MDR for debit card transactions which came into effect from September 2012. This framework was subsequently revised in 2017. The revised framework categorises merchants based on turnover, adopts a differentiated MDR for QR-code based transactions and specifies a ceiling on the maximum permissible MDR for both CP and CNP transactions. This framework is not applicable for credit cards, PPIs, UPI, BHIM Aadhaar Pay, etc.

As stated earlier, MDR should be borne by merchants and not passed on to the customers. After demonetisation, to promote digital transactions, the Central Government, till December 2019, reimbursed MDR charges on transactions with values up to ₹ 2000 made through debit cards, BHIM UPI and Aadhaar-enabled payment system. As per Central Government announcement, no charge, including MDR, shall be applicable on or after January 1, 2020 on payment made through prescribed electronic modes, viz., debit card powered by RuPay, UPI (BHIM - UPI) and UPI QR Code (BHIM - UPI QR Code).

ATM Interchange

In order to enable citizens to have access to cash withdrawals on an 'anytime and anywhere' basis, ATMs have been deployed by banks during the last two decades. ATMs have gained prominence as a delivery channel for banking transactions in India. Commensurate with the branch network, larger banks have deployed more ATMs. Most banks have entered into bilateral or multilateral arrangements with other banks to have inter-bank ATM networks as banks prefer to deploy ATMs at locations where they have a large customer base or expect considerable use. It is but natural that banks levy charges for usage of the infrastructure set up by them. These charges, called ATM interchange charges / fees, are often passed on to the customers.

The charges levied on customers vary from bank to bank and also vary according to the ATM network that was used for the transaction. Consequently, a customer is not aware, beforehand, of the charges that would be levied for a particular ATM transaction, while using an ATM of another bank. To bring about transparency in charges, in March 2008, RBI brought out a framework of service charges, according to which, the charges that can be levied by banks for use of ATMs are as follows:

With increase in transaction cost at ATMs, and the limits on the amounts that can be charged from customers, banks are of the view that ATM operations have become a loss-making activity for them. Even though there is still an unmet demand for ATMs in India, more so in the semi-urban and rural (SURU) areas, the total number of ATMs deployed has remained stagnant over the last two years. On the other hand, customers complain that banks levy charges on any service offered by them through ATMs.

Complaint Redressal 

Digital Ombudsman

The grievance redressal mechanism of a system is a measure of its efficiency and effectiveness as it provides important feedback on the working of that system. The grievances relating to digital mode of financial transactions accounted for 19 per cent of total complaints during 2016-17 which went up to 28 per cent till end June 2018, mostly due to inclusion of deficiencies in mobile banking service as a ground of complaint under the scheme with effect from July 1, 2017. Considering the growing trend and increasing complexity of such complaints along with the emergence of non-bank service providers in the digital payment space, RBI introduced the Ombudsman Scheme for Digital Transactions on January 31, 2019 in order to have a dedicated scheme for redressal of such grievances.

The Ombudsman Scheme for Digital Transactions facilitates the redressal of complaints regarding digital transactions undertaken by customers of a Payment System Participant viz., any person other than a bank participating in a payment system (banks are covered under the Banking Ombudsman Scheme). It is an expeditious and cost-free apex level mechanism for resolution of complaints regarding digital transactions.

For redressal of grievance, the complainant must first approach the system participant concerned. If the system participant does not reply within a period of one month after receipt of the complaint, or rejects the complaint, or if the complainant is not satisfied with the reply given, the complainant can file the complaint with the Ombudsman for Digital Transactions within whose jurisdiction the branch or office of the System Participant complained against, is located. For complaints arising out of services with centralised operations, the same should be filed before the Ombudsman for Digital Transactions within whose territorial jurisdiction the billing / declared address of the customer is located.

Internal Ombudsman

The advent of non-bank entities in the payment landscape has helped further advance the rate of adoption of digital payments in the country. To build customer confidence in the system and safeguard the interest of the consumers, RBI mandated that large non-bank PPI issuers (with more than one crore outstanding PPIs) should put in place an Internal Ombudsman Scheme. The scheme was intended to ensure that complaints of customers are redressed at the level of the PSO itself by an authority placed at the highest level of the PSOs grievance redressal mechanism. The eligible PSPs were required to make the scheme operational by January 20, 2020. The Internal Ombudsman Scheme for non-bank System Participants was put in place under section 18 of the PSS Act.

Online Dispute Resolution (ODR)

Increase in number of complaints and disputes is an expected outcome of the exponential increase in number of digital transactions. The most efficient option to handle such instances, however low in proportion they may be, is to have recourse to technology-driven dispute redressal mechanisms that are rule-based, transparent, customer-friendly and involve minimum (or no) manual intervention. Given the complexity in implementing such an ODR System across various payment systems, a phased approach by way of implementing an ODR System for failed transactions for all authorised Payment Systems was announced in August 2020 with PSOs required to implement the same by January 01, 2021. Based on the experience gained ODR arrangement would later be extended to cover disputes and grievances other than those related to failed transactions.

Source : RBI