
Winners And Losers Of The Recurring Payments Shake-Up

The data flow change on recurring payments also inverts well-established security practices, writes Anand Venkatanarayanan.

The Indianapolis 500 race at the Motor Speedway in Indianapolis, Indiana. (Photographer: Tom Uhlman/Bloomberg News)

The Reserve Bank of India regulations on e-mandates for recurring payments seek to address a pain point that has long haunted recurring payments from a consumer point of view – control. Recurring payments solve three big problems for both businesses and consumers - affordability, certainty, and trust. They offer affordability to consumers, who don’t have to commit to paying for a service upfront when they are unsure about quality and delivery. They offer certainty to businesses, which get a guarantee on cash flows if they can deliver the service and earn consumer trust in the process.

The technical solution for this problem is hence simple – create a token, which is an opaque identifier and has no information about the card details. The policy problem then becomes – who will implement it? In a card transaction when it comes to recurring payments, there are essentially four players: issuers of the card (banks); consumers to whom the card is issued (users); businesses that offer the service, to which the user offers their card for registering a recurring subscription; and payment intermediaries, who not only take care of the complexity of collecting payments from users and remitting them to the businesses but also ensure that card details are not stored by the businesses.

The RBI regulations were clear that this responsibility falls upon the issuing bank. But the banks were not ready to roll out the changes. The RBI then invoked the nuclear option of mandating recurring payments only through the new indirection approach from Oct. 1 onwards, and declining all existing recurring payment requests made via payment intermediaries.

The impact of this nuclear option has been immediate – existing subscriptions stopped working immediately for both users and businesses. Further, it has also eviscerated business plans, because users have to be re-acquired all across the supply chain, and has had an impact on the valuations of these budding businesses in the short term, their fund-raise plans, and hence their survivability.

Data Security Concerns

The data flow change also inverts well-established security practices. The card number is supposed to be a secret between the issuer and user, especially after the upcoming mandatory tokenisation directive.

Banks making users sign up or log in to a third-party site to manage their recurring subscriptions is simply a terrible security practice.

SI-Hub, for instance, does not have PCI-DSS certification displayed on-page, and the privacy policy and terms of use are blank links. The quick-fix solution of putting bank logos on an unrelated third-party website has made global threat detectors flag it as a potential phishing site. Further, some businesses have also auto-created mandates (here, here, and here) with an exceedingly large value of authorisation (over Rs 1 crore), despite the regulation requiring an additional factor of authentication for any debit higher than Rs 5,000. Hence, the regulations on e-mandates have created a clear set of losers – businesses and users.


A New Bureaucracy

Who are the winners, though? The new intermediaries with whom the banks have to tie up in order to provide the regulatory compliance mandated by the RBI. These intermediaries are now the new bureaucracy, thus adding one more party to the earlier four-party transaction of issuers, businesses, users, and payment intermediaries.

While the earlier model required payment intermediaries to depend upon the banks, the new model requires issuers (banks) to depend upon the new bureaucracy selling compliance-ware, thus inverting the supply chain dependency.

That existing payment intermediaries such as RazorPay (Mandate HQ) and BillDesk (SI-Hub) have created solutions that offer this compliance-ware is hence not a surprise. Businesses that depend upon subscriptions have no choice but to integrate with one of the above, or else they would not be able to offer recurring subscriptions via cards, thus further tilting the market towards UPI, where PhonePe and G-Pay are already winners. Hence, this also means that users have no choice but to centrally store their card details on these platforms, thus making them a super-platform connecting both sides of the market.

The data trails that these platforms would hence have visibility into would allow them to up-sell services, which others will not be able to do. Consider for instance Netflix, which has now tied up with SI-Hub for recurring payments. In a case where, in some distant future, Netflix is not happy with SI-Hub, switching to others will not be easy, as all the users of Netflix will have to register their cards with the new platform. While Netflix may be able to absorb the cost, other businesses may not be able to, thus providing a permanent lock-in for both users and merchants in that platform.

The regulatory intervention has thus become a blessing for BillDesk and RazorPay and has allowed them to increase their customer base on both sides of the payment transaction – users as well as businesses.

After all, RazorPay X already offers a current account for businesses (via RBL Bank) where the user experience is several notches better than RBL Bank. It offers tax payments via ICICI Bank and is in the process of doing deep integrations with accounting software (Quickbooks, Tally, Zoho) and also offers easy-to-use APIs for enterprise resource planning integration. With tie-ups from NBFCs, it offers working capital loans as well as corporate credit cards. Hence, one can argue that it already has all the trappings of a bank, but without a banking license.

While BillDesk may not be as sophisticated in terms of tech chops when compared to RazorPay, it is a payment aggregator and the preferred destination for collecting bills, and the forcible push of banks on users to register their cards on SI-Hub has consolidated BillDesk’s hold on users further.


A Question Of Agility

As these entities become more and more entrenched in the banking supply chain, a natural option then presents itself – why not move up the value chain and become a bank themselves by applying for a payment bank license and get rid of the tenuous dependency on banks, which at this point in time, only provide a store for parking money via accounts?

Perhaps we are seeing a new reality dawning in the banking sector, albeit slowly.

While banking is traditionally thought of as a bundle of products and services including both deposits and loans, at a certain point in time banks become too slow to address the changing needs of the economy.

Newer institutions that address these problems, egged on by regulatory interventions (demonetization, e-mandates, etc.), can then address these changing needs, obtain a significant market share by capturing both sides of the market, and then become banks themselves by unbundling and re-bundling the products and services across deposits and loans in innovative ways.

Maybe, for banking to grow and evolve, banks as we know them must die.

Anand Venkatanarayanan is a software security researcher, and Strategic Advisor in DeepStrat LLP.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.