For auto-payments from debit and credit cards or via wallets, an additional authentication by the customer will be required from 1 April. "A cardholder desirous of opting for e-mandate facility on card shall undertake a one-time registration process, with AFA validation by the issuer," RBI said.
The limit for auto-debit from cards and wallets is set at ₹5,000. For transactions above the cut-off, an additional one-time password (OTP) will be needed.
The new rule will be applicable for transactions performed using all types of cards – debit, credit, UPI and PPIs, including wallets, the central bank earlier mentioned.
The regulator earlier asked the banks to introduce additional factor authentication by 31 March, 2021. In a circular issued on 4 December, 2020, RBI said, "Processing of recurring transactions (domestic or cross-border) using cards/PPIs/UPI under arrangements/practices not compliant with the aforesaid instructions shall not be continued beyond 31 March, 2021."
The issuer has to send a pre-transaction notification to the cardholder, at least 24 hours prior to the actual charge or debit to the card. The user will have an option to choose a mode among available options (SMS, email, etc.) for receiving the pre-transaction notification, the regulator said.
To proceed with the transaction, the customer's consent is a must. The cardholder will also have an option to "opt-out of that particular transaction".
The issuer shall provide the cardholder an online facility to withdraw any e-mandate at any point, RBI said. "No charges shall be levied or recovered from the cardholder for availing the e-mandate facility on cards for recurring transactions," the bank noted.
Banks have started informing their customers about this new rule. "In accordance with regulatory requirements, processing of e-mandates for recurring transactions, which have been registered on your credit or debit card without Additional Factor of Authentication (AFA), will be discontinued w.e.f. April 1, 2021. You may make payments directly through your card at the merchant website or application," read a communication sent by Axis Bank.
RIP to the people who pay on int'l websites that cost more than ₹5000 without OTP
WTF man, while these rules are good, it shouldn't be applicable on intl transactions, or at least allow people to increase the limit; 5k is too low.
Just because some people get scammed not knowing how things work, does not mean I should suffer because of them.
A regulatory institution has every right to threaten and make the institutions comply with the orders in the interest of larger consumer benefits and safety. That's their job. You cannot call them mafia. Further, to make things simple, you cannot call your boss a mafia agent if (s)he has threatened you with consequences, provided you're not complying with the orders within the purview of your work.
I am just curious. Has RBI done anything since the Mobikwik leak happened? Called Mobikwik officials to explain what's going on? Issued any guidelines to banks or public on what to do about leaked data? This data is out no matter what the leakers claim about deleting it at their end. What is RBI going to do about it? Because Mobikwik does not seem to be interested in doing anything.
You're mixing two separate things. The Mobikwik breach is a separate thing and the laxity of banks in complying with already issued orders is a separate thing. The laxity of banks needs to be punished and for this RBI can act in any manner available within its domain.
There is no existing data regulation (both sensitive and non-sensitive) in our country; the Govt needs to work with the various stakeholders involved (for e.g. SEBI, RBI, UIDAI, MoH). We cannot simply blame RBI alone for inaction. What is the Govt doing? Or what has MeitY or the ministry been doing? Plus there is also the CERT-In organization for cybercrimes; what has been its response till date?
The regulation is not quite clear in these things, so better work with our parliamentarians in providing us with a clear data regulation on the lines of GDPR of EU. The last I read was it was work in progress and the Raisina Dialogue for this year is scheduled, inviting the promoters of EU's GDPR. Further, we might not know what Govt and RBI are doing behind closed doors.
Tbh CERT-In is also a joke. It's in the same state as BSNL. Where all high positions are occupied by old people who have the "sarakari naukri" attitude and don't know anything about the new tech or don't care since they know for sure they won't be fired/replaced.