What are the new RBI norms with regard to recurring card payments? – All you need to know

Have you recently started receiving e-mails/SMS from various banks and service providers asking you to re-register your e-mandates for automated payments such as OTT and newspaper subscriptions? This is because of the new RBI guidelines on recurring transactions, which come into force from October 1, 2021.

 

What are these new RBI norms?

 

In another step to secure digital transactions via credit/debit card, PPI or UPI, RBI has implemented the new auto debit rules. As per the new norms, all such transactions will have to be further secured with an additional factor of authentication (AFA) – 2-factor authentication. Any transaction, whether domestic or cross-border, using cards, without AFA, would be discontinued.

 

New rules for Automatic Payments – A Snapshot

 

Process: Registration of e-mandate
  Transaction amount <= INR 5,000 and > INR 5,000: A one-time registration process of card, with AFA validation, irrespective of transaction amount

Process: Processing of first transaction
  Transaction amount <= INR 5,000 and > INR 5,000: Transaction will be processed, with AFA validation

Process: Pre-transaction notification for subsequent transactions
  Transaction amount <= INR 5,000:
  • Customer will receive a notification giving information about the debit
  • Nothing further has to be done & the debit will be executed
  Transaction amount > INR 5,000:
  • Customer will receive a notification, at least 24 hrs prior to actual debit, for approval
  • Approval through 2-factor authentication
  • Post successful AFA, card will be charged

Process: Managing of e-mandates
  Transaction amount <= INR 5,000 and > INR 5,000: The issuer to provide online facility to pause/cancel the e-mandate at any point of time, requiring AFA

Source: RBI

 

Further to this, the bank/issuer is required to capture additional information, such as the validity period of the e-mandate, at the time of registration, and must also provide a facility to modify the validity period if required.

 

The banks also need to send a post-debit notification to the cardholder once the auto-debit is processed and, finally, set up a redressal mechanism to address customer grievances related to these mandates.
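The snapshot table and the registration rules above, worked through as an added example (not code from the RBI circular or the original post): a decision function that applies the INR 5,000 threshold, the 24-hour pre-debit notice, the AFA requirement, the validity period and the pause/cancel facility to a single recurring debit. Mandate identifiers and the scenarios are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Threshold and notice period from the RBI snapshot above.
AFA_THRESHOLD_INR = 5000
PRE_DEBIT_NOTICE = timedelta(hours=24)


@dataclass
class EMandate:
    mandate_id: str                 # constructed identifier, not an RBI format
    registered_with_afa: bool       # one-time registration validated with AFA
    valid_until: datetime           # validity period captured at registration
    paused: bool = False            # cardholder may pause/cancel online (with AFA)
    cancelled: bool = False
    first_debit_done: bool = False  # the first debit is always AFA-validated


@dataclass
class DebitAttempt:
    amount_inr: int
    debit_time: datetime
    notified_at: Optional[datetime] = None  # when the pre-debit notification went out
    afa_approved: bool = False              # cardholder completed 2FA for this debit


def evaluate_debit(m: EMandate, d: DebitAttempt) -> Tuple[bool, str]:
    """Decide whether one recurring debit may be executed, and give the reason."""
    if not m.registered_with_afa:
        return False, "mandate not registered with AFA"
    if m.cancelled or m.paused:
        return False, "mandate paused or cancelled by cardholder"
    if d.debit_time > m.valid_until:
        return False, "mandate validity period expired"
    if not m.first_debit_done:
        # First transaction: processed only with AFA validation, whatever the amount.
        if d.afa_approved:
            return True, "first debit processed with AFA"
        return False, "first debit requires AFA"
    if d.notified_at is None or d.notified_at > d.debit_time:
        return False, "pre-debit notification not sent"
    if d.amount_inr <= AFA_THRESHOLD_INR:
        # The notification is informational; nothing further is needed.
        return True, "notified, auto-executed (<= INR 5,000)"
    if d.debit_time - d.notified_at < PRE_DEBIT_NOTICE:
        return False, "notification sent less than 24 hrs before debit"
    if not d.afa_approved:
        return False, "amount > INR 5,000 requires AFA approval"
    return True, "notified 24 hrs ahead and AFA approved (> INR 5,000)"


def run_snapshot_cases() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios mirroring the rows of the snapshot table."""
    now = datetime(2021, 10, 5, 9, 0)
    year = now + timedelta(days=365)
    active = EMandate("MND-CONSTRUCTED-1", True, year, first_debit_done=True)
    fresh = EMandate("MND-CONSTRUCTED-2", True, year)
    paused = EMandate("MND-CONSTRUCTED-3", True, year, paused=True, first_debit_done=True)
    cases = {
        "first_debit_with_afa": (fresh, DebitAttempt(499, now, afa_approved=True)),
        "small_notified": (active, DebitAttempt(499, now, notified_at=now - timedelta(hours=2))),
        "small_no_notice": (active, DebitAttempt(499, now)),
        "large_late_notice": (active, DebitAttempt(7999, now, notified_at=now - timedelta(hours=6),
                                                   afa_approved=True)),
        "large_no_afa": (active, DebitAttempt(7999, now, notified_at=now - timedelta(hours=30))),
        "large_ok": (active, DebitAttempt(7999, now, notified_at=now - timedelta(hours=30),
                                          afa_approved=True)),
        "paused": (paused, DebitAttempt(499, now, notified_at=now - timedelta(hours=2))),
    }
    return {name: evaluate_debit(m, d) for name, (m, d) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_snapshot_cases().items():
        print(f"{name:22} {'ALLOW' if ok else 'BLOCK':5} {why}")
```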

 

What will be its impact on payments?

 

This move is introduced to protect consumers by safeguarding pre-stored card data and avoiding digital fraud, especially for those consumers who hastily give their consent to unnecessary automated payments and fall prey to data breaches.

 

With the new guidelines coming into implementation, all such recurring payments need to be reviewed and re-registered with respective issuing banks to avoid transaction failure.

 

However, these will only impact standing instructions (SIs) on cards. The automated instructions under UPI Autopay, e-NACH and other SIs to banks will not be impacted.

 

The directive will empower card users and will give them more control over their transactions. They can now determine and set the amount, velocity, etc, thereby managing such recurring mandates efficiently.

 

Way forward

 

For end consumers

 

Initially, this will impact customers to some extent, as the previous payment mode was meant to provide them with a seamless experience (especially for transactions above the INR 5,000 cap in B2B usage). Also, such payments may move to other alternate modes of payment such as e-NACH, UPI, etc for a better customer experience. However, in the long run with awareness they will realize that such regulations are for their benefit as it will eventually increase the security on card transactions. 

 

For Businesses

 

These guidelines will encourage businesses, particularly small and medium-sized businesses, to reach out to an untapped customer base and build new business models in and around subscription payments, helping this market grow multi-fold in the coming years.

 

To sum it up, the entire payments ecosystem is going through changes due to these regulations and all stakeholders are getting impacted in one way or the other. It will require banks/card companies/fintechs in the payments space to provide such portals to comply with the new regulations. However, there is still a long way to go as not only the banks/card companies, but the merchant/merchant aggregators’ ecosystem also needs to be in a state of readiness for its successful implementation. 


Account Aggregators – Digitizing Transactions

What is an Account Aggregator?

 

Account Aggregator (AA) is a compilation of all the Financial data from bank accounts, credit cards, any investment accounts and other accounts in one place. Currently, the same can be pulled out through the help of an API, etc.

 

AA will help consumers to share all financial data including information on pension, brokerage, tax, insurance, etc. Currently, it is restricted to the financial sector only, however, this model will eventually help consumers sharing data in sectors like healthcare, telecom, etc. 

 

Difference between the AA and Traditional process

 

AA is different from the earlier process of Aadhaar data sharing and other CKYC platforms. Through AA, information like bank statements (Savings, Deposits, CA) or transaction data can be shared. In earlier methods like CKYC and Aadhaar, however, the financial institutions only get access to the customer's identity details (address, name, gender, etc.).

 

Steps involved for opening an account with AA

 

  1. Open an account with the AA (the customer can be an individual or a business), after which the AA will link all the financial data (bank accounts/credit card accounts/brokerage accounts/etc.)
  2. The customer provides consent to the AA
  3. Post consent, the AA seeks approval from the financial data providers to access the customer's accounts
  4. Once the approval is in place, the AA provides the data to the customer for his/her ease of various transactions

 

Currently, in India we have 8 AAs: Axis Bank, HDFC Bank, ICICI Bank, IndusInd Bank, SBI, Kotak Mahindra Bank, IDFC Bank and Federal Bank.

 

Is AA secure? 

 

The data extracted via AA is encrypted and the same can be decrypted only by the recipient. Digital signatures of the individual while accessing the data provided by AA makes it secure and convenient for the user.

 

Commercials Involved for AA service? 

Depends on the service provider. Some may charge the end customer for providing the service.

 

Benefits of AAs

 

  1. Account management: As of today, the financial data of an individual is stored in various places. The same can be viewed in a single window by the help of an AA eventually leading to one single platform which has access to all accounts/transactions.
  2. Quicker access to loans: Getting a loan from a bank will become much simpler. An individual can give a consent to a bank and data like number of accounts, balances, statements, assets given for a previous loan, etc can be extracted through the help of an AA.

 

Way forward with AAs

 

As of today, consumers have to go through a long, siloed process of sharing stamped/notarised documents and signed bank statements, or even sharing their usernames and passwords with financial organisations (the 3rd party in this case) so that their history can be checked. With AA coming into the picture, the process becomes much simpler: a secure digital way to share your data with a 3rd party in a single access after consent.

Well, this will also create new types of loan opportunities in the market.

AA will create a repository of information which will be available easily for the institutions/etc (of course after the consent).

Currently, the AA is only available for the financial sector; the same will be provided for other sectors eventually too.

Banking as a Service (BaaS) – Entering into a New Era of Financial Ecosystem

Over the past few years, there has been an increase in the number of sectors like Travel, Retail, SaaS, etc. expanding into financial services.

 

Well, Banking and Fintech is a collaboration that is still very new in the Indian economy. The new normal has definitely shaken up the world and it has impacted the traditional banking system. The shift from visiting a branch to opening an account online has been a major revamp in the industry, and to be honest, this is just the start.

 

New Fintechs every day are disrupting the old traditional ways of banking and challenging our generation to think something out of the box now and then.

 

BaaS is a vast topic and the meaning of this is changing as per the ask of the end customer every day. Let’s try addressing the details one by one.

 

What is BaaS? 

 

In layman's terms, BaaS is a process that allows fintechs and third parties to connect with banks via APIs. From opening an account to creating FDs, everything can be done with the help of BaaS.

 

Offering these services to an end customer is not so easy and requires many more regulatory processes to be in place. For example, issuing prepaid cards requires a PPI licence, giving credit to customers requires an NBFC licence, and so on.

 

How does this work?

 

Banks obviously have licenses to offer various services, so they expose their systems to BaaS providers and these providers in return pay to banks for using their services. BaaS will allow businesses to fit the financial technologies and then the businesses will provide new solutions to end customers as per their needs and requirements.

 

Generally, the BaaS model begins with Fintechs, banks or Third party Providers paying fees to the BaaS platform. The financial institutions will open up their APIs to TPPs, thereby giving permission to access the systems and information required to build new banking products or offer white label banking services. 

 

Let’s understand how this is different from old traditional ways of banking

 

In today’s era, opening an account is just a matter of a few minutes compared to the days where opening a bank account required walking to the branch. 

 

Today, if someone has to send money to their children/relatives sitting abroad – trust me, it’s not a task anymore. Of course, this requires the regulatory practices to be in place, however, there are fintechs who are supporting this while simultaneously abiding by the regulatory guidelines.

 

To change the entire structure in the back end and front end for banks is not an easy task and requires a lot of investment. In this case, the banks approach BaaS or Tech service providers to plug in the system and provide end-to-end services to the customer. 

 

Future of BaaS

 

Every day the financial industry comes across a new development; the landscape is changing rapidly. Banks, Fintechs and businesses are coming across new requirements frequently. Reaching out to new segments of customers and solving a problem statement is also a new revenue stream for the banks as well as fintechs.

 

Banks teaming up with the service providers and reaching out to end customers for providing innovative solutions is much required. APIs and applications play a major role in bringing these changes and need to be developed in a responsible way to provide long-term efficiency and scalability.

3-D Secure 2.0 – Making transactions Simpler and Safer

Preventing fraud plays a significant role in the digital payments space. We must have encountered many frauds, both online and offline, during our lifetime.

 

Unfortunately, the search for effective methods to eradicate fraud never ends. Fraudsters will always find new methods to commit crimes. There are many tools available to counter them, the latest one being 3-D Secure.

 

What is 3-D Secure?

 

Putting it simply, 3-D Secure is an additional layer of cardholder authorisation added to an online transaction. VISA and Mastercard offer this tool, and it is known as ‘Verified by Visa’ and ‘MasterCard SecureCode,’ respectively.

 

3-D Secure is a three-sided security system that provides security while performing transactions and transferring payment data amongst:

  1. Issuing Bank
  2. Acquiring Bank
  3. Payment Gateway (link that connects acquirer and issuer)

 

How does it work?

 

Several steps are involved when conducting an online transaction. A few additional steps for 3-D Secure can significantly reduce the risk of online fraud:

 

  1. A cardholder enters payment information on a webpage
  2. Payment provider sends request to check whether 3-D Secure technology is active
  3. If Yes, the customer is redirected to the 3-D Secure page
  4. The cardholder who receives the OTP must enter it in the appropriate field
  5. The result comes in the form of a response to the server of the payment provider
  6. The payment provider sends data to the acquiring bank
  7. The acquiring bank authorises the transaction and informs the customer whether the transaction was successful or not

 

3-D Secure 1.0 v/s 2.0

 

3-D Secure 2.0 is replacing 1.0 to provide a better user experience, which will eventually lead to successful transaction conversion. The need to enter static passwords is replaced by other methods such as biometrics in 3D Secure 2.0.

 

3-DS 2.0 examines over 120 data points. If the transaction is deemed low risk, no further action is required; if the transaction is deemed high risk, 3D Secure requires customers to verify their identity through biometrics or two-factor authentication.
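The seven-step flow above and the 1.0 versus 2.0 difference, as an added example (not code from any card scheme or the original post): a simplified model of the issuer's access control server that checks enrollment, lets a low-risk 2.0 transaction through without a challenge, and otherwise issues an OTP challenge with a capped number of attempts. The class names, the three-signal risk score standing in for the 100+ data points, and the scenarios are all assumptions; the challenge is modelled as an OTP for both versions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Transaction:
    txn_id: str
    pan_last4: str                  # stand-in for the card reference the ACS looks up
    amount_inr: int
    device_id: str
    shipping_matches_billing: bool


@dataclass
class Challenge:
    otp: str
    attempts_left: int = 3


class IssuerACS:
    """Hypothetical issuer-side access control server; a simplified model, not a real 3-DS stack."""

    def __init__(self, enrolled_cards: Set[str], trusted_devices: Dict[str, Set[str]]) -> None:
        self.enrolled = set(enrolled_cards)
        self.trusted_devices = trusted_devices
        self.pending: Dict[str, Challenge] = {}

    def risk_score(self, t: Transaction) -> int:
        """Toy stand-in for the 100+ data points a 3-DS 2.0 ACS evaluates."""
        score = 0
        if t.device_id not in self.trusted_devices.get(t.pan_last4, set()):
            score += 50  # card never seen on this device
        if not t.shipping_matches_billing:
            score += 30
        if t.amount_inr > 10000:
            score += 30
        return score

    def authenticate(self, t: Transaction, version: str) -> Dict[str, str]:
        """Steps 2-3: enrollment check, then frictionless approval (2.0 only) or an OTP challenge."""
        if t.pan_last4 not in self.enrolled:
            return {"status": "not_enrolled"}
        if version == "2.0" and self.risk_score(t) < 50:
            return {"status": "authenticated", "flow": "frictionless"}
        otp = f"{secrets.randbelow(10 ** 6):06d}"  # delivered to the cardholder out of band
        self.pending[t.txn_id] = Challenge(otp)
        return {"status": "challenge", "flow": "otp"}

    def verify_otp(self, txn_id: str, otp: str) -> Dict[str, str]:
        """Steps 4-5: check the entered OTP; cap attempts and invalidate the challenge on success."""
        c = self.pending.get(txn_id)
        if c is None:
            return {"status": "failed", "reason": "no pending challenge"}
        if secrets.compare_digest(c.otp, otp):
            del self.pending[txn_id]
            return {"status": "authenticated", "flow": "challenge"}
        c.attempts_left -= 1
        if c.attempts_left == 0:
            del self.pending[txn_id]
            return {"status": "failed", "reason": "too many attempts"}
        return {"status": "challenge", "reason": f"{c.attempts_left} attempts left"}


def payment_provider_flow(acs: IssuerACS, t: Transaction, version: str,
                          otp_entered: Optional[str] = None) -> str:
    """Steps 1-7 from the payment provider's side; returns the outcome it reports onward."""
    result = acs.authenticate(t, version)
    if result["status"] == "challenge":
        if otp_entered is None:
            return "challenge_pending"  # cardholder is redirected to the 3-D Secure page
        result = acs.verify_otp(t.txn_id, otp_entered)
    if result["status"] == "authenticated":
        return f"authorised ({result['flow']})"
    if result["status"] == "not_enrolled":
        return "proceed without 3-D Secure"
    return "declined"


def demo_outcomes() -> Dict[str, str]:
    """Constructed scenarios: one enrolled card ending 4242, trusted on device 'dev-home'."""
    acs = IssuerACS({"4242"}, {"4242": {"dev-home"}})
    low = Transaction("t-low", "4242", 1500, "dev-home", True)
    high = Transaction("t-high", "4242", 25000, "dev-unknown", False)
    out: Dict[str, str] = {}
    out["low_risk_2.0"] = payment_provider_flow(acs, low, "2.0")    # frictionless
    out["low_risk_1.0"] = payment_provider_flow(acs, low, "1.0")    # 1.0 always challenges
    out["high_risk_2.0"] = payment_provider_flow(acs, high, "2.0")  # challenge issued
    real_otp = acs.pending["t-high"].otp                             # what the cardholder reads from the SMS
    out["correct_otp"] = acs.verify_otp("t-high", real_otp)["status"]
    acs.authenticate(high, "2.0")                                    # fresh challenge for the retry test
    wrong = "000000" if acs.pending["t-high"].otp != "000000" else "111111"
    out["three_wrong_otps"] = [acs.verify_otp("t-high", wrong)["status"] for _ in range(3)][-1]
    out["not_enrolled"] = payment_provider_flow(acs, Transaction("t-x", "9999", 100, "dev-home", True), "2.0")
    return out
```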

 

Benefits of 3-DS 2.0

 

With the 3-DS 2.0 update, customers will have a more fluid experience when conducting transactions on both mobile and desktop/laptop devices. Benefits of the latest update are:

 

  1. Better user experience
  2. Increase in online transactions
  3. Higher conversion rates
  4. Multiple device support

 

Conclusion

 

Security is of the utmost importance, especially when customers conduct online transactions. Today, there is a significant shift toward online transactions, and customers must have mental comfort while making these transactions. 3-DS 2.0 makes the transactions safe, seamless and efficient, while also providing a better user experience.

Tokenization: Creating a stir in the Payments Industry

In today’s world, increasing online frauds and cyberattacks are causing security and trust issues among the general public in the adoption of digital payments, and these data security issues have become a major concern for online service providers. The service provider has been looking into ways to reduce this risk. One such solution is “Tokenization,” a new buzzword in the payments industry. Tokenization adds an extra layer of security to users’ sensitive data and prevents online and digital data breaches.

 

The concept of digital tokenization is inspired by the concept of physical tokenization, which has existed since the invention of currency. Token coins replace actual coins or banknotes in physical tokenization. These token coins have a real identity and value, but they only have meaning in a limited and controlled space. For example, casino tokens have no value outside of the casino’s premises.

 

The payments card industry is using digital tokenization to protect users’ sensitive data and provide better customer assurance in order to increase their trust. It is a low-cost and simple-to-implement solution for merchants.

 

What is Tokenization?

 

Tokenization is the process of protecting sensitive data by replacing it with an unreadable token. The tokens can then be passed through the internet or the various wireless networks required to process the payment without exposing actual bank details. The actual bank account number is kept secure in a token vault.

 

Tokenization is commonly used to combat credit card fraud. It relieves merchants of the burden of storing sensitive card data of users, reducing the work and effort required to be PCI DSS compliant.

 

How does it work?

 

A customer makes an online purchase through an e-commerce website or offline through a merchant POS and then chooses a credit card payment method. The customer enters sensitive data on the portal, such as card number, CVV and cardholder name or enters a PIN on the POS machine. The card data collected is stored on the tokenization server rather than the e-commerce website server. The tokenization server processes the card data, stores the original card data on the Secure token server and generates a token of the same length from a random alphanumeric string. The token is then forwarded to the merchant’s acquiring bank. The acquiring bank sends the token to the card network, which processes it and shares card details with the issuing bank for payment authentication. Payment is completed when the issuing bank responds to the card network. The Card Network is the only entity that can read the token.

 

Tokenization Vs Encryption 

 

Data encryption and tokenization are similar in the sense that they both replace original data with a random code, but they are vastly different in terms of ciphering mechanism. 

Sensitive data is mathematically changed into a new code in data encryption, but the original data can be deciphered with the appropriate key. However, because there is no relationship between the token generated and the original data, the token cannot be reversed in the case of tokenization. Even if hackers obtain the token details, they will be unable to retrieve original data from that information, rendering the token meaningless and useless to them.

Tokenization is widely used by the payments industry across the globe due to its data security offering. Furthermore, it provides the following benefits to all stakeholders involved in the transactions. 

  • Customers can develop trust in online transactions as the likelihood of theft or leakage of sensitive data decreases significantly.
  • The merchant, acquirer and processor do not need to be concerned about the user’s sensitive data being compromised even in the event of a cyberattack because they do not store any such information. 
  • Merchants can provide a trusted and secure payment environment for their customers without obtaining PCI DSS certification, saving them the cost of such certification.
  • Tokenization of payments creates a safe and secure environment for users, merchants, payment gateways, financial institutions and regulatory bodies.
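The token flow in "How does it work?" and the tokenization-versus-encryption contrast above, as an added example (not code from any network or the original post): a vault that issues a same-length random alphanumeric token with no mathematical relation to the PAN, a merchant that stores only tokens and discards the CVV, and a check that a dump of the merchant's storage contains no card numbers. The class names and the walk-through are constructed; the PAN used is a well-known test number.

```python
import secrets
import string
from typing import Dict, List, Optional

ALPHANUMERIC = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit carried by card numbers; rejects mistyped PANs before they are tokenized."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service on the network side: the only place the PAN is kept."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Same length as the PAN, drawn from a CSPRNG: no mathematical link to the PAN,
            # so there is no key whose theft would let a holder of the token reverse it.
            token = "".join(secrets.choice(ALPHANUMERIC) for _ in range(len(pan)))
            if token not in self._pan_by_token:   # collisions are vanishingly unlikely, but check
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault owner (the card network, per the text above) can map a token back."""
        return self._pan_by_token.get(token)


class Merchant:
    """Merchant side: keeps tokens only; PAN and CVV never reach its storage."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self._token_by_customer: Dict[str, str] = {}

    def save_card(self, customer: str, pan: str, cvv: str) -> str:
        token = self._vault.tokenize(pan)
        del cvv  # needed for this authorization only; deliberately not persisted
        self._token_by_customer[customer] = token
        return token

    def stored_values(self) -> List[str]:
        """Everything an attacker would obtain from a dump of the merchant database."""
        return list(self._token_by_customer.values())


def demo() -> Dict[str, object]:
    """Constructed walk-through with a well-known test PAN (not a real card)."""
    vault = TokenVault()
    shop = Merchant(vault)
    pan = "4111111111111111"
    t1 = shop.save_card("customer-a", pan, "123")
    t2 = shop.save_card("customer-a-other-device", pan, "123")
    return {
        "token_length_matches_pan": len(t1) == len(pan),
        "same_pan_gives_different_tokens": t1 != t2,
        "vault_resolves_token": vault.detokenize(t1) == pan,
        "unknown_token_resolves_to": vault.detokenize("NOT-A-TOKEN"),
        "dump_contains_card_numbers": any(luhn_valid(v) for v in shop.stored_values()),
    }
```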

Tokenization is currently only available with Networks in India. Issuers must still evolve to make this a reality. 

 

The RBI issued a directive in 2020 stating that merchant payment aggregators and payment gateways could no longer store card credentials. To increase cardholder safety, RBI guidelines require a full-time shift, which is why tokenization must be implemented. And now there will be a plan in place for every issuer, merchant and network to implement this.

PCI DSS: The standard for card security

Buoyed by the festival season euphoria, credit card transactions for the first time crossed INR 1 Lakh Crore in October 2021 and debit card transactions were upwards of INR 7.5 Lakh Crore during the same period. With such exponential growth in cashless payments, information security and privacy of cardholder data is of utmost importance. Ever wondered how it is managed? What are the guidelines regarding data security for card based transactions? How does an entity comply with these guidelines? That’s where PCI DSS requirements come into play. 

 

So what is PCI DSS? Who formed these standards? What requirements does it prescribe? And who is responsible for adherence to these requirements? We will respond to these questions below:

 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit card information maintain a secure environment for processing transactions. PCI DSS was developed to encourage and enhance cardholder data security, as well as to facilitate the global adoption of consistent data security measures. Payment Card Industry Security Standard Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover and JCB to standardise and improve account security throughout the transaction process, launched PCI DSS in September 2006; the latest version was debuted in May 2018.

PCI DSS applies to all payment card processing entities, including merchants, processors, acquirers, issuers and service providers. It also applies to any other entity that stores, processes or transmits cardholder data or sensitive authentication data.

 

12 Standards of PCI DSS

 

PCI DSS specifies 12 standards to which all entities must adhere. The following is an overview of these standards:

 

Objective: Build and Maintain a Secure Network and Systems
  1. Configure and maintain a firewall to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Objective: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and update anti-virus software or programs on a regular basis
  6. Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate system component access
  9. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
  10. Track and monitor all network resource and cardholder data access
  11. Test security systems and processes on a regular basis

Objective: Maintain an Information Security Policy
  12. Maintain an information security policy for all personnel

 

Let’s delve deeper into each standard to better understand the goal:

 

Install and maintain a firewall configuration to protect cardholder data

A firewall is a network security system that monitors and controls network traffic, both incoming and outgoing. Firewalls prevent foreign or unknown entities from accessing private data. These anti-hacking systems are frequently the first line of defence against hackers. Because of their effectiveness in preventing unauthorised access, firewalls are required for PCI DSS compliance.

 

PCI SSC provides a detailed step-by-step process for configuring and maintaining a firewall.

 

 

Do not use vendor-supplied defaults for system passwords and other security parameters

Routers, modems, POS systems and other third-party products frequently include generic passwords and security measures that are easily accessible to the general public. Businesses frequently fail to secure these vulnerabilities. Before installing a system on a network, businesses must change the vendor-supplied default passwords and remove or disable any unnecessary default accounts.

 

One way to ensure compliance in this area is to keep an inventory of all devices and software that require a password (or other access control). In addition to this device/password inventory, basic precautions and configuration changes (for example, changing the password) should be carried out on a regular basis.

 

Protect Stored Cardholder Data

The third PCI DSS compliance requirement is two-way data protection for cardholders. Cardholder data protection methods such as encryption, truncation, masking and hashing are critical components. If an intruder gets around other security measures and gains access to encrypted data, the data is unreadable and unusable to that person without the proper cryptographic keys.

 

The PCI SSC recommends that entities implement data retention and disposal policies to keep cardholder data storage to a minimum. It also requires entities not to store the card verification code or value (a three- or four-digit number printed on the front or back of a payment card that is used to verify card-not-present transactions) after authorization. That is why CVC/CVV is required to be entered by the customer every time an online transaction is made.

Furthermore, when PAN (Permanent Account Number or Card Number) is displayed, entities must mask it (the first six and last four digits are the maximum number of digits to be displayed), so that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
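The storage rules of this standard (no card verification code after authorization; PAN masked to at most the first six and last four digits when displayed; PAN rendered unreadable when stored), as an added example that is not the PCI SSC's own tooling: the three permitted renderings of a PAN, the record a merchant may keep after authorization, and a check that flags a record holding the CVV or a full PAN in the clear. Function names, the demo key and the sample records are constructed; the PAN is a well-known test number.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Sensitive authentication data (SAD) that must never be stored after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}
FULL_PAN = re.compile(r"\d{13,19}")


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits may be shown."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: first six and last four digits only."""
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash for matching a card across transactions. An unkeyed SHA-256 of a
    16-digit PAN is cheap to reverse by enumerating PANs, so the key must stay secret."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_after_authorization(pan: str, cvv: str, key: bytes) -> Dict[str, str]:
    """What a merchant may retain once the issuer has authorized the payment."""
    del cvv  # used for the authorization request only; deliberately not retained
    return {
        "pan_hash": hash_pan(pan, key),
        "pan_truncated": truncate_pan(pan),
        "pan_display": mask_pan(pan),
    }


def storage_violations(record: Dict[str, str]) -> List[str]:
    """Flag a stored record that breaks the storage rules: SAD present, or a full PAN in the clear."""
    problems = []
    for field, value in record.items():
        if field.lower() in FORBIDDEN_FIELDS and value:
            problems.append(f"{field}: sensitive authentication data kept after authorization")
        if FULL_PAN.fullmatch(re.sub(r"[ -]", "", str(value))):
            problems.append(f"{field}: full PAN stored in the clear")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed records: one compliant, one storing exactly what the standard forbids."""
    key = b"constructed-demo-key-use-a-managed-key-in-production"
    pan, cvv = "4111111111111111", "123"   # well-known test values, not a real card
    compliant = record_after_authorization(pan, cvv, key)
    noncompliant = {"pan": pan, "cvv": cvv, "pan_display": mask_pan(pan)}
    return {"compliant": storage_violations(compliant),
            "noncompliant": storage_violations(noncompliant)}
```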

 

To further prevent entities from storing cardholder data, the RBI has mandated tokenization for all card-based transactions. No entity in the card transaction / payment chain, other than card issuers and / or card networks, shall store the actual card data beginning January 1, 2022.

 

 

Encrypt Transmission of Cardholder data across open, public networks

Cardholder data is transmitted via multiple channels (e.g., to payment processors, or from local stores to the home office). Malicious individuals continue to target misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols in order to gain privileged access to cardholder data environments. When this data is transmitted over networks, it must be encrypted. PCI SSC defines the cryptographic algorithms, keys and certificates to be used for this encryption.

 

Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, also known as “malware,” including viruses, worms and Trojans, enters the network through a variety of business-approved activities such as employee e-mail and Internet use on mobile computers and storage devices, resulting in the exploitation of system vulnerabilities. To protect systems from current and evolving malicious software threats, antivirus software must be installed on all systems that are commonly infected by malware. Furthermore, all antivirus software must be updated on a regular basis, and an audit log must be kept.

 

 

Develop and maintain secure systems and applications

To protect against the exploitation and compromise of cardholder data by malicious individuals and software, all systems must have all necessary software patches. All software and applications must be updated on a regular basis with security patches to address system vulnerabilities.

 

 

Restrict access to cardholder data by business need to know 

To ensure that only authorised personnel have access to critical data, systems and processes must be in place to limit access based on need to know and job responsibilities. All employees, executives and third parties who do not require access to this information should not have it. The roles that require sensitive data should be well-documented and updated on a regular basis.

 

 

Identify and authenticate access to system components

Individuals with access to cardholder data should have their own credentials and identification. For example, there should not be a single login to the encrypted data with multiple employees having access to the username and password. By assigning a unique identification (ID) to each person with access, you ensure that each individual is held individually accountable for their actions. When such accountability is in place, critical data and system actions can be traced back to known and authorised users and processes. In the event that data is compromised, unique IDs reduce vulnerability and speed up response time.

 

 

Restrict physical access to cardholder data

Any cardholder information must be physically stored in a secure location. Data that is physically written or typed, as well as data that is stored digitally (e.g., on a hard drive), should be kept in a secure room, drawer or cabinet. Not only should access be restricted, but any time sensitive data is accessed, a log should be kept to ensure compliance.

 

Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting and mitigating the effects of a data breach. When something goes wrong, the presence of logs in all environments allows for thorough tracking, alerting and analysis. Without system activity logs, determining the cause of a compromise is extremely difficult, if not impossible.

 

 

Regularly test security systems and processes

All ten of the preceding compliance standards involve a variety of software products, physical locations, and, most likely, a few employees. Many things can break down, become out of date or suffer from human error. These threats can be mitigated by complying with the PCI DSS requirement for regular system and process scans and vulnerability testing.

 

To ensure that security controls continue to reflect a changing environment, system components, processes and custom software should be tested on a regular basis.

 

Maintain a policy that addresses information security for all personnel

For compliance, an inventory of equipment, software and employees with access must be documented. Access to cardholder data logs will also necessitate documentation. The flow of information into a company, where it is stored and how it is used after the point of sale must all be documented. 

A strong security policy establishes the security tone for the entire organisation and informs employees of what is expected of them.

 

Levels of PCI DSS

In addition to adhering to these standards, organisations must assess and submit a Report on Compliance (RoC) based on the number of transactions handled each year:

  • Level 1: Merchants who process more than 60 Lakh card transactions per year
  • Level 2: Merchants who process 10 Lakh to 60 Lakh transactions per year
  • Level 3: Merchants who process between 20,000 and 10 Lakh transactions per year
  • Level 4: Merchants with fewer than 20,000 transactions per year

The assessment for Level 1 merchants should include an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They will conduct an on-site evaluation of the organisation in order to:

  • Validate the scope of the assessment
  • Review your documentation and technical information
  • Determine whether the PCI DSS requirements are being met
  • Provide support and guidance during the compliance process
  • Evaluate compensating controls

 

To demonstrate compliance, the auditor will then submit a RoC to the organization’s acquiring banks. 

To confirm compliance with PCI DSS requirements, Level 2 merchants need only submit a self-assessment questionnaire (SAQ) and a self-declared RoC rather than undergo an external audit.

Level 3 and 4 merchants are only required to fill out a self-assessment questionnaire (SAQ).

 

Benefits of PCI DSS Compliance

 

At the very least, complying with PCI Security Standards appears to be a daunting task. The tangle of standards and issues appears to be too much for even large organisations, let alone smaller businesses. However, compliance is becoming more important and may not be as difficult as one might think, especially with the right tools. The following are some of the advantages of being PCI DSS compliant:

  • Your systems are secure, and your customers can put their sensitive payment card information in your hands; trust breeds customer confidence and repeat businesses.
  • It prevents data breaches. Each PCI-compliant business represents a less valuable target for cybercriminals. They will not only have a much more difficult time hacking your network, but they will also not find the data they are looking for!
  • Comply with global data security standards. The PCI DSS regulations were initiated by five of the world’s leading credit organisations in order to provide consumers with a mandatory level of protection by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. Obtaining PCI compliance allows you to join the ranks of other international businesses dedicated to data security and consumer protection.

Non-compliance with these standards will result in fines imposed by the networks on acquiring banks, which will then be passed on to the organisation in question. Repeated violations may result in the merchant’s ability to accept payments using their cards being revoked entirely.

Embedded Credit – A great lever for B2B e-commerce platforms

Merchants & retailers rely on credit to run and grow their businesses and expand their customer base. Easy access to credit, facilitated by embedded finance, enables merchants to purchase more stock, widen their product portfolio, respond to fluctuating demand, buy high-value SKUs (which could be slow-moving), and increase the space and assets in their store. Embedded Finance has been shown to double the Average Order Value and Customer Lifetime Value for B2B E-Commerce platforms, depending on the sector (white goods, groceries, pharma, apparel, etc.).

Embedded Credit is when non-financial companies offer their customers access to credit through their own technology platform. Popular examples in India are Khatabook and Arzooo, which facilitate working capital loans to their partner merchants and retailers. Embedded finance also enables banks, insurers, and wealth management companies to form valuable partnerships to distribute their products and services. According to a 2020 Forrester report, embedded finance is touted to be a USD 7 trillion opportunity globally by 2030.

Very few merchants are approved for loans through formal channels and most have to acquire credit from informal sources. Such credit is either too small to have an impact or offered on terms that don’t facilitate their growth in the long term. B2B E-Commerce platforms that have the ability to offer credit can relieve these bottlenecks for merchants and unlock growth for both their merchants and themselves.

So how do B2B e-commerce platforms facilitate embedded credit?

Digital platforms catering to merchants and distributors can offer tailored credit products in-context, at the point of demand creation on their platform. Examples of fintechs operating in this space and facilitating embedded credit options include retail-tech Arzooo and accounting-tech Khatabook. Please find an illustrative flow chart for better understanding.

Advantages for all the parties involved

Lender Partner
  • Gets access to increase the portfolio of disbursals via the B2B e-comm partner
  • Streamlined pipeline of leads who have a funding requirement
  • Opens up new revenue streams
  • B2B e-comm partner provides risk sharing

B2B E-commerce Marketplace
  • Facilitates lines of credit through the mobile app
  • Helps increase wallet share from the retailer
  • Increases retailer retention
  • Becomes a preferred supplier to retailers

Retailer Partner
  • Access to working capital loans through the mobile app
  • Helps merchants better manage cash flows for SKU purchases & other business-related expenses with flexible repayment plans

The key in this scenario is to provide tailored credit products as part of the digital platform.

Line of Credit
  • Fulfil demand hikes due to seasonality & festivals

Merchant Cash Advance
  • Merchants can meet their short-term liquidity requirements from lender partners, wherein the lender partner settles the outstanding invoice amount with the supplier

Working Capital Loans
  • Avail working capital loans from lender partners of the B2B platform to meet contingencies, better manage cash flows & expand their business

Why Embedded Finance?

Embedded Finance Infrastructure natively enables credit for all merchants within a B2B E-Commerce platform. It handles the end-to-end lending flow, including the customer journey, loan offer generation, lender partnerships, third-party integrations, repayment, etc.

Digital lending platform
  • Intuitive UI/UX for each stage of the loan lifecycle – loan application, post-approval & post-disbursal. The loan application process is completely mobile-app native.

Increased approval rates
  • Embedded Finance combines lending expertise, alternative data and data from the B2B e-comm platform to credit score & underwrite merchants & approve more disbursals.

Best loan offers
  • Embedded Finance connects digital platforms to a large and diverse lender network, which ensures that your merchants get the best loan offers and have a high probability of being approved.

Customised credit products
  • Embedded Finance enables platforms to innovate, evolve & tailor credit products to serve the various use-cases of customers, in deep collaboration with the anchor platform.

In conclusion

Ultimately, Embedded Finance enables digital platforms to leverage their unique position to help their merchants. It empowers B2B E-Commerce businesses to innovate for their customers, offer effective credit products, and provide credit to customers who otherwise wouldn’t be able to access it. This sharply accelerates their own growth and the growth of their retail partners.

Will the internet-free digital payments UPI Lite take off in India?

What is UPI Lite?

The National Payments Corporation of India (NPCI) is working on a new solution called UPI Lite that will allow small digital payments to be made without the need for an active internet connection. The RBI announced on January 5 that digital payments of up to INR 200 could be made without an internet connection.

How does it work?

UPI Lite will allow feature phone users to use their phones to connect to UPI networks and make digital payments directly from their bank accounts. There are currently two key solutions being evaluated. The first is a SIM Overlay, while the second is a software-provisioned solution that will use Over-the-Air (OTA) updates.

SIM Overlay is a technique that extends the capabilities of a phone’s SIM card, allowing payments and other services to be completed even when there is no data connection. OTA, on the other hand, will deliver the solution straight to the device’s firmware.

Users will be required to create a 4-digit or a 6-digit PIN, depending on the protocols implemented by their banks. Payments made via the SIM overlay technique will be routed through the NPCI’s UPI system to servers operated by the NPCI, and transactions will then take place over the standard UPI network. Instead of using the internet, the entire procedure will run over SMS networks.

How does it affect the Indian ecosystem?

Since the demonetisation of banknotes in 2016, India has experienced a surge in digital payments. According to a survey, tier-II and tier-III cities in India accounted for more than half of all online transactions in the quarter ending March 2021. In villages and towns, though, cash still reigns supreme.

According to an industry expert, a small-value offline mode for digital payments will provide an alternative, secure, low-cost mode of payment with near-cash-like characteristics, improving consumer confidence in it as a preferred option for small retail payments. It has the potential to promote various creative retail payment use cases, such as tickets, product bundling and non-standardised pricing.

Given that feature phones still account for half of the market, this will improve payments in areas where internet penetration is low.

This is not the first time the NPCI has attempted to promote offline payments in rural areas. In 2012, it launched UPI-led offline payments over Unstructured Supplementary Service Data (USSD) networks. However, due to SMS charges, it never took off in a big way.

According to NPCI data, the USSD system was used for transactions worth 1.21 lakh in 2021. Around 83 banks were using the USSD system as of December 2021.

If NPCI’s current experiments go as planned, about 350 million feature phone users in India will be able to make digital payments without the need for an internet connection.

Union Budget 2022 laid the foundation and gave a blueprint of the economy for the next 25 years – from India at 75 to India at 100, with the focus on fast-tracking the economy, providing opportunities to businesses, and creating six million new jobs.

Among the range of significant announcements, the reforms on digital currency finally caught everyone’s attention.

With the tremendous increase in transactions of virtual digital assets worldwide, the Indian Government in Budget 2022 has proposed the launch of a digital rupee by the central bank in FY 2022-23. It also plans to tax income from digital asset transfers at 30%.

The introduction of these reforms is clearly a big boost to the digital economy. The government providing the basic infrastructure and rails for a CBDC will lead to a more efficient and cheaper currency management system. All this will eventually lead to the elimination of cash to a great extent and promote such digital assets in future.

Further, to increase its adoption in future, the regulatory authorities should incentivise players and stakeholders in the payments ecosystem to build the required infrastructure.

CBDC: Analyzing the nascent experience in China, Nigeria, and Sweden

The Reserve Bank of India (RBI) will debut the Digital Rupee in the Financial Year 2022-23, according to the Hon’ble Finance Minister of India’s Union Budget Speech on February 1, 2022. Meanwhile, China’s e-Yuan, currently in pilot mode, had its global premiere at the Beijing Winter Olympics 2022 when most foreign athletes got to experience a Central Bank Digital Currency (CBDC) for the first time. However, the Bahamas and Nigeria were among the first to establish CBDCs. Given that recent economic sanctions against Russia have granted governments additional reasons to implement alternative payment systems, such as CBDCs, it’s more vital than ever to understand and evaluate the experience of a few countries that are already ahead of the curve.

Source: https://www.atlanticcouncil.org/cbdctracker/

But, before we go any further, you need to familiarize yourself with what a CBDC is, as well as its pros and cons – read up on our previous blog post. Additionally, a few key terms can help in laying the groundwork:

  • Possible Use Cases: A CBDC can be issued for either Retail purposes, implying that it can be used for all transactions by the public, or Wholesale, suggesting that it can only be used for bank-to-bank transactions and settlement. A Wholesale CBDC is expected to improve efficiency in large-value interbank settlements while also being programmable. A Retail CBDC is projected to promote a far broader cause of financial inclusion, bolster digital economies, and improve the efficiency of retail payment systems.
  • Architecture: A CBDC can have one of three legal structures, depending on who facilitates payments and whose direct liability the CBDC is:

    Payment Facilitators       | Direct liability of Central Bank | Direct liability of Financial Intermediaries
    Central Bank               | Direct CBDC                      | NA
    Financial Intermediaries   | Hybrid CBDC                      | Synthetic CBDC

A Direct CBDC may cause financial disintermediation because commercial banks and non-banks will have no participation in its operation, but a Synthetic CBDC may limit monetary policy permeability and increase the risk of financial instability. A hybrid CBDC, on the contrary, is based on a time-tested paradigm in which both the central bank and financial intermediaries play active roles in the delivery of financial services while also promoting innovation.

  • Infrastructure: Depending on how the security and verification aspects of transactions are defined, a CBDC can be built on a centrally controlled database or distributed ledger technology, which saw a breakthrough with crypto assets.
  • Access: A CBDC can be accessed and used to make payments using either an account-based system, similar to our bank accounts, or digital tokens, which are more like physical cash. A fundamental distinction between the two is that, unlike an account-based CBDC, a digital token can retain the anonymity of cash.

Any central bank would strive to support the advantages of both physical cash (anonymity, settlement upon payment) and electronic payment systems (low cost, efficient and difficult to counterfeit), regardless of which mix of the above is chosen to construct a CBDC.

Let’s look at what it’s been like on the ground. We chose three countries to highlight out of the many that are experimenting with CBDC: China because it was the first to publicly announce its CBDC ambitions and has covered a lot of ground; Nigeria, because it is the largest country by population to have formally launched its CBDC; and Sweden, because of its unique objectives and differentiated design.

China’s e-CNY (under pilot):

Use Case    Architecture    Infrastructure            Access
Retail      Hybrid CBDC     Centralized Management    Account-based

China started working on the CBDC in 2014 and has been testing e-CNY pilots in cities across the country since December 2019. Given the early start and China’s stated desire to promote Yuan internationalization, it was widely assumed that e-CNY would hasten the process. However, all such speculations were dispelled by the People’s Bank of China’s (PBOC) research paper, which was published in July 2021. It said categorically that e-CNY is intended to “bolster the domestic economy, promote financial inclusion and make monetary and payment systems more efficient”. Meanwhile, e-CNY had been successfully tested across several use cases aligned with its objectives. By the end of June 2021, e-CNY transaction volume had already clocked 70.75 million, with a total value of RMB 34.5 billion (~$5.4 billion)!

Some distinguishing features of the e-CNY system are:

  • Allows those without bank accounts to enjoy basic financial services
  • Supports offline payments
  • Supports ‘managed anonymity’ despite embracing an ‘account-based’ access model – small-value payments are expected to be anonymous

According to PBOC, e-CNY will now be tested across a broader range of use cases, involving all relevant stakeholders in the ecosystem. Prior to the commercial debut, it will expand its research on the influence of e-CNY on monetary policy and financial stability. Furthermore, China is taking an active part in the worldwide CBDC standard-setting, having joined the Multiple CBDC Bridge (mCBDC) headed by the BIS Innovation Hub, where it is jointly exploring various CBDC possibilities with other central banks.

Nigeria’s eNaira (launched):

Use Case    Architecture    Infrastructure                   Access
Retail      Hybrid CBDC     Distributed Ledger Technology    Account-based

Nigeria’s CBDC, eNaira, was launched with much fanfare in October 2021. While the project is still in its infancy, news reports suggest that the initial enthusiasm has waned. Nonetheless, its motivations for introducing eNaira are similar to those of other emerging nations that are likely to be keeping a close eye on the currency’s success. The following are some of the motivations:

  • Promoting financial inclusion – While a bank account is required to use eNaira in the first phase, the second phase is planned to eliminate the requirement
  • Reducing the amount of cash in circulation and, consequently, the cost of processing cash – the eNaira will contain all the characteristics of cash, such as direct claims on the central bank, no interest payable, and so on
  • Enabling direct welfare payouts to citizens – eNaira’s account-based capabilities enable welfare funds to be delivered directly to recipients without the risk of theft
  • Increasing tax collection – As the economy becomes more organised while physical cash is phased out, tax revenues are likely to rise
  • Facilitating diaspora remittances – eNaira is supposed to be a more efficient, secure, and cost-effective way to send money back home

In the first phase, eNaira was launched with a few basic functionalities. Based on feedback from eNaira users and regular calibration of the perceived threats typical of CBDCs, the Central Bank of Nigeria is expected to gradually introduce many more functions to meet its core objectives.

Sweden’s eKrona (under pilot):

Use Case    Architecture    Infrastructure                   Access
Retail      Hybrid CBDC     Distributed Ledger Technology    Digital Token

While financial inclusion is a driving force behind e-CNY and eNaira, eKrona is being created to solve a different problem: the decline in cash usage! Yes, the Riksbank, Sweden’s central bank, recognizes that the decline in cash may limit its direct role in the payments ecosystem, making its goal of fostering a secure and efficient payment system more difficult. As a result, the Riksbank started testing eKrona in a closed system with simulated participants (intermediaries like commercial banks), end-users, and payment instruments in 2020. The first part of the pilot’s findings was positive, indicating that digital tokens appear to enhance cash use and hence improve Riksbank’s direct role in controlling the money supply. The Riksbank, nevertheless, recognizes that the pilot must now go on to the next stage, in which it intends to:

  • Integrate with systems of actual participants
  • Create an offline function so that digital tokens can be exchanged without the need for a network
  • Test out various options by storing tokens and their keys in different ways that can be used for a variety of purposes
  • Evaluate and improve the eKrona network’s performance and scalability

A commonly cited benefit of a CBDC is that its newly established ecosystem will act as an alternative to the existing electronic payment infrastructure. The ramifications of a CBDC for monetary policy, financial stability, and financial disintermediation, on the other hand, are still uncertain. Even the legal status of a CBDC, which is neither wholly cash nor equivalent to a deposit in a bank account, as well as data governance mechanisms, must be thoroughly examined before its use grows.

We’ll keep a close eye (with a magnifying glass!) on the various central banks’ evolving experiences. For the time being, we eagerly anticipate the RBI’s next steps on the Digital Rupee, which will detail its objectives, design elements, and commercial launch timeline.

References:

  • CBDCs: an opportunity for the monetary system – https://www.bis.org/publ/arpdf/ar2021e3.htm
  • Progress of Research & Development of E-CNY in China – http://www.pbc.gov.cn/en/3688110/3688172/4157443/4293696/2021071614584691871.pdf
  • eNaira Design Paper – https://www.enaira.gov.ng/about/design
  • E-krona pilot phase 1 – https://www.riksbank.se/en-gb/payments–cash/e-krona/e-krona-reports/e-krona-pilot-phase-1-report-3/