Aug 26, 2019

RBI Directive – Relaxation Of The AFA Requirement For Recurring Transactions

Over the past decade, the Reserve Bank of India (“RBI”) has put in place various safety and security measures for card payments, including introduction of the additional factor of authentication (“AFA”) (also popularly known as the 2FA) for card-not-present transactions.

Recently, the RBI has issued a directive (“Directive”) to relax the AFA requirement for recurring transactions up to INR 2000 made using debit cards, credit cards and pre-paid payment instruments (PPIs) including e-wallets (collectively “Cards”). This Directive will come into effect from September 01, 2019.

Some of the most common use-cases of recurring transactions include periodic payments made by customers to avail subscription based digital content related services, utility payments etc.

What is the AFA requirement?

Typically, when a cardholder makes an online transaction (i.e. where the card of the customer is not presented physically), such cardholder is required to first enter the card details (including CVV) on the merchant’s platform, and then use the one-time password (OTP) received on his/ her registered mobile number or pre-set personal identification number (PIN) to authenticate the payment transaction. This use of the OTP/ PIN by the cardholder for validation of the transaction is known as AFA.

Over the years, the RBI has made it clear that this AFA mandate is also applicable to recurring transactions based on standing instructions given to merchants by cardholders.

What is the AFA relaxation for recurring transactions that has been introduced by the Directive?

Keeping in mind the changing payment needs and the requirement to balance the safety and security of Card transactions with customer convenience, the RBI has introduced the Directive to permit Card issuers (like banks) to:

• process e-mandate on Cards for recurring transactions (merchant payments) by requiring the cardholders to undertake AFA validation for the first transaction (while registering for the e-mandate facility) or for modification or revocation of such e-mandate; and

• thereafter perform subsequent successive transactions in the series without any AFA.

In other words, once a cardholder successfully completes AFA validation at the time of enabling the e-mandate facility (for recurring transactions), such cardholder is not required to undertake AFA validation for subsequent transactions – his / her Card will be charged for the successive transactions automatically.

What are the key conditions prescribed by the RBI for processing of e-mandate on Cards for recurring transactions?

The key conditions include:

• The e-mandate facility can only be used for recurring transactions and not for one-time (once only) payments.

• The maximum permissible limit for a transaction under this e-mandate is INR 2000.

• As a risk mitigation measure, the Card issuers need to send pre and post-transaction notifications to the cardholders with the details of the recurring transaction.

• The cardholder can choose to opt-out of or withdraw from the e-mandate facility for recurring transactions by undertaking the AFA validation.

Concluding Remarks

The AFA relaxation for recurring transactions is a welcome step by the RBI, which is likely to boost businesses that heavily rely on recurring payments (such as bill payments, online video / content streaming and subscription-based models). This will also pave the way for customers to have a seamless experience while making automated payments for repeat transactions to the merchants.


Rohan Bagai, Partner
Poojan Sahny, Senior Associate





These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.