The Reserve Bank of India on 6 December 2016 issued a notification stating that the requirement of an “additional factor of authentication” (AFA) for card not present (CNP) transactions up to ₹2,000 (US$30) could be relaxed by banks and authorized card networks, at the option of the customer. Customers opting for this facility would need to go through a one-time registration process with the issuing bank. Further, lower transaction limits may be set by the customer in opting out of the AFA requirement.
Earlier, the RBI had directed banks to put in place an AFA based on information that is not visible on the credit/debit cards used in CNP transactions. This “second factor” authentication is based on information that is known or available to the card holder but is not printed on the card.
In adhering to the new notification and facilitating and giving customers an opportunity to opt out of the AFA requirement, banks and authorized card networks would need to:
- Conduct “velocity” checks to ascertain the value and frequency of transactions in which the AFA requirement is not applied;
- Educate and make customers aware that they can retain or opt out of the AFA requirement and that they are free to use other forms of AFA requirements (although the RBI has not specified other forms of AFA requirements that may be adopted);
- Educate and make customers aware of the mechanism and risk involved in opting out of the AFA requirement; and
- Indicate the maximum liability of the customer in the event of their opting out of the AFA requirement.
In addition to the above, the notification provides that banks and authorized card networks should bear the full liability in the event of a security breach or compromise in the authorized card network.
The business law digest is compiled by Nishith Desai Associates (NDA). NDA is a research-based international law firm with offices in Mumbai, New Delhi, Bengaluru, Singapore, Silicon Valley and Munich. It specializes in strategic legal, regulatory and tax advice coupled with industry expertise in an integrated manner.