Payment Regulations, the case of Uber in India & the impact on other startups.

Reserve Bank of India issued a notification, specific to the case of Uber’s operation in India, enforcing the use of 2-factor-authentication for card not present transactions.

Because we provide SaaS Subscription Billing service to customers worldwide, several tech startups incorporated outside India have been asking, if they will have any issues in serving their Indian consumers.

Short answer is NO for most companies. Read on for more details.

Here is why they will not be affected based on my understanding of regulations.

To give some context:

• Since 2009, there has been a series of regulations / clarifications that basically stops Indian Resident entities from doing repeat transactions without user’s approval for each transaction.
• Indian businesses selling to customers outside India, continue to use PayPal, 2Checkout & such options.
• Or Indian businesses setup an entity outside of India — in US / Singapore 1. to workaround recurring payments 2. for easier funding 3. to offer Terms of Service in a country where arbitration is easier for trust etc.,

Uber used the loophole that allowed foreign entities to transact on behalf of Indian businesses without 2FA. Uber is not the first & I have experienced this first hand in different sectors including hotel bookings in India. They were all flying under the radar but Uber’s grand entry and a case filed by one of their Indian competitors brought this to RBI’s attention.

Uber is setup as a Netherlands based entity. Here is Uber’s Terms. Let us say, XYZ taxi service in India operates and serves Indian customers. Uber collects payments on their behalf in INR and pays the XYZ taxi service in India.

Technically it is a service by an Indian entity to another Indian consumer, facilitated by Uber B.V. Here is a sample invoice snippet (thanks Peter):

This specific statement in the notification provides clarity that 2-factor-authentication is not waived off.

“It was clarified that the mandate shall apply to all transactions using cards issued in India for payments on merchant sites where no outflow of foreign exchange is contemplated. It was further stated that the linkage to an overseas website/payment gateway cannot be the basis for permitting relaxations from implementing the mandate.”

In the case of companies that sell to Indian consumers, using their foreign entities (i.e., customer enters into ToS with the foreign entity), there is outflow of funds and it is a transaction between a non-resident entity & an Indian consumer. It is same as purchase of goods / service by an Indian consumer from Amazon Web Services or Google, even if there is a subsidiary in India.

There is clear intent to collect payments by a service outside India and the relationship between Indian entity & US entity is more of a service provider / parent relationship in most cases. And the two Indian residents — consumer and Indian subsidiary are not directly involved with each other in payment transaction, in any direct way.

Ideally, RBI should have created a level playing field by de-regulating the space and let Indian businesses compete with Uber. We badly need this deregulated for the sake of SaaS startups as well, for which we have been making a representation via NASSCOM & other industry bodies.

The focus should be to prevent fraud, but let innovation thrive by deregulating the space. Hope this helps in understanding if your setup comes under the recent regulation or not.