Paging RBI EMandate – Is There Anybody Out There?

by

I bought a paid plan of a SAAS software, with the fixed monthly subscription fees payable with credit card.

This is a canonical example of a recurring payment subject to RBI Emandate that came into effect on 1 October 2021.

According to Reg Emandate:

Every credit card and debit card based mandate for recurring payment and auto debit (“Standing Instruction”) will need to be re-initiated by the merchant in accordance with the new rules (henceforth “RegEM”), and processed by the issuer bank differently from before.

RegEM stipulated the following workflow of a card-based recurring payment.

EXHIBIT 1

The red box describes the rules for onetime registration of mandates, and the blue box, the rules for processing of ongoing transactions under the mandates.

Now these are the rules.

Let’s see what happens in practice.

Onetime Registration

During the aforementioned purchase, I went through the following steps on the merchant’s website:

  • I opted to pay with credit card.
  • The website asked for standard details like credit card number, expiration date, cardholder name and CVV. The screen looked no different from checkout screens for onetime purchases on ecommerce websites like Amazon. It did not mention the validity period, maximum amount and other details specified in the Onetime Registration column of EXHIBIT 1 above.
  • I hit the SUBMIT button
  • The payment went through successfully.

I got an email from the merchant (and also from my credit card issuer bank IIRC) saying that the recurring payment mandate was successfully set up. However, I could not spot this recurring payment on the SI Hub of my credit card issuer bank. (For the uninitiated, according to Reg EM, every credit card issuer bank is required to display the list of standing instructions issued for recurring payments with its credit card and enable the credit cardholder to view / modify / approve / pause / cancel the SIs right there i.e. without going to the merchant.)

EXHIBIT 2

In short, this recurring payment mandate got registered although neither the merchant nor the bank had ostensibly complied with the rules stipulated under Reg EMandate.

Ongoing Transactions

Every month I get the following email from the merchant saying it tried to charge my credit card.

EXHIBIT 3

There’s a Pay Now button at the bottom of this email.

EXHIBIT 4

When I click this button, I’m taken to the following page on the merchant’s website, where I see my various credit cards on file.

EXHIBIT 5

When I click the first credit card, the payment goes through successfully – without any CVV or OTP.

EXHIBIT 6

Since the amount is below ₹5000, this transaction may not require 2FA. This might explain the lack of CVV and OTP steps but I found it strange that I didn’t receive the SMS from my bank informing me of the upcoming charge on my credit card. AFAIK the SMS is mandatory for any and all charges.

In short, this recurring payment mandate has executed successfully every month although neither the merchant nor the bank had visibly complied with the rules stipulated under Reg EMandate.

Going by this experience, I’m wondering if RBI has withdrawn Reg Emandate and / or stopped enforcing the regulation. If it has, I’ve mixed feelings.

There are two more regulations / enforcement actions in ambivalent state.

Stripe & Merchant Aggregator 

Merchants need a Merchant Account to accept credit card payments. Merchant Account is essentially a line of credit extended by an Acquirer Bank to the Merchant. Since credit card transactions pose “Acquirer Risk”, acquirer banks reject merchant account applications of nano, micro and mini merchants. As a result, small merchants cannot accept credit card and lose out on high value sales to high income customers who typically pay with credit card.

To solve this problem, the retail payments industry came up with the innovative concept of Merchant Aggregation whereby a well-capitalized fintech like PayPal or Square inserts itself between the acquirer bank and merchant, obtains a Master Merchant Account from the acquirer, and issues sub-merchant accounts to high-risk merchants. By taking over the acquirer risk from small merchants, the so-called Merchant Aggregator enables small merchants to accept credit card payments (see footnotes 1 and 2).

The merchant aggregation business has been around in USA for decades (at least since the launch of PayPal in circa 1998). India’s banking regulator RBI announced Reg Payments Aggregator a couple of years ago. Until then, small merchants like landlords could not accept credit cards, and tenants paid rent with cash, cheque, NEFT or UPI. After Reg PA came into force, fintechs like Stripe entered India and signed up small merchants like landlords. Tenants switched to paying rent with credit card, no doubt enticed by mouthwatering rewards they earned on what’s arguably the biggest single payment made by them during a month. Then, out of the blue, RBI cracked down on fintechs saying how can they enable merchants without merchant accounts to collect payments via credit card, thereby questioning the very raison d’être of Merchant Aggregation.

Jane Street & Market Manipulation

In its response to the allegations of market manipulation by the securities market regulator SEBI, the American proprietary trading firm Jane Street questioned the regulator’s understanding of its business. According to Economic Times article entitled Sebi order reflects misunderstanding of standard hedging practices: Jane Street:

US-based Jane Street said the Indian capital market regulator’s order accusing the trading firm of manipulative trading in equity derivatives reflects a ‘misunderstanding of standard hedging practices and the interrelationships between derivative and underlying markets’.

That SEBI has still not yet issued its final / adjudicated order suggests that Jane Street’s argument may have legs. Interestingly, Ananth Narayan, the Wholetime SEBI Director who brought the intermediate / preliminary charge against Jane Street, was shunted out from SEBI in October 2025.


I couldn’t locate any publicly confirmed update indicating whether the Securities Appellate Tribunal (SAT) hearing for Jane Street Group vs SEBI scheduled on 18 November 2025 was conducted, cancelled or postponed.

The subtext of these cases is that financial regulators don’t fully understand the businesses they’re tasked with regulating and / or are showing the tendency to “shoot first, ask questions later”.

It’s not only financial regulators. Nikhil Pahwa, Founder of MediaNama, suggests the same of the telecom regulator in his oped entitled So, Telecom Binds Digital in Economic Times dated 3 December 2025:

The regulation (Reg SIM Binding) illustrates that the ministry simply doesn’t grasp how millions actually use these services. It not only doesn’t have a legal basis for regulating online services, it also doesn’t deserve to.

That said, and in the spirit of “credit where credit is due”, I did find some brilliant flashes of insight about capital markets in a recent interview with the new chairman of SEBI, the regulator for this industry.


FOOTNOTE(S):

  1. Merchant Aggregation is a good example of both Business Model Innovation and Distribution Innovation described in my blog post Innovation Is Not Invention.
  2. Financial services industry is full of innovations involving risk transfers via intermediaries. Another example of financial engineering is the SPV route used in infrastructure project finance. Meta used it recently to raise funds for its AI data center buildout. The nature of the asset makes it unsuitable for venture capital and tailor made for debt. However the scale of debt will erode the credit rating of Meta if it’s on its balance sheet. Enter Special Purpose Vehicle. SPV provides a dual perspective: It is debt and provides guaranteed returns that lenders seek but it also appears like equity, so it won’t ding the issuer’s credit rating. Doomers might point to Enron which used such an off-balance sheet vehicle to conceal its shenanigans and losses but, for every Enron, there are dozens of companies who have taken the SPV route to raise funds, built ports, bridges, roads and other infrastructure projects, and repaid the loans in full with interest.

UPDATE DATED 23 JANUARY 2026:

When I got the payment failed email from Pictory this month, I clicked the Pay Now button as usual and landed on the customary screen showing my two credit cards on file. When I clicked the first one, it went into a tizzy for a minute or so after which I got a error message saying “Payment did not succeed. Try with another method of payment”. I tried the second credit card, the same thing repeated. I was wondering if someone in RBI read this blog post and clamped down on Pictory’s Emandate infringement. But it was not to be. When I tried the first credit card after a few hours, I got the customary “Your payment was successful!” message! I am chalking it down to the non-deterministic aka stochastic behavior of credit card fraud detection and prevention systems. The first time around, something happened that must have indicated high risk and the payment failed whereas the second time around, something else happened that must have indicated normal risk and the payment succeeded.

On a side note, this payment provides a convenient way to track USD:INR exchange rate from month to month, since it has a convenient value of $1. As soon as the payment goes through, I get an SMS alert from the issuer bank displaying the equivalent transaction value in INR. For the past three months, they were 89.59 (Nov 2025), 89.78 (Dec 2025), 91.69 (Jan 2026).