Payment Aggregators & Payment Gateways under RBI’s Regulatory Supervision
Sai Krishna Muthyanolla
March 26, 2020
With the increasing number of digital transactions, reliance on payment aggregators and payment gateways is greater than ever. The RBI has recently issued guidelines for regulating both Payment Gateways and Payment Aggregators.
On 17 March 2020, the Reserve Bank of India (RBI) issued Guidelines on Regulation of Payment Aggregators (PA) and Payment Gateways (PG). In this article, we take a quick look at the RBI guidelines and understand the ensuing changes for users.
From now on, payment gateways and aggregators such as Paytm, PayPal, Mobikwik, Razorpay, PayU, CCAvenue etc. will be regulated by RBI to ensure the safety of our online transactions. The guidelines have been issued under Section 18 of the Payment and Settlement Systems Act, 2007 and come into effect from April 1, 2020.
In common parlance, PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations.
In its earlier notification and discussion paper, RBI had taken into account the important functions of these intermediaries in the online payments space. The Discussion Paper, released on 17 September 2019, also explored the avenues of regulating these intermediaries by proposing different approaches. In view of their role in handling funds, it has been decided to regulate the activities of PAs in their entirety as per the guidelines, and to provide baseline technology-related recommendations to PGs.
What do the guidelines prescribe?
Guidelines at a glance: (i) For PAs, the guidelines mandate PAs to obtain authorisation from the RBI and prescribe detailed technology and operational guidelines such as merchant onboarding, data sovereignty, customer data access, audit obligations, etc. (ii) For PGs, baseline technology-related security recommendations have been made for optional adoption.
Applicability: PAs and PGs.
Exemptions: Bank PAs, cash-on-delivery e-commerce model.
Authorisation: Entities which want to undertake Payment Aggregation and Payment Gateway activity should be a company incorporated in India under the Companies Act, 1956/2013. Existing non-bank PAs have to obtain authorisation from the Department of Payment and Settlement Systems, RBI by 30 June 2021. PGs do not require authorisation but are recommended to comply with the guidelines issued by the RBI on 'Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks' and with the baseline technology requirements. Furthermore, e-commerce marketplaces providing PA services would be separated as an entity and would be identified as technology service providers or 'outsourcing partners' for banks or non-banks.
Compliance: The Know Your Customer (KYC)/ Anti-Money Laundering/ Combating Financing of Terrorism guidelines issued in the 'Master Direction – Know Your Customer Directions' shall apply to all entities.
Capital requirements: Existing PAs are to achieve a net worth of INR 15 crores by 31 March 2021 and a net worth of INR 25 crores by the end of the third financial year, i.e., on or before 31 March 2023, which shall be maintained at all times thereafter. New PAs are to have a minimum net worth of INR 15 crores at the time of application for authorisation and shall attain a net worth of INR 25 crores by the end of the third financial year from the grant of authorisation. This shall be maintained at all times thereafter.
Merchant onboarding and settlement: PAs shall undertake background and antecedent checks of merchants to ensure that such merchants do not have any mala fide intention. Non-bank PAs shall maintain the amount collected by them in an escrow account with a scheduled commercial bank. The obligation to settle a transaction, and the timelines for doing so, are clearly outlined in the guidelines.
What is in it for users?
Continuation of existing PAs: RBI has permitted existing PAs to continue operations until authorisation is granted.
Customer grievance: PAs are directed to put in place a formal, publicly disclosed Customer Grievance Redressal and Dispute Management Framework. A Board-approved policy for customer grievance (comprising disposal of complaints, dispute resolution mechanism, timelines for processing refunds, etc.), merchant onboarding, information security, etc. is to be put in place. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions, whose details shall be prominently displayed on their website.
Security incident reporting: Security incidents and cardholder data breaches are to be reported to the RBI within the stipulated timeframe.
Cyber security audit and reports: PAs shall carry out and submit quarterly internal and annual external audit reports to the IT Committee; bi-annual Vulnerability Assessment/ Penetration Test reports; and PCI-DSS compliance reports, including the Attestation of Compliance and Report on Compliance.
Data sovereignty: A strong risk management system is necessary to meet the challenges of fraud and ensure customer protection. PAs shall take preventive measures to ensure that data is stored on infrastructure that does not belong to external jurisdictions, i.e., outside India. PAs are also required to put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud.
Featured Image: Guidelines on Regulation of Payment Aggregators