Payment Aggregators & Payment Gateways under RBI’s Regulatory Supervision

With increasing number of digital transactions, the reliance on payment aggregators & payment gateways is more than ever. The RBI has recently issued guidelines for regulating both Payment Gateways & Payment Aggregators.

On 17 March 2020, the Reserve Bank of India (RBI) issued Guidelines on Regulation of Payment Aggregators (PA) and Payment Gateways (PG). In this article, we take a quick look at the RBI guidelines and understand the ensuing changes for users.

From now on, payment gateways & aggregators such as Paytm, Pay Pal, Mobikwik, Razorpay, PayU, CCAvenue etc. will be regulated by RBI to ensure the safety of all our online transactions. The guidelines have been issued under Section 18 of the Payment and Settlement Systems Act 2007 and shall come into effect from April 1, 2020.

In common parlance, PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations.

In its earlier notification and discussion paper, RBI had taken into account the important functions of these intermediaries in the online payments space. The Discussion Paper, released on 17 September 2019, also explored the avenues of regulating these intermediaries by proposing different approaches. In view of their role in handling funds, it has been decided to regulate in entirety the activities of PAs as per the guidelines and to provide baseline technology-related recommendations to PGs.

What do the guidelines prescribe?

Guidelines at a glance: (i) For PAs, the guideline mandate PAs to obtain authorisation from the RBI and prescribes detailed technology and operational guidelines such as merchant onboarding, data sovereignty, customer data access, audit obligations, etc.  (ii) For PGs, baseline technology-related security recommendations have also been made for optional adoption.

Applicability: PAs and PGs.

Exemptions: Bank PAs, cash on delivery e-commerce model.

Authorisation: Entities which want to undertake Payment Aggregation and Payment Gateway activity should be a company incorporated in India under the Companies Act, 1956/2013. Existing non-bank PAs have to obtain authorisation from the Department of Payment System and Settlement, RBI by 30 June 2021. PGs do not require authorisation but are recommended to comply with guidelines issued by the RBI on ‘Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks’ and baseline technology requirements.  Furthermore, e-commerce marketplaces providing PA services would be separated as an entity and would be identified as technology service providers or ‘outsourcing partners’ for banks or non-banks.

Compliance: The Know Your Customer (KYC)/ Anti-Money Laundering/ Combating Financing of Terrorism guidelines issued in the ‘Master Direction – Know Your Customer Directions’ shall apply to all entities.

Capital requirements: Existing PAs to achieve a net worth of INR 15 crores by 31 March 2021 and a net worth of INR 25 crores by the end of the third financial year, i.e., on or before 31 March 2023, and shall be maintained at all times thereafter. New PAs to have a minimum net worth of INR 15 crores at the time of application for authorisation and shall attain a net worth of INR 25 crores by the end of the third financial year of grant of authorisation. This shall be maintained at all times thereafter.

Merchant, onboarding and settlement: PAs shall undertake background and antecedent check of merchants to ensure that such merchants do not have any malafide intention. Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank. The obligation to settle a transaction has been clearly outlined in the guideline.

What is in it for users?

Continuation of existing PAs: RBI has permitted continuance of operations by existing PAs until authorisation.

Customer Grievance: PAs are directed to put in place a formal, publicly disclosed Customer Grievance Redressal and Dispute Management Framework. A Board approved policy for customer grievance (comprising disposal of complaints/ dispute resolution mechanism/ timelines for processing refunds, etc.), merchant onboarding, information security, etc., to be put in place.  PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions, details of whom shall be prominently displayed on their website.

Security incident reporting: Security incidents/ card- holder data breaches to be reported to the RBI within the stipulated timeframe.

Cyber security audit and reports: PAs shall carry out and submit quarterly internal and annual external audit reports to the IT Committee; bi-annual Vulnerability Assessment/ Penetration Test reports; PCI-DSS, including Attestation of Compliance and Report of Compliance.

Data sovereignty: A strong risk management system is necessary to meet the challenges of fraud and ensure customer protection. PAs shall take preventive measures to ensure storing of data on infrastructure that does not belong to external jurisdictions. PAs are also required to put in place adequate information and data security infrastructure and systems for the prevention and detection of frauds.

Featured Image: Guidelines on Regulation of Payment Aggregators