
NOW REGULATED – PAYMENT AGGREGATORS AND PAYMENT GATEWAYS

02 Apr 2020

The Reserve Bank of India (“RBI”) will, with effect from April 1, 2020, regulate the activities of Payment Aggregators (“PAs”) and Payment Gateways (“PGs”)[1]. Until April 1, 2020, intermediaries such as PAs and PGs did not require registration with the RBI; only the banks operating the accounts of such intermediaries were regulated.

Under the Guidelines on Regulation of Payment Aggregators and Payment Gateways, effective April 1, 2020 (“Guidelines”), PAs are defined as:

PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

And PGs as,

PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

Applicability

The Guidelines are mandatory for PAs, while compliance by PGs is recommendatory in nature as a good practice measure. PAs shall also adopt the baseline technology-related recommendations provided in the Guidelines. These include security-related recommendations on information security governance, data security standards, cyber security audits and reports, and risk assessment, among others.

Registration

PAs need to be companies incorporated in India, and existing non-bank PAs (including e-commerce marketplaces providing PA services) need to apply for authorisation on or before June 30, 2021. They shall be allowed to continue their operations until they receive communication from the RBI regarding the outcome of their application.

Capital Requirement

Existing and new PAs need to have a minimum net worth of Rs. 150,000,000 (approx. USD 2 million) by March 31, 2021 and a minimum net worth of Rs. 250,000,000 (approx. USD 3.3 million) on or before March 2023 and thereafter. Failure to comply with the foregoing criteria will require the PAs to wind up their operations.

Governance

The Guidelines provide that PAs shall be professionally managed. The promoters of the entity shall satisfy the fit and proper criteria prescribed by RBI, including instances of change of control of a PA and the resultant new management being appointed. RBI shall also check ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit.

PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. PAs shall prominently display details of the nodal officer on their website. PAs also need to be in compliance with the Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by RBI.

Merchant On-boarding

The Guidelines provide for a number of checks and balances that PAs are required to maintain when on-boarding merchants. For instance, PAs shall undertake background and antecedent checks of the merchants to ensure that such merchants do not have any mala fide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. PAs shall be responsible for checking Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded. The merchant site shall not save customer card and related data. The agreement with the merchant shall have a provision for the security / privacy of customer data.

Settlement and Escrow Account Management

The amounts collected by non-bank PAs are required to be maintained with only one scheduled bank at any given point of time. The Guidelines also provide timelines for the final settlement with the merchant by the PA, including for reversed transactions. It has been explicitly mentioned that the escrow account shall not be operated for ‘Cash-on-Delivery’ transactions and that the settlement of funds with merchants shall not be co-mingled with any other business handled by the PA. Further, no interest shall be payable by the bank on balances maintained in the escrow account, except when the PA enters into an agreement with the bank maintaining the escrow account to transfer the “core portion” of the amount. The Guidelines provide the methodology for calculating the “core portion” indicated above.

Security, Fraud Prevention and Risk Management Framework

The Guidelines provide for a robust security, fraud prevention and risk management framework to be put in place by the PAs. PAs shall put in place a Board-approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. PAs shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. Such incidents shall be reported immediately to the RBI and also to CERT-In (Indian Computer Emergency Response Team) as per the details notified by CERT-In. Further, PAs shall not store customer card credentials within their database or on the server accessed by the merchant. They shall comply with the data storage requirements applicable to Payment System Operators.


The Guidelines make registration compulsory for PAs and provide for the capitalisation requirements that new and existing PAs need to adhere to in a time-bound manner. These requirements, along with the robust security requirements and related compliances that PAs are required to adhere to, may make it difficult for new companies in, or planning to enter, the PA space, as costs go up. However, these requirements will be essential to provide a robust and safe ecosystem for PAs to operate in and will give impetus to the other industries around this ecosystem, such as IT security, data privacy, forensics, etc.

Whilst the nomenclature of the Guidelines gives the impression that they are meant to regulate both PAs and PGs, as indicated above, PAs must compulsorily comply with the Guidelines, whereas for PGs compliance is discretionary in nature and may be adopted only as a measure of best practice. It will be interesting to note this dichotomy being created by the RBI and to understand the regulator's views on the same. Further, the Guidelines exclude entities that are not directly involved with direct cash touch points.

It is suggested that all regulations pertaining to the online payment ecosystem should be collated to avoid the possibility of regulatory overlap / conflicts. For instance, these Guidelines do not replace the Intermediaries circular dated November 29, 2009 issued by the RBI, which deals with the regulations applicable to banks for opening and operating the accounts of such intermediaries.


[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0