The Reserve Bank of India (RBI) recently issued guidelines to regulate payment aggregators (PA) and payment gateways (PG) that act as intermediaries facilitating online payments. The guidelines go into effect from April 1, 2020.
Who is Covered?
The guidelines define PAs as entities that facilitate e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations, without the need for merchants to create a separate payment integration system of their own. PAs help merchants connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.
Under the guidelines, PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction, without any involvement in handling of funds.
What Does Coverage Entail?
The guidelines are mandatory for all PAs (including PAs that facilitate the domestic leg of foreign trade related payments). As bank PAs are already licensed under separate banking regulations, the guidelines are primarily targeted at non-bank PAs.
PGs are considered technology providers or outsourcing partners of banks and non-banks under the guidelines and are advised to adhere to the base-line technology related recommendations set out in a schedule to the RBI guidelines. Here too, for PGs that are bank, the RBI guidelines issued to banks (i.e., on managing risk and setting out a code of conduct for outsourcing financial services by banks) would apply.
Specific Compliance Requirements
As a result of the above, all non-bank PAs are now required to obtain RBI licenses and comply with the guidelines’ requirements on: (i) net worth, (ii) governance, (iii) know-your customer (KYC) / anti-money laundering and combatting the financing of terrorism (AML-CFT), (iv) merchant onboarding, (v) settlement timelines and escrow account management, (vi) customer grievance and dispute management, (vii) security, fraud prevention and risk management, and (viii) reporting and other issues.
These requirements are summarised in the annex to this note.
The guidelines subject non-bank PAs to standards affecting both their governance and their daily operations. Existing non-bank PAs should review their current governance procedures, net worth, contractual provisions (including in contracts with banks and merchants) and their other operations to bring their operations into line with the guidelines. As further summarised in the annex to this note, the RBI has provided these businesses adequate time to bring their operations into compliance, so as to ensure a smooth transition into a much needed, regulated environment.
Annex: Summary of Specific Compliance Requirements for Non-Bank PAs
1. RBI Licensing: All non-bank PAs need to be companies that are incorporated under Indian law. The non-bank PAs must also apply for RBI authorization, under the Payment and Settlement Systems Act, 2007 (PSSA). The applications have to be submitted by June 30, 2021(and existing nonbank PAs can continue their operations till the hear back from the RBI on their applications). This said, e-commerce marketplaces providing PA services shall not continue this activity beyond June 30, 2021
unless the PA activity is separated from the marketplace business, and they apply for authorisation on or before June 30, 2021. The PAs’ operations are deemed to be ‘designated payment systems’ under the PSSA.
2. Net Worth Requirements: The guidelines mandate that existing PAs should achieve a networth of INR 150 million by March 31, 2021 (or the date of their application, whichever is earlier) and a net-worth of INR 250 million by March 31, 2023. Thereafter the net worth of INR 250 million has to be maintained at all times. New applicants must have a minimum net-worth of INR 150 million at the time of applying for authorisation, and attain a net-worth of INR 250 million by the end of the third financial
year, which minimum net worth has to be maintained thereafter. Preference capital will be included in net worth only if it is compulsorily convertible into equity and withdrawal of the preference capital is specifically prohibited. Revaluation reserves or the book value of intangible assets cannot be included in the net worth for this purpose. The PA’s net worth needs to be certified by a chartered accountant.
3. Governance: The guidelines require PAs to be professionally managed with their promoters satisfying the “fit and proper criteria” stipulated by the RBI. Directors of the PA are required to submit a declaration on their “fit and proper” status. Any acquisition, change of control or change in management of the non-bank PA has to be notified to the RBI within 15 days (along with declarations from new directors, if any). Agreements between PAs, merchants, acquiring banks and other stakeholders need to clearly delineate roles of each parties in dealing with complaints, refunds / failed transactions, customer grievances, reconciliation, dispute resolution and other specified matters. PAs are required to provide comprehensive information regarding merchant policies, customer grievances, privacy and other terms and conditions on their website and mobile applications. They should also have board approved policies for disposal of complaints, dispute resolution mechanism, timelines for processing
refunds, etc (as per RBI instructions), and appoint (and publicly provide details of) a nodal officer responsible for regulatory and customer grievance handling functions.
4. KYC / AML-CFT Compliance: PAs must comply with the KYC and AML-CFT guidelines issued by the RBI and the provisions of the Prevention of Money Laundering Act, 2002 and corresponding rules.
5. Merchant On-Boarding: PAs will be required to have board approved policies for merchant on-boarding. PAs will need to undertake background and antecedent check of the merchants and to check merchant compliance with payment card industry and payment application data security standards (PCI-DSS and PA-DSS). Agreements with merchants will need to include provisions on safeguarding customer security and privacy and on compliance with PA-DSS and incident reporting obligations. PAs will also need to carry out security audits of merchant sites to ensure merchant sites are not saving customer card and related data.
6. Settlement and Escrow Account Management: The guidelines also require that PAs maintain all accounts collected by them in an escrow account with a scheduled commercial bank, and set out procedures and timelines for transaction settlement and regulation on the operation of the escrow accounts (including in relation to permitted debits and credits).
7. Customer Grievance Redressal and Dispute Management Frameworks: The guidelines stipulate that the PAs have to maintain formal, publicly-disclosed customer grievance redressal and dispute management frameworks, including designating a nodal officer (whose details are prominently displayed on the PA’s website) to handle customer complaints and grievances, and providing an escalation matrix for grievances. Furthermore, PAs are required to put in place a dispute resolution mechanism binding on all participants, which contain numerous details specified in the guidelines (including details on turnaround times).
8. Security, Fraud Prevention and Risk Management Frameworks: The guidelines mandate that PAs put in place board approved information security policy for the safety and security of the payment systems operated by them. They are required implement security measures in accordance with the guidelines to mitigate identified risks.
9. Reporting and General Instructions: Apart from the net worth certifications and governancerelated declarations, PAs are also required to provide periodic reports to the RBI on escrow account balances (quarterly and annual) and statistics of transactions handled (monthly). The guidelines also mandate that PAs follow the RBI’s instructions with regard to merchant discount rates and that no limits are placed by the PAs on transaction amounts for a specific payment mode. Furthermore, PAs are
required to disable ATM PINs as authentication in case of ‘card-not-present’ transactions and to ensure that all refunds are to be made in the original mode of payment unless agreed otherwise.