RBI’s Guidelines on Regulation of Payment Aggregators and Payment Gateways

[Abhishek Tripathy is a fourth year law student at the Institute of Law, Nirma University]

In March 2020, the Reserve Bank of India (“RBI”) issued the Guidelines on Regulation of Payment Gateways and Aggregators, which issued in furtherance of a discussion paper released by the RBI in September 2019. The guidelines have been made effective from 1 April 2020.

The extensive use of electronic modes of payment by customers is facilitated by the banks with the help of intermediaries like payment aggregators and payment gateway service providers. The RBI issued the present guidelines according to the power vested in it under section 18 read with section 10(2) of the Payment and Settlement Systems Act, 2007 (the “PSS Act”). The PSS Act was enacted to ensure a secure, accessible, and efficient system of payments and settlement. The payment infrastructure in the country has evolved over time with increased competition and technologically driven business models. This post attempts to track the evolution of payment aggregators and gateways in India, and assesses the necessary regulatory compliances in light of the recent guidelines.

Setting the Context

At the time of the PSS Act, the use of electronic payment system was still at a nascent stage as transactions were mostly dependent on cash or bank transfer. To match up to the ever-evolving change in technology, the RBI had sought to address the lacunae in the PSS Act through various notifications and regulatory interventions. Prior to the issuance of the present guidelines, RBI regulated entities enabling electronic payments between two customers or merchants by way of its notification released in November 2009.

The notification, also christened as intermediary directions, defined intermediaries to include “all entities that collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers.” All kinds of electronic payment systems were covered under the umbrella of intermediaries, and there was no differentiation as to the structure and working of payment gateways and payment aggregators.

The RBI had earlier expressed the need to review the existing regulatory mechanism for electronic payment intermediaries in its monetary policy statement. After various assessment and suggestions, the RBI in the recent guidelines enforces a more stringent and direct form of regulation to regulate the system of electronic payments in India.

Analysis of the RBI Guidelines

Defining PAs and PGs

The RBI guidelines take a shift from the intermediary directions by providing a definition to payment aggregators (PA) and payment gateways (PGs), and thereby establishing the scope of operation. The guidelines define payment aggregators as “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own.” Whereas payment gateways are defined as “entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.” It is imperative to note that payment aggregators ensure the facilitation of receiving, pooling and transferring the payment to the merchant, which might be periodic in nature. Payment gateways only need to maintain the necessary technical assistance or infrastructure as they do not store or pool the payments.

Authorisation Requirements

Prior to the guidelines, the entities operating as intermediaries were not required to obtain a prior authorisation from any regulator. However, the guidelines now make it mandatory for the payment aggregation services (except licensed banks) to receive authorisation from the RBI. Payment aggregators are now obliged to fulfil the ‘fit and proper’ criteria to be eligible for authorisation from the RBI. A standard concept of corporate governance in financial institution, ‘fit and proper’ criteria mandate specific requirements for evaluating managers, directors and office bearers to efficiently meet their duties while assuring their integrity and suitability for the post. With the adoption of ‘fit and proper’ criteria’, the electronic payment infrastructure will now be responsible to the regulators and customers for its governance and decision-making.

A deadline of 30 June 2020 has been set for the existing players to meet with the requirements of the guidelines. Moreover, the guidelines mandate a minimum capital requirement both at the time of the application and at the expiry of three years. It is essential to note that the capitalisation requirements are nominal as compared to the recommendation in the discussion paper. This process of authorisation will specifically ensure that the RBI has direct supervision on the working of payment aggregators.

Settlement and Escrow Account Management

The RBI’s intermediary directions issued in 2009 required the intermediaries to maintain a nodal account, in the form of internal account of the bank to keep a record of the credit settlement cycle with the merchants. The guidelines now mandate the use of an escrow account wherein funds are held in trust whilst two or more parties complete a transaction. The account must be maintained with any (one) scheduled commercial bank and not be used for any other business related purposes. The guidelines also allow for pre-funding of the escrow account. To ensure additional protection to the funds maintained in the escrow accounts, the use and operation of escrow account has been categorised as “designated payment system” as in terms of section 23A of the PSS Act. However, this requirement for payment aggregators to maintain an account in one bank can adversely affect the working and operation if the designate bank is under regulatory moratorium or any other similar action.

Compliances

The guidelines ensure transparency by prescribing disclosure compliances and a comprehensive customer redressal mechanism. They also mandate payment aggregators to have the adequate infrastructure and facilities for fraud detection and to abide by other technological requirements like proper data management, data security, etc. The payment aggregators are also required to abide by the norms of data localisation except in certain circumstances.

Conclusion

The RBI guidelines are the future regulatory framework for payment aggregators in India. There is prevailing uncertainty over the relevance of the intermediary directions, as they have not been expressly repealed. Prior to the guidelines, the intermediaries were only subject to certain operational compliances without an exhaustive policy. The guidelines suggests the delineation of market places from payment aggregation services to keep better track of the payment system. The change in regulatory stance also introduces an array of new compliances and check mechanisms.  Though more clarifications need to be provided for the incorporation of these guidelines, it is the first step towards a more transparent and accountable payment structure in India.

Abhishek Tripathy

About the author

3 comments

  • The post by Abhishek Tripathy clearly analyses the RBI guidelines for the payment gateways. It has the proper research input to make the study more convincing. More importantly, it includes the element of social utility as the post gives the readers an understanding of the online payment system.

  • There are several issues with these regulations.

    For one, the regulations have been issued under Section 10 and Section 18 of PSSA. These sections can be invoked only if a person is a “payment system operator”. So, this means that the RBI had always considered the existing payment aggregators / payment gateways operating in the market as “payment system operators”. If this was indeed the case then these PAs / PGs are liable to be penalised for carrying out the business of a “payment system operator” without registration under Section 4. This may be a moot point if the RBI never penalizes any PA / PG – but the lack of clarity doesn’t help. The inclusion of an explicit grandfathering clause would have gone a long way. So, this will mean that in any PE / M&A transaction this technical issue will come up for discussions during the diligence and documentation. Admittedly, this is a technical issue but I’m surprised the RBI did not catch it.

    Secondly, the tone of the regulations implies that all PAs undertake B2C business. I am involved with a company which falls within the definition of a PA but which doesn’t carry out B2C business. This has lead to much confusion and has the regrettable impact of substantially increasing the cost of compliance for the company in question.

    Thirdly, requiring KYC compliance by PAs / PGs has a huge impact on the commercials of these entities. Given that in both situations, the flow of money is being handled by a bank, I’m not really sure what will be achieved by having another layer of KYC other than increasing cost of compliance.

    Lastly, for the life of me, I don’t understand how the RBI expects a company to adopt operationalize a framework for undertaking KYC, procure and go-live with IT infrastructure, and deliberate and adopt several policies; all within a period of less than 15 days – as the regulations were notified in mid-March and most of the provisions were made effective from 1 April 2020.

  • Is this guidelines also applies to physical merchant transactions happened through a POS machine. (Debit Card / Credit Card / UPI)

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Top Posts & Pages

Topics

Recent Comments

Archives

web analytics

Social Media