x

20 March 2020

Guidelines on regulation of Payment Aggregators and Payment Gateways

The Reserve Bank of India (RBI) has vide its circular dated March 17, 2020 issued ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’. In terms of the said circular, the RBI has prescribed (a) guidelines for regulating activities of payment aggregators (PAs); and (b) baseline technology recommendations for payment gateways (PGs).

The key highlights of the guidelines are as follows:

  • Key Terms:  Payment Aggregators (PAs) are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers. They receive payments from customers, pool and transfer them on to the merchants after a time period.Payment Gateways (PGs) are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.
  • Applicability:  While the guidelines and the technology related recommendations are mandatory for PAs, adherence to the technology related recommendations by PGs seems to be recommendatory.While, cash on delivery (COD) based e-commerce transactions have been exempted, the circular also aims at bringing regulation of domestic leg of import and export related payments facilitated by PAs under its ambit.
  • Entity Structure:  A non-bank PA has to be a company incorporated under the Companies Act with the PA activity forming part of its objects.
  • Authorisation:  Banks carrying on the activity of a PA do not need a separate authorisation.Existing non-bank PAs need to apply for an authorisation under the Payment and Settlement Systems Act, 2007 (PSS Act) prior to June 30, 2021 and will be allowed to operate until they are granted/ refused an authorisation.E-commerce marketplace entities providing PA services shall segregate their PA business from the marketplace business and apply for an authorisation on or before June 30, 2021.
  • Net-worth:  Existing PAs must ensure a net worth of INR 15 crores by March 31, 2021 and INR 25 crores by March 31, 2023. For the new PAs, a net worth of INR 15 crores is required for making an application for grant of authorisation and they must achieve a net worth of INR 25 crores by the third financial year-end occurring after the application is made. A net worth of INR 25 croresis to be maintained at all times thereafter. The guidelines also prescribe the components for computation of the net worth. Banks maintaining the escrow/ nodal accounts of the PAs have been mandated to report compliance of this requirement.
  • Governance:  PAs will need be professionally managed and the promoters will be required to satisfy the ‘fit and proper criteria’as prescribed by RBI. Any takeover or acquisition of control or change in management of a non-bank PA has to be communicated to the Chief General Manager (DPSS), RBI within 15 days. Agreements between PAs, merchants, acquiring banks and other stake holders are required to clearly set out the understanding with respect to roles and obligations of the parties vis-à-vis handling complaints and unsuccessful transactions, return policy, grievance redressal, dispute resolution, etc.
  • Checks for on-boarding merchants:  PAs must ensure to have a board approved policy for merchant on-boarding andundertake background checks before on boarding the merchant. PAs will be responsible for ensuring that the merchant’s infrastructure complies with the data security standards (PCI-DSS and PA-DSS) and does not store customer data. Agreements between PAs and merchants must also provide for privacy of customer data.
  • Settlement and Escrow:  Non-bank PAs will maintain the amount collected by them in an escrow account with only one scheduled commercial bank at any point in time. For the purpose of maintenance of the escrow account, the operations of PAs shall be deemed to be ‘designated payment systems’ under the PSSAct.The guidelines also prescribed the permissible credits and debits to the escrow account and the timelines for settlement with the merchant.The funds lying in the escrow accounts are not be co mingled with those relating to other businesses handled by the PA and should be appropriated for settlements with the merchants.Escrow accounts are not be operated for COD transactions.
  • Applicability of other regulations:  All PAs will have to adhere to the KYC/ Anti-Money Laundering/Combating Financing of Terrorism guidelines issued by RBI and provisions of Prevention of Money Laundering Act, 2002 will also apply on PAs.Provisions of the FDI Policy and FEMA will apply to PAs having foreign investment.
  • Consumer grievance redressal and dispute resolution:  The PAs  will need to ensure that policies regarding disposal of complaints, dispute resolution mechanism adhering to RBI instructions on Turn Around Time for resolution of failed transactions are in place. The PAs will also need to disclose information regarding interalia merchant policies, customer grievance on the website or mobile applications. PAs will need to appoint a nodal officer responsible for regulatory and customer grievance handling and display his details on their website.
  • Risk management and general guidelines:  PAs will cater for providing an infrastructure information and data security with systems for prevention and detection of frauds in placein accordance with Board approved information security policy. PAs cannot store the customer card credentials within their database or in the server accessed by any merchant. PAs will adhere to following the extant instructions for Merchant Discount Rate. While PAs cannot imposelimits on transaction amount for any payment mode, the banks would be responsible for placing these limits. PAs alsocannot provide ATM PINs as factor of authentication for card-not-present transactions.
  • Technology related recommendations:  The RBI has also prescribed requirements for the IT systems of the PAs and PGs which cover aspects including information security, incident reporting, data security standards, cyber security audits, board monitored IT governance, data sovereignty, etc. While PGs have been recommended to adhere to such requirements, it is mandatory for the PAs to ensure compliance with all the technology related recommendations.
  • Compliances:  The RBI has prescribed formats for seeking authorization, net-worth certificate, director’s undertaking, auditor’s certificate on maintenance of balance in escrow account and a format for capturing the statistics of transactions handled by PAs every month.

The guidelines clearly seem to indicate that RBI has chosen to comprehensively regulate the payment aggregators without any exemptions (as was envisaged under the discussion paper). However, the reduction in the minimum net-worth threshold from INR 100 crores to INR 25 crores (INR 15 crores for commencement) and a longer time period for achieving the said net worth is a welcome step and will provide a level playing field to the smaller players in the industry. The RBI has also reinforced its objective of prioritizing consumer protection and safeguarding of consumer data by providing detailed provisions for the same and making the PAs and the banks responsible for ensuring compliance.

}