An Analysis of the Reserve Bank of India’s Master Direction on Regulation of Payment Aggregators, 2025

Introduction

On September 15, 2025, the Reserve Bank of India (“RBI“) issued the Master Direction on Regulation of Payment Aggregators, 2025 (“Master Direction“), a framework governing both bank and non-bank entities engaged in the business of payment aggregation (“Payment Aggregators” or “PA“). This Master Direction replaces earlier guidelines issued in 2020, 2021, and 2023, thereby creating a single, comprehensive regime for domestic and cross-border Payment Aggregators.

The Master Direction addresses authorisation requirements, governance, security measures, dispute resolution, escrow accounts, and reporting obligations. Through the Master Direction, the earlier circulars on the matter, including the 2010, 2013, and 2015 FEMA-related circulars on online gateway payments, as well as the 2009 circular on intermediaries have been repealed. However, actions already taken under the repealed circulars remain valid.

Applicability

Under the Master Direction, a Payment Aggregator is defined as any entity that facilitates customer payments to merchants through one or more payment channels, and then subsequently settles these funds with the merchants. The Master Direction provides for three sub-categories of Payment Aggregators, namely (i) PA-Physical (“PA-P“) for proximity-based transactions; (ii) PA-Online (“PA-O“) for remote transactions; and (iii) PA-Cross Border (“PA-CB“) for inward and outward aggregation of cross-border payments.

The Master Direction applies to all banks and non-bank entities undertaking Payment Aggregator business, as well as authorised dealer banks and scheduled commercial banks that interact with Payment Aggregators.

Authorisation and Capital Requirements

Under the Master Direction, all non-bank entities engaging in the Payment Aggregator business must obtain explicit RBI authorisation through its online Pravaah portal. The non-bank entities seeking approval must be incorporated under the Companies Act, 2013, with their Memorandum of Association must reflect that they are undertaking Payment Aggregator activity. Conversely, banks have been granted exemption from obtaining such authorisation.

The Master Direction also reinforces the earlier implemented phased capital adequacy requirement, wherein a minimum net worth of Rs. 15,00,00,000 (Rupees Fifteen Crore only) is required at the time of filing the application on the Pravaah portal, and a minimum net worth of Rs. 25,00,00,000 (Rupees Twenty-Five Crore Only) is required within three years of the grant of authorisation by the RBI. In this regard, the “net worth” has been defined in the Master Direction to include compulsorily convertible preference shares, subject to specific restrictions. It is also stated that entities with Foreign Direct Investment (“FDI“) must additionally comply with India’s Consolidated FDI Policy and FEMA regulations.

Conduct of Payment Aggregator Business

The Master Direction states that promoters and directors of a Payment Aggregator must satisfy the ‘fit and proper’ criteria, ensuring integrity, financial soundness, and absence of criminal or regulatory disqualifications. Further, every Payment Aggregator is required to establish a dispute resolution framework, including timelines for refunds and adherence to RBI’s prescribed turnaround times for failed transactions.

Additionally, Payment Aggregators are required to issue a board-approved information security policy and must ensure PCI-DSS/PA-DSS compliance, undertake annual security and cyber audits, and report incidents to RBI. They are also required to follow RBI’s 2024 Cyber Resilience Directions for Non-Bank PSOs.

Key Restrictions and General Directions

The Master Direction has put in place certain restrictions on the conduct of business by Payment Aggregators, including the following:

1. Payment Aggregators may only aggregate funds for merchants with whom they have contracts;
2. Payment Aggregators cannot engage in marketplace businesses;
3. Refunds by Payment Aggregators must be made to the original payment method unless directed otherwise by the payer; and
4. The use of ATM PIN for card-not-present transactions is prohibited.

Further, it is now mandatory for PA-CBs to maintain separate Inward Collection Accounts (“InCA“) and Outward Collection Accounts (“OCA“) with Authorised Dealer-I banks, and the PA-CBs are not allowed to combine inward and outward transaction funds. Further, each cross-border transaction has now been capped at Rs. 25,00,000 (Rupees Twenty Five Lakh Only).

KYC and Due Diligence

The Payment Aggregators are mandated to conduct Customer Due Diligence (“CDD“) of merchants per the Master Direction on KYC, 2016. Merchants with an annual domestic turnover below Rs. 40,00,000 (Rupees Forty Lakh Only) or an annual export turnover below Rs. 5,00,000 (Rupee Five Lakh Only) may be onboarded with simplified checks by the Payment Aggregators, by using PAN verification, contact point verification, or with collection of officially valid document. It is also noted that, under the Master Direction, non-bank Payment Aggregators are required to register with the Financial Intelligence Unit-India (FIU-IND).

On the other hand, banks which onboard merchants are required to ensure compliance with their merchant acquiring policies, but are not obligated to conduct CCD independently.

Settlement of Funds and Escrow Accounts

In accordance with the Master Direction, any funds collected by Payment Aggregators must be held in escrow accounts with scheduled commercial banks. Additionally, it is stated that escrow accounts cannot be used for cash-on-delivery transactions, and a separate certification by statutory auditors must confirm compliance with escrow norms.

Impact on Payment Aggregators

The Master Direction represents a paradigm shift in the regulation of Payment Aggregators, with the following key impacts:

1. Stricter Compliance Burden: Non-bank Payment Aggregators will have to invest significantly in KYC infrastructure, cyber security, risk management systems, and audit compliance, which will increase operational costs.
2. Transparency and Merchant Accountability: With the segregation of escrow accounts and the requirements of carrying out due diligence, Payment Aggregators will be obligated to implement stricter onboarding checks.
3. Cross-Border Transactions: By setting a cap on cross-border transactions and requiring separate InCA and OCA accounts, the RBI has introduced clearer FEMA compliance norms.
4. Customer Protection: Mandatory dispute resolution timelines, restrictions on misuse of refunds, and strict cyber-security controls will increase the compliance burden on Payment Aggregators.

Conclusion

The Master Direction consolidates and rationalises multiple earlier circulars into a single framework. By addressing authorisation, governance, security, KYC, escrow management, and cross-border compliance, the Master Direction aims to balance innovation in digital payments with systemic stability and consumer protection. For Payment Aggregators, this heralds an era of stricter compliance and greater accountability.