In recent years, the digital payments space has grabbed eyeballs across India, with the upsurge in the use of debit cards, credit cards and UPI payments. The increase in the use of digital payments can be largely attributed to the increase in access to the internet, e-commerce websites, mobile applications and the pandemic that forced several individuals to shop online, even for basic necessities. This magnified growth in the use of digital payment systems resulted in the Reserve Bank of India (RBI) issuing guidelines to regulate payment aggregators and payment gateways, bringing them under its wing.
Back in 2020, the RBI issued the Guidelines on Regulation of Payment Aggregators and Payment Gateways (“Guidelines“) that mandated RBI approval for entities looking to provide payment services to merchants, in accordance with these Guidelines. While the Guidelines do acknowledge that that banks, and well as non-banking entities, handle payment services as part of their activities, however it mandates that only non-banking entities would require approval from the RBI to continue providing payment aggregator services.
As per the Guidelines, payment aggregators are entities that facilitate the acceptance of various payment instruments from the customers of e-commerce sites and merchants for the completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. Payment aggregators facilitate the connection between merchants and acquirers. In the process, they receive payments from customers, pool and transfer them to the merchants after a period of time. In contrast the Guidelines elaborate that payment gateways are entities that only provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in handling of funds. Payment gateways were to be considered only as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be.
The Guidelines mandated that non-bank payment aggregators shall require authorisation from RBI under the Payment and Settlement Systems Act, 2007 and that such authorisation would be provided basis some of the following criteria:
- The payment aggregator needs to be a company incorporated in India under the Companies Act, 1956 / 2013. The Memorandum of Association (MoA) of the applicant entity must cover the proposed activity of operating as a payment aggregator.
- Existing non-bank entities offering payment aggregator services need to apply for authorisation on or before June 30, 2021 (which was later extended to September 30, 2021). The Guidelines generously permit all entities providing payment aggregator services (as of the date of the Guidelines) to continue their operations till they receive communication from the RBI regarding their application.
- E-commerce marketplaces providing payment aggregator services shall not continue this activity beyond the prescribed deadline of June 30, 2021. If such entities wished to pursue providing payment aggregator services, these services were to be separated from their marketplace business and thereafter the entities could apply to the RBI for authorisation.
- Payment aggregators existing as on the date of the Guidelines were required to achieve a net-worth of ₹15 crore by March 31, 2021 and a net-worth of ₹25 crore by the end of the third financial year, i.e., on or before March 31, 2023. A net-worth of ₹25 crore is to be maintained at all times thereafter.
- New payment aggregators are required to have a minimum net-worth of ₹15 crore at the time of application for authorisation and attain a net-worth of ₹25 crore by the end of the third financial year from the grant of authorisation. A net-worth of ₹25 crore is to be maintained at all times thereafter.
- Payment aggregators, as per the Guidelines, are also required to adopt the technology-related recommendations prescribed.
- Payment aggregators under the Guidelines are to formulate a board approved policy for merchant on-boarding. Amongst other merchant related responsibilities of payment aggregators, payment aggregators under the Guidelines are required to run mandatory background checks and antecedent check of the merchants, to ensure that such merchants: (i) do not have any malafide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc; (ii) comply with the Payment Card Industry-Data Security Standards (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS); and (iii) do not save customer card and such related data.
- Non-bank payment aggregators are required to maintain the amount collected by them in an escrow account with any scheduled commercial bank.
- Payment aggregators are mandated to have in place a customer grievance redressal and dispute management framework including designating a nodal officer to handle customer complaints / grievances and a dispute resolution mechanism binding on all the participants which shall contain a transaction life cycle, detailed explanation of types of disputes, process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc.
- Payment aggregators are also mandated under the Guidelines to put in place adequate information and data security infrastructure and systems for prevention and detection of frauds as well as have a Board approved information security policy which covers a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. the details
- Payment aggregators are strictly prohibited from storing customer card credentials within their database or the server accessed by the merchant.
Upon the issuance of the Guidelines, a spate of entities applied to the RBI for a payment aggregator license. Over the past few months, the RBI has been holding presentations with firms that had applied for the licence. During its presentation with such firms, the RBI is said to have also verified aspects related to the firm’s business and financials including what percentage of the business revenue of the applicants came from unregulated entities such as online gaming/betting or crypto exchanges. It also evaluated money-laundering concerns as well as whether these aggregators were compliant with the RBI’s tokenisation norms. Multiple online payment gateways that were seeking the licence had come under intense scrutiny for Know-Your-Customer (KYC) related issues, past dealings with cryptocurrency exchanges and gaming apps, as well as for not complying with the minimum net-worth criteria set out by the RBI. Earlier this year, the RBI reportedly decided to reject the payment aggregator licence of ZaakPay, which runs fintech company MobiKwik, allegedly due to its crypto partnerships and failure to meet the minimum net-worth criteria laid down in the Guidelines1.
Earlier this week (July 2022), Pine Labs, Razor Pay, Stripe and 1-Pay received in-principle approval from the RBI for their payment aggregator licenses. As per reports, the RBI has asked the companies that have received the in-principal approval to conduct an audit within the next six months to get the final sign-off. Getting the RBI’s nod for a payment aggregator’s licence essentially means that these entities will now be directly under the purview of the RBI while rendering payment services to merchants. This development will lead to a more standardised, centralised and regulated payments ecosystem, facilitating more secure, trustworthy and accessible digital payment options to the average person. The grant of the licence is crucial for payment companies to operate and be able to offer their platforms and technology solutions to merchants, who can then integrate it on their websites, thereby offering customers a myriad of payment options for their products and services by way of credit and debit cards, UPI, digital wallets, EMI, net banking, etc. The grant of the RBI licence to entities would mean the ability to do business and offer licenced payment services to other businesses. While the journey to receiving a payment aggregator license may be long and arduous for the applicants, the benefits reaped by the users cannot be overstated. The regulation of payment aggregators by the central bank is an essential step forward in strengthening the fiduciary relationship between payment aggregator and their customers, increasing the transparency of their operation and ensuring users that their hard-earned money is, in fact, in good hands.