On March 17, 2020, the Reserve Bank of India (“RBI”), India’s central bank, released guidelines (“Guidelines”) for the regulation of payment aggregators (“PAs”) and payment gateways (“PGs”). The Guidelines, issued under section 18 read with section 10(2) of the Payment and Settlement Systems Act, 2007 (“PSSA”), came into effect on April 1, 2020, and regulate the operations of PAs and PGs. Before this, RBI regulated PAs only indirectly, through the banks that maintained the accounts of these intermediaries. This write-up gives an overview of the Guidelines and their impact on the payments sector.
2. Definition of PAs and PGs
- A PA is a legal entity that enables e-commerce websites and merchants to accept various payment instruments from customers. PAs receive payments from customers, pool them, and then transfer them on to the merchants/e-commerce websites, as the case may be. As per the Guidelines, a PA must be incorporated as a company under the Companies Act, 1956/2013.
- PGs are the platforms used by PAs that provide the technology infrastructure to route and facilitate the processing of an online payment.
3. Applicability of Guidelines
- Mandatory for both bank and non-bank PAs.
- Covers domestic leg of import and export related payments facilitated by PAs.
- Not applicable to PGs but they are advised to adopt baseline technology recommendations provided under Annex 2 of the Guidelines.
- Bank PGs will be governed by the guidelines dated November 3, 2006, on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks”.[1]
- Until now, PAs were treated as “intermediaries” under the Directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries dated November 24, 2009. Those directions defined “intermediaries” to include all entities that collect monies through electronic/online payment modes and facilitate their transfer to merchants.
- RBI has not issued any notification revoking the 2009 directions, though they are likely to be superseded by the current Guidelines in due course.
4. Registration and Eligibility
Registration:
- Bank PAs do not have to apply for RBI approval.
- Non-Bank PAs have to apply for authorization from RBI under “Form A” of the PSSA.
- Existing PAs need to apply on or before June 30, 2021.
- E-commerce marketplaces have to demarcate PA services from the marketplace business before applying for authorization, failing which they would not be allowed to operate after June 30, 2021.
Eligibility:
- Existing PAs that achieve a net-worth of INR 15 crores[2] by March 31, 2021, are eligible for authorization.
- New PAs must have a net-worth of INR 15 crores at the time of application for authorization.
- PAs should achieve a net-worth of INR 25 crores[3] by the end of the third financial year (March 31, 2023 for existing PAs), which shall be maintained at all times thereafter.
- Net-worth consists of paid-up equity capital, preference shares that are compulsorily convertible to equity, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets. The reserves created by revaluation of assets would not be taken into account.
5. Policies & Governance
- PAs should be professionally managed. The promoters have to satisfy the “fit and proper criteria” prescribed by the RBI, i.e. they should have at least 10 years of experience in the sector, sound credentials and integrity, and a successful track record.
- If there is any change in the management of a non-bank PA due to a takeover or acquisition of control, the change has to be communicated to the Chief General Manager (DPSS), RBI, within 15 days.
- PAs need to have a board-approved policy for merchant on-boarding, customer grievance (comprising disposal of complaints/dispute resolution mechanism/timelines for processing refunds, etc.), information security[4] and IT.
6. Merchant On-Boarding
- PAs have to undertake background checks of merchants to ensure that they have no mala fide intention of defrauding customers.
- PAs have to ensure that merchants comply with the Payment Card Industry Data Security Standard (PCI-DSS)[5] and the Payment Application Data Security Standard (PA-DSS)[6] and do not store customer card data.
- The PAs should obtain periodic security assessment reports from the merchants.
7. Money Laundering
- The provisions of the Prevention of Money Laundering Act, 2002 and the Know Your Customer (KYC)/Anti-Money Laundering (AML)/Combating Financing of Terrorism (CFT) guidelines issued by RBI in its “Master Direction – Know Your Customer (KYC) Directions” apply to all PAs.
8. Dispute Resolution
- A publicly disclosed customer grievance redressal and dispute management framework has to be put in place.
- A nodal officer has to be appointed for handling customer grievances. Details of the officer should be visible on the PA’s website.
- In their agreements with merchants, acquiring banks and other stakeholders, PAs should delineate the roles and responsibilities of parties involved in sorting/ handling complaints, refund/ failed transactions, return policy, customer grievance redressal, dispute resolution mechanism, reconciliation, etc.
- The policy for consumer dispute resolution must conform to the RBI instructions dated September 20, 2019, on “Turn Around Time (TAT) for resolution of failed transactions.”[7]
9. Settlement and Escrow Account Management
- Non-bank PAs have to maintain the amount collected by them in an escrow account with any one scheduled commercial bank.
- PAs can pre-fund the escrow account with their own/ merchant’s funds.
- No interest is payable by the bank on the escrow balance, except where the PA agrees with the bank maintaining its escrow account to transfer the “core portion” of the escrow balance to a separate account on which interest is payable. The core portion is the average of the lowest outstanding balance in the escrow account in each of 26 fortnights.
- If the PA is responsible for the delivery of goods/services, payment to the merchant should be made no later than the day after the merchant intimates the PA of the shipment of goods.
- Where the merchant is responsible for delivery, payment to the merchant should be made no later than on a Td + 1 basis.[8]
10. Risk Management Framework
- A data security infrastructure and system for prevention and detection of frauds has to be put in place.
- Incidents of cyber breach should be reported to DPSS and CERT-In.
- PAs have to submit a System Audit Report, including a cyber security audit within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.
- PAs cannot place limits on transaction amount for a particular payment mode.
- All refunds have to be made to the original method of payment unless the customer specifically agrees to a credit to an alternate mode, for instance the merchant’s e-wallet.
- PAs cannot provide ATM PIN as a factor of authentication for card-not-present (CNP)[9] transactions.
- PAs cannot store the customer card credentials within their database or the server accessed by the merchant.
- The data storage requirements in RBI’s notification dated April 6, 2018, have to be complied with. It requires all payment-related data[10] to be stored in systems located in India. Where payment processing is done abroad, the data must be deleted from the systems abroad and brought back to India no later than 24 hours after payment processing. These directions apply to bank PAs as well.
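The storage prohibitions in sections 6 and 10 (merchants must not store customer card data, PAs must not store card credentials, and PA-DSS forbids storing CVV2, PIN and magnetic-stripe data) translate in practice into a scrub step applied to every record before it is written to a database or log. The following Python example is added here for illustration; it is not part of the Guidelines or of this bulletin. The field names, the "first six / last four" masking convention and the sample record are assumptions made for the example, not anything the Guidelines prescribe.

```python
import re

# Fields PA-DSS/PCI-DSS treat as sensitive authentication data: never stored,
# so they are dropped outright. Field names are assumed for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2", "magstripe"}
# Fields holding a primary account number (PAN); kept only in masked form.
PAN_FIELDS = {"pan", "card_number"}

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent
# to further digits: the shape of a PAN typed into a free-text field.
_PAN_LIKE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell a PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (common PCI masking rule)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("value does not look like a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask Luhn-valid PAN-like digit runs inside free text; leave other numbers alone."""
    def _repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return _PAN_LIKE.sub(_repl, text)


def scrub(record: dict) -> dict:
    """Return a copy of `record` that is safe to persist or log."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                      # sensitive authentication data: drop
        if k in PAN_FIELDS and isinstance(value, str):
            out[key] = mask_pan(value)    # PAN: mask
        elif isinstance(value, dict):
            out[key] = scrub(value)       # recurse into nested objects
        elif isinstance(value, str):
            out[key] = redact_text(value) # catch PANs leaked into free text
        else:
            out[key] = value
    return out


# Constructed sample record; the card number is a well-known test PAN, not real data.
SAMPLE_RECORD = {
    "txn_id": "TXN-0001",
    "amount": 1499.00,
    "card": {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/26",
        "cvv2": "123",
        "track2": ";4111111111111111=26121010000000000?",
    },
    "note": "customer read out card 4111-1111-1111-1111 on call; order ref 1234567890123456",
}

if __name__ == "__main__":
    print(scrub(SAMPLE_RECORD))
```

Applied to the sample, `scrub()` drops `cvv2` and `track2` entirely, stores the PAN as `411111******1111`, and masks the card number repeated in the free-text note while leaving the 16-digit order reference untouched because it fails the Luhn check. Running the same function over a record just before logging is the simplest way to keep an audit trail from becoming a card-data store.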
11. Baseline Technology-related Recommendations (Annexure 2)
- Mandatory for PAs and recommended for PGs.
- PAs should conduct a comprehensive security risk assessment of their people and of the merchants they on-board to identify risk exposures, and the report shall be presented to the Board.
- Monthly cyber security incident reports with root cause analysis and preventive actions undertaken have to be submitted to the RBI.
- An IT Steering Committee and an Enterprise Information Model should be established.
- An Enterprise Data Dictionary incorporating the organization’s data syntax rules has to be maintained.
- Cryptographic requirement: Only encryption algorithms that are well established according to international standards can be used.
12. Impact on industry
- By bringing non-bank PAs under its regulation, RBI is attempting to formalise the PA sector. RBI’s main objective behind the Guidelines is to minimize fraud and protect customers’ interests. Placing the burden on PAs to ensure that merchants are genuine and have no mala fide intent will go a long way in eliminating dishonest merchants from the market, thereby protecting customers.
- Prohibiting PAs from asking customers for their ATM PIN as an authentication option for online payments limits the damage to customers if their card data and PIN are compromised, since the PIN can no longer be used to authorise a card-not-present transaction.
- Guidelines direct PAs to credit refunds back to the original payment source and not into the e-wallet account. Earlier, refunds were credited to e-wallet which made it difficult for customers to use those funds elsewhere.
- Although RBI has lowered the required net-worth from INR 100 crores[11] (as discussed in its working paper) to INR 25 crores, this will still be out of reach for small entities (like startups) looking to enter the market. Many existing players will also have to leave the market if they fail to meet the net-worth requirements. Further, small companies operating as PAs would find it challenging to implement the mandatory baseline technology recommendations, as the implementation cost is high. This may reduce competition in the market and lead to an oligopoly, which can hamper the interests of merchants in the long run.
- RBI’s requirement to maintain the escrow account with a single bank could prove troublesome at a time when banks are suffering from frauds and NPAs. Without any secondary banking partner, a PA’s system uptime will depend on the uptime of that one bank’s systems.
- The Guidelines bring a significant development in the Indian fintech ecosystem and ensure that the overall interest of consumers is well protected.
This Bulletin is prepared by Bhoomika Agarwal, a third-year student at Amity Law School, GGSIP University, Delhi, who is pursuing her internship at PSA (under the guidance of Dhruv Suri, Partner).
[1] As per these guidelines, banks do not require RBI approval to outsource services, but the bank remains liable for any outsourced activity. The guidelines explain the role of the Board and senior management in outsourcing, and require banks to have a Board-approved outsourcing policy and a grievance redressal mechanism in place to address customer complaints.
[2] US$ 2M approx.
[3] US$ 3M approx.
[4] For the safety and security of the payment systems operated by them.
[5] A set of security standards designed to ensure that all companies that accept, process, store or transmit card information maintain a secure environment.
[6] A security standard for software vendors that develop payment applications. The standard aims to prevent the storage of prohibited sensitive authentication data (CVV2, PIN, full magnetic-stripe data).
[7] It stipulates the time period (TAT) within which money has to be credited back to the customer’s account in case of a failed transaction. If the TAT is not met, the entity has to pay compensation. For e-commerce transactions where the customer’s account is debited but confirmation is not received at the merchant’s system, the amount has to be reversed within 5 days of the failed transaction, failing which the entity has to pay INR 100 per day to the account holder.
[8] Td is the date of confirmation by the merchant to the intermediary of delivery of the goods to the customer.
[9] A CNP transaction occurs when the buyer and the card (credit/debit) are not physically present at the point of purchase, as in online shopping.
[10] The data includes end-to-end transaction details and information pertaining to a payment or settlement transaction that is gathered/transmitted/processed as part of a payment message/instruction. This may, inter alia, include customer data (name, mobile number, email, Aadhaar number, PAN number, etc., as applicable); payment-sensitive data (customer and beneficiary account details); payment credentials (OTP, PIN, passwords, etc.); and transaction data (originating and destination system information, transaction reference, timestamp, amount, etc.).
[11] US$ 13M approx.