Introduction

India has experienced a phenomenal growth in digital payment transactions in the last few years. Online or digital payments between customers and providers of goods and services (merchants) are facilitated through intermediaries such as 'Payment Aggregators' (PAs) and 'Payment Gateways' (PGs). These entities provide the technological infrastructure to route and/or facilitate processing of digital transactions between the customers and the merchants without actually handling the funds[1].

With the aim of regulating electronic payments involving intermediaries, the Reserve Bank of India (RBI) issued the "Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries" of 24 November 2009 (Erstwhile Circular) to set out the guidance in relation to setting up and operation of PAs and PGs. The Erstwhile Circular did not require PAs and PGs to obtain an authorisation from the RBI; it stipulated an obligation on banks to maintain nodal accounts with these intermediaries and also provided timelines for settlement of credits and debits.

In view of the expansive growth of digital payments as a result of innovation, fintech evolution and expansion in e-commerce activities, the RBI released a Discussion Paper[2] addressing various facets of the activities of PGs and PAs. This Discussion Paper also set out various options regarding the regulation of such entities. After analysis of the feedback received on the Discussion Paper, the RBI issued the "Guidelines on Regulation of Payment Aggregators and Payment Gateways" of 17 March 2020, effective from 01 April 2020 (Guidelines), thereby providing an extensive framework governing PAs including, inter alia, the net-worth and other registration requirements, requisite corporate governance measures, security standards to be followed and periodical reporting requirements.

Definition of PAs and PGs

The Guidelines define a PA as an entity that facilitates e-commerce sites and merchants to accept various payment instruments from the customers, and receives, pools and transfers such funds to merchants after a specified time period[3]. The Guidelines now require PAs to be authorised by the RBI and set out a regulatory framework for PAs, merchants and other stakeholders involved with the PA.

On the other hand, the Guidelines define PGs to be entities which act as 'technology providers' or 'outsourcing partners' of banks and non-bank entities, and the Guidelines do not require PGs to be registered with the RBI. However, the Guidelines provide that PGs should be engaged in compliance with the outsourcing framework of the RBI set out under the "Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks" of 3 November 2006, and recommend that such PGs comply with the baseline technological recommendations set out under the Guidelines[4].

Requisites for Registration

The Guidelines create a distinction between banks and other entities providing PA services and stipulate that banks providing PA services as part of their normal banking relationship will not require a separate authorisation from the RBI[5]. However, all non-banking entities operating as PAs are required to obtain registration as an authorised payment system under the Payment and Settlement Systems Act 2007 by 30 June 2021.

The requirements to be fulfilled for registration as a PA are summarised below:

a) The PA should be a company incorporated in India under the Companies Act 2013 (or the erstwhile Companies Act 1956);

b) The memorandum of association of the applicant PA must cover the proposed activity of operating as a PA;

c) Existing PAs seeking authorisation are required to have a minimum net-worth of ₹15 crore by 31 March 2021, and a net-worth of ₹25 crore by 31 March 2023. New PA entities are required to ensure a minimum net-worth of ₹15 crore at the time of application for authorisation and attain a net-worth of ₹25 crore by the end of the third financial year from grant of authorisation by the RBI. Applicant PAs are required to submit a chartered accountant certificate evidencing compliance with the net-worth requirement stipulated under the Guidelines[6];

d) Applicant PAs regulated by other financial sector regulators are required to obtain a 'No Objection Certificate' from their respective regulators. The registration application is required to be made within 45 days of obtaining such clearance.

Segregation between e-commerce and PA activities

The Guidelines stipulate that e-commerce entities providing PA services shall not continue this activity beyond 30 June 2021. However, such e-commerce entities may obtain authorisation to act as PA by segregating their e-commerce activities from their PA activities, before applying for PA authorisation.

Escrow Account

PAs are required to have an escrow account for parking of funds with only one scheduled commercial bank[7]. In this regard, PAs are required to have written arrangements with such banks for providing escrow account services in compliance with the provisions of the Guidelines.

Merchant Related Obligations

PAs are required to enter into written agreements with merchants for provision of services, stipulating, inter alia, security and privacy of customer data, compliance with the PCI-DSS norms and incident reporting obligations[8]. PAs are required to undertake due diligence of the merchants and ensure that the merchant is not involved in selling prohibited or fake items. Further, the PA is also required to ensure that the merchant's website does not save customers' card details and other related data.

Corporate Governance

The Guidelines stipulate that PAs are required to comply with the following norms while operating their business:

a) Promoters are required to be 'fit and proper' per the criteria prescribed by the RBI[9];

b) PAs are required to have board-approved policies on customer grievance/dispute resolution, timelines for processing of refunds, information security and merchant on-boarding[10];

c) PAs are required to disclose comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on their website and/or their mobile application;

d) Prior approval of the RBI is required for takeover or acquisition of control or management of the non-bank PA entity;

e) PAs are also required to comply with KYC norms stipulated under applicable law[11];

f) PAs are not permitted to store the customer card credentials within their database or the server accessed by the merchant, and are required to comply with data storage requirements as applicable to payment system operators[12];

g) PAs are required to establish a mechanism for monitoring, handling and following up of cyber security incidents and breaches, and also to ensure timely reporting to CERT-In as per applicable guidelines[13];

h) In the event of occurrence of a cyber security incident, PAs are required to submit a cyber security incident report to the RBI, with a root cause analysis and the preventive actions undertaken, by the 7th day of the month following the month of the incident[14].

Customer Grievances

PAs are required to put in place a formal, publicly disclosed customer grievance redressal and dispute management framework. Further, PAs are required to designate a nodal officer to handle customer complaints/grievances, whose details are required to be published on the PA's website[15].

Periodical Filings

The Guidelines set out the periodical filings that are required to be completed by a PA, including, inter alia, filing of an annual net-worth certificate and cyber security audit report, quarterly submission of auditors' and bankers' certificates on details of the escrow account, and monthly submission of transaction statistics[16].

Concluding Remarks

The Guidelines seek to provide norms on regulation of PAs and limited regulation of PGs. The Guidelines can be seen as an attempt by the RBI to address the emerging concerns towards data privacy and cyber security related incidents, given the increase in digital transactions in India, following demonetisation. The Guidelines further provide comfort to customers and merchants to engage in digital transactions through duly regulated entities, which are required by law to ensure security of customer data.

Many stakeholders believe that the Guidelines have been issued at an apt time, as India is expected to observe a peak upsurge in digital transactions. The reaction of the market participants with respect to increased regulatory oversight, however, remains to be seen.

Footnotes

1. ¶2.2 of the Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators issued by RBI.

2. Ibid.

3. ¶1.1.1 of the Guidelines.

4. ¶1.1.2 of the Guidelines.

5. ¶3 of the Guidelines.

6. ¶4 of the Guidelines.

7. ¶8 of the Guidelines.

8. ¶7 of the Guidelines.

9. ¶5.1 of the Guidelines.

10. ¶5.1 and ¶7.1 of the Guidelines.

11. ¶6 of the Guidelines.

12. ¶10 of the Guidelines.

13. Ibid.

14. Annex 3 of the Guidelines.

15. ¶9 of the Guidelines.

16. Annex 3 of the Guidelines.
