On March 17, 2020, the Reserve Bank of India ("RBI") issued guidelines on the Regulation of Payment Aggregators and Payment Gateways (the "Guidelines"). The Guidelines have been issued under the Payment and Settlement Systems Act, 2007 ("the Act"). The Guidelines propose to regulate the activities of payment aggregators and payment gateways in India and shall come into effect on April 01, 2020.
- Payment Aggregator - entities that facilitate e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations without the requirement for merchants to create a separate payment integration system of their own. Payment Aggregators facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants.
- Payment Gateways - entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.
The salient features of the Guidelines are:
- The Guidelines and technology stipulations are strictly applicable to all payment aggregators, whereas payment gateways are only required to adhere to the technology-related recommendations as a good practice measure and comply with the RBI guidelines on outsourcing of financial services.
- Payment aggregators are required to obtain a licence from the RBI to carry on the activity of a payment aggregator in India. Existing payment aggregators have been granted time until June 30, 2021 to apply for the licence and have been permitted to continue their activities until their applications are decided on. Since banks provide payment aggregator services as part of their routine services, they are not required to additionally obtain this licence.
- Entities regulated by any financial sector regulator (for example, the Securities Exchange Board of India) must obtain a 'No Objection Certificate' from their respective regulator prior to making the application with RBI.
- The payment aggregator must be a company incorporated in India and its charter documents must specifically mention the activity of operating as a payment aggregator.
- The Guidelines impose certain capital and net-worth requirements on non-bank payment aggregators which they are required to achieve within a three-year time frame, which are:
  - For existing payment aggregators, a net-worth of INR 150 million which is to be achieved by March 31, 2021 and a net-worth of INR 250 million on or before March 31, 2023.
  - For new payment aggregators, a minimum net-worth of ₹150 million at the time they apply for the licence and a net-worth of ₹250 million by the end of the third financial year from the date of grant of licence.
- Payment aggregators are required to submit to the RBI certificates from their chartered accountants evidencing compliance with the net-worth requirements.
- Payment aggregators are required to have board-approved policies for disposal of complaints, dispute resolution, processing refunds, merchant on-boarding, information security etc.
- Appointment and display of details of a nodal officer responsible for regulatory and customer grievance is mandatory.
- Payment aggregators are required to maintain the amounts collected by them in an escrow account with only one scheduled commercial bank, at a given point in time.
- The Guidelines provide for specific instances when monies can be debited and credited from the escrow account. There are also separate time frames within which the amounts debited from the customer must be remitted to the escrow account and to the merchant for final settlement.
- The monies dealing with the settlement of funds with merchants cannot be combined with any other business carried on by the payment aggregator.
- Payment aggregators cannot store the customer card credentials within their database or the server which is accessible by the merchant and are required to comply with the data localization norms as applicable to payment system operators i.e., storage of complete end-to-end transaction data in systems only in India and deletion of any data processed abroad and bringing the same back to India within 24 hours.
- Payment aggregators are required to comply with the RBI regulations on Know your customer (KYC), Anti money laundering (AML), etc.
- RBI also requires payment aggregators to inform RBI of any takeover or acquisition of control or change in management of a non-bank payment aggregator within 15 days with complete details.
- Payment aggregators must ensure that the instructions with regard to Merchant Discount Rate (MDR) i.e., rates charged by payment aggregators for payment processing services on transactions, are followed.
- The Guidelines provide for specific IT security related requirements such as: (i) risk assessment of systems, processes, merchants, vendors etc., (ii) compliance with data security standards (PCI-DSS etc.), (iii) security incident reporting, (iv) security assessment while onboarding merchants, (v) cyber security audits and reports, (vi) review of information security policy annually, (vii) maintenance of IT policy for management of IT functions, (viii) formation of IT Steering committee for implementing IT strategies, (ix) preparation of crisis management plans, (x) data security in outsourcing etc. These are mandatorily required to be followed by payment aggregators and should be followed as a good practice by payment gateways.
- There are also stringent reporting obligations imposed on the payment aggregators.
Prior to the issuance of the Guidelines, payment aggregators were required to adhere to the directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries ("Directions") issued by the RBI in 2009.
Under the 2009 Directions, the settlement of amounts with the merchant was to take place only on completion of the transaction with the customer. Merchants and customers had the freedom to decide when a particular transaction would be complete. The new Guidelines impose obligations on payment aggregators to settle amounts not upon completion of the transaction but based on other factors such as - the date of intimation by the merchant of delivery of goods to the customer, intimation of shipment of goods to the aggregator and expiry of refund period (wherever agreed).
The new Guidelines also require that payment aggregators undertake a thorough background and antecedent check of the merchants to ensure that merchants do not have malafide intentions of cheating customers, selling fake / counterfeit / prohibited products, etc. Further, the merchant's website is required to indicate the terms and conditions of the service and timeline for processing returns and refunds. These are additional measures which the payment aggregator is required to comply with, which were not covered within the 2009 Directions.
Given the boom in digital payments, the RBI has recently been more focused on regulating the payments sector in India, more so where intermediaries are involved. Further, the Government of India has recently mandated companies with turnover of more than INR 500 million to provide payment facility to customers using RuPay debit cards and UPI and has also mandated the waiver of merchant discount rates charged on transactions through RuPay or UPI. The government has in effect taken away a substantial revenue stream for these payment aggregators. In February 2020, payments through UPI constituted INR 2,200 billion of payment transactions in India, which shows the extent of revenue loss that is likely to occur on waiver of the MDR. With these restrictions in place, and the imposition of additional obligations on payment aggregators such as maintenance of net worth requirements imposed by the Guidelines, it remains to be seen how payment aggregators will be able to innovate and grow in the market.