In a long-awaited move, the Reserve Bank of India (RBI) recently released its guidelines for the regulation of payment aggregators and gateways. These guidelines were issued exactly six months after the RBI published its initial discussion paper, which proposed, for the first time, several possible approaches to regulate payment intermediaries. While several industry players have welcomed the RBI's announcement as a step in the right direction, a closer look at the guidelines raises several unsettling questions.

What happens to old-fashioned intermediaries?

The RBI has, to everyone's relief, distinguished between pure-play technology providers (payment gateways) and more involved players (payment aggregators). The regulator has chosen to limit the scope of the guidelines to the latter, i.e. entities that are actively involved in the flow of funds during payment transactions. However, these guidelines don't explicitly supersede or replace the RBI's 2009 circular on payment intermediaries which required money collected by intermediaries on behalf of merchants to be stored in 'nodal accounts'. As a result, it remains unclear whether entities that aren't necessarily payment aggregators but are nevertheless involved in the fund flow (several e-commerce platforms, for instance) would continue to be bound by the RBI's 2009 circular. If these two regulations are meant to co-exist and operate in parallel, a customer's funds would first flow through the payment aggregator's escrow account, and then through an intermediary's nodal account, before finally reaching the merchant. Stakeholders in the digital payments space would need to carefully consider the impact of such structures on their settlement timelines and user experience.

What are the timelines for implementation?

A major concern raised by several stakeholders is the timeline prescribed by the RBI for compliance. While the regulator has given existing payment aggregators and e-commerce platforms time until June 30, 2021 to apply for authorisation under the Payment and Settlement Systems Act, 2007, it appears as though these entities would need to comply with the substantive requirements of the guidelines from April 01, 2020. As a reminder, these requirements include opening an escrow account for pooling funds, ensuring PCI-DSS and PA-DSS compliance, and implementing a robust corporate governance and information security framework. Needless to say, a comprehensive overhaul of an aggregator's corporate, commercial and technical architecture, in the manner proposed under the guidelines, requires significant time. In this context, an effective timeline of less than two weeks appears patently unreasonable.

What happens to merchant onboarding?

The RBI's guidelines seek to impose several obligations on payment aggregators regarding merchant on-boarding. An aggregator is now required to carry out a background check on each merchant that it on-boards to protect customers from mala fide merchants. The aggregator would also need to obtain periodic security assessment reports from merchants to verify their technical capabilities and data privacy standards. While such obligations appear innocuous, or even beneficial at first sight, several stakeholders expect them to have an extremely detrimental impact on the industry's growth. Around the world, payment aggregators act as mere intermediaries whose functions are limited to facilitating transactions between willing participants. In contrast, the proposed merchant on-boarding requirements require payment aggregators to act as sentries, or watchdogs looking out for consumer interests. These obligations are ill-suited for the role played by aggregators in the payment ecosystem. They would only increase the cost of compliance and hinder the merchant acquisition process, without having any appreciable impact on consumer welfare. As a result, a fintech start-up launching a payment app would be bogged down by requirements to verify the antecedents and IT frameworks of (typically) much larger e-commerce merchants and platforms. It may also be noted that such merchants are likely to have undergone detailed due-diligence and KYC processes while opening their respective bank accounts. What more a payment aggregator's due diligence is likely to achieve is presently unclear.

What about KYC/AML obligations?

The guidelines state that the RBI's existing directions on know your customer (KYC) / anti-money laundering (AML) / combating financing of terrorism (CFT) would apply mutatis mutandis to all payment aggregators. The RBI hasn't, however, clarified how and to what extent a payment aggregator, an entity that only interacts with customers for the purpose of collecting payments, would be expected to comply with the said KYC obligations. This ambiguity has existing payment companies worried. Requiring such entities to conduct any form of verification or due diligence on individual customers would be disastrous and would introduce significant friction to the digital payment process.

While the guidelines certainly provide clarity on some matters that have haunted the Indian payments ecosystem, the regulator would need to follow-up with more detailed regulations to address the concerns and questions listed above. To ensure a smooth transition to the new licensing framework, the RBI could consider providing immediate clarity through FAQs, a tool that the regulator has put to good use in the recent past.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.