The Reserve Bank of India (the "RBI"), vide its Circular dated March 17, 2020, has issued the 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' (the "Guidelines"),[1] through which, the RBI has decided to (a) regulate in entirety, the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways.
The Guidelines shall come into effect from April 1, 2020 other than the provisions with respect to obtaining an authorisation from the RBI thereunder and maintenance of minimum net-worth requirements, for which separate timelines have been prescribed (discussed below).
The RBI had, in September 2019, released a discussion paper on the aforesaid Guidelines[2] (the "Discussion Paper"), which recognized the crucial role of intermediaries like payment gateways and payment aggregators in electronic/ online payment methods, in particular, with respect to their role as a bridge between merchants and customers in the transaction flow in online payments, and specifically differentiated between those intermediaries that provide technology infrastructure to facilitate online payment processing without handling of funds, and those that facilitate merchants to receive payments from customers where such entities may handle funds.
In this regard, possible regulatory approaches for regulating payment aggregators and payment gateways in India were outlined under three categories: (1) continue with the extant instructions, i.e. indirect regulation of the RBI through the Payment and Settlement Systems Act, 2007 (the "PSSA") and the Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, 2009[3] ("Intermediary Guidelines"); (2) limited regulation of such entities on specific aspects pertaining to minimum net-worth, merchant on-boarding, timelines for settlement of funds, maintenance of escrow account, security and submission of returns to RBI; in addition to licensing/ registering in a phased manner, over a period of time; or (3) full and direct regulatory supervision of RBI pertaining to requirement of authorization, capital, governance, anti-money laundering (AML), know your customer (KYC), consumer grievance redressal and dispute management, security, fraud, risk management, and submission of reports to RBI.
Upon our review of the Guidelines, we note that the RBI has opted for the third approach, but only in the context of 'payment aggregators'.
3. KEY PROVISIONS OF THE GUIDELINES
3.1 Definition of payment aggregators and payment gateways
The Guidelines create a marked distinction between 'payment aggregators' and 'payment gateways', the differentiating criteria being the entity's involvement in the handling of funds. Consequently, payment gateways have been limited to entities which provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in handling of funds.
The definition of 'payment aggregators', on the other hand, provides a wider coverage and extends to all entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. Payment aggregators will now be recognized as entities which facilitate merchants to connect with acquirers and which, in doing so, receive payments from customers, pool and then transfer them on to the merchants after a time period.
3.2 Applicability of the Guidelines to payment aggregators
The Guidelines have been issued to regulate in entirety the activities of payment aggregators. In this regard, the RBI has also mandated payment aggregators to adopt the technology-related recommendations provided in the Guidelines. While the RBI has clarified that the domestic leg of import and export related payments facilitated by payment aggregators shall also be governed by these Guidelines, these Guidelines will not regulate Cash on Delivery (COD) payments.
The RBI, as a measure of good practice, has stated that payment gateways may adhere to the baseline technology-related recommendations provided in the Guidelines.
3.3 Authorisation for non-bank payment aggregators
The Guidelines require all existing non-bank entities offering payment aggregator services to seek an authorization from the RBI under the PSSA on or before June 30, 2021. They will, however, be allowed to continue their operations till they receive communication from the RBI regarding the fate of their application.
The Guidelines further provide that any entity seeking to make an application for authorization must be a company incorporated in India under the Companies Act 1956/ 2013 and shall ensure that the business activity of operating as a payment aggregator is covered under the scope of its memorandum of association. Here, the objectives of the RBI as highlighted in the Discussion Paper along with the detailed Guidelines are crucial for applicant entities to understand and as such, applicant entities would need to show how they conform to such objectives to the satisfaction of RBI, in order to get authorised in accordance with the Guidelines.
3.4 E-commerce marketplace entities providing payment aggregator services
E-commerce marketplaces providing payment aggregator services have been mandated to discontinue this activity before June 30, 2021. If such entities desire to pursue payment aggregator services, they can do so only through a separate business from the marketplace business, and shall apply for authorisation with the RBI on or before June 30, 2021 through the separate business.
3.5 Minimum net-worth requirements
The Guidelines prescribe strict minimum net-worth criteria, which if not complied with, will require the relevant entity to wind up its payment aggregation business. The obligation of monitoring and reporting non-compliance with these criteria has been bestowed upon banks maintaining escrow accounts of payment aggregation entities.
With regard to the above, payment aggregators existing as on March 17, 2020 are required to achieve a net-worth of INR 15 crore by March 31, 2021, and a net-worth of INR 25 crore on or before March 31, 2023, which must be maintained at all times thereafter.
New payment aggregators need to have a minimum net-worth of INR 15 crore at the time of application for authorisation and a net-worth of INR 25 crore by the end of third financial year of grant of authorization, which must be maintained at all times thereafter.
Non-bank payment aggregators are required to annually submit a certificate to the RBI evidencing compliance with the applicable net-worth requirement.
The net-worth requirements have been substantially reduced, as opposed to the Discussion Paper that had recommended a minimum net-worth requirement of INR 100 crore.
Lastly, the Guidelines require that the net-worth consist only of paid-up equity capital, preference shares that are compulsorily convertible to equity ("CCPS"), free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. In this regard, the CCPS can be either non-cumulative or cumulative and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.
3.6 Governance prescribed under the Guidelines
The Guidelines provide a comprehensive governance framework for payment aggregators, key elements of which have been summarised below:
- Payment aggregators should be professionally managed. To this extent, promoters of the payment aggregator entity shall need to satisfy the fit and proper criteria prescribed by the RBI. RBI shall also check the 'fit and proper' status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit.
- Any takeover or acquisition of control or change in management of a non-bank payment aggregator shall need to be promptly communicated to the RBI, in order to ensure compliance with the fit and proper criteria of the management.
- Payment aggregators will now have to enter into direct agreements with all merchants, acquiring banks and other stakeholders, which will need to delineate the roles and responsibilities of the involved parties in sorting/ handling complaints, refund/ failed transactions, return policy, customer grievance redressal (including turnaround period), dispute resolution mechanism and reconciliation etc.
- Payment aggregators will need to have a Board approved policy for disposal of complaints/ dispute resolution mechanism/ timelines for processing refunds etc. as per the RBI instructions on Turn Around Time for resolution of failed transactions.[4]
- Payment aggregators are required to appoint a nodal officer responsible for regulatory and customer grievance handling functions.
3.7 Applicability of KYC/ AML/ CFT provisions
The know your customer (KYC), anti-money laundering (AML)/ combating financing of terrorism (CFT) guidelines issued by RBI[5] shall apply mutatis mutandis to all entities, along with Prevention of Money Laundering Act, 2002 and Rules framed thereunder.
3.8 Merchant on-boarding
All payment aggregators are required to put in place a 'board approved policy' for merchant on-boarding that includes undertaking background and antecedent checks of the merchants, which includes the onerous obligation of ensuring that merchants on-boarded do not have the malafide intent to dupe customers and that they do not sell fake/ counterfeit products.
Another onerous responsibility placed on payment aggregators is to check the Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of each of the merchants on-boarded.
Importantly, merchant sites have been mandated not to save customer card and such related data. While the Guidelines specify governance responsibilities for merchants, the general obligation of ensuring the merchant's compliance therewith appears to be solely on the payment aggregator.
3.9 Settlement and escrow account management
The RBI has further provided some guidelines with respect to settlement and escrow account management, including a requirement that non-bank payment aggregators shall maintain the amount collected by them in an escrow account with a single scheduled commercial bank.
Amounts deducted from customer accounts are required to be remitted to the escrow account on T+0 or T+1 basis, with 'T' being date of debit to the customer's account against purchase of goods/services. The payment aggregator has to ensure that final settlement with the merchant is effected as follows:
- Where the payment aggregator is responsible for delivery of goods/services, no later than T+1 basis, 'T' being date of intimation by merchant about shipment of goods;
- Where the merchant is responsible for delivery of goods/services, no later than on T+1 basis, 'T' being date of confirmation by merchant of delivery of goods to customer;
- Where the agreement with merchant provides for the payment aggregator holding the amount till expiry of refund period, no later than T+1 basis, 'T' being date of expiry of refund period, as fixed by merchant.
All credits for reversed and refund transactions shall be routed back through the same escrow account, unless the merchant is responsible for managing refunds under the merchant agreement and the customer is aware of this arrangement.
The Guidelines list out the permissible credits into and debits from the escrow account. No interest shall be payable by the bank on balances maintained in the escrow account, except under certain circumstances outlined in the Guidelines. Importantly, the escrow account cannot be operated for 'cash-on-delivery' transactions, and settlement of funds with merchants must not be co-mingled with other business, if any, handled by the payment aggregator.
All payment aggregators shall submit a certificate signed by the auditor, to the regional office of the RBI, where the registered office of the payment aggregator is situated, certifying that they have been maintaining the balance in the escrow account in compliance with the Guidelines.
3.10. Customer grievance redressal and dispute management framework
The payment aggregators need to put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including the designation of a nodal officer to handle the customer complaints/ grievances and the escalation matrix. The nodal officer details shall be prominently displayed on the website of the payment aggregator.
3.11. Security, fraud prevention and risk management framework
As a part of the mandatory requirement of adopting the technology-related recommendations provided in the Guidelines, all payment aggregators are required to put in place adequate information and data security infrastructure and systems for prevention and detection of frauds, which must be aligned with their Board approved information security policy for safety and security of the payment systems operated by them. To this extent, payment aggregators are required to comply with data storage requirements as applicable to payment system operators,[6] which also includes obligations pertaining to data sovereignty.
Payment aggregators have additionally been directed not to store any customer card credentials within their database or server, which can be accessed by the merchant.
3.12. Other General Instructions
Payment aggregators can no longer provide an option for an ATM PIN as a factor of authentication for card-not-present transactions.
Further, payment aggregators must ensure that the extant instructions with respect to merchant discount rate are followed and must display upfront all information on other charges such as convenience fee, handling fee, etc., if any, being levied.
3.13. Payment Gateways
Payment gateways have been considered as 'technology providers' or 'outsourcing partners' of banks and non-banks, as the case may be, and have been advised to adopt the baseline technology-related recommendations provided in the Guidelines. To this extent, payment gateways may desire to adhere to the prescribed minimum standards in order to remain at par with similar IT and security standards adopted by non-bank payment aggregators and other stakeholders in the digital payment ecosystem. This practice of uniform adoption of IT requirements would address RBI's concern highlighted in the Discussion Paper with respect to variations in the technology architecture of various payment gateways and payment aggregators.
Bank payment gateways are further subject to RBI Guidelines on 'Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks'.[7]
4. INDUSLAW VIEW
Following up on the Discussion Paper, the Guidelines clearly indicate that the RBI has chosen the option of full and direct regulatory supervision of payment intermediaries. However, unlike the Discussion Paper, the RBI has chosen to comprehensively regulate only payment aggregators, albeit in the entirety of their activities. What remains unclear is whether the Intermediary Guidelines have been repealed by the Guidelines, to the extent they are applicable to payment aggregators and payment gateways.
What is also problematic is that in accordance with the Intermediary Guidelines, all intermediaries (including several e-commerce entities) currently collect consumer funds into nodal accounts – i.e. internal accounts of the banks where such accounts are not maintained or operated by the intermediaries, thereby not warranting any registration from the RBI. It seems onerous to suggest that all such entities will now be required to shift from nodal accounts to escrow accounts for the purpose of compliance of these Guidelines by the extremely short timeline of April 01, 2020.
In its Discussion Paper, the RBI had highlighted certain concerns with regard to consumer protection in online payment transactions, including customer confidence, lack of a proper and uniform redressal mechanism and the need for appropriate delineation of roles and responsibilities of different stakeholders. In response to these concerns, the RBI, vide the Guidelines, has strongly reinforced its objective of safeguarding consumer protection through several provisions, including the responsibility of payment aggregators to structure an effective consumer grievance redressal mechanism, appointment of nodal officer, obligation on payment aggregators to conduct a background check before merchant onboarding, and check compliance of merchants with PCI-DSS and PA-DSS, amongst other requirements.
The RBI's Circular issuing the Guidelines clearly indicates that the decision for introducing an authorisation requirement for non-bank payment aggregators is based on the crucial role such intermediaries play in handling of funds of consumers making online payments. This is evident by the differentiation in the definitions provided in the Guidelines, i.e. while payment aggregators have been defined to include those intermediaries involved in handling of funds (i.e. they receive payments from customers, pool and transfer them onto the merchants after a time period), payment gateways have been defined to only provide technology infrastructure without any involvement in handling of funds.
Adequate time has been provided for non-bank payment aggregators to apply for authorisation, i.e. on or before June 30, 2021 – which would allow such entities to reorganize and conform to this requirement in addition to the minimum net-worth thresholds. However, since other provisions of the Guidelines are effective from April 1, 2020, the RBI should give all payment aggregators a reasonable time period to comply with the Guidelines, so that the operations of payment aggregators are not disrupted during this period of transition and compliances.
Lastly, the reduction in the minimum net-worth requirement is a welcome step as it eases the financial burden on smaller players in this space, encouraging entry into and maintaining a level playing field in the payment aggregation space.