The RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways (the “Guidelines”) define Payment Aggregators as “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. Payment Aggregators facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.”
Payment Aggregators differ from Payment Gateways in that Payment Gateways provide the technology that supports or provides infrastructure for facilitating online payments. Unlike Payment Aggregators, Payment Gateways have no role in the handling of funds.
The Guidelines are applicable to Payment Aggregators, who are required to adopt the technology-related recommendations provided therein. The Guidelines also apply to the domestic half of import- and export-related payments facilitated by Payment Aggregators.
In this article, we discuss in detail the process of authorization of Payment Aggregators, the key regulatory compliances, the grey areas, and other points worth knowing.
AUTHORIZATION OF PAYMENT AGGREGATORS
Clause 3 of the Guidelines lays down the criteria of authorization of Payment Aggregators which has been arrived at based on the role of the intermediary in handling the funds.
Since banks provide Payment Aggregator services as part of their ordinary course of business, they do not require a separate authorization from RBI to provide services as a Payment Aggregator.
The Guidelines further prohibited e-commerce marketplaces from providing Payment Aggregator services beyond June 30, 2021 unless they separated the Payment Aggregator services from the marketplace business and applied for authorization on or before that date.
Non-bank Payment Aggregators require an authorization from RBI under Section 4 of Payment Settlement Systems Act, 2007. Non-bank entities currently providing Payment Aggregator services shall apply for authorization on or before the said date.
Process of Authorization from RBI
An application in Form A, attached with the Guidelines, shall be submitted to the Department of Payment and Settlement Systems, Mumbai by any entity seeking an authorization from RBI under the Payment Settlement Systems Act. Applicants regulated by a financial sector regulator shall, in addition to Form A, submit a “No Objection Certificate” from the respective sector regulator and the entire process has to be within 45 days of clearance from the said regulator.
The necessary documents for obtaining a Payment Aggregator license are Certificate of incorporation of Company, PAN Card or Address Proof of the directors, the director’s DSC and DIN, address proof of the place of business of the company, details of the bank account of the company, its business plan for five years and code testing report by a software agency.
KEY REGULATORY COMPLIANCES
- Capital Requirements
Initially, the existing Payment Aggregators were required to attain a net-worth of Rs. 15 Crores by March 31, 2021. However, presently, they should achieve a net-worth of Rs. 25 Crores by March 31, 2023, which shall be maintained at all times thereafter.
For authorization, a new Payment Aggregator shall now have a net-worth of minimum Rs. 15 Crores at the time of application. However, it shall attain a net-worth of Rs. 25 Crores by the end of the third financial year starting from the year of grant of authorization.
The net worth consists of paid-up equity capital, compulsorily convertible preference shares, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets, intangible assets’ value and deferred expenditure, if any. It shall not include reserves created by revaluation of assets adjusted for accumulated loss balance.
Consolidated Foreign Direct Investment policy and the foreign exchange management regulations shall govern the entities having Foreign Direct Investment. In case of non-banking aggregators, they have to submit a certificate, showcasing compliance with required net-worth, annually to RBI.
Payment Aggregators unable to meet the net-worth requirements have to wind up their Payment Aggregator business. The burden of monitoring Payment Aggregators' compliance with the net-worth threshold is on the banks that maintain their nodal/escrow accounts.
- Governance of Payment Aggregators
The RBI Guidelines lay down a comprehensive framework for the governance of Payment Aggregators. The Payment Aggregators shall be professionally managed and their promoters shall satisfy the ‘fit and proper’ criteria prescribed by RBI.
The “fit and proper” status of the applicant and its management shall be inspected by RBI with the help of inputs from other regulators or Government departments.
Any change in management through a takeover or acquisition of control or any other means shall be communicated to the Chief General Manager of the Department of Payment and Settlement Systems, RBI. The communication has to be done within 15 days of the change in management and should be accompanied with complete details including the ‘Direction and Undertaking’ of the new directors.
The agreements between the Payment Aggregators, merchants, acquiring banks and other stakeholders shall clearly delineate each party’s role and responsibility. The Payment Aggregators are required to disclose all the relevant information related to merchant policies, customer grievances and other terms on their website or applications.
The Payment Aggregators are also required to have a Board-approved policy for disposal of complaints, dispute resolution mechanism, timelines for processing refunds, etc., as per the notification of RBI on Harmonization of Turn Around Time (TAT) and Customer Compensation for Failed Transactions Using Authorized Payment Systems.
A Nodal Officer has to be appointed for regulating and handling customer grievances and the officer’s details shall be displayed on the website.
- Anti-Money Laundering
Payment Aggregators have to mandatorily follow all the requirements set out in RBI’s Master Direction – Know Your Customer Directions, which have been discussed in our previous blog. The requirements under the Prevention of Money Laundering Act, 2002, insofar as they are applicable to banks, financial institutions and other payment system providers, shall be applicable to Payment Aggregators.
- Merchant On-boarding
All Payment Aggregators are mandated to have a Board-approved policy for merchant on-boarding. The Aggregators are required to undertake background and antecedent checks of the merchants to prevent them from defrauding the customers or selling prohibited products. It is the responsibility of the Payment Aggregator to check the Payment Card Industry-Data Security Standard and Payment Application Data Security Standard compliance of the infrastructure of the merchants on-boarded.
- Settlement and Escrow Account Management
In line with the objectives of the Guidelines, RBI has included stringent requirements for Payment Aggregators to maintain an escrow account. A non-bank Payment Aggregator is required to maintain an escrow account, for the amount collected by it, with any scheduled commercial bank.
The escrow account can be used for credit and debit transactions; however, it cannot be used for COD transactions. Permitted credit transactions include payment from customers as consideration for goods/services, pre-funding by merchants, transfer representing refunds for failed, disputed or returned transactions and payments received for onward transfer to merchants under promotional activities.
On the other hand, debit transactions include payment to merchants or service providers, payment made on specific directions of the merchant, transfer representing refunds for failed or disputed transactions, payment at pre-determined rates to intermediaries and payment of amount received under promotional activities.
The bank is not liable to pay interest to the Payment Aggregators for the balances maintained in the escrow account except in cases where the Payment Aggregator enters into an agreement with the bank to transfer a “core portion” of the amount from the escrow account to a separate account. The Guidelines lay down the method of calculating the “core portion”, which has to be verified by the banks.
- Security, Fraud Prevention and Risk Management Framework
In order to protect the consumers from potential fraud, the Payment Aggregators are mandated to put in place a strong risk management system and data security infrastructure. A Board approved security policy shall be put in place for the security and safety of the payment systems operated by the Payment Aggregators. Additionally, a mechanism for monitoring, handling, and following up of cyber-security incidents and breaches shall be established.
The Payment Aggregators are strictly restrained from storing customer card credentials on their database or the server accessed by the merchant. They are further required to comply with the data storage requirements as applicable to Payment System Operators under the Payment and Settlement Systems Act. They also shall localize all payment data in India under the conditions stipulated in the RBI Notification on Storage of Payment System Data.
A mechanism for monitoring, handling and following up cyber security incidents and breaches shall be established. Such incidents and breaches shall be reported to the Department of Payment and Settlement Systems and CERT.
- Consumer Grievance Redressal and Dispute Management
A formal, publicly disclosed Customer Grievance Redressal and Dispute Management Framework, along with a Nodal Officer for handling the customer grievances, shall be mandatorily put in place by the Payment Aggregator. Any grievance redressal facility shall be made clearly available on the website or mobile applications.
The Payment Aggregators are mandated to have a resolution mechanism which will be binding on all the parties. The customer and merchant complaints, as and when received, shall be handled promptly or disposed of by the Payment Aggregators as per the policy approved by the Board or within a period of 7 (seven) working days of the receipt of the said complaint.
Furthermore, the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 state that a real-time or near-real-time reconciliation framework for all digital payment transactions between the Payment Guarantor and Regulated Entities shall be established for detection and prevention of suspicious transactions.
TIMELINE FOR SUBMISSION OF FINANCIAL REPORTS
Annexure 3 of the Guidelines lays down the reports which are to be submitted by Authorized Payment Aggregators.
| No. | Report | Periodicity | Timeline |
|---|---|---|---|
| 1 | Audited Annual Report | Annually | September 30 |
| 2 | Cyber Security Audit Report | Annually | May 31 |
| 3 | Auditor’s Certificate on Maintenance of Balance in Escrow Account | Quarterly | By 15th of the month following the quarter end |
| 4 | Banker’s Certificate on Escrow Account Debits and Credits | Quarterly | By 15th of the month following the quarter end |
| 5 | Statistics of Transactions Handled | Monthly | By 7th of every month |
| 6 | Declaration and Undertaking by the Director | NA | As and when it happens |
| 7 | Cyber Security Incident Reports | NA | By 7th of next month of incidence month |
- Lack of overriding powers
The Guidelines will be in force along with the Intermediary Directions, which have not been amended or repealed. This is likely to create a conflict between the two directions, resulting in regulatory uncertainty.
Before the said Guidelines came into effect, the Payment Aggregators were to comply with the Intermediary Directions that were in place. Intermediaries within their ambit include both e-commerce marketplaces and payment aggregation service providers. Prima facie, it seems that the Guidelines were to replace the Intermediary Directions; however, the lack of a non-obstante clause has created an ambiguity surrounding dual regulation.
- Definition of Payment Aggregators
Even though the Guidelines include a definition of Payment Aggregators, the definition fails to cover Payment Aggregator services concerning instant delivery on payment such as purchase of tickets online, movie tickets, etc.
- Role of Payment Aggregators
Considering that the role of the Payment Aggregators is to merely act as a facilitator between the customer and merchant, the obligation created by the Guidelines to monitor the merchant to ensure that no counterfeit products are sold seems an onerous task. Furthermore, no defined criteria have been provided to guide as to how to assess the mala fide intent on the part of the merchant.
The burden is on Payment Aggregators to be extremely cautious while on-boarding such merchants in order not to be held liable under the Guidelines for breach of this obligation. For now, it is advisable for Payment Aggregators to explore other structures, such as asking for a security deposit from the merchants or post-dated cheques which would cover the amount of any liability that may be imposed on the Payment Aggregator, or other amounts as they may mutually agree.
Several FinTech companies have applied and submitted their proposals to the RBI for authorization post the 2020 directions of the Guidelines. The companies which will be authorized to function as Payment Aggregators in India will come under the radar of RBI directly.
The above-discussed 2020 directions are elaborate RBI regulations that regulate payment aggregator services in their entirety, as against the Interim Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries issued in November 2009. The ambiguity surrounding the directions has been further clarified by additional guidelines issued through a notification in March 2021. The prime motive behind the Guidelines is to have enhanced control and supervision over the Payment Aggregators in India.