ARTICLE
30 May 2024

Back To The Drawing Board: RBI Proposes Major Changes To The Payment Aggregator Framework

KC
Khaitan & Co LLP

Contributor

Khaitan & Co LLP logo
  • A leading full-service law firm with over 560 professionals with Pan-India coverage through offices in Mumbai, Delhi, Bengaluru and Kolkata
  • Lawyers and trusted advisors to leading business houses, multinational corporations, global investors, financial institutions, governments and international law firms
  • Responsive and relationship driven approach to client service on critical issues and along the business life cycle
  • Specialists with deep sector, domain and jurisdictional knowledge to provide effective business solutions
Explore
The Reserve Bank of India (RBI) on 16 April 2024 issued two draft directions (Draft Directions) on regulation of payment aggregators (PAs), viz., (i) draft directions...
India Finance and Banking
Photo of Sanjay Khan Nagra
Photo of Prashanth Ramdas
Photo of Smita Jha
Photo of Riddhiman Sarkar
Photo of Ishani Sahai
Photo of Jino Mathews Raju
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

Introduction

The Reserve Bank of India (RBI) on 16 April 2024 issued two draft directions (Draft Directions) on regulation of payment aggregators (PAs), viz., (i) draft directions (Draft PA-P Directions) on regulation of PA – Physical Point of Sale (PA-P / Offline PA); and (ii) draft amendments (Draft Amendments) to the existing Guidelines on Payment Aggregators and Payment Gateways, dated 17 March 2020 (PA-PG Guidelines).

These Draft Directions have been issued in furtherance of RBI's Statement on Developmental and Regulatory Policies dated 30 September 2022, wherein the RBI had emphasised on the need to regulate PAs undertaking proximity / face-to-face transactions, as the PA-PG Guidelines only regulated PAs processing online or e-commerce transactions (PA-O / Online PA). Through the Draft Directions, the RBI has made clear its intent to have a consolidated and harmonised legal framework for regulating the activities of both Online PAs and Offline PAs.

KEY HIGHLIGHTS

The Draft Amendments read with the Draft PA-P Directions proposes to bring forth an overhaul in the existing regulatory framework governing payment aggregation activities by bringing Offline PAs processing physical Point of Sale (PoS) transactions, who were hitherto unregulated, under the same regulatory regime as that of Online PAs who are engaged in processing online transactions for merchants and e-commerce sites. We have outlined below a few key aspects of the Draft Directions, including the proposed deviations from the existing regulatory framework:

(a) What is a PA?

  • Definition of PA; PA-O and PA-P. The Draft Amendments seek to revise the definition of a PA. While the most apparent revision in the definition is with respect to inclusion of a PA-P facilitating physical PoS payments, there are a few other notable proposed changes, viz. (i) removal of 'facilitating acceptance of various payment instruments from customers' and inclusion of specific reference to 'facilitation of aggregation of payments made by customers'; (ii) specific clarification that facilitation of payments would be undertaken on the merchant's interface (physical or virtual). Further, it has been clarified that PA-Os are PAs facilitating e-commerce transactions in non-Delivery versus Payment (DvP) mode, while PA-Ps would be PAs facilitating face-to-face / proximity payment for DvP transactions.
  • Definition of merchant. Further, the term "merchant" is proposed to be defined as an entity which sells / provides goods and services purchased by the customer, including a marketplace (an electronic e-commerce entity facilitating transactions between buyers and sellers). Merchants have been further classified into 'small merchants' and 'medium merchants', the former being physical merchants with business turnover of less than INR 5 lakhs per annum and not registered under Goods and Services Tax (GST) (Small Merchants), while the latter are merchants (both physical and online) other than Small Merchants, with business turnover of less than INR 40 lakhs per annum and not registered under GST (Medium Merchants).

COMMENTS:

While the amendment to include PA-Ps in the definition of PA is consequent to the regulations of PA-Ps under the proposed regime, the other changes appear to be aimed at clarifying the permitted activities and functions of a PA in general.

The current definition states that PAs are entities that facilitate merchants to accept various payment instruments from the customers thereby restricting the scope of payment aggregation activities to online medium, i.e., fund aggregation business enabled by payment gateway technology. By replacing the same with the reference to 'facilitation of aggregation of payments', the guidelines have been harmonised to avoid any contradiction its applicability to PA-Ps.

Further, by way of the proposed revisions, the RBI has also attempted to emphasise that any fund aggregation undertaken by the PA must relate to funds that originated from payments made on the relevant merchant's platform itself. This furthers the intent of prescribing stringent merchant onboarding requirements, including the requirement to ensure Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded by the PA.

(b) PA-Ps under regulatory ambit.

  • Authorisation by RBI. While PA-Ps operated by banks will not require separate authorisation from the RBI, non-bank PA-Ps would need to intimate RBI within 60 days of the directions coming into force1 about their intention to seek authorisation, and apply for such authorisation by 31 May 2025. Similar to the PA-O regime, PA-Ps already providing physical PoS aggregation services would be allowed to continue their operations until the RBI rejects their application for authorisation.
  • Compliance with existing guidelines. Existing PA-Ps intending to obtain authorisation and continue their operations will be required to ensure compliance with the PA-PG Guidelines (as applicable to them) within 3 months of the of the directions coming into force. Thereafter, the PA-Ps will be obligated to ensure continuous compliance of the PA-PG Guidelines.
  • Net worth criterion. The Draft PA-P Directions prescribe the following net-worth criterion for PA-Ps intending to obtain authorisation.

Non-bank entity

Date of achieving INR 15 crores net-worth

Date of achieving INR 25 crores net-worth

Existing non-bank PA-P

At the time of submitting the application for authorisation

31 March 2028

New non-bank PA-P (entities not having PA-P services as on date of the circular)

At the time of submitting the application for authorisation

By the end of 3rd financial year of grant of authorisation
  • Consequence of default. Existing non-bank PA-Ps not able to submit their application for authorisation within the stipulated time or achieve the prescribed net-worth criterion are mandatorily required to wind-up their PA-P activities by 31 July 2025. Banks have been mandated to close the accounts of the existing PA-Ps by 31 October 2025, unless such entities produce evidence regarding their application for authorisation.

COMMENTS:

PA-Os are recognised Payment System Operators (PSOs) governed by the Payment and Settlement Systems Act, 2007 (PSS Act), and other applicable laws, setting the contours of their permissible business activities and functions. However, operations of PA-Ps are presently outside the scope of a defined regulatory framework. Further, PA-Ps have no specified compliance obligations in respect of, inter alia, merchant onboarding, dispute management framework, baseline technology recommendations, security norms etc., while PA-Os are required to follow strict mandatory compliances under the PA-PG Guidelines, thereby resulting in a differential regulatory standard for entities operating similar businesses in the physical and online domains.

With the Draft Directions, the RBI attempts to harmonise and standardise most regulatory obligations on all entities engaged in payment aggregation and settlement services irrespective of the domain they operate in, categorising all such entities as PSOs and consequently binding them by the applicable payments regulations in India uniformly.

(c) Use of escrow account(s).

  • Use in PA-O and PA-P activities. The Draft Amendments clarify that the escrow account opened by a PA under the PA-PG Guidelines can be used for both PA-O and PA-P activities.
  • DvP and cash-on-delivery payments. Further, it specifies that funds in respect of DvP transactions, which were hitherto exempted under the PA-PG Guidelines, shall also be routed through such escrow account(s). However, cash-on-delivery payments remain outside the scope of the proposed regulations, and hence should not be routed through the escrow account.
  • Restriction on permitted debits. The PA-PG Guidelines provided for certain permitted credits and permitted debits from the escrow account, which the PA could undertake for and on behalf of the merchant. One such permitted debits includes "payment to any other account on specific directions from the merchant". The Draft Amendments proposes to delete the said permitted debit with immediate effect.

COMMENTS:

Existing PA-Ps as on date adopt fund-flows involving an escrow account for onward settlement with the merchants. However, by virtue of being required to adhere to the PA-PG Guidelines mutatis mutandis under the Draft Directions, PA-Ps would be required to open such escrow account(s) subject to the stipulations under the PA-PG Guidelines, which includes the requirement of the escrow account to be mandatorily maintained with a scheduled commercial bank.

Further, operation of the PA-Ps for the purpose of maintenance of the escrow account(s) would be deemed to be 'designated payment systems' under the PSS Act, thereby subjecting the PA-Ps to RBI's instructions in relation to its activities through the escrow account. That being said, permitting the PAs to operate the same escrow account for PA-O and PA-P would enable operational ease for PAs offering both online and offline aggregation services.

Notably, it has been explicitly mandated under the Draft Amendments to route all payments for DvP transactions through the escrow account going forward. Pursuant to the same, while it is clear that PA-Ps would be mandated to route all its physical PoS DvP transactions through the escrow account, it is unclear as to whether DvP transactions enabled by PA-Os (which are defined as PAs not enabling DvP transactions) in online mode would also be now required to be routed through their escrow account going forward. A clarity in this regard by the regulator prior to issuance of the circular is much needed for entities offering online DvP transactions, which include entities offering immediate or simultaneous delivery of products / services against payment by customer, such as, inter alia, ticket bookings and subscription payments, rent payments, etc.

The removal of the permitted debit in respect of 'payment to other account(s) on specific directions of the merchant' is significant. Such permitted debits on specific authorisation by merchants enabled the PAs to settle payment obligations of the merchant with the relevant beneficiary directly upon the merchant's instructions, without settling it to the merchant's account. Obtaining the authorisation for such permitted debits enables lenders / vendors / other service providers to provide their products / services to the merchant with the contractual comfort of receiving timely payments directly from their regular cash-flows of the merchant, without having to rely on the merchant manually honouring their payment commitments. The removal of the said permitted debit would greatly impact the merchant's ability to avail immediate commitment-based product / services, including short-term merchant loans.

(d) Revised due diligence requirements.

  • Applicability of KYC Master Directions. All PAs (PA-Ps and PA-Os) would be required to undertake Customer Due Diligence (CDD) in accordance with the Master Directions on Know Your Customer, 2016 (KYC Master Directions). Assisted Video based Customer Identification Process (V-CIP) is permitted with the help of an agent facilitating the process at only the merchant's end. The PA must undertake ongoing monitoring of the merchant(s) and lay down risk-based payment limits for the merchants.
  • CDD requirements. CDD requirements for the different kinds of merchants would be as follows:

#

Type of merchant

CDD requirement standard
 

Small Merchant

Undertaking Contact Point Verification (CPV) of the business establishment (physically verifying the business at their premises) and verifying the bank account in which funds of the merchant is settled.
 

Medium Merchant

Undertake CPV of the business established and obtain and verify one Officially Valid Document (OVD) of the proprietor / beneficial owner / person holding attorney and verify one OVD of the business.
  • Additional KYC compliances. PAs are obligated to not collect and settle funds for the marketplaces, other than for services offered through their platform. PAs are also required to ensure complete and ongoing compliance to the wire transfer guidelines under the KYC Master Directions.
  • Registration with FIU-IND. Registration with the Financial Intelligence Unit – India (FIU-IND) has been explicitly called out as a requirement for all PAs.
  • Merchant and PA name disclosure. As per the Draft Amendments, PAs would need to ensure that the name of merchant as well as the PA are displayed on the payments page and payment confirmation page, or the charge slip (as the case may be). This requirement is to be complied with within 3 months of the Draft Directions coming into force.
  • Timeline for compliance. The Draft Amendments provide for a glide path (based on the gross processing value processed by the PA) for ensuring completion of due diligence of all existing merchants by the existing PA-Os and PA-Ps. Existing PA-Os (both authorised entities, as well as entities whose application is pending with the RBI) would be required to complete the due diligence of all its merchants as prescribed under the circular by 20 September 2025, whereas all existing PA-Ps as on date of the circular would be required to complete the due diligence process within 12 months of the date of submission of their application for authorisation.

COMMENTS:

With respect to the CDD requirements, the present requirement for PA-Os (as set out in the clarifications to the PA-PG Guidelines dated 31 March 2021) is to follow the standards prescribed in the KYC Master Directions as applicable any other entity regulated by the RBI; provided however that they are not required to carry out the entire KYC process in case the merchant already has a KYC compliant bank account which is being used for settlement of the transactions. To this end, the prevalent market practice has been to conduct a 'penny drop' verification of the bank accounts of the merchants at the time of onboarding. Resultantly, the information available with the PA-Os of the merchants onboarded by them is not as exhaustive as the information available with other regulated entities of their customers (since such regulated entities have not been provided with any leeway in terms of conducting CDD). We understand that the lack of exhaustive information available with PA-Os of their merchants has been highlighted as a concern by law enforcement agencies to the RBI. Keeping in mind such concerns, the RBI now proposes to take away the previously granted leeway and requires PAs to conduct CDD strictly in compliance with the KYC Master Directions, except when the merchants onboarded by them qualify as a Small Merchant or a Medium Merchant, in which case PAs will be required to conduct a limited CDD exercise as detailed above.

On a prima facie basis, it would seem that the leeway granted for onboarding Small Merchants and Medium Merchants would be beneficial for PAs, both from a costing perspective and an administrative convenience perspective. However, the requirement to conduct CPV checks (which is only mandatory for onboarding sole proprietary firms under the KYC Master Directions): (i) would result in higher costs for PAs; and (ii) may result in greater administrative difficulties, specially when CPV has to be conducted on merchants based out of remote areas.

It is also notable that the Draft Amendments require verification of OVD of the business in case of onboarding a Medium Merchant. However, an OVD under the KYC Master Directions include a passport, driving license, proof of procession of Aadhaar number, voters identity card, and NREGA job card; all of which relate to an individual and not a business entity. Therefore, for CDD of Medium Merchants, the intent of RBI would have been to require a 'proof of business' or other documents as required for a CDD of a company under the KYC Master Directions, and not an OVD.

The stipulation that PAs are not permitted to collect and settle funds for marketplaces other than for the services offered by them appears to be more far reaching than just a KYC requirement, as it bars any marketplace from accepting payments for any goods / services offered by any entity other than itself. This ties in with the RBI's larger intent to restrict the activities of PAs to what was originally envisaged, i.e., an intermediary responsible for pooling payments from buyers and settling such payments with the relevant sellers within agreed upon timelines. However, the said restriction appears to be applicable only on marketplaces (i.e., online e-commerce platforms as onboarded by PA-Os), and not merchants onboarded by PA-Ps, as the restriction is specific to marketplaces only. Hence, it is unclear whether offline merchants are permitted to engage a PA-P for settlement of payments for goods / services offered by entities other than such merchants. Such a lacuna might pave way for offline merchants accepting payments for other merchants on their PoS device, and further settling it with such other merchants, thereby themselves undertaking aggregation services.

Under the Prevention of Money Laundering Act, 2002 (PMLA), all 'reporting entities' are required to mandatorily register with the FIU-IND. Reporting entities include, inter alia, a financial institution, which in turn includes, inter alia, a PSO. By virtue of PA-Os as well as PA-Ps being recognised as PSOs under the Draft Directions, all PA-Os and PA-Ps would be mandatorily required to register with the FIU-IND and be subject to all compliance obligations placed on reporting entities under the PMLA and the rules thereunder.

The requirement to display the name of the merchant and the PA involved in the transaction on the payments web page appear to be stemming from the overall customer protection intent of the PA-PG Guidelines. It would ensure that the customer is aware of the relevant responsible entities for the handling of their funds and delivery of goods / services, thereby enabling them to raise disputes with the relevant entity with ease and appropriate reference.

(e) Appointment of Agents.

  • Non-bank PAs will be permitted to engage agents for assistance in merchant onboarding. However, such engagement of agents would be subject to certain conditions, (i) Board approved policy on agent engagements; (ii) due diligence on the agents; (iii) assuming responsibility for the agent's actions and omissions; (iv) ensuring customer confidentiality; and (v) regular monitoring of the agents' activities and review of performance at least once a year.

COMMENTS:

The leeway for appointment of agents by PAs is a welcome move, particularly in the offline domain, as assisted onboarding process (including for V-CIPs) would greatly aid in onboarding offline DvP merchants in rural areas and areas with limited financial awareness and reach. In such regions, agents of non-bank PAs would act similar to a banking correspondent to a bank, enhancing financial inclusion and access, as well as reach of technology to merchants. However, the conditions for appointment of an agent appear rather broad in the Draft Amendments, and do not spell out specific contractual clauses required in the agreement between the PA and the agent.

(f) Card-on-File (CoF).

  • Restriction on CoF. For card payments in proximity payment transactions, only the card issuers and / or card networks are permitted to store CoF data from 1 August 2025, and any such data stored by any other entity previously must be purged as per the Draft Amendments.
  • Limited access. Entities may store limited data, such as last 4 digits of card number and card issuer's name for tracking / reconciliation purposes.

COMMENTS:

The PA-PG Guidelines already placed a prohibition on the PA-Os on storing customer card credentials within their database or the serves accessed by the merchant. The Draft Amendments further the same restriction on PA-Ps as well and imposes on the PA-Ps to purge any CoF data already present. Thus, the Draft Amendments seek to place PA-Ps and PA-Os on the same footing when it comes access to sensitive data of the customers, and obligation to ensure customer confidentiality and security.

(q) Involvement of multiple PAs.

  • The RBI has now clarified that if a payment transaction is facilitated by two or more authorised PAs in the transaction chain, then both PAs shall be bound by RBI's instructions on PAs.

COMMENTS:

The clarification appears to be aimed at arrangements wherein the relatively nascent PAs tie up with established PAs having the necessary API infrastructure and other merchant onboarding facilities to acquire and onboard merchants, while themselves only handling the escrow account in the backend. Such arrangements could pose the risk of the backend PA not having access to merchant KYC details, thereby flouting the merchant onboarding and KYC stipulations applicable to PAs. The clarification now makes it explicitly clear that all the PAs, operating in the backend or otherwise, in the same transaction chain, must comply with all applicable directions including in respect of merchant onboarding.

CONCLUDING REMARKS

The Indian regulatory framework on payments has been witnessing systematic consolidation, shifting the space to a rather measured growth which balances innovation while being anchored by principles of customer protection and accountability. This is witnessed by the circular on 'Regulation of Payment Aggregator – Cross Border (PA – Cross Border)' (PA – CB Directions) issued by the RBI on 31 October 2023 (analysed by us here), and now the Draft Directions, which propose to consolidate the regulatory framework for both online and offline domestic payment aggregation activities.

While the implications of the Draft Directions are generally clear, there are certain aspects which require further clarity (as detailed above). In this regard, the RBI's approach of providing stakeholders with the opportunity to provide comments / feedback on the Draft Directions by 31 May 2024 is appreciable. In the aftermath of receiving such comments / feedback, the RBI may (i) make suitable changes to the final regulatory framework which is notified, and / or (ii) provide further clarity in the form of responses to frequently asked questions / clarifications. In doing so, the RBI would enable relevant stakeholders to ensure compliance with the applicable regulatory framework, both in letter and in spirit.

Footnote

1. Please note that the Draft Directions do not have the force of law yet and consequently, do not impose any obligations on entities engaged in payment aggregation activities.

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com

Authors
Photo of Sanjay Khan Nagra
Sanjay Khan Nagra
Photo of Prashanth Ramdas
Prashanth Ramdas
Photo of Smita Jha
Smita Jha
Photo of Riddhiman Sarkar
Riddhiman Sarkar
Photo of Ishani Sahai
Ishani Sahai
Photo of Jino Mathews Raju
Jino Mathews Raju
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More