After first raising its intention to bring payment aggregators (PA) and payment gateways (PG) under its regulatory purview in its discussion paper of September 2019, the Reserve Bank of India (RBI) on 17 March 2020, issued the Guidelines on Regulation of Payment Aggregators and Payment Gateways, effective from 1 April 2020 (guidelines). These regulate the activities of the PAs in entirety and provide baseline technology related recommendations to PGs.
PAs and PGs are now clearly defined. PAs and PGs have been distinguished from each other, primarily on the basis that PAs handle funds, whereas PGs do not. PAs receive, pool and transfer funds to merchants and PGs only provide the technology infrastructure for such payments. Because of this important distinction the guidelines prescribe stringent compliance requirements for PAs, but only provide baseline technology related recommendations for PGs. The guidelines, including the technology related measures set out therein, are binding on PAs. However, PGs are encouraged to adopt the technology related measures as best practice. The guidelines also govern the domestic legs of import and export related payments facilitated by PAs, but do not apply to cash on delivery e-commerce models.
All non-bank PAs require authorization from the RBI under the Payment and Settlement Systems Act, 2007. Existing non-bank PAs are required to apply for authorization, on or before 30 June 2021, but in the interim are permitted to continue their operations. Compliance with all other provisions, except capital requirements, of the guidelines, however, became mandatory from 1 April 2020. E-commerce marketplaces that currently undertake PA activities are required to separate their PA activities from their marketplace business and to make applications for authorization on or before 30 June 2021. Banks which undertake PA activities are not required to obtain a separate authorization as they handle funds as part of their normal banking business.
All PAs must be companies incorporated under the Companies Acts, 1956 and 2013, with their memorandums of association specifically covering PA activities. Existing PAs are required to achieve a net worth of ₹150 million (US$1.9 million) by 31 March 2021 and ₹250 million by 31 March 2023. New PAs are required to have a minimum net worth of ₹150 million on filing an application for the authorization and should achieve a net worth of `250 million by the end of the third financial year from the grant of the authorization. PAs must maintain their net worth of ₹250 million at all times thereafter. PAs that are unable to meet and maintain these net worth requirements will have to be wound up.
The guidelines set out required governance measures, including a board approved policy for dealing with complaints, a dispute resolution mechanism, a professional management with promoters required to meet the fit and proper criteria, supported by an undertaking from the directors, all contractual arrangements to contain a clear delineation of roles and the appointment of a nominated officer to handle grievances. Additionally, any takeover, acquisition or change in control of a non-bank PA should be notified to the RBI within 15 days with complete details. If the RBI is not satisfied with the fit and proper status of the new management, it may impose suitable restrictions.
PAs should adopt a board-approved policy for on-boarding merchants, conduct background checks prior to such on-boarding and make a provision in contracts for the security and privacy of customer data.
Non-bank PAs are required to hold an escrow account with only one scheduled commercial bank, to receive payments. PAs cannot deal with these amounts for any purposes other than permitted credits and debits. The guidelines also provide timelines within which final settlements to merchants are to be made. PAs shall put in place a board approved policy relating to information security and a mechanism for monitoring, handling of and following up cyber security incidents and breaches. They will not be permitted to store customer card credentials on systems that may be accessed by merchants. Specific reporting requirements, among other matters, in respect of the escrow account, security measures, and so on must be undertaken by PAs. ATM PINs cannot be used as authentication factors for card not present transactions.
Some of the more important changes, such as the reduction in the net worth requirements, the differentiation between PAs and PGs, the shift from nodal accounts to escrow accounts as set out in the guidelines have been readily welcomed. It will now be interesting to see how these guidelines impact the e-commerce industry and the online payment structure.
Juhi Mehta is a counsel and Manali Kakatkar is a senior associate at Samvad Partners.
Bengaluru | Chennai | Hyderabad | Mumbai | New Delhi
Bengaluru | Tel: +91 80 4268 6000
Chennai | Tel: +91 44 4306 3208
Hyderabad | Tel: +91 40 6721 6500
Mumbai | Tel: +91 22 6104 4000
New Delhi | Tel: +91 11 4172 6200