The Reserve Bank of India (“RBI”) vide circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 issued guidelines (“Guidelines”) to regulate payment aggregators (“PAs”) and provide technology-related recommendations to payment gateways (“PGs”). The Guidelines will come into force with effect from April 01, 2020.
PAs are entities that enable e-commerce sites and merchants to accept various payment instruments from customers in settlement of their payment obligations, without the merchants having to build a separate payment integration of their own. PAs connect merchants with acquirers. In the process, they receive payments from customers, pool them, and transfer them on to the merchants after a time period.
PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in the handling of funds. This post only deals with the requirements of PAs.
Key Highlights on Regulation of Payment Aggregators
Authorization: As per the Guidelines, Banks do not require a separate authorization from RBI to undertake payment aggregation services. However, all non-bank PAs will require authorization from RBI in order to provide aggregation services. Existing PAs are required to apply for authorization on or before June 30, 2021, but will be allowed to continue their operations till they receive acceptance or rejection of their application. The e-commerce marketplaces providing payment aggregation services are required to separate aggregation from the marketplace business by June 30, 2021.
Net Worth: PAs existing as on March 17, 2020, shall achieve a net-worth of ₹15 crore by March 31, 2021, and a net-worth of ₹25 crore by the end of the third financial year, i.e., on or before March 31, 2023. New PAs shall have a minimum net-worth of ₹15 crore at the time of application for authorization and shall attain a net-worth of ₹25 crore by the end of the third financial year from the grant of authorization. The net-worth of ₹25 crore shall be maintained at all times thereafter. PAs that are not able to comply with the net-worth requirement within the stipulated time frame shall wind up their payment aggregation business. The banks maintaining nodal / escrow accounts of PAs shall monitor and report compliance with the net-worth requirement.
Governance: The Guidelines mandate that PAs shall be professionally managed. The promoters of the applicant entity must satisfy the fit and proper criteria prescribed by the RBI. RBI will also check the ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc. Any takeover or acquisition of control or change in management of a non-bank PA shall be communicated by way of a letter to RBI within 15 days with complete details, including the ‘Declaration and Undertaking’ by each of the new directors.
Agreements between PAs, merchants, acquiring banks, and all other stakeholders must clearly delineate the roles and responsibilities of the involved parties in sorting or handling complaints, refunds or failed transactions, return policy, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanism, reconciliation, etc. PAs must have a Board-approved policy for disposal of complaints and dispute resolution, complying with the turnaround times (TAT) prescribed by RBI, timelines for processing refunds, etc. PAs are required to appoint a nodal officer who shall be responsible for regulatory and customer grievance handling functions.
KYC/AML/CFT guidelines issued from time to time by the Department of Regulation, RBI, shall apply mutatis mutandis to PAs. Provisions of PMLA and the rules framed thereunder, as amended from time to time, shall also be applicable.
Merchant Undertaking: The Guidelines state that merchants must not save customer card data and related data. The Guidelines mandate PAs to adopt a Board-approved policy for merchant onboarding and to undertake background and antecedent checks of the merchants. The merchant websites should clearly indicate the terms and conditions of the service and the timeline for processing returns and refunds. The Guidelines state that PAs will be responsible for checking PCI-DSS and PA-DSS compliance by the merchants on-boarded. The PAs may conduct a security audit of the merchant periodically. The agreements signed by PAs with merchants must have provisions for security and privacy of customer data. The agreements must also include compliance with PA-DSS and incident reporting obligations.
Settlement: The Guidelines require non-bank PAs to maintain the amount collected by them in an escrow account with a scheduled commercial bank. For the purpose of maintenance of the escrow account, the operations of PAs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSSA. PAs can shift the escrow account from one bank to another in a time-bound manner without impacting the payment cycle.
Security Risk: The Guidelines mandate PAs to put in place adequate information and data security infrastructure and systems. PAs must also put in place a Board-approved information security policy for the safety and security of the payment systems operated by them and implement security measures accordingly. PAs are prohibited from storing customer card credentials within their database or the server accessed by the merchant. Further, PAs must establish a mechanism for monitoring, handling, and follow-up of cybersecurity incidents and breaches. All cybersecurity incidents must be reported immediately to the DPSS, RBI, Central Office, and CERT-In.
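The prohibition on storing customer card credentials (here, and the matching rule for merchants under Merchant Undertaking) is easiest to see as a guard at the storage layer. The following is an added Python example, not text from the Guidelines or code from any PA: it assumes a raw capture record with the field names shown, refuses to persist sensitive authentication data such as CVV or PIN, keeps only a masked PAN (first six and last four digits, the PCI DSS display convention) plus an opaque token, and redacts Luhn-valid card numbers that stray into free-text fields. The keyed hash stands in for a tokenisation vault and is an assumption of the example, as is the sample transaction.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Field names a PA's capture layer might emit; these are assumptions for the
# example, not names from the Guidelines. Sensitive authentication data must
# never reach persistent storage, whatever the field is called.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class StorableTransaction:
    """What the PA is allowed to keep: no full PAN, no CVV, no PIN."""
    txn_id: str
    merchant_id: str
    amount_paise: int
    masked_pan: str    # first six + last four, e.g. 411111******1111
    card_token: str    # opaque reference; PAN not recoverable without the vault key
    notes: str         # free text with any card numbers redacted


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits; everything else is replaced."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, vault_key: bytes) -> str:
    """Keyed hash standing in for a tokenisation vault (assumption of this
    example). The key is held outside the transaction store, so the token
    alone does not reveal the PAN."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(vault_key, digits.encode(), hashlib.sha256).hexdigest()


def redact_free_text(text: str) -> str:
    """Replace Luhn-valid card numbers in notes; leave other digit runs alone."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return "[REDACTED PAN]" if luhn_ok(digits) else match.group(0)
    return PAN_PATTERN.sub(repl, text)


def to_storable(raw: dict, vault_key: bytes) -> StorableTransaction:
    """Gate between the capture layer and the database."""
    sensitive = FORBIDDEN_FIELDS & {k.lower() for k in raw}
    if sensitive:
        raise ValueError(
            f"refusing to persist sensitive authentication data: {sorted(sensitive)}"
        )
    pan = raw["pan"]
    return StorableTransaction(
        txn_id=raw["txn_id"],
        merchant_id=raw["merchant_id"],
        amount_paise=int(raw["amount_paise"]),
        masked_pan=mask_pan(pan),
        card_token=tokenize_pan(pan, vault_key),
        notes=redact_free_text(raw.get("notes", "")),
    )


# Constructed sample input; 4111 1111 1111 1111 is a standard test PAN.
RAW_TXN = {
    "txn_id": "TXN-0001",
    "merchant_id": "MER-42",
    "amount_paise": 129900,
    "pan": "4111 1111 1111 1111",
    "notes": "customer read out 4111-1111-1111-1111; order ref 1234567890123",
}
DEMO_KEY = b"demo-vault-key-not-for-production"


def demo() -> StorableTransaction:
    return to_storable(RAW_TXN, DEMO_KEY)


if __name__ == "__main__":
    print(demo())
```

The free-text redaction matters in practice because card numbers leak into support notes and logs far more often than into the fields designed to hold them; the Luhn check keeps order references and similar digit runs from being redacted by mistake.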
PAs are required to comply with data storage requirements as applicable to Payment System Operators. PAs shall submit the System Audit Report, including a cybersecurity audit conducted by CERT-In empanelled auditors, within two months of the close of an FY to the respective Regional Office of DPSS, RBI.
General Instructions: PAs shall not place limits on transaction amounts for a particular payment mode. The responsibility therefor shall lie with the issuing bank/entity. PAs shall not give an option for ATM PIN as a factor of authentication for card-not-present transactions. All refunds shall be made to the original method of payment unless specifically agreed otherwise by the customer.