Reserve Bank of India has, vide its Circular DPSS.CO.PD.No.1810/02.14.008/2019-20
dated March 17, 2020, issued the above guidelines to all
the Payment System Providers and System Participants in India. These
guidelines have been issued for regulating the entire activities of the Payment
Aggregators as well as to provide baseline technology-related recommendations
to Payment Gateways.
Key Terms
Payment Aggregators (PAs): are
defined as those entities which facilitate e-commerce sites and merchants
to accept various payment instruments from the customers for completion of
their payment obligations. PAs also facilitate merchants to connect with acquiring
banks. In the process, they receive payments from customers, pool and transfer
them on to the merchants in due course.
Payment Gateways (PGs): are entities
that provide technology infrastructure to route and facilitate processing of an
online payment transaction without any involvement in handling of funds.
Applicability of the Guidelines:
These guidelines are mandatory and fully applicable to PAs. They need to seek RBI
authorization for doing the business of PAs along with compliance of other
mandatory conditions, including adopting technology-related standards into their
business model. Also, only a company incorporated in India under the
Companies Act, 1956 / 2013 may apply to RBI for operating as a PA and the
Memorandum of Association (MoA) of the applicant entity must cover the proposed
activity of operating as a PA.
It is also pertinent to highlight here that although both banks and
non-bank PAs handle funds as part of their activities, banks which
provide PA services as part of their normal banking relationship would not be
required to seek separate authorization from the RBI.
Additionally, as regards the PGs, there is no requirement for them to get
authorization from RBI. Further, their adherence to the baseline technology-related
recommendations is not mandatory. PGs are, however, advised to adhere to these
recommendations as a measure of good practice.
Capital Requirements:
Existing PAs
are required to achieve a net-worth of Rs.15 crore and a net-worth of
Rs.25 crore in a phased manner. Thereafter, the net-worth of Rs.25 crore has to
be maintained at all times.
Whereas, the
New PAs should have a minimum net-worth of Rs.15 crore at the time of
application for authorisation and should attain a net-worth of Rs.25 crore by
the end of third financial year of grant of authorisation. Thereafter the
net-worth of Rs.25 crore has to be maintained at all times.
Mandatory Governance Compliance
There are some prescribed conditionalities under the guidelines which stipulate
the following mandatory compliance for ensuring good governance practices by PAs:
- PAs should be managed professionally. The
applicant entity and its promoters have to satisfy the ‘fit and proper’
criteria prescribed by RBI.
- Any takeover or acquisition of control or
change in management of a non-bank PA has to be advised to the
Chief General Manager, Department of Payment and Settlement Systems
(DPSS), RBI, Central Office, Mumbai. RBI will examine the ‘fit
and proper’ status of the management and, if necessary, may
place suitable restrictions on such changes.
- Agreements between PAs, merchants, acquiring
banks, and all other stake holders should be clear about the roles and
responsibilities of the involved parties.
- PAs have to disclose comprehensive information
regarding merchant policies, customer grievances, privacy policy and other
terms and conditions on their website/mobile application.
- PAs have to frame a Board approved policy for
disposal of complaints / dispute resolution mechanism / time-lines for
processing refunds, etc., as per RBI instructions on Turn Around Time
(TAT) for resolution of failed transactions.
- PAs have to appoint a Nodal Officer
responsible for regulatory and customer grievance handling functions and
display details thereof on their website.
- The RBI would also check ‘fit and proper’
status of the applicant entity as well as the management through inputs from
other regulators, government departments etc.
Safeguards against Money Laundering (KYC / AML / CFT) Provisions
PAs have to follow Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating
Financing of Terrorism (CFT) guidelines issued by RBI before making any
agreements with the merchants and shall follow the same precisely. Further,
provisions of Prevention of Money Laundering Act, 2002 and Rules framed
thereunder, as amended from time to time, are also applicable to them.
Merchant On-boarding
PAs should have
a Board approved policy for merchant on-boarding. Further, PAs should undertake
background and antecedent check of the merchants, to ensure that such merchants
do not have any malafide intention of duping customers and do not sell fake /
counterfeit / prohibited products, etc.
Security / privacy of customer data
It is the responsibility of the PAs to check Payment Card Industry-Data Security
Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS)
compliance of the infrastructure of the merchants on-boarded. Further, merchant
sites should not save customer card and such related data. A security audit of the
merchant may be carried out to check compliance, as and when required.
Agreements with merchants should have provisions for security / privacy of customer
data. PAs’ agreements with merchants shall include compliance to PA-DSS and incident
reporting obligations.
Settlement and Escrow Account Management
Non-bank PAs
have to keep the amount collected by them in a non-interest bearing escrow
account with any scheduled commercial bank. Escrow account balance has to be
kept with only one scheduled commercial bank at any point of time. Amounts
deducted from the customer’s account should be remitted to the escrow account
maintaining bank on Tp+0 / Tp+1 basis. Final settlement with the merchant by
the PA shall be effected as under:
- Where PA is responsible for delivery of goods
/ services the payment to the merchant should not be made later than on Ts
+ 1 basis, where ‘Ts’ stands for date of intimation by the merchant to the
intermediary about shipment of goods.
- Where merchant is responsible for delivery,
the payment to the merchant should not be made later than on Td + 1 basis,
where ‘Td’ stands for date of confirmation by the merchant to the
intermediary about delivery of goods to the customer.
- Where the agreement with the merchant provides
for keeping the amount by the PA till expiry of refund period, the payment
to the merchant should not be made later than on Tr + 1 basis, where ‘Tr’
stands for date of expiry of refund period as fixed by the merchant.
- At the end of the day, the amount in escrow
account should not be less than the amount already collected from customer
or the amount due to the merchant.
- PAs are permitted to pre-fund the escrow
account with own / merchant’s funds. However, in the latter scenario,
merchant’s beneficial interest should be created on the pre-funded
portion.
- The escrow account should not be operated for
‘Cash-on-Delivery’ transactions.
Important: A
certificate signed by the auditor(s), shall be submitted by the authorised
entities to the respective Regional Office of DPSS, RBI, where the registered
office of the PA is situated, certifying that the entity has been maintaining
balance in the escrow account in compliance with these instructions, as per the
periodicity prescribed under the guidelines.
Permitted credits / debits to the escrow account shall be as set out below:
Credits
- Payment from various
customers towards purchase of goods / services.
- Pre-funding by merchants /
PAs.
- Transfer representing
refunds for failed / disputed / returned / cancelled transactions.
- Payment received for onward transfer to
merchants under promotional activities, incentives, cash-backs etc.
Debits
- Payment to various merchants / service
providers.
- Payment to any other account on specific
directions from the merchant.
- Transfer representing refunds for failed /
disputed transactions.
- Payment of commission to the intermediaries.
This amount shall be at pre-determined rates / frequency.
- Payment of amount received under promotional
activities, incentives, cash-backs, etc.
- Settlement of funds with merchants should not
be co-mingled with other business, if any, handled by the PA.
Customer Grievance Redressal and Dispute Management Framework
Another important disclosure requirement is that PAs have to put in place a formal,
publicly disclosed customer grievance redressal and dispute management
framework, including designating a nodal officer to handle the customer
complaints / grievances and the escalation matrix.
PAs should have
a dispute resolution mechanism binding on all the participants.
Security, Fraud Prevention and Risk Management Framework
- PAs should put in place adequate information
and data security infrastructure and systems for prevention and
detection of frauds.
- PAs should put in place Board approved
information security policy for the safety and security of the payment
systems operated by them and implement security measures in accordance
with this policy to mitigate identified risks.
- PAs should establish a mechanism for
monitoring, handling and follow-up of cyber security incidents and
breaches.
- PAs should not store the customer card
credentials within their database or the server accessed by the merchant.
Compliance within Transition Period
Net-worth compliance:
- Existing PAs must ensure a net worth of INR 15
crores by March 31, 2021 and INR 25 crores by March 31, 2023. For the new
PAs, a net worth of INR 15 crores is required for making an application
for grant of authorization and they must achieve a net worth of INR 25
crores by the third financial year-end occurring after the application is
made. A net worth of INR 25 crores is to be maintained at all times
thereafter.
- The PAs that are not able to comply with the
net-worth requirement within the given time frame would have to wind up
their payment aggregation business. The biggest
examples of this: PhonePe, a Flipkart company, and Paytm’s payment
aggregator business are already separate entities from the marketplace
models.
Authorization Compliance
- Existing non-bank PAs need to apply for an
authorisation under the Payment and Settlement Systems Act, 2007 (PSS Act)
prior to June 30, 2021 and will be allowed to operate until they are
granted / refused an authorization.
- E-commerce marketplace entities providing PA
services shall segregate their PA business from the marketplace business
and apply for an authorisation on or before June 30, 2021.
Digest for mind:
It appears that
many of the prescribed compliances as per the Guidelines are similar to those
already prescribed by the RBI for payment system operators, such as e-wallet
and gift card issuers, and it appears that the RBI is placing PAs on the same
pedestal as such payment system providers in terms of regulation.
Also, the transition period provided for meeting the prescribed net worth and
authorization requirements is meant to allow PAs to ensure full-fledged adoption
of these guidelines in their true spirit. However, these Guidelines do not contain
a provision stating whether existing PAs should continue to comply with the
Intermediary Directions or comply with the Guidelines by April 1, 2020. How would
the PAs be able to conduct the full-fledged background checks of merchants’ history
to ensure compliance with these guidelines?
It is imperative to state that trade associations, including NASSCOM, made a
representation before the RBI for extending the implementation date of these
guidelines, which are applicable from 01.04.2020, amid the lockdown announced by
the Government to combat the spread of COVID-19.
Lastly, in conclusion, it is relevant to mention that through these guidelines
the RBI has brought forth comprehensive regulations to control the functioning of
payment aggregators in India, which would lead to significant change in the
e-commerce industry in the coming time.
This Article
has been Compiled by GD Chugh (Associate Partner) and Deepika Sharma
(Senior Associate)
You can direct
your queries or comments to the authors at gdchugh@factumlegal.com
Disclaimer-
The contents of
this article should not be construed as legal opinion. This article is intended
to provide a general guide to the subject matter. Specialist advice should be
sought about your specific circumstances. We expressly disclaim any financial or other responsibility
arising due to any action taken by any person on the basis of this article.