The evolution of the Reserve Bank of India (hereafter RBI) dates back to the pre-independence period. On 25 August 1920, the Royal Commission on the Indian Currency and Finance suggested the establishment of a central bank of India, a proposal that was later backed, in 1931, by the Indian Central Banking Inquiry Committee. This continuous discussion resulted in the establishment of the RBI in 1935. Initially, it was a private shareholders' bank with an office situated in Calcutta; later, it was shifted to Bombay. Initially, the printing of currency notes was the sole responsibility of the RBI, and in 1938 currency notes in denominations of Rupees 5 and 10 were introduced. In the same year, a second batch of currency notes in denominations of Rs. 100, 1,000 and 10,000 was issued. Post-independence, the Reserve Bank (Transfer of Public Ownership) Act of 1948 nationalized the RBI in 1949, and the two main functions of the Reserve Bank were carrying out the business of banking in accordance with the provisions of the act and managing the currency.
It is authorized to make payments on behalf of the central government; all the money of the central government, its exchange, remittance, repo, and reverse repo are all dealt with by the RBI.
In the interest of the public, the Reserve Bank is empowered to formulate banking policies, including policies related to advances, rates of interest, and the terms and conditions of advances.
Any banking business in India needs to have a license issued by the RBI; along with the power of granting licenses, the RBI also has the power to cancel the grant of a license or an already granted license.
To maintain the country’s monetary stability, the RBI maintains a cash reserve ratio of the banks listed in the second schedule and the nonscheduled banks. It makes loans and advances to scheduled banks or any financial institution.
It regulates, prohibits, and restricts dealing in foreign exchange, issues licenses to banks and other institutions, and acts as an authorized agency of India in the foreign exchange market.
In a particular online transaction, once the customer performs the payments, the funds go to the payment aggregators. From them, they go to the merchant, based upon the criteria for settlement of transactions or the shipment of goods.
Nowadays, payment aggregators are all around us; any entity involved in business and dealing with customers is majorly working as a payment aggregator, and the funds get credited to their escrow account. Entities like Paytm, PhonePe, and Google are all payment aggregators.
The work of payment gateways, by contrast, is to facilitate a particular transaction: they take the merchant ID of a particular merchant and forward the transaction to the merchant's bank account.
Payment aggregators are financial organizations that accept payments from merchants and offer in-person or on-call solutions. They connect the merchant account and payment gateway with card networks. They offer a variety of online options to make a payment, for example, BillDesk and PayUmoney.
Payment gateways, by contrast, handle cardless transactions that take place online or through a mobile application. They are software that provides a passage for the safe and secure transfer of money from a customer’s bank to the merchant’s bank account, for example, HDFC, ICICI, Razorpay, etc.
In the Indian ecosystem, mostly the payment aggregators’ model is followed, which is why RBI, in its guidelines, emphasizes the payment aggregators and the controls and governance that need to be imposed upon them.
Payment infrastructure is mainly divided into two parts-
Global payments involve transactions that are to be done from India to somewhere outside India. The payment chain starts with a buyer who shops from a merchant. The merchant asks for payment details, and these payment details are provided to the payment service provider, who, through a payment gateway, asks for payment details from the acquiring bank for approval. This approval is sought through Visa or Mastercard, and after their approval, the approved decision goes to the issuing bank to complete the transaction.
A customer/buyer makes a payment order through the UPI payment gateway, which provides a network to the payment aggregator, who raises an authorization request to the payment aggregator's partner bank. This partner bank sends an authorization request to NPCI (National Payments Corporation of India). An authorization request is then sent to the payer’s bank; the payer receives a debit request and then a debit notification, completing the process of payment.
To complete an online payment, third-party payment processors such as payment service providers, payment facilitators, and payment aggregators are responsible for processing transactions. The involvement of so many entities advanced the digital payment ecosystem, resulting in ease of payment, but at the same time it caused security concerns about protecting and securing the sensitive data of the users; this was the main reason that accelerated the need for regulating the business of payment gateways and payment aggregators. It became necessary for payment aggregators and gateways to have robust systems, security frameworks, and risk management policies and tools, and to apply these security controls and measures to both global and local payments.
In October 2016, India faced a major data breach when several banks announced that they would be recalling millions of debit cards because of a data breach that affected the backend of software that powered an ATM network. These banks completely missed the warning signs of these data breaches until millions of fraud cases were detected. Similarly, in 2018, the Indian government database was breached, leaking the personal information of over 1 billion users. In January 2019, multinational financial institutions faced a data breach where the sensitive information of 3 million users was compromised. In April 2021, payment data of around 11 crore Indian card holders was infringed because of a payment aggregator.
Cases of continuous data breaches were at their peak, and no specific guidelines and measures were there to safeguard against future challenges; due to this, RBI issued guidelines to control and regulate the payment gateways and aggregators so that the right to privacy of an individual and their trust in the government and banking system could stay intact.
The RBI guidelines for the regulation of payment aggregators and payment gateways first came in the form of a notification dated 17th March 2020, and a further revised circular was issued on March 31, 2021. The consolidated guidelines give directions for the opening and operation of accounts and the settlement of payments for electronic payment transactions involving intermediaries. They respond to the rise in online purchases of goods and services paid for online, and are meant to safeguard these transactions and to make sure that the intermediaries receiving such payments remit them without delay into the accounts of the merchants from whom the buyer is purchasing. Considering this a serious issue, RBI formulated the guidelines under section 18 of the Payment and Settlement Systems Act, 2007, which states that RBI can, in the public interest, regulate the management and operations of payment systems.
The RBI mandated that payment aggregators and payment gateways must comply with the KYC (know your customer) related mandates prescribed under the Prevention of Money Laundering Act, 2002, which prescribes a customer acceptance policy, customer identification procedures, monitoring of transactions, and risk-management-related measures and safeguards.
Entities that are operating as online payment gateway service providers (OPGSP) and undertaking cross-border transactions must ensure the timelines for their transactions, must maintain the authorized mode of collection, and must adhere to the OPGSP guidelines.
Cyber security controls involve two angles: robust mechanisms for risk management and controls for incident response, with forensics made part of these controls.
Controls which must be followed-
Controls which are not mandatory to follow-
Reports To Be Submitted-
Annually-
Quarterly
Monthly
Non-periodic
The guidelines issued by the RBI to control and regulate payment aggregators and payment gateways are serving their purpose, considering the significant increase in the role of payment aggregators and payment gateways in online transactions, but these notifications were the result of damage already caused, issued when reports of data breaches had circulated pan-India. To ensure the public good, it is the responsibility of the RBI to foresee the areas where its expertise and intervention are needed from time to time, so as to avoid the occurrence of any such damage.
From time to time, RBI bans payment gateways they find are not abiding by the guidelines; recently, on February 23, 57 payment aggregators were banned by the RBI.
Entities that stick to the guidelines of the RBI regarding payment aggregators and payment gateways get approved by the RBI. Recently, in February 2023, 50 more payment aggregators were approved by RBI.
The RBI bars foreign card payment network companies
In January 2023, PayU was given a time of 120 days to reapply for the payment aggregator's license, which they did, making them an approved entity by RBI.
No, it is free of charge. You must reapply as a payment aggregator to receive a payment aggregator license from RBI.
Incorporation under the Companies Act 1956, 2 members, 2 directors, PAN of the company, Address proof, 5-year business plan are certain rules for the establishment of a payment gateway.
RBI guidelines for payment gateways are in relation to escrow accounts, cyber security, merchant onboarding payment, safeguard measures against fraud, etc.
It should be a private or public limited company, must have PCI-DSS certification, net worth should be 15 crores, and must increase by 25 crores within 3 years of operation.
The biggest limitations of a payment gateway are that they keep their fee structure hidden, don't provide options for recurring payments, etc.
Customers need to fill in certain details like credit or debit card numbers, expiry date, and CVV to make a payment gateway transaction successful.
Yes, RBI issued separate guidelines in March 2020 to regulate payment gateways in India.
RBI notification of March 2020 regulates India's payment gateways and payment aggregators.
RBI, by way of a notification in March 2020, issues detailed guidelines to regulate the payment and its compliance with the payment regulators.
In India, it is the sole responsibility of RBI to make laws concerning organisations involved in electronic transactions related to business.
Google India, Razorpay and Cashfree Payments India Ltd. are some of the businesses approved as payment gateways by RBI.
PCI-DSS, i.e. the Payment Card Industry Data Security Standard, is the compliance required of a payment gateway.
The Payment Card Industry Data Security Standard (PCI-DSS) is the payment gateway compliance.
Payment gateways use front-end technology, which involves payment through cards, i.e. debit or credit card.
The user doesn't need to be PCI compliant; the payment gateway needs to be PCI-DSS compliant, i.e., it must comply with the payment card industry data security standard.