RBI

RBI Compliance for Payment Aggregators and Payment Gateways

The evolution of the Reserve Bank of India (further denoted as RBI) dates back to the pre-independence period. On 25 August 1920, the Royal Commission on the Indian Currency and Finance suggested the establishment of a central bank of India, which later on, in 1931, was backed by the Indian Central Banking Inquiry Committee. This continuous discussion resulted in the establishment of the RBI in the year 1935. Initially, it was a private shareholders bank with an office situated in Calcutta; later, it was shifted to Bombay. Initially, the printing of currency notes was the sole responsibility of the RBI, and in the year 1938, the currency notes of the denomination Rupees 5 and 10 were introduced. In the same year, a second batch of currency notes with denomination of Rs. 100,1000,10000 were issued. Post-independence, the Reserve Bank (Transfer of Public Ownership) Act of 1948 nationalized the RBI in 1949, and the two main functions of the Reserve Bank were carrying out the business of banking by the provisions of the act and managing the currency.

Functions of the Reserve Bank

Banker to the Government

It is authorized to make payments on behalf of the central government; all the money of the central government, its exchange, remittance, repo, and reverse repo are all dealt with by the RBI.

Right to Issue Banknote

• It is the sole authority to issue banknotes in India
• Issue department is responsible for the issuance and conduction of banknotes
• The central board of the RBI is responsible for matters relating to issuing and discontinuing any denomination of bank notes.
• The central board of the RBI then informs the central government regarding the denomination to continue or discontinue.
• The central government will approve the design, form, and material of the bank notes.

Formulates Banking Policy

In the interest of the public, the reserve bank is empowered to formulate banking policies, including the policies related to advances, rate of interest, terms, and conditions upon the advances.

Licensing Authority

Any banking business in India needs to have a license issued by the RBI; along with the power of granting licenses, the RBI also has the power to cancel the grant of a license or an already granted license.

Bankers Bank

To maintain the country’s monetary stability, the RBI maintains a cash reserve ratio of the banks listed in the second schedule and the nonscheduled banks. It makes loans and advances to scheduled banks or any financial institution.

Regulation and Management Of Foreign Exchange

It Regulates, Prohibits, and Restricts The Dealing In Foreign Exchange, Issues licenses to banks and other institutions, and acts as an authorized agency of India in the foreign exchange market.

Understanding the Origin and Concept Of Payment Aggregators And Payment Gateways

Who are Payment Aggregators and Payment Gateways

In a particular online transaction, once the customer performs the payments, the funds go to the payment aggregators. From them, they go to the merchant, based upon the criteria for settlement of transactions or the shipment of goods.

Nowadays, payment aggregators are all around us; any entity involved in business and dealing with customers is majorly working as a payment aggregator, and the funds get credited to their escrow account. Entities like Paytm, Phonepe, and Google are all payment aggregators.

Whereas the work of payment gateways is to facilitate a particular transaction, they take the merchant ID of a particular merchant and forward the transaction to his bank account.

Key Differences between Payment Aggregator and Payment Gateway

Payment aggregators are financial organizations that accept payments from merchants and offer in-person or on-call solutions. They connect the merchant account and payment gateway with card networks. They offer a variety of online options to make a payment, for example, bill desk and payUmoney.

Whereas payment gateways are cardless transactions that take place online or through a mobile application. They are software that makes a passage for a safe and secure transfer of money from a customer’s bank to the merchant’s bank account, for example, HDFC, ICICI, Razorpay, etc.

In the Indian ecosystem, mostly the payment aggregators’ model is followed, which is why RBI, in its guidelines, emphasizes the payment aggregators and the controls and governance that need to be imposed upon them.

Understanding the Concept of Payments

Payment infrastructure is mainly divided into two parts-

• Global payment

Global payments involve transactions that are to be done from India to somewhere outside India. The payment chain starts with a buyer who shops from a merchant. The merchant asks for payment details, and these payment details are provided to the payment service provider, who, through a payment gateway, asks for payment details from the acquiring bank for approval. This approval is sought through a VISA or master card, and after their approval, the approved decision goes to the issuing bank to complete the transaction.

• Local payment–

Transaction by a customer/buyer who makes a payment order through the UPI payment gateway provides a network to the payment aggregator who raises an authorization request to the payment aggregator partner bank. This partner bank sends an authorization request to NPCI (National Payments Corporation of India)¹. Then it sends an authorization request to the payer’s bank, thereby the payer receiving a debit request and then a debit notification completing the process of payment.

Why a Robust Infrastructure Is Required By A Payment Aggregator & Payment Gateway

To complete an online payment, third-party payment processors such as payment service providers, payment facilitators, and payment aggregators are responsible for processing transactions. The involvement of so many entities made the digital payment ecosystem advance, resulting in ease of payment but at the same time, caused security concerns for protecting and securing the sensitive data of the users; this was the main reason that accelerated the need for regulating the business of payment gateways and payment aggregators. It became necessary for Payment aggregators and gateways to have a robust system, security frameworks, and risk management policies and tools and apply these security controls and measures to both global and local payments.

 RBI Guidelines to Regulate Payment Aggregators & Gateways

In October 2016, India faced a major data breach when several banks announced that they would be recalling millions of debit cards because of a data breach that affected the backend of software that powered an ATM Network. These banks completely missed the warning signs of these data breaches until millions of fraud cases were detected. Similarly, In 2018, the Indian government database was breached, leaking the personal information of over 1 billion users. In January 2019, multinational financial institutions faced a data breach where the sensitive information of 3 million users was compromised. In April 2021, payment data of around 11 crore Indian card holders was infringed because of a payment aggregator.

Cases of continuous data breaches were at their peak, and no specific guidelines and measures were there to safeguard against future challenges; due to this, RBI issued guidelines to control and regulate the payment gateways and aggregators so that the right to privacy of an individual and their trust in the government and banking system could stay intact.

Guidelines

The RBI guidelines for the regulation of payment aggregators and payment gateways first came in the form of a notification dated 17^th March 2020, and then a further revised circular was issued on March 31, 2021; the consolidated guidelines issued by those were aboutdirections for opening, operation of accounts, and settlement of payments for electronic payment transactions involving intermediaries because of the rise in purchasing of online goods and services and making their payments through online mode and to safeguard these transactions and to make sure that the intermediaries receiving such payment remit such payment into the accounts of the merchants the buyer is buying goods and services online without any delay and RBI considering this a serious issue formulated guidelines under section 18 of the payments and settlements systems Act,2007 which states that RBI in public interest can regulate the management and operations of payment systems.

General Guidelines

1. In these guidelines, RBI defined the important terminologies, clarifying which were needed for a customer involved in an online transaction.
2. Intermediaries were defined as entities that collect monies, i.e. money from the customers for the payment of goods and services received from the merchant.
3. These intermediaries will be considered only when a transaction is made online.
4. A contractual obligation lies between a merchant and an intermediary, and the banks must make sure that no internal account is opened by the intermediary about the business conducted by the merchant.
5. The merchants were defined as providers of goods and services in electronic form and receiving the payments of the transaction involving their goods and services in electronic form only.
6. The bank accounts created for receiving payment from the customers through the intermediaries will be the internal accounts of the banks.
7. The banks must make sure that no intermediary is operating or maintaining these bank accounts.
8.  It was considered necessary to expedite the process of settlement from the bank to the merchant. The formula of T+2 was formulated for all the payments to the merchants that do not involve the transfer of funds to nodal banks, in this formula T being the date of intimation regarding the completion of the transaction plus 2 days and payments to merchants involving nodal banks involved a settlement cycle of T+3.
9. If there’s any balance fund in these internal accounts, they shall be used for the computation of net demand and time liabilities of the bank.
10. A concurrent audit will be conducted of these accounts, and the report shall be submitted to the Department of Payment and Settlement System RBI every quarter.
11. Compliance with these rules was made compulsory for all the intermediaries and merchants involved in these transactions.

Capital and Net Worth Related

1. Any payment aggregator will be authorized only when he abides by the minimum net worth criteria, which are rupees 15 crores at the time of application for authorization and 25 crores by the end of the third financial year of grant of authorization.
2. Nonbanking payment aggregators, i.e. which are third-party and not provided by the banks, need to provide a certificate from a chartered accountant as evidence of compliance that they fulfil the net worth requirement.
3. Payment aggregators who are newly incorporated and don’t have an audit statement of their finance accounts need to submit proof of their current net worth along with a provisional balance sheet, both approved and certified by a chartered accountant.
4. Those entities that have not attained the required net worth criteria will have to wind up their payment aggregation business.
5. The payment aggregators whose escrow accounts are maintained by the banks themselves need not provide any additional documents, and the bank needs no monitoring in these cases.

Governance

1. It is compulsory for a payment aggregator to be managed professionally, and the directors of these entities must confirm that they are as per the fit and proper criteria of the RBI. A declaration by the director in a requisite format needs to be submitted by the promoters of the payment aggregators.
2. The payment aggregators need to disclose information regarding merchant policies, customer grievances, privacy policies, and other terms and conditions on their websites and mobile applications.

KYC and Merchant Onboarding

The RBI mandated that the payment aggregators and payment gateways must comply with the KYC ( know your customer ) related mandates as prescribed under the Prevention of Money Laundering Act,2002, which prescribes a customer acceptance policy, customer identification procedures, monitoring of transactions and risk management related measures and safeguards.

Online Payment Gateway Service Providers for Cross-Border Transactions

Entities that are operating as online payment gateway service providers(OPGSP) and undertaking cross-border transactions must ensure the timelines for their transactions, must maintain the authorized mode of collection, and must adhere to the OPGSP) guidelines

Security, Fraud Prevention, and Risk Management Framework Controls

1.  Payment aggregators need to make an information security policy, which is to be approved by the board and, once approved, must be followed.
2. Any cyber security incident should be monitored and handled robustly, and a follow-up report must be kept of such incidents.
3. The payment system operators need to comply with the data storage requirements.
4. A system audit report is to be formed, which should include a cyber-security audit; the mandate for this audit is that the CERT-in empanelled auditors should conduct it.
5. It was directed to the payment aggregators that an option of ATM PIN as an authentication factor shall not be given in case a card is not present in transactions.

Controls for Merchant Onboarding for Payment Aggregators

1. A policy must be formed for merchant onboarding, and the board should approve it.
2. PCI-DSS and PA-DSS compliance of the merchant’s infrastructure, PADSS is not in existence anymore, and the framework of S3 is to be followed as compliance for merchant infrastructure.
3. It was directed to the merchant that his site must not save customer cards.
4. The Payment aggregators must vet their agreements with the merchants and must obtain periodic security assessment reports, i.e. the internal audits that have been made must be reported to the Payment aggregators and Payment gateways.
5. It must be ensured by the payment aggregators and payment gateways that instructions regarding merchant discount rate (MDR) are followed.
6. No limits should be placed on the transaction amount for a particular mode of payment.
7. An option of ATM PIN will not be a factor for authentications in case of transactions where cards are not present.
8. The refund policy must specify that the refund will be made to the original payment method unless the customer agrees to any other option.

Cyber Security Controls

Cyber security controls involve two angles within them: robust mechanisms for risk management and controls for incidence response, making forensics part of these controls.

 Controls which must be followed.-

• Information security governance
• Data security standards
• Security incident reporting
• Merchant onboarding
• Cyber security audit and reports
• Information security
• IT Governance, including the involvement of the board, IT steering committee, enterprise information model, and cyber crisis management plan

Controls which aren’t must be followed-

• Enterprise data dictionary
• Access to the application
• Competency of staff
• Vendor risk management
• Maturity and roadmap
• Cryptographic requirement
• Forensic readiness
• Data sovereignty
• Data security in outsourcing
• Payment application security

1. Applicable Compliances are
2. CERT-IN for System audit report and cyber security audit
3. PCI-SSC  & PA-DSS(S3)
4. Internal Audit – IS & IT AUDIT
5. ISO 27001 & COBIT (not a mandate)

Reports To Be Submitted-

Annually-

• Net worth certificate
• IS audit report and cyber security audit report

  Quarterly

• Auditor certificate on maintenance of balance in escrow account
• Bankers certificates on escrow account debits and credits

Monthly

• Statistics of transactions

   Non-periodic

• Declaration and undertaking by the director
• Report from banks in compliance with para 3.6
• Cybersecurity incident reports

Conclusion

The guidelines issued by the RBI in order to control and regulate the payment aggregators and payment gateways are serving their purpose, considering the significant increase in the role of payment aggregators and payment gateways for online transactions, but these notifications were the result of damage already caused when the reports of data breach circulated PAN India. In order to ensure the public good, It is the responsibility of The RBI to foresee the areas where their expertise and interference are needed from time to time to avoid the occurrence of any such damage.

FAQ’s

1. https://www.npci.org.in/