RBI Extends timelines for payment system compliance by payment intermediaries

Varun Hariharan

09 Jun, 2020

In the era of digitization, the financial services sector in India has disrupted traditional modes of dealing with customers. Customers prefer using mobile-based applications when compared to visiting banks. In the same way, payment intermediaries have evolved their operations with time. Payment intermediaries have taken over the working of the financial system in India.

What are payment intermediaries?

Payment System intermediaries or payment intermediaries are companies and operators that facilitate the payment systems. They are the primary operator for payment systems in the country. In simple terms, a payment intermediary is a connector between the Merchant Bank and the customer. Previously, payment systems in the country were dependant on traditional banking services. With the evolution and digital lending, payment intermediaries have become more revolutionized.  In the past, there was no regulation governing the operation of payment intermediaries and payment system intermediaries. 

With the development of technology and finance, regulating payment systems is a crucial need for society. The Reserve Bank of India (RBI) came out with specific requirements for the operation of payment system intermediaries. This was considered in a white paper that was introduced in 2009 to facilitate the operation of payment system intermediaries.

Regulation for Payment Intermediaries

The common topics stressed in the white paper were on Payment Gateways and Payment Aggregators. The existing regulation was not systematic regarding the operation of payment intermediaries. Furthermore, there is no clarity in this regulation. Market participants in the discussion were uncertain about the regulation. Lack of transparency in the payment system regulation does not provide scope whether payment intermediaries were regulated by limited means or by full means.

Because of this, the RBI brought out final guidelines for the operation of payment intermediaries. These guidelines were brought out on March 17, 2020. However, they have come into force in April 2020. Some of the recommendations in these guidelines were focussed on technological innovations.

What is a Payment Gateway?

A payment gateway is a software or API (Application Programming Interface) that acts as a link between two or more websites. Therefore, the payment gateway acts as a connection between two websites. Whenever an online transaction takes place, then the payment gateway comes into operation. In other words, the payment gateway is considered as an e-interface for carrying out payment transactions using the software.

Payment Gateway is considered more to be an online channel for carrying out financial transactions. According to the RBI, Payment Gateways are just entities that channel the funds using software without having access to the actual funds of the customer.

What is a Payment Aggregator?

A Payment Gateway is merely a technological base for carrying out payment transactions on behalf of customers. Payment aggregators, in simple terms, are considered as a software back end operator. The operation is carried out by a company or a software firm. This is considered as a payment aggregator. For a payment aggregator, a merchant account has to be opened by the bank. Several merchant accounts can be opened for the payment aggregator. Apart from a merchant account, one Escrow account is opened. 

If one escrow account is opened, then multiple merchant accounts are not required to be opened. The RBI enunciates the meaning of payment aggregator as a company that allows e-commerce and merchant sites to meet their payment obligations by carrying out various transactions. These transactions are carried out without having to create a payment integration system of their own. Therefore, payment aggregators play the role of handling funds of the customer. However, the payment gateway is not privy to handling funds of the customer.

On further interpreting the definition provided by RBI, two meanings can be devised for payment aggregator. The payment aggregator comes under the meaning of an e-commerce company. However, there is a separate regulation for payment intermediaries. Therefore if the RBI definition for payment aggregator is considered, then there are two separate meanings for the term payment aggregator, which would bring up dual regulation for payment aggregator.

How do Payment Aggregators work?

The settlement of cash transactions works through the electronic process transactions system, which applies to intermediaries. The process of the payment aggregator is driven by technology, and this does not include systems where the customer provides cash for the delivery of payment services.

E-Commerce transactions for retail goods have the system where the customer can make payment using cash on delivery. However, this cannot be applied to payment systems. The use of cash on delivery for payment systems integration was also excluded in the discussion paper of the RBI. The above guidelines apply to payment intermediaries that cover both banking and non-banking companies.

How to start payment intermediaries?

Typically the individual who wants to incorporate a payment intermediary has to set up a company under the Companies Act 2013 or previous company law. Along with the incorporation documents, the company has to submit documentation such as a memorandum of understanding and articles of association to the Registrar of Companies (ROC). Apart from this, the payment aggregator has to also register with the RBI as per the Payment and Settlement Systems Act, 2007 (PSSA Act). Registration should be made on Form-A of the PSSA Act.

For starting a payment aggregator, the minimum net worth required for the company is 15 crore (for making a new application) and 25 crores (for existing payment aggregators). This requirement must be met by the end of the third financial year of March 31, 2023. According to the RBI in their discussion paper, initially, the working capital and net worth requirement of a payment aggregator was 100 crore. However, this amount has been reduced, considering the changing circumstances of finance.

To ensure that compliance is maintained regarding the above, a certificate from a statutory auditor is also required for the same.

What are the policies offered by payment intermediaries?

The policies offered by the payment aggregator must be according to the norms which are prescribed by the board.

The following are the policies that can be considered by a payment aggregator.

• On-Boarding Services which are offered by Merchant banks.
• Disposal of complaints, grievance handling procedure, governance procedures, disciplinary committees, refund policy as per the requirement of the company, Turn around Time (TAT) requirements according to the needs of the RBI.
• Security policy for information which is stored by the payment aggregator.
• Baseline technology recommended IT Policy.

Risk Management Policy

The payment aggregator has to also make sure a proper risk management framework is in place with the company. Payment Aggregators have to ensure that proper systems are present for reporting cybersecurity threats. Payment aggregators are not allowed to have credit card information or customer PINs stored on their servers.

Compliance with the KYC requirements

Payment aggregators have to maintain a database with the details of all merchants. Before taking a merchant, the payment aggregator has to ensure that merchants on boarded have Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance. The payment aggregator also has to make sure that the grievance procedures followed are as per the RBI TAT^[1]. These procedures are similar to that of the grievance mechanism operated by NBFCs.

Reporting compliances that have to be carried out by payment intermediaries

Like all entities, payment intermediaries such as payment aggregators are also required to report compliances under various laws.

The various compliances that have to be followed by a payment aggregator are as follows:

• The monthly, quarterly, and annual compliances are to be compulsorily followed by a payment aggregator.
• A chartered accountant is required to provide a report on the compliances followed by a payment aggregator.
• IS Audit Report and cybersecurity compliance are required to be produced by the payment aggregator.
• A certificate is required for quarterly reports.
• For all transactions which are carried out monthly, a monthly report is required to be produced.
• Reporting on any form of material adverse change in the company must be reported by the company. This form of reporting includes the changes in the directors and management of the company. A declaration and undertaking are required to effect such change. The change must be reported to the RBI within 15 days.
• Periodic reports, as well as non-periodic reports, are required to be submitted by the payment aggregator.
• Apart from the above reports a systems audit report, cybersecurity report as per the CERT specification must be submitted within two months of the financial year’s ending. This must be submitted to the office of the DPSS, RBI.
• Under this system, payment aggregators are required to maintain an escrow account for conducting transactions on behalf of customers. The guidelines specify that all payment aggregators have to open an escrow account with a scheduled commercial bank. This is according to the requirement of the PSSA Act.
• There is no requirement of maintaining a nodal account under the system; instead, the payment aggregator has to maintain an escrow account. The benefits of the nodal account are transferred to the escrow account.

Therefore a payment aggregator operates as a medium between the merchant bank and the customer. One can say that the relationship which the payment aggregator maintains with the customer and the merchant bank is a tripartite agreement. The payment aggregator handles all payment transactions on behalf of the customers. The above compliances have to be reported by a payment aggregator.

Extension of compliance timeline for reporting by payment intermediaries

The effect of the Covid-19 pandemic has severely affected the Indian economy. Covid-19 is taking a toll on the global economy and has caused widespread recession, which none have witnessed. Various regulatory authorities such as the Ministry of Corporate Affairs (MCA) and ROC have extended their deadlines for filing compliances. The income tax department has also taken this measure to extend submission of income tax returns.

The RBI has taken similar steps for extending the deadline for reporting compliances for payment intermediaries.

The extension of time is carried out for the following:

• Issuance and Operation of Prepaid Payment Instruments (PPIMD),
• Enhancing Security of Card Transactions, on Harmonisation of Turnaround Time (TAT),
• Customer Compensation for Failed Transactions using Authorised Payment Systems,
• Guidelines on Regulation of Payment Aggregators and Payment Gateways.

Due to the current situation of Covid-19, the RBI has extended the compliance reporting requirements. The following are the extensions made by the RBI:

The RBI has extended the time for reporting compliance for payment aggregators seeing the current scenario related to Covid-19. This is to ensure that payment aggregators follow compliances to avoid penalties by various regulatory bodies like the RBI.

Conclusion

Also, read: Guidelines mandated by RBI on Regulation of Payment Aggregators