The rapid growth of digital payment systems in India has transformed the financial sector in the last few years. Debit and credit cards, net banking, digital wallets, and online transactions have become an integral part of everyday life. Payment aggregators (PA) and payment gateways (PG) play a crucial role in this digital payment system. Any non-bank entity that wants to operate as a payment aggregator in India must obtain a payment aggregator license, commonly referred to as RBI PA Authorization, before undertaking payment aggregation activities.
With increasing transaction volumes, ensuring security, customer protection, and financial stability has become essential. So, the Reserve Bank of India (RBI) is strengthening the regulatory framework. In September 2025, the RBI issued the Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025. It consolidates various directives into a unified regulatory framework.
Today, RBI audits are an important part of running a safe and trustworthy business for fintech companies, e-commerce platforms, and payment service providers.
A Payment Aggregator (PA) is an organization that helps merchants accept various types of digital payments. When a customer pays for an online purchase, the payment aggregator receives the money and later sends it to the merchant at a specified time.
There are three types of payment aggregators:
Since payment aggregators handle customer funds directly, the RBI subjects them to stricter regulatory oversight.
A Payment Gateway (PG) is a technical infrastructure provider. It helps in exchanging payment information between the customer, the merchant, and the bank.
It does not hold or handle any funds. Its main function is to route payment data securely and help in completing transactions successfully. So, a payment gateway is considered a technology service provider.
In short, a payment aggregator handles money, while a payment gateway provides technical connectivity. The regulatory and audit obligations for payment aggregators are therefore much higher.
After India’s digital payment ecosystem expanded rapidly, the RBI issued its first important guidelines in 2020 to regulate this sector. These guidelines regulate the activities of payment aggregators and set some basic technical security standards for payment gateways.
The RBI issued various circulars and instructions before consolidating them in the 2025 directions. However, confusion arose in many cases due to multiple rules. RBI issued the Master Direction on Regulation of Payment Aggregators in September 2025. It has created a single regulatory framework by combining various previous guidelines and circulars. Currently, it is considered the most important regulatory document related to payment aggregators.
Key Objectives of the RBI Framework
The key objectives of this regulatory framework of the RBI are:
Applicability of the Master Direction
Through this master direction, RBI has brought the entire payment aggregator ecosystem under a common regulatory framework. It helps to build a safe and transparent digital payments environment.
It is mandatory to obtain the RBI’s approval to operate a non-bank payment aggregator (PA) in India. This approval is granted under the Payment and Settlement Systems Act, 2007. The applicant entity must be a company registered under the Companies Act, 2013, and must have payment aggregation activities as part of its business.
Also, the directors, promoters, and key management personnel of the entity must meet RBI’s Fit and Proper criteria. RBI assesses the financial condition, business history, reputation, and management capacity of the applicant before approving.
RBI wants payment aggregators to be financially strong. Hence, they must have a minimum net worth of ₹15 crore at the time of application. This will have to be increased to ₹25 crore within three years of approval and will have to be maintained thereafter.
Payment aggregators that have foreign direct investment (FDI) are required to comply with RBI requirements as well as FEMA and the applicable FDI policy. RBI expects FDI-backed entities to comply with all requirements related to ownership structure, source of funds, and regulatory reporting.
The RBI Payment Aggregators and Payment Gateways Audit is a comprehensive compliance and security assessment process. This audit verifies whether an entity is properly following RBI guidelines, cybersecurity standards, and operational rules.
This audit is especially critical for payment aggregators because they handle customer funds. PGs are mainly assessed from a technology and security-control perspective. Regular audits assess the security measures, risk management processes, and regulatory compliance status of the institutions.
At this stage, the institution’s IT Governance Framework, Information Security Policy, IT Steering Committee, and technology management policies are reviewed. This helps to understand the effectiveness of managing technological risks.
A crucial part of the audit is the cybersecurity assessment. Access control, network security, encryption, vulnerability assessment, and other security controls are tested here.
All payment data must be stored and processed in India as per RBI guidelines. During the audit, issues related to data storage, data flow, and data localization are verified in detail.
The merchant onboarding process, KYC verification, customer due diligence (CDD), and AML-related controls are assessed. This identifies fraudulent and high-risk merchants.
The payment aggregator’s escrow account management, fund segregation, settlement timeline, and transaction reconciliation are tested. This helps keep the money of customers and merchants safe.
Reports, audit documents, net worth certificates, escrow certificates, and other compliance documents submitted to RBI are verified. This ensures the accuracy and timely submission of reporting.
One of the most important parts of the RBI payment aggregator framework is cybersecurity and regular security audits. A huge amount of financial information is exchanged every day in the digital payment ecosystem. So, RBI has prescribed various mandatory security measures to keep customer information safe and protect the system from cyber threats.
As per the RBI guidelines, payment aggregators are required to complete a cybersecurity audit every year. This audit must be conducted by a CERT-In empaneled auditor. The organization’s security arrangements, risk management, and regulatory compliance are verified through an independent and impartial assessment. The audit report is to be submitted to the RBI within the stipulated time after the end of the financial year. Generally, the IS audit and cybersecurity audit reports are expected to be completed by 31st May every year.
Payment aggregators must comply with PCI-DSS and PCI-SSF security standards, as applicable. These standards are designed to protect cardholder data, prevent data theft, and ensure a secure payment environment. RBI places special emphasis on compliance with these standards.
VAPT identifies vulnerabilities in an organization’s network, applications, and technical infrastructure. As per RBI guidelines, payment aggregators should conduct VAPT every six months so that potential security risks can be identified and addressed in advance.
In addition to external audits, payment aggregators are required to conduct internal security audits every quarter. This allows for regular monitoring of security controls, user access, and operational risks.
If any cyberattack, data breach, or security incident occurs, it must be reported to RBI and CERT-In immediately. Delay in reporting may lead to regulatory action. Therefore, organizations need to have an effective incident response framework.
Payment aggregators are required to keep the funds received from customers in an escrow account. This account keeps customer funds separate from the organization’s own business funds. As per RBI rules, the escrow account must be opened with a scheduled commercial bank (SCB).
Payment aggregators are required to submit specific reports related to the escrow account to the RBI every quarter. This includes the Auditor’s Certificate and the Banker’s Certificate. These documents are used to verify the balance and fund management of the escrow account. These reports are to be submitted to RBI by the 15th of the month following the end of each quarter.
Additional rules apply to cross-border payment aggregators. They are required to maintain separate escrow accounts for inward and outward transactions. RBI does not allow netting-off, and international transactions are subject to FEMA and foreign exchange regulations.
RBI has made regular reporting mandatory for payment aggregators. These reports help RBI monitor the financial health, security arrangements, and operational activities of the institution.
Every year, payment aggregators are required to submit a net worth certificate, system audit report, cybersecurity audit report, and other necessary compliance documents to the RBI. These reports help in verifying the financial strength and regulatory compliance of the institution.
The auditor’s certificate and banker’s certificate are required to be submitted every quarter. These reports are used to verify the accuracy of escrow account balance, fund management, and transaction reconciliation.
Payment aggregators are required to submit transaction statistics, transaction volume, and other activity information to the RBI every month. The regulatory authority can monitor the market activities through this.
The RBI Payment Aggregator (PA) and Payment Gateway (PG) audit is a structured process that follows these steps:
First, the scope of the audit is determined: the systems, processes, and compliance areas to be reviewed are identified. The necessary information exchange between the auditor and the organization is also completed in this step.
In this step, policies, security documents, reports, and other compliance records are reviewed. In addition, potential gaps are identified by comparing the existing system with the requirements of RBI.
System security, access control, data protection, and regulatory compliance are tested. Technical vulnerabilities and security risks are also assessed.
Escrow account management, fund segregation, settlement process, and financial control system are verified.
The risks, weaknesses, and compliance deficiencies found during the audit are analyzed. Their potential impact is also assessed.
A detailed audit report is prepared with all the observations and recommendations and submitted to the RBI as required.
Corrective actions are taken to resolve the issues found in the audit. The next stage is to conduct a follow-up review to ensure that the corrections have been implemented.
Some common compliance errors are often found during audits. If these errors are not resolved in a timely manner, they can create regulatory risks.
Failure to follow RBI’s audit and compliance requirements may result in various regulatory and business issues for the organization.
RBI’s Payment Aggregator and Payment Gateway regulations are extensive and constantly changing. Many organizations face challenges in approval, audit preparation, reporting, and ongoing compliance management. Enterslice helps simplify and streamline the entire process. Our experienced professionals provide the necessary guidance and support to operate a business in line with the RBI regulatory framework.
Our Services-
India’s digital payments sector is evolving, and the RBI is strengthening the regulatory framework. It is expected that more emphasis will be placed on cybersecurity, data protection, and risk management in the future.
Some of the key trends are:
The RBI Payment Aggregator and Payment Gateway Audit is an important part of ensuring the security, transparency, and reliability of the digital payment ecosystem. Through this audit, the regulatory compliance, technical security, and operational capabilities of the institutions are assessed.
Some special focus needs to be given to a few key issues, such as RBI authorization, cybersecurity audits, escrow account compliance, regulatory reporting obligations, and merchant due diligence. If institutions adopt effective compliance management in advance, they can reduce regulatory risks and ensure business sustainability.
Enterslice helps institutions meet RBI Registration, Regulatory Approvals, Cybersecurity Compliance, Audit Readiness, FEMA and FDI Compliance, and ongoing legal and regulatory obligations. This allows payment aggregator and payment gateway service providers to operate with more confidence in India’s changing digital payment landscape.
The primary difference between a Payment Aggregator (PA) and a Payment Gateway (PG) audit is the financial management aspect. A payment aggregator receives customer funds and settles them with the merchant. Their audit examines the escrow account, settlement process, financial reconciliation, and capital requirements in detail. On the other hand, the Payment Gateway does not handle funds. Their audit focuses on system security, data protection, and technical controls.
Yes, all non-bank payment aggregators are required to obtain authorization from the RBI as per the current RBI rules. This authorization is granted under the Payment and Settlement Systems Act, 2007. However, banks do not require separate authorization to operate as payment aggregators. Operating payment aggregation activities without RBI authorization is a regulatory violation for non-bank PAs.
As per RBI rules, the minimum net worth of the organization while applying as a payment aggregator should be ₹15 crore. This net worth should be increased to ₹25 crore by the third financial year after getting approval. The organization should always maintain a net worth of at least ₹25 crore. RBI wants to ensure that only financially stable organizations are working in this sector through this.
The RBI PA-PG System Audit can be conducted only by a CERT-In empaneled auditor. Only auditors empaneled with the Indian Computer Emergency Response Team (CERT-In) can complete this audit. The organization's internal IT team or a general finance auditor cannot issue the required independent system audit report unless they are duly qualified and empaneled as required. RBI has imposed this condition to ensure an independent and impartial assessment.
Payment aggregators are required to complete a cybersecurity audit at least once a year. This audit assesses the organization's security measures, risk controls, and technical infrastructure. As per RBI guidelines, the audit report has to be submitted within the stipulated time frame. It is possible to identify potential security vulnerabilities through regular audits.
RBI has made various types of security assessments mandatory for payment aggregators. A system audit and a cybersecurity audit have to be done every year. Vulnerability Assessment and Penetration Testing (VAPT) need to be conducted every six months. It is also considered a good practice to conduct a quarterly internal security review. These tests play an important role in maintaining the security of the system.
Yes, as per the RBI's data localization policy, both payment aggregators and payment gateways have to store payment-related data in India. During the audit, it is verified whether transaction logs, customer data, and security credentials are stored on servers located within the country. This rule makes data protection and regulatory oversight more effective.
Payment aggregators are required to submit various types of reports to the RBI regularly. These include the Annual Cybersecurity Audit Report, Net Worth Certificate, Quarterly Escrow Certificates, and Monthly Transaction Reports. In addition, additional information may be required to be submitted in certain situations. Timely and accurate reporting is an important part of RBI compliance.
If a payment aggregator fails the audit or fails to meet important compliance conditions, the RBI can take strict action. This may include monetary penalties, additional supervision, suspension, or cancellation of authorization. In severe cases, the institution may also have to stop payment aggregation activities.
No, as per RBI rules, an entity cannot operate as an e-commerce marketplace and a payment aggregator within the same legal entity. To carry out payment aggregation activities, a separate legal entity and the necessary RBI authorization must be in place. This ensures transparency and risk management.
Any major cybersecurity incident, data breach, or system compromise must be reported to RBI and CERT-In immediately. RBI expects the incident to be reported as soon as possible. Delayed reporting may raise regulatory concerns, and additional investigation or action may be taken when necessary.
In terms of financial compliance, payment aggregators have to demonstrate a minimum net worth of ₹15 crore at the time of application. This amount must be increased to ₹25 crore by the end of the third financial year after authorization. Moreover, the net worth of ₹25 crore has to be maintained continuously thereafter. This issue is verified during the audit.
Auditors check the turnaround time (TAT) of merchant settlement. They review sample transactions to ensure that the customer's money has reached the merchant within the stipulated time. Adhering to the settlement timeline is very important for payment aggregators, as it helps in maintaining the trust of customers and merchants.
Payment aggregators should conduct regular internal reviews, security assessments, and compliance checks to prepare for the RBI audits. It is good practice to keep documentation up to date, properly perform escrow reconciliation, maintain KYC records, and coordinate with CERT-In auditors in advance. This simplifies the audit process and reduces compliance risks.
Enterslice assists payment aggregators with registration, RBI authorization, compliance assessment, and audit readiness. It also assists with cybersecurity compliance, escrow reporting, FEMA and FDI compliance, regulatory documentation, and ongoing legal compliance management. This enables organizations to conduct business more efficiently and in line with RBI regulations.