RBI to regulate the operation of Payment Intermediaries

Ashish M. Shaji

24 Jun, 2020

For regulating the activities of Payment intermediaries and providing technology-related recommendations to payment guidelines, the Reserve Bank of India issued final guidelines on March 17, 2020.  This article covers the concept of payment aggregators and payment gateways and further covers various requirements under the guidelines.

Payment Aggregator and Payment Gateway

In simple words, Payment Gateway is a software that allows online transactions. It serves as a gateway or channel that opens up when making an online transaction to transfer money from the payer’s wallet or debit/credit cards to the receiver.

Payment Aggregator is a service provider that includes all the payment gateways. Payment Gateway is just a technological base that requires a back end operator, and this function is fulfilled by the payment aggregator.

RBI guidelines have distinguished payment gateways as providers of technological infrastructure and payment aggregators as the entities facilitating the payment. The existing Payment Aggregator and Payment Gateway have different technological setup, and their infrastructure also changes frequently for providing a seamless customer experience.

Coverage of Guidelines: Payment Intermediaries

RBI has intended to directly regulate payment aggregators, and it has provided an indicative baseline technology-related recommendation only. The guidelines issued by the RBI exclude Cash on Delivery e-commerce model from its purview. The guidelines came into effect from April 1, 2020, except for requirements for which a particular deadline has been prescribed.

Registration Requirement: Payment Intermediaries

The guidelines prescribe certain requirements that must be fulfilled by the payment aggregators within the specified time. The guidelines instruct non-bank entities providing the services of payment aggregators to be incorporated as a company under the Companies Act, being able to carry out the activity of functioning as payment aggregator according to its charter documents. Such entities must register themselves under the Payment and Settlements Act, 2007^[1], in Form A.

Capital Requirement: Payment Intermediaries

RBI has laid down the capital requirements that are required to be followed by existing and new payment aggregators. The new Payment Aggregator and existing Payment Aggregator by March 31, 2021, must have a net worth of 15 crore rupees and 23 crore rupees by the end of the third financial year and thereafter. Non-compliance with the capital requirements will lead to winding up of the Payment Aggregators’ business.

With a view to supervising the implementation of the guidelines, a certification must be obtained from the statutory auditor to the effect certifying the compliance of the capital requirements.

Policy formulation

The guidelines require the formulation and adoption of a board-approved policy for-

• Merchant on-boarding.
• Complaints disposal, dispute resolution, timelines for processing refunds, etc.
• Information security policy operated to implement security measures to mitigate identified risks.
• IT policy (according to the Baseline Technology related recommendations).

Merchant onboarding and KYC compliance

To deter the malafide intent of the merchants, the payment intermediaries (payment aggregator) must undertake background check of the merchants and must check Payment Card Industry Security Standard and Payment Application Data Security Standard compliance of the infrastructure of the merchants on board and carry a KYC of the merchants on board. Further, it provides for the incorporation of mandatory clauses in agreement to be executed with merchants. 

Reporting Requirements

The guidelines provide for reporting requirements monthly, quarterly, and annually. The annual requirement includes a certification from a Chartered Accountant (CA) and IS audit report and Cyber Security audit report.

The quarterly reporting provides for certification requirement, and monthly requirement requires a transaction statistic. Where there is a change in management requiring intimation to the RBI, there shall be a need for reporting. Moreover, there are non-periodic requirements, as well.

The payment aggregators must submit the System Audit Report plus a cybersecurity audit is done by CERT-In impaneled auditors to the respective regional office DPSS (Department of Payment and Settlement Systems) RBI, within two months of the end of the financial year.

Escrow Account: Payment Intermediaries

The guidelines provide that the funds collected from the customers must be kept in an escrow account opened with any Schedule Commercial banks by the payment aggregators. The guidelines further state that the payment aggregator shall be deemed as Designated Payment System under section 23A of PSSA, 2007^[2], to protect the funds.

Permissible debits and credits

The guidelines provide a specific list of permissible debits and credits from the escrow account:

Permissible Debits

• Payment to merchants and service providers;
• Payment to any other account as directed by the merchant;
• Transfer representing refunds for failed or disputed transactions;
• Commission to the intermediaries;
• Payment received under promotional activities.

Permissible Credits

• Payment from customers towards the purchase of goods or services;
• Pre-funding by merchants or payment aggregators;
• Transfer representing refunds for failed or disputed, returned or canceled transactions;
• Payment of amount received for onward transfer to merchants under promotional activities.

The above-mentioned list of debit and credit into an account operated by an intermediary is broader than those permitted under the extant regulations. The provision of paying the amount held in escrow to another account on the merchant’s direction would enable cash flow trapping by third party lenders or financiers.

Conclusion

Also, read: RBI Extends timelines for payment system compliance by payment intermediaries