Every organization should have a framework for governance in an organization. Governance can be...
For regulating the activities of Payment intermediaries and providing technology-related recommendations to payment guidelines, the Reserve Bank of India issued final guidelines on March 17, 2020. This article covers the concept of payment aggregators and payment gateways and further covers various requirements under the guidelines.
In simple words, Payment Gateway is a software that allows online transactions. It serves as a gateway or channel that opens up when making an online transaction to transfer money from the payer’s wallet or debit/credit cards to the receiver.
Payment Aggregator is a service provider that includes all the payment gateways. Payment Gateway is just a technological base that requires a back end operator, and this function is fulfilled by the payment aggregator.
RBI guidelines have distinguished payment gateways as providers of technological infrastructure and payment aggregators as the entities facilitating the payment. The existing Payment Aggregator and Payment Gateway have different technological setup, and their infrastructure also changes frequently for providing a seamless customer experience.
RBI has intended to directly regulate payment aggregators, and it has provided an indicative baseline technology-related recommendation only. The guidelines issued by the RBI exclude Cash on Delivery e-commerce model from its purview. The guidelines came into effect from April 1, 2020, except for requirements for which a particular deadline has been prescribed.
The guidelines prescribe certain requirements that must be fulfilled by the payment aggregators within the specified time. The guidelines instruct non-bank entities providing the services of payment aggregators to be incorporated as a company under the Companies Act, being able to carry out the activity of functioning as payment aggregator according to its charter documents. Such entities must register themselves under the Payment and Settlements Act, 2007, in Form A.
RBI has laid down the capital requirements that are required to be followed by existing and new payment aggregators. The new Payment Aggregator and existing Payment Aggregator by March 31, 2021, must have a net worth of 15 crore rupees and 23 crore rupees by the end of the third financial year and thereafter. Non-compliance with the capital requirements will lead to winding up of the Payment Aggregators’ business.
With a view to supervising the implementation of the guidelines, a certification must be obtained from the statutory auditor to the effect certifying the compliance of the capital requirements.
The guidelines require the formulation and adoption of a board-approved policy for-
To deter the malafide intent of the merchants, the payment intermediaries (payment aggregator) must undertake background check of the merchants and must check Payment Card Industry Security Standard and Payment Application Data Security Standard compliance of the infrastructure of the merchants on board and carry a KYC of the merchants on board. Further, it provides for the incorporation of mandatory clauses in agreement to be executed with merchants.
The guidelines provide for reporting requirements monthly, quarterly, and annually. The annual requirement includes a certification from a Chartered Accountant (CA) and IS audit report and Cyber Security audit report.
The quarterly reporting provides for certification requirement, and monthly requirement requires a transaction statistic. Where there is a change in management requiring intimation to the RBI, there shall be a need for reporting. Moreover, there are non-periodic requirements, as well.
The payment aggregators must submit the System Audit Report plus a cybersecurity audit is done by CERT-In impaneled auditors to the respective regional office DPSS (Department of Payment and Settlement Systems) RBI, within two months of the end of the financial year.
The guidelines provide that the funds collected from the customers must be kept in an escrow account opened with any Schedule Commercial banks by the payment aggregators. The guidelines further state that the payment aggregator shall be deemed as Designated Payment System under section 23A of PSSA, 2007, to protect the funds.
The guidelines provide a specific list of permissible debits and credits from the escrow account:
The above-mentioned list of debit and credit into an account operated by an intermediary is broader than those permitted under the extant regulations. The provision of paying the amount held in escrow to another account on the merchant’s direction would enable cash flow trapping by third party lenders or financiers.