Overview of Payment Aggregator License in India

The payment aggregator license in India is granted to facilitate online transactions between customers and merchant legal entities registered under the Companies Act of 2013. The issue of payment aggregator licenses in India simplifies and transforms the payment structure of merchant businesses. It is regulated under the RBI guidelines, which detail provisions for controlling the overall procedure, pre-requisites, charges, capital requirements, customer grievance cell, security, and fraud protection framework for obtaining payment aggregator licenses in India.

Who are Payment Aggregators?

A Payment Aggregator, also known as a Merchant Aggregator, is a service provider through which payments can be made using mobile devices and e-commerce merchants can process payment transactions. An aggregator permits a merchant to accept card payments and bank transfers without opening a bank account with a bank or a credit card association. Merchant aggregators provide an easy and cheap way of accepting payments that can help a small business get off the ground quicker. One of the purposes of a payment aggregator is to provide a streamlined payment solution that is a shortcut to traditional payment methods. Payment aggregators include payment gateways, whereas payment gateways cannot include payment aggregators.

As per a recent report, the payment aggregator market in India, valued at 9.5 trillion INR, is projected to increase 2.4 times due to high-value transactions. It is anticipated that there will be a 19% compound annual growth rate over the next five years, leading to a total of 22.6 trillion INR by the financial year 2025.

Key Features of Payment Aggregators

The payment process plays a crucial role in buyers' online shopping experience. This makes a payment aggregator a crucial tool for companies, allowing them to craft a smooth payment experience for their clients.
Payment aggregators also allow customers to utilise various payment options and have a smooth checkout process. Let us discuss the key features in detail:

1. Onboarding, Integration & Merchant Account
In e-commerce, companies occasionally collaborate to offer services. Imagine a financial management platform accommodating multiple asset management firms (AMCs). For the end user to invest, the portal must offer the option to make payments to the AMCs. By collaborating with a payment aggregator, you can include sub-merchants by inputting their name and email or providing them with a referral link from your dashboard. Partners have the option to bring on sub-merchants using APIs as well. Sub-merchants can finish the KYC process directly through the partner's dashboard.

2. Safe Payment Processing
Highly sensitive payment information must be handled with the utmost care. Compromising this information can lead to severe outcomes for your Company. To ensure information security, payment aggregators:
Invest in the highest quality infrastructure;
Don't store any sensitive info;
Tokenise digital card numbers to prevent any leakage.

3. Fraud Detection & Prevention
If a business or individual falls victim to sharing account information and passwords due to a scam, they risk losing their money. To address this issue, the payment aggregator guidelines provided below are adhered to:
Payment aggregators study the payment activities of clients as well as previously detected fraud activities.
They use machine learning to identify patterns in client transactions and detect common characteristics of fraudulent transactions.

4. Multiplicity of Payment Options
Limited payment options will obstruct a customer's payment process. You can integrate with a payment aggregator to receive payments through various methods, including credit cards, debit cards, pay-later options, and EMIs on cards.

5. Customer Support
Payment aggregators dedicate significant resources to customer support teams skilled at addressing different types of issues and obstacles faced by customers. Certain users may need to monitor the status of payments or revisit historical payment records.

Types of Payment Aggregators in India

The different types of payment aggregators are authorised to be registered under the regulations laid out by the Reserve Bank of India. Consider the following categories that fall under the ambit of payment aggregators in India:

1. Bank Payment Aggregators
Earlier, only banks used payment aggregators by employing diverse payment methods like Razorpay, PayU, Billdesk, etc. The banks hold the authority over bank payment aggregator licensing irrespective of the RBI's authority.

2. Third-Party Payment Aggregators
Third-party payment aggregators are non-bank payment aggregators which require approval from the Reserve Bank of India. PayPal, Stripe, and GooglePay are some of the widely used third-party payment aggregators.

Businesses Eligible for Payment Aggregator License in India

The Reserve Bank of India regulates specific business entities to issue their payment aggregator license in India. E-commerce, small and medium-sized, mobile-wallet providers, subscription-based, non-profit, event, digital content-creating, online travel agencies, ticketing, software, and technology companies are some of the leading business enterprises eligible to apply for a payment aggregator license in India.

Documentation for Payment Aggregator License

Certain essential documents are needed for successfully registering and obtaining a payment aggregator license in India. Consider the following documents:
Certificate of incorporation of the Company received from the Registrar of Companies (ROC);
Company incorporation documents like memorandum and articles of association;
Copy of the formal board resolution authorizing the issue of payment aggregator license;
PAN Card or Address proof of the directors of the company;
DSC and DIN number of the directors of the company issuing payment aggregator license;
Address proof of the business location;
Details of the bank account of the company;
Preparation of KYC documents;
NBFC Business Plan of the company for five years;
Code testing report by a software agency;
The detailed structure of the ownership and shareholding status of the company obtaining payment aggregator license;
Technology infrastructure details of the company;
Compliance and anti-money laundering policies;
Copy of the partnership agreement (if any).

Basic IT Requirements for Payment Aggregator License

Businesses are required to adhere to specific IT security measures before applying for the payment aggregator license in India. Complying with the security mandates establishes a secured foundation for carrying out business activities. The recommended IT security measures to be adopted by the Payment Aggregators are as follows:

1. Information Security Governance
The organizations shall carry out a comprehensive security risk assessment of their people, IT, and business process environment. It must also identify risk exposures with remedial measures and residual risks. Reports on the risk assessment, security audit reports, security compliance posture, and security incidents shall be presented to the Board by the entities.

2. Data Security Standards
Data security standards like PCI-DSS and PA-DSS, as well as the latest encryption standards, Transport Channel Security, etc. shall be put into practice for obtaining an aggregator payment license in India.

3. Merchant Onboarding
The organizations shall undertake detailed security assessments during the merchant onboarding process to ensure that these minimal baseline security controls are followed by the merchants.

4. Security Incident Reporting
The entities need to report security incidents or any type of breach in cardholders' data to RBI within a time frame of 2-6 hours. Monthly reports related to cyber security incidents and preventive actions are also to be submitted to RBI.

5. Cyber Security Audit and Reports
Entities like banks and third-party aggregators must quarterly submit their internal annual and external audit reports to the IT Committee established for the purpose.

6. Risk Assessment
The risk assessment must identify the threat or vulnerability combinations and the likelihood of impact on the confidentiality, availability, or integrity of that asset from a business, compliance, and contractual perspective.

7. Access to Application
For administering an application system, the procedures shall be documented, approved by the application owner, and kept up to date. The principle of least privilege and need to know, commensurate with job responsibilities, shall apply while accessing the application.

8. Competency of IT Staff
The resources must be trained with IT skills, and a periodic assessment of training requirements must be conducted for them.

9. Cryptographic Requirement
Merchant Aggregators shall select encryption algorithms that follow international standards and that have been subjected to rigorous examination by an international community of cryptographers or approved by authoritative professional bodies, reputable security vendors, or government agencies.

10. Forensic Readiness
All security events from the Payment Aggregator's infrastructure including application, servers, middleware, network, endpoint authentication events, web services, database, cryptographic events, and log files shall be collected, investigated, and analyzed for the proactive identification of security alerts.

11. Data Sovereignty
The Payment Aggregators shall take preventive measures to ensure storing data in an infrastructure that does not belong to external jurisdictions. Appropriate controls shall be considered to prevent unauthorized access to the data.

12. Data Security in Outsourcing
An outsourcing agreement shall be prepared to provide the 'right to audit' clause to enable Payment Aggregators or their appointed agencies and regulators to conduct security audits. Alternatively, the third party needs to submit an annual independent security audit report to the Payment Aggregators.

13. Payment Application Security
Payment applications will be developed as per PA-DSS guidelines and must comply with the specified guidelines. Payment Aggregators must review the PCI-DSS compliance status as part of their merchant onboarding process.

14. Security Incident Reporting
Cyber security incidents shall be reported by the Payment Aggregators to the regulator within 2-6 hours. Payment Aggregators must have an agreement with the merchants on security incident reporting.

Process for Obtaining Payment Aggregator License in India

The process of obtaining a payment aggregator license involves extensive research, compliance preparation, submission of documents, undergoing regulatory review, demonstrating ongoing compliance, and ultimately obtaining the license with the help of legal experts and following changing regulations for a successful result. The steps for obtaining a payment aggregator license are mentioned below for your better understanding:

1. Setting up under the Companies Act, 2013
If your company is willing to operate as a payment aggregator, it must be incorporated under the provisions of this Act. It is considered to be the first legal step to structuring your organization.

2. Authorisation from RBI under the PSS Act
If your organization is looking to work as a payment aggregator, then you need to obtain permission from the RBI under the Payment & Settlement Systems Act. This authorization is a basic necessity to participate in payment aggregator activities.

3. Capital Adequacy
Organizations looking to obtain a payment aggregator license must fulfill a minimum capital requirement of Rs. 15 crores. It is important to mention that the minimum capital needed must be raised to Rs. 25 crores within three years of starting operations. Sufficient financial stability is crucial for ensuring the long-term viability and dependability of payment aggregator services.

4. Mechanism for Anti-Money Laundering
Your organization also needs to establish a strong mechanism to fight against money laundering activities and other cyber frauds. It will also cover effective policies and procedures to prevent and detect money laundering. Simply put, the payment aggregators are necessarily required to duly register for KYC and AML to avoid money laundering fraud in the payment structure of the business.

5. Nomination of Nodal Officers
Payment aggregators need to nominate a nodal officer responsible for client redressal and the framework for dispute management. The officer plays a major role in addressing customer issues and making sure of efficient dispute resolution mechanisms.

Post-Licensing Compliances

Payment Aggregators must submit reports on an annual, monthly, or quarterly basis, as explained below:

1. Annual Report
The audited annual report must be attached with a CA certificate on Networth by the due date of 30th September.
The Audit Report and Cyber Security Audit Report are noted with observations, including corrective or preventive action planned, and must be audited externally by the due date of 31st May, along with the Networth Certificate as of 30th September for an unaudited self-declaration basis.

2. Quarterly Report
The Auditors' Certificate on Escrow Balance must be reported by the due date of the 15th of the month following the quarter's end, and the Bankers' Certificate on Escrow Account Debits and Credits must be internally audited by the due date of the 15th of the month following the quarter end. For marketplaces, the auditor's certificate on nodal accounts must be issued by the 15th of the month following quarter-end, and the Customer Grievances Report needs to be filed by the 15th of the month following the quarter-end. Lastly, the Cyber Security Audit Report, which is internally audited, must be filed by the 15th of the month following the quarter-end.

3. Monthly Report
The monthly reports comprise the statistics of the transactions, due by the 7th of next month, and a report of fraud, to be filed by the due date of the 7th of next month. Also, the Cyber Security Incident Reports, with complete root cause analysis, must be filed by the due date of the 7th of next month.

4. Non-periodic Reports
The non-periodic reports, including one-time technical audits, are necessarily required to be filed to record any major changes about to be made in the existence of the Board of Directors of the Company.

5. Security Incident Reporting
The payment aggregators in India hold a strong security mechanism for analyzing and reporting security incidents, breaches, or unauthorized access to secure timely actions.

6. Penalty for Non-Compliance
Under the provisions of the PSS Act, businesses or individuals acting as a payment aggregator without the necessary approval from RBI will attract penalties. It is right to say that the guidelines of RBI need to be followed.
What are the Benefits of Obtaining a Payment Aggregator License?

Obtaining a payment aggregator license simplifies online transactions by combining different payment methods into a single platform, providing fast setup, improved security, and a variety of payment choices. Payment aggregators simplify processes, lower expenses, and enhance customer satisfaction, enabling business growth and offering important data analysis. The benefits enjoyed through obtaining a payment aggregator license in India are mentioned below:

It becomes a bridge between the consumers on one end and merchants on the other end.
Generation of settlement on one end and merchants on the other end.
Role of processing and completion of the payment transactions.
It is a cost-effective and efficient approach for a large volume of smaller transactions.
The application process is very simple, which helps small businesses to function easily.
Setting up a payment aggregator is a quick and easy process. All it takes is signing up to process an e-Commerce payment.
It creates opportunities for more talents to enter the market and also gives consumers more options to buy.
The payment aggregator tends to provide a proposal for online transaction processing, with minimal or no startup fees and fixed costs.

What are the Risks Associated with Payment Aggregation?

The activities of payment aggregators in online transactions carry risks, which are as follows:

Organizations may be a source of risk in such a technology and customer-experience-intensive business if they have insufficient governance practices, which may affect customer confidence and experience.
The lack of proper redress mechanisms and uniformity in practice across the entities is also a matter of concern.
An aggregator is also at risk of some transaction fraud or chargeback which is associated with its sub-merchants.
Some e-commerce marketplaces offer payment aggregation services, which do not come under the direct regulatory ambit of RBI, which can be a huge concern for the aggregators. Hence, it can be charged under double regulation.
The payment aggregators also handle sensitive customer data. Managing data privacy and customer data can be a big task for aggregators. If the aggregators cannot manage the data, it can cause a risk of data loss and breach of privacy.

Comparison between Payment Aggregator and Payment Gateway

A payment aggregator simplifies the process of accepting payments for merchants by combining multiple merchant accounts and payment methods into one setup, removing businesses' need to maintain separate setups for payment acceptance. A payment gateway, by contrast, is a system that gathers, authenticates, and conducts fraud checks on customers' credit card details before transmitting them to the payment processor. Some differences between payment gateways and payment aggregators are mentioned below:

1. Payment Options
A payment aggregator allows multiple payment options whereas the payment gateway allows specific payment options or even restricts them.

2. Small Business
Payment gateways can use payment aggregators to be able to provide services to small businesses, whereas the transaction fees levied by payment gateways are too high & complex.

3. Based on Role
Payment aggregators act as an interface whereas the payment gateway acts as an intermediary.

4. Touchpoint Digitised
A payment aggregator provides offline and online touchpoints whereas the payment gateway provides online touchpoints including apps or websites.

5. Payment Success Rate
Payment aggregators have significantly higher payment success rates whereas the payment gateway can manage any.

6. Ownership
Payment aggregators are owned by the fintech companies whereas the payment gateway can be owned by private & public bank merchants, vendors & payment aggregators.

7. Permissions
Payment aggregators require the requisite certification as per the payment card industry data security standard (PCI-DSS) whereas the payment gateway requires RBI authorization under the Payment & Settlement Systems Act, 2007 (PSSA).

Why Choose Enterslice Services?

Enterslice is a consultancy company that focuses on business formation, meeting regulatory requirements, and offering financial advice. One of our areas of specialization involves helping businesses acquire different financial licenses, such as Payment Aggregator Licenses in India. Our services are dedicated to securing the Payment Aggregator and Payment Gateway Compliances. Here is a detailed outline of how Enterslice can assist a company in acquiring a Payment Aggregator License:

1. Comprehend Requirement
We will initially assist the business in comprehending the guidelines established by the Reserve Bank of India for acquiring a payment aggregator license. This involves knowing the requirements for eligibility, essential infrastructure, and compliance requirements.

2. Document Preparation
We will help with compiling and organizing all necessary paperwork. This entails the business strategy, system guidelines, leadership biographies, technology structure, and any other paperwork needed by the RBI.

3. Filing the Application
We will help complete the application form and make sure all information is accurately and thoroughly included. Also, we will make sure that all necessary documents are properly included.

4. Compliance & Liaison with RBI
After submission, we may serve as an intermediary between the RBI and the business, managing inquiries and any further information or documentation requests from the RBI.

5. Operational Setup
After the approval of the payment aggregator license, we could assist in establishing operations following RBI regulations. This could involve helping with technology implementation, configuring payment gateways, and linking with banks and financial institutions.