RBI issues guidelines to regulate payment aggregators
Three decades ago, India’s economic liberalisation led to a drastic change in its social and economic landscape, with the country consistently being one of the fastest growing economies in the world. The turn of the century saw telecom infrastructure in India grow exponentially, resulting in faster networks and increased accessibility to internet and data to the public. This set the platform for the development of e-commerce in India and resulted in an increased adoption of digital payments by buyers and sellers alike, requiring payment service providers to innovate and offer solutions designed to enable online merchants to seamlessly accept digital payments. Such service providers were subject to the supervision of the Reserve Bank of India (RBI) pursuant to a notification dated 24 November 2009 issued by the RBI (Intermediaries Directions), under which payment intermediaries were required to pool the funds collected from customers in separate ‘nodal’ accounts, and transfer such funds to the relevant beneficiaries within a specified timeframe in accordance with specified process.
As India now evolves as a ‘less-cash’ economy, the RBI reviewed the existing regulations applicable to such payment service providers in a discussion paper issued on 17 September 2019 (Discussion Paper), and highlighted a few concerns such as: (a) lack of proper systems for reporting of payments being routed; (b) inadequate governance practices impacting customer confidence and experience; and (c) absence of clear delineation of roles and responsibilities between merchants and customers, etc.
The RBI has now introduced an entirely new regulatory framework for payment aggregators under the Payment and Settlement Systems Act, 2007 (PSS Act) through the ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ issued on 17 March 2020 (Guidelines). The Guidelines will be effective from 1 April 2020.
Ø Scope of activities of payment aggregators and payment gateways
§ Payment aggregators have been defined as entities which facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations, without the need for merchants to create a separate payment integration system of their own. Payment aggregators must connect merchants with acquirers, and in the process, collect and pool customer payments, and transfer such payments to the merchants after a given time period.
§ Payment gateways have been defined as entities which provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in the handling of funds involved in the payment transaction.
§ Payment aggregators are required to obtain authorisation from the RBI for undertaking payment aggregation activities (and comply with various other requirements on an ongoing basis, including adoption of specified recommendations relating to information technology and data security standards), and payment gateways have been advised to adopt the aforesaid technology related recommendations as a matter of good practice.
§ It has been clarified that the Guidelines would not be applicable to physical payments made by customers in cash under the ‘cash on delivery’ model adopted by e-commerce sites and merchants.
§ The Guidelines will also be applicable to the domestic leg of any import or export related payments which are facilitated by payment aggregators.
Comment: While payment aggregators have been defined as entities that facilitate e-commerce sites and merchants to accept various payment instruments and would ostensibly exclude such e-commerce sites and merchants themselves, there are no specific exclusions provided under the Guidelines in this regard. Further, payment service providers which facilitate payments for goods and services that are delivered to customers immediately or simultaneously with the making of the payment under the ‘delivery versus payment’ model, are also not expressly exempt from the ambit of the Guidelines (which is the case under the Intermediaries Directions).
In connection with processing of payments relating to import and export transactions, it is unclear whether the existing instructions issued by the RBI to banks on the arrangements entered into by them with online payment gateway service providers (OPGSPs) will continue. The interplay between the OPGSP framework and the regulatory framework prescribed for payment aggregators under the Guidelines will have to be analysed to iron out any conflicts (for example, on timelines for settlement of payments with merchants, and on whether the collection accounts to be maintained by OPGSPs will be governed by the escrow mechanism prescribed under the Guidelines).
Ø Authorisation process with the RBI for payment aggregators
§ Payment aggregators are required to obtain prior authorisation from the RBI. The promoters of the applicant must fulfil the ‘fit and proper’ criteria prescribed by the RBI. Applications for such authorisation must be made to the RBI in the prescribed format. No timeline has been prescribed for processing these applications by the RBI.
§ It has been clarified that licensed banks which provide payment aggregation services as part of their normal banking relationship would not require separate authorisation.
§ Existing players are required to submit applications before 30 June 2021 and can continue operating their existing payment aggregation business until processing of their applications by the RBI.
§ Applicants regulated by financial sector regulators are required to additionally obtain and submit a no-objection certificate from such financial sector regulator for undertaking payment aggregation business.
§ E-commerce marketplaces which also provide payment aggregation services are required to discontinue such services, house the payment aggregation business in a separate entity, and submit applications for obtaining authorisation under the Guidelines by 30 June 2021.
Comment: The requirement for obtaining prior RBI authorisation will directly impact existing market players in the payment aggregation space. Such aggregators will consequently be subject to the direct regulatory supervision of the RBI and will have to undertake ongoing compliances as prescribed under the Guidelines. The requirement for applicants to obtain NOCs from financial sector regulators may also delay the registration process for businesses which offer multiple financial services (such as insurance products, investment advisory, etc.) through a single corporate entity.
Ø Minimum capitalisation norms
§ Existing market players must maintain net worth capitalisation of at least (a) INR 150 million by 31 March 2021; and (b) INR 250 million by 31 March 2023 (and at all times thereafter).
§ New entrants must maintain net worth capitalisation of at least (a) INR 150 million at the time of submitting application to the RBI; and (b) INR 250 million at the expiry of three years from the date of obtaining RBI authorisation (and at all times thereafter).
Comment: An onerous minimum net worth requirement of INR 1 billion was proposed in the Discussion Paper. Based on feedback received from ecosystem participants, the RBI has significantly reduced the capitalisation requirement and has also provided a longer time period of three years for businesses to achieve such net worth. This is yet another example of the RBI being receptive to the concerns raised by the payment industry. While existing market players have been provided a time period up to 31 March 2021 to achieve the initial net worth threshold of INR 150 million, the illustrative table provided by the RBI in the Guidelines refers to a conflicting time period linked to the earlier of: (a) the date of submission of the application to the RBI by such existing players; and (b) 31 March 2021. It is therefore unclear whether existing market players who submit applications to the RBI for obtaining the payment aggregator license before 31 March 2021, will be provided additional time until 31 March 2021 to achieve the aforesaid initial net worth requirement.
Ø Pooling of funds and settlement timelines
§ While payment intermediaries are required to route funds collected from customers through ‘nodal accounts’ (which are to be treated as internal accounts of the banks) under the Intermediaries Directions, payment aggregators must now ensure pooling of funds collected from customers in an ‘escrow account’ maintained with a scheduled commercial bank. The Guidelines specify that such escrow account should be maintained with only one scheduled commercial bank at any point of time. The balance in such escrow account at the end of each day must not be less than the amounts collected by the aggregator from customers, or the amounts payable by the aggregator to the merchants. Payment aggregators are also permitted to earn interest on a specified ‘core portion’ of the funds lying in the escrow account, subject to specified conditions.
§ The Guidelines set out the purposes for which monies can be credited into, and debited from the escrow account (similar to the permissible credits and debits to nodal accounts prescribed under the Intermediaries Directions). The RBI has specifically permitted pre-funding of the escrow account by payment aggregators or merchants, and routing of funds connected with promotional activities, incentives, and cashbacks through the escrow account. In addition to settling funds lying in the escrow account to the various merchants and service providers, the Guidelines also permit settlements into any other account on the specific directions of the merchant.
§ The timelines for settlement of payments from the escrow account have now been linked to the date of intimation or confirmation provided by the merchants to the aggregators on the shipment or delivery respectively, depending on whether or not the payment aggregator is responsible for the delivery of goods or services. Further, if the merchant and the payment aggregator agree on retaining funds in the escrow account until the period upto which customers can initiate refunds of monies paid, the settlement of the funds to the merchant from the escrow account must be made within one day from the expiry of such period.
§ Operation of the escrow account by the payment aggregators has been classified as a ‘designated payment system’ under Section 23A of the PSS Act, thereby affording additional statutory protection to the funds pooled by payment aggregators.
Comment: The escrow mechanism outlined in the Guidelines largely mirrors the escrow structure applicable to issuers of prepaid payment instruments. Existing market players would be required to move from the current nodal account structure applicable to payment intermediaries under the Intermediaries Guidelines to the escrow account structure prescribed under the Guidelines. Such escrow mechanism would offer better protection of customer funds as it would insulate the e-commerce sites and merchants against the risk of insolvency or liquidation of banks or payment aggregators. This will ensure that the arrangements entered into by the payment aggregators with its clients are not adversely affected in situations similar the recent moratorium imposed by the RBI in connection with Yes Bank which impacted many fintech businesses.
The requirement for payment aggregators to maintain the escrow account with a single bank may negatively impact the aggregators if the operations of such bank are restricted due to imposition of a regulatory moratorium or similar actions. The RBI should either permit aggregators to use multiple banks or provide clear provisions to ensure that operations of aggregators do not abruptly come to a standstill owing to actions against one bank.
The regulatory approach followed by the RBI with respect to non-payment related activities of payment aggregators is unclear as on one hand, the RBI requires e-commerce marketplaces to separately house their payment aggregation related activities, but on the other hand, while stipulating the settlement timelines for payment aggregators, the RBI appears to acknowledge the involvement and responsibility of such aggregators in the shipment and delivery of goods and services purchased by the customers on such marketplace platforms.
Ø Ongoing compliances relating to reporting, disclosure and information security standards
§ Payment aggregators would be subject to periodic disclosure and reporting requirements prescribed under the Guidelines, including annual certifications on net worth, monthly reporting of transactions processed through various payment instruments, quarterly reporting of escrow account balance, and details of debits and credits with respect to the escrow account.
§ Payment aggregators must have a board approved policy for merchant onboarding, conduct background checks on merchants and ensure that they do not facilitate payments for sale of fake, counterfeit or prohibited products.
§ The Guidelines prescribe that any data or credentials relating to payment cards utilised by customers for making payments must not be saved on the merchant sites, on the payment aggregators’ database or even on the server accessed by the merchant.
§ Payment aggregators would also be responsible to check for PCI-DSS and PA-DSS compliances of the merchants and must have a board approved policy for information security. The RBI has also prescribed various requirements to be followed by payment aggregators with respect to its information technology systems and related security measures.
§ Payment aggregators must comply with the Prevention of Money Laundering Act, 2002 and the regulations issued by the RBI with respect to know-your-customer, anti-money laundering and combating financing of terrorism.
§ Payment aggregators should have a formal customer grievance redressal and dispute management framework, and appoint a nodal officer to handle regulatory and customer grievance functions.
Comment: The various ongoing compliances prescribed by the RBI under the Guidelines will increase the compliance burden on payment aggregators. The restriction on saving customer card data by the merchants as well as payment aggregators may create friction points for customers as they may not be in a position to pre-fill card details on online platforms, and might have to re-enter the card number and related details for each transaction. The requirement for payment aggregators to ensure PCI-DSS and PA-DSS compliances of the infrastructure of merchants on-boarded by them may add to the technical compliances to be undertaken by them, and it remains to be seen whether this will find widespread acceptance, particularly with respect to smaller merchants. Disclosure of merchant-wise payment transaction details processed by payment aggregators, if requested by the RBI, may ultimately lead to disclosure of GMV figures to the RBI.
The Guidelines are in tune with India’s overall push for digital payments and its vision of a ‘less-cash’ economy. The Guidelines provide additional security and protection to customers of e-commerce sites and merchants by ensuring increased accountability in the operations of payment aggregators. However, the Guidelines are unclear on a few aspects including interplay with payments processed under the ‘delivery versus payment’ model. Further, since the Guidelines do not expressly repeal the Intermediaries Directions, one would assume that intermediaries other than payment aggregators (such as marketplace platforms) would continue to be governed under the Intermediaries Directions and route customer funds collected by them through nodal accounts. Regulatory clarifications on some of these aspects would be required and one hopes that the RBI will give adequate time to the ecosystem participants to structure their business models and make applications post such clarifications. Overall, the Guidelines are a positive step towards bringing transparency and accountability in the digital payments space.
- Sanjay Khan Nagra (Partner), Prashanth Ramdas (Principal Associate), and Neil Deshpande (Associate)
For any queries please contact: email@example.com