The Reserve Bank of India ("RBI") has released a discussion paper on 'Guidelines for Payment Gateways and Payment Aggregators' for public comment ("Discussion Paper"). The Discussion Paper envisages payment gateways such as Paytm, Mobikwik, Bharat Bill Pay, PayUmoney etc. having to adhere to RBI guidelines1. The Discussion Paper highlights the RBI's concern for safeguarding the online experience of consumers while making payments and the role of intermediaries in conducting such transactions.Through the Discussion Paper, the RBI suggests three options / approaches regarding regulation, a brief summary of which is given herein below2:
Option 1: Continuation of Extant Instructions with Minor Modifications
In November 2009, the RBI had issued extant regulations which required banks to maintain a nodal or "internal account" for intermediaries. The notification also specified the permissible credits / debits in such accounts and the settlement cycle for credit to the merchants. As a first option, the RBI seeks to maintain this along with minor changes with respect to the definition of the date and time of charge / debit to the customer's account used for making payment for purchase of goods / services.
Option 2: Limited Regulation
Under the second approach, the RBI suggests that payment gateways and payment aggregators shall follow RBI guidelines and norms in respect of minimum net-worth, merchant on-boarding, timelines for settlement of funds, maintenance of escrow account, IT security, etc., and that they shall be required to submit returns to the RBI. Further, such entities are to be licensed / registered in a phased manner over a period of time with only off-site monitoring.
Option 3: Full and Direct Regulation
The third approach regarding full and direct regulation has been extensively discussed in the paper. It is suggested that payment gateways and payment aggregators shall be authorized under the Payment and Settlement Systems Act, 2007 ("PSSA").The requirements under direct regulation are given herein below:
- The regulations would be applicable to all payment gateways and payment aggregators and any non-bank payment gateways and payment aggregators will require authorization from the RBI under PSSA.
- Existing payment gateways and payment aggregators will be given one financial year (from the date of issue of guidelines) to comply with entry point norms and technology, security, storage etc. norms issued in this regard.
- Since banks are already regulated entities of the RBI, they would not require any separate authorization, however, they would be required to comply with other requirements such as timelines, customer grievance redressal mechanism, etc.Banks acting as payment aggregators would have to obtain authorization from PSSA along with a 'No Objection Certificate' from the respective regulatory department of the RBI.
- Entities undertaking payment gateways and payment aggregators activity shall be a company incorporated under the Companies Act, 2013 in India dealing with merchants having physical presence in India only.
- E-commerce marketplaces acting as payment gateways and payment aggregators to other merchants shall be required to stop such activity within 3 months so as to avoid dual regulation. Thus, separation of the primary business activities of such e-commerce marketplaces is recommended if they wish to continue to act as payment gateways and payment aggregators.
- Capital Requirements
- Existing payment gateways and payment aggregators shall be required to comply with capitalization norms (they shall have minimum net worth as prescribed for Bharat Bill Payment Operating Unit (BBPOUs) to be maintained at all times (currently ₹ 100 crore))within one year from the date of issuance of guidelines.
- In case of default in meeting such requirement within the stipulated time frame, the entity shall wind up payment aggregation business within one year from issuance of guidelines. In any such event, the banks presently maintaining nodal accounts of such entities shall have to report compliance in this regard.
- The entity shall be professionally managed with agreements in place to clearly delineate the roles and responsibilities of the involved parties in handling and sorting various consumer complaints / failed transactions / customer grievance redressal etc.
- Safeguards against Money Laundering (KYC / AML / CFT) Provisions
The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Banking Regulation (DBR), RBI, in their "Master Direction – Know Your Customer (KYC) Directions" updated from time to time, shall apply mutatis mutandis to all such entities.
- Merchant On-boarding
The entity shall ensure compliance with KYC/AML requirements while on boarding merchants and undertake due diligence, background and antecedent checks of the merchants website and the merchant to ensure there is no mala fide intention to dupe customers.
- Customer Grievance Redressal & Dispute Management Framework
The entity shall put in place a formal, publicly disclosed customer grievance redressal framework and dispute management framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, made available on website / mobile, shall be clearly and easily accessible.
- Security, Fraud Prevention and Risk Management Framework
The entity shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.The entity shall also put in place a board approved Information Security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with such policy to mitigate identified risks. For this purpose, the Discussion Paper sets out a list of indicative IT security recommendations for adoption by the entities. Further, the entity shall establish a mechanism for monitoring and handling of cyber security incidents and breaches and any such incident shall be reported to DPSS (Department of Payment and Settlement Systems), RBI, Central Office, Mumbai and CERT-In (Indian Computer Emergency Response Team).System Audit Report's shall be submitted by the entities within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.
The Discussion Paper sets out a list of the reports to be submitted by Authorised Payment Aggregators on an annual, quarterly, monthly and non-periodic basis along with respective dates.
Under general instructions, the RBI stipulates that limits on transaction amounts, if any, for a particular payment mode shall lie with the issuing bank or entity only. The issuing bank shall be responsible for placing limits based on the customer's credit worthiness, profile etc. Further, payment gateways and payment aggregators shall not invoke ATM PIN as a factor for of authentication for card-not-present transactions involving debit card transactions.3
Entities not covered by the framework:
- Intermediaries who facilitate delivery of goods / services immediately / simultaneously (e.g. travel tickets / movie tickets, etc.) on the completion of payment by the customer i.e., where the delivery is linked to completion of corresponding payment.
- Cash on Delivery (CoD) e-commerce model and processing and settlement of import and export related payments facilitated by OPGSPs (Online Payment Gateway Service Providers) who are guided by instructions issued by FED, RBI.
- E-commerce marketplaces collecting payments for various merchants for transactions in respect of goods and services sold on their platform.
- Other bilateral arrangements of merchants with the aggregators to consolidate and make payments to vendors, agents, etc.4
It appears that there have been no new guidelines issued in the last decade concerning payment systems in India since the notification of November 2009. Thus, in order to keep pace with the rapidly and continuously evolving payment systems and market in India, it is crucial to have clear guidelines and secure mechanisms in place to increase transparency and efficiency in the industry. As mentioned in the paper by the RBI, "The facilitating role of innovation, fintech, expanding e-commerce activities, etc., has contributed to the impressive growth. In this fast-changing scenario, it is opportune to review if the extant guidelines / regulatory prescriptions are adequate. It is also time to see if a regime of direct regulation is warranted."5 Overall, regulation by RBI seems to be a positive step towards enforcing a robust regulatory framework and it will be worthwhile to examine the comments of the stakeholders and the public at large.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.