Vide the circular dated March 17, 2020, the Reserve Bank of India (the "RBI") had issued 'Guidelines on Regulation of Payment Aggregators and Payment Gateways" ("PA Guidelines"),1 through which, the RBI had decided to (a) regulate in entirety, the activities of non-bank payment aggregators ("PAs"); and (b) provide baseline technology-related recommendations to payment gateways. To this extent, the baseline technology-related recommendations were mandatorily applicable to non-bank PAs. IndusLaw has provided an overview and analysis of the PA Guidelines in an earlier alert published on March 25, 2020. Through a notification dated March 31, 20212 ("Notification"), the RBI has made public certain clarifications on the PA Guidelines, issued by it on September 17, 2020, as set out below. All other provisions of the PA Guidelines remain unchanged.
2. CLARIFICATIONS ON THE PA GUIDELINES
2.1. Definition and applicability
2.1.1. Under the PA Guidelines, all existing non-bank entities offering payment aggregator services were directed to seek an authorization from the RBI under the Payment and Settlement Systems Act, 2007 ("PSSA") on or before June 30, 2021. The RBI has now clarified in the Notification that the PA Guidelines will come into effect for non-bank PAs from the date of their authorisation with the RBI, subject to the submission of application for authorisation before June 30, 2021.
2.1.2. To clear any ambiguity in the definition of 'payment aggregators' as provided under the PA Guidelines,3 the RBI has explicitly clarified that the PA Guidelines are also applicable to e-commerce marketplaces that are undertaking direct payment aggregation, and to this extent, e-commerce marketplaces availing the services of a PA will be considered as merchants.
The RBI has also categorically clarified that the PA Guidelines are not applicable to 'delivery versus payment' ("DvP") transactions, however, they cover transactions where the payment is made in advance while the goods are delivered in a deferred manner. In this regard, as per RBI's extant 'Directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries' dated November 24, 2009 ("Intermediary Directions"),4 an exemption was created where the Intermediary Directions were not applicable to those intermediaries that facilitate delivery of goods and services immediately or simultaneously on the completion of payment by the customer, that is, DvP transactions, such as hotel bookings, travel tickets and movie tickets. To this extent, the RBI's discussion paper on the PA Guidelines dated September 17, 20195 also specified that the proposed regulatory framework will not cover intermediaries who facilitate DvP transactions. However, the PA Guidelines, prior to the Notification, lacked specific clarity in relation to the DvP model, and it was unclear whether such exemption can continue to be derived from the Intermediary Directions.
2.2. Capital and net-worth requirements
2.2.1. Net-worth certificate: The PA Guidelines prescribe strict minimum-net worth criteria, which if not complied with, will require the relevant entity to wind up its payment aggregation business. To this extent, the RBI in the Notification has clarified that for existing non-bank PAs, the requisite certificate from chartered accountants to evidence compliance with the applicable net-worth requirement (as on March 31, 2021) will be required to be submitted to the RBI at the time of application for authorization.6 For newly incorporated non-bank entities which may not have an audited statement of financial accounts, the RBI has reiterated that they can submit the requisite certificate from their chartered accountant regarding the current net-worth along with a provisional balance sheet. The RBI has further clarified that those entities which have not attained the requisite net-worth as of March 31, 2021 (applicable to existing non-bank PAs) shall be required to wind up their payment aggregation business.
2.2.2. Monitoring: The PA Guidelines had placed an obligation on banks maintaining the nodal/ escrow accounts of such entities to monitor and report compliance with the net-worth requirement. However, the RBI in the Notification has clarified that banks maintaining the escrow account(s) need not monitor the net-worth of the PA.
2.3.1. The PA Guidelines require PAs to be professionally managed, where the 'promoters' of the PA entity should satisfy the 'fit and proper' criteria prescribed by the RBI, and the directors of the applicant entity are required to submit a declaration in the requisite format. Pursuant to the Notification, the RBI has clarified that the 'Promoters/ Promoter Groups' shall conform to the RBI's fit and proper criteria, and has further set out in detail, a standard criterion for evaluating the directors of the PA entity against the fit and proper criteria. However, the RBI has not clarified whether the fit and proper criteria is applicable for both promoters and promoter groups or compliance by either of the two is sufficient.
2.4. KYC and merchant onboarding
2.4.1. In line with the PA Guidelines, the RBI has clarified in the Notification that for PAs maintaining an account-based relationship with the merchant, the KYC guidelines of the Department of Regulation of the RBI, that is, the Master Direction - Know Your Customer (KYC) Directions, 2016 ("Master KYC Directions")7, are applicable, and to this extent, paragraph 6 of the PA Guidelines (safeguards against money laundering (KYC/ AML/ CFT) provisions) shall also be applicable.
Further, under the PA Guidelines, PAs are directed to have a board-approved policy for merchant onboarding. Pursuant to the Notification, the RBI has now clarified that for merchant onboarding, the PA can have a board-approved policy, and to this extent, there is no requirement to carry out the entire KYC process in accordance with the Master KYC Directions in cases where the merchant already has a bank account which is being used for the purpose of transaction settlement.
2.5. Online Payment Gateway Service Providers for cross-border transactions
2.5.1. The domestic leg of import and export related payments facilitated by PAs was within the ambit of the PA Guidelines. In the Notification, the RBI has further prescribed that the entities operating as online payment gateway service providers ("OPGSP") and undertaking cross-border transactions should ensure compliance with RBI's directions on 'Processing and settlement of import and export related payments facilitated by Online Payment Gateway Service Providers' dated September 24, 20158 ("OPGSP Guidelines"). The RBI has also clarified that for undertaking any domestic leg of import or export transactions, OPGSP entities that are also functioning as payment gateways or PAs have to ensure that the timelines and other guidelines, including those relating to authorised modes of collection, that is, debit card, credit card and internet banking indicated for the purpose of cross-border transactions under the OPGSP Guidelines, are adhered to.
2.6. Security, fraud prevention and risk management framework
2.6.1. Merchant's compliance with PCI standards: In line with the PA Guidelines (paragraph 7.3), the RBI has reiterated the responsibility of PAs to ensure compliance of merchants onboarded by them to security standards, that is, the Payment Card Industry-Data Security Standard ("PCI-DSS") and Payment Application-Data Security Standard ("PA-DSS"), as applicable.
2.6.2. Standard System Audit: Through the Notification, the RBI has made it optional for PAs to carry out a standard system audit, including cyber security audit, by CERT-In empanelled auditors, which was earlier required to be carried out and submitted to the RBI mandatorily within 2 (two) months from the close of financial year of the PAs.
2.6.3. Prohibition on storage of card-on-file data: Despite stakeholder pushback, the RBI in the Notification has clarified that merchants are not allowed to store payment data and customer card credentials, irrespective of their compliance with the PCI-DSS. The RBI has further clarified that PAs can also not store customer card credentials within their database or the server (irrespective of it being accessed by merchants or not). However, merchants and PAs will be allowed to store limited data in this regard for the purpose of transaction tracking, for which the required limited information may be stored in compliance with data storage requirements as applicable to payment system operators (paragraph 10.4, PA Guidelines).9
However, based on industry representations, the RBI, as a one-time measure, has extended the timeline for compliance by PAs with respect to the above instructions on storage of card-on-file data by six months (that is, till December 31, 2021). This extension has been granted by the RBI to enable payment system providers and participants to put in place workable solutions, such as tokenisation, within the framework set out in the PA Guidelines and the RBI's guidelines on 'Tokenisation - Card transactions'.10
2.7. Settlement and Escrow Account Management
2.7.1. Intermediary Directions: The PA Guidelines lacked clarity regarding the continued operation of the Intermediary Directions with respect to settlement and account management. The RBI through the Notification has clarified that the Intermediary Directions (i) shall be considered repealed for authorised PAs from the date of their authorisation; and (ii) shall be considered repealed with effect from June 30, 2021 except for such PAs who have applied for authorisation and a decision on it is pending with the RBI.
2.7.2. Escrow Account:
- Under the PA Guidelines, the RBI has directed non-bank PAs to maintain the amount collected by them in an escrow account with any scheduled commercial bank, with a discretion to PAs to maintain an additional escrow account with a different commercial bank. To this extent, the RBI has clarified in the Notification that for the purpose of maintenance of escrow account(s), the operations of the PAs are deemed to be 'designated payment systems' under the PSSA, after the PA entity obtains an authorisation from the RBI.
- To alleviate industry concerns relating to the shift from the current nodal account structure under the extant Intermediary Guidelines to the escrow account structure under the PA Guidelines, the RBI has clarified that existing entities can continue to maintain nodal accounts till they have been authorised by RBI. However, in light of future compliance with the PA Guidelines, banks and the PAs may take a call on maintaining the escrow account from an earlier date as well.11
- Pursuant to the Notification, banks shall be required to close nodal accounts after June 30, 2021 unless the PA produces evidence to the bank regarding application for authorisation being made to the RBI.
- Under the PA Guidelines, PAs are permitted to pre-fund the escrow account with own or the merchant's funds (with the merchant's beneficial interest being created on the pre-funded portion in the latter scenario). To this extent, the RBI has clarified in the Notification that pre-funding has been allowed to tide over temporary mis-matches and withdrawal of surplus pre-funding is not allowed.
2.7.3. End-of-the-day Reconciliation: In accordance with the PA Guidelines, at the end of the day, the amount in the escrow account should not be less than the amount already collected from the customer as per 'Tp' (i.e., the date of charge or debit to the customer's account against the purchase of goods or services) or the amount due to the merchant. To this extent, the RBI has clarified in the Notification that the amount due to the merchant will be reckoned only after the settlement and credit to the escrow account, and there is no need to prefund the account for this purpose. However, the proceeds should be credited to the escrow account on the settlement day itself.
2.7.4. Settlement to Merchants:
- With respect to final settlement to the merchants by PAs, in instances where PAs have no control over incoming funds and delay thereof, the RBI has clarified in the Notification that PAs need to follow the instructions and transfer the funds to the merchants within T+0/ T+1 basis, post receipt of funds into their account.
- The RBI has also clarified that there can be a different "t" for different merchants as per the agreement between PAs and merchants. It appears that the timeline provided in paragraph 8.4 of the PA Guidelines is no longer mandatory since under the Notification, flexibility is given to PAs and merchants to agree for a different "t" under their agreements.
- Lastly, the RBI has clarified that the settlement accounts opened under the Bharat Bill Payment System ("BBPS") would be governed by the BBPS instructions.
3. INDUSLAW VIEW
There were several ambiguities surrounding the applicability of the PA Guidelines since they were notified by the RBI on March 17, 2020, and several stakeholders had reached out to the RBI to seek clarifications. The Notification is the first much needed public clarification issued by the RBI to clear some of these ambiguities, including with respect to the timelines for compliance, applicability of the PA Guidelines to marketplace e-commerce entities, exemption with respect to DvP transactions, the discontinuation of the Intermediary Directions, amongst other operational clarifications. However, it still remains unclear whether the extant provisions of the PA Guidelines require e-commerce marketplaces providing PA services to set up a separate entity altogether which houses the PA business, or separate and then operate the two businesses within the same entity, in order to comply with the requirements of separating the payment aggregation business from the marketplace business and seek an authorization for the payment aggregation business, as provided under the PA Guidelines.
There has been a strong industry pushback with respect to the restriction on storage of card-on-file data introduced under the PA Guidelines read with the Notification. Given that cards are still the most preferred option to make online payments, industry stakeholders have pointed out to the second order consequences of this restriction on customers, merchants and the overall digital payments ecosystem in India. Firstly, customers will be inconvenienced from having to manually re-enter all card details for each transaction, making their payment experience less seamless. Secondly, online merchants may see a fall in their conversion success rate on account of increased customer inconvenience and the higher likelihood of transaction failure resulting from input errors. The inability of merchants to store card details may also negatively impact their customer retention in the context of recurring payments for subscription-based services. Lastly, there is potential for systemic failure risks that may result from the volume of API authentications that will be required from issuing banks for processing each transaction, making the digital payments ecosystem vulnerable to any technology outages at the banks' end.
However, the RBI continues to remain skeptical of merchants storing card details of customers on account of cyber security risks, and appears to want to limit the number of participants in the payments ecosystem that have visibility to card-on-file data. While 'tokenisation' is a long-term solution to balance data security concerns vis-à-vis convenience of digital payments, the technology around it is still at a nascent stage in India with limitations at the ecosystem level. To this extent, significant investment and infrastructural development over time by various stakeholders (including card network operators, banks, PAs and merchants) is required for tokenisation to become a viable technology alternative to card-on-file data at full-scale.
3. 'Payment Aggregators' under the PA Guidelines are defined as entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. Payment aggregators will now be recognized as entities which facilitate merchants to connect with acquirers and which, in doing so, receive payments from customers, pool and then transfer them on to the merchants after a time period.
4. https://rbidocs.rbi.org.in/rdocs/notification/PDFs/DOIPS241109.pdf - 'Intermediaries' are defined under the Intermediary Directions as 'all entities that collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers.'
6. In case of an existing entity desirous of applying before March 31, 2021, a similar certificate shall be submitted as on the nearest half-year ending date.
11. Note that this alone shall not make such PAs eligible for a 'designated payment system' status under the PSSA (which shall be after the PA entity obtains an authorisation from the RBI).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.