Background
The 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' issued by the Reserve Bank of India ("RBI") on March 17, 2020 ("2020 PA-PG Guidelines"),1 is part of the extant legislative framework largely governing the fintech space. The 2020 PA-PG Guidelines primarily addressed the operational aspects of online payment aggregators including requirements related to registration, compliance and security measures. Offline payment systems, including paper-based transactions and electronic offline transactions, were less explicitly regulated. The focus was more on online and digital transactions, with offline payments largely falling under the broader category of traditional banking regulations.
With the aim to enhance the transparency, security, and reliability of payment services in India, the RBI on April 16, 2024 released draft directions ("Draft Directions") broadening the ambit of its payment aggregator ("PA") regulations to include physical point-of-sale ("P-POS") payment providers.2 By virtue of the Draft Directions, P-POS will now be required to apply for authorization from the RBI and must adhere to a series of detailed guidelines relating to merchant onboarding, customer grievance redressal, and other key operational standards as outlined under the 2020 PA-PG Guidelines.
The 2020 PA-PG Guidelines is currently the existing framework governing this fintech space till the Draft Directions come into play. The Draft Directions mandate some salient requirements to be followed by the previously unregulated P-POS providers, such as, non-banking entities providing P-POS services have been tasked with informing the RBI about their intentions to seek PA authorization within 60 calendar days from April 16, 2024, regarding their existing P-POS activities. Further, these P-POS providers have been given a deadline of May 31, 2025, to apply for a PA license. Additionally, such non-banking P-POS providers must seek approval from the Department of Payment and Settlement Systems (DPSS), RBI and the Central Office (CO) in the same manner.
Additionally, the Draft Directions provide for certain minimum net worth criteria for existing non-banking P-POS providers, whereby, such providers are required to have a net worth of at least ₹15 crore when submitting their application for authorization. Furthermore, existing P-POS providers are required to achieve a net worth of at least ₹25 crore by March 31, 2028. As regards merchant onboarding, non-banking P-POS providers must now conduct thorough due diligence to verify the legitimacy and financial stability of the merchants along with ensuring that only credible and reliable merchants are allowed to use P-POS services, thereby safeguarding the payment ecosystem. Apart from the aforementioned obligations, the Draft Directions also mandate non-banking entities providing P-POS services to ensure compliance with baseline technology recommendations, data security standards, fraud prevention and risk management framework as envisaged under the 2020 PA-PG Guidelines by July 16, 2024.
In furtherance to the Draft Directions, the RBI vide press release dated April 16, 2024 provided for 'clarifications in respect of PAs – Online and P-POS' ("Draft Clarifications")3 updating inter alia, the Know your Customer ("KYC") and due diligence requirements of merchants, operations in escrow accounts and similar compliance requirements under the extant 2020 PA-PG Guidelines. The Draft Clarifications shall be applicable with effect from one month from its date of issue (unless otherwise specified) to all PAs, irrespective of status of the application submitted to the RBI for seeking authorisation.
These Draft Clarifications inter alia, provide for a unified approach to escrow account management, streamlining collection and settlement for both online ("PA-O") and P-POS transactions. Previously, only PA-O activities were regulated, leaving offline merchants unaddressed. With the proposed regulations, all settlements can now be facilitated through a single escrow account, promoting consistency and adherence to regulatory standards. Importantly, by virtue of the Draft Clarifications, funds relating to Delivery versus Payment ("DvP") transactions, previously not covered under the scope of the existing RBI circulars shall now be required to be routed through the escrow account(s) opened by the PA. Cash-on-delivery transactions also fall outside the scope of the RBI circulars on PA, hence, the same will not be routed through escrow accounts. Further, the Draft Clarifications envisage the provision permitting debit to escrow accounts for "payment to any other account on specific directions from the merchant," under the 2020 PA-PG Guidelines, to be deleted with immediate effect.
It is interesting to note that, the Draft Clarifications now obligate PAs to settle funds only in a merchant's escrow account and not in any other account even on specific instructions from the merchant which is in glaring dissimilarity to the extant 2020 PA-PG Guidelines which allowed PAs to settle funds in other accounts based on specific directions from the merchant.
The Draft Clarifications also mandate due diligence of merchants PA's onboard, in accordance with the Customer Due Diligence ("CDD") requirements outlined in the Master Directions on KYC ("MD-KYC"), 2016,4 as amended on January 4, 2024. PAs are also required to comply with the wire transfer guidelines as per MD-KYC 2016, as amended. In this regard, the Draft Clarifications mandate detailed requirements to be undertaken for KYC verification by merchants by categorising merchants into small and medium merchants and specifying varied degree of due diligence requirements to be undertaken vis-à-vis this distinction. For small merchants with an annual turnover below Rs 5 lakh and not registered under the Goods and Services Tax ("GST"), PAs must conduct Contact Point Verification ("CPV") of the business establishment and verify the bank account where funds are settled. For medium merchants with a turnover below Rs 40 lakh per annum and not GST registered, PAs must perform CPV and verify one Officially Valid Document ("OVD") such as passport, proof of possession of the Aadhaar number; etc. as defined under the MD-KYC, of the proprietor or beneficial owner and one OVD of the business. Further, the Draft Clarifications state that assisted Video-based Customer Identification Process ("V-CIP") shall be allowed with the help of an agent at the merchant end with PAs mandatorily maintaining records of the agent assisting the merchant.
As part of ongoing due diligence, the Draft Clarifications mandate PAs to monitor merchant transactions continuously and migrate merchants to higher CDD categories based on transaction patterns prescribing additional due diligence to be performed immediately upon such migration. Importantly, these Draft Clarifications also mandate non-bank PAs to register with the Financial Intelligence Unit-India (FIU-IND). Further, risk-based payment limits are also envisaged to be established for onboarded merchants. Apart from this, along with providing designated timelines for completion of due-diligence process for existing merchants, the Draft Clarifications provide for the requirement of non-storage of Card-on-file ("CoF") data starting August 1, 2025, prescribing that for face-to-face / proximity payment transactions done using cards, entities in the card transaction/payment chain other than card issuers and networks will not be allowed to store CoF data (except the last four digits of the card number and the card issuer's name for transaction tracking or reconciliation purposes), with additional obligation of previously stored data to also be purged by such entities.
Concerns
Inclusion of offline and online PA's within the regulatory ambit of the definition of a PA under the RBI framework does promote a level playing field, ensuring protection of all consumers engaging with PA-O or P-POS. However, the requirements under the Draft Directions and subsequent Draft Clarifications might be concerning for not just the PAs but also for the merchants who depend on these PAs for facilitation of digital payments. Currently, industry-wide concerns are being raised around aspects such as significant addition to costs, ambiguities in interpretation of due diligence requirements, risks of duplication or even triplication of information that the regulator already has, and probability of barriers of entry for smaller merchants wanting to accept online payments. Some of the prominent concerns have been discussed below:
DvP exemption: As defined by the RBI, DvP transactions are understood to be transactions where payment for goods/services is immediately or simultaneously made at the time of their delivery. The 2020 PA-PG Guidelines stands as the extant regime governing DvP transactions. Clarifications to the 2020 PA-PG Guidelines issued on March 31, 2021, explicitly clarified DvP transactions to come outside the scope of the PA PG Guidelines while stating that the PA PG Guidelines would solely address transactions where the payment is made in advance while the goods are delivered in a deferred manner. Subsequently, the Draft Directions and Draft Clarifications issued in pursuance of the PA PG Guidelines, while majorly aimed towards regulating the operations of offline/P-POS PA's to come within the ambit of RBI's governance, also explicitly provide that DvP transactions conducted in offline/P-POS mode would now come under the regulatory ambit of the PA PG Guidelines.
Previously, DvP transactions in toto were excluded from the regulatory ambit of the 2020 PA PG Guidelines. However, what remains unclear is the RBI's intent on governing online DvP transactions conducted by PA which includes online booking of movie tickets, hotel bookings, flight tickets, etc. From a bare reading of the Draft Clarifications, it is clear that the substantive provision in the law aims to include both offline and online DvP transactions within the ambit of the 2020 PA PG Guidelines with respect to maintenance of escrow accounts, however, the definitions of online PAs and offline/physical P-POS PA's as underlined under the Draft Clarifications, in essence, provides a separate distinction between online and offline DvP transactions. The Draft Directions and Draft Clarifications remain particularly silent on DvP transactions conducted by PA's in an online mode. It remains to be seen how the RBI deals with this ambiguity in the draft law, which would significantly impact many fintech players operating in this space i.e. facilitating online DvP transactions.
Impact on merchants: The Draft Clarifications envisage increased KYC verification/anti-money laundering (AML) requirements to be followed by PA's based on strict categorisation of such merchants on the turnover they generate. These requirements are not only extremely rigid but might also prove to be quite burdensome during implementation. Small merchants, especially those that are not that capital intensive, are likely to get the most affected by virtue of this classification, since executing the increased compliance measures regarding KYC, especially CPV, would significantly add up to the costs of the PA's who would, in turn pass down this added expenditure to the merchants and consequently deter them from competing in the digital payments industry.
We also note that the Draft Directions additionally mandates certain minimum net-worth requirements for PA's to fulfil as part of their eligibility criteria for getting RBI authorisation. This would likewise put a strain on smaller PAs by creating rigorous entry requirements to meet, in order to enter this digital payments landscape and consequently run the risk of disrupting necessary competition.
KYC obligations: It should be noted that the KYC requirements under the Draft Clarifications are applicable to both PA's existing merchants along with new merchants being onboarded. These stringent KYC requirements would in essence entail merchants having to undergo a full-fledged KYC process for opening an account with the bank along with repeating this same KYC process all over again with the PA for accepting monies into the same bank account. While it is clear that the fundamental purpose behind this move is for the RBI to keep stringent checks towards curbing money laundering, this would undoubtedly lead to significantly higher costs on both the merchant's and the PA's end.
Further, there is also the risk of duplication or triplication of pre-existing information in the sense that with the existence of previous ongoing modes of identity verification like Aadhar, physical verification along with the Government's registries on such information, conducting of additional KYC verification via these Draft Clarifications would likely envisage a duplication or triplication of data being already stored with such authorities.
Additionally, it should be noted that the KYC requirements under the Draft Clarifications lack clarity on the terms "due diligence" and "CPV" which have not been adequately defined. This ambiguity might construe different interpretations of these terms which pose a risk to uniformity in understanding of the due diligence obligations for applicable stakeholders.
There have been discussions revolving around alternatives to such double compliance obligations regarding KYC formalities to be conducted such as examining the existing risk assessment and mitigation measures already put in place by PA's so as to ensure that solely merchants identified as high-risk by the regulator would be subjected to additional oversight and increased KYC compliance obligations.
Escrow account management: The Draft Clarifications mandate that PA's can only settle a merchant's funds in an escrow account and not to any other account of any third party. While we understand that the RBI is keen on controlling money laundering increasingly happening through third parties, this requirement will certainly cast increased friction and cost for marketplaces which function as legitimate businesses that endeavour to take part of the monies their sellers are making as a commission and settle the rest with the sellers directly. Further, this obligation might also adversely affect businesses that have independent contracts with their lenders that state that certain amount of the monies the businesses earn shall be routed towards repayment of loan to such lenders account. Introducing of this obligation under the Draft Clarifications has not taken into account such lawful merchant arrangements.
Impact
Notably, the previous regulatory framework lacked a clear definition for offline payment aggregators whereby offline transactions were broadly covered under traditional banking regulations but lacked specificity in terms of aggregation services, leading to potential regulatory gaps for offline and online PAs. The Draft Directions and Draft Clarifications indeed provide much needed clarity essential for ensuring that entities falling under this category are appropriately regulated and monitored along with appropriately demarcating the scope of regulation. This ensures that offline PAs are not inadvertently regulated under frameworks meant for online transactions. This distinction is hence crucial for tailoring regulatory measures to the specific needs and risks associated with offline transactions.
For P-POS providers, the Draft Directions present both challenges and opportunities. While the operational and compliance requirements may necessitate significant investments in systems, processes, and personnel, they also offer an opportunity to build stronger, secure and more customer-centric operations. Further, P-POS providers which successfully meet the regulatory standards are likely to gain a competitive advantage in the market, as they can assure merchants and customers of their credibility and reliability. Moreover, the emphasis on financial stability through stringent net worth requirements, although poses a hindrance to healthy competition, also does ensure that only well-capitalized entities operate in the P-POS space. This reduces the risk of financial instability and potential failures, which could disrupt the payment ecosystem and harm consumer trust, importance of which cannot be discounted for.
The Draft Directions ensure that all existing non-banking P-POS providers are brought under the regulatory umbrella within a specified timeframe, thereby enhancing the overall integrity and reliability of the payment ecosystem. Compliances like purging of existing CoF data will significantly reduce security and privacy risks arising from storage of card data and possibility of data leaks. It remains to be seen how these updated directions unfold amongst the fintech industry and its concerned stakeholders.
Conclusion
Undoubtedly, the Draft Directions and Draft Clarifications represent a significant advancement in the regulatory framework for offline payment aggregators. By addressing the gaps in the previous framework and introducing specific guidelines for offline transactions, the draft law aims to provide a more comprehensive and effective regulatory structure. The clear definition of offline payment aggregators, stringent security standards, and detailed operational requirements all contribute to a more robust and secure regulatory environment. These measures are expected to improve regulatory oversight, safeguard consumers, and enhance the overall security and efficiency of offline payment systems.
The RBI will need to ensure that the new regulations are practical, enforceable, and aligned with the evolving landscape of payment technologies. Ongoing dialogue with stakeholders and a careful monitoring of the impact of these regulations will be crucial for achieving the desired outcomes. While it is apparent that the Draft Directions indeed reflect RBI's commitment to consistently draft and update regulatory measures in tandem with technological advancements, it remains equally important to balance the same with practical considerations.
Footnotes
1 'Guidelines on Regulation of Payment Aggregators and Payment Gateways', [Reserve Bank of India - Notifications (rbi.org.in)] , Reserve Bank of India, March 17, 2020.
2 'Regulation of Payment Aggregators – physical Point of Sale – DRAFT', [Reserve Bank of India - Database (rbi.org.in)], Reserve Bank of India, April 16, 2024.
3 'Regulation of Payment Aggregators (PAs) – DRAFT', 'Clarifications in respect of PAs – Online and Physical Point of Sale', [Reserve Bank of India - Database (rbi.org.in)] , Reserve Bank of India, April 16, 2024.
4 'Master Direction - Know Your Customer (KYC) Direction, 2016', [Reserve Bank of India - Master Directions (rbi.org.in)], Reserve Bank of India, February 25, 2016 (updated as on January 4, 2024).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.