RBI Master Direction On Digital Payment Aggregators: Understanding Compliance Requirements And Industry Implications

Executive Summary

On September 15, 2025, the Reserve Bank of India ("RBI") issued a single, consolidated Master Direction ("MD") to regulate Payment Aggregators ("PAs") operating in India, bringing together rules for online, physical/point of sale and cross-border aggregation in a coherent framework. The MD applies to all banking, non-banking (Indian), and scheduled commercial banking entities that interact with the three categories of PAs: physical, online and cross-border. Payment Gateways ("PGs") that only provide routing tech and do not touch funds are explicitly out of scope, although PGs are encouraged to adopt the MD's baseline tech recommendations.

The new MD seeks to reduce systemic, consumer-protection and FX-related risk by introducing modern cyber-resilience, data sovereignty, audit requirements, tightening merchant Know Your Customer ("KYC") and ongoing transaction thresholds, on top of the pre-existing PA architecture. It is also set to strengthen governance by raising capital and governance thresholds, along with the implementation of strict escrow accounts and segregation rules. Further, the MD consolidates and supersedes RBI guidelines¹ while preserving past authorisations under the new regime, thus harmonising rules across domestic, physical and cross-border flows, while keeping the existing authorisations and approvals issued under older circulars valid. The MD now sits alongside other foundational RBI instruments such as the 2016 KYC Master Direction,² the 2018 payment-data localisation circular³ and the 2024 cyber-resilience directions.⁴

The Pulse of Progress: Payment Aggregators and the Acceleration of India's Digital Economy

Payment Aggregators are at the centre of India's digital payments ecosystem as they collect payments on behalf of merchants, route transactions and settle funds. They are a third-party service that grants merchants the capability to accept payments from the most common methods used by customers, including debit/credit cards, UPI, and net banking, all in one place. PAs act as a manager who facilitates the entire payment process from payment by customers to settlement into the merchant's bank account, simplifying the customer experience and removing complex integrations for businesses. PAs have simplified the online transactions for both consumers and businesses, having served a quarter of the world's population by processing more than USD 6 Trillion in digital payments globally in just the past year, with 75 per cent of small to medium businesses using PAs to manage online transactions. In India, over 2.2 Billion financial accounts are now enabled for secure, consent-based data sharing through the Account Aggregators ("AA"), an RBI-regulated digital intermediary for sharing your financial information.⁵

Key Highlights of the Directives

Authorisation and Capital Requirements

Banks can run the PA business without separate RBI authorisation, but non-bank PAs need authorisation via RBI's online portal Pravaah. The net-worth for the application has been set to INR 15 Crore, which needs to increase to INR 25 Crore by the end of the third financial year, thus restricting entry for small startups acting purely as aggregators, pushing consolidation and fundraising if an entity seeks to operate at scale across categories.⁶ The MD also issues a deadline for physical PA operators to apply by December 31, 2025 or wind up their PA business by February 28, 2026.

Governance and Fit Proper

Board and senior management must satisfy RBI's fit-and-proper test of financial probity, no criminal convictions for economic offences, not insolvent, not barred by regulators, and overall good character. RBI may consult other regulators when assessing suitability. Changes of control or management require adherence to RBI's Payment System Operator (PSO) takeover rules. This would require entities to ensure board packs, supporting declarations, director due diligence files and background checks must be prepared for applications and for any post-listing change in control.

Merchant Onboarding and KYC

The requirements have been heightened as PA merchant onboarding must comply with RBI's Master Direction on KYC⁷ and subsequent updates. PAs should first retrieve CKYCR records (Central KYC Records Registry) with merchant consent and follow the MD on KYC processes when CKYCR records are incomplete, which would increase the compliance workload and data quality requirements for merchant records. Merchants with a domestic annual turnover of up to INR 40 Lakh or export turnover up to INR 5 Lakh can be onboarded using (i) PAN/Form 60 verification, (ii) Contact Point Verification ("CPV"), and (iii) certified OVD of the proprietor/POA holder; but PA must still carry out background checks and ongoing monitoring. Non-bank PAs must use designated agents to perform digital KYC, but they retain the responsibility to vet the agents. Further, the merchants onboarded before December 31, 2025 must be brought into compliance within a year of this MD.

Transaction monitoring, Dispute Resolution and Consumer Protection

PAs must operate a documented dispute resolution mechanism, publish merchant grievance timelines, operate marketplace functions and appoint an officer for merchant issues. The merchants must display the surcharge before the transaction and route refunds to the original payment method.

Escrow and Cross Border

The escrow documentation and bank agreements must include express clauses restricting use of escrow balances to permitted debit/credit flows only. Permitted credits include payer receipts, inter-PA settlements, refunds and pre-funding from PA/merchant funds, while permitted debits include settlements to merchants, refunds and commissions. PAs are prohibited from mixing inward and outward cross-border funds, requiring them to create different escrow accounts for inward and outward collection accounts, with a cap of INR. 25 Lakh on transactions. The core portion in the domestic escrow may earn interest, subject to conditions and no loans against the core portion, and banks must not create liens. Entities are required to confirm balances and compliance through quarterly and annual auditor certificates. Cross-border PAs must build regulatory reporting for FX/AD bank coordination into their settlement flows, merchant onboarding, and documents needed for exporters/importers to reconcile entries with AD banks.

Cyber Resilience and Data Sovereignty

The MD echoes and extends prior technology requirements and cyber directions, including map data flows end-to-end; validate vendor contracts contain right-to-audit and local hosting clauses; ensure runbooks for incident reporting and board-level cyber crisis management are in place. PAs are required to have a board-approved information security policy, quarterly internal/annual external security audits, bi-annual Vulnerability Assessment and Penetration Testing ("VAPT"), and an inventory of applications handling sensitive data. Also, payment system data must be stored in India to allow supervisory access.⁸ PAs must implement data-sovereignty controls and include audit rights in outsourcing contracts. Security incidents and cardholder data breaches must be reported to RBI within stipulated timeframes, with monthly cyber incident reports and root-cause analyses.

Key Takeaway: The New Regulatory Landscape for Payment Aggregators in India

• Unified Regulatory Framework: The RBI's MD consolidates all prior regulations for PAs, covering online, physical, and cross-border activity under a single compliance-heavy framework designed to manage risk and harmonise standards.
• Raised Entry Barriers: Entry barriers for PAs have been significantly raised: Non-bank PAs must meet tougher capital requirements of INR. 15 Crore at application, rising to INR 25 Crore by year three; governance standards are tighter, with fit-and-proper mandates for senior management and detailed change of control procedures.
• Enhanced Merchant Onboarding and KYC: Merchant onboarding protocols now demand robust KYC compliance, leveraging CKYCR records and ongoing monitoring. Enhanced due diligence applies, especially for legacy and high-turnover or cross-border merchants.
• Escrow and Fund Segregation Rules: PAs must implement strict escrow and fund segregation rules, with quarterly and annual auditor certifications. Interest on core escrow balances is regulated, and co-mingling between domestic and cross-border funds is strictly prohibited.
• Technology and Cybersecurity Compliance: Technology requirements include PCI-DSS and PCI-SSF compliance, CERT-In system audits, and full payment data storage within India. Monthly incident reporting and cyber-resilience plans are mandated, with board-level oversight.
• Cross-Border Transaction Controls: Cross-border PA activity must integrate with FEMA requirements, limiting transaction sizes and requiring documentation to support exporter settlements and reporting.
• Risks of Non-Compliance: Non-compliance risks include authorisation breaches, net-worth shortfalls, escrow misuse, weak due diligence, and missed reporting deadlines. The MD repeals earlier regulations but preserves existing authorisations, a critical point for legacy operators.

Conclusion

The RBI's 2025 Master Direction fundamentally transforms the Payment Aggregator landscape, making participation capital and compliance-intensive while reinforcing systemic safeguards, auditability, and governance. Entities must rigorously assess their operational models, consider bank partnerships, or seek scale to survive in the new regime. To maintain regulatory approvals and business viability, legal, finance, technology, and board functions require coordinated adaptation, including process-heavy lifting for onboarding, escrow, reporting, and cyber measures.

Footnotes

1. RBI Guidelines on Regulation of PAs & PGs, dated 17.11.2020, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11822&Mode=0

2. RBI Master Direction on KYC 2016, last updated on 14.08.2025, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

3. RBI Circular on Storage of Payment System Data, dated 06.04.2018, https://www.rbi.org.in/scripts/notificationUser.aspx?Id=11244

4. RBI MD on Cyber Resilience and Digital Payment, dated 30.07.2024, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12715&Mode=0

5. PIB, Celebrating four years of launch of the Account Aggregator Ecosystem - India's Digital Public Infrastructure (DPI), Ministry of Finance dated 02.09.2025, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2162953

6. RBI MD on PA, dated 15.09.2025, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12896

7. RBI MD on KYC, dated 25.02.2016, updated on 14.08.2025, https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607

8. RBI circular on Payment System Data, dated 06.04.2018, https://www.rbi.org.in/scripts/notificationUser.aspx?Id=11244

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.