These intermediaries act like a bridge and facilitate payment collection and settlement between merchants and customers. However, even though a number of payment aggregators and payment gateways have come up, and a significant volume of transactions are carried out using these various payment aggregators and payment gateways, there was an absence of a regulatory framework governing the activities of payment gateways and payment aggregators.
The first indication that the Reserve Bank of India ("RBI") was considering having in place a regulatory framework for payment gateways and payment aggregators came in its monetary policy statement issued on 7 February 2019. Subsequent to this, the RBI issued a discussion paper covering various facets of the activities of payment gateways and payment aggregators as well as the different options towards their regulation. The discussion paper set out three approaches for regulation of payment gateways and payment aggregators, being:
- Option 1 - to continue with the extant instructions with minor changes in respect of the definition of the date and time of charge/debit to the customer’s account used for making payment for the purchase of goods/services and clarify the applicability of the guidelines; or
- Option 2 - limited regulation of the payment gateways and payment aggregators requiring these entities to obtain licence/registration in a phased manner and follow the norms and guidelines in respect of minimum net-worth, merchant on-boarding, timelines for settlement of funds, maintenance of escrow account, IT security, etc., and shall be required to submit certain returns to RBI; or
- Option 3 - full and direct regulation of payment gateways and payment aggregators requiring them to obtain authorisation under the Payment and Settlement Systems Act, 2007 (PSSA) and allowing sufficient time for the existing players to fulfil the required capitalisation norms.
However, the Guidelines have set forth a detailed regulatory framework for payment aggregators only.
Finally, on 17 March 2020, RBI issued guidelines on the regulation of payment aggregators and payment gateways ("Guidelines") under the provisions of section 18 read with section 10(2) of the PSSA. The Guideline came into effect from 1 April 2020 (other than those activities for which specific timelines have been set out in the Guidelines).
However, the Guidelines have set forth a detailed regulatory framework for payment aggregators only. As it regards the entities which are operating as payment gateways and engaged in providing technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in the handling of funds, the Guidelines have provided only indicative baseline technology-related recommendations which may be adopted by such payment gateways as a measure of good practice.
The Guidelines would also apply to the domestic leg of import and export related payments facilitated by PAs.
We have in this article briefly discussed certain key provisions of the Guidelines:
Applicability
The Guidelines would apply to payment aggregators ("PA") which have been defined to mean the entities facilitating e-commerce sites and merchants to accept various payment instruments from the customers without the need for the merchants to create a separate payment integration system of their own.
The Guidelines would also apply to the domestic leg of import and export related payments facilitated by PAs. However, the Guidelines would not apply to cash on delivery ("CoD") model of e-commerce operations.
E-commerce marketplaces providing PA services cannot continue this activity beyond 30 June 2021 but can provide the PA services only through a separate entity with prior authorisation of the RBI.
Authorisations from RBI
Any non-banking entity desirous of offering services of PAs would require authorisation from RBI. Existing non-banking entities already operating as PAs need to apply for authorisation on or before 30 June 2021, and are permitted to continue their business operations till their applications are finally considered.
An applicant entity proposing to operate as PA needs to be a company incorporated in India, and the proposed activity of operating as a PA must be included in the business objects set out in its memorandum of association.
Further, where any applicant entity is regulated by any financial sector regulator, then such entity shall need to obtain a no-objection certificate from the relevant financial regulator.
E-commerce marketplaces providing PA services cannot continue this activity beyond 30 June 2021 but can provide the PA services only through a separate entity with prior authorisation of the RBI.
Capital Requirements
The Guidelines have prescribed a minimum net worth[1] requirement of INR 250 million for PAs.
In relation to new applicants, the Guidelines provide that at the time of filing an application for authorisation, the minimum net worth would need to be INR 150 million. But such new entrants would need to achieve a minimum net worth of INR 250 million by the end of the third financial year of grant of authorisation by the RBI. Once the minimum net worth of INR 250 million has been achieved, this net worth requirement would need to be fulfilled at all times.
However, all existing PAs have been granted permission to achieve this net worth requirement in a staggered manner. They would need to achieve a net worth of INR 150 million on or before 31 March 2021 and a net worth of INR 250 million on or before 31 March 2023.
In the event a PA fails to comply with the net worth requirement within the stipulated time frame, such PA would have to wind-up its payment aggregation business and the banks maintaining nodal/escrow accounts of such entities would need to monitor and report compliance in this regard.
Where an entity carrying on activities as a PA has foreign direct investment ("FDI"), such entity would also need to comply with the provisions of the FDI policy and the relevant foreign exchange regulations in this regard.
The Guidelines also require any takeover or acquisition of control or change in management of a non-bank PA to be intimated to RBI within 15 days with complete details
Governance
The Guidelines require all PAs to be professionally managed, and their promoters to satisfy the fit and proper criteria prescribed by RBI. Upon receipt of an application for authorisation, the RBI would, amongst other factors, need to be satisfied with the fit and proper status of the applicant entity and its management. For this purpose, the RBI may obtain necessary inputs from other regulators or government departments.
The Guidelines also require any takeover or acquisition of control or change in management of a non-bank PA to be intimated to RBI within 15 days with complete details, including a declaration-cum-undertaking by each of the new directors, if any, in prescribed format. Upon receipt of such intimation, RBI would examine the fit and proper status of the management and, if required, may impose suitable restrictions on such changes.
Reporting requirements
In order to monitor compliance with Guidelines, RBI has prescribed certain periodical and event-based reporting requirements for the PAs.
For instance, while a net worth certificate along with the audited annual report is required to be submitted on an annual basis on or before 30 September every year, PAs would need to submit an auditor certificate regarding maintenance of balance in an escrow account as well as a certificate from the banker on escrow account debits and credits (internally audited) on a quarterly basis within 15 days from the end of the relevant quarter.
Event-based reporting obligations include submission of a declaration-cum-undertaking (in the form set out in the Guidelines) in case of any changes in the board of directors.
Further, a PA would need to submit a list of merchants to the relevant bank (being the bank with which the relevant PA maintains the escrow account) and update this list from time to time.
Escrow accounts
The Guidelines require every non-banking PA to open an escrow account with any scheduled commercial bank wherein the amounts collected by PAs would have to be deposited.
The escrow account cannot be operated for CoD transactions. The banks are not required to pay any interest on any balance in the escrow account. However, the PAs can enter into an agreement with the relevant bank to transfer the "core portion" (which shall be calculated as per the formula set out in the Guidelines) from the escrow amount to a separate account on which interest will be payable by the bank, subject to certain conditions as set out in the Guidelines.
Further, a PA would need to submit a list of merchants to the relevant bank (being the bank with which the relevant PA maintains the escrow account) and update this list from time to time. The relevant bank is required to ensure that the escrow account is used for making payments only to eligible merchants and for eligible purposes. The agreement between the PA and the bank maintaining escrow account must have an exclusive clause regarding its usage for this eligible purpose only.
KYC provisions
PAs are required to comply with know your customer (KYC) / anti-money laundering / combating financing of terrorism guidelines issued by the RBI. Further, provisions of the Prevention of Money Laundering Act, 2002 and rules framed thereunder would also apply to PAs.
The PAs are required to have a formal customer grievance redressal and dispute management framework, and also appoint a nodal officer who shall be responsible for handling customer grievances.
Security and risk management
In order to safeguard customers from any security related risks, the Guidelines require PAs to have in place adequate information and data security infrastructure and systems for the prevention and detection of fraud. Further, the Guidelines direct PAs not to store customer’s card credentials either within their database or the server accessed by the merchant.
Redressal of Customers’ grievances
The PAs are required to have a formal customer grievance redressal and dispute management framework, and also appoint a nodal officer who shall be responsible for handling customer grievances.
Although the model regulatory framework set out in the discussion paper was proposed for both the PAs and the payment gateways, the final framework set forth in the Guidelines is applicable to PAs only.
Our thoughts
With the increased focus of the Government of India on its 'Digital India' campaign, there has been an exponential surge in online transactions. While online transactions are convenient and time-saving, the customers sometimes have to face associated risks as well. Therefore, the approach of the RBI to regulate the activities of PAs appears to be a step in the right direction which ultimately aims to safeguard the interests of customers from any possible security related risks. However, the existing entities which are engaged in offering payment aggregation services might find it difficult to increase their net worth and apply for authorisation of RBI on or before 30 June 2021, especially on account of COVID-19.
Further, while the FDI policy indicates that an e-commerce marketplace may provide support services including payment collection (and that such entities may facilitate payments for sale in conformity with the guidelines of RBI, though there were no guidelines in place to regulate such activities), the Guidelines now finally attempt to regulate the payment aggregation activities of such e-commerce market place and have stipulated a deadline of 30 June 2021 by when e-commerce entities would need to separate their payment aggregation business and apply for authorisation of RBI. Further, the separate entity would have to comply with the net worth requirement which was hitherto not applicable to such e-commerce market places.
Although the model regulatory framework set out in the discussion paper was proposed for both the PAs and the payment gateways, the final framework set forth in the Guidelines is applicable to PAs only.
For any clarification or further information, please contact
Gaurav Wahie
Partner
E: gaurav.wahie@clasislaw.com
Dinesh Gupta
Senior Associate
E: dinesh.gupta@clasislaw.com
Disclaimer: This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to herein. This publication has been prepared for information purposes only and should not be construed as a legal advice. Although reasonable care has been taken to ensure that the information in this publication is true and accurate, such information is provided ‘as is’, without any warranty, express or implied, as to the accuracy or completeness of any such information.
[1] Net-worth consists of paid-up equity capital, compulsorily convertible preference shares, free reserves, share premium account and capital reserves representing surplus arising out of sale proceeds of assets (but does not include reserves created by revaluation of assets) adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any.
