The Reserve Bank of India (RBI) on 17th March 2020, introduced new guidelines on the regulation of and Gateways. This determines that from now on payment gateways such as Paytm, Mobikwik, PayPal, and aggregators like PayU, Razorpay, etc. will be regulated by Reserve Bank of India (RBI) to make certain the safety of all our online transactions.
In a notification, Reserve Bank of India (RBI) said, “Based on the feedback received and taking into account the important functions of the intermediaries in the online payments space as also keeping in view their roles vis-à-vis handling funds, it has been decided to (a) regulate in entirety the activities of Payment Aggregators and (b) provide baseline technology-related recommendations to Payment Gateways.”
These guidelines are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 and shall come into effect from April 1, 2020. The guidelines primarily focus on the Definition, Applicability, Authorization, Capital Requirements, Governance, Safeguards against Money Laundering, Merchant Onboarding, Settlement, and Escrow Account Management, Customer Grievance Redressal and Dispute Management Framework, Security, Fraud Prevention and Risk Management Framework and Reports. Payment Aggregators and Payment Gateways are intermediaries playing an important role in facilitating payments in the online space.
Particularly, the Guidelines highlights, among other things, that all entities must put in place sufficient data security infrastructure and systems for prevention and detection of fraud, that agreements for the privacy and security of customer data must be included during merchant on-boarding, and that Payment Aggregators shall reveal comprehensive information relating to customer grievances, merchant policies, privacy policies, and other terms and conditions on their website and mobile applications.
Moreover, the Guidelines recommend Payment Aggregators and payment gateways to adopt baseline technology-related recommendations, including, among other things, carrying out a comprehensive risk assessment of their IT systems and business procedures, implementing data security standards such as Payment Card Industry Data Security Standard ('PCI-DSS') and the Payment Application Data Security Standard ('PA-DSS'), reporting security incidents to the Reserve Bank of India (RBI) within the specified timeframe, and taking preventive measures to make certain that data is not stored in infrastructure that belongs to an external jurisdiction.
Applicability of New Guidelines
- The new set of guidelines issued by Reserve Bank of India (RBI) shall be applicable to Payment Aggregators (PAs) and payment gateways (PGs).
- The Domestic leg of export and import regarding payments facilitated by Payment Aggregators (PAs) shall also adhere to these regulations.
- The new guidelines are not applicable to the Cash on Delivery (CoD) e-commerce model.
Key Highlights Of New Guidelines
- The Reserve Bank of India (RBI) said Existing non-bank entities that are offering payment aggregation services should apply for authorization on or before 30th June 2021. Further Reserve Bank of India (RBI) said, Payment Aggregators, shall be permitted to continue their operations till they receive communication from Reserve Bank of India (RBI) relating to the fate of their application.
- As per the guidelines, E-commerce marketplaces providing Payment Aggregators (PAs) services would be separated as an entity and would be identified as technology service providers or ‘outsourcing partners’ for banks or non-banks.
- The Reserve Bank of India (RBI) has brought down the capital requirements for payment aggregators at the time of application for the license from Rs 100 crore to Rs 15 crore. According to the Reserve Bank Of India’s (RBI) final regulation, an existing payment aggregator shall attain a net worth of Rs 15 crore by 31st March 2021, and a net-worth of Rs 25 crore by the end of the third financial year, on or before 31st March 2023. Post the third financial year; these payment aggregators are required to maintain the net-worth mark of Rs 25 crore.
- The Reserve Bank of India (RBI) says the entities which want to undertake Payment Aggregation and Payment Gateway activity should be a company incorporated in India under the Companies Act, 1956/2013.
- The Reserve Bank of India (RBI) has also asked payment aggregators (PAs) to set up designated nodal offices to deal with issues of customers.
- The Reserve Bank of India (RBI) has asked the payment aggregators to adhere to the security guidelines and AML( Anti Money Laundering) and KYC rules. Payment aggregators (PAs) are advised to gather Sufficient and proper information and data security infrastructure and systems to avert frauds.
- To enhance the security of ATMs, the Reserve Bank of India (RBI) has prohibited Payment Aggregators from allowing online transactions to be done with the ATM pin as the second factor of authentication.
- The guidelines issued by the Reserve Bank of India (RBI) have made it mandatory that payment aggregators will have to conduct a background check of their merchants to confirm that they do not intend to sell any prohibited/fake products.
- According to the new Reserve Bank of India (RBI) guidelines, Payment Aggregators (PAs) will have to submit a certificate in the prescribed format from their CA to evidence compliance with the applicable net-worth requirement while submitting the application for authorization.