RBI guidelines on regulation of Payment Gateways and Payment Aggregators
The Reserve Bank of India (RBI) periodically issues guidelines on the regulation of payment gateways (PGs) and payment aggregators (PAs) to protect consumer interests, because these entities hold significant amounts of customer data. As a financial security safeguard, the new RBI guidelines prohibit PAs and PGs from retaining customer card credentials in their databases or on their servers. Through a number of circulars, revised periodically and in response to requests from industry stakeholders, the RBI has published guidelines for regulating payment aggregators and payment gateways.
Under circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020, authorised non-bank payment aggregators and the merchants on-boarded by them were forbidden from retaining card-on-file (CoF) data as of June 30, 2021. Circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 further extended this deadline to December 31, 2021.
Understand payment aggregators and payment gateways
- Payment aggregators (PAs) are organizations that enable merchants and e-commerce sites to accept different payment instruments from customers in order to fulfil their payment commitments, without the merchants having to build their own payment integration systems. PAs make it easier for merchants to work with acquirers: in the process they collect payments from customers, pool them, and eventually transfer the funds to the merchants.
- Payment gateways (PGs) are organizations that offer technological infrastructure to route and facilitate processing of an online payment transaction without getting involved in money handling.
Applicability of the guidelines issued
- Online PAs and PGs need to abide by the guidelines. The guidelines aim to regulate and govern the activities of online PAs, while giving PGs general technology-related recommendations.
- Bank PAs are exempt from the need for authorization; however, they must ensure that the rules are followed by September 30, 2020 (as extended by circular DPSS.CO.PD.No.1897/02.14.003/2019-20 dated June 04, 2020). If an application for authorization is submitted before the deadline of June 30, 2021, the instructions will take effect for non-bank PAs as of the date of such authorization.
- The guidelines also should be followed by the online marketplaces that are engaged in direct payment aggregation; marketplaces that use a PA’s services are regarded as merchants.
- The guidelines apply to transactions where payment is made in advance while delivery of the goods is deferred; they do not apply to “Delivery vs. Payment” transactions.
When, How and Who will be authorised?
The requirements for authorization have been established based on the intermediary’s handling of money.
- Bank and non-bank PAs both handle funds as part of their activities. However, as banks already offer PA services as part of their regular banking relationship, the RBI does not need to grant them a separate authorization. Under the Payment and Settlement Systems Act, 2007 (PSSA), RBI authorization is required for non-bank PAs.
- PA must be a company established in India in accordance with the Companies Act, 1956 or 2013. The proposed activity of performing as a PA must be covered by the applicant entity’s Memorandum of Association (MOA).
- For existing non-bank PAs, the RBI will require the CA certificate of net-worth at the time of the application for authorization, attesting that the requirement of net-worth is ensured (as of March 31, 2021). If an existing entity wishes to apply before March 31, 2021, a similar certificate shall be submitted as on the nearest half-year ending date. Newly incorporated non-bank entities must provide a certificate from their CA stating the present net worth along with a preliminary balance sheet even if they do not have an audited statement of financial accounts.
- The ‘Form A’ application must be submitted to the Department of Payment and Settlement Systems (DPSS), RBI Central Office, Mumbai. Entities regulated by one of the financial sector authorities must obtain a “No Objection Certificate” from that regulator and submit it with their application within 45 days of receiving such clearance.
Capital Requirements
- PAs already in existence as of March 17, 2020 must have a net worth of 15 crore rupees by March 31, 2021, and a net worth of 25 crore rupees by the end of the third financial year, i.e. on or before March 31, 2023. Following that, the net worth of 25 crore shall always be maintained.
- New PAs must have a net worth of at least 15 crore rupees at the time of application for authorization and 25 crore rupees at the end of the third financial year after authorization approval. Following that, the net worth of 25 crore shall always be maintained.
Who will govern the related issues?
- The Promoter Groups and Promoters must meet the Reserve Bank’s “fit and proper” standards. A director of the PA company is considered “fit and proper” if:
  - The person has demonstrated fairness and integrity in the past, including, but not limited to:
    - moral and ethical integrity;
    - financial integrity;
    - honesty.
  - The person has not been disqualified by any of the following:
    - conviction by a court for a crime involving moral turpitude, a financial crime, or a crime under the laws administered by the RBI;
    - being declared insolvent and not discharged;
    - an order by a regulatory authority restricting, prohibiting, or barring the person from accessing or dealing in any financial system, where the period specified in the order has not yet expired;
    - unsound financial condition;
    - a finding by a court of competent jurisdiction that the person is mentally incompetent.
- The RBI’s determination on any issue regarding a person’s suitability shall be final.
- Any change in management, acquisition of control, or takeover of a non-bank PA must be reported within 15 days to the Chief General Manager, Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai, through a letter containing all relevant details, including a “Declaration and Undertaking” by each new director, if any. The RBI will assess the management’s “fit and proper” status and, if necessary, may impose suitable restrictions on such changes.
- The roles and responsibilities of the parties involved in sorting/handling complaints, refunds/failed transactions, return policies, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanisms, reconciliation, etc., shall be clearly defined in agreements between PAs, merchants, acquiring banks, and all other stakeholders.
- PAs must provide complete information on their website and/or mobile application on merchant policies, customer complaints, privacy policies, and other terms and conditions. Individual merchants it has on-boarded are exempted from such disclosure.
- PAs must have a Board-approved policy for handling complaints, a dispute resolution mechanism, time frames for processing refunds, etc., in a way that adequately complies with the RBI’s Turn Around Time (TAT) for resolution of failed transactions instructions issued via CO.PD No.629/02.01.014/2019-20 dated September 20, 2019.
Merchant On-boarding & KYC
- PAs must have a merchant on-boarding policy that has been authorized by the board.
- PAs must conduct background and antecedent checks on merchants to ensure, among other things, that they do not sell fake, counterfeit, or illegal goods and that they do not intend to defraud customers. The terms and conditions of the service and the turnaround time for returns and refunds must be made clear on the merchant’s website.
- PAs are in charge of ensuring that the infrastructure of newly onboarded merchants complies with the Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS).
- The merchant site must not save client credit cards or other associated information. As and when necessary, a security audit of the merchant may be performed to verify compliance.
- The security and privacy of customer data must be covered by the agreement with the merchant. Compliance with PA-DSS requirements and incident reporting duties must be included in the PA’s agreements with merchants. The PA must receive security assessment reports on a regular basis, either based on risk assessment (for large or small merchants) or at the time of contract renewal.
- The KYC rules of the Department of Regulation (DoR), RBI, are relevant if a PA maintains an account-based connection with the merchant. “Safeguards against Money Laundering (KYC/AML/CFT) Provisions” shall also apply in this context.
- If the merchant already has a bank account being used for transaction settlement, it would not be necessary to complete the entire KYC process (in compliance with DoR’s KYC rules).
Management of Settlement and Escrow Accounts
- After the business receives authorization from the RBI, the operations of PAs are considered to be “designated payment systems” under the Payment and Settlement Systems Act (PSS Act) for the purpose of maintaining the escrow account.
- The November 24, 2009, circular DPSS.CO.PD.No.1102/02.14.08/2009-10, titled “Directions for opening and operating Accounts and settling payments for electronic payment transactions involving intermediaries,” shall be considered repealed for authorised PAs from the date of authorization. The mentioned circular will be regarded as revoked as of June 30, 2021, with the exception of PAs whose applications for authorization are still pending at the RBI.
- Existing entities may continue to manage nodal accounts until RBI authorization has been granted. Since the PA must transition to an escrow account, the bank and the PA may decide to keep the account open from an earlier time. They will not, however, automatically qualify for “designated payment system” status under Section 23A of the PSS Act based only on this.
- The bank may permit the balances under the existing nodal accounts of PAs to be taken into account for the computation of the “Core part” if it can demonstrate that the nodal account of an entity has been transferred to an escrow account in accordance with the new instructions.
- Entities that do not have the required net worth as of March 31, 2021, must shut down their PA operations. After June 30, 2021, banks will be forced to terminate these nodal accounts unless the PA provides the bank with proof that an application for authorization was submitted to the RBI.
- Pre-funding may be used to accommodate temporary mismatches. Refund of excess pre-funding is not permitted.
- The settlement period (“T”) may differ between merchants, depending on the terms of the agreement between the PA and each merchant.
- The amount due to the merchant is determined only after settlement and credit to the escrow account. The account does not need to be pre-funded for this purpose; on the actual settlement day, the funds are credited to escrow.
- At the end of the day, the balance in the escrow account shall not be less than the total of the amounts due to merchants and the amounts already collected from customers, in accordance with “Tp”.
- PAs may pre-fund the escrow account with their own funds or with the merchant’s funds. In the latter case, the merchant holds a beneficial interest in the pre-funded portion.
- Where incoming funds are delayed for reasons beyond the PA’s control, the PA must follow the instructions and transfer the funds to the merchant within T+0 or T+1 of receiving the funds into its account.
- The Bharat Bill Payment System (BBPS) settlement accounts are governed by the BBPS guidelines.
- The escrow account may not be used for “Cash-on-Delivery” transactions.
- Where a second escrow account is maintained, credit and debit transfers between the two escrow accounts are also allowed. Inter-escrow transfers should be kept to a minimum and, where used, must be specifically mentioned in the auditor’s certificate. The permitted credits and debits to the escrow account are:
  - Credits
    - Payments from customers toward the purchase of goods or services.
    - Pre-funding by merchants or PAs.
    - Transfers representing refunds for failed, disputed, returned, or cancelled transactions.
    - Funds received for transfer to merchants in connection with promotions, rewards, cash-backs, etc.
  - Debits
    - Payments to various merchants and service providers.
    - Payment to any other account as per the merchant’s specific instructions.
    - Transfers for refunds of failed or disputed transactions.
    - Payment of commission to the intermediaries, which must be disbursed at regular intervals.
    - Disbursement of amounts received for incentives, cash-backs, and other promotional activities.
- For the purpose of maintaining reserve requirements, the outstanding balance in the escrow account must be included in the bank’s “net demand and time liabilities” (NDTL). This position will be calculated based on the amounts that were recorded in the bank’s books as of the reporting date.
- Both the organization and the banker of the escrow account are in charge of ensuring that all RBI directives that are periodically issued are followed. The RBI’s decision in this matter shall be final and enforceable.
- Funds settlement with merchants must be kept separate from any other business the PA, if any, handles.
- The authorized entities must submit to the Regional Office of DPSS, RBI, under whose jurisdiction the registered office of the PA is located, a certificate signed by the auditor(s) attesting that the entity has been maintaining balances in the escrow account(s). If an additional escrow account is maintained, the balances in both accounts must be taken into account for this certification, and the certificate must state this. Both escrow accounts must be audited by the same auditor.
- PAs must provide the bank where they are maintaining the escrow account with a list of the merchants they have acquired, and they must update this list periodically. The bank must make sure that payments are only made to legitimate businesses or uses. The agreement between the PA and the bank managing the escrow account must contain an exclusive clause stipulating that the balance in the account may only be used for the aforementioned objectives.
Framework for Customer Grievance Redress and Dispute Management
- PAs must establish a formal, openly accessible framework for handling customer complaints, grievances, and disputes. This framework must include appointing a nodal officer to manage customer complaints and grievances as well as an escalation matrix. If a complaint facility is made available on a website or mobile device, it must be obvious and simple to use.
- PAs must designate a Nodal Officer to handle regulatory and customer complaint tasks. On their website, specifics of the nodal officer for client complaints must be clearly visible.
- PAs must have a binding dispute resolution process that outlines the transaction life cycle, a thorough explanation of the different types of disputes, how to handle them, compliance, the obligations of all parties, documentation, reason codes, how to handle grievances, turnaround times for each stage, etc.
Framework for security, fraud prevention, and risk management
- The PA must make sure that the infrastructure of the merchants complies with relevant security standards like PCI-DSS and PA-DSS.
- Whether they are PCI-DSS compliant or otherwise, merchants are not permitted to hold payment information. However, they are permitted to save a limited amount of information for the purpose of tracking transactions; this information must be stored in accordance with the relevant standards.
- The PA is not allowed to keep customer card information in its database or server (regardless of whether the merchant has access to it or not) unless it is strictly necessary for transaction tracking, for which the appropriate information may be kept in accordance with the relevant standards.
- A routine system audit, including a cyber security audit, may be conducted by CERT-In empanelled auditors within two months after the end of the financial year.
General Guidelines
- PAs are responsible for ensuring that the Merchant Discount Rate (MDR) guidelines currently in place are adhered to. The PA must also give notice of any additional fees being assessed, such as convenience fees, handling fees, etc.
- PAs are prohibited from restricting the number of transactions for a specific payment method. The issuing bank or company is accountable for this; for example, the issuing bank of a credit card is accountable for setting the amount limitations on cards it issues depending on the customer’s credit worthiness, spending habits, profile, etc.
- PAs may not accept an ATM PIN as a form of verification for transactions using a card that is not physically present.
- Unless the client specifically agrees to credit to a different mode of payment, all refunds must be issued to the original form of payment.
Baseline Technology-related Recommendations
The following are indicative baseline technology adoption recommendations for PAs (required) and PGs (recommended):
- Recommendations relating to security. The obligations for entities with regard to IT systems and security are as follows:
- Information Security Governance: To identify risk exposures, corrective actions and residual risks, the entities must, at a minimum, conduct a thorough security risk assessment of their people, IT, business process environment, etc. This may take the form of an internal security audit, or an annual security audit by an independent security auditor or a CERT-In empanelled auditor. The Board shall receive reports on risk assessment, security compliance posture, security audit results, and security incidents.
- Data Security Standards: Data security best practices and standards such as PCI-DSS, PA-DSS, the latest encryption standards, transport channel security, etc., must be adopted.
- Security Incident Reporting: The entities must report to the RBI, within the prescribed timeframe, any security incidents or breaches involving cardholder data. Monthly reports on cyber security incidents, including root cause analyses and the preventive measures adopted, must be submitted to the RBI.
- Merchant Onboarding: To ensure that merchants follow these minimum baseline security rules, the entities must conduct a thorough security assessment during the merchant onboarding process.
- Cybersecurity Audit and Reports: The entities must conduct and submit to the IT Committee quarterly internal and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports; a PCI-DSS compliance report including the Attestation of Compliance (AOC) and Report on Compliance (ROC), with observations noted, if any; corrective / preventive actions planned with action closure dates; an inventory of applications which store or process personally identifiable information; and a list of applications that store or process
- Information Security Policy: The Board-approved information security policy must be reviewed at least once a year. The policy must address its alignment with business goals, its objectives, scope, ownership, and responsibility, the roles and responsibilities of information security staff, the upkeep of asset registers and inventories, the classification of data, exceptions, and the knowledge and skill sets necessary for compliance, as well as periodic training and ongoing professional development.
- IT Governance: To ensure that comprehensive documentation in the form of processes and guidelines exists and is put into practice, an IT policy must be formulated for the regular administration of IT functions. Annual reviews of the strategic plan and policy are required. A framework for IT governance at the Board level shall include:
  - Board Involvement: The Board and Top Management have a vital role to play in approving information security policies, setting up the required organizational procedures and functions for information security, and providing the required resources.
  - IT Steering Committee: As necessary, an IT Steering Committee with members from different business activities should be established. The Committee will support Executive Management in putting the Board-approved IT plan into action. It must have clearly defined goals and actions.
  - Enterprise Information Model: In accordance with the Board-approved IT strategy, the entities must create and maintain an enterprise information model to facilitate application development and decision-supporting operations. The model should make it easier for the business to create, use, and share information in the best possible way: one that retains integrity and is adaptable, practical, timely, secure, and robust to failure.
  - Cyber Crisis Management Plan: The entity’s overall Cyber Crisis Management Plan, which must be approved by the IT strategy committee, includes components such as Detection, Containment, Response, and Recovery.
  - Enterprise Data Dictionary: The entities are required to maintain a “corporate data dictionary” that includes the organization’s data syntax rules. This enables data sharing between different applications and systems, promotes a shared understanding of data among IT and business users, and prevents the creation of incompatible data elements.
- Risk Assessment: From a business, compliance, and/or contractual standpoint, the risk assessment must identify the threat/vulnerability combinations and the likelihood of impact on the confidentiality, availability, or integrity of each asset within its scope.
- Access to Applications: The application owner must approve and maintain current written standards and procedures for administering an application system. Access to the application must be limited on a “need to know” basis and in accordance with the duties of the role.
- Staff Competency: The requirements for trained resources with the necessary skill sets for the IT function must be understood and assessed, with a periodic review of the training requirements for human resources.
- Vendor Risk Management: Service Level Agreements (SLAs) for technical support, including BCP-DR and data management, must explicitly provide for regulatory access to these setups.
- Maturity and Roadmap: The entities should consider determining their IT maturity level against recognized international standards, then designing and implementing an action plan to reach the target level.
- Cryptographic Requirements: The entities shall choose encryption algorithms that are well-established international standards and have undergone rigorous examination by the international community of cryptographers, or that have been approved by reputable security vendors, governmental agencies, or authoritative professional bodies.
- Forensic Readiness: All security events from the entity’s infrastructure, including but not limited to application, server, middleware, endpoint, network, authentication, database, web service, and cryptographic events, shall be collected, investigated, and analysed for the purpose of proactively identifying security alerts.
- Data Sovereignty: The entities must take precautions to ensure that data is stored in infrastructure that is not under the control of other countries, and appropriate safeguards must be in place to prevent unauthorized access to the data.
- Data Security in Outsourcing: Outsourcing agreements must contain a “right to audit” clause so that the entities, their designated agencies, and regulators are able to perform security audits. Alternatively, independent third-party security audit reports must be provided to the entities every year.
- Payment Application Security: Payment applications must be developed in accordance with PA-DSS standards and adhere to them as required. As part of the merchant onboarding process, the entities must assess the merchant’s PCI-DSS compliance status.
Additional Recommendations
- The database or server that the merchant accesses must not save the customer card credentials.
- It is forbidden to offer the option of using an ATM PIN as an element of authentication for card-not-present transactions.
- PSOs must adhere to the instructions on the storage of payment system data.
- Unless the customer specifically agrees to credit an alternative method, all refunds must be handled using the original payment method.
Conclusion
Circulars DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 direct that neither the authorized Payment Aggregators (PAs) nor the merchants on-boarded by them shall store customer card credentials [also known as Card-on-File (CoF)]. Under these instructions, no party in the card transaction or payment chain, other than the card issuers and/or card networks, shall hold the actual card data as of September 30, 2022. Any previously stored copies of this data must also be deleted. Entities may, in accordance with the applicable standards, retain only the last four digits of the actual card number and the name of the card issuer, for transaction tracking and/or reconciliation purposes. The card networks are responsible for ensuring that all parties involved fully comply with the above.
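As an added illustration (not from the RBI circulars or any PA's own code), the following Python shows the two sides of the CoF rule summarised above and in the security framework section: reducing a transaction to the only card fields that may be retained, and scanning a record store for full card numbers that should have been purged. The record layout, the PAN regex, the Luhn filter and the sample records are assumptions constructed for this example.

```python
"""Card-on-file (CoF) retention check.

Illustrates the rule summarised on this page: only the last four digits of the
card number and the issuer name may be kept for tracking/reconciliation, and
any previously stored full card data must be purged. Record layout, regex and
sample data are assumptions constructed for this example, not an RBI format.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens, not
# adjacent to other digits. This is an assumed heuristic, not an RBI definition.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def retention_record(pan: str, issuer_name: str, txn_id: str) -> dict:
    """Reduce a transaction's card details to the fields the page says may be kept."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("input does not look like a valid PAN")
    # Nothing else from the card is carried over: no full PAN, expiry or CVV.
    return {"txn_id": txn_id, "card_last4": digits[-4:], "card_issuer": issuer_name}


def find_stored_pans(records: list) -> list:
    """Scan stored records for values that still contain a full PAN.

    Returns (record_index, field_name) pairs so a purge can be verified or the
    offending rows located. Every string field is checked, not only card
    fields, because leftover PANs tend to hide in free-text notes and logs.
    """
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in PAN_RE.finditer(value):
                if luhn_valid(re.sub(r"\D", "", m.group())):
                    hits.append((idx, field))
    return hits


# Constructed sample of what a PA's transaction store might hold after the
# deadline. The card number is the well-known Visa test PAN, not a real card.
SAMPLE_RECORDS = [
    {"txn_id": "T1", "card_last4": "1111", "card_issuer": "Example Bank",
     "amount": "1250.00"},
    {"txn_id": "T2", "card_last4": "1111", "card_issuer": "Example Bank",
     "notes": "retry after decline on card 4111 1111 1111 1111"},  # leftover PAN
    {"txn_id": "TXN-2022-0930-0001", "card_last4": "1111",
     "card_issuer": "Example Bank", "card_masked": "XXXX-XXXX-XXXX-1111"},
]


if __name__ == "__main__":
    print(retention_record("4111 1111 1111 1111", "Example Bank", "T1"))
    print("records still holding a full PAN:", find_stored_pans(SAMPLE_RECORDS))
```

Run against a real store, the scan is a purge-verification step, not a substitute for the PCI-DSS assessment the page requires.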