Payment Aggregator License in India: Quick Overview
Regulator: Reserve Bank of India Legal Framework: Payment and Settlement Systems Act, 2007 and FEMA, 1999 where applicable Applicable Direction: RBI Regulation of Payment Aggregators Directions, 2025, as amended from time to time Registration Type: Certificate of Authorisation as Payment Aggregator Categories: PA-O, PA-P and PA-CB Minimum Net Worth at Application: Rs.15 crore Ongoing Net Worth: Rs.25 crore by end of third financial year from authorisation and thereafter Escrow Account: Mandatory for non-bank PAs FIU-IND Registration: Mandatory for non-bank PAs Cyber Compliance: Board-approved IT policy, CERT-In audit, PCI-DSS and data localisation Timeline: Indicative and subject to RBI review The above details are indicative and must be evaluated based on the applicant's business model, PA category, capital position, merchant flow, technology architecture, escrow design, FEMA applicability and latest RBI directions at the time of filing.
What is Payment Aggregator License in India?
Payment Aggregator License in India is RBI authorisation required for entities that aggregate payments made by customers to merchants through one or more payment channels and thereafter settle the collected funds to such merchants. If a non-bank entity handles merchant funds before settlement, Payment Aggregator authorisation is mandatory. A Payment Aggregator may operate through online channels, physical acceptance infrastructure or cross-border e-commerce payment flows, depending on the category of authorisation. If the business only provides technology infrastructure and does not handle funds, it may be closer to a Payment Gateway model. However, if the business touches merchant funds, collects money on behalf of merchants or settles funds later, Payment Aggregator License in India must be carefully evaluated.
Legal Foundation of Payment Aggregator License in India
Regulator: Reserve Bank of India Primary Law: Payment and Settlement Systems Act, 2007 FEMA Applicability: Applicable for cross-border PA-CB activities Applicable Direction: RBI Regulation of Payment Aggregators Directions, 2025, as amended from time to time Relevant RBI Department: Department of Payment and Settlement Systems Authorisation Issued: Certificate of Authorisation Applicable Entities: Bank and non-bank entities undertaking PA business, with non-bank entities requiring authorisation Core Regulatory Focus: Merchant fund protection, escrow discipline, cyber security, AML, grievance redressal and reporting The RBI framework consolidates compliance expectations for Payment Aggregators and brings online, physical and cross-border payment aggregation models under a structured regulatory framework.
Categories Under Payment Aggregator License in India
PA-O: Payment Aggregator - Online - Facilitates transactions where payment instrument and acceptance device are not in physical proximity - E-commerce checkout, online payment links, app-based payments PA-P: Payment Aggregator - Physical - Facilitates transactions where payment instrument and acceptance device are physically present - POS terminal, QR-based payment acceptance, soundbox-based merchant payments PA-CB: Payment Aggregator - Cross Border - Facilitates cross-border payment aggregation for permitted current account transactions through e-commerce mode - Export payments, import payments, cross-border merchant settlement PA-CB may include
- 'Inward transactions involving foreign inflow', 'Outward transactions involving foreign remittance'
- Correct category selection is critical. Wrong categorisation may lead to regulatory queries or rejection.
Payment Aggregator vs Payment Gateway - Regulatory Difference
Handles Funds: Yes - No Requires RBI Authorisation: Yes, for non-bank PA - No separate PA authorisation if it only provides technology routing Escrow Account: Mandatory - Not applicable Capital Requirement: Rs.15 crore at application and Rs.25 crore ongoing - Not prescribed as PA capital requirement Settlement Responsibility: Yes - No FIU-IND Registration: Required for non-bank PA - Not applicable in same manner Regulatory Risk: Direct RBI supervision - Technology compliance encouraged, subject to business model If the entity touches merchant funds, it should not be treated as only a Payment Gateway.
Who Requires Payment Aggregator License in India?
Banks do not require separate authorisation to carry out PA business, but non-bank entities must obtain RBI authorisation.
Eligibility Criteria for Payment Aggregator License in India
Entity Type: Company incorporated in India under Companies Act, 2013 - LLP, partnership, sole proprietorship and trust structures are not eligible MOA Object Clause: Must specifically cover PA activity - MOA should be reviewed and amended before application if required Minimum Net Worth at Application: Rs.15 crore - Must be certified by statutory auditor Ongoing Net Worth: Rs.25 crore by end of third financial year from authorisation - Must be maintained continuously Fit and Proper: Promoters and directors must satisfy RBI criteria - Financial integrity, reputation, no disqualifications NOC from Regulator: Required if already regulated by RBI, SEBI, IRDAI, PFRDA or NHB - Application must be filed within prescribed timeline after NOC FDI Compliance: Must comply with Consolidated FDI Policy and FEMA - Required where foreign investment exists Application Completeness: Application must be complete and in prescribed form - Incomplete application may be returned
Capital Requirement for Payment Aggregator License in India
At Application: Rs.15 crore - To be certified by statutory auditor By End of Third Financial Year from Authorisation: Rs.25 crore - Must be achieved within prescribed timeline Ongoing: Rs.25 crore - Must be maintained continuously An entity not meeting minimum capital norms will not be considered. Net worth erosion after authorisation may attract regulatory action.
Net Worth Computation for Payment Aggregator License in India
Paid-up equity share capital: Included Free reserves: Included Compulsorily Convertible Preference Shares: Included, subject to conditions Accumulated losses / deficit: Deducted Deferred Tax Assets: Deducted Redeemable preference shares: Not included Non-compulsorily convertible preference shares: Not included Net Worth = Paid-up Equity + Free Reserves + Eligible CCPS - Accumulated Losses - Deferred Tax Assets - Non-Qualifying Instruments Many applicants overstate net worth by including non-qualifying instruments. A pre-application net worth audit should be completed before obtaining the statutory auditor certificate.
Escrow Account Framework for Payment Aggregators
Escrow compliance is one of the most important pillars of Payment Aggregator License in India. Non-bank Payment Aggregators must maintain escrow accounts with Scheduled Commercial Banks to protect merchant funds. Domestic Escrow: PA-O and PA-P - Domestic merchant settlement Inward Collection Account: PA-CB inward - Cross-border inward collection Outward Collection Account: PA-CB outward - Cross-border outward payments Bank: Scheduled Commercial Bank for domestic PA, AD Category-I Scheduled Commercial Bank for PA-CB No Co-Mingling: Business funds and merchant funds must remain separate Day-End Balance: Must not be less than merchant payable amount No Loan: No loan or lien permitted against escrow funds Interest: Only eligible core portion may earn interest subject to conditions Merchant List: Merchant list must be submitted and updated with escrow bank COD Restriction: Escrow cannot be operated for Cash-on-Delivery transactions Cross-Border Separation: InCA and OCA must remain separate; no netting of inward and outward flows Core portion is generally computed by identifying the lowest daily balance fortnight-wise and averaging the lowest balances over 26 fortnights. No loan is permitted against the core portion.
Merchant KYC and Due Diligence Requirements
CKYCR Retrieval: Retrieve merchant KYC record where available with consent PAN Verification: Mandatory verification for merchants Contact Point Verification: Required, especially for small merchants Background Check: PA must conduct background and antecedent checks Merchant Category Code: Appropriate MCC and Merchant ID / Terminal ID should be allotted Marketplace Validation: Marketplace sellers must be properly onboarded Funds Credit: Merchant settlement should go only to the merchant verified bank account Ongoing Monitoring: Merchant transactions must be continuously monitored FIU-IND Registration: Mandatory for non-bank PAs AML/CFT Reporting: Suspicious transaction and related reporting obligations must be met Merchant onboarding after January 1, 2026 must strictly follow the new due diligence norms as applicable under the framework.
Dispute Resolution and Merchant Responsibilities
- 'Formal dispute management framework', 'TAT-based failed transaction resolution', 'Refund timeline process', 'Chargeback handling mechanism', 'Escalation matrix', 'Merchant grievance officer details on website', 'Public display of merchant policies, privacy policy and terms', 'Transparent merchant agreements' Failure in grievance redressal and dispute resolution may be viewed seriously by RBI.
Technical Requirements for Payment Aggregator License in India
Payment Aggregator License in India is now a technology-intensive authorisation. RBI expects strong cyber resilience, IT governance, data localisation, payment application security and audit readiness. IT Governance Framework Board-approved IT Policy: Formal IT and security framework approved by the Board IT Steering Committee: Cross-functional committee overseeing technology risk Enterprise Information Model: Structured data architecture Cyber Crisis Management Plan: Detection, containment, response and recovery plan Annual Strategy Review: IT roadmap and cyber posture reviewed periodically Information Security Governance
- 'Comprehensive security risk assessment', 'Internal or external annual security audit', 'Board review of security posture', 'Documentation of residual risks', 'Incident reporting process'
- Data Security Standards
- PCI-DSS: Mandatory where card data is handled PCI-SSF: Payment application security Strong Encryption: Internationally accepted cryptographic standards TLS Secure Channels: Secure data transmission No Card Credential Storage at Merchant End: Merchant systems must not store card credentials
- Cyber Security Audit Requirements
- Internal Audit: Quarterly - Internal / IT Committee External Cyber Audit: Annual - CERT-In empanelled auditor VAPT: Bi-annual - Certified security auditor PCI-DSS Assessment: As applicable - Accredited assessor Monthly Cyber Incident Report: Monthly - RBI as applicable
- Data Localisation and Vendor Risk
- 'Payment system data must be stored in India', 'Cloud architecture must support Indian data residency', 'Unauthorised cross-border data access must be prevented', 'Vendor contracts should address data localisation obligations', 'Right to audit clause in vendor contracts', 'Regulatory access to vendor setup', 'BCP and DR obligations', 'Vendor risk remains PA responsibility'
- Fraud Monitoring and Resilience
- 'Real-time fraud monitoring', 'Chargeback monitoring', 'Merchant risk scoring', 'Transaction anomaly detection', 'Centralised log monitoring', 'SIEM or equivalent monitoring', 'Root Cause Analysis reporting', 'BCP plan, DR site and periodic recovery testing'
Technical Readiness Checklist for Payment Aggregator License in India
Board-approved IT Policy: Required IT Steering Committee: Required Security Risk Assessment: Required PCI-DSS Compliance: Required where applicable PCI-SSF Alignment: Required for payment applications Data Localisation: Required CERT-In Cyber Audit: Required annually VAPT: Required bi-annually Fraud Monitoring: Required Merchant Security Assessment: Required SIEM / Log Monitoring: Expected BCP-DR Framework: Required Vendor Right to Audit Clause: Required Cyber Incident Reporting: Required
PA-CB Cross-Border Rules
Inward and Outward Funds: Must remain separate Netting: Not permitted Maximum Transaction Limit: Rs.25 lakh per transaction Forex Handling: Only through Authorised Dealer banks InCA and OCA: Separate accounts required FEMA Compliance: Mandatory EDPMS / IDPMS Support: Documentation support required for export/import closure Non-INR Settlement: Permitted only in specific cases as applicable PA-CB applicants must demonstrate both PSS Act and FEMA compliance readiness.
Documents Required for Payment Aggregator License in India
Company Documents: Certificate of Incorporation, MOA, AOA, PAN, board resolution Capital Documents: Net worth certificate from statutory auditor, audited financials, provisional balance sheet if applicable, bank statements, shareholder agreements for CCPS Director and Promoter Documents: Fit and proper declarations, KYC, PAN, Aadhaar, DIN, address proof, regulatory declarations Business Documents: Business plan, merchant acquisition strategy, revenue model, payment channel strategy, 3-year projections Policy Documents: Information Security Policy, Dispute Management Policy, Merchant KYC/CDD Policy, AML framework, Risk Policy Escrow Documents: Draft escrow agreement with Scheduled Commercial Bank, permissible debit/credit structure, merchant list process Technology Documents: PCI-DSS status, cyber security framework, VAPT plan, data localisation architecture, audit readiness documents Regulatory Documents: NOC from financial sector regulator if applicable, RBI online application, prescribed annexures Cross-Border Documents: FEMA framework, InCA/OCA plan, AD bank arrangement, EDPMS/IDPMS process if PA-CB
Step-by-Step Process for Payment Aggregator License in India
[ ['Pre-Application Structuring and Eligibility Assessment', 'Determine PA category, assess net worth, review MOA, check fit and proper status, assess NOC requirement and identify technology gaps.'], ['Net Worth Certification', 'Obtain statutory auditor certificate in prescribed format and ensure Rs.15 crore net worth is properly computed.'], ['Policy and Document Preparation', 'Prepare business plan, Board-approved Information Security Policy, dispute management policy, merchant KYC/CDD framework, escrow structure and director declarations.'], ['Online Application Filing', 'Submit application through RBI online portal with all required documents and annexures.'], ['RBI Review and Queries', 'RBI reviews capital, fit and proper status, business model, technology readiness, escrow design and compliance framework.'], ['Grant of Certificate of Authorisation', 'Upon regulatory satisfaction, RBI may grant Certificate of Authorisation specifying the PA category.'], ['Post-Authorisation Setup', 'Open escrow account within prescribed timeline, complete FIU-IND registration, implement cyber audit framework and start compliant merchant onboarding.'] ].map(([title, body], index) => ( Step index + 1 title body ))
Indicative Timeline for Payment Aggregator License in India
Stage 1: Pre-application assessment, net worth audit, MOA review and fit and proper check - 2 to 4 weeks Stage 2: Document preparation, policies, business plan and auditor certificate - 3 to 5 weeks Stage 3: Online portal submission - Around 1 week Stage 4: RBI primary review and acknowledgement - 4 to 8 weeks Stage 5: Query resolution and correspondence - 4 to 12 weeks Stage 6: CoA issuance and post-authorisation setup - 2 to 4 weeks Overall: Well-prepared application - 3 to 6 months Overall: Incomplete or query-heavy application - 9 to 18 months or more The timeline is indicative and depends on RBI review, documentation quality, technology readiness, query cycles and regulatory satisfaction.
Common Mistakes in Payment Aggregator License Applications
Incorrect net worth computation: Application may be returned MOA does not cover PA business: Regulatory query or rejection risk Incomplete fit and proper declarations: Delay in background verification No Board-approved Information Security Policy: Immediate technology compliance query Weak dispute management policy: Operational readiness concern Poor escrow explanation: Serious regulatory concern Wrong PA category selection: Structural clarification required PA-CB FEMA framework missing: Cross-border authorisation delay Technology infrastructure not evidenced: Annexure 1 compliance query Merchant KYC process weak: AML and onboarding concern Delayed regulatory deadline compliance: Business continuity risk
Post-Authorisation Compliance for Payment Aggregators
Monthly: Transaction statistics submission - By 7th of next month - Compliance / MIS Monthly: Cyber incident reporting - As prescribed - IT / Compliance Quarterly: Escrow balance certificate - By 15th of following month - Finance / Auditor Quarterly: Banker certificate for escrow / InCA / OCA - By 15th of following month - Banking Operations Quarterly: Internal cyber audit report - To IT Committee - IT / Security Bi-Annual: VAPT - Every 6 months - IT / External Auditor Annual: Net worth certificate - By September 30 - Statutory Auditor Annual: IS audit and cyber security audit - As prescribed - CERT-In empanelled auditor Event-Based: Change in board / director declaration - Immediate - Company Secretary Event-Based: Change in control approval - Before transaction - Compliance / Legal Maintaining Payment Aggregator License in India requires board-level monitoring, not only filing-level compliance.
Suspension, Cancellation and Supervisory Risk
Capital shortfall: Show cause or supervisory action Escrow violation: Severe regulatory penalty AML breach: FIU-IND reporting and regulatory action Cyber breach: RBI supervisory action False disclosure: Authorisation cancellation Merchant fund mismanagement: Escrow freeze or restriction Failure to submit reports: Supervisory action Unauthorised PA activity: Penalty under PSS Act Change in control without approval: Regulatory action
Why Early Structuring Matters for Payment Aggregator License in India
Most delays in Payment Aggregator License applications arise from incomplete MOA objects, weak escrow design, incorrect net worth computation, poor cyber documentation, inadequate board oversight and ambiguity in PA category selection. Early structuring helps promoters identify regulatory gaps before filing and reduces avoidable query cycles. "In financial infrastructure businesses, regulatory approval is not merely permission to operate; it is a declaration of systemic trust. That trust must be earned through governance discipline." CS Devyani Khambhati - Compliance Expert
How Estabizz Helps with Payment Aggregator License in India
Why Choose Estabizz for Payment Aggregator License in India?
FAQs on Payment Aggregator License in India
faqs.map((faq) => ( faq.q faq.a ))
Reviewed by Estabizz Compliance Expert
CS Devyani Khambhati Designation: Compliance Expert | Estabizz Fintech Private Limited Expertise: RBI, SEBI, IRDAI, IFSCA, fintech regulatory compliance, payment system authorisation, Payment Aggregator registration, FEMA, cyber compliance and post-authorisation regulatory support. This content has been prepared from a regulatory advisory perspective to help fintech founders, payment companies, cross-border payment businesses, merchant platforms and compliance teams understand the broad RBI framework for Payment Aggregator authorisation in India. This content is for general informational purposes only and should not be treated as legal, regulatory, financial or investment advice. RBI requirements, application formats, capital thresholds, escrow rules, cyber security expectations, reporting obligations and approval processes may change from time to time. Applicants should verify the latest regulatory position and obtain professional advice before filing any application with RBI.
Start Your Payment Aggregator License Journey with Estabizz
Build your Payment Aggregator application with structured RBI regulatory support, Rs.15 crore net worth readiness review, PA-O / PA-P / PA-CB category assessment, escrow design, cyber compliance framework, business plan, policy documentation and post-authorisation compliance assistance. Speak to RBI Compliance Expert Apply for Payment Aggregator License WhatsApp Estabizz Team