(453 kb)
Guidelines on Regulation of Payment Aggregators and Payment Gateways

RBI/DPSS/2019-20/174
DPSS.CO.PD.No.1810/02.14.008/2019-20

March 17, 2020

All Payment System Providers and System Participants

Madam / Sir,

Guidelines on Regulation of Payment Aggregators and Payment Gateways

This has reference to Reserve Bank of India (RBI) circular DPSS.CO.PD.No.1102/02.14.08/2009-10 dated November 24, 2009 on ‘directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries’.

2. A reference is also invited to the discussion paper placed on the RBI website on guidelines for regulation of Payment Aggregators (PAs) and Payment Gateways (PGs). Based on the feedback received and taking into account the important functions of these intermediaries in the online payments space as also keeping in view their role vis-à-vis handling funds, it has been decided to (a) regulate in entirety the activities of PAs as per the guidelines in Annex 1, and (b) provide baseline technology-related recommendations to PGs as per Annex 2.

3. Detailed guidelines to this end are appended. It may be noted that these guidelines are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 and shall come into effect from April 1, 2020 other than for activities for which specific timelines are mentioned.

Yours faithfully,

(P. Vasudevan)
Chief General Manager

Encl. : As above


Annex 1

Guidelines on Regulation of Payment Aggregators and Payment Gateways
(DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020)

Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries playing an important function in facilitating payments in the online space.

1. Definitions

1.1. For the purpose of this circular, the PAs and PGs are defined as under:

1.1.1. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

1.1.2. PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

1.2. In the processing of an online transaction the following timelines are involved:

  • ‘Tp’ – date of charge / debit to the customer’s account against the purchase of goods / services.

  • ‘Ts’ – date of intimation by the merchant to the intermediary about shipment of goods.

  • ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer.

  • ‘Tr’ – date of expiry of refund period as fixed by the merchant.

2. Applicability

2.1. The guidelines shall be applicable to PAs. PAs shall also adopt the technology-related recommendations provided in Annex 2. As a measure of good practice, the PGs may adhere to these baseline technology-related recommendations.

2.2. Domestic leg of import and export related payments facilitated by PAs shall also be governed by these instructions.

2.3. The guidelines are not applicable to Cash on Delivery (CoD) e-commerce model.

3. Authorisation

3.1. The criteria of authorisation has been arrived at based on the role of the intermediary in handling of funds.

3.2. Bank and non-bank PAs handle funds as part of their activities. Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. Non-bank PAs shall require authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSSA).

3.3. PA shall be a company incorporated in India under the Companies Act, 1956 / 2013. The Memorandum of Association (MoA) of the applicant entity must cover the proposed activity of operating as a PA.

3.4. Existing non-bank entities offering PA services shall apply for authorisation on or before June 30, 2021. They shall be allowed to continue their operations till they receive communication from RBI regarding the fate of their application.

3.5. Entities seeking authorisation as PA from the RBI under the PSS Act, shall apply in Form A to the Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai. Entities regulated by any of the financial sector regulators shall apply along with a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such a clearance.

3.6. E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed at clause 3.4 above. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021.

3.7. PGs shall be considered as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be. In case of a bank PG, the guidelines issued by Reserve Bank of India, Department of Regulation (DoR) vide circular No.DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006 on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” and other follow up circular(s) shall also be applicable.

4. Capital Requirements

4.1. PAs existing as on the date of this circular shall achieve a net-worth of ?15 crore by March 31, 2021 and a net-worth of ?25 crore by the end of third financial year, i.e., on or before March 31, 2023. The net-worth of ?25 crore shall be maintained at all times thereafter.

4.2. New PAs shall have a minimum net-worth of ?15 crore at the time of application for authorisation and shall attain a net-worth of ?25 crore by the end of third financial year of grant of authorisation. The net-worth of ?25 crore shall be maintained at all times thereafter.

4.3. Illustratively,

Non-bank EntityDate of Application / AuthorisationDate of Achieving ? 15 Cr. Net-worthDate of Achieving ? 25 Cr. Net-worth
Existing PAsUp to 30/06/2021Date of application or 31/03/2021 whichever is earlier31/03/2023
New PAs20/03/2020
01/04/2020
01/03/2021
01/04/2021
On date of application31/03/2022
31/03/2023
31/03/2023
31/03/2024

4.4. Net-worth shall consist of paid-up equity capital, preference shares that are compulsorily convertible to equity, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. Compulsorily convertible preference shares can be either non-cumulative or cumulative, and they should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.

4.5. Entities having Foreign Direct Investment (FDI) shall be guided by the Consolidated Foreign Direct Investment policy of the Government of India and the relevant foreign exchange management regulations on this subject.

4.6. PAs shall submit a certificate in the enclosed format from their Chartered Accountants (CA) to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.

4.7. PAs that are not able to comply with the net-worth requirement within the stipulated time frame (as given at clauses 4.1 & 4.2) shall wind-up payment aggregation business. The banks maintaining nodal / escrow accounts of such entities shall monitor and report compliance in this regard.

5. Governance

5.1. PAs shall be professionally managed. The promoters of the entity shall satisfy the fit and proper criteria prescribed by RBI. The directors of the applicant entity shall submit a declaration in the enclosed format. RBI shall also check ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned.

5.2. Any takeover or acquisition of control or change in management of a non-bank PA shall be communicated by way of a letter to the Chief General Manager, Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes.

5.3. Agreements between PAs, merchants, acquiring banks, and all other stake holders shall clearly delineate the roles and responsibilities of the involved parties in sorting / handling complaints, refund / failed transactions, return policy, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanism, reconciliation, etc.

5.4. PAs shall disclose comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on the website and / or their mobile application.

5.5. PAs shall have a Board approved policy for disposal of complaints / dispute resolution mechanism / time-lines for processing refunds, etc., in such a manner that the RBI instructions on Turn Around Time (TAT) for resolution of failed transactions issued vide DPSS.CO.PD No.629/02.01.014/2019-20 dated September 20, 2019 are adequately taken care of. Any future instructions in this regard shall also be adhered to by PAs.

5.6. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. PAs shall prominently display details of the nodal officer on their website.

6. Safeguards against Money Laundering (KYC / AML / CFT) Provisions

6.1. The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Regulation, RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all entities.

6.2. Provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, shall also be applicable.

7. Merchant On-boarding

7.1. PAs shall have a Board approved policy for merchant on-boarding.

7.2. PAs shall undertake background and antecedent check of the merchants, to ensure that such merchants do not have any malafide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. The merchant’s website shall clearly indicate the terms and conditions of the service and time-line for processing returns and refunds.

7.3. PAs shall be responsible to check Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded.

7.4. Merchant site shall not save customer card and such related data. A security audit of the merchant may be carried out to check compliance, as and when required.

7.5. Agreement with merchant shall have provision for security / privacy of customer data. PAs agreement with merchants shall include compliance to PA-DSS and incident reporting obligations. The PAs shall obtain periodic security assessment reports either based on the risk assessment (large or small merchants) and / or at the time of renewal of contracts.

8. Settlement and Escrow Account Management

8.1. Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank. For the purpose of maintenance of the escrow account, the operations of PAs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSSA (as amended in 2015).

8.2. Escrow account balance shall be maintained with only one scheduled commercial bank at any point of time. In case there is a need to shift the escrow account from one bank to another, the same shall be effected in a time-bound manner without impacting the payment cycle to the merchants under advise to RBI.

8.3. Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on Tp+0 / Tp+1 basis. The same rules shall apply to the non-bank entities where wallets are used as a payment instrument.

8.4. Final settlement with the merchant by the PA shall be effected as under:

8.4.1. Where PA is responsible for delivery of goods / services the payment to the merchant shall be not later than on Ts + 1 basis.

8.4.2. Where merchant is responsible for delivery, the payment to the merchant shall be not later than on Td + 1 basis.

8.4.3. Where the agreement with the merchant provides for keeping the amount by the PA till expiry of refund period, the payment to the merchant shall be not later than on Tr + 1 basis.

8.5. Credits towards reversed transactions (where funds are received by PA) and refund transactions shall be routed back through the escrow account unless as per contract the refund is directly managed by the merchant and the customer has been made aware of the same.

8.6. At the end of the day, the amount in escrow account shall not be less than the amount already collected from customer as per ‘Tp’ or the amount due to the merchant.

8.7. PAs shall be permitted to pre-fund the escrow account with own / merchant’s funds. However, in the latter scenario, merchant’s beneficial interest shall be created on the pre-funded portion.

8.8. The escrow account shall not be operated for ‘Cash-on-Delivery’ transactions.

8.9. Permitted credits / debits to the escrow account shall be as set out below:

8.9.1.1. Credits

a) Payment from various customers towards purchase of goods / services.

b) Pre-funding by merchants / PAs.

c) Transfer representing refunds for failed / disputed / returned / cancelled transactions.

d) Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

8.9.1.2. Debits

a) Payment to various merchants / service providers.

b) Payment to any other account on specific directions from the merchant.

c) Transfer representing refunds for failed / disputed transactions.

d) Payment of commission to the intermediaries. This amount shall be at pre-determined rates / frequency.

e) Payment of amount received under promotional activities, incentives, cash-backs, etc.

8.10. For banks the outstanding balance in the escrow account shall be part of the ‘net demand and time liabilities’ (NDTL) for the purpose of maintenance of reserve requirements. This position shall be computed on the basis of the balances appearing in the books of the bank as on the date of reporting.

8.11. The entity and the escrow account banker shall be responsible for compliance with RBI instructions issued from time to time. The decision of RBI in this regard shall be final and binding.

8.12. Settlement of funds with merchants shall not be co-mingled with other business, if any, handled by the PA.

8.13. A certificate signed by the auditor(s), shall be submitted by the authorised entities to the respective Regional Office of DPSS, RBI, where the registered office of the PA is situated, certifying that the entity has been maintaining balance in the escrow account in compliance with these instructions, as per the periodicity prescribed in Annex 3.

8.14. PAs shall submit the list of merchants acquired by them to the bank where they are maintaining the escrow account and update the same from time to time. The bank shall ensure that payments are made only to eligible merchants / purposes. There shall be an exclusive clause in the agreement signed between the PA and the bank maintaining escrow account towards usage of balance in escrow account only for the purposes mentioned above.

8.15. No interest shall be payable by the bank on balances maintained in the escrow account, except when the PA enters into an agreement with the bank maintaining the escrow account, to transfer "core portion" of the amount, in the escrow account, to a separate account on which interest is payable, subject to the following:

8.15.1. The bank shall satisfy itself that the amount deposited represents the "core portion" after due verification of necessary documents.

8.15.2. The amount shall be linked to the escrow account, i.e. the amounts held in the interest-bearing account shall be available to the bank, to meet payment requirements of the entity, in case of any shortfall in the escrow account.

8.15.3. This facility shall be permissible to entities who have been in business for 26 fortnights and whose accounts have been duly audited for the full accounting year. For this purpose, the period of 26 fortnights shall be calculated from the actual business operation in the account.

8.15.4. No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits.

8.15.5. Core portion as calculated below shall remain linked to the escrow account. The escrow account balance and core portion maintained shall be clearly disclosed in the auditors’ certificates submitted to RBI on quarterly and annual basis.

Note: For the purpose of this regulation, "Core Portion" shall be computed as under:

Step 1: Compute lowest daily outstanding balance (LB) in the escrow account on a fortnightly (FN) basis, for 26 fortnights from the preceding month.

Step 2: Calculate the average of the lowest fortnightly outstanding balances [(LB1 of FN1+ LB2 of FN2+ ........+ LB26 of FN26) divided by26].

Step 3: The average balance so computed represents the "Core Portion" eligible to earn interest.

9. Customer Grievance Redressal and Dispute Management Framework

9.1. PAs shall put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including designating a nodal officer to handle the customer complaints / grievances and the escalation matrix. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible.

9.2. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. Details of the nodal officer for customer grievance shall be prominently displayed on their website.

9.3. PAs shall have a dispute resolution mechanism binding on all the participants which shall contain transaction life cycle, detailed explanation of types of disputes, process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc.

10. Security, Fraud Prevention and Risk Management Framework

10.1. A strong risk management system is necessary to meet the challenges of fraud and ensure customer protection. PAs shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.

10.2. PAs shall put in place Board approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. Baseline technology-related recommendations for adoption by the PAs are provided in Annex 2. The PGs may also adopt them as best practices.

10.3. PAs shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. The same shall be reported immediately to the DPSS, RBI, Central Office, Mumbai. They shall also be reported to CERT-In (Indian Computer Emergency Response Team) as per the details notified by CERT-In.

10.4. PAs shall not store the customer card credentials within their database or the server accessed by the merchant. They shall comply with data storage requirements as applicable to Payment System Operators (PSOs).

10.5. PAs shall submit the System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.

11. Reports

11.1. The reports to be submitted by authorised PAs are listed in Annex 3.

12. General Instructions

12.1. PAs shall ensure that the extant instructions with regard to Merchant Discount Rate (MDR) are followed. Information on other charges such as convenience fee, handling fee, etc., if any, being levied shall also be displayed upfront by the PA.

12.2. PAs shall not place limits on transaction amount for a particular payment mode. The responsibility therefor shall lie with the issuing bank / entity; for instance, the card issuing bank shall be responsible for placing amount limits on cards issued by it based on the customer’s credit worthiness, spending nature, profile, etc.

12.3. PAs shall not give an option for ATM PIN as a factor of authentication for card-not-present transactions.

12.4. All refunds shall be made to the original method of payment unless specifically agreed by the customer to credit to an alternate mode.


Annex 2

Baseline Technology-related Recommendations

Indicative baseline technology-related recommendations for adoption by the PAs (mandatory) and PGs (recommended) are:

1. Security-related Recommendations

The requirements for the entities in respect of IT systems and security are presented below:

1.1. Information Security Governance: The entities at a minimum shall carry out comprehensive security risk assessment of their people, IT, business process environment, etc., to identify risk exposures with remedial measures and residual risks. These can be an internal security audit or an annual security audit by an independent security auditor or a CERT-In empanelled auditor. Reports on risk assessment, security compliance posture, security audit reports and security incidents shall be presented to the Board.

1.2. Data Security Standards: Data security standards and best practices like PCI-DSS, PA-DSS, latest encryption standards, transport channel security, etc., shall be implemented.

1.3. Security Incident Reporting: The entities shall report security incidents / card holder data breaches to RBI within the stipulated timeframe to RBI. Monthly cyber security incident reports with root cause analysis and preventive actions undertaken shall be submitted to RBI.

1.4. Merchant Onboarding: The entities shall undertake comprehensive security assessment during merchant onboarding process to ensure these minimal baseline security controls are adhered to by the merchants.

1.5. Cyber Security Audit and Reports: The entities shall carry out and submit to the IT Committee quarterly internal and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports; PCI-DSS including Attestation of Compliance (AOC) and Report of Compliance (ROC) compliance report with observations noted if any including corrective / preventive actions planned with action closure date; inventory of applications which store or process or transmit customer sensitive data; PA-DSS compliance status of payment applications which stores or processes card holder data.

1.6. Information Security: Board approved information security policy shall be reviewed atleast annually. The policy shall consider aspects like: alignment with business objectives; the objectives, scope, ownership and responsibility for the policy; information security organisational structure; information security roles and responsibilities; maintenance of asset inventory and registers; data classification; authorisation; exceptions; knowledge and skill sets required; periodic training and continuous professional education; compliance review and penal measures for non-compliance of policies.

1.7. IT Governance: An IT policy shall be framed for regular management of IT functions and ensure that detailed documentation in terms of procedures and guidelines exists and are implemented. The strategic plan and policy shall be reviewed annually. The Board level IT Governance framework shall have-

1.7.1. Involvement of Board: The major role of the Board / Top Management shall involve approving information security policies, establishing necessary organisational processes / functions for information security and providing necessary resources.

1.7.2. IT Steering Committee: An IT Steering Committee shall be created with representations from various business functions as appropriate. The Committee shall assist the Executive Management in implementation of the IT strategy approved by the Board. It shall have well defined objectives and actions.

1.7.3. Enterprise Information Model: The entities shall establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with board approved IT strategy. The model shall facilitate optimal creation, use and sharing of information by a business, in a way that it maintains integrity, and is flexible, functional, timely, secure and resilient to failure.

1.7.4. Cyber Crisis Management Plan: The entities shall prepare a comprehensive Cyber Crisis Management Plan approved by the IT strategic committee and shall include components such as Detection, Containment, Response and Recovery.

1.8. Enterprise Data Dictionary: The entities shall maintain an “enterprise data dictionary” incorporating the organisation’s data syntax rules. This shall enable sharing of data across applications and systems, promote a common understanding of data across IT and business users and prevent creation of incompatible data elements.

1.9. Risk Assessment: The risk assessment shall, for each asset within its scope, identify the threat / vulnerability combinations and likelihood of impact on confidentiality, availability or integrity of that asset – from a business, compliance and / or contractual perspective.

1.10. Access to Application: There shall be documented standards / procedures for administering an application system, which are approved by the application owner and kept up-to-date. Access to the application shall be based on the principle of least privilege and “need to know” commensurate with the job responsibilities.

1.11. Competency of Staff: Requirements for trained resources with requisite skill sets for the IT function need to be understood and assessed appropriately with a periodic assessment of the training requirements for human resources.

1.12. Vendor Risk Management: The Service Level Agreements (SLAs) for technology support, including BCP-DR and data management shall categorically include clauses permitting regulatory access to these set-ups.

1.13. Maturity and Roadmap: The entities shall consider assessing their IT maturity level, based on well-known international standards, design an action plan and implement the plan to reach the target maturity level.

1.14. Cryptographic Requirement: The entities shall select encryption algorithms which are well established international standards and which have been subjected to rigorous scrutiny by an international community of cryptographers or approved by authoritative professional bodies, reputable security vendors or government agencies.

1.15. Forensic Readiness: All security events from the entities infrastructure including but not limited to application, servers, middleware, endpoint, network, authentication events, database, web services, cryptographic events and log files shall be collected, investigated and analysed for proactive identification of security alerts.

1.16. Data Sovereignty: The entities shall take preventive measures to ensure storing data in infrastructure that do not belong to external jurisdictions. Appropriate controls shall be considered to prevent unauthorised access to the data.

1.17. Data Security in Outsourcing: There shall be an outsourcing agreement providing ‘right to audit’ clause to enable the entities / their appointed agencies and regulators to conduct security audits. Alternatively, third parties shall submit annual independent security audit reports to the entities.

1.18. Payment Application Security: Payment applications shall be developed as per PA-DSS guidelines and complied with as required. The entities shall review PCI-DSS compliance status as part of merchant onboarding process.

2. Other Recommendations

2.1 The customer card credentials shall not be stored within the database or the server accessed by the merchant.

2.2 Option for ATM PIN as a factor of authentication for card not present transactions shall not be given.

2.3 Instructions on storage of payment system data, as applicable to PSOs, shall apply.

2.4 All refunds shall be made to original method of payment unless specifically agreed by the customer to credit an alternate mode.


Annex 3

Reports to be submitted by Authorised Payment Aggregators

Annual

1. Net-worth Certificate - Audited Annual report with CA certificate on Net-worth – by September 30th (Annex 3.1).

2. IS Audit Report and Cyber Security Audit Report with observations noted, if any, including corrective / preventive action planned with closure date – Externally Audited – by May 31st. The scope of audit shall encompass all relevant areas of information system processes and applications.

Quarterly

1. Auditors’ Certificate on Maintenance of Balance in Escrow Account – by 15th of the month following the quarter end. (Annex 3.2).

2. Bankers’ Certificate on Escrow Account Debits and Credits – Internally Audited – by 15th of the month following the quarter end.

Monthly

1. Statistics of Transactions Handled – by 7th of next month (Annex 3.3).

Non-periodic

1. Declaration and Undertaking by the Director - Changes in Board of Directors – as and when happens (Annex 3.4).

2. Report from Banks in Compliance with para 3.6 of Annex 1 – One time report to be sent by April 15th, 2021.

3. Cyber Security Incident Reports – with root cause analysis and preventive action undertaken – by 7th of next month of incidence mont