A. BACKGROUND
On March 17, 2020, the Reserve Bank of India (‘RBI’) issued the Guidelines on Regulation of Payment Gateways and Payment Aggregators (‘Guidelines’), effective from April 1, 2020, prescribing regulation of ‘payment aggregators’ under the Payments and Settlement Systems Act, 2007 (‘PSSA’), pursuant to its discussion paper of September 17, 2019. Currently, intermediaries such as payment gateways (‘PGs’) and payment aggregators (‘PAs’) do not require RBI registration, and only the banks are regulated while opening / operating accounts for such intermediaries under the RBI’s payment intermediaries circular of November 24, 2009 (‘Intermediaries Circular’). This client alert summarizes the Guidelines and their implications for PGs and PAs.
B. HIGHLIGHTS
1. Definitions:
(a) PAs are defined as: (i) entities which facilitate e-commerce sites / merchants to accept various payment instruments from end-customers for completion of their payment obligations without the merchants requiring separate payment integration systems of their own; and (ii) entities which facilitate connection between merchants / acquirers and in the process they receive payments from customers, pool and transfer them to merchants.
(b) PGs are entities which provide technology infrastructure to route and facilitate processing of online payment transactions without actually handling funds.
2. Applicability: PAs are required to mandatorily adhere to the Guidelines. PGs may adhere to baseline technology related recommendations. Further, the domestic leg of import / export related payments facilitated by PAs will also be covered under the Guidelines.
3. RBI Registration:
(a) Registration: PAs will require RBI registration as an ‘authorized payment system’ under the PSSA by June 30, 2021.
(b) Local Presence: PAs seeking authorization require an Indian company to undertake operations – no local presence was prescribed under the Intermediaries Circular.
(c) E-commerce businesses: PA services provided by e-commerce marketplaces cannot continue beyond June 30, 2021 and they are required to segregate the marketplace activities from PA activities before obtaining RBI authorization – i.e. demarcation of e-commerce activities from financial services / payment activities.
(d) No RBI registration for PGs: PGs do not require RBI registration, though banks need to comply with RBI’s existing Outsourcing Guidelines for tie-up with the PGs.
4. Minimum Capitalization: Existing PAs require minimum net-worth of INR 150 million (approx. USD 2 million) by March 31, 2021 and INR 250 million (approx. USD 3.5 million) by March 31, 2023, on an on-going basis. New PAs require minimum net-worth of INR 250 million at the time of application.
5. Governance:
(a) PAs should be professionally managed, and their promoters / directors need to fulfil RBI’s ‘fit and proper’ criteria – however, no specific ‘fit and proper’ criteria have been prescribed for PAs.
(b) PAs require board approved merchant and privacy policies, customer grievance / disposal of complaints / dispute resolution mechanism, processing refunds policy and a nodal officer. Prior approval from the RBI for change in control or management will be required.
6. Anti-Money Laundering Compliance: PAs shall be considered as ‘Regulated Entities’ for the purposes of complying with Anti-Money Laundering / Know Your Customer norms under the (Indian) Prevention of Money Laundering Act, 2002 and the RBI KYC Master Directions, 2016.
7. Additional Merchant Related Obligations: PAs need to undertake merchant background checks. Additional merchant related obligations have been prescribed as well.
8. Settlement / Escrow Account: PAs require an escrow account with only one scheduled commercial bank for amounts collected (‘Escrow Account’), with only prescribed debits / credits allowed to / from such account. As opposed to the Intermediaries Circular, the Guidelines prescribe different settlement timelines based on responsibility for delivery of goods and services, and PAs can pre-fund the Escrow Account with their own or merchant’s funds.
9. Security, Fraud Prevention and Risk Management: PAs require adequate information and data security infrastructure for fraud prevention and detection, a board approved information security policy and a mechanism for cyber security incidents / breaches. They are also required to report to the RBI and CERT-In, comply with data storage requirements, submit a ‘System Audit Report’ to the RBI within 2 months after the financial year ends and make other prescribed periodic filings.
C. INDUSTRY TAKEAWAYS
1. The Guidelines would result in all payment intermediaries with existing nodal accounts / escrows with banks (opened under the Intermediaries Circular) triggering the RBI’s PA registration, with a requirement on banks maintaining nodal / escrow accounts to monitor and report compliance.
2. Unlike the position taken in the earlier discussion paper, entities which do not handle / touch funds are excluded from the RBI registration requirement (as PAs). The regulatory intention is to exclude pure tech-apps like third-party P2P unified payment interface (UPI) Apps, digital lenders (without “touching” funds) and IT / ITES service providers from the ambit of the Guidelines, albeit prescribing technology recommendations which may be adopted by such entities as a measure of good practice.
3. The net worth and ‘fit and proper’ requirement may be difficult for upcoming payment players, requiring existing business models (especially with existing foreign investment) to be revisited. Local presence requirement is in line with the increasing regulatory trend for a local applicant (i.e. subsidiary) to be the regulated entity. As the Guidelines do not repeal/ override the Intermediaries Circular, this might result in dual-regulation i.e. both PAs and banks being regulated for the same underlying activity. Further, for cross-border online transactions, there may be regulatory overlap going forward, with the ‘Online Payment Gateway Service Providers’ and PAs being regulated separately for the same activity.
4. It will be interesting to see how the regulator views discretionary compliance with its non-binding baseline technology recommendations (by PGs) and KYC / AML obligations on non-account based B2B intermediaries (by PAs).