DE-CRYPTING RBI GUIDELINES TO REGULATE PAYMENT AGGREGATORS
This post has been authored by Ayush Mehta, a B.A. LL.B (Hons.) candidate at the National Law University, Jodhpur.
The Reserve Bank of India [“RBI”] issued guidelines to regulate Payment Aggregators and Payment Gateways, which came into effect from April 1, 2020.[i] Payment aggregators and gateways are intermediaries between merchants and customers. The Circular aims to regulate the activities of these intermediaries and to provide baseline technology recommendations to payment gateways. Prior to the notification, intermediaries were not required to obtain registration from the RBI. In pursuance of the power vested under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 [“The Act”], the RBI issued directives and guidelines regulating such entities in order to safeguard the interests of consumers and to ensure that intermediaries receiving these payments duly remit them to the accounts of merchants.[ii]
This article seeks to examine the issued guidelines and assess the regulatory framework present in India.
Understanding the Context
The Act was promulgated at a time when the use of electronic payments was not the norm, and hence had some gaps. In this regard, the RBI addressed these gaps through its notification in 2009.[iii] In 2019, the RBI released a discussion paper in light of the current cashless revolution and the growing relevance of such intermediaries.[iv] The paper highlighted some concerns which the RBI sought to address in the present notification, such as:
(a) Payment aggregators and gateways are a part of the payment process and, if not properly regulated, they may be susceptible to risks which may impact consumer interests.
(b) Further, these entities handle sensitive data relating to customer information, which makes customer data privacy a concern.
(c) There is a lack of clear demarcation of roles between the customers and the intermediaries. The customers have limited access to the intermediaries and have to depend on merchants and banks.
In pursuance of the discussion paper, the present notification was issued to enforce a direct form of regulation on the intermediaries.
What are Payment Aggregators and Gateways?
The guidelines define payment aggregators as “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own.”
Payment gateways can be defined as “entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.”
The present guidelines demarcate the difference between the two, which relates primarily to involvement in the handling of customers’ funds. Payment gateways are providers of the technological infrastructure used, while payment aggregators are the specific entities which facilitate the payment.
The implementation of these guidelines would essentially mean that payment gateways such as Paytm, Google Pay, PhonePe, etc. and payment aggregators like BillDesk, PayU India and Razorpay will now be directly regulated by the RBI. This move would ensure more transparency and accountability on the part of the entities in order to provide more security to consumers.
Applicability of the Guidelines
The guidelines are issued to regulate payment aggregators, which are mandated by the RBI to adopt the technology-based recommendations provided in Annexure 2 of the guidelines.[v] Further, the RBI clarified that the domestic leg of import and export related payments shall also be governed by the guidelines, but that the guidelines will not regulate physical payments such as Cash on Delivery payments.
With regard to payment gateways, the RBI stated that these entities may adhere to the baseline technology-related recommendations in the guidelines.
Decoding the 2020 Guidelines
Authorisation and Governance of Entities
Earlier, intermediaries were not required to get authorisation from the RBI; however, the present guidelines have made authorisation from the RBI a mandatory requirement for payment aggregation services. The existing entities are required to fulfil the requisite criteria latest by 30 June 2020. E-commerce marketplaces which provide aggregation services are now mandated to discontinue them. In case they seek to continue the service, they can apply for authorisation from the RBI through a separate business, on or before June 30, 2010.
The authorisation of the entities will ensure that the RBI has direct supervision of the entities and that the aggregators comply with the prescribed guidelines. Regulation through transparent governance will ensure the safeguarding of the public.
Settlement and Escrow Account Management
The guidelines mandate aggregators to ensure pooling of funds collected from the customers in an escrow account, wherein the transaction will be completed by two or more parties. Operations of the aggregators shall be deemed to be “designated payment system” under Section 23A of the Act. An important requirement is that the escrow account shall be maintained in one single bank, which may have an effect on the operation of the aggregators in case of a moratorium on the functioning of the bank. The escrow mechanism would ensure better protection of the customer funds as it would insulate the merchants against the risks of insolvency or liquidation.[vi]
Payment aggregators are required to comply with a handful of requirements enumerated as follows:
(a) Aggregators shall periodically disclose annual certifications on net worth, monthly reporting of transactions and details with respect to escrow account.
(b) Aggregators are required to comply with the Prevention of Money Laundering Act, 2002 and the KYC norms issued by the RBI in order to prevent illicit activities such as money laundering and fraud.
(c) Aggregators are mandated to ensure adherence to the guidelines, putting in place a formal and publicly disclosed customer grievance redressal framework and further appointing a nodal officer to handle customer complaints. The details of the officer shall be publicly disclosed on the website or application of the aggregator.
(d) Aggregators are required to have a policy for merchant onboarding and conduct essential background checks on contracting merchants in order to prevent counterfeiting and fraud.
(e) Aggregators are required to comply with the data storage requirements applicable to payment system operators under the Act. These include requirements to localise payment data on Indian servers, complying with the conditions mandated in the RBI notification on Storage of Payment System Data.[vii]
We are living in the era of digitalisation and in an age where online transactions have become the norm. Thus, the role of the intermediaries which connect merchants and customers becomes pivotal. The guidelines issued by the RBI are in consonance with the Prime Minister’s vision of Digital India, as they promote technological advancement while at the same time making efforts to safeguard the public interest.
The guidelines provide for an authorisation mechanism for the intermediaries, who were previously subject to operational compliances only. Through the notification, the RBI has adequately dealt with the issue of direct regulation of the intermediaries. The guidelines provide for accountability and transparency on the part of the intermediaries, for the benefit of customers. Moreover, the reduction in the minimum net-worth requirement to 15 crores at the time of authorisation is a noteworthy step, as it would ease the financial burden on smaller players in the market whilst encouraging entry into the field.
However, there are still some concerns about the clarity of the guidelines. The aggregators are required to meet several compliance requirements without adequate guidance. Aggregators are required to ensure that merchants do not engage in selling counterfeit products; however, it is unclear whether the aggregators have to monitor merchant activity or contractually require merchants to fulfil the obligation.
The fate of the intermediaries which do not come under the purview of payment aggregators still remains uncertain. There is uncertainty regarding the implementation of the guidelines in light of the extant intermediary directions, which the guidelines failed to repeal or amend.
While the guidelines are welcome, more clarifications are required in order to implement them. The RBI can set up FAQs which may clear some of the uncertainty regarding the guidelines and explain how the RBI envisions the aggregation space going forward. In toto, the guidelines are a positive step aimed at leading India towards a transparent and accountable payment structure.
[i] Reserve Bank of India, Guidelines on Regulation of Payment Aggregators and Payment Gateways, Circular RBI/DPSS/2019-20/174, Mar. 17, 2020, available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0.
[ii] Reserve Bank of India, Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, Circular RBI/2009-10/231, Nov. 24, 2020, available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=5379&Mode=0.
[iii] Id.
[iv] Reserve Bank of India, Discussion paper on Guidelines for Payment Gateways and Payment Aggregators, Sept. 17, 2019, available at https://m.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=943.
[v] Reserve Bank of India, Guidelines on Regulation of Payment Aggregators and Payment Gateways, Circular RBI/DPSS/2019-20/174, Mar. 17, 2020, available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0.
[vi] Sanjay Khan Nagra, Prashanth Ramdas, and Neil Deshpande, RBI issues guidelines to regulate payment aggregators, Mar. 23, 2020, available at https://www.khaitanco.com/thought-leaderships/RBI-issues-guidelines-to-regulate-payment-aggregators.
[vii] Reserve Bank of India, Storage of Payment System Data, RBI/2017-18/153, Apr. 6, 2018, available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244.