The Reserve Bank of India (RBI) has recently issued two draft guidelines aimed at strengthening the regulation of offline Payment Aggregators (PAs). One paper focuses on the activities of offline PAs, while the other proposes measures to bolster safety by expanding KYC requirements, due diligence processes for onboarded merchants, and operations in Escrow accounts. These latest guidelines have left many fintech players grappling with compliance challenges. Previously, the RBI required non-bank online payment gateways to obtain a payment aggregator license for acquiring merchants and offering digital payment services. Now, these requirements extend to entities facilitating offline payments through point-of-sale (PoS) machines and QR codes. With many players operating in both online and offline realms, the new guidelines introduce additional compliance and due diligence obligations, raising concerns among fintech firms regarding increased operational costs and the potential impact on small merchants.
RBI's Emphasis on Compliance
The RBI highlighted the rapid growth of digital transactions and the pivotal role played by payment aggregators in this landscape as the driving force behind the proposed updates to the current regulations. In India's payments ecosystem, payment aggregators facilitate both online transactions and face-to-face/proximity payment activities. Addressing KYC and due diligence, the draft guidelines require payment aggregators to conduct comprehensive due diligence on merchants they onboard, in alignment with the Customer Due Diligence (CDD) norms specified in the Master Directions on Know Your Customer (MD-KYC), 2016. The draft also mandates that payment aggregators ensure marketplaces they onboard do not engage in collecting and settling funds for services that are not offered through their platform. The RBI has invited comments on these guidelines, with the deadline set for May 31, 2024.
Evolution of Payment Aggregators
Payment Aggregators are entities that serve as intermediaries between merchants and customers in the digital payment’s ecosystem. They consolidate various payment methods, such as credit cards, debit cards, digital wallets, and net banking, into a single platform, simplifying the payment process for both businesses and consumers. Payment Aggregators facilitate transactions by providing merchants with a unified interface to accept payments from multiple sources, thereby enhancing convenience and efficiency in the payment experience. They typically generate revenue through transaction fees or commissions charged to merchants for processing payments and may offer additional services such as analytics, fraud detection, and reconciliation tools to enhance the overall payment experience.
As per this draft, the definition of Payment Aggregators (PAs) has been modified to include both online and offline operations, emphasizing the aggregation of payments through a merchant's interface. Its redefined as “Entities which on-board merchants and facilitate aggregation of payments made by customers to such merchants, for purchase of goods and services, using one or more payment channels, in online or physical Point of Sale payment modes through a merchant’s interface (physical or virtual), and subsequently settle the collected funds to such merchants.”
1. Online Payment Aggregators (PA-O):
These aggregators facilitate online transactions between consumers and merchants and typically provide a platform or gateway for merchants to accept payments from customers through various online channels such as websites, mobile apps, or e-commerce platforms. PA-Os play a crucial role in securely processing online payments, managing transactions, and ensuring compliance with regulatory requirements.
2. Offline / Physical Point-of-Sale Payment Aggregators (PA-P):
These aggregators specialize in facilitating transactions conducted in physical retail environments, such as stores, restaurants, or other brick-and-mortar establishments. PA-Ps enable merchants to accept payments via traditional methods like credit/debit cards, mobile wallets, or other electronic payment methods at physical point-of-sale terminals. They help streamline payment processes, enhance customer convenience, and ensure seamless transactions in offline settings.
Regulatory Framework and Compliance Requirements
Authorization:
Akin to the requirement prescribed for PA-Os, the non-bank PA-Ps will need to obtain an authorization from the RBI to operate a payment system for their offline payment aggregation business by May 31, 2025. The non-bank PA-Os who have already received an authorization (or whose application is pending with the RBI) are also required to seek an approval from the RBI for their existing PA-P activity, if they propose to continue with the same.
Applicability of the PA Guidelines to PA-Ps:
The entities operating as PA-Ps are also mandated to comply with the conditions under the PA Guidelines in respect of governance, merchant on-boarding, customer grievance redressal and dispute management framework, baseline technology recommendations, security, fraud prevention and risk management framework, on an ongoing basis. Draft Directions clarify that the continued adherence with these conditionalities will be considered in the processing the application for authorization and approval by the concerned PA-P.
Net Worth Criteria
The draft guidelines introduce minimum net worth requirements for payment aggregators (PAs) facilitating face-to-face or proximity payment transactions. Entities offering such services must possess a minimum net worth of INR 15 crore (USD 1.7Mn) upon applying for RBI authorization, with a stipulation to increase it to INR 28 crore (USD 3.3Mn) by March 2028. New non-bank PA-Ps are mandated to uphold a minimum net worth of INR 15 crore (USD 1.7Mn) at the time of application, with an escalation to INR 25 crore (USD 2.9Mn) by the conclusion of the third financial year post-authorization.
Escrow Accounts Management
An escrow account is a financial arrangement where a third party, typically a bank or other trusted entity, holds funds on behalf of two parties involved in a transaction. These funds are usually held until specific conditions, outlined in a contract or agreement between the parties, are met. Once the conditions are fulfilled, the funds are released by the escrow agent to the designated recipient.
One key aspect of the draft guidelines is the establishment of a unified approach to managing escrow accounts, which will streamline collection and settlement processes for both PA-O and PA-P transactions. Previously, only PA-O activities were regulated, leaving offline merchants unregulated. With the proposed regulations, all settlements can now be conducted through a single escrow account, fostering uniformity and adherence to regulatory protocols. The Draft Directions require that the funds for delivery versus payment (DvP) transactions, i.e., transactions where payment for goods or services is to be made at the time of delivery, need to be routed through such escrow account.
Stricter KYC Guidelines
The draft guidelines offer detailed protocols for Know Your Customer (KYC) verification specifically designed for small and medium-sized merchants, raising concerns among MSMEs and solopreneurs. These rules mandate stringent verification procedures for merchants, including physical checks and document verifications. While the RBI aims to enhance the financial system's security and prevent fraud, industry experts fear increased costs and slower onboarding processes, especially for smaller PAs. This may prompt some PAs to avoid working with MSMEs, potentially pushing these businesses to seek direct payments instead. Industry bodies like the Payments Council of India (PCI) have voiced concerns about the cost-effectiveness of these guidelines and plan to provide feedback to the RBI. Fintech founders anticipate challenges in setting up online businesses and potential hurdles for virtual operations.
These guidelines are still in the draft stage, and the RBI is open to industry consultation until September 2025. However, some experts view these regulations as bureaucratic and question their effectiveness in fraud prevention. The RBI has set different due diligence requirements for merchants based on their turnover. This process ensures that transactions are in line with the merchants' business profiles and helps to mitigate risks within the market.
Small Merchants –
These have an annual turnover below INR 5 lakh (USD 0.005 Mn). If such merchants are not enrolled under the Goods and Services Tax (GST) system, Payment Aggregators (PAs) are mandated to perform Contact Point Verification (CPV) and authenticate bank account details where funds are settled.
Medium Merchants –
These have an annual turnover below INR 40 lakh (USD 0.04 Mn). If they are not registered under Goods and Services Tax (GST) system, Payment Aggregators (PAs) are required to conduct Contact Point Verification (CPV), procure, and validate Officially Valid Documents (OVDs) for both the proprietor and the business.
Marketplaces onboarded by PAs must refrain from collecting and settling funds for services not offered through their platform. PAs are required to ensure that the name of the merchant (both legal and brand name) and the PA itself are prominently displayed on web pages where various payment options are listed, as well as on the payment confirmation page or charge slip. PAs have to maintain complete and ongoing compliance with wire transfer guidelines as prescribed in the MD-KYC, subject to amendments. For the purposes of undertaking KYC of merchants through video-based customer identification process (commonly, V-CIP), PAs are permitted to take assistance of agents for assistance with the process at the merchant’s end. Additionally, the Draft Directions propose that PAs will need to comply with the wire transfer guidelines prescribed under MD-KYC.
Monitoring of Merchants
PAs need to monitor the transaction activities of all merchants on an ongoing basis, ensure that the merchants’ transactions are in line with the merchant’s business profile and migrate merchants to a high category of customer due diligence based on their transaction patterns.
Registration with FIU
All non-bank PAs must register themselves with the Financial Intelligence Unit-India (FIU-IND). Existing Pas must complete the due diligence process for all existing merchants by September 30, 2025.
Restrictions on Storage of Cards Data
The Draft Directions expressly extend the current restrictions on storage of cards data (in respect of online transactions) to offline transactions as well. Similar to the restriction for online transactions, besides the card issuers or card networks, no entity in the card transaction or payment chain can store card-on-file data for face-to-face and proximity payment transactions. Additionally, the requirement to purge and delete previously stored cards data is also applicable to such transactions. This conditionality is proposed to be effective from August 01, 2025.
Enhancing Compliance Through Advanced Transaction Monitoring
The draft guidelines indeed mark a significant step towards establishing a cohesive regulatory framework for merchant services, particularly in the context of Payment Aggregators (PAs). Emphasizing compliance underscores the importance of tailored approaches, recognizing the diverse operations within the PA sector. Mechanisms such as continuous transaction monitoring, risk-based payment limits, and early risk detection are pivotal components highlighted in these guidelines.
The Reserve Bank of India's (RBI) efforts to enhance Know Your Customer (KYC) and due diligence practices reflect a commitment to bringing clarity to regulations. This initiative not only strengthens the PA ecosystem but also promotes digital trust and ethical conduct. The guidelines for PA-PGs reaffirm the necessity for robust systems prioritizing compliance, demonstrating India's resolve in combating fraud and fostering digital trust.
In today's digital landscape, RegTech firms like ZIGRAM play a crucial role by leveraging advanced AI technologies to provide round-the-clock transaction monitoring, thereby fortifying the merchant onboarding process. By utilizing such services, PAs can fulfill compliance requirements while delivering an enhanced customer experience. It's essential for the industry to acknowledge that robust KYC practices not only improve convenience but also act as a significant deterrent against fraud.
- #Regulations
- #PaymentAggregators
- #RBI
- #Merchants
- #KYC
- #FIU
- #Compliance