I. Introduction

Consumers in their daily lives interact with payment intermediaries (“Intermediaries”) such as Citrus Pay, Billdesk, CCAvenue, and PayUMoney, which have become a major part of their daily transactions. In the recent past, the number of electronic/online payments has increased exponentially, implying that the participation of Intermediaries in the payment cycle is not just important, but also inevitable. The Intermediaries in payments and settlements systems are principally of two kinds: Payment Gateways (“PG”) which are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds; and Payment Aggregators (“PA”) which are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations to such merchants, without the need for merchants to create a separate payment integration system of their own. While until recently such Intermediaries were scarcely regulated under the Directions (as defined below), the Reserve Bank of India (“RBI”), on March 17, 2020 published guidelines for the further regulation of such Intermediaries, as discussed in detail in section V. This article aims to provide an overview of the Directions and the Guidelines (as defined below) from a bird’s eye perspective.

II. Evolution of Regulation

The RBI (which is the regulating body of these Intermediaries),[1] had published directions in 2009 to regulate Intermediaries (“Directions”)[2], which were directed to banks, payment system providers, and system participants, in order to safeguard the interests of customers and to ensure that the payments made by them using electronic/online payment modes are duly accounted for by the Intermediaries receiving and remitting such payments. As such, the operations of PAs and PGs were indirectly regulated by the RBI under the Directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries. The earlier position of PGs/PAs was that they would fall under the definition of “intermediaries” as provided in the Directions. Intermediaries, under the Directions, would include all entities that collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers.

In September 2019, RBI released a discussion paper on these Guidelines for Payment Gateways and Payment Aggregators[3] disclosing its intention to impose further regulations on PAs/PGs. This paper offered three approaches for the improvement of the regulatory framework, which varied on the degree of control (see section IV).

In furtherance of the same, the RBI has now issued ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ on March 17, 2020 (“Guidelines”) to provide for the regulation of the activities of PAs and PGs, and to provide baseline technology-related recommendations to PGs, discussed extensively, below. These guidelines are specifically applicable to PAs and PGs, and would be effective from April 01, 2020.

III. Directions

The Directions define Intermediaries as entities which collect the monies received from the customers through electronic/online payments for the goods or services delivered by the merchants and subsequently transfer the monies to the merchant as a final settlement for the obligation of the customers. The Directions carve out an exception for those Intermediaries which provide services specifically concerning online payments for delivery of goods or services, the delivery of which is to be rendered to the customer immediately or simultaneously (Delivery versus Payment or DvP).

1. Maintenance of nodal accounts

For Intermediaries governed by the Directions, it is mandatory for a separate account to be opened with banks for the collection of payments by Intermediaries, and such accounts are maintained by the banks themselves as internal accounts.

2. Permissible Transactions

Along with restrictions on the maintenance of accounts, the Intermediaries have a limitation on the type of debit/credit transactions which they are permitted to execute through nodal accounts. RBI has placed the said restriction by providing an exhaustive list of the permissible transactions in the Directions, as follows:

Credits:

  1. Payments from various persons towards purchase of goods/services;
  2. Transfers from other banks as per pre-determined agreement into the account, if this account is the nodal bank account for the intermediary; and
  3. Transfers representing refunds for failed/disputed transactions.

Debits:

  1. Payments to various merchants/service providers;
  2. Transfers to other banks as per pre-determined agreement into the account, if that account is the nodal bank account for the intermediary;
  3. Transfers representing refunds for failed/disputed transactions; and
  4. Commissions to the intermediaries. These amounts shall be at pre-determined rates/frequency.

3.  Mode of settlement

The Intermediaries are required to make the settlements on T+2 basis for payment to the merchant, if not through nodal banks, and T+3 basis for payment to the merchant, if through nodal banks, where ‘T’ is the day of intimation regarding the completion of transaction.

4. Scope for improvement

Since 2009, Intermediaries have evolved in terms of methods of processing payments, which now are increasingly intricate and complicated. It is important to highlight that the Directions neither provide for the protection of the confidential information of the customers and merchants such as the bank account details, card information, etc. which may be collected by such Intermediaries for the facilitation of payments, nor for any redressal mechanism for any default in processing the payments. The RBI recognised these lapses in a discussion paper, which proposed different approaches and further regulations to address these concerns as mentioned in detail in the next section.

IV.   Discussion Paper of 2019: A proposal for change in regulation

The discussion paper on guidelines for payment gateways and payment aggregators (“Discussion Paper”)[4] attempted to engage with the possible changes to improve the regulatory framework for Intermediaries.

The Discussion Paper recognised the scope for further improvements in the current framework of Intermediaries as mentioned above, and proposed three options/approaches to incorporate the same:

  1. Under the first option, the Discussion Paper proposed to continue with the existing directives with minor changes in the definition of ‘T’[5] and clarifications on applicability of the Directions.
  2. Through the second option, the Discussion Paper proposed limited regulation and off-site monitoring of the PAs/PGs.
  3. Lastly, under the third option, the Discussion Paper contemplated full and direct regulations, which include both on-site and off-site monitoring of the PAs/PGs.

For a sector which is largely unregulated and hinges significantly on a single, limited direction (i.e. the Directions), the full and direct regulations proposed under the Discussion Paper contemplated secure payments for the customers and merchants, amongst other provisions.

The major takeaways from the third approach proposed under the Discussion Paper were as follows:

  1. Authorisation and Licensing: To function as an Intermediary, the entities would be required to obtain an authorisation from the RBI. An additional requirement was that the Intermediary should be incorporated as a company.
  2. Minimum Capital Requirements: The net worth requirement for these Intermediaries would be the same as Bharat Bill Payment Operating Unit (BBPOUs), which is currently INR 100 crores (minimum) and hence the net worth would always have to be maintained at INR 100 crores or above. In cases where the Intermediary is unable to maintain the net worth, it would be directed to wind up its business.
  3. Governance: The Intermediaries would be directed to appoint Nodal Officer(s) for the proper handling of consumer grievances. The Intermediary would additionally have to maintain an appropriate mechanism in place, complying with the requirements of Board[6], for disposal of the consumer complaints and dispute resolution.
  4. Security, Fraud Prevention and Risk Management Framework: Given the possibility of data and financial fraud, RBI would be directing the Intermediaries to place a framework to safeguard the transactions from the said fraud, making recommendations on the framing and maintenance of these frameworks.
  5. Safeguards against Money Laundering (KYC/AML/CFT) Provisions: For the protection of the merchants, the Intermediaries would be directed to comply with the relevant guidelines, as and when notified by RBI and to ensure protection against any form of money laundering.
  6. Customer Grievance Redressal and Dispute Management Framework: For the protection of the customers, Intermediaries would be required to publicly disclose their policy on grievance redressal and dispute management, which they would have to frame as per the requirements of RBI.

V. Guidelines on Regulation of Payment Aggregators and Payment Gateways

The Guidelines are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (“PSSA”) and will come into effect from April 1, 2020, other than for activities for which specific timelines are provided therein.

The Guidelines provide for a distinction between PAs[7] and PGs[8], and specifically provide for regulations to oversee the operations of PAs, while providing for recommendations which may be implemented by PGs. As a clarification, the Guidelines state that the domestic leg of import and export related payments facilitated by PAs shall also be governed by the Guidelines. However, the Guidelines are not applicable to the cash on delivery (CoD) e-commerce models, similar to the exception carved out under the Directions, as proposed by the Discussion Paper.

Under the Guidelines, PAs are required to adhere to the following:

1.  Authorisation

Non-bank PAs are required to obtain authorisation from the RBI under the PSSA. Existing non-bank entities offering PA services need to apply for authorisation on or before June 30, 2021 and are allowed to continue their operations till they receive communication from the RBI regarding the fate of their application. Further, entities regulated by any of the financial sector regulators must further receive a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such a clearance.

2. Capital Requirements

Existing PAs are required to achieve a net-worth of INR 15 crore by March 31, 2021, and further, a net-worth of INR 25 crore by the end of third financial year, i.e., on or before March 31, 2023. New PAs must have a minimum net-worth of INR 15 crore at the time of application for authorisation and are required to attain a net-worth of INR 25 crore by the end of third financial year of grant of authorisation. This net-worth of INR 25 crore is required to be maintained at all times thereafter, for all PAs in accordance with their respective timelines.

PAs which are not able to comply with the net-worth requirement within the stipulated time frame are required to wind up their payment aggregation business. The responsibility of monitoring this compliance is given to the banks maintaining nodal/escrow accounts of such entities.

3.  Governance

To receive authorisation, the promoters are required to satisfy the ‘fit and proper’ criteria as required by the RBI. Similarly, all directors of such entities are required to submit a declaration and an undertaking in respect of the same. The entities, and their respective directors, will also be subject to such criteria in the event of any takeover or acquisition of control or change in management of a non-bank PA. The RBI will examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes. To this end, the Guidelines specify that the RBI may obtain inputs from “other regulators, government departments, etc” as the RBI may deem fit.

Further, agreements between PAs, merchants, acquiring banks, and all other stakeholders must clearly delineate the roles and responsibilities of the parties involved. Therefore, the RBI is clearly mandating regulation of the contracts between participants involved in the process of payment aggregation.

4.  Customer Grievance Redressal

For the protection of the customers, PAs are required to disclose comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on the website and/or their mobile application. Also, PAs are to introduce a Board approved policy for disposal of complaints/dispute resolution mechanism/timelines for processing refunds, etc., in compliance with the RBI notification on Turn Around Time (TAT) for resolution of failed transactions[9].

PAs must also put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including designating a nodal officer to handle the customer complaints/ grievances and the escalation matrix. The complaint facility, if made available on website/mobile, shall be clearly and easily accessible.

5.  Safeguards against Money Laundering (KYC/AML/CFT)

For the protection of the customers and merchants, the PAs are directed to comply with the Master Directions[10], along with the Provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder.

6. Security, Fraud Prevention and Risk Management Framework

PAs must put in place adequate information and data security infrastructure and systems for prevention and detection of frauds. PAs are required to adopt a Board approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. The Guidelines also provide for baseline technology recommendations which are mandatory to be adopted by PAs, and may be adopted by PGs.

The baseline recommendations are mainly in relation to security measures and, inter alia, include recommendations related to risk assessment in order to identify exposures and the remedial measures to handle them, information security governance, the implementation of data security standards, and the reporting of breaches and other security-related reports. They also provide for various policies to be implemented by the Intermediaries, such as IT and information security policies, in addition to the Intermediaries ensuring that such baseline measures are being implemented by merchants.

7. Merchant On-boarding

PAs are required to adopt a Board approved policy for merchant on-boarding. In addition to the same, PAs will have to ensure that they conduct background checks of the merchants which are onboarded by them and also check that such merchants have in place the required infrastructure to comply with the Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS). Further, the PAs must obtain periodic security assessment reports either based on risk assessment of the merchant and/or at the time of renewal of contracts.

8.  Settlement and Escrow Account Management

Non-bank PAs must maintain the amount collected by them in an escrow account with any scheduled commercial bank, for the purpose of which, the operations of PAs shall be deemed to be of a ‘designated payment systems’. Such PAs, including non-bank entities operating payment wallets, are required to maintain the following timelines:

  1. Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on Tp+0/Tp+1 basis.
  2. Where PA is responsible for delivery of goods/services, the payment to the merchant shall be not later than on Ts + 1 basis.
  3. Where merchant is responsible for delivery, the payment to the merchant shall be not later than on Td + 1 basis.
  4. Where the agreement with the merchant provides for keeping the amount by the PA till expiry of refund period, the payment to the merchant shall be not later than on Tr + 1 basis.

The terms used above have the following meanings:

  1. ‘Tp’ – date of charge/debit to the customer’s account against the purchase of goods/services.
  2. ‘Ts’ – date of intimation by the merchant to the intermediary about shipment of goods.
  3. ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer.
  4. ‘Tr’ – date of expiry of refund period as fixed by the merchant.

At the end of the day, the amount in escrow account should not be less than the amount already collected from the customer as per ‘Tp’ or the amount due to the merchant.

9.  Permissible Transactions

Along with the timelines as given above, the PAs are also bound by certain limitations on the type of debit/credit transactions which they are permitted to execute through their nodal/escrow accounts. An exhaustive list of the permissible transactions provided for by the Guidelines, is as follows:

Credits:

  1. Payment from various customers towards purchase of goods/services;
  2. Pre-funding by merchants/PAs;
  3. Transfer representing refunds for failed/disputed/returned/cancelled transactions; and
  4. Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

Debits:

  1. Payment to various merchants/service providers.
  2. Payment to any other account on specific directions from the merchant.
  3. Transfer representing refunds for failed/disputed transactions.
  4. Payment of commission to the intermediaries. This amount shall be at pre-determined rates/frequency.
  5. Payment of amount received under promotional activities, incentives, cash-backs, etc.

For the balances maintained in such accounts, the PAs under the extant Guidelines are allowed to transfer the “core portion” of the amount in the escrow account to a separate account on which interest is payable, pursuant to an agreement entered into with the bank maintaining the escrow account, subject to certain conditions as provided under the Guidelines.

10. Reports

The Guidelines require PAs to submit periodic reports to the RBI such as a net-worth certificate, an information system audit report and a cyber security audit report on an annual basis, an auditors’ certificate on maintenance of balance in escrow account quarterly and statistics of transactions handled on a monthly basis, to name a few. The Guidelines also mention other reports and undertakings required to be submitted; however, the same are incident-based and not necessarily periodical in nature.

VI. Conclusion

While the increasing penetration of technology in our daily transactions facilitates the speed and ease of transactions, the potential of fraud is also increasing with the advent of online systems. The Guidelines provide for an in-depth framework, which was much required in order to actively and successfully govern payment aggregators as they facilitate the increasing number of transactions between customers and merchants.

The Guidelines recognised the scope for improvement in regulations, particularly in the Directions, and now aim to provide the participants in a transaction a greater assurance on security as well as grievance redressal. We also witness notable changes in the timelines as well as in the permissible debit and credit transactions which may be undertaken by the Intermediaries. Previously, the credits and debits allowed from the nodal/escrow were much more limited. The permissible credits under the Directions did not allow for pre-funding by the merchants or the PAs, nor did they provide for payments in relation to promotional activities or other incentives. Similarly, the permissible debits under the Guidelines now allow for payments in relation to such promotional activities, and also allow for payments to any account as may be specified by the intermediary. Such provisions allow the PAs much more flexibility than before. In addition to the same, certain variations in the provisions from those discussed in the Discussion Paper, such as a considerable decrease in the minimum capital requirement, etc., should help ensure that the interests of all system participants such as the customers, merchants and especially the Intermediaries, are adequately addressed.

 

[1] RBI derives power to pass regulations, guidelines, directions and circulars from Section 10(2) read with Section 18 of the Payment and Settlements Systems Act, 2007.

[2] Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, 2009, available at: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/DOIPS241109.pdf.

[3] Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators, Reserve Bank of India, published on 17th September 2019, available at: https://rbidocs.rbi.org.in/rdocs//PublicationReport/Pdfs/DPSSDISCUSSIONPAPEREFCF5B7E17F9431185BD4FD

[4] Supra note 3.

[5] The Discussion Paper does not specify what would be the altered definition of ‘T’ in this approach.

[6] Board for (Regulation and Supervision of) Payment and Settlement Systems, which was established under Section 3 of the Payment and Settlement Systems Act, 2007.

[7] PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers and in the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

[8] PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

[9] DPSS.CO.PD No.629/02.01.014/2019-20- Notification on Harmonisation of Turn Around Time (TAT) and customer compensation for failed transactions using authorised Payment Systems dated September 20, 2019.

[10] RBI/DBR/2015-16/18- Master Direction – Know Your Customer (KYC) Direction, 2016 dated February 25, 2016.

This material and the information contained herein prepared by Algo Legal is intended to provide general information on a subject or subjects and is not an exhaustive treatment of such subject(s). Algo Legal is not, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision. Algo Legal shall not be responsible for any loss whatsoever sustained by any person who relies on this material.