RBI’s draft rules for payment aggregators
Will non-bank payment aggregators need separate authorisation from the RBI? What lessons did the RBI incorporate from the Paytm Payments Bank crisis? What will happen to non-banking entities currently engaged in point-of-sale activities if they fail to co
The story so far:
Following its announcement in June 2022 that it will seek better regulation of o ine payment aggregators (PAs) facilitating proximity or face-to-face transactions, the Reserve Bank of India (RBI) oated two consultation papers earlier this month. The rst deals with activities of o ine PAs, while the second proposes to strengthen the ecosystem’s safety by expanding instructions for Know Your Customer (KYC), due diligence of onboarded merchants and operations in Escrow accounts. The RBI has invited comments/feedback by May 31.
What exactly are the norms about?
Payment aggregators are entities that settle payments from customers to merchants — unburdening the latter from creating a payment integration system of their own. The existing guidelines cover their activities in e-commerce sites and other online avenues. The latest draft guidelines propose to extend these regulations to o ine spaces, entailing proximity or face-to-face transactions.
The RBI observed back in June 2022 that the nature of activities carried out by the PAs, both online and o ine, is similar. It aspires to bring in “synergy in regulation covering activities and operations of PAs apart from convergence on standards of data collection and storage.”
The proposed norms incorporate lessons from what happened this year with Paytm Payments Bank (PPBL) — albeit in an unrelated space. With the expansion of the scope of operations of PAs, the RBI appears to be strengthening the ecosystem against any opacity. The PPBL crisis was triggered by, among other things, major irregularities in the bank’s KYC adherence. The Financial Intelligence Unit (FIU-IND) had imposed a penalty of ₹5.49 crore having found that PPBL “engaged in a number of illegal acts, including organising and facilitating online gambling.” It added that the money generated from it was “routed and channelled through bank accounts maintained by these (illegal) entities” with the PPBL.
Is registration with the RBI being made compulsory?
The primary focus here is on non-bank PAs and within them, the o ine extensions. Banks providing physical PA services would not require any separate authorisation from the RBI. They are only expected to comply with the revised instructions within three months after they are issued.
Non-banking entities providing PA services at the point of sale (PoS), that is, o ine, would have to inform the RBI within 60 days (after the circular is issued), about their intent to seek authorisation.
The entities would, however, be allowed to continue their operations. As for non-banking entities providing PA services online — both those authorised and whose applications are pending — would be required to seek approval, about their existing o ine PA activity, from the Department of Payment and Settlement Systems and the regulator within 60 days of the directions being mandated. This would also apply to any authorised non-banking entity aspiring to enter the online and/or o the future.
The RBI’s directions also stipulate that entities currently engaged in PoS activities must ensure they adhere to guidelines on merchant on-boarding, customer grievance redressal and dispute management, baseline technology recommendations, security, fraud prevention and risk management framework as per the previous framework within 3 months. For entities that would require fresh registration, the RBI has said continued adherence to existing guidelines framed in 2020 would be viewed positively while processing the applications.
Does it talk about provisions for sustainability?
The RBI proposes that non-banking entities currently providing proximity/face-to-face transaction services have a minimum net worth of ₹15 crore when they apply. This would be extended to ₹25 crore by March 31, 2028. The requirements are the same for new applicants, the di¤erence being that a ₹25 crore net worth requirement would apply at the end of third nancial year from when the authorisation is granted.
The RBI has proposed that existing o ine operators unable to comply with the approval-seeking timeframe wind up their operations by July 31, 2025. Banks will also be directed to close all accounts ine PA space in by the end of October next year should they fail to produce evidence of their application seeking authorisation.
What about KYC requirements?
The regulations aim to ensure that onboarded merchants do not collect and settle funds for services not o¤ered on their platforms. While KYC is already mandatory, the regulations seek to make the provisions more nuanced.
The RBI’s proposed instructions categorise merchants into small and medium merchants. Small merchants would constitute physical merchants with an annual business turnover of less than ₹5 lakh who are not registered under the GST regime. The regulator proposes that the PAs undertake ‘contact point veri cation’, that is, collect information physically to establish the existence of the rm. They must also verify the bank accounts in which their funds are settled. Medium merchants, de ned as physical or online merchants with annual business turnover of less than ₹40 lakhs who are not registered under the GST, would also have to undergo contact point veri cation.
The PA would be expected to establish their existence by verifying one o¨cial document each of the proprietor, bene cial owner or attorney holder, and of the stated business.
The PAs must ensure that transactions undertaken by their merchants are in line with their business pro le. They must assign risk-based payment limits to the merchants. Based on their transaction pattern, the merchant could be migrated to a higher degree of due diligence.
Does it propose storage of card data?
The draft regulations instruct that no entity, other than the card issuer and/or card network, can store data for proximity/face-to-face payments from August 1, 2025, and direct them to purge data stored previously. To track transactions and reconcile them, entities would be allowed to store limited data, that is, the last four digits of the card number and the issuer’s name.