RBI’s draft rules for payment aggregators
Will non-bank payment aggregators need separate authorisation from the RBI? What lessons did the RBI incorporate from the Paytm Payments Bank crisis? What will happen to non-banking entities currently engaged in point-of-sale activities if they fail to co
The story so far: Following its announcement in June 2022 that it will seek better regulation of offline payment aggregators (PAs) facilitating proximity or face-to-face transactions, the Reserve Bank of India (RBI) floated two consultation papers earlier this month. The first deals with activities of offline PAs, while the second proposes to strengthen the ecosystem’s safety by expanding instructions for Know Your Customer (KYC), due diligence of onboarded merchants and operations in Escrow accounts. The RBI has invited comments/feedback by May 31.
What exactly are the norms about?
Payment aggregators are entities that settle payments from customers to merchants — unburdening the latter from creating a payment integration system of their own. The existing guidelines cover their activities in e-commerce sites and other online avenues. The latest draft guidelines propose to extend these regulations to offline spaces, entailing proximity or face-to-face transactions.
The RBI observed back in June 2022 that the nature of activities carried out by the PAs, both online and offline, is similar. It aspires to bring in “synergy in regulation covering activities and operations of PAs apart from convergence on standards of data collection and storage.”
The proposed norms incorporate lessons from what happened this year with Paytm Payments Bank (PPBL) — albeit in an unrelated space. With the expansion of the scope of operations of PAs, the RBI appears to be strengthening the ecosystem against any opacity. The PPBL crisis was triggered by, among other things, major irregularities in the bank’s KYC adherence. The Financial Intelligence Unit (FIU-IND) had imposed a penalty of ₹5.49 crore having found that PPBL “engaged in a number of illegal acts, including organising and facilitating online gambling.” It added that the money generated from it was “routed and channelled through bank accounts maintained by these (illegal) entities” with the PPBL.
Is registration with the RBI being made compulsory?
The primary focus here is on non-bank PAs and, within them, the offline extensions. Banks providing physical PA services would not require any separate authorisation from the RBI. They are only expected to comply with the revised instructions within three months after they are issued.
Non-banking entities providing PA services at the point of sale (PoS), that is, offline, would have to inform the RBI within 60 days (after the circular is issued) about their intent to seek authorisation.
The entities would, however, be allowed to continue their operations. Non-banking entities providing PA services online — both those authorised and those whose applications are pending — would be required to seek approval for their existing offline PA activity from the Department of Payment and Settlement Systems and the regulator within 60 days of the directions being mandated. This would also apply to any authorised non-banking entity aspiring to enter the online and/or offline PA space in the future.
The RBI’s directions also stipulate that entities currently engaged in PoS activities must ensure they adhere to guidelines on merchant on-boarding, customer grievance redressal and dispute management, baseline technology recommendations, security, fraud prevention and risk management framework as per the previous framework within 3 months. For entities that would require fresh registration, the RBI has said continued adherence to existing guidelines framed in 2020 would be viewed positively while processing the applications.
Does it talk about provisions for sustainability?
The RBI proposes that non-banking entities currently providing proximity/face-to-face transaction services have a minimum net worth of ₹15 crore when they apply. This would be extended to ₹25 crore by March 31, 2028. The requirements are the same for new applicants, the difference being that a ₹25 crore net worth requirement would apply at the end of the third financial year from when the authorisation is granted.
The RBI has proposed that existing offline operators unable to comply with the approval-seeking timeframe wind up their operations by July 31, 2025. Banks will also be directed to close all accounts by the end of October next year should they fail to produce evidence of their application seeking authorisation.
What about KYC requirements?
The regulations aim to ensure that onboarded merchants do not collect and settle funds for services not offered on their platforms. While KYC is already mandatory, the regulations seek to make the provisions more nuanced.
The RBI’s proposed instructions categorise merchants into small and medium merchants. Small merchants would constitute physical merchants with an annual business turnover of less than ₹5 lakh who are not registered under the GST regime. The regulator proposes that the PAs undertake ‘contact point verification’, that is, collect information physically to establish the existence of the firm. They must also verify the bank accounts in which their funds are settled. Medium merchants, defined as physical or online merchants with annual business turnover of less than ₹40 lakhs who are not registered under the GST, would also have to undergo contact point verification.
The PA would be expected to establish their existence by verifying one official document each of the proprietor, beneficial owner or attorney holder, and of the stated business.
The PAs must ensure that transactions undertaken by their merchants are in line with their business profile. They must assign risk-based payment limits to the merchants. Based on their transaction pattern, the merchant could be migrated to a higher degree of due diligence.
Does it propose storage of card data?
The draft regulations instruct that no entity, other than the card issuer and/or card network, can store data for proximity/face-to-face payments from August 1, 2025, and direct them to purge data stored previously. To track transactions and reconcile them, entities would be allowed to store limited data, that is, the last four digits of the card number and the issuer’s name.
The Reserve Bank of India is proposing new regulations for offline payment aggregators (PAs) to enhance safety.
The proposed norms aim to extend existing guidelines to cover offline transactions and strengthen Know Your Customer requirements for merchants.
The draft regulations instruct that no entity, other than the card issuer and/or card network, can store data for proximity/face-to-face payments from August 1, 2025.