RBI’s Draft Rules for Payment Aggregators

April 26, 2024

What’s in Today’s Article?

Background:

The Reserve Bank of India (RBI) had floated two consultation papers earlier this month to seek better regulation of offline Payment Aggregators (PAs).
The first deals with activities of offline PAs, while the second proposes to strengthen the ecosystem’s safety by expanding instructions for Know Your Customer (KYC), due diligence of onboarded merchants and operations in Escrow accounts.
The RBI had invited comments/feedback by May 31.

Who are Payment Aggregators?

Payment aggregators (Pas) are entities that facilitate online transactions by collecting payments from customers on behalf of merchants.
They act as intermediaries between the buyer, the seller, and the payment gateway.
Working of PAs:
- Collect Payments: Payment aggregators collect payments from customers using various payment methods like credit/debit cards, net banking, digital wallets, etc.
- Transfer Funds: Once the payment is collected, the aggregator transfers the funds to the merchant after deducting their service fees or commission.
- Settlement: The aggregator ensures that the funds are settled in the merchant's bank account within a specified time frame, which is usually a few days.
- Security: Payment aggregators ensure the security of transactions by using encryption and other security measures to protect sensitive customer information.
- Integration: They offer APIs and plugins that merchants can integrate into their websites or mobile apps to easily accept payments.
Popular payment aggregators include companies like Razorpay, Paytm and PayPal in India.
They play a crucial role in enabling businesses to accept payments online, thereby facilitating e-commerce and online transactions.

What Exactly are the RBI’s Draft Rules About?

The existing guidelines cover their activities in e-commerce sites and other online avenues.
The latest draft guidelines propose to extend these regulations to offline spaces, entailing proximity or face-to-face transactions.
RBI observed back in June 2022 that the nature of activities carried out by the PAs, both online and offline, is similar.
It aspires to bring in “synergy in regulation covering activities and operations of PAs apart from convergence on standards of data collection and storage.”
The proposed norms are elaborate and incorporate lessons from what happened this year with Paytm Payments Bank (PPBL).
- The PPBL crisis was triggered by, among other things, major irregularities in the bank’s KYC adherence.
- In fact, the Financial Intelligence Unit (FIU-IND) had imposed a penalty of ₹5.49 crore having found that PPBL “engaged in a number of illegal acts, including organising and facilitating online gambling.”
With expansion of the utility and scope of operations of PAs, RBI appears to be strengthening the ecosystem against any such opacity.

Is Registration with RBI Being Made Mandatory?

The primary focus here is on non-bank PAs and within them, the offline extensions.
Banks providing physical PA services as part of their normal banking relationship would not require any separate authorisation from the RBI.
They are only expected to comply with the revised instructions within three months after they are issued.
PAs, providing online / offline services, would have to inform RBI within 60 days (after the circular is issued), about their intent to seek authorisation.

Does the Draft Rules talk about Provisions for Sustainability?

RBI proposes that non-banking entities currently providing proximity/face to face transaction services have a minimum net worth of ₹15 crore when they apply.
This would be extended to ₹25 crore by March 31, 2028.
The requirements are the same for new applicants, the difference being that a ₹25 crore net worth requirement would apply at the end of three financial years when the authorisation is granted.
RBI has proposed that existing offline operators unable to comply with the approval-seeking timeframe wind-up their operations by July 31, 2025.
Banks will also be directed to close all accounts by the end of October next year should they fail to produce evidence of their application seeking authorisation.

Provisions for KYC Requirements:

The purpose of the proposed regulations is to ensure that onboarded merchants do not collect and settle funds for services not offered on their platforms.
While KYC is already mandatory, the regulations seek to extend the scope and make the provisions more nuanced.
RBI’s proposed instructions categorise merchants into small and medium merchants.
Small merchants would constitute physical merchants with an annual business turnover of less than ₹5 lakh who are not registered under the Goods and Services Tax (GST) regime.
The regulator proposes that the PAs undertake ‘contact point verification’, that is, collect information physically to establish the existence of the firm.
They must also verify the bank accounts in which their funds are settled.
Medium merchants, defined as physical or online merchants with annual business turnover of less than ₹40 lakhs who are not registered under GST, would also have to undergo contact point verification.
The PA would be expected to establish their existence by verifying one official document each of the proprietor, beneficial owner or attorney holder, and of the stated business.

Provisions for Data Privacy:

The draft regulations instruct that no entity, other than the card issuer and/or card network, can store data for proximity/face to face payments from August 1, 2025, and direct them to purge data stored previously.
To track transactions and to reconcile them, entities would be allowed to store limited data, that is, the last four digits of the card number and the issuer’s name.
The onus for compliance in this domain would also be on card networks.