Payment Aggregators and Payment Gateways - A Robust Regime Under New Guidelines

Payment Aggregators and Payment Gateways - A Robust Regime Under New Guidelines

The Reserve Bank of India (RBI) in the exercise of its powers under Sections 18 and 10(2) of the Payment and Settlement Systems Act, 2007 decided to regulate the activities of Payment Aggregators and also issued technology-related recommendations for Payment Gateways…

After confronting the pandemic, the services provided by the e-commerce marketplaces have become even more indispensable. This has made the entire financial ecosystem of the country rely on electronic payment transactions more than ever. It is easy to ignore how complex and online payment systems are in India. Furthermore, many such payment systems are still evolving with the advances in technology. The probability of misuse of information and being duped by delinquent hackers remains high in the face of a system which is still developing. Before discussing the highlights and mandatory requirements provided under the guidelines, let us first understand the role of the Payment Aggregators (PAs) and Payment Gateways (PGs) followed by a clear distinction recognized by the RBI between them. Though, it is pertinent to note that PAs and PGs both are intermediaries playing an extremely crucial function in facilitating online payments.

Recognizing the gravity of these challenges as well as the cruciality of roles, (which includes the handling of sensitive customer data), the Reserve Bank of India ("RBI") in the exercise of its powers under Sections 18 and 10(2) of the Payment and Settlement Systems Act, 2007 ("PSSA") (an Act that primarily governs the expanse of payment systems in India) decided to regulate the activities of Payment Aggregators and also issued technology-related recommendations for Payment Gateways through the Guidelines on Regulations of Payment Aggregators and Payment Gateways, 2020 ("Guidelines"). The Guidelines came into effect on April 01, 2020, other than for activities for which specific timelines have been provided.

Before discussing the highlights and mandatory requirements provided under the Guidelines, let us first understand the role of the Payment Aggregators ("PAs") and Payment Gateways ("PGs") followed by a clear distinction recognized by the RBI between them. Though, it is pertinent to note that PAs and PGs both are intermediaries playing an extremely crucial function in facilitating online payments.

PAs are entities that assist merchants to accept various payment instruments from customers for completion of their payment obligations and in the process, these PAs receive payments from customers, pool and transfer them to the merchants after a period of time. PGs are entities that provide technological infrastructure to route and facilitate the processing of an online payment without any involvement in handling the funds. For processing an electronic payment, apart from Payment Aggregators and Payment Gateways, there are different players in the online space. Payment System is the foremost and primary player while there are other System Participants such as Payment Service Providers and Third-Party App Providers. The present article covers the expanse of the regulatory framework with respect to Payment Aggregators and Payment Gateways.

1. PAYMENT AGGREGATORS

While recognizing the risks associated with inadequate governance, lack of proper redress mechanism and uniformity in practices as well as with the inability of PAs to meet their payment obligations, the RBI, with an intention to enhance consumer protection, chose to regulate in entirety the activities of the PAs. The regulations set out the following mandatory practices for the PAs:

A. Authorization of non-bank PAs

The services of PAs, apart from being provided by a private entity (i.e., non-bank PAs) are also provided by various banks as part of their normal banking services. For the non-bank PAs, the regulations provide the following mandatory requirements:

1. New 'non-bank PAs' are required to obtain mandatory authorization from the RBI under the Payment and Settlement Systems Act, 2007;

2. Existing 'non-bank PAs' are required to apply for authorization on or before June 30, 2021. They are also allowed to continue operations, till the decision of the RBI upon their application is granted.

It has also been clarified that any entity applying for authorization shall be a Company incorporated under the provisions of the Companies Act, 1956/2013 and shall ensure that the business activity as PA is covered under its Memorandum of Association.

B. E-commerce marketplaces providing services of PAs

E-commerce marketplaces providing PA services are allowed to continue services till June 30, 2021. To continue this activity any further, the entity is required to separate the PA activities from the marketplace business and to obtain an authorization on or before June 30, 2021.

C. Capital Requirements

The primary role of the PAs is to manage funds on behalf of the third parties i.e., merchants and customers, and to ensure that the customer has seamless and safe payment experience. To make sure that PAs are financially stable, the Guidelines provide strict mandatory net-worth requirements to be fulfilled:

1. New PAs are required to have a net-worth of INR 150 million at the time of applying for authorization and are obligated to achieve a net worth of INR 250 million by the end of the third financial year from the grant of authorization. The net worth of INR 250 million is required to be maintained at all times thereafter.

2. Existing PAs are required to achieve a net worth of INR 150 million by March 31, 2021, and a net-worth of INR 250 million by the end of third financial year i.e., on or before March 31, 2023. The net-worth of INR 250 million is required to be maintained at all times thereafter.

3. The Guidelines require that the net-worth consists only of paid-up equity capital, preference shares that are compulsorily convertible to equity, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets and exclude the reserves created by revaluation of assets adjusted for accumulated loss balance, the book value of intangible assets and deferred revenue expenditure if any. In this regard, the compulsory convertible preference shares can be either non-cumulative or cumulative and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.

D. Governance, Customer Grievance Redressal and Dispute Management Framework

The main function performed by a PA is to collect i.e., debit money from the account of a customer towards a payment obligation and pool it. The collected money is thereafter transferred to the account of the merchant after a period of time as per the terms and conditions as agreed between the merchant and the PA. The customers ordinarily have very limited access to the PAs for redressal of grievances and rely mainly on the merchants or banks while transacting an online payment. Hence, to create transparency in the functioning of PAs and to assuage any risks, the RBI while addressing the issue of lack of proper redress mechanism has made it compulsory for PAs to:

1. Clearly delineate by way of agreements the roles and responsibilities between the PAs, merchants, acquiring banks and all other stakeholders in sorting/handling complaints, refund/failed transactions, return policy, customer grievance redressal, dispute resolution mechanism, reconciliation, etc.

2. To disclose comprehensive information regarding merchant policies, customer grievances, privacy policy, etc., on website.

3. To put in place a formal, publicly disclosed customer grievance redressal and dispute management framework.

4. To have a board-approved policy for disposal of complaints/dispute resolution mechanism/ timelines for processing refunds in complete adherence with previous instructions of RBI on Turn Around Time for resolution of failed transactions.

5. To appoint and display details of a Nodal Officer on the website who shall be responsible for regulatory and customer grievance handling functions.

E. Data Protection and Risk Management

The PA being part of a payment process chain also handles sensitive customer data including customer's card credentials and other personally identifiable information which the customers are ordinarily required to part with while transacting online and discharging payment obligations. Keeping in view the security of the customer's data and to increase the customer's confidence in the financial ecosystem and to alleviate any fraud and compromise with cyber security, the RBI has mandated for PAs to:

1. Put in place adequate information and data security infrastructure and systems for the prevention and detection of frauds.

2. To establish a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. Such incidents are also required to be reported to RBI and CERT-In.

3. To not store the customer card credentials within their database or the server accessed by the merchant. PAs are also obligated to comply with data storage requirements as applicable to Payment System Operators².

4. To submit the System Audit Report, including cyber security audit conducted by CERT-In empaneled auditors, within two months of the closing of the financial year to the respective Regional Office of the Department of Payment and Settlement Systems, RBI.

5. To conduct a security audit of the Merchant to ensure that the merchant site has not saved customer card details and related data.

6. To have provision for security/privacy of customer data in the agreement with the merchant.

7. To undertake background and antecedent check of the merchants to ensure that merchants do not have mala fide intention of duping a customer and do not sell fake/counterfeit or prohibited products.

F. Settlement and Escrow Account Management

The non-bank PAs are obligated to maintain the amount collected by them in an escrow account with a single Scheduled Commercial Bank. For maintenance of the account, the operations of the PAs are deemed to be "Designated Payment Systems" under Section 23A of the Payment and Settlement System Act. The amounts deducted from customer accounts are required to be remitted to the escrow account on Tp+0 or Tp+1 basis, Tp being the date of debit to the customer's account against the purchase of goods and services. The final settlement with the merchant by PA is to be effected as follows:

1. Where PA is responsible for delivery of goods/services, no later than Ts+1 basis, Ts being the date of intimation by merchant about the shipment of goods.

2. Where the merchant is responsible for the delivery of goods, the payment to the merchant shall be no later than Td+1 basis. Td being the date of confirmation by the merchant of delivery of goods to the customer.

3. Where the agreement with merchant provides for the PA holding the amount till the expiry of refund period, no later than Tr+1 basis, Tr being the date of expiry of refund period, as fixed by the merchant.

4. The credits towards reversed and refund transactions are to be routed back through escrow account unless as per the contract, the refund is directly managed by the merchant and the customer is aware of this arrangement.

5. The Guidelines also list out the permissible credit and debit from the escrow account with an obligation upon the relevant bank to ensure that the payments from escrow account are made only to eligible merchants/purposes. No interest shall be payable by the banks on balances maintained in the escrow account, except under the certain circumstances outlined in the Guidelines³.

The intention of the RBI to designate the PAs, for the purposes of maintaining escrow account, as Designated Payment Systems under the provisions of Section 23A of the PSSA, is to explicitly secure and provide safe payment experience to the customers and merchants. Under the non-obstante provision of Section 23A(3) PSSA, the persons entitled to receive payments from the escrow account shall have a first and paramount charge on the balance held in that account notwithstanding any other law including Insolvency and Bankruptcy Code, 2016. Therefore, if a PA or concerned scheduled commercial bank undergoes the liquidation, then the liquidator is duty-bound to not utilize the balance in the account for any other purposes until all such entitled persons (merchants etc.) are paid in full or an adequate provision is made therefor.

2. PAYMENT GATEWAYS

PGs have been mandated to adopt the baseline technology-related recommendation provided in the Guidelines to ensure that there is a uniform adoption of IT amongst PGs. Apart from the technology recommendation provided under the Guidelines, the bank PGs are also further subject to RBI guidelines on 'Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks'⁴.

In an important step towards enhancing the security of the customer and his/her private and sensitive data, the RBI has advised the PGs to take preventive measures to ensure storing of data in an infrastructure that does not belong to an external jurisdiction and PGs are also made subject to instructions on storage of payment data, as applicable to Payment Systems Operators. Therefore, the data localization norms as applicable to Payment System are also applicable upon the Payment Gateways and make it obligatory to store all data related to payment transaction in a system located in India. This data includes end-to-end transaction details/information collected/ carried/processed as part of the message/payment instructions.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.