The regulatory landscape has undergone a significant change with the introduction of the Guidelines on Regulation of Payment Aggregators and Payment Gateways (DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020). The guidelines propose stricter regulation of the activities of payment aggregators and payment gateways in India. They have been issued by the RBI under the Payment and Settlement Systems Act, 2007, following the provisions of section 18 read with section 10(2) of the Act. They shall come into effect on April 01, 2020.
Who is a Payment Aggregator?
A Payment Aggregator enables e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations, without requiring merchants to create a separate payment integration system of their own. Payment Aggregators enable merchants to connect with acquirers. In the process, they receive payments from customers, pool them, and transfer them on to the merchants.
Payment Aggregators refer to institutions:
Payment Gateways provide the technology infrastructure to route and facilitate processing of an online payment transaction, without any involvement in the handling of funds.
Details of Licence Required to Commence Operations
A payment aggregator licence requires a net worth of Rs. 15 crores, which must be increased to Rs. 25 crores within three years of inception. To obtain the licence, the entity must be incorporated under the Companies Act, 2013.
Under Annex 2 of the Guidelines, the following is now mandatory for a Payment Aggregator – Data Security Standards: data security standards and best practices like PCI-DSS, PA-DSS, the latest encryption standards, transport channel security, etc., shall be implemented.
The Payment Card Industry Data Security Standard (PCI DSS) is the unified global standard for cardholder data security established by five international payment card brands (VISA, MasterCard, JCB, AMEX and Discover). It is the data security standard that multilaterally specifies requirements for security management, policies, procedures and methods, network configuration and software design to protect cardholder data.
Statutory and Regulatory Compliances
Applicability – The guidelines issued by the RBI are applicable to all payment aggregators. These guidelines are not applicable to the Cash on Delivery (CoD) e-commerce model.
Bank and non-bank PAs handle funds as part of their activities. Banks, however, provide PA services as part of their normal banking relationship and therefore do not require a separate authorisation from the RBI. Non-bank PAs shall require authorisation from the RBI under the Payment and Settlement Systems Act, 2007 (PSSA).
They should be companies incorporated under the Companies Act, 1956 / 2013, and their Memorandum of Association (MoA) must include the activity of operating as a payment aggregator.
E-commerce marketplaces providing PA services shall not continue this activity beyond June 30, 2021. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021.
Entities seeking authorisation as a PA from the RBI under the PSS Act shall apply in Form A to the Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai. Entities regulated by any of the financial sector regulators shall apply along with a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such clearance.
They are also required to submit certificates from their Chartered Accountants evidencing compliance with the net-worth requirements to the RBI. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding their current net worth, along with a provisional balance sheet.
PAs are required to obtain a licence from the RBI to carry on their activity in India. Existing payment aggregators have been granted time until June 30, 2021 to apply for the licence and have been permitted to continue their activities until their applications are decided on. Since banks provide payment aggregator services as part of their routine services, they are not required to obtain this licence separately.
Capital Requirements – The Guidelines impose certain capital and net-worth requirements on non-bank payment aggregators, which they are required to meet within a three-year time frame, which are:
Payment aggregators are required to have board-approved policies for the disposal of complaints, dispute resolution, processing of refunds, merchant on-boarding, information security, etc.
Appointment of a nodal officer responsible for regulatory and customer grievance functions, and display of the officer's details, is mandatory.
Payment aggregators are required to maintain the amounts collected by them in an escrow account with only one scheduled commercial bank, at a given point in time.
Payment aggregators cannot store customer card credentials within their database or on any server accessible by the merchant. They are also required to comply with the data localisation norms applicable to payment system operators, i.e., storage of complete end-to-end transaction data in systems located only in India, and deletion of any data processed abroad and bringing the same back to India within 24 hours.
Payment aggregators are required to comply with the RBI regulations on Know Your Customer (KYC), Anti-Money Laundering (AML), etc.
Payment aggregators must ensure that the instructions with regard to the Merchant Discount Rate (MDR), i.e., the rates charged by payment aggregators for payment processing services on transactions, are followed.
Payment aggregators must undertake a thorough background and antecedent check of merchants to ensure that they do not have mala fide intentions of cheating customers, selling fake / counterfeit / prohibited products, etc. Further, the merchant’s website is required to indicate the terms and conditions of the service and the timeline for processing returns and refunds.
PSS Act, 2007
Section 4 – Payment system not to operate without authorisation
4(1) – No person, other than the Reserve Bank, shall commence or operate a payment system except under and in accordance with an authorisation issued by the Reserve Bank under the provisions of this Act.
Companies Act, 2013
According to Section 4 of the Companies Act, 2013, the MoA is a legal document specifying information about the shareholding of the company. It also outlines the scope of the company’s business activities and is prepared for the purpose of registering the company. It is also called the charter of the company.
RBI Master Circular – RBI/2013-14/94
Know Your Customer (KYC) Norms / Anti-Money Laundering (AML) Standards / Combating of Financing of Terrorism (CFT) / Obligations of Banks under PMLA, 2002
Are There Any Indian Laws That Impose Privacy by Design on Payment Aggregators?
According to the General Data Protection Regulation (GDPR), the term “Privacy by Design” means nothing more than “data protection through technology design”. The idea behind this concept is that data protection in data processing procedures is best adhered to when it is already integrated into the technology at the time it is created.
The Data Protection Bill, 2019 addresses privacy by design and provides that every data fiduciary should prepare a privacy by design policy, which covers aspects such as:
1. the practices and systems designed,
2. the technologies used,
3. the legitimate interests of businesses,
4. how data is protected during the lifecycle, and,
5. demonstration of transparency principle to showcase the measures being taken to prevent any harm to the individual.
The law on privacy is still ambiguous with regard to financial services in India, as the RBI is yet to release a detailed guideline for the fin-tech sector that would bring the data privacy standard up to a global level.
At present, privacy by design as a concept is integrated into the latest regulation, which imposes stricter requirements on PAs, and its recommendations are mandatory to follow. Some of the provisions directly encourage privacy by design.