All Payment System Providers and Payment System Participants
Guidelines on Regulation of Payment Aggregators and Payment Gateways
We invite a reference to our circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and the clarification dated September 17, 2020 issued on the subject (Annex). Accordingly, neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them can store customer card credentials within their database or server.
2. Based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation, within the framework set out in the circular dated March 17, 2020 cited above and our circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 08, 2019 on “Tokenisation – Card transactions”. All other provisions of the circular dated March 17, 2020 referred to above, shall remain unchanged.
3. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).
RBI circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021
Clarification issued by RBI on circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) on “Guidelines on Regulation of Payment Aggregators (PAs) and Payment Gateways (PGs)”
1. Definition and applicability related
1.1. The circular is applicable to online PAs and PGs. The guidelines seek to regulate the activities of online PAs while providing baseline technology-related recommendations to PGs.
1.2. In the case of bank PAs, there is no requirement of authorisation; they shall ensure compliance with the guidelines by September 30, 2020 (as extended vide circular DPSS.CO.PD.No.1897/02.14.003/2019-20 dated June 04, 2020). For non-bank PAs, the instructions will come into force from the date of their authorisation, subject to the submission of application for authorisation before the end date of June 30, 2021.
1.3. The circular is also applicable to e-commerce marketplaces that are undertaking direct payment aggregation; e-commerce marketplaces availing the services of a PA shall be considered as merchants.
1.4. The circular is not applicable on ‘Delivery vs. Payment’ transactions but addresses the transactions where the payment is made in advance while the goods are delivered in a deferred manner.
2. Authorisation, capital and net-worth related
2.1. Banks maintaining the escrow account/s need not monitor the net-worth of the PA.
2.2. For existing non-bank PAs, the CA certificate of net-worth evidencing that the requirement of net-worth is ensured (as on March 31, 2021) will be required to be submitted to RBI at the time of application for authorisation (in case of an existing entity desirous of applying before March 31, 2021 a similar certificate shall be submitted as on the nearest half-year ending date). Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate from their CA regarding the current net-worth along with provisional balance sheet.
3. Governance related
3.1. The Promoters / Promoter Groups, shall conform to the Reserve Bank’s ‘fit and proper’ criteria. Director of the PA company shall be deemed to be a “fit and proper” person if:
3.1.1. Such person has a record of fairness and integrity, including but not limited to:
- financial integrity;
- good reputation and character; and
3.1.2. Such person has not incurred any of the following disqualifications:
- Convicted by a court for any offence involving moral turpitude or any economic offence or any offence under the laws administered by the RBI;
- Declared insolvent and not discharged;
- An order, restraining, prohibiting or debarring the person from accessing / dealing in any financial system, passed by any regulatory authority, and the period specified in the order has not elapsed;
- Found to be of unsound mind by a court of competent jurisdiction and the finding is in force; and
- Is financially not sound.
3.1.3. If any question arises as to whether a person is a fit and proper person, the RBI’s decision on such question shall be final.
4. KYC and merchant on-boarding related
4.1. In case a PA is maintaining an account-based relationship with the merchant, the KYC guidelines of Department of Regulation (DoR), RBI is applicable. Thus, to this extent, para 6 on ‘Safeguards against Money Laundering (KYC / AML / CFT) Provisions’ shall also be applicable.
4.2. For merchant on-boarding, the PA can have a Board approved policy (Para 7.1). There would not be a requirement to carry-out entire process of KYC (in accordance with the KYC guidelines of DoR), in cases where the merchant already has a bank account which is being used for transaction settlement purpose.
5. OPGSP related
5.1. Entities functioning as OPGSP and undertaking cross-border transactions in terms of OPGSP guidelines shall ensure compliance with the instructions issued vide A.P. (DIR Series) Circular No.16 dated September 24, 2015.
5.2. If OPGSP is also an entity which is functioning as PG or PA under the guidelines stipulated by DPSS, for undertaking any domestic leg of import / export transaction, it has to be ensured that the timelines and other guidelines, including those relating to authorised modes of collection, i.e. debit card, credit card and internet banking, indicated for the purpose of cross-border transactions in A.P. (DIR Series) Circular No.16 dated September 24, 2015, are also adhered to.
6. Security, fraud prevention and risk management framework related
6.1. The PA needs to ensure compliance of the infrastructure of the merchants to security standards like PCI-DSS and PA-DSS, as applicable.
6.2. Merchants are not allowed to store payment data irrespective of their being PCI-DSS compliant or otherwise. They shall, however, be allowed to store limited data for the purpose of transaction tracking; for which, the required limited information may be stored in compliance with the applicable standards.
6.3. The PA cannot also store customer card credentials within its database or the server (irrespective of it being accessed by merchant or not) except for the limited purpose of transaction tracking; for which, required credentials may be stored in compliance with the applicable standards.
6.4. Para 10.5: A standard system audit, including cyber security audit, conducted by CERT-In empanelled auditors may be carried out.
7. Settlement and escrow account related
7.1. For the purpose of maintenance of the escrow account, the operations of PAs are deemed to be ‘designated payment systems’ under the Payment and Settlement Systems Act (PSS Act) after the entity obtains authorisation from RBI.
7.2. The applicability of circular DPSS.CO.PD.No.1102/02.14.08/2009-10 dated November 24, 2009 on “Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries” shall be as follows:
7.2.1. The circular shall be considered repealed for authorised PAs from the date of authorisation;
7.2.2. The circular shall be considered repealed with effect from June 30, 2021 except for such PAs who have applied for authorisation and a decision on it is pending with RBI.
7.3. The existing entities can continue to maintain nodal accounts till they have been authorised by RBI. Since the PA needs to move towards an escrow account, the bank and the PA may take a call about maintaining the same from an earlier date as well. However, this alone shall not make them eligible for a “designated payment system” status under Section 23A of the PSS Act.
7.4. If the bank can satisfactorily establish that the nodal account of an entity has been migrated to escrow account in compliance with the new instructions, it can allow the balances under existing nodal accounts of PAs to be considered for calculation of ‘Core portion’.
7.5. Those entities who have not attained the requisite net-worth as of March 31, 2021 shall wind up their PA business. Banks shall be required to close such nodal accounts after June 30, 2021 unless the PA produces evidence to the bank regarding application for authorisation being made to RBI.
7.6. The pre-funding has been allowed to tide over temporary mis-matches. Taking back of surplus pre-funding is not allowed.
7.7. There can be different “t” for different merchants as per the agreement between PA and merchants.
7.8. Para 8.6: The amount due to the merchant will be reckoned only after the settlement and credit to the escrow account. There is no need to prefund the account for this purpose. However, the proceeds shall be credited to escrow on the settlement day itself.
7.9. Where PAs have no control over incoming funds and its delay thereof, the PAs need to follow the instructions and transfer the funds to the merchant within T+0 / T+1 basis, post receiving of funds into its account.
7.10. The settlement accounts opened under Bharat Bill Payment System (BBPS) would be governed by BBPS instructions.