The Components of Payment Gateway

In the online space, Payment Aggregators (PAs) and Payment Gateways (PGs) serve as crucial intermediaries in facilitating payments. The RBI has issued guidelines in this regard, which we discuss in this post.

Definitions

For the purpose of this circular, the PAs and PGs are defined as under:

1.1.1. PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

1.1.2. PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

1.2. In the processing of an online transaction the following timelines are involved:

  • ‘Tp’ – date of charge / debit to the customer’s account against the purchase of goods / services.
  • ‘Ts’ – date of intimation by the merchant to the intermediary about shipment of goods.
  • ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer.
  • ‘Tr’ – date of expiry of refund period as fixed by the merchant.

Applicability

2.1. The guidelines shall be applicable to PAs. PAs shall also adopt the technology-related recommendations provided in Annex 2. As a measure of good practice, the PGs may adhere to these baseline technology-related recommendations.

2.2. Domestic leg of import and export related payments facilitated by PAs shall also be governed by these instructions.

2.3. The guidelines are not applicable to Cash on Delivery (CoD) e-commerce model.

Authorization

3.1. The criteria of authorisation have been arrived at based on the role of the intermediary in handling of funds.

3.2. Bank and non-bank PAs handle funds as part of their activities. Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. Non-bank PAs shall require authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSSA).

3.3. PA shall be a company incorporated in India under the Companies Act, 1956 / 2013. The Memorandum of Association (MoA) of the applicant entity must cover the proposed activity of operating as a PA.

3.4. Existing non-bank entities offering PA services shall apply for authorisation on or before June 30, 2021. They shall be allowed to continue their operations till they receive communication from RBI regarding the fate of their application.

3.5. Entities seeking authorisation as PA from the RBI under the PSS Act, shall apply in Form A to the Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai. Entities regulated by any of the financial sector regulators shall apply along with a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such a clearance.

3.6. E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed at clause 3.4 above. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021.

3.7. PGs shall be considered as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be. In case of a bank PG, the guidelines issued by Reserve Bank of India, Department of Regulation (DoR) vide circular No.DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006 on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” and other follow up circular(s) shall also be applicable.

Capital Requirements

4.1. PAs existing as on the date of this circular shall achieve a net-worth of ₹15 crore by March 31, 2021 and a net-worth of ₹25 crore by the end of third financial year, i.e., on or before March 31, 2023. The net-worth of ₹25 crore shall be maintained at all times thereafter.

4.2. New PAs shall have a minimum net-worth of ₹15 crore at the time of application for authorisation and shall attain a net-worth of ₹25 crore by the end of third financial year of grant of authorisation. The net-worth of ₹25 crore shall be maintained at all times thereafter.

4.4. Net-worth shall consist of paid-up equity capital, preference shares that are compulsorily convertible to equity, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. Compulsorily convertible preference shares can be either non-cumulative or cumulative, and they should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.

4.5. Entities having Foreign Direct Investment (FDI) shall be guided by the Consolidated Foreign Direct Investment policy of the Government of India and the relevant foreign exchange management regulations on this subject.

4.6. PAs shall submit a certificate in the enclosed format from their Chartered Accountants (CA) to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.

4.7. PAs that are not able to comply with the net-worth requirement within the stipulated time frame (as given at clauses 4.1 & 4.2) shall wind-up payment aggregation business. The banks maintaining nodal / escrow accounts of such entities shall monitor and report compliance in this regard.

Governance

5.1. PAs shall be professionally managed. The promoters of the entity shall satisfy the fit and proper criteria prescribed by RBI. The directors of the applicant entity shall submit a declaration in the enclosed format. RBI shall also check ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned.

5.2. Any takeover or acquisition of control or change in management of a non-bank PA shall be communicated by way of a letter to the Chief General Manager, Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes.

5.3. Agreements between PAs, merchants, acquiring banks, and all other stake holders shall clearly delineate the roles and responsibilities of the involved parties in sorting / handling complaints, refund / failed transactions, return policy, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanism, reconciliation, etc.

5.4. PAs shall disclose comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on the website and / or their mobile application.

5.5. PAs shall have a Board approved policy for disposal of complaints / dispute resolution mechanism / time-lines for processing refunds, etc., in such a manner that the RBI instructions on Turn Around Time (TAT) for resolution of failed transactions issued vide DPSS.CO.PD No.629/02.01.014/2019-20 dated September 20, 2019 are adequately taken care of. Any future instructions in this regard shall also be adhered to by PAs.

5.6. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. PAs shall prominently display details of the nodal officer on their website.

Safeguards against Money Laundering (KYC / AML / CFT) Provisions

6.1. The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Regulation, RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all entities.

6.2. Provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, shall also be applicable.

Merchant On-boarding

7.1. PAs shall have a Board approved policy for merchant on-boarding.

7.2. PAs shall undertake background and antecedent check of the merchants, to ensure that such merchants do not have any malafide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. The merchant’s website shall clearly indicate the terms and conditions of the service and time-line for processing returns and refunds.

7.3. PAs shall be responsible to check Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded.

7.4. Merchant site shall not save customer card and such related data. A security audit of the merchant may be carried out to check compliance, as and when required.

7.5. Agreement with merchant shall have provision for security / privacy of customer data. PAs’ agreement with merchants shall include compliance to PA-DSS and incident reporting obligations. The PAs shall obtain periodic security assessment reports either based on the risk assessment (large or small merchants) and / or at the time of renewal of contracts.

Settlement and Escrow Account Management

8.1. Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank. An additional escrow account may be maintained with a different scheduled commercial bank at the discretion of the PA. For the purpose of maintenance of escrow account, operations of PAs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSSA (as amended in 2015).

8.2. In case there is a need to shift the escrow account from one bank to another, the same shall be effected in a time-bound manner without impacting the payment cycle to merchants, under advice to RBI.

8.3. Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on Tp+0 / Tp+1 basis. The same rules shall apply to the non-bank entities where wallets are used as a payment instrument.

8.4. Final settlement with the merchant by the PA shall be effected as under:

8.4.1. Where PA is responsible for delivery of goods / services the payment to the merchant shall be not later than on Ts + 1 basis.

8.4.2. Where merchant is responsible for delivery, the payment to the merchant shall be not later than on Td + 1 basis.

8.4.3. Where the agreement with the merchant provides for keeping the amount by the PA till expiry of refund period, the payment to the merchant shall be not later than on Tr + 1 basis.

8.5. Credits towards reversed transactions (where funds are received by PA) and refund transactions shall be routed back through the escrow account unless as per contract the refund is directly managed by the merchant and the customer has been made aware of the same.

8.6. At the end of the day, the amount in escrow account shall not be less than the amount already collected from customer as per ‘Tp’ or the amount due to the merchant.

8.7. PAs shall be permitted to pre-fund the escrow account with own / merchant’s funds. However, in the latter scenario, merchant’s beneficial interest shall be created on the pre-funded portion.

8.8. The escrow account shall not be operated for ‘Cash-on-Delivery’ transactions.

8.9. Permitted credits / debits to the escrow account shall be as set out below; where an additional escrow account is maintained, credit and debit from one escrow account to the other shall also be permitted. However, inter-escrow transfers should be avoided as far as possible and if resorted to, auditor’s certification shall clearly mention such transactions.

Credits

a) Payment from various customers towards purchase of goods / services.

b) Pre-funding by merchants / PAs.

c) Transfer representing refunds for failed / disputed / returned / cancelled transactions.

d) Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

Debits

a) Payment to various merchants / service providers.

b) Payment to any other account on specific directions from the merchant.

c) Transfer representing refunds for failed / disputed transactions.

d) Payment of commission to the intermediaries. This amount shall be at pre-determined rates / frequency.

e) Payment of amount received under promotional activities, incentives, cash-backs, etc.

8.10. For banks the outstanding balance in the escrow account shall be part of the ‘net demand and time liabilities’ (NDTL) for the purpose of maintenance of reserve requirements. This position shall be computed on the basis of the balances appearing in the books of the bank as on the date of reporting.

8.11. The entity and the escrow account banker shall be responsible for compliance with RBI instructions issued from time to time. The decision of RBI in this regard shall be final and binding.

8.12. Settlement of funds with merchants shall not be co-mingled with other business, if any, handled by the PA.

8.13. A certificate signed by the auditor(s), shall be submitted by the authorised entities to the respective Regional Office of DPSS, RBI, where registered office of PA is situated, certifying that the entity has been maintaining balance(s) in the escrow account(s) in compliance with these instructions, as per periodicity prescribed in Annex 3. In case, an additional escrow account is being maintained, it shall be ensured that balances in both accounts are considered for the above certification. This shall also be indicated in the certificate. The same auditor shall be employed to audit both escrow accounts.

8.14. PAs shall submit the list of merchants acquired by them to the bank where they are maintaining the escrow account and update the same from time to time. The bank shall ensure that payments are made only to eligible merchants / purposes. There shall be an exclusive clause in the agreement signed between the PA and the bank maintaining escrow account towards usage of balance in escrow account only for the purposes mentioned above.

8.15. No interest shall be payable by the bank on balances maintained in the escrow account, except when the PA enters into an agreement with the bank maintaining the escrow account, to transfer “core portion” of the amount, in the escrow account, to a separate account on which interest is payable, subject to the following:

8.15.1. The bank shall satisfy itself that the amount deposited represents the “core portion” after due verification of necessary documents.

8.15.2. The amount shall be linked to the escrow account, i.e. the amounts held in the interest-bearing account shall be available to the bank, to meet payment requirements of the entity, in case of any shortfall in the escrow account.

8.15.3. This facility shall be permissible to entities who have been in business for 26 fortnights and whose accounts have been duly audited for the full accounting year. For this purpose, the period of 26 fortnights shall be calculated from the actual business operation in the account.

8.15.4. No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits.

8.15.5. The core portion shall be calculated separately for each of the escrow accounts and will remain linked to the respective escrow account. The escrow balance and core portion maintained shall be clearly disclosed in the auditors’ certificates submitted to RBI on quarterly and annual basis.

Note: For the purpose of this regulation, “Core Portion” shall be computed as under:

Step 1: Compute lowest daily outstanding balance (LB) in the escrow account on a fortnightly (FN) basis, for 26 fortnights from the preceding month.

Step 2: Calculate the average of the lowest fortnightly outstanding balances [(LB1 of FN1 + LB2 of FN2 + … + LB26 of FN26) divided by 26].

Step 3: The average balance so computed represents the “Core Portion” eligible to earn interest.

Customer Grievance Redressal and Dispute Management Framework

9.1. PAs shall put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including designating a nodal officer to handle the customer complaints / grievances and the escalation matrix. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible.

9.2. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. Details of the nodal officer for customer grievance shall be prominently displayed on their website.

9.3. PAs shall have a dispute resolution mechanism binding on all the participants which shall contain transaction life cycle, detailed explanation of types of disputes, process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc.

Security, Fraud Prevention and Risk Management Framework

10.1. A strong risk management system is necessary to meet the challenges of fraud and ensure customer protection. PAs shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.

10.2. PAs shall put in place Board approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. Baseline technology-related recommendations for adoption by the PAs are provided in Annex 2. The PGs may also adopt them as best practices.

10.3. PAs shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. The same shall be reported immediately to the DPSS, RBI, Central Office, Mumbai. They shall also be reported to CERT-In (Indian Computer Emergency Response Team) as per the details notified by CERT-In.

10.4. PAs shall not store the customer card credentials within their database or the server accessed by the merchant. They shall comply with data storage requirements as applicable to Payment System Operators (PSOs).

10.5. PAs shall submit the System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.

Reports

The reports to be submitted by authorised PAs are listed in Annex 3.

General Instructions

12.1. PAs shall ensure that the extant instructions with regard to Merchant Discount Rate (MDR) are followed. Information on other charges such as convenience fee, handling fee, etc., if any, being levied shall also be displayed upfront by the PA.

12.2. PAs shall not place limits on transaction amount for a particular payment mode. The responsibility therefor shall lie with the issuing bank / entity; for instance, the card issuing bank shall be responsible for placing amount limits on cards issued by it based on the customer’s credit worthiness, spending nature, profile, etc.

12.3. PAs shall not give an option for ATM PIN as a factor of authentication for card-not-present transactions.

12.4. All refunds shall be made to the original method of payment unless specifically agreed by the customer to credit to an alternate mode.
