Payment Aggregators and Gateways – India’s Regulatory Framework

Over the last few years, India has witnessed huge disruptions in the fintech landscape. One key trend that has consistently powered this is the emergence of non-bank intermediaries that offer online payment solutions for digital transactions in the e-commerce space. This proliferation of e-commerce intermediaries has propelled the adoption of electronic payments and induced payments ecosystem stakeholders to innovate and provide technologically advanced and new age payment solutions to enable customers to transact seamlessly and help merchants to accept payments in a secure and timely manner. These intermediaries act as a bridge between the merchants of goods and services and the buying customers.

Indian regulators have recognised this trend and have tried to keep pace with the rapidly changing environment by attempting to create a balance between technology and customer expectations.

To safeguard customers’ interests and ensure intermediaries facilitate the collection of customer payments and remit those, without undue delay, to the merchants, who have supplied goods and services, the Reserve Bank of India (“RBI“) introduced the regulatory framework for payment intermediaries (“intermediaries“) in 2009.

Regulation of Intermediaries

Over the years, intermediaries engaged in facilitating collection of customers’ electronic payments and onward settlement of those payments to merchants have been governed by the “Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries” that were issued by the RBI in November 2009 (“Intermediary Directions“).

The Intermediary Directions were issued under the Payment and Settlement Systems Act, 2007 (“Payment Systems Act“), which regulates payment systems in India. A payment system is a system that enables payments to be effected between a payer and a beneficiary and includes clearing, payment and/or settlement services. While the Payment Systems Act does not prescribe the scope of a clearing or payment service, a settlement service means settlement of payment instructions and transactions involving payment obligations. Under the Payment Systems Act, an entity that wishes to operate a payment system is required to obtain prior authorisation from the RBI.

The Intermediary Directions, however, provided a special dispensation to intermediaries that freed such bodies of the requirement to obtain an authorisation from the RBI. This was granted because intermediaries facilitate the collection and settlement of funds through an internal account of a bank (“nodal account“) and are not involved in actual clearing, payment or settlement services for payment obligations between customers and merchants.

With the large-scale adoption of digital payments, rapid changes in the payment systems and emergence of numerous players in the payments ecosystem, the RBI, under the “Vision Statement on Payment and Settlement Systems in India: 2019-2021”, expressed its intention to revamp the existing regulations for intermediaries and introduce comprehensive guidelines to regulate various facets of payment related activities carried out by payment gateway service providers and payment aggregators. Towards this objective, the RBI released a discussion paper on the “Guidelines for Payment Gateways and Payment Aggregators” in September 2019, seeking public comments on how the new guidelines should look and the nature of regulatory intervention and prescriptions that would be appropriate for the industry.

Based on the feedback received, and having considered the critical functions performed by intermediaries in the online payments space, the RBI issued the “Guidelines on Regulation of Payment Aggregators and Payment Gateways” (“Guidelines“) in March 2020. The Guidelines were proposed to come into effect from April 1, 2020; however, the RBI has recently deferred this to September 30, 2020.

Aggregators versus Gateways

Under the Guidelines, the RBI categorises intermediaries into payment aggregators (“aggregators“) and payment gateways (“gateways“).

The aggregators are intermediaries that help merchants make available payment methods (for electronic payments) to customers; collect payments from customers; pool funds received from customers towards the amounts due to merchants; and transfer funds to merchants to settle customers’ payment obligations.

On the other hand, gateways are intermediaries that provide technology infrastructure to route and facilitate the processing of online payments. They are technology providers that offer support for and integrate routing and processing of electronic payments, for instance by disseminating transaction data. The RBI has created this distinction between intermediaries (under the Guidelines) based on the role that an entity plays in handling funds.

In a nutshell, aggregators are intermediaries that actually handle funds; and gateways are intermediaries that have no connection to the funds.

Who needs authorisation?

Any non-bank entity that wishes to operate as an aggregator will be required to obtain RBI authorisation to operate a payment system under the Payment Systems Act. However, entities that propose to function as gateways do not require any RBI authorisation.

The Guidelines also govern the operations of existing intermediaries (to the extent that their activities constitute those of an aggregator), as well as e-commerce marketplace entities that perform aggregator functions. They require such entities to obtain an RBI authorisation by June 30, 2021. The e-commerce marketplaces that intend to continue their aggregator business also need to separate the marketplace business.

The key conditions that aggregators need to adhere to are:

· Local presence: aggregators must be structured as a company incorporated in India.

· Capitalisation: aggregators must have a minimum net-worth of Indian rupees 15 crores at the time of applying for authorisation, which will need to be increased to Indian rupees 25 crores within 3 financial years and thereafter maintained going forward.

· Governance: aggregators must be professionally managed and operated. The promoters must satisfy the “fit and proper criteria” prescribed by the RBI. A declaration is also required from the aggregator’s directors, with information about proceedings against them.

· Governance: aggregators need to disclose information about merchants’ policies, customer grievances, privacy policy and other terms and conditions, on their website or mobile application. They must also have board approved policies for disposal of complaints and dispute resolution mechanisms and timelines for processing refunds.

· Anti-money laundering: aggregators need to adhere to the guidelines relating to know your customer (“KYC“), anti-money laundering (“AML“) and combating financing of terrorism (“CFT“) under the “Know Your Customer (KYC) Directions” issued by the RBI, as well as the provisions of the Prevention of Money Laundering Act, 2002.

· Merchant related compliances: aggregators need to have a board-approved merchant onboarding policy and must perform background and antecedent checks of merchants to ensure that they do not have a malafide intention to dupe customers or sell fake, counterfeit or prohibited products. Aggregators must also ensure merchants’ infrastructure complies with Payment Card Industry-Data Security Standard (“PCI-DSS“) and Payment Application-Data Security Standard (“PA-DSS“). They additionally need to ensure the security and privacy of customer data by merchants, as a part of which merchants have been restricted from storing customers’ card details.

· Customer grievances: aggregators need to implement a customer grievance redressal and dispute management framework. Also, aggregators need to designate a nodal officer to handle regulatory and customer grievances.

· Security and risk management: aggregators need to have a board-approved information security policy and also need to put in place a strong risk management system, adequate information and data security infrastructure and systems for prevention and detection of frauds.

· Audits: similar to most payment systems, aggregators also need to conduct an annual system audit and cyber security audit.

Nodal account and escrow account: While intermediaries were required under the Intermediary Directions to maintain a nodal account with a scheduled commercial bank in India, the Guidelines direct non-bank aggregators to operate an escrow account with a scheduled commercial bank (escrow account) to collect, pool and disburse funds to merchants.

Like a nodal account, the escrow account is also highly regulated. The Guidelines prescribe a list of debits and credits that are permitted to and from the escrow account, as well as settlement timelines from the escrow account to merchants. While interest is not payable on the amount held in the escrow account, the aggregator may agree with the bank to transfer a “core portion” of the amount from escrow account to another account, on which interest may be payable.

Tech Recommendations: In addition to the authorisation requirement and the wide-ranging framework for aggregators, the Guidelines lay down certain baseline technology-related recommendations (“Tech Recommendations“). These include requirements in respect of information security governance, data security standards, security incident reporting, cyber security audits, IT governance, data security in case of outsourcing and measures to be taken in relation to the competency of staff and vendor risk management, amongst other things. Adherence to the Tech Recommendations is mandatory for aggregators and optional for gateways, which may implement them as a matter of good practice.

The path ahead

With the introduction of the Guidelines, the RBI has distinguished intermediaries into two distinct groups: aggregators, which handle funds; and gateways, which are not exposed to funds.

The role that an intermediary intends to perform in collection, processing and settlement of funds, in terms of handling the funds, is the decisive factor behind whether an intermediary is considered an aggregator, which will need an authorisation from the RBI, or a gateway, which can benefit from a much more liberal regime. Being directly regulated by the RBI, an aggregator will need to satisfy a substantially higher level of regulatory requirements than a gateway, for whom the adherence to the Tech Recommendations is also optional, i.e. gateways are not under a mandatory regulatory requirement to adhere to the Tech Recommendations.

A liberalised approach for gateways is a welcome move from the RBI for tech-apps, pure-play tech gateways and IT service providers, none of which touch funds. To operate as a gateway, an intermediary will need to ensure that it does not facilitate the collection of payments from customers, pooling of funds, or settlement of funds to merchants to discharge customers’ payment obligations.

As a departure from the Intermediary Directions, any intermediary that handles funds and consequently operates as an aggregator, will need to have a local presence. Through the Guidelines, the RBI has placed an emphasis on customer protection and security and fraud prevention. Aggregators need to put in place effective consumer grievance redressal and dispute management frameworks, and appoint a nodal officer for regulatory and customer grievance handling, among other things.

Besides customer protection, the Guidelines introduce incremental merchant-related obligations. Some of these requirements could be operationally quite burdensome and challenging for aggregators. In today’s times, even e-commerce marketplaces do not provide any assurances with respect to the quality of the merchants’ products that are sold on their websites; hence expecting aggregators to conduct product-related checks for merchants may not be reasonable. On most occasions, aggregators may not even be aware of the nature of the product for which a payment is being made.

Fate of the Intermediary Directions

The Guidelines do not expressly supersede the Intermediary Directions, as a result of which two divergent schools of thought on the fate of the Intermediary Directions seem to have emerged in the industry.

The popular view is that the spirit in which the Guidelines have been introduced by the RBI is to govern operations of all kinds of intermediaries going forward, irrespective of whether they handle funds as aggregators or route online transactions using their technological infrastructure as gateways. The discussion paper on the Guidelines, published in September 2019 prior to the issuance of the Guidelines, made it clear that the RBI’s intent was to revise the existing framework embodied in the Intermediary Directions. Hence, it is unlikely that two sets of regulations will regulate intermediaries simultaneously. Accordingly, any interpretation that the Guidelines and the Intermediary Directions co-exist may not be correct.

However, on the other hand, there is a section in the industry arguing that the absence of an overriding provision under the Guidelines indicates that the RBI wants the Intermediary Directions to continue to exist, at least until June 2021 – the time period granted to existing intermediaries to migrate to the Guidelines. They contend that the RBI proposes to regulate only pure play payment intermediaries (namely, aggregators and gateways that are involved in providing payment processing services to merchants) through the Guidelines. In this regard, this view seems to suggest that merchant aggregator websites or e-commerce marketplaces that collect payments on their own platforms and facilitate the settlement of such payments to their end merchants (as an ancillary function) should still continue to be governed by the Intermediary Directions.

In our view, in the absence of any such distinction drawn by the RBI, the regulatory framework under the Guidelines should be applicable to all intermediaries, agnostic of whether they undertake payment facilitation for their own websites and marketplaces or for third-party merchant websites. In this context, it is imperative to note the Guidelines unambiguously clarify that e-commerce marketplace entities that perform aggregator functions need to separate the aggregator function from their marketplace activities and apply for an authorisation as an aggregator.

We expect the RBI to come out with guidance and clarifications to put these discussions to rest.

Authors:

Rachit Bahl, Partner
Rohan Bagai, Partner
Arjun Uppal, Senior Associate

Published In: Asia Fintech Special Focus 2020 - India
Date: July 16, 2020