Introduction and implications in a nutshell
As per the Reserve Bank of India’s (the “RBI”) Annual Report, the number of card payment transactions carried out through credit cards and debit cards during 2018 and 2019 was 1.8 billion and 4.4 billion, respectively. Prepaid Payment Instruments (PPIs) recorded a volume of about 4.6 billion transactions valued at INR2129 billion, and these digital payments were facilitated by 82 authorized payment system operators.
The exponential increase in the number of digital payment transactions necessitated the regulation of payment system operations in India. In September 2019, the RBI put out a discussion paper, and on March 17, 2020, the RBI released the final Guidelines on Regulation of Payment Aggregators and Payment Gateways (the “Guidelines”). The Guidelines, which become effective on April 1, 2020, regulate the functioning of Payment Aggregators (“PAs”) in India and specify the technological requirements for PAs and Payment Gateways (“PGs”).
The Guidelines require PAs to be stand-alone entities. This may impact companies like Flipkart and others, whose e-commerce and payments businesses operate under one entity. Separating these businesses may have a foreign investment, valuation and capital gains tax impact. Moreover, operationally also, this may cause issues, because dedicated people will have to be allocated to each entity and overlaps may not be permitted.
Considering the size of the digital payment ecosystem in India, regulating the functioning and ensuring oversight of PAs is a good move, and will also augment consumer confidence in digital transactions. However, the compliance burden on PAs will increase substantially.
Background and jurisprudence
PAs and PGs were mostly unregulated until the RBI released directions for opening and operation of accounts and settlement of electronic payment transactions involving intermediaries in November 2009 (the “2009 Directions”). Under the 2009 Directions, PAs and PGs were treated as intermediaries, and they had to maintain a nodal account with a bank. Additionally, intermediaries had to comply with provisions of India’s Information Technology Act, 2008 and consumer protection laws. However, there was no regulatory framework for capital adequacy, reporting, licensing and governance of PAs and PGs. This void has been filled by the Guidelines.
Over the last decade, various countries have adopted a similar framework. China published its Know Your Customer guidelines in 2016, which also mandated merchant verification. In Europe too, the licensing of payment aggregators was made mandatory from 2017, and rules requiring adequate IT infrastructure were put in place. However, the settlement fund requirement is relaxed in some countries including, South Korea and Brazil. Japan follows a different approach requiring PAs and PGs to hold funds from a merchant or a consumer in a trust or escrow account and deposit the funds in a designated bank account.
A PA is defined as an entity that facilitates e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. In short, PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, and pool and transfer them on to the merchants after a time period.
A PG is an entity that provides technology infrastructure to route and facilitates the processing of an online payment transaction without any involvement in the handling of funds.
The Guidelines apply only to PAs facilitating the online payment model of e-commerce and exempt those operating under the cash-on-delivery model of payment.
Licensing, Break-up and Capital Requirements
All existing PAs will have to obtain a license or authorization from the RBI to operate after June 30, 2021. However, PAs will be allowed to continue their operations until they receive a response from the RBI on their application. E-commerce entities, who offer PG services along with their marketplace, will have to hive-off their PG businesses after June 30, 2021, i.e., the e-commerce business and the payments business will have to operate as stand-alone businesses. The 15-month transition period given to PAs to comply with the Guidelines is a welcome move and will enable existing PAs to implement the requirements of the Guidelines without interruption.
All existing and new PAs will be required to have a net worth of INR150 million (approximately, US$2 million). Existing PAs have been given until March 31, 2021 to achieve this net worth. However, new PAs will have to meet this requirement at the time of the application itself.
Additionally, by the end of the third financial year (i.e., by March 31, 2023), all existing PAs will have to maintain a net worth of INR250 million (approximately, US$3.33 million). New PAs will have to maintain the net worth of INR250 million by the end of the third financial year from the grant of their license or authorization. A certificate from a Chartered Accountant evidencing the fulfillment of the net worth criteria will have to be submitted by all PAs, failing which they will have to close their operations.
In addition to the Guidelines, foreign entities investing in the PA or PG business in India will have to comply with the Foreign Direct Investment (“FDI”) regulations in respect of capital requirements.
Other compliances for PAs
The Guidelines lays down various compliances for the close monitoring of the functioning of PAs. Some of them are discussed below.
Fit and proper criteria: PAs shall be registered as a company under Companies Act, 2013, and the promoter will have to satisfy the “fit and proper criteria” prescribed by the RBI, failing which the application will be rejected. What constitutes “fit and proper criteria” has been left to the discretion of the RBI, thereby causing some confusion and increasing the chances of rejection of an application.
Compliance with other laws: PAs are also required to adhere to other banking laws, directions and guidelines, such as the KYC directions, Prevention of Money Laundering Act and Combating Financing of Terrorism guidelines. Additionally, PAs will have to adhere to the extant provisions of the Payment and Settlement Act, 2007, which prescribes the offences and penalties for non-compliance of the Guidelines and any other directions of the RBI.
Merchant on-boarding: PA entities are required to create a Board approved policy for on-boarding of merchants on their platform. A background check and frequent security audit of merchants also needs to be undertaken.
Settlement and Escrow Accounts: Similar to the 2009 Directions, PAs are required to set up nodal or escrow accounts with banks for the settlement of transactions. However, now the Guidelines provide an extensive framework to be followed by PAs for each transaction, including the turnaround time and the minimum balance requirement in the escrow account. An extensive framework of the settlement of funds and processing of transactions will reduce any risk and help in the smooth functioning of the PAs.
Customer Grievance Redressal Framework: PAs must put in place a customer grievance redressal framework, including the appointment of a Nodal Officer, outlining a clear mechanism for handling consumer complaints, and explaining the process of dealing with complaints, all of which should be prominently displayed on the PAs’ websites.
Security, Fraud Prevention and Risk Management Framework: A strong security infrastructure, information security policy and mechanism for monitoring and handling of cybersecurity incidents and breaches are required to be put in place by all PAs. Additionally, any incident or data breach is required to be reported immediately to the RBI.
Data Privacy and Storage: PAs, as well as their merchants, are not allowed to store customer data or credentials on their servers. PAs are required to follow the RBI’s guidelines on Payment System Data for data privacy. With the Personal Data Protection Bill still pending in Parliament, stringent data privacy rules under the Guidelines will come as a relief for customers.
Reporting Requirements: Various monthly, quarterly and annual reporting requirements have been put in place to monitor the functioning of PAs. This includes submitting a net worth certificate, audited annual reports by September 30, IS audit reports and cybersecurity audit reports by May 31, quarterly auditor’s and banker’s certificates, and monthly statistics of transactions handled by PAs. Additionally, some non-periodic reporting requirements such as declaration and undertaking by the director and submission of cybersecurity incident report have been put in place in the Guidelines.