RBI redefines Payment aggregators scope and  KYC compliance

The Reserve Bank of India on Tuesday came out with draft guidelines to further strengthen regulations on payment aggregators, a move aimed at boosting the payment ecosystem.

The payments ecosystem in India includes online Payment Aggregators (PA-Os) and Physical Payment Aggregators (PA-P) that cover Point of Sales business, which facilitate face-to-face/proximity payment transactions.

For ease of operations for payment players, the banking regulator has suggested the classification of merchants into small and medium categories. The regulator has defined small merchants as those physical merchants with a turnover of less than Rs 5 lakh per annum. Medium merchants are those with a turnover beyond Rs 5 lakh but up to Rs 40 lakh per annum.

It defined a marketplace as: “An electronic commerce entity which provides an information technology platform on a digital or electronic network to facilitate transactions between buyers and sellers.”

Online payments are routed through escrow accounts, which are a form of pass-through account used to settle digital payments. The RBI has now brought digital payments made at the time of delivery of an e-commerce purchase within the ambit of an escrow account.

The regulator also heightened security measures that PAs need to adopt around monitoring of these merchants. It said PAs need to ensure that merchants are using the services only for their proposed line of business. It has also suggested the imposition of risk-based payment limits on these merchants.

“Given the growth in digital transactions and the significant role that PAs play in this space, the current directions on PAs are proposed to be updated and cover, inter alia, KYC and due diligence of merchants, operations in Escrow accounts, and intended to strengthen the payment ecosystem,” said RBI.

As per the proposed guidelines, for face-to-face/proximity payment transactions done using cards, from August 1, 2025, and no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the Card-on-File (CoF) data. “Any such data stored previously shall be purged,” the draft added.

Banks provide physical PA services as part of their normal banking relationship, and hence, do not require separate authorisation from RBI for the purpose, the circular said. Nevertheless, they shall ensure compliance with these instructions within three months from the date of issue of this circular, it added. However, Non-bank entities providing PA-P services as of the date of this circular, shall inform RBI within 60 days from the issuance of this circular about their intention to seek authorisation. They shall be allowed to continue their operations till they receive communication from the RBI regarding the fate of their application. The notification directed banks to close non-bank PA-Ps by October 31, 2025, unless they provide evidence of applying to RBI for authorisation.

On KYC and due diligence, the draft said the payment aggregators should undertake due diligence of merchants onboarded by them by Customer Due Diligence (CDD) prescribed in Master Directions on Know Your Customer (MD-KYC), 2016. The regulator also heightened security measures that PAs need to adopt around monitoring of these merchants. It said PAs need to ensure that merchants are using the services only for their proposed line of business.

The circular further said non-banks providing PA-P services should have a minimum net worth of Rs 15 crore at the time of submitting an application to the RBI for authorisation and a minimum net worth of Rs 25 crore by March 31, 2028. The net worth of Rs 25 crore shall be maintained at all times thereafter.

The PA-O or PA-P should ensure adherence to the guidelines on governance, merchant on-boarding, customer grievance redressal and dispute management framework, baseline technology recommendations, security, fraud prevention and risk management framework (provided in the March 17, 2020 RBI circular) within a period of three months from the date of this circular. The entity shall ensure compliance with these guidelines on an ongoing basis thereafter. The continued adherence to these guidelines shall be considered while processing the application for authorisation / approval.

“PAs shall ensure that marketplaces onboarded by them do not collect and settle funds for services not offered through their platform,” said the draft on which the RBI has invited comments by May 31, 2024.