A critique of the payment gateways and payment aggregators guidelines

The Reserve Bank of India (“RBI”) on March 17, 2020 issued guidelines[1] (“Guidelines”) to regulate previously unregulated payment aggregators and payment gateways. The Guidelines came into effect from April 1, 2020. While the Guidelines are a progressive step towards regulating the activities of payment aggregators, given their role in effecting a payment transaction, they have thrown up more questions and concerns. Below is an overview of various points that we hope the RBI will clarify in the near future in order to avoid ambiguity and ensure absolute compliance by the various players in the sector.

Compliance timeline

The Guidelines state that they shall come into effect from April 1, 2020, other than for activities for which specific timelines are mentioned. Thereafter, an extension of the timeline was notified[2] by the RBI on June 4, 2020. The said notification confirmed that the activities for which specific timelines are not mentioned, and which were supposed to come into effect from April 1, 2020, will now come into effect on September 30, 2020.

While clause 3.4 of the Guidelines states that existing non-bank entities offering payment aggregation services are required to apply for authorisation on or before June 30, 2021, and that such entities will be allowed to continue their operations till they receive communication from the RBI regarding the fate of their application, it is unclear whether existing non-bank payment aggregators can continue to provide payment aggregation services as is, or whether any compliances are required to be met by them before September 30, 2020, prior to actually receiving a licence from the RBI.

Compliance with KYC directions

The Guidelines state that the ‘Master Direction – Know Your Customer (KYC) Directions’[3] (“KYC Directions”), as updated from time to time, shall apply mutatis mutandis to payment aggregators.

The KYC Directions require regulated entities (in this case – payment aggregators) to undertake KYC of customers on the commencement of an account-based relationship with the customer.

It is uncertain whether a payment aggregator that is providing payment aggregation services to various merchants will have to undertake KYC for each merchant, even though there is no account-based relationship between the payment aggregator and such merchants.

Further, merchants are appropriately verified and KYC-ed at the time of bank account opening and on-boarding. The transactions take place between merchants and their customers who have already undertaken the relevant KYC checks while opening their respective bank accounts. Therefore, the obligation on payment aggregators to undertake KYC of the merchants appears to be fairly onerous as each payment aggregator could have over a million merchants.

Background check of merchants

Clause 7.2 (Annex 1) of the Guidelines states that payment aggregators must undertake background and antecedent checks of the merchants to ensure that such merchants do not have any mala fide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. The merchant’s website shall clearly indicate the terms and conditions of the service and the timeline for processing returns and refunds.

The Guidelines do not specify whether this requirement extends to payment aggregators in instances where the payment aggregator provides its services to an e-commerce entity (which onboards sub-merchants), and whether the payment aggregator will be required to undertake KYC for the sub-merchants as well, since the delivery of goods and services is by the sub-merchants.

Further, the Guidelines do not contemplate a scenario whereby a merchant may use the payment aggregator’s services solely for the collection of payments from its customers while the actual transactions with respect to delivery of goods or provision of services would be conducted offline. Undertaking background checks for merchants who sell their goods or services offline and do not have a website would not be a commercially feasible process.

The Guidelines also impose an obligation on payment aggregators to undertake checks on their merchants to verify whether appropriate terms and conditions have been uploaded on the merchant website. The Guidelines do not address instances where a merchant may not have its own website or may have availed listing services provided by third parties, and will therefore be unable to display terms and conditions. This requirement is not feasible and would be difficult for a payment aggregator to comply with.

Compliance with PCI-DSS and PA-DSS Standards

Clause 7.3 (Annex 1) of the Guidelines states that payment aggregators will be responsible for checking Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded, whereas clause 7.4 (Annex 1) states that the merchant site shall not save customer card and related data, and that the payment aggregator may carry out a security audit of the merchant to check compliance, as and when required.

There appears to be a contradiction between clauses 7.3 and 7.4. It is unclear why merchants would be required to undertake PCI-DSS and PA-DSS compliance if they are not permitted to save any card-related data as per clause 7.4.

Further, the requirement to comply with PCI-DSS and PA-DSS may be onerous on small businesses such as sole proprietorships and MSMEs, and will impede their operations and their ability to use online payment modes on account of such restrictions.

Conflict with Nodal Account Guidelines, 2009

In 2009, the RBI introduced the ‘Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries, 2009’[4] (“Nodal Directions”). These Nodal Directions also detailed the timelines for all final settlements to merchants that banks and intermediaries need to comply with while operating a nodal account.

Since both the Nodal Directions issued in 2009 and the Guidelines issued in 2020 pertain to the same subject matter, i.e. the role and responsibilities of intermediaries (payment aggregators) with respect to the settlement of funds between a customer and a merchant, the RBI should clarify whether the Nodal Directions issued in 2009 would continue to apply despite the separate Guidelines issued by the RBI in this regard. Additionally, as both the Guidelines and the Nodal Directions detail the timelines that ought to be followed by an intermediary/payment aggregator for settlement of funds, the co-existence of these regulations only creates ambiguity and confusion.

Non-periodic reporting

With respect to non-periodic reporting mentioned in Annex 3 of the Guidelines, it is stated that ‘Report from Banks in Compliance with para 3.6 of Annex 1 – One time report should be sent by April 15th, 2021 to the RBI’.

Clause 3.6 states: ‘E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed at clause 3.4 above. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021.’

It is unclear whether payment aggregators will be required to send the report from the bank by April 15, 2021 or by June 30, 2021, since the separation of businesses is required to be undertaken by June 30, 2021. Additionally, the Guidelines fail to clarify what aspects of the separation of the business banks are expected to report on, and whether such banks would be in a position to confirm such compliance.

Escrow account

Clause 8.6 (Annex 1) states that payment aggregators shall be permitted to pre-fund the escrow account with their own / the merchant’s funds. However, in the latter scenario, the merchant’s beneficial interest shall be created on the pre-funded portion.

Since a single escrow account will be opened by a payment aggregator, the Guidelines are unclear on how multiple beneficial interests will be created in favour of merchants who will pre-fund the escrow account, or whether the escrow account will have to be segregated into separate virtual private accounts or sub-accounts for creation of a beneficial interest in favour of each merchant.

The RBI also seems to have overlooked the business continuity and disaster recovery management processes that a payment aggregator would implement, while mandating that only one escrow account be maintained by a payment aggregator. This may make it difficult for payment aggregators to operate efficiently and seamlessly in the event of technical glitches with the escrow bank.

Data storage

Clause 10.4 (Annex 1) states that payment aggregators shall not store customer card credentials within their database or on the server accessed by the merchant, and shall comply with the data storage requirements applicable to Payment System Operators (PSOs).

Additionally, clause 1.2 of Annex 2 (Baseline Technology – Related Recommendations) states that payment aggregators shall implement data security standards and best practices like PCI-DSS, PA-DSS, etc.

Clause 10.4 and clause 1.2 mentioned above appear to contradict each other. Clause 1.2 requires payment aggregators to implement PCI-DSS and PA-DSS (which are required to be carried out by entities that store, process and transmit cardholder data), whereas clause 10.4 states that payment aggregators shall not store customer card credentials.

It is also unclear whether payment aggregators can store customer card credentials in a separate database on a server which is not accessed by the merchant, since the restriction appears to apply only to storing customer card credentials within the database or on the server accessed by the merchant.

Security Assessment of merchants

While clause 1.3 of Annex 2 states that payment aggregators should undertake a comprehensive security assessment during the merchant on-boarding process to ensure that the minimal baseline security controls are adhered to by the merchants, it is uncertain how payment aggregators shall meet this requirement if the merchants that use payment aggregation services operate through offline means such as a brick-and-mortar shop.

Further, the requirement to comply with minimal baseline security controls as specified in the Guidelines may impose significant costs on small merchants and may restrict them from using payment aggregation services.

Conclusion

Considering the increasingly significant role that payment aggregators play in the digital payments ecosystem, the Guidelines are a welcome move in terms of providing additional security and protection to customers of e-commerce entities and merchants. We await clarifications from the RBI with respect to the highlighted issues; a clearer articulation of the regulatory objectives behind the Guidelines will indeed provide the much-needed certainty to payment aggregators for them to structure their business in line with the Guidelines.


[1] Accessible at – https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0

[2] Accessible at – https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11910&Mode=0

[3] Accessible at – https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

[4] Accessible at – https://www.rbi.org.in/scripts/NotificationUser.aspx?Mode=0&Id=5379

For any questions or clarifications, please reach out to Mathew Chacko or Ankita Hariramani.