RBI Could Begin Regulating Payment Gateways And Aggregators

The Reserve Bank of India is looking to bring payment gateways and aggregators under its regulatory ambit citing potential risks as digital transactions continue to rise in India.

The current payment gateway ecosystem for online transactions could be a source of risk if operators have lax governance practices, according to a discussion paper uploaded on the central bank’s website. That could impact customer confidence and experience, it said.

The paper defines such companies as non-bank entities that provide technology infrastructure to facilitate processing of an online payment and other services without handling the funds. They could be engaged by banks, merchants or utilities. While gateways are encrypted web pages generated every time a customer makes an online transaction, aggregators provide a channel to accept card payments or bank transfers.

Paytm, Freecharge, Citus Pay, PayU, CC Avenue, Paypal, Instamojo, Atom Technologies and Razorpay are among the numerous companies offering payment gateway and aggregator services in India.

While many were standalone operators providing many payments services, newer entrants include e-wallet players, fintechs and international platforms.

The RBI, the paper suggests, could approach regulating such entities in one of three ways:

  • Continue with existing instructions, with minor changes, wherein payment gateway operators and aggregators are indirectly regulated through nodal banks.
  • Operators to follow RBI norms on minimum net-worth, merchant on-boarding, IT security, among others. Licences will be issued for a period of time and only off-site monitoring would take place.
  • Full and direct regulation of operators through the Payment and Settlement Systems Act, 2007. Existing players will be given a year to comply with the required capital norms and operators would be subjected to on- and off-site monitoring.

Under the direct regulation regime, some gateway providers and aggregators that are primarily engaged in e-commerce would need to separate the two businesses as they are subjected to dual regulation, the central bank’s paper said. These entities will need to stop all payments-related activity within three months of the RBI issuing guidelines. Separate entities will have to comply with the RBI’s instructions after applying for a licence.

Currently all payment gateway operators must follow international security standards such as PCI-DSS, USSD gateway protocols and encryption standards, depending on the nodal banks they operate with, Dewang Neralla, chief executive officer, Atom Technologies said.

“The intention here isn’t to regulate pricing of payment gateway and aggregator services among players in the industry, but to ensure there are appropriate governance norms and adequate capital behind each entity so that there is no systemic risk problem in the future,” Neralla said.

We welcome the intention to regulate the industry given that so far payment gateway operators and aggregators did not have a “seat on the table for discussions” when it comes to various payment industry regulations, Harshil Mathur, co-founder and chief executive officer of Razorpay, told BloombergQuint.

“Gateways are regulated through banks, which creates opaqueness in the system and without clear-cut guidelines there was a lot of unnecessary arbitrage in the payments system,” he said. “Regulations will help eliminate this arbitrage and make things clearer for the entire industry in terms of capital requirement, governance and KYC norms for example.”

A New Regulatory Regime

The proposed regulatory framework would cover the capital requirements for gateway operators and payment aggregators, governance standards, know-your-customer and anti-money laundering safeguards, fraud prevention, risk management framework and IT security aspects, among other requirements.

Each entity needs to appoint a nodal officer and formulate a customer grievance redressal and dispute management framework.

Unlike pre-paid instruments like e-wallets, where the customer’s money is directly involved, payment aggregators or payment gateways act as a pass-through, Neralla said. “Therefore, it depends on the merchants to provide services and handle customer enquiries.”

Further, the paper says that since banks are already regulated by the RBI, the gateway services provided by them do not require separate authorisation. However, they will have to comply with the RBI’s prescriptions for all operators when the regulations are published.

Where banks act as payment aggregators, they will have to obtain authorisation under Payment and Settlement Systems Act, 2007, the paper said.

If the RBI decides to fully and directly regulate these operators:

  • All non-bank operators will require authorisation from the RBI.
  • Existing operators will be given a year to comply from the date the guidelines are issued.
  • Minimum net worth of Rs 100 crore to be maintained at all times. Existing operators will have a year to comply, others will have to wind up operations.
  • Compliance with technology requirements on security and privacy of data as well as on storage of payment data.
  • KYC and due diligence should be done when on-boarding merchants.
  • Transition from nodal account to collate customer funds and settle merchant transactions to an escrow-like facility.

The RBI has invited comments from all stakeholders and the public by Oct. 17.
