On 17 September 2019, the Reserve Bank of India (RBI) issued a discussion paper on Guidelines for Payment Gateways and Payment Aggregators, which seeks to develop a framework to regulate intermediaries such as payment gateways and payment aggregators that facilitate online payments. The paper suggests that these intermediaries be authorised under the Payment and Settlement Systems Act, 2007 (PSSA).
In the Statement on Developmental and Regulatory Policies released with the Sixth Bi-monthly Monetary Policy Statement for 2018-19, the Reserve Bank had announced that a discussion paper would be placed in the public domain for consultation with stakeholders on comprehensive guidelines covering the payment-related activities of payment gateway providers and payment aggregators.
Accordingly, RBI has invited comments on the discussion paper from all stakeholders and members of the public by October 17, 2019.
Highlights of the discussion paper
1. Based on the understanding of the current ecosystem, certain regulatory options and approaches are suggested in this discussion paper for regulating the activities of Payment Aggregators and Payment Gateways.
Option 1 : Continue with the extant instructions with minor changes in respect of definition of ‘T’ and clarify the applicability of the guidelines. ‘T’ is the date and time of charge / debit to the customer’s account used for making payment for purchase of goods / services.
Option 2 : Limited Regulation : Payment Gateways and Payment Aggregators shall follow norms and guidelines in respect of minimum net-worth, merchant on-boarding, timelines for settlement of funds, maintenance of escrow accounts, IT security, etc., and shall be required to submit certain returns to RBI. Payment Gateways and Payment Aggregators would be licensed / registered in a phased manner over a period of time, and supervision would be limited to offsite monitoring.
Option 3 : Full and Direct Regulation : Payment Gateways and Payment Aggregators shall be authorised under the Payment and Settlement Systems Act, 2007 (PSSA). Authorised Payment Gateways and Payment Aggregators shall, if required, maintain the funds received from customers in an escrow account with a scheduled commercial bank. Other requirements include:
- Authorisation / Licencing : The regulations would be applicable to Payment Aggregators and Payment Gateways. Non-bank Payment Aggregators and Payment Gateways shall require authorisation from RBI under PSSA. Entities undertaking Payment Aggregation and Payment Gateway activity shall be companies incorporated in India under the Companies Act, 2013. They shall be given one financial year (from the date of issue of the guidelines) to comply with the entry point norms and the other technology, security, storage, etc., norms issued in this regard.
- Capital Requirements : A minimum net-worth as prescribed for Bharat Bill Payment Operating Units (BBPOUs) (currently ₹ 100 crore) shall be maintained at all times. Existing Payment Aggregators shall comply with this net-worth requirement within one year of the issuance of guidelines by RBI. Entities not able to comply with the net-worth requirement within the stipulated time frame need not apply for authorisation, but shall wind up their payment aggregation business within one year of issuance of the guidelines.
- Governance : The entity shall be professionally managed, and the promoters of the company shall satisfy the fit and proper criteria prescribed by RBI. There shall be a Board approved policy for disposal of complaints / dispute resolution mechanism / time-lines for processing refunds, etc. Entities shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions, whose details shall be prominently displayed on their website.
- Safeguards against Money Laundering (KYC / AML / CFT) Provisions : The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Banking Regulation (DBR), RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all the Payment Aggregators and Payment Gateways along with the provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time.
- Customer Grievance Redressal and Dispute Management Framework : Payment Aggregators shall put in place a formal, publicly disclosed customer grievance redressal framework and dispute management framework, including designating a nodal officer to handle customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. Customer and merchant complaints shall be promptly handled / disposed of by Payment Aggregators and Payment Gateways as per their Board approved policy, within 7 working days of receipt of the complaint by the Payment Aggregator.
- In case Option 3 is exercised, additional regulatory prescriptions / specifications pertaining to licencing, capital requirements, merchant on-boarding, etc., will be applicable. Each of these regulatory prescriptions has been discussed in detail in the paper.
2. The framework will cover :
- The activities of Payment Gateways and Payment Aggregators in online transactions, their capital requirements, governance, safeguards against money laundering (KYC / AML / CFT) provisions, merchant on-boarding, settlement and escrow account management, customer grievance redressal & dispute management framework, security, fraud prevention and risk management framework, Information System Audit, etc.
- The technological prescriptions for Payment Gateways and Payment Aggregators.
3. The framework will not cover :
- Intermediaries who facilitate delivery of goods / services immediately / simultaneously (e.g. travel tickets / movie tickets, etc.) on the completion of payment by the customer i.e., where the delivery is linked to completion of corresponding payment.
- The Cash on Delivery (CoD) e-commerce model, and the processing and settlement of import and export related payments facilitated by Online Payment Gateway Service Providers (OPGSPs), which are guided by instructions issued by the Foreign Exchange Department (FED), RBI.
- e-commerce marketplaces collecting payments for various merchants for transactions in respect of goods and services sold on their platform.
- Other bilateral arrangements of merchants with the aggregators to consolidate and make payments to vendors, agents, etc.
4. The baseline and desirable requirements for payment aggregators in respect of IT systems and security are presented below.
Baseline Requirements
- Information Security Governance: At a minimum, entities shall carry out a comprehensive security risk assessment of their people, IT and business process environment to identify risk exposures, along with remedial measures and residual risks. This can take the form of an internal security audit and an annual security audit by an independent security auditor or a CERT-In empanelled auditor. Reports on risk assessment, security compliance posture, security audit reports and security incidents shall be presented to the Board.
- Data Security Standards: Data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards, transport channel security, etc., shall be implemented.
- Security Incident Reporting: Entities shall report security incidents / card holder data breaches to RBI within a 2-6 hour timeframe. Monthly cyber security incident reports, with root cause analysis and the preventive actions undertaken, shall also be submitted to RBI.
- Merchant On-boarding: Entities shall undertake a comprehensive security assessment during the merchant on-boarding process to ensure that merchants adhere to these minimum baseline security controls.
- Cyber Security Audit and Reports: Entities shall carry out and submit to the IT Committee: quarterly internal and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports; PCI-DSS compliance reports including the Attestation of Compliance (AOC) and Report on Compliance (ROC), with any observations noted and the corrective / preventive actions planned together with their closure dates; an inventory of applications that store, process or transmit customer sensitive data; and the PA-DSS compliance status of payment applications that store or process card holder data.
- Information Security: Board approved Information security policy shall be reviewed at least annually. The policy shall consider aspects like: alignment with business objectives; the objectives, scope, ownership and responsibility for the policy; information security organizational structure; information security roles and responsibilities; maintenance of asset inventory and registers; data classifications; authorization; exceptions; knowledge and skill sets required; periodic training and continuous professional education; compliance review and penal measures for non-compliance of policies.
- IT Governance: An IT policy needs to be framed for the regular management of IT functions and for ensuring detailed documentation in terms of procedures and guidelines. The strategic plan and policy shall be reviewed annually.
- Data Sovereignty: Payment Aggregators shall take preventive measures to ensure that data is stored in infrastructure that does not belong to external jurisdictions. Appropriate controls shall be considered to prevent unauthorised access to the data.
- Data Security in Outsourcing: There shall be an outsourcing agreement providing a ‘right to audit’ clause to enable Payment Aggregators / their appointed agencies and regulators to conduct security audits. Alternatively, the third party shall submit an annual independent security audit report to the Payment Aggregator.
- Payment Application Security: Payment applications shall be developed as per PA-DSS guidelines and complied with as required. Payment Aggregators shall review PCI-DSS compliance status as part of the merchant on-boarding process.