RBI wants guidelines for online payment aggregators to be extend to offline aggregators, too.
Considering, both online and offline payment aggregators perform the same activities, it seems prudent to extend the current regulations to offline aggregators as well.
The announcement was a part of the Statement on Developmental and Regulatory Policies, released alongside the monetary policy statement on September 30, 2022. RBI also mentioned that a detailed guide will be issued in the coming days.
WHY WAS THIS RECOMMENDED?
Payment Aggregators (PA) framework for online operators was announced in 2020 and mandated only RBI-approved companies to offer payment services to online merchants. With this alteration, these guidelines will get extended to offline PAs as well, with the hope of introducing synergy in regulations covering activities and operations of PAs over all.
Convergence on standards of data collection and storage is one of the objectives. PAs, as per the Guidelines, are required to adopt the technology-related recommendations. It is important to bring the offline PAs at parity with online PAs since offline PAs also manage funds and undertake similar nature of financial activities. The regulatory framework may be similar to online PAs, but detailed guidelines for Offline PAs can be expected to explore the cross applicability.
Payment aggregators are mandated to have in place a customer grievance redressal and dispute management framework along with designated nodal officer to handle customer complaints and grievances.
PAs were already under obligation under the Guidelines to have an adequate information and data security infrastructure and systems for prevention and detection of frauds and have a Board approved information security policy covering a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches.
This change will therefore, further ensure adequate security and data protection along with oversight on Merchant Discount Rate (MDR) and other transaction charge. MDR is the rate charged to a merchant for payment processing services on debit and credit card transactions.
Merchants working with PAs have to consider this fee when managing the overall costs of their business which will now include offline PAs as well. Offline PAs will likely have to cater to the MDR guidelines. Information on other charges such as convenience fee, handling fee, etc., if any, being levied shall also be displayed upfront by such PAs.
PAYMENT AGGREGATOR LICENSES
PAs are a bridge between the merchants and customers and require a PA license and necessary certification from the Payment Card Industry. The PA framework earlier mandated only RBI-approved companies to offer payment services to online merchants, but now, these guidelines require companies to be RBI approved to be offline PAs.
To apply for this license PAs have to apply with the apex bank and have a net worth of INR 15 Crore on the date of their application (or as of FY21). The limit will be increased to INR 25 Crore by the end of FY23.
Following are the documents required for obtaining a PA license:
- Certificate of incorporation of Company received from Registrar of Companies (ROC).
- PAN Card or Address proof of the Directors.
- DSC and DIN of the directors.
- Address proof of the place of business.
- Details of the Bank Account of the Company.
- Business plan of the Company for five years.
- Code testing report by a software agency.
RBI is considering various parameters while granting the approvals. The applications are being rejected based on KYC-related issues, relation with cryptocurrency, and history with certain banned apps among others. Several only-offline players have already applied for the PA license and some have received in-principle approval from the RBI for the licenses under the Payment and Settlement Systems (PSS) Act. The FinTech startups that receive RBI authorization and PA license will come under the direct purview of the Central Bank.
Accordingly, merchants working with unauthorized PAs (ones without the license) would have to delist the PAs within three months of application rejection.
WHAT DOES THIS MEAN FOR OFFLINE PAYMENT AGGREGATORS?
As detailed guidelines are awaited, the offline PAs may have to comply with requirements currently applicable only to online PAs. The major obligation on Online PAs is around storing customer card credentials in their database or the server accessed by the merchant. Prior to these guidelines, RBI has regulated data storage through various circulars on the request of the industry stakeholders.
From January 1, 2022, it has been stated that no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the CoF data i.e. actual debit card/credit card data and any previous data stored, will have to be purged.
Thus, neither the authorized PAs nor the merchants on-boarded by them can store customer card credentials within their database or server.
Post these regulations, offline PAs will have to formulate a Board approved policy for merchant on-boarding with mandatory background check and antecedent check of the merchants, to ensure that such merchants:
- Do not have any malafide intention of duping customers
- Are not selling fake, counterfeit or prohibited products.
- Comply with the Payment Card Industry-Data Security Standards (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS)
Offline PAs will have to adhere to-
- card limit guidelines stated by banks and the refund-to-source framework; and
- comply with data storage requirements as applicable to Payment System Operators (PSOs).
There cannot be limits on transaction amount for a particular payment mode and the responsibility is with the issuing bank or entity.
The card issuing bank shall be responsible for placing amount limits on cards issued by it based on the customer’s credit worthiness, profile, spending nature, etc. PAs are gradually being pushed to a more compliant role since they handle proximity or face-to-face transactions. They are viewed as holders of significant role in the spread of digital payments.
The press release can be accessed here.
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This isn’t an attempt to solicit business in any manner.
Sources: thehindubusinessline.com, bfsi.economictimes.indiatimes.com, inc42.com