The story so far: Following its announcement in June 2022 that it will seek better regulation of offline payment aggregators (PAs) facilitating proximity or face-to-face transactions, the Reserve Bank of India (RBI) floated two consultation papers earlier this month. The first deals with activities of offline PAs, while the second proposes to strengthen the ecosystem’s safety by expanding instructions for Know Your Customer (KYC), due diligence of onboarded merchants and operations in Escrow accounts. The RBI has invited comments/feedback by May 31.
What exactly are the norms about?
Payment aggregators are entities that facilitate payment from customers to merchants — unburdening the latter from creating a payment integration system of their own. The existing guidelines cover their activities in e-commerce sites and other online avenues. The latest draft guidelines propose to extend these regulations to offline spaces, entailing proximity or face-to-face transactions. RBI observed back in June 2022 that the nature of activities carried out by the PAs, both online and offline, is similar. It aspires to bring in “synergy in regulation covering activities and operations of PAs apart from convergence on standards of data collection and storage.”
The proposed norms are elaborate and incorporate lessons from what happened this year with Paytm Payments Bank (PPBL) — albeit in an unrelated space. With expansion of the utility and scope of operations of PAs, RBI appears to be strengthening the ecosystem against any opacity. The PPBL crisis was triggered by, among other things, major irregularities in the bank’s KYC adherence. In fact, the Financial Intelligence Unit (FIU-IND) had imposed a penalty of ₹5.49 crore having found that PPBL “engaged in a number of illegal acts, including organising and facilitating online gambling.” It added that the money generated from it were “routed and channelled through bank accounts maintained by these (illegal) entities” with the PPBL.
Is registration with the RBI being made compulsory?
The primary focus here is on non-bank PAs and within them, the offline extensions. Banks providing physical PA services as part of their normal banking relationship would not require any separate authorisation from the RBI. They are only expected to comply with the revised instructions within three months after they are issued.
Non-banking entities providing PA services at the point of sale (PoS), that is, offline, would have to inform RBI within 60 days (after the circular is issued), about their intent to seek authorisation. The entities would, however, be allowed to continue their operations while their applications are being reviewed. As for non-banking entities providing PA services online – both those authorised and whose applications are pending, would require to seek approval, about their existing offline PA activity, from the Department of Payment and Settlement Systems (DPSS) and the regulator within 60 days of the directions being mandated. This would also apply to any authorised non-banking entity aspiring to enter the online and/or offline PA space in future.
Also Read: PayU gets RBI’s approval to operate as Payments Aggregator
RBI’s directions also stipulate that entities currently engaged in PoS activities must ensure they adhere to guidelines on merchant on-boarding, customer grievance redressal and dispute management, baseline technology recommendations, security, fraud prevention and risk management framework as per the previous framework within 3 months. For entities that would require fresh registration, RBI has said continued adherence to existing guidelines framed in 2020 governing e-commerce transactions, would be viewed positively while processing the applications.
Does it talk about provisions for sustainability?
Borrowing and extending the mandates from their earlier circular, RBI proposes that non-banking entities currently providing proximity/face to face transaction services have a minimum net worth of ₹15 crore when they apply. This would be extended to ₹25 crore by March 31, 2028. The requirements are the same for new applicants, the difference being that a Rs 25 crore net worth requirement would apply at the end of three financial years when the authorisation is granted.
RBI has proposed that existing offline operators unable to comply with the approval-seeking timeframe wind-up their operations by July 31, 2025. Banks will also be directed to close all accounts by the end of October next year should they fail to produce evidence of their application seeking authorisation.
What about KYC requirements?
The purpose of the proposed regulations is to ensure that onboarded merchants do not collect and settle funds for services not offered on their platforms. While KYC is already mandatory, the regulations seek to extend the scope and make the provisions more nuanced.
Also Read: RBI enhances UPI payment limits for healthcare and education
RBI’s proposed instructions categorise merchants into small and medium merchants. Small merchants would constitute physical merchants with an annual business turnover of less than ₹5 lakh who are not registered under the Goods and Services Tax (GST) regime. The regulator proposes that the PAs undertake ‘contact point verification’, that is, collect information physically to establish the existence of the firm. They must also verify the bank accounts in which their funds are settled. Medium merchants, defined as physical or online merchants with annual business turnover of less than ₹40 lakhs who are not registered under GST, would also have to undergo contact point verification. The PA would be expected to establish their existence by verifying one official document each of the proprietor, beneficial owner or attorney holder, and of the stated business.
On an ongoing basis, PAs must ensure transactions undertaken by their merchants are in line with their business profile. Also working on sustainability, PAs must assign risk-based payments to the merchants. And finally, based on their transaction pattern, the merchant could be migrated to a higher degree of due diligence as per existing norms.
Does it also propose storage of card data?
The draft regulations instruct that no entity, other than the card issuer and/or card network, can store data for proximity/face to face payments from August 1, 2025, and direct them to purge data stored previously.
To track transactions and to reconcile them, entities would be allowed to store limited data, that is, the last four digits of the card number and the issuer’s name. The onus for compliance in this domain would also be on card networks.
Disclaimer: The copyright of this article belongs to the original author. Reposting this article is solely for the purpose of information dissemination and does not constitute any investment advice. If there is any infringement, please contact us immediately. We will make corrections or deletions as necessary. Thank you.
