The rapid transformation of the Indian economy into a cashless one, particularly with the establishment of e-commerce as a legitimate mode of consumerism, there has been an equally urgent need for innovating and adopting digital payment systems. On one hand, there was a need to bring the required technology into the foray and on the other hand, there needed to be a regulatory framework in place to govern the digital payment providers and systems. At its most nascent stage, the electronic payments space was regulated by Section 18 read with section 10(2) of the Payment and Settlement Systems Act, 2007 (the “PSS Act”). The aim of the PSS Act was to ensure a safe and effectual system of payments and settlement. At the time of its implementation, transactions were heavily dependent on cash or bank transfer, however, with the evolution of the digital payments system, these service providers came to be regulated by the Intermediaries Directions (“Intermediary Directions”) issued by the Reserve Bank of India (“RBI”) vide notification dated 24.11.2009. Under this scheme, banks were required to maintain a nodal account of the intermediaries with permissible credits and debits as also the settlement cycle for credit to the merchants’.
The RBI analysed the current regulatory framework in place by way of a discussion paper which ultimately paved the way for the RBI to issue detailed guidelines (“Guidelines”) applicable to payment aggregators (“PAs”), which came into effect from 01.04.2020. The Intermediary Directions, in their definition of ‘intermediaries’ included every available kinds of electronic payment system and made no distinction between payment gateways and payment aggregators. However, the Guidelines make a departure from the earlier position and have expressly differentiated between PAs and payment gateways. PAs have been defined as entities that act as facilitators between merchants and customers and in this process, receive, pool and subsequently transfer the payments made by the customer to the merchants. In India, these entities include fintech startups such as PayU, Instamojo, Paytm, Razorpay amongst others. In contrast, payment gateways are merely the technology and infrastructure providers for the smooth functioning of the electronic payment system.
BASIC TENETS OF THE GUIDELINES
Authorization: Non-bank PAs will now require authorisation from RBI under the Guidelines. Existing non-bank entities offering PA services, will need to apply for authorisation before 30.06.2021 and can function without any disturbance to their operations till approval from RBI. E-commerce marketplaces will need to separate their PA business from their market place business.
Capital Requirements: PAs will need to initially have a minimum net worth of INR 15 crores whether applying fresh or already existing. Thereafter, the net worth will need to be increased to 25 crores within the time prescribed under the Guidelines. The net-worth of INR 25 crores shall always be maintained thereafter.
Governance: The Guidelines make it obligatory on the PAs to communicate any change in control or ownership to the RBI and also disclose all the details pertaining to handling complaints, refund / failed transactions, return policy etc.
Anti-Money Laundering: The Guidelines make the Prevention of Money Laundering Act, 2002 applicable on the PAs. PAs must also follow the Know Your Customer (KYC) directions as prescribed in the “Master Direction – Know Your Customer (KYC)”.
Merchant On-boarding: PAs are required to undertake background and antecedent check of the merchants, to ensure that such merchants do not have any malafide intention of duping customers and do not sell fake / counterfeit / prohibited products, etc.
Settlement/Escrow Account: PAs are required to set up one escrow account with a scheduled commercial bank for the funds they collect. The account can be used by the PAs only for debits and credits specified in the Guidelines and not for Cash on Delivery transactions. The RBI has also prescribed strict timelines within which PAs must settle amounts with merchants.
Customer Grievance Redressal and Dispute Management Framework: PAs are obligated to put in place a formal, publicly disclosed customer grievance redressal and dispute management framework.
Security, Fraud Prevention and Risk Management: PAs are required to ensure prevention of fraud and ensure customer protection and to this end, they are mandated to put in place a Board approved information security policy, establish mechanisms for handling cybersecurity incidents and breaches and submit System Audit Reports to the RBI.
DISECTING THE GUIDELINES
While the guidelines are a positive step towards customer protection, certain clarifications need to be addressed:
- Intermediary Directions are still in force and have not been expressly repealed, having both the Intermediary Directions and Guidelines regulating the digital payment system is only likely to create conflict;
- While not expressly stated, a possible argument could be that PA services relating to instant delivery on payment (such as purchase of tickets online or movie tickets -etc.) are not covered, considering the definition of PA under the Guidelines and certain other provisions thereto
- The definition of “Net-Worth” includes compulsorily convertible preference shares which essentially means that the RBI, for the purposes of Net-Worth of the PA, is treating the preference shares as equity shares even before conversion. Consequently, any right to redeem the preference, capital prior to conversion, under any agreement may not be possible under the Guidelines. PA entities are heavily funded by institutional investors and such investors often require a right to redeem capital on such convertible securities on occurrence of an event now with the Guidelines this right may pose a challenge to the investors resulting in maybe innovative structures by such investors. Further, the Guidelines make it obligatory on the PA to inform the RBI regarding any change in control or management of the PA entity this can result in more RBI scrutiny on such investors considering institutional investors do not hold shares for long time in such PA entities;
- The Guidelines also place an obligation on the PAs to monitor the merchant to ensure that no counterfeit/fake/prohibited products are being sold to the customer. The PA is now necessarily responsible for obtaining security assessment reports from time to time from the merchants in order to check their technical soundness and to ensure that they comply with the baseline data privacy standards. Considering that the role of the PAs is to merely act as a facilitator between the customer and merchant, this task seems particularly onerous. Further, no specific parameters have been provided on how to carry out the antecedent check to ensure that the merchants have no malafide intent. Accordingly, PA’s will need to be extremely careful while on boarding such merchants so as to avoid any penalties under the Guidelines for breach of this obligation. As a way forward, it may be advisable for PA’s to explore structures such as asking for a security deposit from the merchants or any post-dated cheques covering the penal amount or other amounts as maybe be mutually agreed.
While the aforementioned ambiguities would need to be clarified by the RBI in the form of FAQs or notifications, the Guidelines are in conformity with the increasing push for a digital payment ecosystem and a cash-less economy and most certainly, are the right step forward towards achieving transparency, accountability and consumer protection.
 Notification no: RBI/2009-10/231 , DPSS.CO.PD.No.1102 /02.14.08/ 2009-10, November 24, 2009 [available on https://rbidocs.rbi.org.in/rdocs/notification/PDFs/DOIPS241109.pdf] last accessed on 27.07.2020
 Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators; Reserve Bank of India Department of Payment and Settlement Systems [available on https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/DPSSDISCUSSIONPAPEREFCF5B7E17F9431185BD4FD57E540F47.PDF] last accessed on 27.07.2020.