Regulation of Payment Ecosystem by RBI
To lead towards a more standardised and regulated payments ecosystem, the Reserve Bank of India (RBI) issued Guidelines on Regulation of Payment Aggregators and Payment Gateways on March 17, 2020 ("Guidelines"). The Guidelines are a step towards making the fast-changing payment ecosystem more secure.
Payment aggregators and payment gateways are intermediaries that play an important role in facilitating payments in the online space. Over the years, the volume and value of transactions made through cards have increased exponentially. Hence, to improve user convenience and increase the security of card transactions, the Reserve Bank of India has introduced these guidelines.
In terms of the said guidelines, the RBI has prescribed (a) guidelines for regulating activities of Payment Aggregators (PAs); and (b) baseline technology recommendations for Payment Gateways (PGs).
Applicability of New Guidelines
The new set of guidelines issued by RBI is applicable to:
- PAs (for example, companies like PayU, Razorpay, etc.) and PGs (for example, companies like Paytm, Mobikwik, PayPal).
- The domestic leg of import- and export-related payments facilitated by PAs may also adhere to these regulations.
Please note that it is not applicable to the Cash on Delivery (CoD) e-commerce model.
Definition of PAs and PGs
The Guidelines define ‘Payment Aggregators’ and ‘Payment Gateways’ as follows:
Payment Aggregators are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers. They receive payments from customers, pool and transfer them on to the merchants after a time period.
Whereas Payment Gateways are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.
Key Provisions of the Guidelines
The guidelines primarily focus on Definition, Applicability, Authorization, Capital Requirements, Governance, Merchant Onboarding and Customer Grievance Redressal.
- The RBI has mandated payment aggregators to adopt the technology-related recommendations provided in the guidelines.
- The guidelines require all existing non-bank entities offering PA services to seek authorisation from the RBI.
- E-commerce marketplaces providing payment aggregator services have been mandated to discontinue this activity. If such entities wish to pursue PA services, they can do so only through a business separate from the marketplace business, and shall apply for authorisation with the RBI on or before June 30, 2021, through the separate business.
- The guidelines prescribe net-worth criteria which, if not complied with, will require the relevant entity to wind up its payment aggregation business.
- The guidelines provide a comprehensive governance framework for payment aggregators.
Next Steps on the Payment Ecosystem
The guidelines are mostly for businesses to follow. However, there is one provision in the guidelines that a customer taking services from merchants must be aware of. The provision is as follows:
7.4. Merchant site shall not save customer card and such related data. A security audit of the merchant may be carried out to check compliance, as and when required.
It may be understood that the storage of payment card numbers by online merchants, payment aggregators, and e-commerce websites will not be allowed going forward.
Next Steps for Businesses: E-commerce companies and financial institutions involved in credit card transactions may have to change their backend infrastructure relating to card storage in order to comply.
Alternative Mechanism Proposed by RBI
To reduce fraud and safeguard end-user/customer data while transacting online, RBI has proposed an alternative called the Card on File Tokenization (CoFT) framework for processing card-based transactions for online payments.
Tokenization is a globally acclaimed process used by almost 130 countries. It provides an added layer of security to users by converting sensitive card information such as card number, expiry, CVV, and card name to a set of randomly generated numbers known as 'tokens'. Globally, tokenization has led to a reduction in fraud impact on online merchants by an average of 26 per cent.
This has been co-authored by Ria Sharma and Uddeshya Goel.