Technology Law Analysis

Licensing Regime Introduced for Payment Aggregators: E-Commerce Industry to Undergo Significant Change

• Payment aggregators to require an authorization for operating in India.
• Minimum net worth criteria along with heightened governance and security compliances prescribed.
• New structure and mechanism for settlement of transactions.
• Payment gateways largely remain untouched but privacy and security by design recommended.

The Reserve Bank of India (“RBI”), India’s central and apex bank on March 17, 2020 issued detailed guidelines¹ (“Guidelines”) applicable to payment aggregators (“PAs”), which shall come into effect from April 1, 2020. Going forward PAs will need to an authorization / license to operate from the RBI. No authorization /license is prescribed for payment gateways (“PGs”). While Guidelines recommend certain good practices for PGs, they are not mandatory.

Since 2009, RBI regulated entities who were facilitating payments between users and merchants using any electronic / online payment mode, via intermediary directions dated November 24, 2009² (“Intermediary Directions”).

The RBI had earlier in September last year floated a discussion paper³ (“Discussion Paper”) wherein it was exploring regulating PAs and PGs, given that they form a critical link in the online world of commerce. Some key concerns raised by the RBI in the Discussion Paper were:

1. The activities of PAs and PGs in online transactions are extremely crucial and such entities may be a source of risk, if they have inadequate governance practices that may impact customer confidence and experience.
2. A customer has very limited recourse to PAs and PGs and must rely on merchants or banks who in turn seek redressal from the PAs.
3. Being part of the payments process chain, these entities also handle sensitive customer data. Hence, managing customer data, data privacy and know-your-customer (KYC) requirements of merchants are important from a security and customer confidence perspective.

Basis the above, it appears that the Discussion Paper paved the way for the said Guidelines. For ease of reference, we have sought to break down the Guidelines in a Q&A format as detailed below.

1. WHAT ARE PAS AND PGS?

The Guidelines define ‘payment aggregators’ as “entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.”

Thus, PAs are those entities that facilitate payments to merchants, and that receive, pool and transfer user payments to the merchants as part of the facilitation process.

On the other hand, ‘payment gateways’ are defined as “entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.”

Thus, PGs under the Guidelines may be limited to entities providing authentication services, back-end infrastructure or technology integrations services which assist in the payment ecosystem.

However, this understanding would need to be further examined basis the existing law on intermediaries (as discussed in the below Q&A).

2. WHO DOES THE GUIDELINES EXTEND TO?

The Guidelines are specifically applicable to PAs, though there are also recommended good practices (non-binding) for PGs, such as security and data retention related measures. The Guidelines even apply to domestic legs of import and export related payments facilitated by PAs.

The Guidelines do not apply to cash-on-delivery e-commerce models.

3. WHEN DO THE GUIDELINES BECOME EFFECTIVE?

Any new entity that intends to offer the services of a PA post April 1, 2020, would be subject to the said Guidelines. Thus, with effect from April 1, 2020 any new entity intending to provide PA services can only do so post authorization from the RBI.

For existing PAs, they need to apply for RBI authorization on or before June 30, 2021 and then they would be allowed to continue operations until they hear back from the RBI on their application. However, it appears unclear from the Guidelines that until such authorization has been obtained by existing PAs, whether such PAs would continue operating as per the Intermediary Directions or adopt measures and compliances under the Guidelines. This is an aspect that requires further clarity from the regulators.

4. WHAT IS THE INTERPLAY BETWEEN PAS AND INTERMEDIARIES?

As per the Intermediary Directions, intermediaries were defined as: “all entities that collect monies received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these monies to the merchants in final settlement of the obligations of the paying customers.”

The said Intermediary Directions also stipulated compliances involving use of nodal accounts, permissible debits / credits in such nodal accounts, time periods for final settlement of funds to merchants etc. However, as per the said Intermediary Directions, entities operating as intermediaries were not required to obtain an authorization / license from the RBI for undertaking the said activities.

On the other hand, PAs under the said Guidelines appear to be a sub-set of an intermediary as they also facilitate transactions between users and merchants by pooling funds and transferring them to merchants. Thus, the question which arises is would there be any intermediaries (as per the Intermediary Directions) which would not be categorized as PAs under the said Guidelines, and if so, how would such intermediaries continue to be treated.

Going by the intent, it seems that the Intermediary Directions would be phased out once the Guidelines are fully into effect.

5. WHAT ARE THE KEY ELIGIBILITY CRITERIA FOR A PA TO OBTAIN RBI AUTHORIZATION?

1. Authorization – Bank PAs do not need separate authorization from RBI. Non-bank PAs are required to seek an authorization from RBI. Only a company (as opposed to other types of entities) is eligible to register as a non-bank PA. An LLP would not be eligible for such RBI authorization.
2. Marketplaces: E-commerce marketplaces providing PA services cannot continue the said activity beyond June 30, 2021. If they desire to do so, the PA services will have to be separated from the marketplace business and then an application for authorization as a PA will need to be made on or before June 30, 2021. Such internal restructuring could lead to significant tax & contractual issues which will need to be evaluated on a case to case basis.
3. Capital Requirements - Existing PAs are to have a net-worth of INR 15,00,00,000 (approx. USD 2,000,000) by March 31, 2021 and net-worth of INR 25,00,00,00 (approx. USD 3,330,000) by the end of the 3^rd financial year, i.e. on or before March 31, 2023. This net-worth should be maintained at all times thereafter.
   
   New PAs should have a minimum net-worth of INR 15,00,00,000 (approx. USD 2,000,000) at the time of filing its application for RBI authorization and should attain a net-worth of INR 25,00,00,000 (approx. USD 3,330,000) by the end of the 3^rd financial year from the grant of authorization. This net-worth should be maintained at all times thereafter.

6. WHAT IS THE ROLE THAT PAS WILL PLAY IN SETTLEMENT OF TRANSACTIONS GOING FORWARD?

Unlike as prescribed under the Intermediary Directions wherein intermediaries are required to open a nodal account, the Guidelines prescribe that a non-bank PA maintain an escrow account with any one scheduled commercial bank for amounts collected, which the PA may also pre-fund. The escrow account cannot be used for or co-mingled with other businesses, if any, of the PA. The amounts held in the escrow account should be interest free, except under certain circumstances as maybe determined between the PA and bank.

Once the amount is deducted from a user’s account, it should be remitted to the escrow account on a ‘T’+0 or ‘T’+1 basis. Thereafter, final settlement with the merchant may take place as follows:

• If the PA is responsible for the delivery of goods / services – ‘T’+1 basis wherein T is the date of intimation by the merchant to the intermediary about the shipment of goods.
• If the merchant is responsible for delivery – ‘T’+1 basis wherein T is the date of confirmation by the merchant to the PA about the delivery of goods
• If the agreement provides for the PA to keep the amount till expiry of refund period – ‘T’+1 basis where T is the date of expiry of the refund period fixed by the merchant.

The escrow account should also be used to route credits towards reversed transactions and refunds.

Similar to that of a nodal account, the escrow account to be opened by PAs allows for only certain credits and debits, as follows:

Credits

1. Payment from various customers towards purchase of goods / services.
2. Pre-funding by merchants / PAs.
3. Transfer representing refunds for failed / disputed / returned / cancelled transactions.
4. Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

Debits

1. Payment to various merchants / service providers.
2. Payment to any other account on specific directions from the merchant.
3. Transfer representing refunds for failed / disputed transactions.
4. Payment of commission to the intermediaries. This amount shall be at pre-determined rates / frequency.
5. Payment of amount received under promotional activities, incentives, cash-backs, etc.

7. WHAT ARE THE KEY COMPLIANCES APPLICABLE TO PAS?

1. Technology – The PA should have a board approved policy for information security for the safety and security of the payment systems operated and such measures should be implemented. A PA should put in place adequate information and data security infrastructure and systems to prevent and detect fraud, and other technology based recommendations as provided in the Guidelines.
2. Governance – The promoters of the PA entity should satisfy a ‘fit and proper’ criteria prescribed by the RBI and the directors are to submit an undertaking as per the prescribed format. A PA should have a board approved policy for disposal of complaints / dispute resolution mechanism and time-lines for processing refunds etc. as per timelines prescribed by the RBI. A nodal officer should also be designated for regulatory functions and to handle customer complaints as well as an escalation matrix.
   
   In terms of documentation, a PA should have (i) agreements in place with merchants, acquiring banks and other stakeholders that delineate the roles and responsibilities of each party in handling complaints, refunds, returns, customer grievances, dispute resolution and reconciliation, and (ii) disclosure comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on its website / application.
   
   Furthermore, any takeover or acquisition of control of change in management of a non-bank PA should be communicated to the RBI within 15 days. Although not explicit, it appears that this reporting requirement triggers post the corporate action taking place. However, given the ambiguity, it may be preferable to notify the RBI prior to such corporate action, given that the Guidelines give discretion to RBI to place restrictions on such changes, if deemed suitable.
3. Merchant on-boarding - A PA should have a board approved policy for merchant on-boarding. In addition, the PA should conduct background and antecedent checks on the merchant to ensure that they do not have a history of duping customers or selling fake / counterfeit / prohibited products.
4. KYC – The Guidelines also make prevailing KYC norms applicable to PAs. Though unclear, it appears that PAs and PGs should conduct KYC checks on its customers, which may be merchants and / or end users, basis the nature of each arrangement. Generally, this KYC requirement should apply only to PAs vis-à-vis the merchants since the merchants are considered customers of the PA and have a direct contractual arrangement with such PAs. However, further clarity on the same by the RBI would be helpful.
5. Security and Data – The Guidelines also prescribe certain security, fraud prevention and risk management compliances for PAs, in terms of policies to adopt and measures to implement. Specifically, PAs should not store customer card credentials on their systems that may be accessed by the merchant. PA’s would also be subject to the data storage requirements applicable to payment system operators, which appear to also include data localization requirements in terms of end-to-end transaction data.⁴ Hence, such data would not be able to be transferred outside India, unless in certain circumstances and subject to certain compliances.
   
   There is also a requirement for PAs to take preventive measures to ensure that data is stored in ‘infrastructure that does not belong to external jurisdictions’. This requirement of data sovereignty appears vague and unclear. Situations where an Indian company (which is a wholly owned subsidiary of a foreign company) or any other Indian owned / controlled entity using foreign technology to provide data storage services to PAs would need to evaluate whether they fulfil the necessary data compliance requirements.

CONCLUSION

It appears that many of the prescribed compliances as per the Guidelines are similar to those already prescribed by the RBI for payment system operators, such as e-wallet and gift card issuers, and it appears that the RBI is placing PAs on the same pedestal as such payment system providers in terms of regulation.

Also, the obligations placed on PAs vis-à-vis merchants such as conducting background checks on the merchant’s history to ensure that they do not have a history of duping customers or selling fake / counterfeit / prohibited products, appears onerous and practically difficult to implement. Although one could consider evaluating self-declarations made by merchants in this regard.

These Guidelines also bring about multiple uncertainties, such as the fate of intermediaries that do not constitute PAs and how would they continue to function, especially since these Guidelines do not specifically repeal nor clarify to what extent it would override the Intermediary Directions.

Furthermore, as previously mentioned, the Guidelines are also unclear on the position and approach that existing PAs should take prior to obtaining an authorization, i.e. whether they should continue to comply with the Intermediary Directions or comply with the Guidelines by April 1, 2020.

Given that the Guidelines propose to bring about significant changes in the e-commerce industry and would change the way online payments are structured, it may be helpful if the RBI were to issue FAQs of its own, throwing light on various uncertainties and clearly explaining the position going forward for intermediaries and PAs.