Tag Archives: Payment Gateways

Payment aggregators and payment gateways

All Payment System Providers and Payment System Participants

Guidelines on Regulation of Payment Aggregators and Payment Gateways

We invite a reference to our circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and the clarification dated September 17, 2020 issued on the subject (Annex). Accordingly, neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them can store customer card credentials within their database or server.

2. Based on the representations received from the industry seeking additional time for implementing the above instructions, it has been decided, as a one-time measure, to extend the timeline for non-bank PAs by six months, i.e., till December 31, 2021, to enable the payment system providers and participants to put in place workable solutions, such as tokenisation, within the framework set out in the circular dated March 17, 2020 cited above and our circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 08, 2019 on “Tokenisation – Card transactions”. All other provisions of the circular dated March 17, 2020 referred to above, shall remain unchanged.

3. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).


Annex

RBI circular CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021

Clarification issued by RBI on circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) on “Guidelines on Regulation of Payment Aggregators (PAs) and Payment Gateways (PGs)”

1. Definition and applicability related

1.1. The circular is applicable to online PAs and PGs. The guidelines seek to regulate the activities of online PAs while providing baseline technology-related recommendations to PGs.

1.2. In the case of bank PAs, there is no requirement of authorisation; they shall ensure compliance with the guidelines by September 30, 2020 (as extended vide circular DPSS.CO.PD.No.1897/02.14.003/2019-20 dated June 04, 2020). For non-bank PAs, the instructions will come into force from the date of their authorisation, subject to the submission of application for authorisation before the end date of June 30, 2021.

1.3. The circular is also applicable to e-commerce marketplaces that are undertaking direct payment aggregation; e-commerce marketplaces availing the services of a PA shall be considered as merchants.

1.4. The circular is not applicable to ‘Delivery vs. Payment’ transactions but addresses transactions where the payment is made in advance while the goods are delivered in a deferred manner.

2. Authorisation, capital and net-worth related

2.1. Banks maintaining the escrow account/s need not monitor the net-worth of the PA.

2.2. For existing non-bank PAs, the CA certificate of net-worth evidencing that the requirement of net-worth is ensured (as on March 31, 2021) will be required to be submitted to RBI at the time of application for authorisation (in case of an existing entity desirous of applying before March 31, 2021 a similar certificate shall be submitted as on the nearest half-year ending date). Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate from their CA regarding the current net-worth along with provisional balance sheet.

3. Governance related

3.1. The Promoters / Promoter Groups shall conform to the Reserve Bank’s ‘fit and proper’ criteria. A director of the PA company shall be deemed to be a “fit and proper” person if:

3.1.1. Such person has a record of fairness and integrity, including but not limited to:

  1. financial integrity;
  2. good reputation and character; and
  3. honesty;

3.1.2. Such person has not incurred any of the following disqualifications:

  1. Convicted by a court for any offence involving moral turpitude or any economic offence or any offence under the laws administered by the RBI;
  2. Declared insolvent and not discharged;
  3. An order, restraining, prohibiting or debarring the person from accessing / dealing in any financial system, passed by any regulatory authority, and the period specified in the order has not elapsed;
  4. Found to be of unsound mind by a court of competent jurisdiction and the finding is in force; and
  5. Is financially not sound.

3.1.3. If any question arises as to whether a person is a fit and proper person, the RBI’s decision on such question shall be final.

3.2. Para 5.4 related to disclosure of comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on the website and / or their mobile application, refers to policies of the PA and not of individual merchants on-boarded by it.

4. KYC and merchant on-boarding related

4.1. In case a PA is maintaining an account-based relationship with the merchant, the KYC guidelines of the Department of Regulation (DoR), RBI are applicable. Thus, to this extent, para 6 on ‘Safeguards against Money Laundering (KYC / AML / CFT) Provisions’ shall also be applicable.

4.2. For merchant on-boarding, the PA can have a Board approved policy (Para 7.1). There would not be a requirement to carry out the entire process of KYC (in accordance with the KYC guidelines of DoR) in cases where the merchant already has a bank account which is being used for transaction settlement purposes.

5. OPGSP related

5.1. Entities functioning as OPGSP and undertaking cross-border transactions in terms of OPGSP guidelines shall ensure compliance with the instructions issued vide A.P. (DIR Series) Circular No.16 dated September 24, 2015.

5.2. If OPGSP is also an entity which is functioning as PG or PA under the guidelines stipulated by DPSS, for undertaking any domestic leg of import / export transaction, it has to be ensured that the timelines and other guidelines, including those relating to authorised modes of collection, i.e. debit card, credit card and internet banking, indicated for the purpose of cross-border transactions in A.P. (DIR Series) Circular No.16 dated September 24, 2015, are also adhered to.

6. Security, fraud prevention and risk management framework related

6.1. The PA needs to ensure that the infrastructure of its merchants complies with security standards like PCI-DSS and PA-DSS, as applicable.

6.2. Merchants are not allowed to store payment data, irrespective of whether they are PCI-DSS compliant. They shall, however, be allowed to store limited data for the purpose of transaction tracking; for which, the required limited information may be stored in compliance with the applicable standards.

6.3. The PA also cannot store customer card credentials within its database or server (irrespective of whether it is accessed by the merchant or not) except for the limited purpose of transaction tracking; for which, the required credentials may be stored in compliance with the applicable standards.
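The two practical questions behind paras 6.2 and 6.3 are what a merchant or PA may keep for transaction tracking, and how it can verify that nothing more is sitting in its databases or logs. The following added example (written for this page; it is not code from the RBI circular or from any PA) shows both: an authorisation message is reduced to a tracking record carrying only a truncated PAN and a token reference, a persistence gate refuses records that still carry sensitive authentication data, and a Luhn-based scan picks full PANs out of exported rows while ignoring other long digit runs such as order numbers. The field names, the sample rows and the token format are assumptions; the first-six / last-four truncation is the common PCI DSS masking form, and CVV / PIN / track data are never stored after authorisation under PCI DSS.

```python
"""Card-data minimisation and PAN-leak scan (illustrative; assumed field names)."""
import re

# 13-19 digits, optional space/dash separators, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be persisted after authorisation.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: separates real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run in text (the stored-card-data check)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits; rejects non-PAN input."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def safe_to_persist(record: dict) -> bool:
    """Gate before any write: no forbidden field and no full PAN in any value."""
    if FORBIDDEN_FIELDS & {k.lower() for k in record}:
        return False
    return not any(find_pans(str(v)) for v in record.values())


def to_tracking_record(auth: dict) -> dict:
    """Keep only what transaction tracking needs. Field names are assumed; a real
    authorisation message carries more, and the full PAN and CVV are dropped here."""
    record = {
        "txn_id": auth["txn_id"],
        "amount": auth["amount"],
        "masked_pan": mask_pan(auth["pan"]),
        "token_ref": auth["token_ref"],   # tokenised reference replaces the card
        "auth_code": auth["auth_code"],
    }
    if not safe_to_persist(record):
        raise ValueError("tracking record still carries card credentials")
    return record


# Constructed sample rows, as they might appear in a database export or log.
SAMPLE_ROWS = [
    "txn=TX1001 pan=4111111111111111 cvv=123 amount=499.00",          # full PAN stored
    "txn=TX1002 masked=411111XXXXXX1111 token=tok_9f3a amount=120.00",  # compliant
    "order=1234567890123456 amount=80.00",   # 16 digits but Luhn-invalid: not a PAN
]


def scan_rows(rows: list[str]) -> dict[int, list[str]]:
    """Map row index -> PANs found, for rows that contain any."""
    return {i: find_pans(r) for i, r in enumerate(rows) if find_pans(r)}


if __name__ == "__main__":
    auth_msg = {"txn_id": "TX1001", "amount": "499.00", "pan": "4111 1111 1111 1111",
                "cvv": "123", "token_ref": "tok_9f3a", "auth_code": "A1B2C3"}
    print(to_tracking_record(auth_msg))
    print(scan_rows(SAMPLE_ROWS))
```

Run the scan over a full table dump or log archive rather than a sample; the Luhn filter removes most false positives, but a hit still needs a human to confirm whether the value is a PAN or an unrelated Luhn-valid identifier.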

6.4. Para 10.5: A standard system audit, including cyber security audit, conducted by CERT-In empanelled auditors may be carried out.

7. Settlement and escrow account related

7.1. For the purpose of maintenance of the escrow account, the operations of PAs are deemed to be ‘designated payment systems’ under the Payment and Settlement Systems Act (PSS Act) after the entity obtains authorisation from RBI.

7.2. The applicability of circular DPSS.CO.PD.No.1102/02.14.08/2009-10 dated November 24, 2009 on “Directions for opening and operation of Accounts and settlement of payments for electronic payment transactions involving intermediaries” shall be as follows:

7.2.1. The circular shall be considered repealed for authorised PAs from the date of authorisation;

7.2.2. The circular shall be considered repealed with effect from June 30, 2021 except for such PAs who have applied for authorisation and a decision on it is pending with RBI.

7.3. The existing entities can continue to maintain nodal accounts till they have been authorised by RBI. Since the PA needs to move towards an escrow account, the bank and the PA may decide to maintain an escrow account from an earlier date as well. However, this alone shall not make them eligible for a “designated payment system” status under Section 23A of the PSS Act.

7.4. If the bank can satisfactorily establish that the nodal account of an entity has been migrated to escrow account in compliance with the new instructions, it can allow the balances under existing nodal accounts of PAs to be considered for calculation of ‘Core portion’.

7.5. Those entities who have not attained the requisite net-worth as of March 31, 2021 shall wind up their PA business. Banks shall be required to close such nodal accounts after June 30, 2021 unless the PA produces evidence to the bank regarding application for authorisation being made to RBI.

7.6. The pre-funding has been allowed to tide over temporary mis-matches. Taking back of surplus pre-funding is not allowed.

7.7. There can be different “t” for different merchants as per the agreement between PA and merchants.

7.8. Para 8.6: The amount due to the merchant will be reckoned only after the settlement and credit to the escrow account. There is no need to prefund the account for this purpose. However, the proceeds shall be credited to escrow on the settlement day itself.

7.9. Where PAs have no control over incoming funds or delays in their receipt, the PAs need to follow the instructions and transfer the funds to the merchant on a T+0 / T+1 basis after receipt of the funds into their account.

7.10. The settlement accounts opened under Bharat Bill Payment System (BBPS) would be governed by BBPS instructions.


payments infrastructure development fund scheme

Payments Infrastructure Development Fund (PIDF) Scheme

The objective of PIDF is to increase the number of acceptance devices multi-fold in the country. The Scheme is expected to benefit the acquiring banks / non-banks and merchants by lowering overall acceptance infrastructure cost.

1. Validity Period and PIDF Target

1.1 Three years from January 01, 2021, extendable by two further years, if necessary.

1.2 Increasing payments acceptance infrastructure by adding 30 lakh touch points – 10 lakh physical and 20 lakh digital payment acceptance devices every year.

2. Governance Structure of PIDF

2.1 PIDF shall be governed by an ex-officio Advisory Council (AC).

2.2 Composition of the AC :–

  1. Shri B P Kanungo, Deputy Governor, Reserve Bank of India;
  2. Shri Sunil Mehta, Chief Executive, Indian Banks’ Association;
  3. Shri D Nageswara Rao, Chief General Manager, DFIBT, NABARD;
  4. Shri Dilip Asbe, Chief Executive Officer, National Payments Corporation of India;
  5. Shri Vishwas Patel, Chairman, Payments Council of India;
  6. Shri Shailesh Paul, Vice President and Head Merchant Sales and Solutions, Visa;
  7. Shri Rajeev Kumar, Senior Vice President, Market Development, Mastercard;
  8. Shri R Vittal Raj, Chartered Accountant, Kumar & Raj Chartered Accountants; and
  9. Shri Ajay Michyari, Regional Director, Reserve Bank of India, Mumbai Regional Office (Administrator of PIDF).

The Chief General Manager, Department of Payment & Settlement Systems, Reserve Bank of India shall function as the Secretariat to the AC.

2.3 The AC may constitute sub-committees to look into different aspects of the PIDF, as required.

2.4 The AC may co-opt members at its discretion.

2.5 AC shall devise suitable rules for operating the PIDF.

3. Target Geographies

3.1 The primary focus shall be to create payment acceptance infrastructure in Tier-3 to Tier-6 centres.

3.2 North Eastern states of the country shall be given special focus.

3.3 While setting parameters for utilisation of funds, the focus shall be to target those merchants who are yet to be terminalised (merchants who do not have any payment acceptance device).

3.4 The AC shall devise a transparent mechanism for allocation of targets to acquiring banks / non-banks in different segments / locations.

3.5 The tentative distribution of targets across centers will be as follows:

Distribution of Acceptance Devices    % Share of Total
Tier-3 and Tier-4 centres             30
Tier-5 and Tier-6 centres             60
North Eastern States                  10

4. Market Segments and Merchant Categories

4.1 Merchants providing essential services (transport, hospitality, etc.), government payments, fuel pumps, PDS shops, healthcare, kirana shops may be targeted, especially in the targeted geographies.

5. Types of Acceptance Devices Covered

5.1 Multiple payment acceptance devices / infrastructure supporting underlying card payments, such as physical PoS, mPoS (mobile PoS), GPRS (General Packet Radio Service), PSTN (Public Switched Telephone Network), QR code-based payments, etc.

5.2 As the cost structure of acceptance devices varies, subsidy amounts shall accordingly differ by the type of payment acceptance device deployed. A subsidy of 30% to 50% of the cost of a physical PoS and 50% to 75% of the cost of a digital PoS shall be offered.

5.3 Payment methods that are not inter-operable shall not be considered under PIDF.

5.4 The subsidy shall not be claimed by applicant from other sources like NABARD, etc. In case other mechanisms exist for providing subsidy or reimbursing cost of deployment of acceptance infrastructure, no reimbursement shall be claimed from PIDF therefor.

6. Initial Corpus

6.1 Initial corpus of PIDF has to be substantial to initiate pan-India terminalisation and to cover the pay-outs in the first year. Contributions to the PIDF shall be mandatory for banks and card networks.

6.2 RBI shall contribute ₹ 250 crore to the corpus; the authorised card networks shall contribute in all ₹ 100 crore.

6.3 The card issuing banks shall also contribute to the corpus based on the card issuance volume (covering both debit cards and credit cards) at the rate of ₹ 1 and ₹ 3 per debit and credit card issued by them, respectively.

6.4 It shall be the endeavour to collect the contributions by January 31, 2021.

6.5 Any new entrant to the card payment eco-system (card issuer and card network) shall contribute an appropriate amount to the PIDF.

7. Recurring Contribution

7.1 Besides the initial corpus, the PIDF shall also receive annual contribution from card networks and card issuing banks as under:

a) Card networks – Turnover based – 1 basis point (bps) i.e., 0.01 paisa per Rupee of transaction;

b) Card issuing banks – Turnover based – 1 bps and 2 bps i.e., 0.01 paisa and 0.02 paisa per Rupee of transaction for debit and credit cards respectively; also at the rate of ₹ 1 and ₹ 3 for every new debit and credit card issued by them respectively during the year.

7.2 RBI shall contribute to yearly shortfalls, if any.

8. Collection Mechanism

8.1 By January 31st and July 31st based on card data of December 31st and June 30th respectively.

9. Types of Expenses Covered

9.1 The parameters / rules for claiming the amount of subsidy for the capital expenditure, taking into account the type of device, deployment location etc., shall be framed by the AC.

9.2 Subsidy shall be granted on half yearly basis, after ensuring that performance parameters are achieved, including conditions for ‘active’ status of the acceptance device and ‘minimum usage’ criteria, as defined by the AC.

9.3 The minimum usage shall be termed as 50 transactions over a period of 90 days and active status shall be minimum usage for 10 days over the 90-day period.

9.4 The subsidy claims shall be processed on half yearly basis and 75 percent of the subsidy amount shall be released. The balance 25 percent shall be released later subject to the status of the acceptance device being active in 3 out of the 4 quarters of the ensuing year.

10. Deployment Targets for Acquirers

10.1 Acquirers need to adopt a scientific process for identification of deployment areas, submit proposals to Regional Director, Mumbai Regional Office (MRO), RBI and effectively implement the project. The PIDF proposal format for submission in this regard is enclosed (Format I).

11. Claims

11.1 The scheme is on reimbursement basis; accordingly, the claim shall be submitted only after making payment to the vendor.

11.2 Maximum cost of physical acceptance device eligible for subsidy – ₹ 10,000 (including one-time operating cost up to a maximum of ₹ 500).

11.3 Maximum cost of digital acceptance device eligible for subsidy – ₹ 300 (including one-time operating cost up to a maximum of ₹ 200).

11.4 Subsidised amount of cost of physical and digital payment acceptance devices based on location of deployment shall be as under:

Location                     Physical payment acceptance device    Digital payment acceptance device
                             (% of total cost)                     (% of total cost)
Tier-3 and Tier-4 centres    30                                    50
Tier-5 and Tier-6 centres    40                                    60
North Eastern States         50                                    75

11.5 Acquirers shall submit their claims through their bankers to RBI, MRO with self-declaration about fulfilment of ‘minimum usage’ and ‘active status’ criteria for deployed devices.

11.6 All initial claims shall be submitted for reimbursement of expenses (less the Input Tax Credit received / receivable by the bank / non-bank under GST) as per format (Format II). The second claim for 25% of eligible subsidy shall be submitted as per format (Format III).

12. Monitoring of Implementation of Targets

12.1 Implementation of targets under PIDF shall be monitored by RBI, MRO with assistance from Card networks, Indian Banks’ Association (IBA) and Payments Council of India (PCI).

12.2 Acquirers shall submit quarterly deployment reports on achievement of targets to RBI, MRO.

12.3 Acquirers meeting / exceeding their targets well in time and / or ensuring greater utilisation of acceptance devices in terms of transactions shall be incentivised, while those who do not achieve their targets shall be disincentivised, by scaling up or down the extent of reimbursement of subsidy as follows.

Target Achievement / Utilisation    % of Subsidy Eligible
Less than 75 percent                90
75 percent to 125 percent           100
Greater than 125 percent            110


Payment system operators – compliance

RBI has vide its circular dated 4th June, 2020 relaxed some compliance timelines for payment system operators.

(i) All existing non-bank PPI issuers (at the time of issuance of PPI-MD) to comply with the minimum positive net-worth requirement of Rs. 15 crore for the financial position as on March 31, 2020 (audited balance sheet). – New deadline – financial position as on September 30, 2020

(ii) Authorised non-bank entities shall submit the System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI. – New deadline – to be submitted by October 31, 2020

(iii) Implementing provisions of the circular on “Enhancing Security of Card Transactions” – New deadline – to be done by September 30, 2020

(iv) “Harmonisation of Turn Around Time (TAT) and customer compensation for failed transactions using authorised Payment Systems”: “calendar days” to be read as “working days”. – New deadline – time given up to December 31, 2020

(v) “Guidelines on Regulation of Payment Aggregators and Payment Gateways”: the activities for which specific timelines are not mentioned and which were supposed to come into effect from April 1, 2020. – New deadline – September 30, 2020

https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11910&Mode=0


Payment Aggregators & Gateways

https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11822&Mode=0

This has reference to Reserve Bank of India (RBI) circular DPSS.CO.PD.No.1102/02.14.08/2009-10 dated November 24, 2009 on ‘directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries’.

2. A reference is also invited to the discussion paper placed on the RBI website on guidelines for regulation of Payment Aggregators (PAs) and Payment Gateways (PGs). Based on the feedback received and taking into account the important functions of these intermediaries in the online payments space as also keeping in view their role vis-à-vis handling funds, it has been decided to (a) regulate in entirety the activities of PAs as per the guidelines in Annex 1, and (b) provide baseline technology-related recommendations to PGs as per Annex 2.

3. Detailed guidelines to this end are appended. It may be noted that these guidelines are issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 and shall come into effect from April 1, 2020 other than for activities for which specific timelines are mentioned.

Yours faithfully,

(P. Vasudevan)
Chief General Manager

Encl. : As above


Annex 1

Guidelines on Regulation of Payment Aggregators and Payment Gateways
(DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020)

Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries playing an important function in facilitating payments in the online space.

1. Definitions

1.1. For the purpose of this circular, the PAs and PGs are defined as under:

1.1.1. PAs are entities that enable e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations, without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool them and transfer them on to the merchants after a time period.

1.1.2. PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

1.2. In the processing of an online transaction the following timelines are involved:

  • ‘Tp’ – date of charge / debit to the customer’s account against the purchase of goods / services.
  • ‘Ts’ – date of intimation by the merchant to the intermediary about shipment of goods.
  • ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer.
  • ‘Tr’ – date of expiry of refund period as fixed by the merchant.

2. Applicability

2.1. The guidelines shall be applicable to PAs. PAs shall also adopt the technology-related recommendations provided in Annex 2. As a measure of good practice, the PGs may adhere to these baseline technology-related recommendations.

2.2. Domestic leg of import and export related payments facilitated by PAs shall also be governed by these instructions.

2.3. The guidelines are not applicable to Cash on Delivery (CoD) e-commerce model.

3. Authorisation

3.1. The criteria for authorisation have been arrived at based on the role of the intermediary in handling of funds.

3.2. Bank and non-bank PAs handle funds as part of their activities. Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. Non-bank PAs shall require authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSSA).

3.3. PA shall be a company incorporated in India under the Companies Act, 1956 / 2013. The Memorandum of Association (MoA) of the applicant entity must cover the proposed activity of operating as a PA.

3.4. Existing non-bank entities offering PA services shall apply for authorisation on or before June 30, 2021. They shall be allowed to continue their operations till they receive communication from RBI regarding the fate of their application.

3.5. Entities seeking authorisation as PA from the RBI under the PSS Act, shall apply in Form A to the Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai. Entities regulated by any of the financial sector regulators shall apply along with a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such a clearance.

3.6. E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed at clause 3.4 above. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021.

3.7. PGs shall be considered as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be. In case of a bank PG, the guidelines issued by Reserve Bank of India, Department of Regulation (DoR) vide circular No.DBOD.NO.BP.40/21.04.158/2006-07 dated November 3, 2006 on “Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks” and other follow up circular(s) shall also be applicable.

4. Capital Requirements

4.1. PAs existing as on the date of this circular shall achieve a net-worth of ₹15 crore by March 31, 2021 and a net-worth of ₹25 crore by the end of third financial year, i.e., on or before March 31, 2023. The net-worth of ₹25 crore shall be maintained at all times thereafter.

4.2. New PAs shall have a minimum net-worth of ₹15 crore at the time of application for authorisation and shall attain a net-worth of ₹25 crore by the end of third financial year of grant of authorisation. The net-worth of ₹25 crore shall be maintained at all times thereafter.

4.3. Illustratively,

Non-bank Entity   Date of Application / Authorisation   Date of Achieving ₹ 15 Cr. Net-worth                      Date of Achieving ₹ 25 Cr. Net-worth
Existing PAs      Up to 30/06/2021                      Date of application or 31/03/2021, whichever is earlier   31/03/2023
New PAs           20/03/2020                            On date of application                                    31/03/2022
New PAs           01/04/2020                            On date of application                                    31/03/2023
New PAs           01/03/2021                            On date of application                                    31/03/2023
New PAs           01/04/2021                            On date of application                                    31/03/2024

4.4. Net-worth shall consist of paid-up equity capital, preference shares that are compulsorily convertible to equity, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. Compulsorily convertible preference shares can be either non-cumulative or cumulative, and they should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.

4.5. Entities having Foreign Direct Investment (FDI) shall be guided by the Consolidated Foreign Direct Investment policy of the Government of India and the relevant foreign exchange management regulations on this subject.

4.6. PAs shall submit a certificate in the enclosed format from their Chartered Accountants (CA) to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.

4.7. PAs that are not able to comply with the net-worth requirement within the stipulated time frame (as given at clauses 4.1 & 4.2) shall wind-up payment aggregation business. The banks maintaining nodal / escrow accounts of such entities shall monitor and report compliance in this regard.

5. Governance

5.1. PAs shall be professionally managed. The promoters of the entity shall satisfy the fit and proper criteria prescribed by RBI. The directors of the applicant entity shall submit a declaration in the enclosed format. RBI shall also check ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned.

5.2. Any takeover or acquisition of control or change in management of a non-bank PA shall be communicated by way of a letter to the Chief General Manager, Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes.

5.3. Agreements between PAs, merchants, acquiring banks, and all other stake holders shall clearly delineate the roles and responsibilities of the involved parties in sorting / handling complaints, refund / failed transactions, return policy, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanism, reconciliation, etc.

5.4. PAs shall disclose comprehensive information regarding merchant policies, customer grievances, privacy policy and other terms and conditions on the website and / or their mobile application.

5.5. PAs shall have a Board approved policy for disposal of complaints / dispute resolution mechanism / time-lines for processing refunds, etc., in such a manner that the RBI instructions on Turn Around Time (TAT) for resolution of failed transactions issued vide DPSS.CO.PD No.629/02.01.014/2019-20 dated September 20, 2019 are adequately taken care of. Any future instructions in this regard shall also be adhered to by PAs.

5.6. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. PAs shall prominently display details of the nodal officer on their website.

6. Safeguards against Money Laundering (KYC / AML / CFT) Provisions

6.1. The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Regulation, RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all entities.

6.2. Provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, shall also be applicable.

7. Merchant On-boarding

7.1. PAs shall have a Board approved policy for merchant on-boarding.

7.2. PAs shall undertake background and antecedent checks of the merchants, to ensure that such merchants do not have any mala fide intention of duping customers, do not sell fake / counterfeit / prohibited products, etc. The merchant’s website shall clearly indicate the terms and conditions of the service and the time-line for processing returns and refunds.

7.3. PAs shall be responsible to check Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded.

7.4. Merchant site shall not save customer card and such related data. A security audit of the merchant may be carried out to check compliance, as and when required.

7.5. The agreement with the merchant shall have provision for security / privacy of customer data. PAs’ agreements with merchants shall include compliance with PA-DSS and incident reporting obligations. The PAs shall obtain periodic security assessment reports, either based on the risk assessment (large or small merchants) and / or at the time of renewal of contracts.

8. Settlement and Escrow Account Management

8.1. Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank. For the purpose of maintenance of the escrow account, the operations of PAs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSSA (as amended in 2015).

8.2. Escrow account balance shall be maintained with only one scheduled commercial bank at any point of time. In case there is a need to shift the escrow account from one bank to another, the same shall be effected in a time-bound manner without impacting the payment cycle to the merchants, under advice to RBI.

8.3. Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on Tp+0 / Tp+1 basis. The same rules shall apply to the non-bank entities where wallets are used as a payment instrument.

8.4. Final settlement with the merchant by the PA shall be effected as under:

8.4.1. Where PA is responsible for delivery of goods / services the payment to the merchant shall be not later than on Ts + 1 basis.

8.4.2. Where merchant is responsible for delivery, the payment to the merchant shall be not later than on Td + 1 basis.

8.4.3. Where the agreement with the merchant provides for keeping the amount by the PA till expiry of refund period, the payment to the merchant shall be not later than on Tr + 1 basis.

8.5. Credits towards reversed transactions (where funds are received by PA) and refund transactions shall be routed back through the escrow account unless as per contract the refund is directly managed by the merchant and the customer has been made aware of the same.

8.6. At the end of the day, the amount in escrow account shall not be less than the amount already collected from customer as per ‘Tp’ or the amount due to the merchant.

8.7. PAs shall be permitted to pre-fund the escrow account with own / merchant’s funds. However, in the latter scenario, merchant’s beneficial interest shall be created on the pre-funded portion.

8.8. The escrow account shall not be operated for ‘Cash-on-Delivery’ transactions.

8.9. Permitted credits / debits to the escrow account shall be as set out below:

8.9.1.1. Credits

a) Payment from various customers towards purchase of goods / services.

b) Pre-funding by merchants / PAs.

c) Transfer representing refunds for failed / disputed / returned / cancelled transactions.

d) Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs etc.

8.9.1.2. Debits

a) Payment to various merchants / service providers.

b) Payment to any other account on specific directions from the merchant.

c) Transfer representing refunds for failed / disputed transactions.

d) Payment of commission to the intermediaries. This amount shall be at pre-determined rates / frequency.

e) Payment of amount received under promotional activities, incentives, cash-backs, etc.

8.10. For banks the outstanding balance in the escrow account shall be part of the ‘net demand and time liabilities’ (NDTL) for the purpose of maintenance of reserve requirements. This position shall be computed on the basis of the balances appearing in the books of the bank as on the date of reporting.

8.11. The entity and the escrow account banker shall be responsible for compliance with RBI instructions issued from time to time. The decision of RBI in this regard shall be final and binding.

8.12. Settlement of funds with merchants shall not be commingled with other business, if any, handled by the PA.

8.13. A certificate signed by the auditor(s), shall be submitted by the authorised entities to the respective Regional Office of DPSS, RBI, where the registered office of the PA is situated, certifying that the entity has been maintaining balance in the escrow account in compliance with these instructions, as per the periodicity prescribed in Annex 3.

8.14. PAs shall submit the list of merchants acquired by them to the bank where they are maintaining the escrow account and update the same from time to time. The bank shall ensure that payments are made only to eligible merchants / purposes. There shall be an exclusive clause in the agreement signed between the PA and the bank maintaining escrow account towards usage of balance in escrow account only for the purposes mentioned above.

8.15. No interest shall be payable by the bank on balances maintained in the escrow account, except when the PA enters into an agreement with the bank maintaining the escrow account, to transfer “core portion” of the amount, in the escrow account, to a separate account on which interest is payable, subject to the following:

8.15.1. The bank shall satisfy itself that the amount deposited represents the “core portion” after due verification of necessary documents.

8.15.2. The amount shall be linked to the escrow account, i.e. the amounts held in the interest-bearing account shall be available to the bank, to meet payment requirements of the entity, in case of any shortfall in the escrow account.

8.15.3. This facility shall be permissible to entities that have been in business for 26 fortnights and whose accounts have been duly audited for the full accounting year. For this purpose, the period of 26 fortnights shall be calculated from the actual business operation in the account.

8.15.4. No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits.

8.15.5. Core portion as calculated below shall remain linked to the escrow account. The escrow account balance and core portion maintained shall be clearly disclosed in the auditors’ certificates submitted to RBI on quarterly and annual basis.

Note: For the purpose of this regulation, “Core Portion” shall be computed as under:

Step 1: Compute lowest daily outstanding balance (LB) in the escrow account on a fortnightly (FN) basis, for 26 fortnights from the preceding month.

Step 2: Calculate the average of the lowest fortnightly outstanding balances [(LB1 of FN1 + LB2 of FN2 + … + LB26 of FN26) divided by 26].

Step 3: The average balance so computed represents the “Core Portion” eligible to earn interest.
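The escrow rules above are mechanical enough to script, and an escrow banker or a PA's internal audit function would want exactly that: a replay of the ledger that rejects any credit or debit outside the list in para 8.9, the end-of-day cover test of para 8.6 (with the linked core-portion deposit counting towards cover, as para 8.15.2 allows), and the three-step "Core Portion" computation in the Note. The block below is an added illustration of those checks; it is not RBI's code nor any PA's implementation. The category names, the ledger layout, the anchoring of the 26 fortnights on a chosen start date, and all sample amounts are assumptions made for the example.

```python
"""Escrow-account checks modelled on paras 8.6, 8.9 and 8.15 of the circular.

Added illustration; not RBI's or any PA's code. Category names, the ledger
layout, the fortnight anchoring on a chosen start date and the sample
amounts are assumptions made for this example.
"""
from collections import defaultdict
from datetime import date, timedelta

# Permitted credits / debits paraphrasing para 8.9 (the names are our own).
PERMITTED_CREDITS = {"customer_payment", "pre_funding", "refund_inward", "promo_inward"}
PERMITTED_DEBITS = {"merchant_payment", "merchant_directed", "refund_outward",
                    "intermediary_commission", "promo_outward"}

FORTNIGHT_DAYS = 14
FORTNIGHTS = 26          # para 8.15.3 and Step 1 of the Note


def daily_balances(opening, entries, start, days):
    """Replay a ledger into end-of-day balances for `days` consecutive days.

    entries: iterable of (date, category, amount); amount > 0 is a credit,
    amount < 0 a debit. Any category outside para 8.9 is rejected, which is
    the control the escrow banker is expected to enforce (para 8.14).
    """
    by_day = defaultdict(list)
    for day, category, amount in entries:
        by_day[day].append((category, amount))
    balance = opening
    eod = {}
    for i in range(days):
        day = start + timedelta(days=i)
        for category, amount in by_day.get(day, []):
            allowed = PERMITTED_CREDITS if amount >= 0 else PERMITTED_DEBITS
            if category not in allowed:
                kind = "credit" if amount >= 0 else "debit"
                raise ValueError(f"{day}: '{category}' is not a permitted escrow {kind}")
            balance += amount
        eod[day] = balance          # days with no entries carry the balance forward
    return eod


def lowest_balance_per_fortnight(eod, start):
    """Step 1: lowest daily outstanding balance (LB) for each fortnight (FN)."""
    lows = {}
    for day, balance in eod.items():
        fn = (day - start).days // FORTNIGHT_DAYS
        if 0 <= fn < FORTNIGHTS:
            lows[fn] = min(lows.get(fn, balance), balance)
    return lows


def core_portion(eod, start):
    """Steps 2-3: the average of the 26 fortnightly lows is the interest-eligible core portion."""
    lows = lowest_balance_per_fortnight(eod, start)
    if len(lows) != FORTNIGHTS:    # para 8.15.3: the full 26 fortnights are required
        raise ValueError(f"need {FORTNIGHTS} complete fortnights, have {len(lows)}")
    return sum(lows.values()) / FORTNIGHTS


def eod_shortfall(escrow_balance, collected_tp, due_to_merchants, core_balance=0):
    """Para 8.6 test: escrow must cover max(amount collected per Tp, amount due to merchants).

    The linked core-portion deposit counts towards cover (para 8.15.2).
    Returns 0 when compliant, otherwise the uncovered amount.
    """
    required = max(collected_tp, due_to_merchants)
    return max(0, required - (escrow_balance + core_balance))


# Constructed sample: 26 fortnights of activity, a 60,000 customer credit on
# day 0 of each fortnight and a 59,000 merchant payout the following day.
START = date(2020, 4, 1)
SAMPLE_ENTRIES = []
for fn in range(FORTNIGHTS):
    SAMPLE_ENTRIES.append((START + timedelta(days=fn * 14), "customer_payment", 60_000))
    SAMPLE_ENTRIES.append((START + timedelta(days=fn * 14 + 1), "merchant_payment", -59_000))

if __name__ == "__main__":
    eod = daily_balances(1_000_000, SAMPLE_ENTRIES, START, FORTNIGHTS * FORTNIGHT_DAYS)
    print("core portion:", core_portion(eod, START))
    print("shortfall:", eod_shortfall(900_000, 950_000, 920_000, core_balance=40_000))
```

With the constructed ledger the lowest balance in fortnight n is 1,001,000 + 1,000·n, so the core portion comes to 1,013,500. A real implementation would take the ledger from the bank statement rather than an in-memory list, but the two invariants worth automating are the ones shown: no movement outside para 8.9, and never a day on which escrow plus the linked core deposit is below what para 8.6 requires.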

9. Customer Grievance Redressal and Dispute Management Framework

9.1. PAs shall put in place a formal, publicly disclosed customer grievance redressal and dispute management framework, including designating a nodal officer to handle the customer complaints / grievances and the escalation matrix. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible.

9.2. PAs shall appoint a Nodal Officer responsible for regulatory and customer grievance handling functions. Details of the nodal officer for customer grievance shall be prominently displayed on their website.

9.3. PAs shall have a dispute resolution mechanism binding on all the participants which shall contain transaction life cycle, detailed explanation of types of disputes, process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc.

10. Security, Fraud Prevention and Risk Management Framework

10.1. A strong risk management system is necessary to meet the challenges of fraud and ensure customer protection. PAs shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.

10.2. PAs shall put in place Board approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. Baseline technology-related recommendations for adoption by the PAs are provided in Annex 2. The PGs may also adopt them as best practices.

10.3. PAs shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and breaches. The same shall be reported immediately to the DPSS, RBI, Central Office, Mumbai. They shall also be reported to CERT-In (Indian Computer Emergency Response Team) as per the details notified by CERT-In.

10.4. PAs shall not store the customer card credentials within their database or the server accessed by the merchant. They shall comply with data storage requirements as applicable to Payment System Operators (PSOs).
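Paras 7.4 and 10.4 (restated in Annex 2, para 2.1) are the one technical control in this document that a security audit can test directly: the merchant's and the PA's stored data must contain no card credentials. The usual way to check is to scan persisted records and free-text fields for digit runs that pass the Luhn mod-10 check, which catches full PANs while leaving masked values and tokens alone. The block below is an added example of such a scan; it is not RBI's code nor any PA's tooling. The record layout and the sample values are constructed, and 4111111111111111 is a conventional test card number rather than a real account.

```python
"""Scan stored records for card credentials (paras 7.4, 10.4 and Annex 2 para 2.1).

Added illustration, not RBI's or any PA's code. The record layout and sample
values are constructed; 4111111111111111 is a conventional test PAN.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check: every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(records):
    """Return (record_id, field, masked_value) for each field holding a Luhn-valid PAN.

    records: iterable of dicts with an 'id' key; only string fields are scanned.
    Masked values ('411111XXXXXX1111') and tokens ('tok_...') are not flagged,
    which is what a compliant merchant database should contain.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for match in _PAN_CANDIDATE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):
                    # Report a masked form only; the finding itself must not become card data.
                    masked = digits[:6] + "X" * (len(digits) - 10) + digits[-4:]
                    findings.append((rec["id"], field, masked))
    return findings


# Constructed sample records, as a merchant order table might hold them.
SAMPLE_RECORDS = [
    {"id": 1, "order_ref": "1234567890123456", "card": "tok_a8f3e1", "last4": "1111"},
    {"id": 2, "order_ref": "ORD-42", "card": "4111 1111 1111 1111", "cvv": "123"},
    {"id": 3, "notes": "customer called re: card 4111111111111111 declined"},
    {"id": 4, "card": "411111XXXXXX1111", "amount": 1999},
]

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_RECORDS):
        print("card data found:", hit)
```

Record 1's 16-digit order reference fails Luhn and is correctly ignored, while record 3 shows why free-text columns such as support notes belong in the scan as much as the obvious card field. Record 2 also carries a CVV, which the Luhn scan cannot detect by itself; a field-name check for such columns is a sensible companion to this scan.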

10.5. PAs shall submit the System Audit Report, including cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.

11. Reports

11.1. The reports to be submitted by authorised PAs are listed in Annex 3.

12. General Instructions

12.1. PAs shall ensure that the extant instructions with regard to Merchant Discount Rate (MDR) are followed. Information on other charges such as convenience fee, handling fee, etc., if any, being levied shall also be displayed upfront by the PA.

12.2. PAs shall not place limits on transaction amount for a particular payment mode. The responsibility therefor shall lie with the issuing bank / entity; for instance, the card issuing bank shall be responsible for placing amount limits on cards issued by it based on the customer’s credit worthiness, spending nature, profile, etc.

12.3. PAs shall not give an option for ATM PIN as a factor of authentication for card-not-present transactions.

12.4. All refunds shall be made to the original method of payment unless specifically agreed by the customer to credit to an alternate mode.


Annex 2

Baseline Technology-related Recommendations

Indicative baseline technology-related recommendations for adoption by the PAs (mandatory) and PGs (recommended) are:

1. Security-related Recommendations

The requirements for the entities in respect of IT systems and security are presented below:

1.1. Information Security Governance: The entities at a minimum shall carry out comprehensive security risk assessment of their people, IT, business process environment, etc., to identify risk exposures with remedial measures and residual risks. These can be an internal security audit or an annual security audit by an independent security auditor or a CERT-In empanelled auditor. Reports on risk assessment, security compliance posture, security audit reports and security incidents shall be presented to the Board.

1.2. Data Security Standards: Data security standards and best practices like PCI-DSS, PA-DSS, latest encryption standards, transport channel security, etc., shall be implemented.

1.3. Security Incident Reporting: The entities shall report security incidents / card holder data breaches to RBI within the stipulated timeframe. Monthly cyber security incident reports with root cause analysis and preventive actions undertaken shall be submitted to RBI.

1.4. Merchant Onboarding: The entities shall undertake comprehensive security assessment during merchant onboarding process to ensure these minimal baseline security controls are adhered to by the merchants.

1.5. Cyber Security Audit and Reports: The entities shall carry out and submit to the IT Committee quarterly internal and annual external audit reports; bi-annual Vulnerability Assessment / Penetration Test (VAPT) reports; PCI-DSS including Attestation of Compliance (AOC) and Report of Compliance (ROC) compliance report with observations noted if any including corrective / preventive actions planned with action closure date; inventory of applications which store or process or transmit customer sensitive data; PA-DSS compliance status of payment applications which store or process card holder data.

1.6. Information Security: Board approved information security policy shall be reviewed at least annually. The policy shall consider aspects like: alignment with business objectives; the objectives, scope, ownership and responsibility for the policy; information security organisational structure; information security roles and responsibilities; maintenance of asset inventory and registers; data classification; authorisation; exceptions; knowledge and skill sets required; periodic training and continuous professional education; compliance review and penal measures for non-compliance of policies.

1.7. IT Governance: An IT policy shall be framed for regular management of IT functions and ensure that detailed documentation in terms of procedures and guidelines exists and is implemented. The strategic plan and policy shall be reviewed annually. The Board level IT Governance framework shall have:

1.7.1. Involvement of Board: The major role of the Board / Top Management shall involve approving information security policies, establishing necessary organisational processes / functions for information security and providing necessary resources.

1.7.2. IT Steering Committee: An IT Steering Committee shall be created with representations from various business functions as appropriate. The Committee shall assist the Executive Management in implementation of the IT strategy approved by the Board. It shall have well defined objectives and actions.

1.7.3. Enterprise Information Model: The entities shall establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with board approved IT strategy. The model shall facilitate optimal creation, use and sharing of information by a business, in a way that it maintains integrity, and is flexible, functional, timely, secure and resilient to failure.

1.7.4. Cyber Crisis Management Plan: The entities shall prepare a comprehensive Cyber Crisis Management Plan approved by the IT strategic committee and shall include components such as Detection, Containment, Response and Recovery.

1.8. Enterprise Data Dictionary: The entities shall maintain an “enterprise data dictionary” incorporating the organisation’s data syntax rules. This shall enable sharing of data across applications and systems, promote a common understanding of data across IT and business users and prevent creation of incompatible data elements.

1.9. Risk Assessment: The risk assessment shall, for each asset within its scope, identify the threat / vulnerability combinations and likelihood of impact on confidentiality, availability or integrity of that asset – from a business, compliance and / or contractual perspective.

1.10. Access to Application: There shall be documented standards / procedures for administering an application system, which are approved by the application owner and kept up-to-date. Access to the application shall be based on the principle of least privilege and “need to know” commensurate with the job responsibilities.

1.11. Competency of Staff: Requirements for trained resources with requisite skill sets for the IT function need to be understood and assessed appropriately with a periodic assessment of the training requirements for human resources.

1.12. Vendor Risk Management: The Service Level Agreements (SLAs) for technology support, including BCP-DR and data management shall categorically include clauses permitting regulatory access to these set-ups.

1.13. Maturity and Roadmap: The entities shall consider assessing their IT maturity level, based on well-known international standards, design an action plan and implement the plan to reach the target maturity level.

1.14. Cryptographic Requirement: The entities shall select encryption algorithms which are well established international standards and which have been subjected to rigorous scrutiny by an international community of cryptographers or approved by authoritative professional bodies, reputable security vendors or government agencies.

1.15. Forensic Readiness: All security events from the entities' infrastructure including but not limited to application, servers, middleware, endpoint, network, authentication events, database, web services, cryptographic events and log files shall be collected, investigated and analysed for proactive identification of security alerts.

1.16. Data Sovereignty: The entities shall take preventive measures to ensure that data is stored in infrastructure that does not belong to external jurisdictions. Appropriate controls shall be considered to prevent unauthorised access to the data.

1.17. Data Security in Outsourcing: There shall be an outsourcing agreement providing ‘right to audit’ clause to enable the entities / their appointed agencies and regulators to conduct security audits. Alternatively, third parties shall submit annual independent security audit reports to the entities.

1.18. Payment Application Security: Payment applications shall be developed as per PA-DSS guidelines and complied with as required. The entities shall review PCI-DSS compliance status as part of merchant onboarding process.

2. Other Recommendations

2.1 The customer card credentials shall not be stored within the database or the server accessed by the merchant.

2.2 Option for ATM PIN as a factor of authentication for card not present transactions shall not be given.

2.3 Instructions on storage of payment system data, as applicable to PSOs, shall apply.

2.4 All refunds shall be made to original method of payment unless specifically agreed by the customer to credit an alternate mode.


Annex 3

Reports to be submitted by Authorised Payment Aggregators

Annual

1. Net-worth Certificate – Audited Annual report with CA certificate on Net-worth – by September 30th (Annex 3.1).

2. IS Audit Report and Cyber Security Audit Report with observations noted, if any, including corrective / preventive action planned with closure date – Externally Audited – by May 31st. The scope of audit shall encompass all relevant areas of information system processes and applications.

Quarterly

1. Auditors’ Certificate on Maintenance of Balance in Escrow Account – by 15th of the month following the quarter end. (Annex 3.2).

2. Bankers’ Certificate on Escrow Account Debits and Credits – Internally Audited – by 15th of the month following the quarter end.

Monthly

1. Statistics of Transactions Handled – by 7th of next month (Annex 3.3).

Non-periodic

1. Declaration and Undertaking by the Director – Changes in Board of Directors – as and when happens (Annex 3.4).

2. Report from Banks in Compliance with para 3.6 of Annex 1 – One time report to be sent by April 15th, 2021.

3. Cyber Security Incident Reports – with root cause analysis and preventive action undertaken – by 7th of next month of incidence month.
