Why the RBIs proposal to directly regulate payment gateways and aggregators may do more harm than good.

Following the Reserve Bank of India’s (“RBI”) monetary policy statement for 2018-19 where the RBI had indicated that the existing guidelines for payment gateways and payment aggregators (“Payment Entities”) needs review, the RBI has published the Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators (“Discussion Paper”) outlining the options that the RBI can take in order to regulate Payment Entities in India.

In simple terms, a payment gateway is an e-commerce application service that allows online transactions to take place. It is a pass-through mechanism that provides a merchant the means to accept online payments. Some common examples of payment gateways are PayTM, Paypal, Bharat Interface for Money (“BHIM”), and Amazon Pay amongst others. A payment aggregator on the other hand, is an entity which hosts multiple payment gateways on its web platform. Some common examples of payment aggregators are Citrus and RazorPay in India.

Looking at an illustration will further clarify the manner in which payment gateways and payment aggregators operate. If you visit an e-commerce platform and proceed to pay, you will usually be taken to a page operated by a payment aggregator such as Citrus or RazorPay where you will find the various payment gateways such as BHIM, PayTM through which you can make your payment.

Currently, the Payment Entities are loosely regulated by the RBI. Although the RBI requires all Payment Entities to have a nodal account, there is no need for Payment Entities to obtain any registration with/ approval from the RBI prior to commencing their business as is required under the Payment and Settlement Systems Act, 2007 (“PSS Act”) nor do they need to have a dedicated official to ensure compliance with RBI regulations.

Therefore, as (a) there are no direct regulations over Payment Entities (as mentioned above), (b) Payment Entities play a critical role in online transactions, (c) there are no clear distinctions between the roles of Payment Entities and merchants, and (d) end users do not have direct contact with the Payment Entities and need to contact merchants in the event of any dispute, the RBI has concluded that there needs to be a change in the way Payment Entities are regulated.

The main approaches the RBI has recommended in the Discussion Paper are:

(a)  Option 1 – Continue with existing regulations with a few tweaks – In this option, the RBI will issue certain minor clarifications such as what are the timelines within which Payment Entities should resolve any dispute. Barring these minor clarifications, the current regulations would continue to regulate Payment Entities in India;

 

(b) Option 2 – Limited Regulations – In this option, the RBI will require Payment Entities to comply with only a limited number of RBI regulations such as (i) maintaining a minimum net worth, (ii) timelines for settling payments, (iii) IT security requirements etc. In this option, the RBI has proposed that it will only conduct off-site inspections. Off-site inspections is when the RBI carries out inspections and monitoring through online software. This is different from an on-site inspection is when RBI officials physically come to the offices of the entity and carry out inspections; and

 

(c)   Option 3 – Full and direct regulations – In this option, all Payment Entities will fall within the ambit of the PSS Act and will be bound by all RBI regulations. If this option is exercised by the RBI, then some of the requirements that Payment Entities will need to comply with are:

 

(i)   Prior approval of the RBI: All non-bank Payment Entities will need to seek RBI approval prior to commencing business;

 

(ii)  Parties related to E-Commerce platforms: Any e-commerce marketplace acting as a Payment Entity (for example, Amazon Pay), will need to stop acting as a Payment Entity within 3 months. However, if the e-commerce platform wishes to continue with this activity, it will need to be separated from the e-commerce platform (for instance, Amazon Pay will need to be separated from Amazon India’s e-commerce business);

 

(iii)   Minimum net-worth: All Payment Entities will need to maintain the minimum net-worth as prescribed for Bharat Bill Payment Operating Unit which is currently ₹100 Crore at all time of operations;

 

(iv)   Fit and proper guidelines: All promoters of Payment Entities will need to comply with the fit and proper guidelines issued by the RBI. Some of the requirements under the fit and proper guidelines are (1) the promoters should not be declared insolvent, and (2) the promoters should not be disqualified as directors under the Companies Act, 2013 amongst others;

 

(v)  Policy for disposal of complaints: The board of all Payment Entities should will need a    detailed policy for the disposal of all complaints raised by the customers;

 

(vi)  Appoint nodal officer to ensure compliance: All Payment Entities will need to appoint a nodal  officer who will be responsible to ensure that the Payment Entity is in full compliance with all RBI regulations;

 

(vii) KYC Guidelines and Prevention of Money Laundering Act, 2002: All Payment Entities will need to comply with the KYC Guidelines issued by the RBI and comply with the provisions of the Prevention of Money Laundering Act, 2002;

 

(viii) Grievance redressal and dispute management framework: All Payment Entities will need to  put in place, a publicly disclosed public redressal and dispute management framework. A point for Payment Entities to note is that the Discussion Paper suggests that all redressals should be resolved within 7 working days;

 

(ix)   Merchant on-boarding: All Payment entities will need to due diligence on the merchant for security and authentication purposes prior to engaging with such merchant;

 

(x)  IT Security: All Payment entities will need to comply with the IT security standards prescribed  by the RBI. For instance, the RBI recommends that all entities should have data security standards that are compliant with industry standards such as PCI-DSS and entities should report any IT security breach to the RBI with 2 to 6 hours of the entity obtaining knowledge of the same; and

 

(xi)   Reports: Some of the reports that all Payment Entities will need to file with the RBI are: (1) Audited annual statements (to be filed annually with the RBI by September 30), (2) Net-worth certificate as on the 30th of September (to be filed annually with the RBI by December 31), and (3) Customer grievance report (to be filed quarterly with the RBI) amongst others.

Quick View

The RBI, through the Discussion Paper has come up with 3 options to regulate Payment Entities. However, we feel that there are inherent flaws with the options put forward by the RBI.

We find that there is very little to differentiate Options 1 (i.e continue with current regulations) and 2 (i.e limited regulations). If the RBI moves forward with either options, then it will need to provide more details as to what RBI regulations will be applicable on the Payment Entities. On a review of the Discussion Paper, the RBI has only provided an indicative list of what may be applicable to Payment Entities under Options 1 and 2. Therefore, it is difficult to understand the full implications Options 1 and 2 will have on Payment Entities. Considering that the RBI has only briefly outlined Options 1 and 2, and has explained Option 3 (i.e Full and direct regulation), it is our educated guess that the RBI will choose Option 3 to regulate Payment Entities in India.

On a preliminary review of Option 3, the RBI seems to have made a firm commitment to protect the interests of the customer. For instance, the fact that Payment Entities will need to ensure that they have detailed grievance redressal policies and that they will need to comply with certain security standards all make the right noises when it comes to ensure that the interests of customers are protected.  

While this is an important function of the RBI, on a reading of the RBI Act, 1934, the objective of the RBI is to operate the entire credit and banking system in India. Therefore, the RBI will not only need to look at the interests of customers, but will also ensure that there are sufficient credit facilitators in the economy. Therefore, with a drastic increase in regulations, entities will not be pumped to operate as Payment Entities.  For instance, a majority of well-known payment aggregators such as RazorPay are start-ups that started only a few years ago. It will therefore not be possible for start-ups to ensure that they always have a minimum net worth of 100 Crore.

Therefore, the RBI will need to bring in a balance between protecting the interest of the customers and ensuring innovation with regards to Payment Entities that are essential for providing banking and credit facilities to people with no access to the formal banking sector is not negatively impacted. We feel that this can be done if the RBI prescribes new rules and regulations applicable to Payment Entities rather than relying on existing rules and regulations.

Disclaimer: This post has been prepared for informational purposes only. The information/or observations contained in this post does not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.

 

Disclaimer

As per rules of the Bar Council of India, advocates are not permitted to solicit work or advertise. By clicking on the “I agree” button below and accessing this website, the User acknowledges that by accessing this website (www.gamechangerlaw.com):