Recognising the growth of online payments with the e-commerce boom, the Reserve Bank of India (RBI) on 24 November 2009 issued directions under the Payment and Settlement Systems Act, 2007 (PSSA), to safeguard the interests of end-consumers and ensure timely payments to merchants (intermediaries circular).
The RBI indirectly sought to regulate payment aggregators (PA) and payment gateways (PG) through the circular, which required payment intermediaries to maintain nodal accounts and comply with prescribed settlement timelines. A nodal account is a special internal bank account mandated by the RBI for businesses that are intermediaries, connecting customers to sellers.
The big change
Historically, PAs were not required to obtain any separate registration with the RBI. However, the RBI recognised the need for a more robust regulatory framework governing payment intermediaries, and on 17 September 2019 it issued a discussion paper. Following discussions with stakeholders, the RBI issued the payment aggregator and gateway guidelines (PA/PG guidelines) on 17 March 2020, directly regulating PAs and prescribing baseline technology standards for both PAs and PGs.
The guidelines seek to address key gaps in the country’s payments architecture, including on bankruptcy protection of pooled funds, data storage and privacy, security and audit framework, settlement cycle, liability framework, and consumer protection.
While the interpretation of a PA and PG is evolving, both qua registration and prescribed compliances, it appears settled that any technology platform collecting funds from customers would be covered within the PA/PG guidelines, and so they are required to apply for an RBI authorisation to continue operations beyond 30 June 2021.
Card data storage. Under the revised regime, the ability of merchants and PAs to save customer card credentials or other related data within their databases may be impacted. We understand that a few subscription-based technology platforms have approached the RBI in this regard, since they already hold the Payment Card Industry Data Security Standard (PCI DSS) certification. As merchants are not regulated by the RBI, it would be interesting to see how this evolves.
The RBI has issued certain clarifications to industry bodies on transaction tracking, which may be helpful. While tokenisation may be a possible solution, given the ongoing debate around the Personal Data Protection Bill (PDP), which is equivalent to the EU’s General Data Protection Regulation, it would be interesting to see the impact that our new PDP law has on data or privacy rules issued by sectoral regulators like the RBI.
OPGSP v PA/PG. The PA/PG guidelines also apply to the domestic leg of import and export-related payments facilitated by PAs within the framework of the online payment gateway service providers (OPGSP) guidelines dated 24 September 2015 (OPGSP circular). This has created some confusion in terms of the intersection between the PA/PG guidelines and the OPGSP circular, especially given that the guidelines are issued by the Department of Payment and Settlement Systems and the OPGSP circular is used by the foreign exchange department of the RBI. Global OPGSPs operating in India may have to either tweak their business models or piggyback on existing PAs/PGs or apply to the RBI for authorisation by 30 June 2021.
Nodals v Escrows. The PA/PG guidelines require PAs to move away from the earlier nodal account model to a maximum of two escrow accounts. An escrow account is a temporary vault of money held by a trusted third party on behalf of two transacting parties that are bound by a contract. To afford statutory protection to funds pooled by PAs, the escrows have been classified as designated payment systems under the PSSA. This may, however, impact existing PAs or PGs operating multiple nodals.
Separation of business. The PA/PG guidelines require e-commerce marketplaces to either discontinue any PA activity before 30 June 2021, or to separate such activity from the marketplace business.
The PA/PG guidelines do not clarify whether a “Chinese wall” approach, a barrier that separates two or more groups as a means of restricting the flow of information, would be required, or a drop-down subsidiary with the minimum ₹150 million (US$2.06 million) net-worth before 31 March 2021 would suffice, which adds to the uncertainty on the internal reorganisation required for compliance.
The PA/PG guidelines recognise the pivotal role played by intermediaries in the post-Covid-19 digital payments economy. The increased regulation and compliance requirements are likely to bring more transparency, accountability and security for consumers, and ensure only serious players remain.
Anu Tiwari and Rohan Banerjee are partners at Cyril Amarchand Mangaldas. Anindita Bhowmik, a principal associate, and Tanya Nayyar, a senior associate at the firm, also contributed to this article.