In our previous FIG Paper, we shared key learnings from our experience in connection with the payment aggregator and payment gateway guidelines (“PA/PG Guidelines”) issued by the Reserve Bank of India (“RBI”) on March 17, 2020. Based on representations received from various industry associations and payment intermediaries, the RBI has formalised the clarifications (initially issued on September 17, 2020) relating to the PA/PG Guidelines on March 31, 2021 (“Clarifications”).
In this Paper (Series – 2), we share our additional thoughts on the regulatory guidance provided by the RBI through the Clarifications.
1. Card Data Storage:
- In line with the Master Direction on Digital Payment Security Controls dated February 18, 2021 which restricts merchants, e-commerce websites and PAs from storing customer payments data, the PA/PG Guidelines emphasise that neither PAs nor the merchants on-boarded by them can store customer card credentials within their database/servers. RBI has extended the timeline for ensuring compliance with the said norms up to December 31, 2021, which would allow players to crystallise their partnerships with card networks and issuing banks and implement infrastructural changes.
- In our previous FIG Paper, we had stated that tokenisation could be a potential solution for storing card data. Under the Clarifications, the RBI has recognised tokenisation to be in compliance with its extant norms as a workable solution.
- The RBI has formally indicated that data can be stored for the purpose of transaction tracking. Given the extent of changes required to align with tokenisation and other solutions, it would be interesting to see if PAs resort to taking a wide interpretation of the term ‘transaction tracking’ to their benefit.
2. Corporate Governance:
- PAs are required to be professionally managed by persons satisfying the ‘fit and proper’ criteria. Whilst the RBI has not spelt out standards comprising the qualification/experience of directors or top management, PAs may consider proactively hiring seasoned professionals on the board and the timing of onboarding such professionals would be crucial from an application standpoint.
- Application forms to be submitted by PAs require the disclosure of the entity’s “chief executive”. Whilst this term has not been defined in the dated format of the PA application, one would generally understand this term to mean the organisation’s chief executive officer (“CEO”). Since private companies are not mandatorily required to appoint a CEO under the Companies Act, 2013, it would be interesting to observe the alternative designations and profiles that applicants would resort to, in response to this requirement. Alternatively, in view of the professional management directive, some applicants may consider appointing a CEO as well.
3. Reporting Requirements:
PA/PG Guidelines prescribe a one-time reporting by banks in terms of Paragraph 3.6 to be submitted to the RBI by April 15, 2021. However, Paragraph 3.6 which pertains to ‘separation of business’, does not specifically call out for any reporting by banks. While ensuring strict compliance, some banks did go ahead and provide a confirmation on behalf of marketplace applicants regarding the said segregation. However, it remains to be seen what purpose this confirmation/information would serve to the RBI.
Rather, Paragraph 4.6 requires existing players to have achieved a certain net-worth by March 31, 2021, and given the closely timed deadlines, we believe that a confirmation to this effect would be a fitting one-time reporting by banks. It remains to be seen how the RBI utilises this information at the time of evaluation of PA applications.
4. Ambit of the PA/PG Guidelines
- With a boom in Indian e-commerce, the RBI introduced the Intermediaries Circular of 2009 (“Intermediaries Circular”) to safeguard customers’ interests and create a framework for facilitating ‘electronic/online’ payment modes. Accordingly, it will be interesting to see if entities facilitating payments exclusively to offline merchants shall be covered within the ambit of the PA/PG Guidelines.
- A substantial portion of online payments in India are made on e-commerce marketplaces that have onboarded several merchants, wherein there exists no direct contractual relationship between the merchants and the ultimate consumer. Whilst payment processors under the aforementioned model would fall within the ambit of PA/PG Guidelines, there is no regulatory guidance on whether an e-commerce marketplace having a bilateral arrangement with a technology platform receiving funds directly from the customers of the marketplace entities will fall within the ambit of the PA/PG Guidelines and consequently, be required to separate its businesses.
- The Clarifications specify that the PA/PG Guidelines will not apply to ‘delivery v. payment’ transactions, i.e. delivery of goods/ services immediately/ simultaneously on the completion of payment by the customer. Having said that, the aspects of the transaction, wherein advance payment is made for the goods which will be delivered in a deferred manner, shall continue to be regulated under the regime of PA/PG Guidelines.
5. Data Localisation (“DL”):
- PAs are required to comply with RBI’s DL norms. Given the subjectivity in RBI’s April 6, 2018 DL circular, it will be interesting to witness RBI’s approach in case of qualifications/red-flags in the PA applicants’ system audit reports.
- The concerns around DL seem to have assumed significant importance for foreign players, against the backdrop of a recent order imposing restrictions on a leading card payment network from on-boarding new domestic customers, on account of non-compliance with data storage norms.
6. Escrows & settlement:
- Existing PAs would have to transition their ‘nodals’ to ‘escrows’ and comply with the updated instructions prescribed under the PA/PG Guidelines. Banks will have to shut nodals if an entity has not applied for a PA/PG license or where the INR 15 crore net-worth has not been met by the March 31 It is unclear if banks are expected to conduct an account-wise due diligence to ascertain whether intermediaries collecting third-party funds through nodal accounts currently have applied prior to the June 30 deadline.
- In light of the Clarifications, PAs may now continue operating their nodals beyond the June 30 deadline, if they have applied for authorisation. Whilst PAs need to maintain an escrow upon authorisation, PAs may migrate to an escrow mechanism from an earlier date, in consultation with their bankers. Since migration process may not be completed overnight, many PAs are already switching to escrows.
- Unlike the Intermediaries Circular, the PA/PG Guidelines do not adopt a ‘one size fits all’ approach in respect of settlement timelines. The timeline for disbursement of funds to the merchant would vary, depending on the agreement between the PA and the merchant, thereby giving them the flexibility to negotiate, based on their respective business models. This, coupled with the ability to have an interest-bearing escrow account, subject to certain prescribed conditions, are a welcome monetisation avenue for PA entities.
However, it is to be seen whether merchant discount rate (“MDR”) related restrictions will also apply to authorised PAs and how it may affect their margins.
The RBI, formalising the Clarifications, provides added certainty for PAs to align their models and aid in easing transaction timelines. However, we note certain relevant operational issues that market players will need to consider during this authorisation period. Foremost among them would be questions on how many PAs will be authorised from a management perspective, considering inter alia, systemic risks, regulatory capabilities, resources of the RBI and any objective threshold based on which applications would be considered.
The Clarifications allow for ease of operation wherein PAs need not carry out entire Know-Your-Customer (“KYC”) process for merchant on-boarding, in cases where such merchants already have a bank account, which is used for transaction settlement purposes.
Further, it is unclear as to the timing of when PAs should build capacities and infrastructure to be in compliance with the PA/PG Guidelines, especially considering that the RBI is expected to issue cybersecurity norms for payment service providers, which may be similar to the recently issued cyber hygiene norms for banks and NBFCs.
We continue to monitor the regulatory and market developments relating to the PA/PG space and we hope to issue a Series-3 Paper with further learnings and any updated notifications that the RBI may issue.