|
The Reserve Bank of India (RBI) has rolled out detailed regulatory guidelines for Payment Aggregators (PAs) and recommended baseline technology standards for Payment Gateways (PGs), to ensure safety, transparency and resilience in the fast-growing digital payments ecosystem.
The central bank, in its notification titled "Guidelines on Regulation of Payment Aggregators and Payment Gateways", said that while PAs handle funds and therefore require direct regulation, PGs will be treated as technology providers and are encouraged to adhere to prescribed security recommendations. According to the RBIs guidelines, non-bank PAs must seek RBI authorisation under the Payment and Settlement Systems Act, 2007. Such entities are required to be incorporated in India and maintain a minimum net-worth of Rs 15 crore at the time of application, which should be increased to Rs 25 crore by the end of the third financial year. This net-worth requirement must be maintained at all times thereafter. Existing players were allowed to operate while banks offering PA services as part of their normal banking functions are exempted from separate authorisation. The central bank has stressed that PAs should be professionally managed and adhere to a 'fit and proper' criteria for promoters and directors. Any acquisition or change in management must be reported to the central bank within 15 days. Any agreement between PAs, merchants and acquiring banks must clearly define responsibilities, including dispute resolution, refund processes and customer grievance redressal mechanisms. PAs are required to appoint a nodal officer to oversee regulatory compliance and customer grievance handling. To safeguard customer interests, the central bank guidelines make it mandatory for PAs to conduct background checks of merchants to prevent fraud, counterfeit sales or prohibited product listings. They must also ensure that merchants comply with Payment Card Industry Data Security Standards (PCI-DSS). Funds collected by PAs from customers must be kept in an escrow account with a scheduled commercial bank. PA operations must remain distinct from other businesses, and all settlements must be routed through the escrow mechanism. The central bank has also emphasised strong risk management systems to guard against fraud. PAs are required to put in place robust IT and data security infrastructure, with mandatory annual security audits by CERT-In empanelled auditors. They must also report cyber incidents immediately to RBI and CERT-In. The guidelines reiterated that customer card credentials must not be stored by either PAs or merchants, and all refunds should be made to the original payment method unless explicitly agreed otherwise by the customer. (ANI)
|
