By Shivanand Pandit
The Reserve Bank of India (RBI), in June 2022, announced its intention to enhance the regulation of offline payment aggregators (PAs) involved in proximity or face-to-face transactions. Recently, in April 2024, the RBI released two consultation papers. The first focuses on regulating the activities of offline PAs, while the second aims to bolster the safety of the ecosystem by broadening guidelines for Know Your Customer (KYC), conducting due diligence on onboarded merchants, and managing operations in Escrow accounts.
Payment aggregators facilitate payment settlement between customers and merchants, relieving merchants from developing their payment integration systems. While current guidelines govern their operations in online platforms, proposed draft guidelines aim to broaden their scope to include offline transactions, such as proximity or face-to-face interactions. The RBI noted in June 2022 that the functions of payment aggregators, whether online or offline, share similarities. The goal is to harmonize regulations across all activities of payment aggregators and establish uniform standards for data collection and storage.
New Wine in the New Bottle
The proposed regulations draw insights from this year’s events involving Paytm Payments Bank (PPBL), though in a different domain. By broadening the operational framework of Payment Aggregators (PAs), the RBI seems intent on fortifying the ecosystem against any lack of transparency. The PPBL crisis, prompted by various factors, notably significant irregularities in KYC compliance, serves as a cautionary tale. The Financial Intelligence Unit (FIU-IND) levied a penalty of ₹5.49 crore after discovering that PPBL had been implicated in various illicit activities, including the facilitation of online gambling. This illicitly obtained money was channelled through bank accounts linked to these unlawful entities, further implicating PPBL.
The primary focus here is on non-bank PAs, particularly those operating offline. Banks offering physical PA services won’t need separate authorization from the RBI; they simply need to comply with updated instructions within three months of issuance. Non-bank entities providing PA services offline at point-of-sale (PoS) terminals must notify the RBI within 60 days of the circular’s issuance to seek authorization. However, they can continue operations during this period.
Regarding non-banking entities providing PA services online, authorised and pending applicants must seek approval for their offline PA activities from the Department of Payment and Settlement Systems within 60 days of the directive. It also applies to any authorised entity intending to enter the online and/or offline PA domain inthe future.
The RBI’s directives also require entities engaged in PoS activities to adhere to guidelines on merchant onboarding, customer grievance redressal, dispute management, technology standards, security, fraud prevention, and risk management within three months. Adherence to the existing 2020 guidelines will be considered positively for entities needing fresh registration during application processing.
The regulator has introduced net worth requirements for PAs facilitating face-to-face or proximity transactions. To apply for RBI authorization, these entities must have a minimum net worth of ₹15 crores. According to the proposed norms, they must increase their net worth to ₹28 crores by March 2028. New non-bank PA-Ps must have a net worth of ₹15 crores when applying to the RBI for authorization. Within three years of authorization, they must raise their net worth to ₹25 crores and maintain it thereafter. Offline operators failing to comply with the authorization process must cease operations by July 31, 2025. Banks failing to apply for authorization risk closure of their accounts by October 2025.
Comprehensive KYC
requirements
The regulations aim to ensure that merchants onboarded adhere to strict guidelines regarding the services they offer and the funds they handle. While Know Your Customer (KYC) procedures are already obligatory, the proposed regulations intend to refine these provisions.
The RBI’s proposed guidelines categorize merchants into small and medium categories. Small merchants are defined as physical businesses with an annual turnover of less than ₹5 lakh, not registered under the GST regime. The regulator suggests PAs conduct ‘contact point verification’ (CPV) to physically confirm the existence of such businesses. Additionally, they must verify the bank accounts used for fund settlements. Medium merchants, with an annual turnover of less than ₹40 lakhs, whether physical or online and not registered under the GST, would also undergo contact point verification.
PAs are required to confirm the existence of these businesses by validating official documents of the proprietor, beneficial owner, or attorney holder, along with documents about the business itself.Furthermore, PAs must ensure that transactions conducted by their merchants align with their stated business activities. They are tasked with assigning risk-based payment limits to these merchants and may escalate due diligence based on transaction patterns.
The draft regulations stipulate that, effective August 1, 2025, only card issuers and/or card networks may retain data for face-to-face payments.Other entities are required to purge previously stored data. However, limited data retention for tracking and reconciliation purposes is allowed, including the last four digits of the card number and the issuer’s name.
Stringent regulations,
fiercer rivalry
In the latest tally, over two dozen applicants await approval for a PA license, a surprising surge given the crowded field with nearly 30 incumbents. The challenge lies not only in the stiff regulations but also in the pivotal aspect of Contact Point of Verification (CPV) in the RBI’s draft guidelines.
The stringent requirement for physical KYC and accompanying due diligence mirrors that of universal banks, adding to the burden. Moreover, PAs must also validate the bank accounts where merchants’ funds are settled, making CPV a laborious process, especially for smaller merchants. It could jeopardize payment acceptance, particularly for smaller businesses that find verification costs prohibitive. Such hurdles may lead PAs to reconsider serving smaller merchants, potentially diverting funds elsewhere, and affecting peer-to-peer merchant transactions.
With estimates suggesting a KYC verification could cost up to ₹5,000 each, outsourcing to Business Correspondents or agencies might lead to incomplete verification due to the sheer volume. To sustain operations, PAs will need focused strategies, identifying suitable use cases, merchant segments, and value propositions meticulously.In essence, navigating the regulatory landscape and mitigating operational challenges will demand concerted efforts from PAs to carve out a sustainable path forward.
Some established players propose that if a bank conducts KYC procedures for a merchant, it should suffice for the PA as well. However, regulators might demand that PAs take full responsibility for KYC due to the settlement process, where funds flow from the sponsor bank through the PA’s bank to the end customer’s account. TheRBI is unlikely to permit third-party providers to assist with KYC, unlike other regulators.Additionally, it may not recognize websites as legitimate business premises for online ventures. Despite high costs, including technology investment and customer incentives, profit margins are expected to be razor-thin, possibly ranging from 4 to 10 basis points. Consequently, only entities prepared for high-volume transactions are likely to endure.
Major corporate entities such as the Tatas and Reliance Industries are endeavouring to harness internal streams by establishing their payment aggregator entities. While not primarily driven by high economics, this is more about scaling the business, which may lead to several exits. Unless there is a shift in regulatory stance, the number of exits could be significant.
The writer is a tax specialist, financial adviser, guest faculty and public speaker based in Goa.
He can be reached at [email protected]
