When it comes to regulations regarding IT securities and consumer protection, the Reserve Bank of India should clearly distinguish between payment aggregators and payment gateways, Dvara Research said in its submission to the central bank. The RBI had released a discussion paper on guidelines for payment aggregators and payment gateways in September.

Dvara also said that RBI should harmonise the proposed consumer grievance redressal framework with the existing consumer recourse mechanism. However, the recommendations did not incorporate important issues regarding simplifying the KYC check system for PAs/PGs and governance of e-commerce marketplaces under the proposed framework by RBI.

The key recommendations have been summarised below:

Recommendation 1: Provide a clear articulation of regulatory objectives so that proportionality of proposed regulations can be assessed and regulatory efforts aren’t duplicated. The regulator needs to specify the financial and consumer protection risks and financial stability risks that are being addressed to assess the effectiveness of the proposed regulatory framework.

For instance, the RBI’s discussion paper suggests PAs and PGs to “consider information disclosure policies, privacy policies, and digital footprints while conducting due diligence.” However, PAs and PGs may not be well equipped to analyse merchants’ privacy policy, Dvara noted.

Recommendation 2: Clearly specify the distinction between payment aggregators and payment gateways. For regulations regarding IT securities, consumer protection, and contractual clarity, RBI should differentiate between PAs and PGs. The regulator should also specify the risks that this distinction is seeking to address at the functional level. Also, the definition of PAs in the discussion paper claims deeper consideration. This is because the 2009 directions for payment intermediaries (such as PAs and PGs) say that the nodal accounts opened and maintained for facilitating collection of payments by intermediaries from customers of merchants shall be treated as internal accounts of the banks and will not be operated by the intermediaries.

Recommendation 3: Harmonise the proposed consumer grievance redressal framework with the existing consumer recourse mechanism. The proposed grievance redressal mechanism resembles the existing Ombudsman Scheme for Digital Transactions (OSDT). This also deviates from the government’s longstanding recommendation of creating a unified financial redress agency for consumers. Multiple, parallel and fragmented channels of redressal mechanisms create confusion amongst users.

Recommendation 4: Create symmetric regulation of all digital financial activities to ensure uniform treatment of users’ data. As the PAs and PGs play a significant role in digital payment, the regulator should consider revaluation of their cybersecurity framework. RBI should harmonise the cybersecurity requirements in its proposed framework across the financial sector, which will minimise the scope of regulatory arbitrage.

Recommendation 5: Provide more details on the options of the proposed policy alternatives as this would enable a better comparison of their relative costs and benefits. RBI’s discussion gave three policy frameworks as options for regulating PAs and PGs: continue with the extant instructions, limited regulations, and full and direct regulations. Since RBI did not elaborate on the first two, it is hard to assess and recommend a policy alternative with certainty.

Go deeper: RBI should cover all payment intermediaries for payment instructions