The Reserve Bank of India must implement full and direct regulations for payment aggregators (PA) and payment gateways (PG), Vidhi Centre for Legal Policy said in its submission (available below) to the central bank. It also said that implementation of limited rules without any registration/licensing will impact effective enforcement of provisions for payment intermediaries. RBI should specify the role, rights, and liabilities of payment intermediaries that have access to sensitive customer data, Vidhi said in its response to RBI’s discussion paper on guidelines for PAs and PGs, released in September.
RBI’s discussion paper set out three possible approaches to regulating the activities of PAs and PGs: continue with extant instructions (option 1), limited regulation of such entities (option 2), and full and direct regulations (option 3). Vidhi has recommended going with option 3.
The key recommendations have been summarised below:
Recommendation 1: Do not continue with the extant instructions (option 1). Given that the discussion paper itself notes that there are no proper consumer redress mechanisms or uniformity in practice across entities, there is a need for a framework that specifies the role, rights, and liabilities of payment intermediaries that have access to sensitive customer data and funds. Also, although the discussion paper says that RBI will clarify the applicability of the 2009 directions for electronic payment transactions, the nature of the clarifications sought hasn’t been specified.
Recommendation 2: Do not implement limited regulations (option 2). Option 2 does not specify the scope of the proposed regulation. Reviewing regulations listed under option 2 will overlap with option 3, but certain issues — customer grievance redressal and dispute management, security, fraud prevention, and risk management — are not clarified under option 2. Also, the implementation of limited rules without any registration/licensing requirement will impact the effective enforcement of provisions.
Recommendation 3: Implement full and direct regulations for PAs and PGs (option 3). Given the growing adoption of digital payments, there is a need for proportionate and risk-based regulation. Under this regulatory approach, PAs and PGs will be subject to direct regulatory supervision of RBI in respect to requirements relating to authorisation, capital, governance, anti-money laundering (AML) and know your customer (KYC), consumer grievance redressal mechanism, dispute management, security, fraud and risk management. These provisions are missing in the other two proposed frameworks (options 1 and 2).
Recommendation 4: Implement regulatory prescription for banks under the Payments Settlements System (PSS) Act 2007. RBI should order banks that act as payment aggregators to obtain authorisation under the PSS Act 2007. Banks providing payment gateway services should obtain an approval/no objection certificate from RBI for the purposes of digital payment services. Such banks should be required to comply with specific requirements, including provisions relating to technical requirements, submission of information, reports, etc.
Recommendation 5: Allow PA/PG to opt for payment settlement mechanism of their choice to safeguard customers’ funds. The mechanism could either be the existing arrangement of maintaining a nodal account, or a PA/PG could choose to maintain an escrow account with a bank for merchants. Shifting to an escrow account arrangement will provide protection to funds collected from customers and maintained in escrow accounts with banks.
Recommendation 6: Specify obligations under the KYC and AML requirements for PA/PGs while onboarding merchants. RBI has asked payment aggregators to undertake background and antecedent checks of merchants to ensure that merchants do not have any wrong intentions of duping customers, faking sales, etc. RBI should reconsider such directions as PAs and PGs may find it difficult to comply with such requirements and consider them onerous.
Recommendation 7: Clearly distinguish between payment services providers and technical service providers. RBI should study the nature of services provided by PA/PG and provide clarification for entities that solely provide technical services and support provision of any payment services. The following services should come under the technical service provider category: service of processing and storing data, any information technology security, trust or privacy protection service, data and entity authentication service, and all information technology services.