In early March 2020, a regulatory moratorium imposed on a private bank in India froze the country’s digital payments ecosystem. Many payment aggregators (“PA”) and payment gateways (“PG”) had set up nodal accounts with this bank, including others, and it raised a question on whether the customer funds pooled in those accounts were bankruptcy ‘remote’. Within 10 days, the Reserve Bank of India (“RBI”) issued the payment aggregator and gateway guidelines (“PA/PG Guidelines”) on March 17, 2020, under the Payment and Settlement Systems Act, 2007 (“PSSA”), to regulate PAs and prescribe baseline technology standards for PAs and PGs.
The PA/PG Guidelines seek to address key gaps in the country’s payments architecture, including on bankruptcy protection of pooled funds, data storage and privacy, security and audit framework, settlement cycle, liability framework, consumer protection, etc., as an improvement to the earlier Intermediaries Circular issued by the RBI on November 24, 2009.
Whilst the interpretation of ‘PA’ and ‘PG’ is evolving, both qua registration and compliances prescribed, it appears settled now, that any technology platform collecting funds from customers, for settlement to merchants, may be covered within the PA/PG Guidelines and needs to apply for an RBI authorisation to continue beyond June 30, 2020.
With this Paper (Series-1, to be followed by Series-2), we share our key learnings basis recent experience with the RBI PA/PG application process.
1. Card Data Storage:
- Under the revised regime, ability of merchants and PAs to save customer card credentials/ other related data within their databases may be impacted. We understand that a few subscription-based technology platforms have approached the RBI, in this regard, since they already hold the PCI DSS certification. As merchants are not regulated by the RBI, it would be interesting to see how this evolves.
RBI has issued certain clarifications to industry bodies on ‘transaction tracking’, which may be helpful.
- Whilst ‘tokenisation’ may be a possible solution, given the ongoing debate around the introduction of the Personal Data Protection Bill (“PDP”), India’s GDPR equivalent, before the Indian Parliament, it would be interesting to see the impact that our new PDP law has on data/ privacy rules issued by sectoral regulators like the RBI.
2. OPGSP versus ‘PA / PG’:
- The PA/PG Guidelines also apply to the domestic leg of import/ export related payments, facilitated by PAs, within the framework of the online payment gateway service providers (“OPGSP”) guidelines, dated September 24, 2015 (“OPGSP Circular”).
- Whilst the above has created some confusion in terms of the overlap between PA/PG Guidelines and the OPGSP Circular, and the point at which one ends and the other begins, especially given that PA/PG Guidelines are issued by the Department of Payment and Settlement Systems and the OPGSP Circular is used by the Foreign Exchange Department of the RBI. Based on business models followed, global OPGSP players operating in India may have to either tweak their models or ‘piggy-back’ on existing PA/PG or apply to the RBI for PA/PG authorisation by June 30.
3. ‘Nodals’ versus ‘Escrows’:
PA/PG Guidelines require PAs to move away from the earlier ‘nodal account’ model to a maximum of 2 ‘escrows’. This may impact existing PA/PGs operating multiple ‘nodals’.
4. Separation of Business:
- PA/ PG Guidelines require e-commerce marketplaces to either discontinue any PA activity before June 30 or separate such activity from the marketplace business.
- The PA/ PG Guidelines do not clarify whether a ‘Chinese wall’ approach would be required, or a ‘drop-down’ subsidiary, with the minimum INR 150 million net-worth before March 31, 2021, would be required.
- Given the sensitivities surrounding the above, internal reorganisation required under the second option (‘slump sale’ versus ‘asset transfer’) will be onerous in the absence of regulatory guidance.
We are monitoring the developments relating to the PA/ PG space and will issue the Series-2 Paper with further learnings, basis developments, including regulatory and market guidance, if any.