CDD Beyond Tokenisation: Payment Aggregators / Payment Gateways

A payment aggregator (PA), also known as a merchant aggregator, is a third-party service provider that enables businesses to accept payments from customers by integrating payment functionality into their websites or mobile applications. It acts as a bridge between acquirers and merchants. Once a merchant is onboarded, it operates through a "sub-merchant account" under the aggregator; the aggregator then collects payments from customers on the merchant's behalf, pools them, and after a defined period transfers the money to the merchant in instalments. This final stage of the process is called settlement.

A payment aggregator must be incorporated as a company in India under the Companies Act (1956, now replaced by the 2013 Act). A PA may be either a bank or a non-bank entity. Because a PA handles customer funds, non-bank PAs require authorisation from the Reserve Bank of India (RBI); banks carrying out PA activity do not need a separate RBI authorisation.

Payment aggregators facilitate payments from customers to merchants, relieving merchants of having to build a payment integration of their own. The existing guidelines cover PA activity on e-commerce sites and other online channels. The latest draft guidelines propose to extend these regulations to offline spaces, i.e. proximity or face-to-face transactions. The RBI observed in June 2022 that the nature of the activities carried out by PAs, online and offline, is similar, and that it aspires to bring in "synergy in regulation covering activities and operations of PAs apart from convergence on standards of data collection and storage." The RBI has also issued guidelines for Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) for banks and the card business. These guidelines include:

 

·         Know Your Customer (KYC) norms: these help regulated entities understand their customers and their financial dealings, and manage the associated risks prudently.

·         Risk-based approach: AML/CFT controls are calibrated to the assessed money-laundering and terror-financing risk of each customer and product.

·         Screening: customers are screened against adverse media, international sanctions lists and lists of politically exposed persons (PEPs).

·         Group-wide programmes: banking groups must implement group-wide programmes against money laundering and terror financing.

·         Information sharing: group entities must share information for customer due diligence and for managing money-laundering and terror-financing risk.

·         Confidentiality: information collected from customers must be kept confidential.

·         Tokenisation: cardholders can tokenise their cards through authorised card networks, banks or card issuers. The merchant then holds a token in place of the card number and can see only the last four digits of the card and the cardholder's name.
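To make the tokenisation bullet concrete, here is an added example (not code from the original post or from any card network) of a minimal token vault: the vault keeps the card number, the merchant receives a random token that preserves only the last four digits plus a masked view, and only a caller holding the vault role can map the token back. The 16-digit token format, the in-memory store and the role string are assumptions for the example.

```python
"""Card token vault (illustrative; not an RBI or card-network reference design)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantView:
    """Everything the merchant is allowed to retain about a card."""
    token: str
    masked_pan: str
    cardholder: str


def mask_pan(pan: str) -> str:
    """Show only the last four digits, e.g. '************1111'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self) -> None:
        # token -> (pan, cardholder). In production this store is segregated
        # and encrypted at the card network / issuer; here it is a plain dict.
        self._store: dict[str, tuple[str, str]] = {}

    @staticmethod
    def _validate_pan(pan: str) -> None:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")

    def tokenise(self, pan: str, cardholder: str) -> MerchantView:
        """Issue a token; the merchant never sees the full PAN."""
        self._validate_pan(pan)
        while True:
            # Random leading digits (no BIN leaks out) plus the real last four,
            # so the merchant can still display "card ending 1111".
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._store:
                break
        self._store[token] = (pan, cardholder)
        return MerchantView(token=token, masked_pan=mask_pan(pan), cardholder=cardholder)

    def detokenise(self, token: str, caller_role: str) -> str:
        """Only the vault role (assumed name) may recover the PAN."""
        if caller_role != "vault":
            raise PermissionError("only the vault role may detokenise")
        return self._store[token][0]


def merchant_can_detokenise(vault: TokenVault, token: str) -> bool:
    """Helper for the check below: a merchant-role caller must be refused."""
    try:
        vault.detokenise(token, "merchant")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    view = vault.tokenise("4111111111111111", "A PATEL")   # constructed test PAN
    print(view)
    print("merchant can detokenise:", merchant_can_detokenise(vault, view.token))
```

The point a practitioner should take from this is the trust boundary: the token is useless for an authorisation on its own, so a breach of the merchant's database yields only tokens and masked numbers, which is exactly why the RBI guidance pushes card storage out of the merchant.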


Following its announcement in June 2022 that it would seek better regulation of offline payment aggregators (PAs) facilitating proximity or face-to-face transactions, the Reserve Bank of India (RBI) floated two consultation papers in April 2024. The first deals with the activities of offline PAs; the second proposes to strengthen the safety of the ecosystem by expanding the instructions on Know Your Customer (KYC), due diligence of onboarded merchants, and operation of escrow accounts. The RBI invited comments by May 31, 2024.

In April 2024, the Reserve Bank of India ("RBI") issued the Draft Circular for the Regulation of Payment Aggregators ("Draft Circular"), in keeping with their pivotal role in the ever-evolving financial services industry. The Draft Circular is slated to update the extant Guidelines on Regulation of Payment Aggregators and Payment Gateways, as issued by the RBI on March 31, 2021 ("Guidelines").

The Draft Circular encompasses changes to significant aspects of the Guidelines to bring them up to speed with the evolving landscape. The most notable features of the Draft Circular are as follows:

  1. Definition of Payment Aggregators ("PA"): The Draft Circular proposes to amend the definition of PAs to "Entities which on-board merchants and facilitate the aggregation of payments made by customers to such merchants, for purchase of goods and services, using one or more payment channels, in online or physical Point of Sale payment modes through a merchant's interface (physical or virtual), and subsequently settle the collected funds to such merchants." The addition of physical point-of-sale payment providers widens the scope of the Guidelines, which had limited PAs to entities enabling e-commerce sites and merchants to accept various payment instruments from customers without having to build separate payment integration systems of their own. The earlier definition emphasised that PAs connect merchants with acquirers, in particular by receiving payments from customers, pooling them, and transferring them to merchants after a set period.
  2. Introduction of categorisation: The Draft Circular classifies PAs into two categories, namely:

  • Online PAs ("PA-O"): PAs that facilitate e-commerce transactions (excluding payments made upon delivery of goods); and
  • PA Physical Point-of-Sale ("PA-P"): PAs that facilitate face-to-face or proximity payments, specifically those made upon delivery of goods.

  The Draft Circular also classifies merchants (entities that sell or provide goods and services to customers, including marketplaces) into two categories, namely:

  • Small Merchants: physical merchants dealing only in face-to-face transactions, with an annual turnover of less than Rs. 5,00,000 (five lakh), and not registered for goods and services tax (GST); and
  • Medium Merchants: merchants (physical or online) that do not meet the small-merchant criteria, with an annual business turnover of less than Rs. 40,00,000 (forty lakh), and not registered for GST.
  3. Escrow accounts: Under the extant Guidelines, PAs must keep the funds they collect in escrow accounts with scheduled commercial banks. The Draft Circular permits the same escrow account to be used for both PA-O and PA-P activities, including funds collected in "Delivery versus Payment" transactions. It also deletes "payment to any other account on specific directions from the merchant" from the list of permitted debits from the escrow account.
  4. Due diligence / KYC of merchants: PAs must undertake due diligence of the merchants they onboard in line with the Customer Due Diligence requirements of the RBI's Master Directions on KYC, 2016. For small merchants, the PA must conduct contact point verification ("CPV") of the business establishment and verify the merchant's bank account. For medium merchants, CPV must be accompanied by verification of one Officially Valid Document ("OVD") of the proprietor/beneficial owner and one OVD of the business itself. Existing PAs must complete this due diligence for all existing merchants by September 30, 2025, and must submit quarterly compliance reports to the RBI (through its regional offices) by the 7th day of the month following each quarter.
  5. Agents: PAs may use agents for merchant onboarding if they have a board-approved policy clearly laying out the agent engagement protocols. Thorough due diligence of persons appointed as agents must be carried out, and the PA remains responsible as principal for all acts of its agents (including safety and security) and must preserve records and the confidentiality of customer information at all times.


Key Highlights of the Proposed Guidelines are as follows:

Authorization: Non-bank PA-Ps must obtain authorization from the RBI to operate a payment system for offline payment aggregation by May 31, 2025. Existing non-bank PA-Os must seek approval from the RBI to continue their PA-P activities.

Compliance Requirements: PA-Ps must adhere to governance, merchant onboarding, customer grievance redressal, and dispute management frameworks, as well as security, fraud prevention, and risk management measures outlined in the PA Guidelines. Continued compliance with these conditions is essential for authorization and approval by the RBI.

Net-worth Criteria: Non-bank PA-Ps must maintain a minimum net-worth of INR 15 crore at the time of application and INR 25 crore by March 31, 2028.

Payments on merchant's instructions: The debit currently permitted from the escrow account for payment to any other account on specific directions from the merchant is proposed to be deleted from the PA Guidelines.

KYC for Merchants: Merchants are categorized based on turnover and GST registration status, with corresponding due diligence requirements for KYC conducted by PA-Ps. The proposed categories are as follows:

Small Merchants: These merchants operate with physical presence, exclusively conducting face-to-face and proximity transactions, and generate an annual turnover of less than INR 5,00,000. They are not registered under the Goods and Services Tax (GST) regime. For small merchants, PAs are required to perform due diligence, including contact point verification (CPV) of their physical premises and verification of their bank account details.

Medium Merchants: These merchants have either a physical or an online presence and generate an annual turnover of between INR 5,00,000 and INR 40,00,000. Like small merchants, they are not registered under the GST regime. PAs must conduct CPV and must obtain and verify one officially valid document (OVD) of the proprietor/beneficial owner and one OVD of the business.

Monitoring of Merchants: PA-Ps must monitor the transaction activity of all merchants, ensure it is consistent with their stated business profiles, and escalate customer due diligence where activity is high-risk. These obligations are evidently intended to mitigate the risk of merchant accounts being used for money laundering.

Registration with FIU: Non-bank PAs must register with the Financial Intelligence Unit-India (FIU-IND) and provide requested information.

Restrictions on Data Storage: Like online transactions, restrictions on storage of card data apply to offline transactions, effective from August 01, 2025.

Agent Appointment: PAs can appoint third-party agents for merchant onboarding, with PAs assuming responsibility for their actions.

Other Compliances:

The Draft Circular also requires PAs to carry out ongoing monitoring of the transaction activity of their merchants, on the basis of which a merchant may be migrated to a higher category of Customer Due Diligence.

PAs must verify that the merchant transactions they process align with the merchant's stated business profile, and risk-based payment limits must be put in place for onboarded merchants.
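The monitoring obligations above (profile consistency, risk-based limits, migration to a higher CDD category) are what a PA's transaction-monitoring rule set actually implements. The following is an added example, not code from the original post or from any PA, showing one way to do it for the small/medium tiers described on this page. The Rs. 5 lakh and Rs. 40 lakh turnover bands are taken from the Draft Circular as quoted here; the per-transaction caps, the merchant profile fields and the sample traffic are constructed assumptions.

```python
"""Merchant transaction monitoring against declared profile (illustrative)."""
from dataclasses import dataclass, field

# Turnover bands quoted from the Draft Circular (in rupees).
SMALL_CEILING = 500_000
MEDIUM_CEILING = 4_000_000

# Assumed risk-based per-transaction caps for each CDD tier (not RBI figures).
PER_TXN_CAP = {"small": 10_000, "medium": 50_000, "full": None}


@dataclass
class Merchant:
    merchant_id: str
    cdd_tier: str             # "small" (CPV + bank a/c), "medium" (CPV + OVDs), "full"
    physical_only: bool       # declared profile: face-to-face transactions only
    volume: int = 0           # cumulative settled volume this year
    alerts: list = field(default_factory=list)


@dataclass(frozen=True)
class Txn:
    amount: int
    channel: str              # "pos" or "online"


def process(m: Merchant, t: Txn) -> bool:
    """Screen one transaction against the merchant's profile.

    Returns True if it may be settled. Deviations raise an alert and, where the
    declared turnover band no longer fits, migrate the merchant to a higher
    CDD tier so that the corresponding due diligence (CPV, OVDs) is triggered.
    """
    cap = PER_TXN_CAP[m.cdd_tier]
    if cap is not None and t.amount > cap:
        m.alerts.append(f"{m.merchant_id}: {t.amount} exceeds {m.cdd_tier}-tier cap {cap}; hold for review")
        return False
    if m.physical_only and t.channel != "pos":
        m.alerts.append(f"{m.merchant_id}: {t.channel} transaction from a face-to-face-only merchant")
        return False
    m.volume += t.amount
    if m.cdd_tier == "small" and m.volume > SMALL_CEILING:
        m.cdd_tier = "medium"
        m.alerts.append(f"{m.merchant_id}: volume {m.volume} exceeds small-merchant ceiling; "
                        "escalated to medium CDD (CPV + OVD verification)")
    elif m.cdd_tier == "medium" and m.volume > MEDIUM_CEILING:
        m.cdd_tier = "full"
        m.alerts.append(f"{m.merchant_id}: volume {m.volume} exceeds medium-merchant ceiling; "
                        "escalated to full KYC")
    return True


def run_sample() -> Merchant:
    """Constructed sample: a shop onboarded as a small, face-to-face-only merchant."""
    m = Merchant("M001", "small", physical_only=True)
    traffic = [Txn(2_500, "pos")] * 190 + [Txn(9_000, "pos")] * 5   # crosses Rs. 5 lakh
    traffic += [Txn(4_000, "online"), Txn(12_000, "pos")]           # profile mismatch, then a larger POS sale
    for t in traffic:
        process(m, t)
    return m


if __name__ == "__main__":
    merchant = run_sample()
    print(merchant.cdd_tier, merchant.volume)
    print("\n".join(merchant.alerts))
```

Note that the escalation is one-way and driven by observed volume, not by what the merchant declared at onboarding; that is the practical meaning of "migrated to a higher category of CDD".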

PAs ought to ensure that the marketplaces they onboard do not handle funds for services not offered through their platform.

PAs must maintain ongoing compliance with the wire transfer guidelines in the Master Directions on KYC, 2016.

Regulatory developments play a direct and significant role in the future of any industry. This is especially true in the arena of technology, where innovation is often unforeseen at the preliminary stages. With the advent of several new processes and technologies in financial technology and payment aggregation in the recent past, the revamp of the guidelines governing payment aggregators and gateways is rightly timed. By adapting to the evolving landscape, the Draft Circular aims at transparency, security and sustainability, fostering a conducive environment for continued growth and innovation in the sector.


In an effort to make digital transactions safer, the Reserve Bank of India on July 30, 2024 issued new rules for non-bank payment system operators (PSOs), under which a real-time fraud monitoring solution must be put in place to identify suspicious transactional behaviour and generate alerts.

Regarding mobile payments, RBI said PSOs should ensure that an authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer.

In case of any interference, or if the customer closes the application, the session shall be terminated and the affected transactions resolved or reversed.

RBI further said the card networks should facilitate implementation of transaction limits at card, bank identification number (BIN) as well as at card issuer level. Such limits shall mandatorily be set at the card network switch itself.
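The requirement that limits be applied at card, BIN and issuer level "at the card network switch itself" means the switch must keep three sets of counters and decline before the request ever reaches the issuer. The following added example (not code from the RBI text or from any card network) shows that check; the daily limit values, the 6-digit BIN assumption and the sample authorisation traffic are constructed for illustration.

```python
"""Card / BIN / issuer limits enforced at a card-network switch (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    issuer: str     # issuing institution identifier, assumed to accompany the request
    amount: int     # rupees in this example; the check is unit-agnostic


class SwitchLimits:
    """Per-day cumulative limits at three levels, checked before issuer routing."""

    def __init__(self, card_daily: int, bin_daily: int, issuer_daily: int) -> None:
        self.limits = {"card": card_daily, "bin": bin_daily, "issuer": issuer_daily}
        self.spent = {level: defaultdict(int) for level in self.limits}

    @staticmethod
    def _keys(req: AuthRequest) -> dict:
        # Assumes a 6-digit BIN; for 8-digit BINs use req.pan[:8].
        return {"card": req.pan, "bin": req.pan[:6], "issuer": req.issuer}

    def authorise(self, req: AuthRequest) -> str:
        """Return 'approved' or 'declined:<level>' for the first level breached."""
        keys = self._keys(req)
        # Evaluate every level before touching any counter, so a decline at one
        # level does not consume headroom at the others.
        for level, key in keys.items():
            if self.spent[level][key] + req.amount > self.limits[level]:
                return f"declined:{level}"
        for level, key in keys.items():
            self.spent[level][key] += req.amount
        return "approved"

    def reset_day(self) -> None:
        """Called at the daily cut-over; counters start from zero."""
        for counters in self.spent.values():
            counters.clear()


def run_sample() -> list:
    """Constructed traffic: four cards, two BINs, one issuer, one business day."""
    switch = SwitchLimits(card_daily=200_000, bin_daily=250_000, issuer_daily=300_000)
    traffic = [
        AuthRequest("4111110000000001", "BANK_A", 60_000),   # approved
        AuthRequest("4111110000000001", "BANK_A", 150_000),  # card: 210k > 200k
        AuthRequest("4111110000000002", "BANK_A", 150_000),  # approved; BIN 411111 now 210k
        AuthRequest("4222220000000003", "BANK_A", 80_000),   # approved; issuer now 290k
        AuthRequest("4333330000000004", "BANK_A", 20_000),   # issuer: 310k > 300k
        AuthRequest("4111110000000002", "BANK_A", 50_000),   # card exactly 200k ok, BIN 260k > 250k
    ]
    return [switch.authorise(r) for r in traffic]


if __name__ == "__main__":
    for outcome in run_sample():
        print(outcome)
```

The BIN-level limit is the one that matters during an issuer-side incident: if a single BIN's cards are being drained, the network can cap the whole range without waiting for each issuer to react.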

Moreover, under the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs, an online session on a mobile application must be terminated automatically after a fixed period of inactivity and the customer prompted to log in again.
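The three session rules above (keep one authenticated session intact, terminate on interference or app close and reverse what was in flight, expire idle sessions and force re-login) fit in a single session manager. Here is an added example, not code from the RBI directions or from any PSO, in which a per-session HMAC key stands in for the encrypted channel: a request whose MAC does not verify is treated as interference. The 120-second idle timeout, the message format and the scenario are assumptions.

```python
"""Mobile-payment session lifecycle: integrity, teardown, idle expiry (illustrative)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 120  # fixed inactivity period before forced re-login (assumed value)


@dataclass
class Session:
    key: bytes                                     # per-session key bound at login
    last_seen: float
    state: str = "active"                          # active | expired | terminated
    pending: list = field(default_factory=list)    # txn ids awaiting completion
    reversed: list = field(default_factory=list)   # txn ids reversed on teardown


class SessionManager:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, now: float) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(key=secrets.token_bytes(32), last_seen=now)
        return sid

    def tag(self, sid: str, payload: bytes) -> bytes:
        """MAC the client computes over each request (stand-in for channel encryption)."""
        return hmac.new(self.sessions[sid].key, payload, hashlib.sha256).digest()

    def submit(self, sid: str, txn_id: str, payload: bytes, tag: bytes, now: float) -> str:
        s = self.sessions[sid]
        if s.state != "active":
            return "re-login required"
        if now - s.last_seen > IDLE_TIMEOUT_S:
            s.state = "expired"           # idle session: customer must log in again
            self._unwind(s)
            return "re-login required"
        if not hmac.compare_digest(self.tag(sid, payload), tag):
            # Integrity failure on an authenticated session is interference:
            # terminate and reverse whatever was still in flight.
            self.terminate(sid)
            return "terminated"
        s.last_seen = now
        s.pending.append(txn_id)
        return "accepted"

    def complete(self, sid: str, txn_id: str) -> None:
        self.sessions[sid].pending.remove(txn_id)

    def terminate(self, sid: str) -> None:
        """Called on interference or when the customer closes the app."""
        s = self.sessions[sid]
        s.state = "terminated"
        self._unwind(s)

    @staticmethod
    def _unwind(s: Session) -> None:
        """Resolve in-flight transactions by reversing them."""
        s.reversed.extend(s.pending)
        s.pending.clear()


def run_sample() -> dict:
    """Constructed scenario exercising accept, interference and idle expiry."""
    mgr, out = SessionManager(), {}
    sid = mgr.login(now=0)
    p1 = b'{"txn":"T1","amount":500}'
    out["t1"] = mgr.submit(sid, "T1", p1, mgr.tag(sid, p1), now=10)
    mgr.complete(sid, "T1")
    p2 = b'{"txn":"T2","amount":900}'
    out["t2"] = mgr.submit(sid, "T2", p2, mgr.tag(sid, p2), now=20)
    tampered = b'{"txn":"T3","amount":90000}'
    out["t3"] = mgr.submit(sid, "T3", tampered, mgr.tag(sid, p2), now=25)  # tag does not match body
    out["after"] = mgr.submit(sid, "T4", p2, mgr.tag(sid, p2), now=30)
    out["reversed"] = list(mgr.sessions[sid].reversed)
    sid2 = mgr.login(now=100)
    out["idle"] = mgr.submit(sid2, "T5", p1, mgr.tag(sid2, p1), now=100 + IDLE_TIMEOUT_S + 1)
    out["idle_state"] = mgr.sessions[sid2].state
    return out


if __name__ == "__main__":
    print(run_sample())
```

Two design points worth noting: the idle check is made on the server's clock and not the client's, and the terminated session never becomes usable again, so a captured session identifier is worthless after teardown.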

Also, the card networks should institute an alert mechanism on a 24x7 basis, to be triggered to the card issuer in case of any suspicious incident. RBI also said card networks will have to ensure that card details of the customers are stored in an encrypted form at any of their server locations.

The central bank has also encouraged Prepaid Payment Instruments issuers to communicate OTP and transaction alerts with users in a language of their choice, including vernacular languages.

RBI said the PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information in respect of data available with it or at vendor managed facilities.

They will also have to develop a business continuity plan based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed.

According to the directions, while sending SMS or e-mail alert to customers, either by PSO or payment system participants, it has to be ensured that bank account number, card number, or other confidential information are redacted/masked to the extent possible.
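Masking in alerts is a data-leak-prevention control at the last hop: the SMS channel is cleartext and the handset may be compromised. The following added example (not code from the RBI directions or from any PSO) redacts card and account numbers in an outgoing alert while keeping the last four digits; it also generalises slightly beyond the paragraph by using a Luhn check to distinguish card numbers from other digit runs. The 9-18 digit rule for account numbers, the "X" mask character and the sample alert text are assumptions.

```python
"""Redaction of card / account numbers in customer alerts (illustrative)."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate account numbers: any remaining run of 9-18 digits (assumed range).
ACCT_RE = re.compile(r"(?<!\d)\d{9,18}(?!\d)")

# Constructed alert; the account and card numbers are test values, not real ones.
SAMPLE_ALERT = ("Rs.1,250.00 debited from A/c 50100234567890 on 30-07-2024 "
                "using card 4111 1111 1111 1111. OTP 482913. Ref ORD7731A.")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; true for real card numbers, false for most other runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_keep_last4(digits: str) -> str:
    return "X" * (len(digits) - 4) + digits[-4:]


def redact(alert: str) -> str:
    """Mask card and account numbers in an outbound alert, keeping the last four digits.

    Card candidates that pass Luhn are masked first (separators dropped); any
    remaining long digit run is treated as an account number and masked too.
    Short values such as a 6-digit OTP or a date are left alone.
    """
    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_keep_last4(digits) if luhn_ok(digits) else m.group(0)

    alert = CARD_RE.sub(card_sub, alert)
    return ACCT_RE.sub(lambda m: mask_keep_last4(m.group(0)), alert)


def redact_sample() -> str:
    return redact(SAMPLE_ALERT)


if __name__ == "__main__":
    print(redact_sample())
```

The rule is deliberately conservative: a 12-digit payment reference with no letters would also be masked, which is the right failure direction for a channel the PSO does not control, but templates should therefore carry alphanumeric references rather than bare digit runs.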

The PSO shall provide a facility on its mobile application / website that enables customers, with the necessary authentication, to identify / mark a fraudulent transaction for seamless and immediate notification to the issuer of the payment instrument.




Reporting Suspicious Transactions


On April 22, 2024 the Reserve Bank of India asked all authorised non-bank Payment System Operators (PSOs) to report high-value and suspicious transactions undertaken on their platforms during the election period.

The players in this sector range from card networks such as Visa, Mastercard and RuPay, to payment gateways such as Razorpay, Cashfree, Mswipe, Infibeam and PayU, to payment apps such as Paytm, BharatPe, MobiKwik, Google Pay and PhonePe, as well as firms involved in cross-border money transfer, ATM networks, PPIs, instant money transfer, TReDS, BBPS and related systems. Because these fintech firms facilitate transactions within the payment ecosystem, they were instructed to send daily reports to help ensure fair elections.


These updates reflect the growing significance of digital transactions and emphasise the importance of governance and adherence to regulatory standards.






Happy reading,
