Card System Operators & AML/CFT

 

PMLA 2002 and Card Operators

According to Sec 2(rb) of PMLA 2002, payment system means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them.[2009]

Explanation. For the purposes of this clause, payment system includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations.

RBI, India Guidelines 

The RBI, India's Master Direction RBI/2015-16/42 DBR.AML.BC.No.15/14.01.001/2015-16 dated July 1, 2015:

Customer Identification Procedure (CIP) is required while selling banks’ own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for more than Rs. 50,000/-.

Introduction of New Technologies – Credit Cards/Debit Cards/ Smart Cards/Gift Cards

Banks should pay special attention to any money laundering threats that may arise from new or developing technologies including internet banking that might favour anonymity, and take measures, if needed, to prevent the same being used for money laundering purposes. Many banks are engaged in the business of issuing a variety of Electronic Cards that are used by customers for buying goods and services, drawing cash from ATMs, and can be used for electronic transfer of funds. Banks should ensure that appropriate KYC procedures are duly applied before issuing the cards to the customers. Banks are required to ensure full compliance with all KYC/AML/CFT guidelines issued from time to time, in respect of add-on/ supplementary cardholders also. Further, marketing of credit cards is generally done through the services of agents. It is desirable that agents are also subjected to due diligence and KYC measures.

Technology requirements:

The AML software in use at banks/FIs needs to be comprehensive and robust enough to capture all cash and other transactions, including those relating to walk-in customers, sale of gold/silver/platinum, payment of dues of credit cards/reloading of prepaid/travel cards, third party products, and transactions involving internal accounts of the bank.

RBI, India on Pre-paid Payment Instruments

Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India RBI/2016-2017/16 DPSS.CO.PD.PPI.No.01/02.14.006/2016-17 dated July 01, 2016 has been issued to facilitate the Prepaid Payment Instrument Issuers, System Providers, System Participants and all other Prospective Prepaid Payment Instrument Issuers to have all the extant instructions on the subject at one place.

Safeguards against Money Laundering (KYC/AML/CFT) Provisions

The Know Your Customer/Anti-Money Laundering/Combating Financing of Terrorism guidelines issued by the Reserve Bank of India to banks, from time to time, shall apply mutatis mutandis to all the persons issuing pre-paid payment instruments.

As PPI issuers are operating a Payment System, provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, are also applicable to PPI issuers. Necessary systems shall be put in place to ensure compliance with these guidelines.

The use of pre-paid payment instruments for cross border transactions shall not be permitted except for the payment instruments provided at paragraph 4.1 of the guidelines.

Persons issuing pre-paid payment instruments shall maintain a log of all the transactions undertaken using these instruments. This data should be available for scrutiny by the Reserve Bank or any other agency / agencies as may be advised by the Reserve Bank. These persons shall also file Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit – India (FIU-IND).

Payment System Operator & AML/CFT

The Prevention of Money Laundering Act (PMLA) of 2002 defines a "payment system operator" as someone who operates a payment system, including their overseas principal:

  • Payment system: A system that allows a payer to make a payment to a beneficiary, which may involve clearing, payment, or settlement services
  • Payment system operator: A person who operates a payment system, including their overseas principal
  • Overseas principal: An individual or Karta of a Hindu undivided family who resides outside India and owns, controls, or manages the activities of a payment system in India 

 

A payment aggregator is a third-party service provider that enables customers to make payments to merchants.

These new directions define payment aggregators (PAs) as “entities which on-board merchants and facilitate aggregation of payments made by customers to such merchants, for purchase of goods and services, using one or more payment channels, in online or physical Point of Sale payment modes through a merchant’s interface (physical or virtual), and subsequently settle the collected funds to such merchants.” This definition notably adds physical point-of-sale payment providers within the ambit of payment aggregators, which means that companies like Pine Labs and MSwipe would now fall under the scope of PA regulation. It is only through these payment aggregators that customers are able to make payments via debit and credit cards, UPI, and bank transfer. These payment aggregators include Amazon Pay, Razorpay, Paytm, Cashfree, PhonePe, GooglePay, etc.

The PMLA's definition of "payment system operator" is broad enough to include institutions that enable payment and settlement over the internet. The definition is distinct from the definition of "financial institution" in the Reserve Bank of India Act, 1934. The Reserve Bank of India (RBI) has come out with updated directions for payment aggregators covering know-your-customer (KYC) requirements, due diligence of merchants, and operations of escrow accounts. These directions update the RBI’s guidelines for regulating payment aggregators in 2020, 2021, and 2022.

In the draft directions, which amend the existing directions on PAs, the RBI has divided the PAs into two distinct categories:

(i) Online Payment Aggregators (PA-O): Such PAs primarily facilitate e-commerce transactions, excluding payments made upon the delivery of goods. Transactions facilitated by these would include online shopping and online ticket booking. 

(ii) Physical Point of Sale Payment Aggregators (PA-P): Such PAs primarily facilitate face-to-face payments and cater to merchants who carry out their operations in physical locations like retail shops and restaurants. PA-Ps are subject to KYC requirements, due diligence of merchants, and proper management of escrow accounts.

The first aspect of the draft directive relates to bank and non-bank entities providing physical PoS services. Banks providing PA-P services as part of their regular services do not need to seek authorization from the RBI. However, non-bank entities providing PoS services are required to seek authorization from the RBI within 60 days of the issuance of this circular. Further, existing non-bank PA-Os will need to seek approval from the RBI’s Department of Payment and Settlement within 60 days if they want to continue providing the services alongside their online activities. Moreover, non-bank entities providing PoS services are required to maintain a net worth of Rs. 15 crore at the time of application, increasing to Rs. 25 crore by March 31, 2028. If the entities fail to meet these thresholds, they will have to wind up their operations.

Categories of small and medium merchants:

Small merchants are physical merchants who primarily conduct face-to-face transactions with an annual turnover of less than Rs. five lakh, for instance small retail shops, street vendors, and local service providers. 

Medium merchants operate both physical and online channels with an annual turnover ranging from Rs. five lakh to Rs. forty lakh. These include medium-sized retail stores, restaurants with online ordering facilities, and local service providers with an online presence.

The draft guidelines provide meticulous procedures for KYC verification tailored to small and medium-sized merchants. For small merchants with an annual turnover below Rs 5 lakh and not registered under the Goods and Services Tax (GST), PAs are required to undertake Contact Point Verification (CPV) and verify the details of the bank account where funds are settled. For medium merchants with a turnover below Rs 40 lakh per annum and not GST registered, PAs must conduct CPV and obtain and verify Officially Valid Documents (OVDs) of both the proprietor and the business.

 

Moreover, the new directives implement stricter KYC compliance, mandating due diligence procedures for onboarding merchants, including contact point verification (CPV) and verification of Officially Valid Documents (OVDs). PAs have to maintain a check on merchant transactions, make sure that company standards are followed, and list the identities of the merchant and PA on payment systems. It is also important to follow wire transfer regulations, register with the Financial Intelligence Unit-India (FIU-IND), and use the right agent engagement frameworks.

OVDs include the passport, the driving license, proof of possession of the Aadhaar number, and a Voter Identity Card. Due diligence through the Video-based Customer Identification Process (V-CIP) will be allowed if the PA takes an agent’s help to facilitate the process only at the merchant end. PAs must maintain the details of these agents.

This due diligence must be completed by September 30, 2025, with quarterly compliance reports provided in the format prescribed by RBI. Entities providing PA-P services as of April 16, 2024 must complete the due diligence process within a period of 12 months from the date of submission of the application for PA authorization.


Additionally, starting on August 1, 2025, only card issuers and networks will retain card data for in-person transactions, indicating stricter data security protocols.

Another notable update pertains to escrow accounts: the same accounts will be allowed to be utilized for both online and physical point-of-sale activities, including funds from delivery versus payment transactions. This unified approach to escrow account management streamlines collection and settlement for both online (PA-O) and physical point-of-sale (PA-P) transactions. Previously, only PA-O activities were regulated, leaving offline merchants unaddressed. With the proposed regulations, all settlements can now be facilitated through a single escrow account, promoting consistency and adherence to regulatory standards.

The RBI guidelines on the obligations of Payment System Operators under PMLA, 2002, as amended by the Prevention of Money Laundering (Amendment) Act, 2009, are given in Annex-I and Annex-II. All Payment System Operators should have in place a proper policy framework on ‘Know Your Customer’, ‘Anti-Money Laundering’ and ‘Combating the Financing of Terrorism’ measures with the approval of their Board.


Happy reading

