Introduction
Updated by the RBI in March 2020 and its released framework regarding payment aggregators’ further continuation compliance. The regulator stated that the payment gateways now need to obtain a license and certification from the Payment Card Industry (Data Security Standard/ PCI DSS) to keep their merchant transactions as it is and smooth going.
After seeing the influence and imperative functions of these two intermediaries(Payment aggregators and payment gateways) in the payment space, RBI decided;
(a) to regulate in entirety the activities of PAs as per the guidelines in Annex 1, and
(b) provide baseline technology-related recommendations to PGs as per Annex 2.
This was done with the motive of securing the welfare of both ends — consumers and businesses.
What is payment aggregator licensing
Once a business sets up the payment aggregator along with the payment gateway, it could use it conveniently to transact payment without creating its own in-house payment system or opening a bank account with a bank or a credit card association. The ease of these two components paved the way for smooth monetary transactions.
However, to overcome the too much leniency in the payment network and supervise the integrity of such transactions, RBI came up with the Payment aggregator framework in which payment gateways have to obtain a verified license approval from the regulator to continue their normal functioning. Otherwise, they can also get penalties for not following RBI directions in other scenarios.
Steps to acquire a Payment Aggregator license
For payment aggregator license obtaining — there are two possible scenarios. Banks provide PA services as part of their everyday banking activities and do not require separate authorization from RBI. Only non-bank PA service providers need to obtain approval from RBI under the Payment and Settlement Systems Act, 2007 (PSSA). So we will only talk about the second part.
Documents for Obtaining a Payment Aggregator License
- Certificate of incorporation received from ROC.
- MOA & AOA
- PAN identification or address proof of the Directors.
- Directors’ DSC and DIN.
- Business address proof.
- Company’s five-year business plan
- PCI DSS certificate
- Bank statement for the last 12 months
- Last audited balance sheet of last two year
- Code testing report by a software agency.
Steps and conditions
- Minimum capital requirement net worth of 15 crores, which should be increased in 3 years to 25 crores, i.e., on or before March 31, 2023.
- System flow and code testing report necessary to obtain by software certifying agency
- PAs shall dissect information regarding merchant policies, customer grievances, privacy policies, and other terms and conditions on their website or apps.
- The Consolidated Foreign Direct Investment policy shall control business with Foreign Direct Investment (FDI).
- PAs must intend to appoint a Nodal Officer to handle customer grievances and should share his/her details on their website or apps.
- Payment aggregators should have adherence to PCI DSS compliances.
- Should Build safety measures and systems around Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines — also time to time upgradation shall be applicable.
Reapply for Payment aggregator licensing.
Due to non-compliance or not meeting some condition – your payment aggregator license application can get rejected. So in order to reapply, the firm must wait for 120 days until it confirms all the requirements for licensing.
Recently, RBI asked Paytm Payments Services Limited and PayU India to resubmit the application to continue as payment aggregators. The regulator set down a pause on the onboarding of merchants for both firms. Paytm Payments Services. Companies will only onboard new online merchants once approvals are pending.
IT checklist to get Payment Aggregator License
- Application process flow (needs to be submitted to RBI) – application process shall be based on the principle of least privilege and must be up-to-date and in line with the job responsibilities.
- Privacy – To avoid data and privacy exposure to external parties, appropriate controls must be considered. Even while outsourcing, clear all the checkpoints and conduct security audits.
- User Data security – it involves best practices and standards, like PCI-DSS, PA-DSS, latest encryption standards, protection of transport channels, etc. Moreover, it added that the Merchant site should not save customer cards and such related data. Merchant agreements shall have provisions for the security/privacy of customer data.
- Information Security Governance – To identify possible risk exposure, companies shall perform a security risk assessment of their people, IT, business process environment, etc. — external and internal security audits involved. Eventually, entities should also analyze remedial measures and nullify the impact to a greater extent.
- Secure payment processing systems – Firms should do merchant background checks and robustly analyze the merchant onboarding process to check whether merchants have any malafide intention of duping customers or selling fake/counterfeit/prohibited products, etc. The Merchant’s website should clearly indicate the terms and conditions of the service and the timeline for processing returns and refunds.
- Compliance – Payment applications should be built as per PA-DSS guidelines and must review PCI-DSS compliance status. Further, it can include Regular Security Incident Reporting, Cyber Security Audits, and Forensic Readiness.
- Privacy Policy & Terms & Conditions – Firms need to confirm that the merchant shall select encryption algorithms as per the international standards and which have been subjected to updated examination by an international community of cryptographers, professional bodies, reputable security vendors, or government agencies.
- Future Features & Updates info – The companies should also vow to update their external parties about their new features and updates in the product and services or the application.
- Risk Assessment – Firms should perform a risk assessment of each asset — its scope, and identify the threat/vulnerability combinations and the likelihood of impact on confidentiality, availability, or integrity.
FAQs
1. Why does a business require to get a payment aggregator license in India?
Payment aggregator licenses assist firms in processing and offering payment options with various payment instruments for their customers — it’s necessary to safeguard the welfare of the customers and businesses.
2. How do payment aggregators work?
Payment aggregators maintain the money balance of firms as a bank. This money can be further used for purchasing or selling assets and equity. The benefit is aggregators do not offer any interest like a bank and earn money in the form of a fee charge.
3. What is the difference between a payment gateway and a payment aggregator?
The payment gateway takes care of the technical side, i.e., transaction data and payment aggregators are the interfaces themselves. Both are needed for smooth payment systems. Read further here.
4. Types of businesses that can benefit from payment aggregators?
Any online business can benefit from a payment aggregator license. Some of the industries that use this form of payment include:
- Business to business (B2B).
- Business to Customer (B2C).
- Software.
- Services.
- Agency and many more.
How can we help!
Competing with compliance and various regulations can be a hazardous and challenging task. With ongoing regulatory updates, it is easy for businesses to get off track. An aggregator is an optimal solution when it comes to small businesses scaling further without heavy investment commitment for payment structure.
So be aware of mundane tasks and optimally use payment aggregators to increase your sales.
We at NBFC Advisory, with more than 8 years of experience — a team of professionals will plan your every move related to payment system setup, compliance, and licensing. We got you covered!
