44. Guidelines

Aditya Kulkarni
Published in Auth-n-Capture, Jul 30, 2020

Long ago, when I was a teenager with a curious mind… I asked my close friend, “What do we need to ride a bike?”. Without a second thought, he said, “We need a bike… just a bike”.

The answer made perfect sense at the moment, but later I realised that we need a license, bike insurance, knowledge of traffic rules and, most importantly, money to buy a bike.

What did we learn?

There are guidelines that apply across the whole spectrum of life… some mandated by governing or regulatory bodies and some self-imposed. A ‘red light’ at a signal means we should stop the bike; that’s by regulation. But if there is no cop at the signal and no traffic, and you still stop at the red light, that’s self-regulation.

Even Payments are no exception. In an earlier chapter, I briefly covered the impact of regulations on the payment industry. Today, we’ll talk more about the RBI.

The RBI (Reserve Bank of India) is India’s central bank… do not confuse it with the Central Bank of India (this is one more PSU Bank). The Preamble of the RBI describes the basic function of the RBI as:

to regulate the issue of Bank notes and keeping of reserves with a view to securing monetary stability in India and generally to operate the currency and credit system of the country to its advantage; to have a modern monetary policy framework to meet the challenge of an increasingly complex economy, to maintain price stability while keeping in mind the objective of growth

That is quite a mouthful… isn’t it? But in much simpler words, the RBI has 7 basic functions. Refer here

The focus of my blog will be on summarising various guidelines of RBI related to payments. Please note that these guidelines should always be read in their entirety. So I encourage you to read the guidelines completely but I’ll also summarise those for your quick reference.

Payments and Settlement Act of 2007

This is the main guideline that is followed by the payment aggregators (if they want to)… this is not one single document but rather multiple notifications, which need to be considered together to get the complete view. A few of the points of these directives:

  • Intermediaries (Payment Aggregators) should move money via a nodal account (collect money from acquiring banks/partners into the nodal account and then do merchant settlement). Also, do not keep funds in the nodal account for more than 3 working days
  • Follow Master KYC guidelines while on-boarding merchants

The RBI has more stringent guidelines for prepaid cards compared to those for Payment Aggregators. So the industry was more or less self-regulated (basically, everyone was expected to do the right thing when no one was watching them). No certification was required and there was nothing to report back unless you appeared on the RBI’s radar.

Along with the growth of digital payments, fraud increased as well. Hence, the RBI has to regulate various aspects of payments (mandatory OTP, data localisation, refunds etc.). So now, PGs (Payment Gateways) & PAs (Payment Aggregators) need to be regulated… thus, the RBI came up with a comprehensive (almost) set of guidelines in Mar’20.

Here are the 8 broad points:

  • Authorisation: Get an authorisation from RBI to run a PG or PA business
  • Capital requirement: You want to move the money for merchants? Then first, show the money. That is Rs.25Cr net worth
  • Due Diligence: On-board merchants after due diligence and follow Master KYC and AML guidelines
  • Security & fraud prevention: Follow the highest level of security, data protection and data localisation practices, along with PCI-DSS and PA-DSS compliance
  • Customer Grievance: Customer is important… safeguard them and address all end customer complaints/grievances… appoint a nodal officer
  • Fund movement via Escrow: PG/PAs can move funds via Escrow accounts instead of nodal accounts. (Original Guideline: single escrow account of one bank. Revision (Nov’20): two escrow accounts from 2 banks.) There is higher flexibility in terms of holding the funds in the escrow account (depending on confirmation, delivery and refund dates). Cherry on top: an opportunity to earn ‘interest’ on the non-core portion (if PA and Banks agree)
  • Governance: Bring in corporate governance in your own company
  • Reports: Different types of reports need to be submitted to the RBI on an annual, quarterly, monthly and non-periodic basis

All in all, these are great guidelines and I am sure these will be refined over a period to build a robust payment ecosystem.

Here are a few observations (again, only a few, but I can talk for hours on these guidelines):

  • Super small aggregators may not meet a few criteria, especially the capital requirement. So many such companies may morph into resellers to bigger aggregators
  • Only two escrow accounts, from two banks: PAs will not be able to take the benefit of working with multiple banks
  • If PAs earn interest on a non-core amount that was kept in escrow account then will the banks increase MDRs? (liabilities increased… isn’t it?)
  • ATM PIN cannot be used as 2FA for Card-not-present transactions (That’s bad for FSS, this model is not even big enough to have any impact…Hmm)
  • PAs cannot enforce transaction limits; only the bank/issuing entity should (not a good rule if PAs want to tighten the velocity checks)
  • Refund can go to a different source if the customer is fine with it — Refund to source via payout solutions (IMPS, NEFT, UPI, Visa Direct, Master Money send, wallet) may become popular
  • Card vault: This part keeps evolving. First, it said that only PA/PG can store cards and not marketplaces (e.g. Flipkart or Amazon), but later it was changed so that only banks can store the cards, not even PAs. Either the PAs and merchants can have a vault in a bank (literally) or move to tokenisation (which will take a long time to be ready). Time to adhere to the new card vault guidelines is the end of Dec’21.

A lot needs to be done to adhere to these guidelines… yes, there is plenty of time for that, as these guidelines will be in force in the coming months (Refer: guidelines for dates, which may change due to the COVID lockdown)

Here are some links to various guidelines that are applicable for payment sectors

The RBI has a great vision for digital payments… The RBI is very vocal (in written form) about its vision for this vast country & beyond… from time to time, the RBI publishes its vision documents. They are quite interesting and you will know what to expect in the near future… Here is the link

Special thanks to Shreya Sharma for helping me to simplify the guidelines
