The digital payments ecosystem in India has seen excellent growth in the past few years. The term “Digital Payments” comprises different types of online payment systems and covers transactions done through Real Time Gross Settlement (RTGS), National Electronic Fund Transfer (NEFT), Immediate Payment Service (IMPS), Digital Wallets and Unified Payments Interface (UPI). Of these, Digital Wallets and UPI have amplified their operations in the wake of demonetization in November 2016.
Payment systems are not only the lifeline of an economy but are increasingly being recognized as a means of achieving financial inclusion and ensuring that economic benefits reach the bottom of the pyramid.
Regulating the payment and settlement systems in the country enables businesses, companies and consumers to manage their financial transactions and payments efficiently. Implementing fintech laws and regulations ensures the safety and security of the financial institutions providing these services and of the customers using them.
The term “FinTech” is short for “financial technology” and could apply to any kind of technology that is used to drive a financial transaction or service, offered by any entity. However, in business and regulatory jargon, FinTech has come to mean the technology used by financial service providers that disrupts the traditional way of providing such services. Thus, businesses such as PayTM, PhonePe, RazorPay, MobiKwik and PayU are all classified as fintech businesses.
Key Fintech Offerings
Some of the key services that are offered by FinTech companies broadly fall within the ambit of either Digital Payments or digital lending.
PPI – Prepaid Payment Instruments (“PPIs”) are instruments that facilitate the purchase of goods and services including financial services, remittances etc. against a stored value on such instruments. PPIs may be issued under one of the three categories –
- Closed system PPIs – They are issued by an entity to a holder to facilitate the purchase of goods and services from the issuer itself. An ideal example of this type of a system would be a brand-specific gift card.
- Semi-closed system PPIs – These are used for the purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations or establishments which have a specific contract with the issuer to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.
- Open system PPIs – These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc.
Each of these categories permits a different scope of transactions.
UPI Payments – UPI is a payment platform managed and operated by the National Payments Corporation of India (“NPCI”). UPI enables real-time, instant, mobile-based bank-to-bank payments. It primarily relies on mobile technology and telecom infrastructure to offer easily accessible, low-cost facilities to users. UPI-enabled payments constitute the majority of digital payment transactions in India.
Digital Lending – With advances in innovation, technology and telecommunications infrastructure, several Non-Banking Financial Companies (NBFCs) in India have moved to digital platforms for credit products, especially for retail and Small and Medium Enterprise (SME) customers. They have developed intuitive applications and websites to enable end-to-end digital customer journeys.
Payment Intermediaries/Aggregators and Payment Gateways – Payment intermediaries or aggregators are entities which simplify online sale and purchase transactions primarily on e-business platforms. They facilitate collecting electronic payments from customers and pool them and transfer them to the merchants. Payment Gateways provide technology infrastructure to route or facilitate processing of online payment transactions, without handling any funds.
P2P lending platforms – Peer-to-peer (P2P) lending platforms are online platforms that offer loan facilitation services between lenders registered on the platform and prospective borrowers. Under RBI regulations, P2P lending platforms may be operated by eligible Indian companies registered with the Reserve Bank of India (“RBI”) as NBFC.
Payment Banks – Payment banks are bodies authorized by the RBI to offer basic online banking services to their clients. They are allowed to accept small deposits (up to INR 100,000). However, they are not permitted to issue credit cards, give loans or offer any credit products.
Laws and Regulations
The RBI is the primary regulator for most Fintech activities in banking, payments and lending. The jurisdiction of other regulators may also get attracted, depending on the nature of the services being offered, including of the Securities and Exchange Board of India (“SEBI”) when dealing in the securities market, the Insurance Regulatory and Development Authority of India (“IRDAI”) for the insurance sector, as well as the Ministry of Electronics and Information Technology (“MEITY”) and the Ministry of Corporate Affairs (“MCA”), as may be applicable.
Regulations governing Digital Payments
PPIs are governed by the Master Direction on Issuance and Operation of Prepaid Payment Instruments (“Master Direction”), issued by the RBI by virtue of Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (“PSS Act”). PPIs can be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein. PPIs in the form of paper vouchers cannot be issued.
- All entities (both banks and non-banks), regulated by any of the financial sector regulators and seeking approval / authorisation from the RBI under the PSS Act, shall apply to Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai along with a ‘No Objection Certificate’ from their respective regulator, within 45 days of obtaining such clearance.
- Non-bank entities applying for authorisation shall be a company incorporated in India and registered under the Companies Act 1956 / Companies Act 2013.
- The Memorandum of Association (MOA) of the applicant non-bank entity shall cover the proposed activity of operating as a PPI issuer.
- Banks which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue semi-closed and open system PPIs, after obtaining approval from RBI.
- Non-bank entities which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue only semi-closed system PPIs, after obtaining authorization from RBI.
Capital and other eligibility requirements
- All non-bank entities seeking authorisation from RBI under the PSS Act shall have a minimum positive net-worth of Rs. 5 crore as per the latest audited balance sheet at the time of submitting the application. Thereafter, by the end of the third financial year from the date of receiving final authorisation, the entity shall achieve a minimum positive net-worth of Rs. 15 crore which shall be maintained at all times.
- Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.
- A non-bank entity desirous of setting up payment systems for issuance of PPIs shall apply for authorisation in Form A (available on RBI website) as prescribed under Regulation 3(2) of the Payment and Settlement Systems Regulations, 2008 along with the requisite application fees. The directors of the applicant entity shall submit a declaration in the enclosed format. RBI shall also check ‘fit and proper’ status of the applicant and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned without refund of the application fees.
- In addition to the compliance with the applicable guidelines, RBI shall also apply checks, inter-alia, on certain essential aspects like customer service and efficiency, technical and other related requirements, safety and security aspects, etc. before granting in-principle approval to the applicants.
- Subject to meeting the eligibility criteria and other conditions, the RBI shall issue an ‘in-principle’ approval, which shall be valid for a period of six months. The entity shall submit a satisfactory System Audit Report (SAR) to RBI within these six months, failing which the in-principle approval shall lapse automatically. SAR shall be accompanied by a certificate from the Chartered Accountant regarding compliance with the requirement of minimum positive net-worth of Rs. 5 crore. An entity can seek one-time extension for a maximum period of six months for submission of SAR by making a request in writing, to DPSS, Central Office, RBI, Mumbai, in advance with valid reasons. The RBI reserves the right to decline such a request for extension.
- Pursuant to receipt of satisfactory SAR and net-worth certificate, the RBI shall grant final Certificate of Authorisation. Entities granted final authorisation shall commence business within six months from the grant of Certificate of Authorisation failing which the authorisation shall lapse automatically.
- The Certificate of Authorisation shall be valid for five years unless otherwise specified and shall be subject to review including cancellation of Certificate of Authorisation.
- Any takeover or acquisition of control or change in management of a non-bank entity shall be communicated by way of a letter to the Chief General Manager, DPSS, RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes.
The issuers can issue two types of semi-closed PPIs based on the level of their Know Your Customer (“KYC”) compliance, that is to say, on the level of identification-related information provided by the user. The first type can be issued with minimum or limited KYC. The minimum KYC details include the customer’s mobile number verified through One-Time-Pin (OTP), and a self-declaration of name and a government identification number to authenticate the account.
The amount of funds loaded into this type of instrument during any month cannot exceed ten thousand rupees, and the total amount loaded during a financial year cannot exceed one lakh rupees. Only the purchase of goods and services is allowed; bank transfers and interoperability of the instrument are not permissible for PPIs with limited KYC compliance.
These minimum-detail instruments are mandatorily required to be converted within 18 months into full-KYC compliant, semi-closed PPIs. On the other hand, the full KYC-compliant PPIs, apart from allowing for purchase of goods and services, offer the option of ‘fund transfer back to the source’, bank account transfers as well as transfer to beneficiaries of up to one lakh rupees per month.
Prevention of Money Laundering
The entity operating a digital payment system is required to adhere to the RBI Master Direction on Know Your Customer (KYC), 2016 for customer identification. These Master Directions provide a sound framework for the prevention of money laundering, and since non-bank issuers are essentially in the business of operating a payment system, compliance with the Prevention of Money Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 framed thereunder is necessary.
Additionally, PPI issuers are required to maintain the log of all transactions for a period of ten years. This data shall be made available for scrutiny to RBI or any other agency / agencies as may be advised by RBI. PPI issuers are also required to file Suspicious Transaction Reports (STRs) to the Financial Intelligence Unit (FIU-IND).
Security of Payments
A strong risk management system is necessary for the PPI issuers to meet the challenges of fraud and ensure customer protection. PPI issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.
All PPI issuers shall put in place an information security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with this policy to mitigate identified risks. PPI issuers shall review the security measures (a) on an ongoing basis but at least once a year, (b) after any security incident or breach, and (c) before / after a major change to their infrastructure or procedures.
Some of the mandatory requirements to be followed by the private entities to prevent fraudulent transactions are:
- If the PPI issuer provides the same login for its wallet and its other services, this has to be clearly conveyed to the holder.
- Restrictions on multiple invalid attempts to log in have to be placed.
- Every payment transaction has to be authenticated through customer consent and alerts should be sent out for every transaction.
- Overall, a suitable mechanism has to be put in place for preventing, detecting and restricting occurrence of fraudulent transactions.
- Overall, stronger norms around customer protection and fraud prevention are going to increase customer confidence in digital payments, thereby increasing adoption and business.
- As per the norms, a ‘cooling period’ for fund transfer is also a requisite whenever a new PPI account is opened, freshly loaded or a new beneficiary is added. In that time, alerts are sent to the customers to review the new additions and prevent erroneous transactions.
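The load limits for limited-KYC PPIs described above (ten thousand rupees per month, one lakh per financial year, no fund transfer) and the fraud controls in this list (a restriction on repeated invalid logins, a transaction alert for every event, and a cooling period before a newly added beneficiary can be paid) are the kind of rules an issuer enforces in wallet code. The following is an added illustration, not code from the article or from any PPI issuer. The rupee figures are taken from the text; the lockout threshold of five invalid attempts and the 24-hour cooling period are assumptions, since the Master Direction as summarised here only requires that such a restriction and such a period exist. The Indian financial year (1 April to 31 March) is used for the yearly cap, which is what makes the yearly check different from a plain calendar-year sum.

```python
# Added illustrative example (not code from the article or any PPI issuer).
# Models three controls from the text: load caps for limited-KYC PPIs, a lockout
# after repeated invalid logins, and a cooling period for new beneficiaries.
# Values marked "assumed" are not fixed by the text.
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

LIMITED_KYC_MONTHLY_LOAD_CAP = 10_000    # INR, from the text
LIMITED_KYC_FY_LOAD_CAP = 100_000        # INR per financial year, from the text
FULL_KYC_MONTHLY_TRANSFER_CAP = 100_000  # INR per month to beneficiaries, from the text
MAX_INVALID_LOGINS = 5                   # assumed: text only requires "a restriction"
BENEFICIARY_COOLING_PERIOD = timedelta(hours=24)  # assumed duration


def financial_year_start(d: date) -> date:
    """Indian financial year runs 1 April to 31 March."""
    return date(d.year if d.month >= 4 else d.year - 1, 4, 1)


def _month_total(entries, on: date) -> int:
    return sum(a for d, a in entries if (d.year, d.month) == (on.year, on.month))


def _fy_total(entries, on: date) -> int:
    return sum(a for d, a in entries if financial_year_start(d) == financial_year_start(on))


@dataclass
class PpiWallet:
    kyc_level: str                                     # "limited" or "full"
    loads: list = field(default_factory=list)          # (date, amount)
    transfers: list = field(default_factory=list)      # (date, amount)
    beneficiaries: dict = field(default_factory=dict)  # id -> datetime added
    invalid_logins: int = 0
    locked: bool = False
    alerts: list = field(default_factory=list)         # one customer alert per event

    def load(self, amount: int, on: date) -> bool:
        """Reject a load that would breach the monthly or financial-year cap."""
        if amount <= 0:
            return False
        if self.kyc_level == "limited":
            if _month_total(self.loads, on) + amount > LIMITED_KYC_MONTHLY_LOAD_CAP:
                return False
            if _fy_total(self.loads, on) + amount > LIMITED_KYC_FY_LOAD_CAP:
                return False
        self.loads.append((on, amount))
        self.alerts.append(f"{on}: loaded INR {amount}")
        return True

    def login(self, credentials_ok: bool) -> bool:
        """Count invalid attempts and lock the wallet once the threshold is reached."""
        if self.locked:
            return False
        if credentials_ok:
            self.invalid_logins = 0
            return True
        self.invalid_logins += 1
        if self.invalid_logins >= MAX_INVALID_LOGINS:
            self.locked = True
            self.alerts.append("wallet locked after repeated invalid login attempts")
        return False

    def add_beneficiary(self, beneficiary_id: str, at: datetime) -> None:
        """Register a beneficiary; transfers to it are held for the cooling period."""
        self.beneficiaries[beneficiary_id] = at
        self.alerts.append(f"{at.isoformat()}: beneficiary {beneficiary_id} added, review if unexpected")

    def transfer(self, beneficiary_id: str, amount: int, at: datetime) -> bool:
        """Fund transfer: full-KYC only, after the cooling period, within the monthly cap."""
        if self.kyc_level != "full" or amount <= 0:
            return False  # limited-KYC PPIs allow purchases only
        added = self.beneficiaries.get(beneficiary_id)
        if added is None or at - added < BENEFICIARY_COOLING_PERIOD:
            return False  # unknown beneficiary, or still inside the cooling period
        if _month_total(self.transfers, at.date()) + amount > FULL_KYC_MONTHLY_TRANSFER_CAP:
            return False
        self.transfers.append((at.date(), amount))
        self.alerts.append(f"{at.isoformat()}: transferred INR {amount} to {beneficiary_id}")
        return True


def run_scenario() -> dict:
    """Constructed walk-through of the controls; returns each decision by name."""
    limited, full = PpiWallet("limited"), PpiWallet("full")
    t0 = datetime(2024, 6, 1, 9, 0)
    full.add_beneficiary("acct-1", t0)
    results = {
        "load_6000_mar": limited.load(6_000, date(2024, 3, 20)),
        "load_5000_mar_over_month": limited.load(5_000, date(2024, 3, 25)),
        "load_4000_mar": limited.load(4_000, date(2024, 3, 25)),
        "limited_transfer": limited.transfer("acct-1", 100, t0),
        "transfer_inside_cooling": full.transfer("acct-1", 500, t0 + timedelta(hours=2)),
        "transfer_after_cooling": full.transfer("acct-1", 500, t0 + timedelta(hours=25)),
        "transfer_over_month_cap": full.transfer("acct-1", 99_501, t0 + timedelta(hours=26)),
        "transfer_up_to_cap": full.transfer("acct-1", 99_500, t0 + timedelta(hours=26)),
    }
    for m in range(4, 13):  # Apr to Dec 2024: nine loads of 10,000 in FY 2024-25
        limited.load(10_000, date(2024, m, 1))
    results["load_jan_reaches_fy_cap"] = limited.load(10_000, date(2025, 1, 1))
    results["load_feb_over_fy_cap"] = limited.load(1, date(2025, 2, 1))
    results["load_apr_new_fy"] = limited.load(1, date(2025, 4, 1))
    for _ in range(MAX_INVALID_LOGINS):
        full.login(False)
    results["login_after_lockout"] = full.login(True)
    return results
```

Running `run_scenario()` shows the March loads stopping at exactly 10,000 for the month, the April 2025 load succeeding because a new financial year has begun even though the calendar year has not, and the second transfer to a fresh beneficiary being refused inside the cooling window while the alert log records the addition for the customer to review. In a production wallet the alert list would be a notification channel and the lockout would be cleared only through a verified recovery flow.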
The ability of customers to use a set of payment instruments seamlessly with other users within the segment is based on the adoption of common standards by all providers of these services so as to make them interoperable. Accordingly, interoperability is being implemented in phases:
- In the first phase, PPI Issuers (both bank and non-bank entities) shall make all KYC-compliant PPIs issued in the form of wallets interoperable amongst themselves through Unified Payments Interface (UPI) within 6 months from the date of issue of the Master Direction. With Prepaid Payment Instruments (PPIs) – Guidelines for Interoperability released by the RBI in 2018, an attempt has been made to make the digital wallets operable with each other.
- In subsequent phases, interoperability shall be enabled between wallets and bank accounts through UPI.
- PPI Issuers shall ensure adherence to the technical and operational requirements for such interoperability, including those relating to safety and security, risk mitigation, etc.
UPI was developed by the NPCI and was launched in 2016. It facilitates inter-bank transactions in real time, processed either on the web or on a mobile platform. It also caters to the “Peer to Peer” collect request, which can be scheduled and paid as per requirement and convenience.
How is it unique?
- Immediate money transfers through a mobile device round the clock, 24x7, 365 days a year.
- Single mobile application for accessing different bank accounts.
- Single Click 2 Factor Authentication – Aligned with the Regulatory guidelines, yet provides for a very strong feature of seamless single click payment.
- Virtual address of the customer for Pull & Push provides for incremental security with the customer not required to enter the details such as Card no, Account number; IFSC etc.
- Merchant Payment with Single Application or In-App Payments.
- Utility Bill Payments, Over the Counter Payments, Barcode (Scan and Pay) based payments.
- Raising Complaint from Mobile App directly.
For the functioning of UPI, the NPCI has issued the Unified Payment Interface Guidelines. These guidelines are framed under the provisions of the Payment and Settlement Systems Act, 2007. They are binding in nature and hence every member of UPI has to abide by them.
The Payment Service Provider/member should be an entity regulated by the RBI under the Banking Regulation Act, 1949 and should be authorized by the RBI to provide mobile banking services.
The member should comply with the Procedural Guidelines, certification requirements and efficiency and risk guidelines issued by NPCI from time to time.
Lastly, the bank should be live on Immediate Payment Service (IMPS).
Once a UPI-enabled bank agrees, the entity can build its application on the bank's PSP (Payment Service Provider), commonly known as a third-party application. The partner banks bear the entire financial and operational liability for these applications.
Client data should be maintained by the banks, and the merchant app should not have access to it. Payment-sensitive data and credentials should by no means reach these merchant apps and should exist only within the bank's UPI system. This places accountability on the bank for the proper functioning of the apps and for ensuring that the application supports all versions of Android and iOS.
These NPCI guidelines also give clients the freedom to download any application they want. Clients can have two applications on a single device, and no application should obstruct the working of the other while being installed, operated or used for any function.
Existing members can be suspended or terminated from undertaking these functions at any time by the NPCI if the member fails to comply with any UPI or NPCI product, the NPCI procedural guidelines for UPI, or any provisions laid down by the RBI or NPCI. Membership can further be terminated if the member's RTGS account with the RBI is suspended. Moreover, where a member bank is amalgamated or merged with another member bank, the membership is terminated or suspended. Lastly, if the RBI withdraws its approval of the mobile application, the member also ceases to be a member.
Obligation of PSP
Considering the sensitivity of these transactions, the NPCI imposes certain requirements on the Third Party Application Provider (TPAP) as well as on the PSPs that must be fulfilled to enable such transactions. Before initiating operations, the TPAP is mandated to seek written permission from the NPCI and is required to give the names of the participating banks. The responsibility of the participating banks is immense, as they are primarily responsible for providing security against any kind of breach of customer data that could happen through the third-party apps. As the responsibility for storing payment-sensitive customer data lies with the PSP, it must perform an audit of the TPAP's infrastructure to ensure that the integrity of such data is maintained and that the functioning of the app is secure. Along with the TPAP, the PSPs are also responsible for addressing consumer complaints.
PSP should conduct due diligence on the potential technology service provider before selecting and entering into any form of outsourcing relationships. A bank should conduct an in-depth assessment of the third party’s ability to perform the said activities in compliance with all applicable laws and regulations and in a safe and sound manner. The PSP should consider the following during due diligence: a) Legal and Regulatory Compliance b) Financial Condition c) Business Experience and Reputation d) Qualifications, Backgrounds, and Reputations of Company Principals e) Risk Management f) Information Security g) Incident-Reporting and Management Programs h) Business Continuity Program.
Obligations of TPAP
The obligation on the third parties is to store only that customer data to which the customers have given their consent. A record of details like customer’s name, mobile number, gender, email id etc. can only be in an encrypted format and all the information exchange between the third party and the bank is to be done through a secure channel. As a caveat, it has also been provided that the third party shall not share the details of individual transactions with any other third party, including their holding company or subsidiary and the Indian Government or Intelligence without the prior consent of the PSP and NPCI.
Payment Gateways and Payment Aggregators
The RBI, vide its Circular dated March 17, 2020, has issued the ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ (the “Guidelines”), through which the RBI has decided to (a) regulate in entirety the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways.
Payment aggregators (“PAs”) are entities that enable e-commerce sites and merchants to accept various payment instruments from customers for completion of their payment obligations, without the need for merchants to create a separate payment integration system of their own. PAs enable merchants to connect with acquirers. In the process, they receive payments from customers, pool them and transfer them on to the merchants after a time period.
Payment gateways (“PGs”) are entities that provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in the handling of funds.
The Guidelines have been issued to regulate in entirety the activities of payment aggregators. In this regard, the RBI has also mandated payment aggregators to adopt the technology-related recommendations provided in the Guidelines. While the RBI has clarified that the domestic leg of import and export related payments facilitated by payment aggregators shall also be governed by these Guidelines, these Guidelines will not regulate Cash on Delivery (COD) payments.
The RBI, as a measure of good practice, has stated that PGs may adhere to the baseline technology-related recommendations provided in the Guidelines.
The Guidelines provide that any entity seeking to make an application for authorization must be a company incorporated in India under the Companies Act 1956/ 2013 and shall ensure that the business activity of operating as a PA is covered under the scope of its memorandum of association.
Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. Non-bank PAs shall require authorisation from RBI under the PSS Act.
E-commerce marketplaces providing PA services shall not continue this activity beyond the deadline prescribed i.e. June 30, 2021. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation.
PGs shall be considered ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be. In the case of a bank PG, the guidelines issued by the Reserve Bank of India, Department of Regulation (DoR), vide its circular on ‘Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks’ and other follow-up circular(s) shall also be applicable.
PAs existing as on March 17, 2020 are required to achieve a net-worth of INR 15 crore by March 31, 2021, and a net-worth of INR 25 crore on or before March 31, 2023, which must be maintained at all times thereafter.
New PAs need to have a minimum net-worth of INR 15 crore at the time of application for authorisation and a net-worth of INR 25 crore by the end of third financial year of grant of authorization, which must be maintained at all times thereafter.
Non-bank PAs are required to annually submit a certificate to the RBI evidencing compliance with the applicable net-worth requirement.
Lastly, the Guidelines require that the net-worth consist only of paid-up equity capital, preference shares that are compulsorily convertible to equity (“CCPS”), free reserves, balance in the share premium account and capital reserves representing surplus arising out of sale proceeds of assets (but not reserves created by revaluation of assets), adjusted for accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any. In this regard, the CCPS can be either non-cumulative or cumulative, and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time.
PAs shall submit a certificate in the specified format from their Chartered Accountants to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.
The Guidelines provide a comprehensive governance framework for PA, key elements of which have been summarised below:
- PAs should be professionally managed. To this end, promoters of the PA entity shall need to satisfy the fit and proper criteria prescribed by the RBI. The RBI shall also check the ‘fit and proper’ status of the applicant entity and management by obtaining inputs from other regulators, government departments, etc., as deemed fit.
- Any takeover or acquisition of control or change in management of a non-bank PA shall need to be promptly communicated to the RBI, in order to ensure compliance with the fit and proper criteria of the management.
- PAs will now have to enter into direct agreements with all merchants, acquiring banks and other stakeholders, which will need to delineate the roles and responsibilities of the involved parties in sorting/ handling complaints, refund/ failed transactions, return policy, customer grievance redressal (including turnaround period), dispute resolution mechanism and reconciliation etc.
- PAs will need to have a Board approved policy for disposal of complaints/ dispute resolution mechanism/ timelines for processing refunds etc. as per the RBI instructions on Turn Around Time for resolution of failed transactions.
- PAs are required to appoint a nodal officer responsible for regulatory and customer grievance handling functions.
- Non-bank PAs shall maintain the amount collected by them in an escrow account with any scheduled commercial bank. An additional escrow account may be maintained with a different scheduled commercial bank at the discretion of the PA. For the purpose of maintenance of escrow account, operations of PAs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSS Act.
- Amounts deducted from the customer’s account shall be remitted to the escrow account maintaining bank on Tp+0 / Tp+1 basis. The same rules shall apply to the non-bank entities where wallets are used as a payment instrument.
- Final settlement with the merchant by the PA shall be effected as under:
  - Where the PA is responsible for delivery of goods / services, the payment to the merchant shall be made not later than on a Ts + 1 basis.
  - Where the merchant is responsible for delivery, the payment to the merchant shall be made not later than on a Td + 1 basis.
  - Where the agreement with the merchant provides for the PA keeping the amount till expiry of the refund period, the payment to the merchant shall be made not later than on a Tr + 1 basis.
- All credits for reversed and refund transactions shall be routed back through the same escrow account, unless the merchant is responsible for managing refunds under the merchant agreement and the customer is aware of this arrangement. The Guidelines list out the permissible credits into and debits from the escrow account. No interest shall be payable by the bank on balances maintained in the escrow account, except under certain circumstances outlined in the Guidelines. Importantly, the escrow account cannot be operated for ‘cash-on-delivery’ transactions, and settlement of funds with merchants must not be co-mingled with other business, if any, handled by the payment aggregator.
- All PAs shall submit a certificate signed by the auditor to the regional office of the RBI where the registered office of the PA is situated, certifying that they have been maintaining the balance in the escrow account in compliance with the Guidelines.
Applicability of KYC/ AML/ CFT provisions
The KYC, anti-money laundering (AML)/ combating financing of terrorism (CFT) guidelines issued by RBI shall apply to all entities, along with Prevention of Money Laundering Act, 2002 and Rules framed thereunder.
Security, fraud prevention and risk management framework
All PAs are required to put in place adequate information and data security infrastructure and systems for the prevention and detection of frauds, aligned with a Board-approved information security policy for the safety and security of the payment systems operated by them. To this end, PAs are required to comply with the data storage requirements applicable to payment system operators, which also include obligations pertaining to data sovereignty.
PAs have additionally been directed not to store any customer card credentials within their database or server, which can be accessed by the merchant.
PGs have been considered ‘technology providers’ or ‘outsourcing partners’ of banks and non-banks, as the case may be, and have been advised to adopt the baseline technology-related recommendations provided in the Guidelines. To this end, PGs may wish to adhere to the prescribed minimum standards in order to remain at par with the IT and security standards adopted by non-bank PAs and other stakeholders in the digital payment ecosystem.
Bank PGs are further subject to the RBI Guidelines on ‘Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks’.
The content of this article is for information purposes only, does not constitute advice or a legal opinion, and represents the personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer to relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before acting on the basis of the above write-up. The possibility of other views on the subject matter cannot be ruled out. By the use of the said information, you agree that the Author / Treelife is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions in this piece of information for any action taken thereof.
Last Updated on: 8th December 2023, 08:26 pm