Context

The Reserve Bank of India (RBI) is taking significant steps to regulate offline payment aggregators (PAs), aiming to fortify the safety and integrity of financial transactions within India's burgeoning digital payment landscape. The latest draft regulations, unveiled in response to evolving market dynamics, seek to extend existing guidelines to encompass offline transactions, particularly those conducted in physical proximity or face-to-face scenarios. By soliciting feedback through consultation papers and inviting stakeholders to contribute their insights until May 31, the RBI demonstrates its commitment to fostering a robust regulatory framework that adapts to the changing needs of the industry.

Regulatory Expansion for Offline Payment Aggregators

Payment aggregators play a pivotal role in streamlining transactions between customers and merchants, offering a seamless payment experience while alleviating the burden of developing individual payment integration systems for merchants. Traditionally focused on online platforms, these entities are now facing regulatory scrutiny regarding their operations in offline spaces. Recognizing the similarities in the nature of activities conducted by PAs across both online and offline domains, the RBI aims to establish cohesive regulation that ensures consistency and convergence in standards of data collection, storage, and transaction oversight.

The proposed regulations stem from the RBI's observation that extending the regulatory purview to offline PAs is essential for harmonizing the regulatory landscape and addressing potential gaps in oversight. By incorporating lessons learned from recent crises, such as the Paytm Payments Bank (PPBL) debacle, the RBI underscores the imperative of bolstering the ecosystem's resilience against operational irregularities and compliance breaches. The PPBL crisis, characterized by lapses in KYC adherence and involvement in illicit activities like online gambling, serves as a cautionary tale, prompting the RBI to proactively enhance regulatory safeguards.

Authorization Requirements and Compliance Framework

One of the key aspects of the draft regulations pertains to the authorization process for non-bank PAs operating in offline capacities. While banks providing physical PA services are exempt from seeking separate authorization, non-banking entities engaged in point-of-sale (PoS) activities must adhere to a structured approval-seeking timeframe outlined by the RBI. Failure to comply with the stipulated deadlines could result in regulatory repercussions, necessitating the cessation of operations for entities unable to meet the prescribed requirements.

The RBI's directives emphasize the importance of adherence to established guidelines on merchant onboarding, customer grievance redressal, technology infrastructure, security protocols, and risk management frameworks. Existing entities must swiftly align their operations with the revised standards, while prospective entrants into the PA space must demonstrate their commitment to regulatory compliance from the outset. By imposing stringent authorization criteria and compliance deadlines, the RBI aims to foster a culture of accountability and responsibility among payment aggregators, safeguarding the interests of consumers and merchants alike.

Sustainability Provisions and Financial Prerequisites

In a bid to promote financial stability and sustainability within the PA ecosystem, the RBI has proposed minimum net worth requirements for both existing operators and new entrants. Non-banking entities providing proximity/face-to-face transaction services must meet specified net worth thresholds, with incremental increases mandated over time to bolster financial resilience. These provisions underscore the RBI's emphasis on fostering a robust and resilient financial infrastructure capable of withstanding systemic shocks and safeguarding against operational risks.

Furthermore, the RBI has outlined stringent timelines for non-compliant entities to wind up their operations, ensuring a phased transition towards regulatory compliance. Banks providing PA services are also subject to scrutiny, with the RBI mandating the closure of accounts for entities failing to demonstrate evidence of authorization applications. By enforcing financial prerequisites and delineating clear timelines for compliance, the RBI seeks to instill confidence in the regulatory framework while promoting the long-term sustainability and integrity of the PA ecosystem.

Enhanced Know Your Customer (KYC) Requirements

Recognizing the critical importance of robust KYC processes in mitigating fraud and enhancing transaction security, the RBI has proposed comprehensive KYC requirements for merchants onboarded by PAs. The regulations categorize merchants based on their business turnover, delineating specific verification procedures tailored to their respective risk profiles. Small and medium merchants are subject to distinct KYC protocols, encompassing physical verification, documentation validation, and transaction monitoring mechanisms.

Moreover, PAs are tasked with implementing risk-based payment limits for merchants, thereby mitigating the potential for fraudulent activities and unauthorized transactions. By leveraging technology and data analytics, PAs can proactively identify and mitigate emerging risks, ensuring the integrity and security of the payment ecosystem. The proposed KYC enhancements underscore the RBI's commitment to fortifying the regulatory framework against evolving threats and vulnerabilities, reinforcing trust and confidence in digital payment systems.

Data Storage and Transaction Security

In a significant move aimed at enhancing transaction security and protecting consumer data, the RBI has mandated stringent guidelines governing the storage of card data by payment aggregators. From August 1, 2025, only card issuers and card networks will be authorized to store transaction data, with all other entities required to purge previously stored data. To facilitate transaction tracking and reconciliation, payment aggregators will be permitted to retain limited data, including the last four digits of card numbers and issuer information.

By restricting data storage to authorized entities and implementing robust data purging mechanisms, the RBI seeks to minimize the risk of data breaches and unauthorized access to sensitive financial information. These measures underscore the RBI's proactive stance on data privacy and cybersecurity, aligning with global best practices and regulatory standards. By prioritizing transaction security and data integrity, the RBI aims to foster a trusted and resilient digital payment ecosystem that safeguards the interests of all stakeholders.

Conclusion

The RBI's draft regulations for offline payment aggregators represent a proactive and comprehensive approach to enhancing the safety, integrity, and resilience of India's digital payment landscape. By extending regulatory oversight to encompass offline transactions, strengthening KYC requirements, imposing authorization criteria, and enhancing data security protocols, the RBI underscores its commitment to fostering a robust and sustainable payment ecosystem. As stakeholders engage in the consultation process and provide feedback, the regulatory framework is poised to evolve further, ensuring that India's digital payment infrastructure remains at the forefront of innovation while upholding the highest standards of security and consumer protection.