The Reserve Bank of India (RBI) on Tuesday issued detailed regulatory guidelines for Payment Aggregators (PAs) and recommended baseline technology standards for Payment Gateways (PGs) in a bid to enhance safety, transparency, and resilience in the country’s fast-growing digital payments ecosystem.
In its notification titled “Guidelines on Regulation of Payment Aggregators and Payment Gateways,” the central bank clarified that PAs, being entities that handle funds, will be directly regulated, whereas PGs — treated as technology providers — are encouraged to follow the prescribed security recommendations voluntarily.
Under the new framework, non-bank PAs must obtain RBI authorisation under the Payment and Settlement Systems Act, 2007. Such entities must be incorporated in India and maintain a minimum net worth of ₹15 crore at the time of application, which must be increased to ₹25 crore by the end of the third financial year. This net worth must be maintained at all times thereafter.
Existing players may continue operations until their applications are processed, while banks offering PA services as part of their normal banking operations are exempt from seeking separate authorisation.
The RBI has also mandated that PAs must be professionally managed and comply with “fit and proper” criteria for promoters and directors. Any acquisition or change in management must be reported to the RBI within 15 days.
The guidelines require that agreements between PAs, merchants, and acquiring banks clearly define responsibilities, including dispute resolution, refund processes, and customer grievance redressal mechanisms. PAs must appoint a nodal officer to oversee compliance and grievance handling.
PAs are also required to conduct background checks on merchants to prevent fraud, counterfeit sales, or the listing of prohibited products. Merchants must adhere to the Payment Card Industry Data Security Standard (PCI-DSS).
Funds collected from customers must be kept in an escrow account with a scheduled commercial bank. PA operations must be ring-fenced from other businesses, and all settlements must be routed through the escrow mechanism to ensure transparency and timely payments.
The RBI has emphasised the need for robust risk management systems and strong IT security infrastructure. PAs must conduct mandatory annual security audits through CERT-In empanelled auditors and report any cyber incidents immediately to both RBI and CERT-In.
Further, the guidelines reiterate that neither PAs nor merchants are allowed to store customer card credentials. Refunds must be processed to the original payment method unless the customer explicitly opts for an alternative.
(ANI)