On April 16, the RBI dropped a press release that could significantly alter the regulatory approach towards payment aggregators or ‘PAs’. The RBI press release has introduced two new guidelines:
- Draft Offline PA Guidelines: regulation for offline PAs, and
- Draft PA Amendments: amendments to existing PA guidelines.
Before we proceed, let us understand what PAs are and what they do. Any payment involves multiple parties – a buyer, buyer’s issuing bank (where the buyer maintains her/his bank account), seller, seller’s acquirers (who onboard sellers on a payment ecosystem like card network), payment intermediaries, etc. A PA is a payment intermediary. PAs act as a bridge between merchants (who provide services, including marketplaces like e-commerce platforms) and customers (who avail products and services). Let us break this down: You go to Myntra, zero-in on a pair of Levi’s jeans, add it to your cart. Now, you need to make a payment and notice that Myntra has multiple payment options - UPI, credit card, debit card, wallets, pay later, net banking. After much thought, you choose UPI and pay. How is Myntra able to give its customers so many payment options? Is Myntra separately integrated with NPCI, each wallet-issuer, each issuing bank and acquirer? No, likely not – here’s where PAs come in. They partner with payment system providers to offer different payment options to buyers, eliminating the need for merchants to do so. They also partner with merchant’s acquirers, collect payments from users, pool it in their escrow account and settle it to merchants. PAs, in short, are in the business of moving money.
PAs are of two kinds: online and offline. Online PAs facilitate non-face-to-face e-commerce payments (illustrated above) on websites like Myntra. Until now, the PA Guidelines only regulated online PAs. The RBI has now proposed to regulate offline PAs (this has been on the RBI’s radar since 2022). Let us understand what offline PAs are. You now go to a Levi’s store to buy jeans instead of buying it from Myntra. You tell the cashier that you will pay by UPI – the cashier shows you a point-of-sale (PoS) device. The device has a UPI QR code. You scan the QR code and pay.
The PoS machine facilitates payments through varied payment modes like cards, UPI and wallets. The operators of such PoS devices and other similar tools that facilitate face-to-face payments are offline PAs. The Draft Offline PA Guidelines require all non-bank entities (including online PAs) to get RBI’s authorisation to start/continue their offline PA business. Existing offline PAs should comply with the PA Guidelines within 3 months of the Draft Offline PA Guidelines being notified.
The RBI has also proposed changes on permissible debits from PA’s escrow account and storage of card transaction data - we have covered these (along with other key highlights of the Draft PA Amendments and Draft Offline PA Guidelines) in our LinkedIn post here. In this edition, we will focus on one key change proposed under the Draft PA Amendments: KYC.
The Draft PA Amendments require PAs to KYC merchants (even existing ones within the specified timelines) as per the standards given under the RBI KYC Master Directions. A relaxation is given for small and medium merchants – (i) for small merchants (turnover of less than INR 5 Lakh per annum), PAs must do contact point verification (CPV) of the business and verify the merchant’s bank account in which funds will be settled; (ii) for medium merchants (turnover of less than INR 40 Lakh per annum), PAs must conduct CPV and verify an officially valid document (OVD) of the business and its beneficial owner. The Draft PA Amendments also prohibit PAs from settling funds to any accounts which are not merchant-owned.
The Draft PA Amendments tighten PA’s obligations on transaction monitoring too: PAs must monitor merchants’ transactions on an ongoing basis. Based on such monitoring, PAs must enhance KYC and due diligence checks if required. PAs must check that merchants’ transactions are in line with their business profile (for instance, if the merchant has described itself as an online ticketing platform, it should not receive and settle payments for gaming transactions). PAs should also set risk-based payment limits for merchants.
The USP of most new-age PAs is the quick onboarding of merchants. PAs do minimal KYC of merchants by taking comfort in the merchant settlement bank account already being KYC-ed. This will change if the Draft PA Amendments on KYC are implemented.
We imagine a debate between two opposing sides on this aspect would look like this:
For (an RBI official): PAs onboard merchants on the payment ecosystem. They have the direct interface with merchants, and hence the ability to monitor merchants and their transactions. So, they are the gatekeepers and first line of defence against fraudulent merchants. They also have ground-level visibility to catch risky transactions.
So far, we allowed PAs to skip KYC if they settled funds to already KYCed account of merchants. Lately, however, we have realised that the system is not working so well. Take the Chinese lending and betting apps scrutinized by the enforcement directorate as an example. The investigations revealed that the apps leveraged PA services for their operations. They collected and laundered funds earned (through the platforms) using mule accounts opened in names of several shell companies. They eventually converted funds to cryptocurrency and remitted it offshore against made-up purchases of software, foreign currency, etc. The PAs were unable to help the law enforcement agencies to trace the flow and end-beneficiary of the funds – primarily because of lax KYC of the mule accounts where funds were settled.
As a regulator, our main concern is to protect customers and intercept the bad actors who might be using PAs as a means to meet their (non-compliant) ends. We believe that if PAs do KYC, they can weed out the bad actors before it’s too late. Because even if a shady digital lender or a gambling platform opens a bank account, it can dupe customers (at scale) only if it avails PA services to collect online payments.
Against (a PA): We only settle amounts in KYCed bank accounts of merchants. We must now re-do full KYC of the merchants when banks have already completed their KYC once. We are also required to undertake CPV of small and medium merchants – does this mean we need to hire personnel to physically visit the merchant’s store for verifying their details? That sounds expensive and cumbersome. Are we required to collect OVDs of businesses? What would that be? The RBI KYC Master Directions define what OVDs of individuals are but are silent on what they are for businesses – we’d like some clarity on that. The last thing we want to be in is a regulatory soup. Also the RBI deleted the provision in PA Guidelines that allows us to settle to ‘any other account’ upon merchant’s instructions. Does it mean we can’t offer the split settle feature – where out of total settlement amount (for a good/service sold through a marketplace), we settle the commission to the marketplace and the balance amount to the sellers (of the goods/services), delivery service providersand other participants on the marketplaces? It will be a logistical nightmare – we must brace ourselves for a lot of merchant drop-offs. Above all, we are worried about the proposed norms hampering our digitization efforts and financial inclusion of small and medium merchants. These merchants may opt-out of PA services if the services are costly or if they find the onboarding process cumbersome. We urge the RBI to re-consider some of these requirements. For instance, instead of a bank-grade KYC for merchants, the RBI must consider introducing light-touch KYC norms.
Reportedly, the Draft PA Amendments will slow down the onboarding process for online merchants by 90%. Industry insiders estimate that the timelines for completion of merchant onboarding will increase from few hours/ days to few weeks. The immediate cost impact to conduct KYC checks is estimated to be somewhere between INR 40-50 crore. Smaller sellers on e-commerce platforms might find the onboarding process too cumbersome and switch to bank transfers, UPI or cash.
Regardless of which side you are on, if you have thoughts on the Draft Offline PA Guidelines or Draft PA Amendments which you think must reach the RBI’s ears, you might want to mark 31 May 2024 – the deadline for submitting your comments on the draft directions to the RBI – on your calendar.
(This post has been authored by the fintech team at Ikigai Law. It was originally published in the May 2024 edition of our monthly fintech newsletter, FinTales.)
