[By Shivam Tripathi]
The author is a fourth-year student of Maharashtra National Law University, Nagpur.
The global payments landscape is undergoing a fundamental transformation, and India is no exception. The Reserve Bank of India (“RBI”) notified the 2020 guidelines[i] governing Payment Aggregators (“PA”) and Payment Gateways (“PG”) (“Guidelines”). A PA is a service provider through which merchants can process their payment transactions, and a PG provides the technical support for securely transferring money from the customer’s bank account to the merchants’ payment portal. In the process, both PA and PG act as intermediaries facilitating online payment methods. Under the existing regime, governed by the Directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries, 2009[ii] (“2009 Direction”), the intermediaries have to maintain a nodal account in the form of an internal account; thus, PA and PG were not being directly governed by the RBI. The Guidelines recently issued by the RBI provide a structure to regulate every activity of the PA, along with recommendations regarding the maintenance of online data security of the customers.
Key Takeaways from the Guidelines
The Guidelines adopt a licensing method, under which no PA will be allowed to operate without prior authorization by the RBI. The key takeaways of these Guidelines are as follows. Firstly, they define PA[iii] and PG[iv], as the 2009 Directions only recognised the intermediary as a whole. Secondly, where an e-commerce marketplace provides services that are covered under the definition of PA, those services are to be separated from the marketplace. Thirdly, every PA seeking authorization under the Guidelines must be a registered company under the Companies Act 1956/2013. Fourthly, banks providing PA services as a part of their normal banking services need not acquire separate authorization. Lastly, all the entities governed under the Guidelines are to be managed professionally and are required to maintain an escrow account with one of the scheduled commercial banks. Additionally, all the entities must maintain a customer grievance redressal and dispute management framework. The Guidelines do not regulate the functioning of PG; however, they do provide for the protection of consumer information.
The Guidelines are a welcome step as they bring intermediary payment platforms under the direct control of RBI.[v] However, certain steps taken under the Guidelines might act as roadblocks rather than furthering effective implementation.
Regulating the Payment Gateway
The Guidelines distinguish between PA and PG, which leaves a chunk of entities outside the ambit of the Guidelines. Instead, the Guidelines should incorporate a method under which payment services[vi] are regulated. A similar method is adopted by Singapore[vii] and the European Union.[viii] The FAQ[ix] of the Payment Service Act, 2019 (Singapore) states that the scope of the Act also includes payment gateways. The European Union, under the Payment Service Directive (“the EU Directives”), also adopts a similar approach.[x] Such an approach enables the government to adopt a more comprehensive regulatory mechanism. However, in both these cases, an exception is carved out for entities providing purely technical support, for instance, privacy protection services, data processing services, communication network services, etc.
Whether registration under the Companies Act, 1956/2013 is necessary?
The Guidelines require any entity applying for a license/authorization to operate as a PA to be a registered company under the Companies Act 1956/2013,[xi] and the MOA of such a company should specify the proposed activity of operating as a PA. Such an approach acts as an impediment to attracting international payment service providers to India. Looking at foreign jurisdictions, Singapore has a similar requirement under the Payment Services Act. However, the FAQs released under the Payment Service Act, 2019 state that both local and foreign companies are permitted to apply for a licence under the legislative framework.[xii] On the other hand, the European Union Payment Services Directives do not contain any such requirement at all.
Third-Party Payment Service providers
The Guidelines leave a gap as to the regulations imposed on third-party payment service providers, which include payment initiation and account information services. These service providers access the customer’s security details through online banking, but as there is no legal framework governing third-party service providers, issues like breach of privacy may arise. Under the EU Directives, third-party payment services are also included. The Directives state that these providers will be governed by the same rules as other online payment service providers, i.e. registration, licensing, and supervision by the competent authorities.[xiii] Furthermore, the EU Directives also state that the banks have the duty to establish a safe and secure communication channel for transmission of data.[xiv] The banks will also be liable for maintaining the accounts and ensuring that there are no delays or incorrect payments. Additionally, to prevent leakage of any sensitive data, the EU Directive mandates that the third-party service provider should ensure that the information regarding the payment is conveyed only to the recipient and to no other party; furthermore, no sensitive data can be stored.
Approach for revised regulations
With ever-evolving technology, the traditional approach of “one size fits all” fails. Instead, the regulators should come up with a new, innovative approach to regulate the payment service sector. For instance, to determine the applicability of the Guidelines, the current regime focuses on the design of the entity, i.e. whether the entity is a payment aggregator or a payment gateway. Instead, the regulators should focus on performance standards. Performance standards specify an outcome, but leave the specific measures to achieve the outcome to the discretion of the regulated entity. Performance standards can better account for changes in the practices of regulated entities, empower innovation in compliance methods, and incentivize the developments that are occurring in the industry while ensuring that the regulatory goal is achieved.
Traditionally, policymakers faced certain issues while implementing performance standards, because earlier it was very difficult to test how the goal was met, owing to the information gap between the regulators and the industry. Additionally, regulators attempting to implement classical performance standards lacked the technical knowledge to be able to measure, monitor, and iterate the standard. However, as a result of advancements in technology, namely increases in data storage capacity, computing power, algorithmic design, and data acquisition capacity, such problems have been taken care of.[xv]
The industrial approach of conducting business has undergone drastic changes in the last decade. The industry has increased its data acquisition capability, data storage, computing power, and algorithmic design, which have enabled better insights into developing technology. Policymakers can use the same techniques, skills, and approach to transform the regulatory process of designing, implementing, and improving public policy and legislation in collaboration with stakeholders. Such an approach can be implemented through three different methods:
- The regulator works with the relevant advisory committee in the Payment Systems Market Expert Group to identify relevant pieces of dynamic performance data, which can be collected from all regulated entities and applied to a particular results-based goal.
- The regulator sets out a series of performance-based goals for regulated entities to aspire to. The entities determine how they can best achieve the said goals. The regulated entities must record their progress, using result-based data. These records must be regularly audited by the regulator. If the results of the report fall below a certain threshold, the regulator may use its enforcement authority.
- The regulator sets out a series of performance-based goals for regulated entities to meet. The regulated entities also determine how they can best achieve those goals. Creation of an internal independent auditor is suggested, which is subject to control by the regulator. The role of the internal auditor will also be subject to an annual review of its program.
Although the implementation of the Guidelines is a welcome step, some grey areas have been left open by RBI. For instance, the Guidelines do not provide a regulatory framework for a PG, and entities like third-party payment service providers are not covered under the Guidelines. Additionally, the approach to regulation does not fully utilize the advancements in technology in the market. In order to reap the maximum benefit from technological development in the banking sector, the regulatory approach should also be updated. Nonetheless, with the introduction of the Guidelines, the indirectly regulated intermediaries are brought directly under the control of RBI, thus ensuring customer protection and accounting of all online/electronic payments.
[i] Guidelines on Regulation of Payment Aggregators and Payment Gateways, Reserve Bank of India, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT17460E0944781414C47951B6D79AE4B211C.PDF.
[ii] Directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries, Reserve Bank of India, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/DOIPS241109.pdf.
[iii] Ibid at ¶1.1.1.
[iv] Ibid at ¶1.1.2.
[v] Neha Alawadhi, RBI formalises guidelines for regulating payment aggregators, gateways, Business Standard (Mar. 17, 2020), https://www.business-standard.com/article/economy-policy/rbi-formalises-guidelines-for-payment-aggregators-gateways-120031701767_1.html.
[vi] Payment Service Provider, can be defined as a third party that allows merchants to accept a wide variety of payments. It works with the acquiring bank to manage the entire transaction process from start to finish.
[vii] Laney Zhang, Singapore: Payment Services Act Passes, Regulating Cryptocurrency Dealing or Exchange Services, Library of Congress (Apr. 17, 2019), https://www.loc.gov/law/foreign-news/article/singapore-payment-services-act-passed-regulating-cryptocurrency-dealing-or-exchange-services/.
[viii] Payment Services, European Union, https://ec.europa.eu/info/business-economy-euro/banking-and-finance/consumer-finance-and-payments/payment-services/payment-services_en.
[ix] Payment Services Act 2019, Frequently Asked Questions, Monetary Authority of Singapore, https://www.mas.gov.sg/-/media/MAS/FAQ/Payment-Services-Act-FAQ-4-October-2019.pdf.
[x] Directive (EU) 2015/2366 of the European Parliament and of the Council, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32015L2366.
[xi] The Companies Act 2013, Ministry of Corporate Affairs, https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf.
[xii] Supra note 9, at question 16.
[xiii] Payment Service Directive 2, Frequently Asked Questions, European Union, https://ec.europa.eu/commission/presscorner/detail/en/QANDA_19_5555.
[xiv] Kati Meister, The Third-party Payment Service Provider – A newly-regulated player, Lexology (July 2, 2016), https://www.lexology.com/library/detail.aspx?g=2693c4b0-7ef5-41c6-93bb-35e551497939.
[xv] PayPal A Smart Step: Putting Innovation at the heart of payments regulations, https://www.ebaymainstreet.com/sites/default/files/PayPal-Payment-Regulations-Booklet-EU.pdf.