Skip to main content

RBI Guidelines for Payment Aggregators & Payment Gateways


The Reserve Bank of India (RBI) provides a structured framework for Payment Aggregators (PAs) and Payment Gateways (PGs) to ensure a secure and efficient digital payment ecosystem. These guidelines are designed to address various aspects of payment processing, from authorization and capital requirements to fraud prevention and dispute management.

Get Audit Consultation

What are Payment Aggregators and Payment Gateways?

Payment Aggregators (PAs)

These entities act as intermediaries that facilitate e-commerce platforms and merchants in accepting a variety of payment methods from customers. By providing a unified payment interface, PAs enable merchants to connect with acquiring banks and manage transaction settlements. PAs receive payments from customers, aggregate these funds, and subsequently transfer them to merchants, typically after a specified period.

Payment Gateways (PGs)

Unlike PAs, PGs provide the technology infrastructure necessary for processing online transactions. They handle the routing and execution of payments without directly managing or holding the funds. PGs ensure the smooth flow of transaction data between customers, merchants, and financial institutions. 

Applicability

  1. Payment Aggregators (PAs):
    These guidelines are mandatory for all Payment Aggregators operating within the framework set by the RBI. They ensure compliance with regulatory standards for handling payment processing. 
  2. Payment Gateways (PGs):
    Payment Gateways are encouraged to adopt these guidelines as best practices. While not mandatory, following these recommendations can enhance operational transparency and security. 
  3. Domestic Import/Export Payments:
    Transactions related to domestic imports and exports must adhere to these guidelines. This includes regulatory compliance for cross-border payment processing.
  4. Cash on Delivery (CoD):
    Cash on Delivery transactions are excluded from the scope of these guidelines. CoD payments do not fall under the regulatory requirements set for electronic payment methods.

RBI Circulars on Payment Aggregators and Payment Gateways

Guidelines on Regulation of Payment Aggregators and Payment Gateways (DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020)

This circular establishes a regulatory framework for Payment Aggregators and Payment Gateways, aimed at ensuring their operations adhere to RBI standards. It outlines the requirements for registration, compliance, and operational practices that these entities must follow to maintain the security and integrity of electronic payments.

Directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions Involving Intermediaries (DPSS.CO.PD.No.1102/02.14.08/2009-10)

This earlier circular provides detailed instructions on how accounts should be opened and managed for entities involved in electronic payment transactions. It also addresses the settlement process for these transactions, ensuring proper handling and reconciliation by intermediaries.

Clarification Issued by RBI on Circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020

This circular provides further clarifications and updates to the guidelines issued in the March 17, 2020, circular. It addresses any ambiguities or additional questions that have arisen, helping to ensure that the implementation of the guidelines is clear and consistent.

Audit Methodology

1

Authorization

The audit verifies whether the Payment Aggregator (PA) has obtained proper authorization from the RBI. It ensures compliance with regulatory mandates under the Payment and Settlement Systems Act, 2007.
2

Capital Requirements

The audit assesses if the PA meets the minimum capital requirements set by the RBI. It also checks the adequacy of capital to cover operational risks and ensure business continuity.
3

Governance

The audit evaluates the governance structure, focusing on board oversight, compliance mechanisms, and internal controls. It ensures that governance practices align with regulatory expectations.
4

Safeguards against Money Laundering (KYC / AML / CFT) Provisions

The audit examines the PA’s adherence to KYC, AML, and CFT guidelines. It ensures that robust measures are in place to prevent money laundering and financing of terrorism.
5

Merchant On-boarding

The audit reviews the processes for merchant onboarding, ensuring they meet regulatory standards. It checks for due diligence in merchant background checks and risk assessment.
6

Settlement and Escrow Account Management

The audit ensures that settlement processes comply with RBI guidelines, including the management of escrow accounts. It verifies the timely transfer of funds to merchants and secure handling of customer payments.
7

Customer Grievance Redressal and Dispute Management Framework

The audit evaluates the effectiveness of the customer grievance redressal mechanism. It checks whether disputes are resolved within stipulated timeframes and in accordance with regulatory norms.
8

Security, Fraud Prevention, and Risk Management Framework

The audit assesses the security framework, focusing on data protection, fraud detection, and risk management. It ensures that robust measures are in place to safeguard against cyber threats and financial fraud.
9

Reports

The audit reviews the accuracy and timeliness of reports submitted to the RBI. It ensures that all required disclosures are made and that reports comply with regulatory requirements.
10

General Instructions

The audit verifies adherence to any additional instructions issued by the RBI. It ensures that the PA complies with all general guidelines and updates to regulatory frameworks.

Ready to elevate your security journey?

Frequently asked questions

What are the key timelines in transaction processing?

  • Tp’: The date when the customer’s account is debited for the purchase.
  • ‘Ts’: The date the merchant notifies the intermediary about the shipment of goods.
  • ‘Td’: The date the merchant confirms delivery of goods to the customer.
  • ‘Tr’: The date when the refund period expires, as set by the merchant.

What happens if a Payment Aggregator fails to comply with the RBI guidelines?

Non-compliance with RBI guidelines can result in penalties, suspension of licenses, or even legal action against the Payment Aggregator. This could lead to disruptions in their services and loss of trust among merchants and customers.

How do these guidelines impact the overall customer experience for online transactions?

The guidelines are designed to improve customer experience by ensuring faster, more secure, and reliable payment processing. Customers can trust that their payments are handled by regulated entities adhering to stringent security and operational standards.

How should Payment Aggregators manage the settlement of payments?

Payment Aggregators must ensure that settlements to merchants are conducted within the stipulated time frames as per the RBI guidelines. They must also maintain proper reconciliation processes and ensure that customer funds are not commingled with their operational funds.

What are the technical security requirements for Payment Aggregators under the RBI guidelines?

Payment Aggregators are required to comply with security standards such as PCI-DSS (Payment Card Industry Data Security Standard) to ensure secure handling of payment data. They must also implement robust cybersecurity measures, encryption protocols, and regular audits to safeguard against breaches and data theft.

Ready to elevate your security journey?

Stay up-to date with latest emerging threats

Close Menu