The Reserve Bank of India (RBI) has played a pivotal role in shaping the landscape of digital payments in the country. On March 17, 2020, the RBI issued comprehensive guidelines titled "Guidelines on Regulation of Payment Aggregators and Payment Gateways" (DPSS.CO.PD.No.1810/02.14.008/2019-20). These guidelines aim to establish a robust framework for the functioning of Payment Aggregators (PAs) and Payment Gateways (PGs), ensuring the security, efficiency, and reliability of digital transactions.
I. Key Components of the Guidelines:
- Security-related Recommendations:
  - Information Security Governance: PAs and PGs are mandated to conduct a comprehensive security risk assessment annually. The assessment covers people, IT systems, and business processes to identify and address security vulnerabilities. Reports on risk assessments, security compliance, and incidents must be presented to the board.
  - Data Security Standards: Implementation of data security standards such as PCI-DSS and PA-DSS is mandatory. This ensures the adoption of current encryption standards, transport channel security, and compliance with globally recognised best practices. (Note: PA-DSS was retired by the PCI Security Standards Council in October 2022 in favour of the PCI Software Security Framework, so entities relying on PA-DSS validation for their payment applications should check the current PCI SSC standard that applies.)
  - Security Incident Reporting: Timely reporting of security incidents and cardholder data breaches to the RBI is required. Monthly cybersecurity incident reports, root cause analyses, and preventive actions must be submitted for review.
  - Merchant Onboarding: Comprehensive security assessments are obligatory during the onboarding of merchants to ensure adherence to baseline security controls.
  - Cyber Security Audit and Reports: Regular internal and external audits, Vulnerability Assessment/Penetration Test (VAPT) reports, and PCI-DSS compliance reports are required. Boards must review the information security policy annually.
  - IT Governance: Establishing an IT policy and governance framework, including an IT steering committee and a Cyber Crisis Management Plan, is critical. The plan should cover detection, containment, response, and recovery.
- Enterprise Data Management:
  - Enterprise Data Dictionary: PAs and PGs are required to maintain an enterprise data dictionary, facilitating data sharing across applications and ensuring a common understanding of data across IT and business users.
  - Risk Assessment: Comprehensive risk assessments must be conducted for each asset within scope, identifying threat/vulnerability combinations and evaluating the impact on confidentiality, integrity, and availability.
  - Access to Application: Documented standards and procedures for administering application systems, based on the principle of least privilege, must be approved by the application owner.
  - Vendor Risk Management: SLAs for technology support, including BCP-DR and data management, should include clauses permitting regulatory access. PAs and PGs must also assess their IT maturity levels against international standards.
  - Cryptographic Requirements: The selection of encryption algorithms must adhere to well-established international standards that have undergone rigorous scrutiny by cryptographic experts or authoritative bodies.
  - Forensic Readiness: Security events across infrastructure components must be collected, investigated, and analysed so that security alerts are identified proactively.
  - Data Sovereignty and Security in Outsourcing: Preventive measures should be in place to ensure data is stored within the required jurisdiction, and outsourcing agreements should include 'right to audit' clauses or require the third party to submit an annual independent security audit report.
  - Payment Application Security: Payment applications must be developed in accordance with PA-DSS guidelines, and PCI-DSS compliance status should be reviewed during merchant onboarding.
II. Other Recommendations:
- Transaction Handling: Customer card credentials should not be stored within the database or server accessed by the merchant. The option for ATM PIN as a factor of authentication for card-not-present transactions is not allowed. Instructions on the storage of payment system data applicable to Payment System Operators (PSOs) are also binding. All refunds should be made to the original method of payment unless specifically agreed upon by the customer.
- Reports to be Submitted by Authorised Payment Aggregators:
  - Annual Reports: PAs must submit an audited annual report on net worth, with a certificate, by September 30th. An externally audited IS Audit Report and Cyber Security Audit Report must be submitted by May 31st.
  - Quarterly Reports: Auditors' certificates on maintenance of the balance in escrow accounts must be submitted by the 15th of the month following the quarter-end.
  - Monthly Reports: Statistics of transactions handled must be submitted by the 7th of the following month.
  - Non-periodic Reports: Declarations and undertakings by directors regarding changes in the Board, a one-time report from banks confirming compliance with specified parameters, and cyber security incident reports must be submitted within the defined timelines.
III. Annexes and Supporting Documents:
- Net-worth Certificate (Annex 3.1): Non-bank PAs must submit a net-worth certificate by September 30th, certifying the company's net worth computed in accordance with the guidelines.
- Auditors' Certificate on Maintenance of Balance in Escrow Accounts (Annex 3.2): Non-bank PAs must provide detailed information on escrow accounts, including outstanding liabilities, debits, credits, and balances at the beginning and end of the quarter/year. The auditor must verify daily balances and ensure sufficient funds to cover outstanding liabilities.
- Statistics of Transactions Handled (Annex 3.3): Monthly submission of transaction statistics, including volume and value across different payment modes, provides insights into the PA's operational activities.
- Declaration and Undertaking by the Director (Annex 3.4): This declaration, to be submitted when a new director is appointed, requires personal details, relevant relationships, professional achievements, and disclosures on legal or regulatory proceedings.
The Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI represent a pivotal step in fortifying the security and operational standards of entities operating in the digital payment ecosystem. By emphasizing information security governance, risk assessment, and adherence to global standards like PCI-DSS and PA-DSS, the guidelines aim to ensure the resilience and trustworthiness of digital payment systems.
The detailed reporting requirements, including annual net-worth certificates, quarterly escrow account audits, and monthly transaction statistics, underscore the RBI's commitment to transparency and accountability in the rapidly evolving fintech landscape. Adherence to these guidelines not only fosters a secure digital payment environment but also contributes to the overall stability and integrity of the financial ecosystem.
As technology continues to reshape the payments landscape, these guidelines serve as a robust framework to safeguard the interests of consumers, merchants, and other stakeholders. The RBI's proactive approach in regulating payment aggregators and gateways reflects its commitment to fostering innovation while maintaining the highest standards of security and reliability in digital financial transactions.
It's great to see your expertise in the legal aspects of digital finance, Siddhartha Mishra. Your insightful article provides a comprehensive understanding of the RBI's guidelines, shaping the future of digital payments in India. Your experience truly shines through in your analysis.