RBI issues guidelines for payment aggregators, gateways to boost digital payment ecosystem

The Reserve Bank of India (RBI) on Tuesday issued detailed regulatory guidelines for Payment Aggregators (PAs) and recommended baseline technology standards for Payment Gateways (PGs) in a bid to enhance safety, transparency, and resilience in the country’s fast-growing digital payments ecosystem.

In its notification titled “Guidelines on Regulation of Payment Aggregators and Payment Gateways,” the central bank clarified that PAs, being entities that handle funds, will be directly regulated, whereas PGs — treated as technology providers — are encouraged to follow the prescribed security recommendations voluntarily.

Under the new framework, non-bank PAs must obtain RBI authorisation under the Payment and Settlement Systems Act, 2007. Such entities must be incorporated in India and maintain a minimum net worth of ₹15 crore at the time of application, which must be increased to ₹25 crore by the end of the third financial year. This net worth must be maintained at all times thereafter.

Existing players may continue operations until their applications are processed, while banks offering PA services as part of their normal banking operations are exempt from seeking separate authorisation.

The RBI has also mandated that PAs must be professionally managed and comply with a “fit and proper” criteria for promoters and directors. Any acquisition or change in management must be reported to the RBI within 15 days.

The guidelines require that agreements between PAs, merchants, and acquiring banks clearly define responsibilities, including dispute resolution, refund processes, and customer grievance redressal mechanisms. PAs must appoint a nodal officer to oversee compliance and grievance handling.

PAs are also required to conduct background checks on merchants to prevent fraud, counterfeit sales, or the listing of prohibited products. Merchants must adhere to Payment Card Industry Data Security Standards (PCI-DSS).

Funds collected from customers must be kept in an escrow account with a scheduled commercial bank. PA operations must be ring-fenced from other businesses, and all settlements must be routed through the escrow mechanism to ensure transparency and timely payments.

The RBI has emphasised the need for robust risk management systems and strong IT security infrastructure. PAs must conduct mandatory annual security audits through CERT-In empanelled auditors and report any cyber incidents immediately to both RBI and CERT-In.

Further, the guidelines reiterate that neither PAs nor merchants are allowed to store customer card credentials. Refunds must be processed to the original payment method unless the customer explicitly opts for an alternative.

(ANI)

RELATED ARTICLES

5 hours ago | Auckland

India, New Zealand enter new era of ties with Strategic Partnership; FTA to double trade by 2030: PM Modi

Prime Minister Narendra Modi on Saturday said India and New Zealand have entered a new chapter in their bilateral relationship with the elevation of ties to a Strategic Partnership, expressing confidence that the recently concluded Free Trade Agreeme...

7 hours ago | India-New Zealand

PM Modi invites New Zealand businesses to invest in India’s growth sectors

Prime Minister Narendra Modi, along with New Zealand Prime Minister Christopher Luxon, interacted with a select group of chief executive officers (CEOs) and business leaders on Saturday, highlighting the vast potential for expanding bilateral trade, ...

7 hours ago | India-New Zealand

India-New Zealand FTA to unlock new opportunities for trade, investment: PM Modi

Prime Minister Narendra Modi on Saturday invited New Zealand businesses to expand their investments in India, highlighting the country’s strong economic fundamentals, policy stability and growing opportunities across infrastructure, technology, cle...