Payment Aggregators (PAs) enable e-commerce sites and merchants to accept various payment instruments from customers without the merchants having to build a separate payment integration system of their own. Payment Gateways (PGs) provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in the handling of funds. PAs and PGs allow customers at one end of the world to make payments to a person at the other end without any fear of fraud.
Payment Aggregators manage the funds of a merchant. Therefore, their activities are required to be more regulated. The Reserve Bank of India (RBI) has issued “Guidelines on Regulation of Payment Aggregators and Payment Gateways” vide RBI/DPSS/2019-20/174 dated 17th March 2020 to regulate payment aggregators.
This article discusses the guidelines issued to operate the Payment Gateway entities:
1. Policy of taking Merchant On-Board
Merchants use the services of payment gateways to receive hassle-free payments from their customers through any mode. However, as per the Guidelines issued, Payment Aggregators are required to note the following points while taking a merchant on board:
- PAs shall have a Board approved policy for merchant on-boarding.
- PAs shall undertake background and antecedent checks of the merchants and shall make sure that the merchant does not have any intention of duping the customers and does not sell fake or prohibited products, etc.
- The merchant’s website specifies the terms and conditions of the service and the timeline for processing returns and refunds.
- PAs shall be responsible for checking Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure of the merchants on-boarded.
- Merchant sites shall not save the customer card and such related data. For this purpose, the PAs may carry out a security audit of the merchant.
- Agreement with merchant shall have provision for security and privacy of customer data. PA’s agreement with merchants shall include compliance with PA-DSS and incident reporting obligations.
- The PAs shall obtain periodic security assessment reports either based on the risk assessment (large or small merchants) or at the time of renewal of contracts.
2. Settlement and Escrow Account Management
The Payment Aggregators collect the funds from the customers and then transfer the same to the merchant. RBI has specified the following guidelines on how payment aggregators shall manage the funds and the time within which the funds should be credited to merchants’ accounts.
a. Escrow Account:
- Non-bank PAs shall open an escrow account with any scheduled commercial bank and all the funds collected from the customers shall be received in such escrow account.
- An additional escrow account may be maintained with a different scheduled commercial bank at the discretion of the PA.
- The PAs can shift the escrow account from one bank to another. However, the same shall be carried out in a time-bound manner without impacting the payment cycle to merchants, under advice to RBI.
b. Time cycle of receipt of funds in an escrow account and transfer of funds from the escrow account
- The following are the key terms used:
- ‘Tp’ – date of charge/debit to the customer’s account against the purchase of goods/services.
- ‘Ts’ – date of intimation by the merchant to the intermediary about the shipment of goods.
- ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer.
- ‘Tr’ – date of expiry of refund period as fixed by the merchant.
- Amounts deducted from the customer’s account shall be remitted to the escrow account of the PA on a Tp+0 / Tp+1 basis. The same rules shall apply to non-bank entities where wallets are used as a payment instrument.
- The final settlement with the merchant shall be effected as under:
Terms | Time Limit for final settlement with Merchant |
Time Limit for Final Settlement with Merchant | Ts + 1 Basis |
PA is responsible for the delivery of goods/services | Td + 1 Basis |
The merchant is responsible for the delivery | Tr + 1 basis |
- Settlement of funds with merchants shall not be co-mingled with other businesses, if any, handled by the PA.
c. Guidelines on Refund transactions:
- Credits towards reversed transactions, where initial funds were received through PA, shall be routed back through the escrow account except where the refund is directly managed by the merchant and the customer is aware of the same.
d. Other terms and conditions
- At the end of the day, the PA shall maintain the minimum amount collected from the customer as per ‘Tp’ or the amount due to the merchant.
- PAs shall be permitted to pre-fund the escrow account with their own or merchant’s funds. However, in the latter scenario, the merchant’s beneficial interest shall be created on the pre-funded portion.
- The escrow account shall not be operated for ‘Cash-on-Delivery’ transactions.
e. Permitted Debits or credit to or from the escrow account
- Where more than one escrow account is maintained, credit and debit from one escrow account to the other shall be permitted. However, inter-escrow transfers should be avoided as far as possible and if resorted to, the auditor’s certification shall mention such transactions.
- Permissible Credits:
- Payment from various customers towards the purchase of goods or services.
- Pre-funding by merchants or PAs.
- Transfer representing refunds for failed/disputed/returned/canceled transactions.
- Payment received for onward transfer to merchants under promotional activities, incentives, cash-backs, etc.
- Permissible Debits:
- Payment to various merchants.
- Payment to any other account on specific directions from the merchants.
- Transfer representing refunds for failed/disputed transactions.
- Payment of commission to the intermediaries. This amount shall be at pre-determined rates/frequency.
- Payment of amount received under promotional activities, incentives, cash-backs, etc.
f. Compliance with RBI Guidelines:
- For the purpose of maintaining reserve requirements, the balance in the escrow account shall be considered as part of “net demand and time liabilities” (NDTL). The balance with the bank in the escrow account on the date of reporting shall be considered.
- The entity and the escrow account banker shall be responsible for compliance with RBI instructions issued from time to time.
- Authorised entities shall submit the certificate signed by the auditor to the respective Regional Office of DPSS, RBI certifying that the entity has been maintaining balance(s) in the escrow account(s) in compliance with these instructions. Where more than one escrow account is maintained, balances in all escrow accounts shall be considered.
- PAs shall submit the list of merchants acquired by them to the bank where they are maintaining the escrow account and shall update such list from time to time.
- The bank shall ensure that payments are made only to eligible merchants.
g. Transfer of “Core Portion” to separate Account
- No interest shall be payable by the bank on balances maintained in the escrow account. However, as per the agreement entered with PA, the bank can transfer the “core portion” of the amount to a separate account on which interest is payable.
- In case of a shortfall in the escrow account, the amounts held in the interest-bearing account shall be available.
- This facility shall be permissible to entities who have been in business for 26 fortnights and whose accounts have been duly audited for the full accounting year. For this purpose, the period of 26 fortnights shall be calculated from the actual business operation in the account.
- No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits.
3. Customer Grievance Redressal and Dispute Management Framework
- PAs shall implement a customer grievance redressal and dispute management framework and designate a nodal officer to handle the customer complaints and the escalation matrix.
- The complaint facility, if made available on the website/mobile, shall be clearly and easily accessible.
- PAs shall have a dispute resolution mechanism binding on all the participants which shall contain a transaction life cycle, a detailed explanation of types of disputes, the process of dealing with them, compliance, responsibilities of all the parties, documentation, reason codes, procedure for addressing the grievance, turn-around-time for each stage, etc.
4. Security, Fraud Prevention and Risk Management Framework
- PAs shall put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud.
- PAs shall put in place Board approved information security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. Baseline technology-related recommendations for adoption by the PAs are provided in Annex 2.
- PAs shall establish a mechanism for monitoring, handling, and follow-up of cyber security incidents and breaches. The same shall be reported immediately to the DPSS, RBI, Central Office, Mumbai, and to CERT-In (Indian Computer Emergency Response Team).
- PAs shall not store the customer card credentials within their database or the server accessed by the merchant.
- PAs shall submit the System Audit Report, including the cyber security audit conducted by CERT-In empanelled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.
5. General Instructions
- PAs shall ensure that the extant instructions about the Merchant Discount Rate (MDR) are followed. Information on other charges such as convenience fees, handling fees, etc., if any, being levied shall also be displayed upfront by the PA.
- PAs shall not place limits on transaction amounts for a particular payment mode. The same can be done by the issuing bank/entity, e.g., the card issuing bank shall be responsible for placing amount limits on cards issued by it based on the customer’s creditworthiness, spending nature, profile, etc.
- PAs shall not give an option for ATM PIN as a factor of authentication for card-not-present transactions.
- All refunds shall be made to the original payment method unless specifically agreed by the customer to credit to an alternate mode.
Conclusion
To ensure the safety of funds of customers and merchants, the RBI has issued detailed guidelines for handling funds by the PAs, security measures required to be implemented by the PA, and a customer grievance redressal framework. The PAs must follow each guideline issued by the RBI to maintain the authorisation.