RBI Issues Guidelines For Payment Aggregators & Standards For Gateways

(MENAFN- KNN India) New Delhi, Sep 17 (KNN) The Reserve Bank of India (RBI) has released comprehensive regulatory guidelines for Payment Aggregators (PAs) and recommended baseline technology standards for Payment Gateways (PGs) to strengthen security, transparency, and resilience in the digital payments ecosystem.

In its notification, Guidelines on Regulation of Payment Aggregators and Payment Gateways, the central bank clarified that PAs, which handle customer funds, will come under direct regulation, while PGs will be treated as technology providers and encouraged to follow the prescribed security measures.

Under the framework, non-bank PAs must obtain RBI authorisation under the Payment and Settlement Systems Act, 2007.

Such entities are required to be incorporated in India and maintain a minimum net worth of Rs 15 crore at the time of application, rising to Rs 25 crore by the end of the third financial year, and maintained thereafter.

Existing operators may continue to function, while banks providing PA services as part of their normal banking business are exempted from separate authorisation.

The guidelines stipulate that PAs must be professionally managed, with promoters and directors meeting a 'fit and proper' criterion. Any acquisition or change in management must be reported to RBI within 15 days.

Agreements between PAs, merchants, and acquiring banks must clearly outline roles and responsibilities, including provisions for dispute resolution, refunds, and grievance redressal. PAs are also required to appoint a nodal officer for compliance and customer protection.

To safeguard consumer interests, PAs must conduct due diligence on merchants to prevent fraud, counterfeit products, or prohibited sales. They are also required to ensure merchant compliance with Payment Card Industry Data Security Standards (PCI-DSS).

Funds collected must be maintained in an escrow account with a scheduled commercial bank, with all settlements routed exclusively through this mechanism.

The RBI has further directed PAs to establish strong risk management systems and robust IT infrastructure.

Annual security audits must be conducted by CERT-In empanelled auditors, and any cyber incidents must be reported promptly to both RBI and CERT-In.

Reiterating data protection measures, the guidelines prohibit storage of customer card credentials by PAs or merchants. Refunds must be credited back to the original payment method, unless otherwise agreed to by the customer.

(KNN Bureau)

MENAFN17092025000155011030ID1110075616