Data Strategy Briefing — March 17, 2020
The Reserve Bank of India's payment aggregator framework requires Indian incorporation, escrow safeguards, domestic storage of payments data, and intensive merchant oversight, pushing fintechs and global merchants to re-architect compliance and operations.
The Reserve Bank of India (RBI) issued comprehensive Guidelines on Regulation of Payment Aggregators and Payment Gateways on 17 March 2020, setting a licensing pathway for domestic and cross-border providers that collect payments on behalf of merchants. The framework, issued under the Payment and Settlement Systems Act, 2007, ties authorization to Indian incorporation, capital adequacy, escrow safeguards, and domestic storage of payments data within 180 days. Providers already in market were given time-bound milestones to meet the standards, while new entrants were required to demonstrate compliance upfront. This briefing synthesizes what localization means in practice, highlights operational expectations, and maps the broader industry impact.
Localization in the RBI context requires more than hosting a copy of data in-country. Payment aggregators must ensure primary data residency for the full payments data stack: transaction logs, customer payment credentials collected on behalf of merchants, audit trails, risk decisions, chargeback data, and settlement files. The guidelines apply the RBI's April 2018 circular on storage of payment system data, which requires end-to-end transaction data to be stored only in India, subject to periodic system audit and board oversight. Processing abroad is not prohibited, but the RBI's FAQs on that circular require the data to be deleted from the offshore systems and brought back to India within one business day or 24 hours of processing, whichever is earlier; only for cross-border transactions may a copy of the domestic component of the data also be kept abroad. Production data therefore sits on servers located in India, and any offshore processing must be tightly controlled, logged, and reported.
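As an added illustration (not part of the RBI text and not this briefing's original content), the guard below shows what "tightly controlled, logged, and reported" offshore processing looks like in code: records bound for a non-Indian region have their payment-instrument fields replaced by keyed tokens, fields that must never be stored are rejected outright, and every offshore export is written to an exception register with a purge deadline that a later check can flag as overdue. The region names, field names, sample record and in-line key are assumptions for the example; the 24-hour window follows the RBI's 2019 FAQs on the 2018 circular, and in production the key would be a handle to an India-region HSM/KMS rather than a literal.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption for this example: the tokenization key is a constructed stand-in. In production
# it would be a handle to a key held in an India-region HSM/KMS, never a literal in code.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

INDIA_REGIONS = {"ap-south-1", "ap-south-2"}            # assumed region names for in-country hosting
SENSITIVE_FIELDS = {"pan", "upi_vpa", "account_number", "ifsc"}
NEVER_EXPORT = {"cvv", "pin"}                            # must not be stored at all, so never exported
OFFSHORE_RETENTION = timedelta(hours=24)                 # RBI FAQ: purge offshore copy within 24 h / one business day


def tokenize(value: str) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated).

    Offshore fraud or analytics jobs can still join events on the same instrument,
    but without the key the token cannot be reversed, and the 16-digit PAN space
    cannot be brute-forced the way it could be against an unkeyed hash.
    """
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


@dataclass
class ExceptionRegister:
    """Offshore processing register: what left India, where to, why, and the purge deadline."""
    entries: list = field(default_factory=list)

    def record(self, txn_id: str, destination: str, purpose: str, exported_at: datetime) -> dict:
        entry = {"txn_id": txn_id, "destination": destination, "purpose": purpose,
                 "exported_at": exported_at, "purge_by": exported_at + OFFSHORE_RETENTION,
                 "purged": False}
        self.entries.append(entry)
        return entry

    def mark_purged(self, txn_id: str) -> None:
        for e in self.entries:
            if e["txn_id"] == txn_id:
                e["purged"] = True

    def overdue(self, now: datetime) -> list:
        """Entries whose offshore copy should already have been deleted: a reportable finding."""
        return [e for e in self.entries if not e["purged"] and now > e["purge_by"]]


def prepare_export(record: dict, destination_region: str, purpose: str,
                   register: ExceptionRegister, now: datetime) -> dict:
    """Return the version of `record` that is allowed to travel to `destination_region`."""
    leaked = NEVER_EXPORT & set(record)
    if leaked:
        raise ValueError(f"record carries fields that must never be stored or exported: {sorted(leaked)}")
    if destination_region in INDIA_REGIONS:
        return dict(record)                              # in-country: no transformation, no register entry
    exported = {k: (tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}
    register.record(record["txn_id"], destination_region, purpose, now)
    return exported


def run_demo() -> dict:
    """Constructed sample records and timestamps; returns the observations a test can check."""
    register = ExceptionRegister()
    t0 = datetime(2020, 3, 17, 9, 0, tzinfo=timezone.utc)
    record = {"txn_id": "txn-0001", "pan": "4111111111111111", "amount": "1299.00",
              "currency": "INR", "merchant_id": "M-42"}
    domestic = prepare_export(record, "ap-south-1", "settlement", register, t0)
    offshore = prepare_export(record, "us-east-1", "fraud-scoring", register, t0)
    second = prepare_export(dict(record, txn_id="txn-0002"), "us-east-1", "fraud-scoring", register, t0)
    try:
        prepare_export(dict(record, cvv="123"), "ap-south-1", "settlement", register, t0)
        cvv_rejected = False
    except ValueError:
        cvv_rejected = True
    register.mark_purged("txn-0002")                      # only one of the two offshore copies was cleaned up
    return {"domestic": domestic, "offshore": offshore,
            "same_token": offshore["pan"] == second["pan"],
            "cvv_rejected": cvv_rejected,
            "overdue_count": len(register.overdue(t0 + timedelta(hours=25))),
            "register_size": len(register.entries)}
```

The register is the artefact an auditor asks for: it shows every exception to the local-first default, and `overdue()` turns the 24-hour deletion rule into a check you can run from a scheduler rather than a sentence in a policy document. Deterministic tokens are a deliberate trade-off: they preserve joins for fraud models but also let an offshore party count how often an instrument appears, so rotate the key per purpose if that linkage itself is sensitive.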
Operationally, authorized payment aggregators must act as “principal” to the merchant for settlement, ensuring that funds flow into an escrow account with a scheduled commercial bank, that refunds and chargebacks are prioritized, and that settlement timelines are honored. Merchants that handle sensitive categories—such as regulated financial services, health, and gaming—require enhanced diligence and explicit RBI approval where needed. The regulator expects ongoing monitoring, with annual system audits, quarterly net-worth certifications, and detailed reporting on fraud, disputes, and system availability.
Because localization and escrow controls sit at the heart of the framework, technology leaders need to align infrastructure, contracts, and governance. This means mapping which microservices touch payments data, redesigning data retention policies to conform to RBI timelines, and ensuring that third-party vendors who store or process data also comply. Escrow workflows need to enforce the settlement cascade (T+1 or as contracted) and block any pooling of funds across merchants. The RBI also expects customer experience safeguards, including clear refund timelines, dispute resolution processes, and the ability for users to revoke mandates or stored payment instructions.
RBI requirements
The 2020 framework codifies the supervisory expectations that had evolved in prior circulars and supervisory letters. Key requirements include:
- Licensing and incorporation: Payment aggregators must be incorporated in India and obtain authorization under the Payment and Settlement Systems Act. Existing marketplace players that were not previously classified as payment system operators must transition into the licensed regime.
- Capital adequacy: A minimum net worth of ₹15 crore was required by March 2021, rising to ₹25 crore by March 2023, with ongoing maintenance thereafter. Quarterly certifications from statutory auditors are expected to verify compliance.
- Data localization: Full transaction data, including customer and merchant identifiers, payment instrument details, and transaction metadata, must be stored only in India. System logs, risk models, and dispute records must also reside domestically, subject to periodic system audits.
- Escrow and settlement discipline: Customer funds must be routed to an escrow account with a scheduled commercial bank. Settlement to merchants follows the RBI-prescribed cascade: chargebacks, refunds, taxes, and fees are processed first, with merchant settlement executed within the contracted timeline (commonly T+1).
- Merchant due diligence: Aggregators must perform KYC on merchants, verify the legitimacy of goods and services, monitor for prohibited categories, and implement controls to suspend or terminate non-compliant merchants. High-risk sectors require enhanced monitoring and, where applicable, prior regulatory approval.
- Customer protection and disclosures: Clear display of pricing, refund windows, dispute contacts, and storage of payment credentials must be provided to end users. Aggregators must also maintain a robust grievance redress mechanism with defined turnaround times.
The RBI has emphasized that non-compliance—especially around data residency and escrow operations—can lead to supervisory action, including restrictions on onboarding new merchants or processing new transactions until remediation is complete.
Implementation guidance
Engineering and compliance teams can operationalize localization and escrow controls by working through a structured plan:
- Data mapping and minimization: Catalog every dataset created during checkout, authorization, settlement, reconciliation, and dispute handling. Remove non-essential personal data and avoid storing payment instrument details beyond what is necessary for refunds and chargebacks.
- Infrastructure localization: Host primary databases, log stores, and backups in India-based availability zones. Where global services are used for analytics or fraud, ensure that raw payment data is tokenized or anonymized before export and that offshore processing is logged and reported as required.
- Key management and encryption: Apply encryption at rest for transactional data and escrow account references. Keep hardware security modules or key management systems within Indian regions to prevent key material from leaving the jurisdiction.
- Escrow orchestration: Automate the settlement cascade with explicit tagging of funds for refunds, chargebacks, and taxes. Implement guardrails to prevent commingling of merchant funds, and reconcile escrow balances daily against settlement files.
- Vendor governance: Update contracts with cloud, fraud, and customer-support vendors to include RBI data localization clauses, breach notification timelines, and audit rights. Assess whether any sub-processors store or access payment data outside India.
- Audit and reporting: Schedule annual system audits by CERT-In empaneled auditors, maintain logs for at least six months on hot storage for forensic investigations, and prepare quarterly net worth and compliance attestations for the board.
- Customer experience: Surface transparent refund timelines, provide self-service options for transaction receipts and dispute initiation, and ensure that fallback channels exist for outages affecting payment gateways or banks.
This structured approach helps international payment firms align with RBI expectations without compromising reliability or innovation. Teams should build “local first” defaults, with any cross-border data flows justified and documented as exceptions.
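The escrow orchestration and reconciliation steps above, as an added worked example that is neither the page's nor any provider's code: a per-merchant sub-ledger over a single escrow account applies claims in the cascade order the framework describes (chargebacks, refunds, taxes, fees, then payout), refuses claims that belong to a different merchant, carries any shortfall against that merchant's future collections instead of drawing on other merchants' funds, and reconciles the sum of the sub-ledgers against the bank's reported escrow balance. The claim kinds, the merchant identifiers and amounts, and the policy of recovering a shortfall from the merchant's next collections are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Claims against a merchant's collected funds, satisfied in this order before any payout.
CASCADE = ("chargeback", "refund", "tax", "fee")


@dataclass(frozen=True)
class Claim:
    merchant_id: str
    kind: str        # one of CASCADE
    amount: Decimal


class EscrowLedger:
    """Per-merchant sub-ledger over one escrow account.

    Every debit is scoped to the merchant whose collections funded it, so a shortfall
    on one merchant is carried as a receivable against that merchant's future
    collections and is never covered from another merchant's balance.
    """

    def __init__(self) -> None:
        self.collected = defaultdict(Decimal)    # merchant_id -> funds currently held in escrow
        self.receivable = defaultdict(Decimal)   # merchant_id -> unsatisfied claims carried forward
        self.journal = []                         # (merchant_id, entry_kind, signed amount) audit trail

    def collect(self, merchant_id: str, amount: Decimal) -> None:
        if amount <= 0:
            raise ValueError("collections must be positive")
        self.collected[merchant_id] += amount
        self.journal.append((merchant_id, "collection", amount))

    def settle(self, merchant_id: str, claims: list) -> dict:
        # Commingling guard: only this merchant's claims may touch this merchant's funds.
        if any(c.merchant_id != merchant_id for c in claims):
            raise ValueError("claim belongs to a different merchant")
        if any(c.kind not in CASCADE for c in claims):
            raise ValueError("unknown claim kind")

        queue = []
        if self.receivable[merchant_id] > 0:      # recover an earlier shortfall before anything else
            queue.append(Claim(merchant_id, "recovery", self.receivable[merchant_id]))
            self.receivable[merchant_id] = Decimal("0")
        queue += sorted(claims, key=lambda c: CASCADE.index(c.kind))

        balance = self.collected[merchant_id]
        applied = defaultdict(Decimal)
        for claim in queue:
            take = min(claim.amount, balance)
            balance -= take
            applied[claim.kind] += take
            self.journal.append((merchant_id, claim.kind, -take))
            if take < claim.amount:               # funds exhausted: carry forward, never borrow across merchants
                self.receivable[merchant_id] += claim.amount - take

        payout = balance                          # whatever survives the cascade goes to the merchant
        self.journal.append((merchant_id, "payout", -payout))
        self.collected[merchant_id] = Decimal("0")
        return {"applied": dict(applied), "payout": payout,
                "shortfall": self.receivable[merchant_id]}

    def reconcile(self, bank_balance: Decimal) -> dict:
        """Daily check: the bank's escrow balance must equal the sum of all merchant sub-ledgers."""
        ledger_total = sum(self.collected.values(), Decimal("0"))
        return {"ledger": ledger_total, "bank": bank_balance,
                "difference": bank_balance - ledger_total,
                "matched": bank_balance == ledger_total}


def commingling_rejected() -> bool:
    """True if the ledger refuses to apply merchant M2's claim against merchant M1's funds."""
    ledger = EscrowLedger()
    ledger.collect("M1", Decimal("100.00"))
    try:
        ledger.settle("M1", [Claim("M2", "fee", Decimal("1.00"))])
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Constructed scenario: two merchants, one with a chargeback larger than its collections."""
    ledger = EscrowLedger()
    ledger.collect("M1", Decimal("1000.00"))
    ledger.collect("M2", Decimal("500.00"))
    matched = ledger.reconcile(Decimal("1500.00"))      # bank statement agrees with the sub-ledgers
    mismatch = ledger.reconcile(Decimal("1490.00"))     # a 10.00 gap that must be investigated

    m1 = ledger.settle("M1", [
        Claim("M1", "fee", Decimal("20.00")),           # order of input does not matter
        Claim("M1", "chargeback", Decimal("200.00")),
        Claim("M1", "refund", Decimal("100.00")),
    ])
    m2 = ledger.settle("M2", [Claim("M2", "chargeback", Decimal("600.00"))])

    ledger.collect("M2", Decimal("300.00"))
    m2_next = ledger.settle("M2", [Claim("M2", "fee", Decimal("10.00"))])
    return {"matched": matched, "mismatch": mismatch, "m1": m1, "m2": m2, "m2_next": m2_next}
```

Two design points carry the compliance weight. Amounts are `Decimal`, not floats, because a reconciliation that drifts by a paisa across thousands of transactions is a finding, not a rounding error. And `settle()` never reads any balance but the named merchant's: the commingling rule is enforced by the shape of the code rather than by a review step, and the journal gives the auditor the cascade in the order it was actually applied.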
Industry impact
The localization mandate reshaped market entry strategies for global payment service providers. Companies previously operating via cross-border routing or merchant-of-record models had to establish Indian subsidiaries, secure local banking partners, and re-architect data storage. For domestic fintechs, the framework clarified the compliance bar and created a level playing field, but it also raised operating costs due to escrow management, audits, and capital requirements.
Merchants benefited from clearer refund timelines and standardized dispute resolution, yet they also faced tighter onboarding checks that could delay go-live for higher-risk categories. Banks gained visibility into settlement flows through escrow accounts, enabling better monitoring of chargebacks and fraud patterns. At the ecosystem level, the guidelines reinforced India’s broader data sovereignty policy direction, dovetailing with initiatives such as the National Payments Corporation of India’s push for local processing across UPI and RuPay networks.
The RBI’s supervisory letters since 2020 show a focus on cyber resilience and incident reporting. Payment aggregators that experienced service disruptions or data leakage have faced restrictions on new merchant onboarding until independent audits verified remediation. As a result, mature change management, rigorous vendor risk assessments, and tabletop exercises for outage response have become board-level priorities.
Investors now underwrite compliance execution as a core part of valuation. Founders must demonstrate that product roadmaps—whether new checkout experiences, tokenization flows, or buy-now-pay-later partnerships—are built on infrastructure that meets localization, escrow, and grievance redress requirements. This compliance capability is increasingly seen as a competitive differentiator when courting enterprise merchants and regulated sectors.
Operational checklist
Before submitting an authorization application or an audit pack, teams should validate the following:
- Indian-incorporated entity with board-approved risk and information security policies that reference RBI localization and escrow rules.
- Escrow account agreement with a scheduled commercial bank, including settlement cascade logic and service-level commitments.
- Documented data flow diagrams showing that primary storage, backups, and log pipelines remain in India, with exception registers for any offshore processing.
- Merchant onboarding playbooks covering KYC, sector classification, content moderation for prohibited categories, and triggers for suspension.
- Incident response plan with roles for notifying banks, merchants, regulators, and customers, alongside evidence of recent tabletop exercises.
- Evidence of annual system audit by an independent auditor, penetration testing results, and remediation tracking for identified findings.
Maintaining this checklist and updating it with new RBI clarifications—such as revised fraud reporting templates or expectations around tokenized card data—helps payment aggregators reduce supervisory friction.