Data Strategy Briefing — March 17, 2020
The Reserve Bank of India finalised payment aggregator guidelines requiring Indian storage of payments data, triggering localisation workstreams for fintechs and global merchants operating in the market.
Executive briefing: The Reserve Bank of India (RBI) released final guidelines on the regulation of payment aggregators and payment gateways on . The framework requires payment aggregators (PAs) to obtain RBI authorisation, maintain capital buffers, store payments data only in India, and implement stringent customer protection controls. Existing entities had to apply for authorisation by September 2020 and achieve net worth thresholds by March 2021 (INR 25 crore) and March 2023 (INR 15 crore for gateways). Global merchants and fintechs operating in India must adjust corporate structures, data localisation practices, and risk management.
Key regulatory requirements
The guidelines mandate that PAs be incorporated in India, with foreign companies required to establish local subsidiaries. PAs must maintain a minimum net worth of INR 15 crore at application, increasing to INR 25 crore by 31 March 2023, and maintain this level thereafter. They must also comply with Payment and Settlement Systems Act provisions, RBI’s Know Your Customer (KYC) Master Directions, and data localisation mandates from the April 2018 circular on payments data storage.
PAs must route transactions through escrow or nodal accounts maintained with scheduled commercial banks. Settlement timelines are defined (T+1 for domestic merchants, T+5 for cross-border) with clear disclosure requirements. Chargeback and dispute resolution mechanisms must be transparent, with mandatory refund timelines and customer grievance redress systems.
Data localisation and security controls
All payments data—including full end-to-end transaction information—must be stored in systems located in India. Data may be processed outside India only for limited purposes (e.g., completing a transaction); any copy held abroad for such processing must be deleted from the foreign systems and the data brought back to India within 24 hours. System logs must be retained for at least one year.
Information security requirements include adherence to PCI DSS for card transactions, robust encryption, tokenisation where applicable, and quarterly security audits. RBI expects compliance with its cybersecurity framework for payment system operators, requiring cybersecurity policies, real-time monitoring, incident response plans, and reporting of security incidents within 2–4 hours.
Customer protection and merchant due diligence
PAs must implement merchant onboarding due diligence to prevent fraud and ensure compliance with RBI and Prevention of Money Laundering Act (PMLA) requirements. This includes background checks, site visits, and periodic reviews. Merchants must provide clear terms and conditions, refund policies, and customer support contacts. PAs must ensure customer data is protected and not shared without consent.
Guidelines require PAs to provide real-time notifications, two-factor authentication, and clear communication of failed transactions. They must also implement grievance redress mechanisms, including appointing a nodal officer for customer complaints and integrating with the RBI Ombudsman scheme.
Operational impact for fintechs and global merchants
Foreign payment gateways must evaluate whether to establish Indian subsidiaries or partner with licensed PAs. Corporate restructuring may be necessary to meet net worth and governance requirements. Data localisation mandates require migrating data centres or leveraging Indian cloud regions with compliant infrastructure. Firms must negotiate with global processors to ensure data repatriation obligations are met.
Compliance programmes must cover escrow management, settlement reconciliation, and merchant risk monitoring. Entities need to integrate fraud detection systems, maintain audit trails, and ensure segregation of duties. Internal audit teams must review adherence to RBI reporting timelines and supervisory inspections.
Governance and reporting
PAs must have board-approved policies on IT governance, risk management, and outsourcing. Key managerial personnel must have relevant experience, and RBI can require changes in management. Annual system audits by CERT-In empanelled auditors are mandatory, and reports must be submitted to RBI. Entities must file periodic statements on transaction volumes, security incidents, and customer complaints.
Outsourcing arrangements must comply with RBI’s outsourcing guidelines, ensuring service providers meet security and business continuity requirements. Contracts should include clauses for RBI inspection rights, data confidentiality, and termination.
Transition timelines and enforcement
Existing PAs were required to submit applications by 30 June 2021 (after extensions) and were allowed to continue operations pending RBI decisions. Entities failing to comply face directives to cease operations. RBI has already rejected several applications for non-compliance, signalling strict enforcement.
New entrants must not commence operations without prior authorisation. The guidelines emphasise regular supervisory reviews, on-site inspections, and compliance with KYC/AML obligations. Non-compliance can lead to penalties under the Payment and Settlement Systems Act and PMLA.
Action plan
- Immediate: Assess corporate structure, capital adequacy, and data localisation readiness. Map data flows to ensure storage within India and document cross-border processing exceptions.
- 30–60 days: Update merchant onboarding procedures, escrow account management, and settlement controls. Engage auditors to plan annual system audits and penetration tests.
- 60–90 days: Finalise RBI authorisation documentation, submit required forms, and align governance policies with board oversight expectations. Implement monitoring dashboards for transaction reconciliation and incident reporting.
- Continuous: Track RBI circulars, enforcement actions, and industry association guidance (e.g., Payments Council of India). Review compliance quarterly and adjust infrastructure as regulations evolve.
Adhering to RBI’s payment aggregator framework enhances consumer trust, reduces systemic risk, and secures continued access to India’s fast-growing digital payments market.
Industry response and competitive dynamics
Major Indian PAs such as Razorpay, PayU, and BillDesk accelerated funding rounds and compliance investments to meet net worth thresholds. Global players including Amazon Pay, Google Pay, and PayPal reviewed corporate structures to align with local incorporation requirements, with some choosing to operate as third-party apps partnering with licensed PAs. Industry associations like the Internet and Mobile Association of India (IAMAI) engaged with RBI seeking clarity on timelines and implementation details.
Merchants must assess PA partners' authorisation status and contingency plans. Contracts should include clauses allowing merchants to exit relationships if RBI denies authorisation. Competition may intensify as licensed PAs differentiate through value-added services such as analytics, lending, and subscription billing while balancing compliance costs.
Technology and process adjustments
IT teams must ensure payment processing platforms support localisation requirements, including routing data to Indian data centres, implementing data residency controls, and updating disaster recovery sites within India. Encryption key management should align with Indian jurisdiction, potentially requiring hardware security modules deployed locally. Firms should conduct data flow mapping, update data retention policies, and ensure compliance with RBI’s directive to purge foreign copies within 24 hours.
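The data-residency control described here and in the localisation section above can be made mechanical: every stored copy of a transaction is tagged with the region it resides in, and a scheduled audit flags transactions that have no India-resident copy and foreign processing copies that have outlived the 24-hour purge window. The following is an added example written for this briefing, not RBI text or any payment aggregator's code; the region labels (`in-mumbai`, `us-east-1`, etc.), the `DataCopy` record layout and the sample records are constructed assumptions.

```python
"""Data-residency audit for payments data copies (added illustrative example).

Region labels, the record layout and the sample records below are constructed
assumptions, not RBI definitions or any production system's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed labels for storage locations inside India. Any region not in this
# set is treated as a foreign copy subject to the 24-hour purge rule.
INDIA_REGIONS = frozenset({"in-mumbai", "in-hyderabad", "ap-south-1"})
PURGE_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class DataCopy:
    txn_id: str          # payment transaction this copy belongs to
    region: str          # region where the copy physically resides
    stored_at: datetime  # when the copy was written (UTC)
    purpose: str         # "primary" (system of record) or "processing"


@dataclass(frozen=True)
class Finding:
    txn_id: str
    code: str            # NO_DOMESTIC_COPY or FOREIGN_COPY_OVERDUE
    region: Optional[str]
    detail: str


def is_domestic(copy: DataCopy) -> bool:
    return copy.region in INDIA_REGIONS


def purge_deadline(copy: DataCopy) -> datetime:
    """Latest moment a foreign processing copy may still exist (stored_at + 24 h)."""
    return copy.stored_at + PURGE_WINDOW


def audit_residency(copies: List[DataCopy], now: datetime) -> List[Finding]:
    """Flag transactions with no India-resident copy and foreign copies that
    are past their 24-hour purge deadline. Returns findings sorted by txn_id."""
    by_txn = {}
    for c in copies:
        by_txn.setdefault(c.txn_id, []).append(c)

    findings = []
    for txn_id in sorted(by_txn):
        txn_copies = by_txn[txn_id]
        if not any(is_domestic(c) for c in txn_copies):
            findings.append(Finding(txn_id, "NO_DOMESTIC_COPY", None,
                                    "no copy stored in an Indian region"))
        for c in txn_copies:
            if is_domestic(c):
                continue
            overdue = now - purge_deadline(c)
            if overdue > timedelta(0):
                hours = overdue.total_seconds() / 3600
                findings.append(Finding(txn_id, "FOREIGN_COPY_OVERDUE", c.region,
                                        f"foreign copy {hours:.1f} h past the 24 h purge deadline"))
    return findings


def purge_queue(copies: List[DataCopy], now: datetime) -> List[DataCopy]:
    """All foreign copies ordered by purge deadline (overdue ones first), so a
    scheduled purge job knows what to delete next. `now` is accepted so the
    caller can pin the audit time; ordering does not depend on it."""
    return sorted((c for c in copies if not is_domestic(c)), key=purge_deadline)


def _utc(y: int, mo: int, d: int, h: int, mi: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Audit time and constructed sample copies (not real transaction records).
NOW = _utc(2020, 3, 17, 12)
SAMPLE_COPIES = [
    DataCopy("TXN-0001", "in-mumbai", _utc(2020, 3, 17, 9), "primary"),
    DataCopy("TXN-0001", "us-east-1", _utc(2020, 3, 17, 10), "processing"),   # 2 h old: still allowed
    DataCopy("TXN-0002", "in-mumbai", _utc(2020, 3, 15, 8), "primary"),
    DataCopy("TXN-0002", "eu-west-1", _utc(2020, 3, 15, 8), "processing"),    # 52 h old: 28 h overdue
    DataCopy("TXN-0003", "us-east-1", _utc(2020, 3, 17, 11), "processing"),   # no India copy at all
    DataCopy("TXN-0004", "in-hyderabad", _utc(2020, 3, 17, 11, 30), "primary"),
]

if __name__ == "__main__":
    for f in audit_residency(SAMPLE_COPIES, NOW):
        print(f"{f.txn_id}: {f.code} ({f.region}) - {f.detail}")
    for c in purge_queue(SAMPLE_COPIES, NOW):
        print(f"purge {c.txn_id}@{c.region} by {purge_deadline(c).isoformat()}")
```

Run against the sample records, the audit reports TXN-0002 as overdue and TXN-0003 as having no domestic copy; TXN-0001's foreign copy is within the window and appears only in the purge queue with its deadline. In practice the region tag would come from the storage platform's own metadata rather than a hand-maintained field, and the audit output would feed the incident-reporting and dashboard processes this section describes.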
Process adjustments include revising merchant onboarding workflows to capture KYC documentation, automating escrow reconciliations, and integrating compliance dashboards with RBI reporting formats. Customer service teams need scripts and training to handle dispute resolution timelines and escalate grievances to nodal officers efficiently.
Follow-up: RBI extended compliance windows through 2021 while vetting applicants, then granted full payment-aggregator licences to firms such as Razorpay, Cashfree, and Google Pay between late 2023 and early 2024, reaffirming data localisation and capital thresholds.
Sources
- Guidelines on Regulation of Payment Aggregators and Payment Gateways — Reserve Bank of India; sets out licensing, data storage, governance, and security requirements for payment aggregators in India, including mandatory domestic data storage within 180 days.
- DPSS.CO.PD.No.1102/02.14.008/2019-20 — Reserve Bank of India; RBI notification announcing the payment aggregator framework, compliance timelines, and supervisory expectations.