The Reserve Bank of India (RBI) has recently released guidelines for online payment aggregators and issued draft rules to regulate point-of-sale payment service providers (PA-P). These rules state that companies providing the service must apply for authorisation from the RBI by 31 May 2025. If they fail to obtain authorisation, they will have to stop offering these services.
The RBI has also directed payment aggregators to inform the regulator about their intention to seek authorisation within 60 days from the date of issuance of formal guidelines. Banks have been instructed to close non-bank PA-Ps by 31 October 2025, unless they provide evidence of applying to the RBI for authorisation.
The regulator has also suggested that payment aggregators undertake enhanced customer due diligence to ensure that only the right set of merchants avail of digital payment services.
Additionally, all PAs must become members of the Financial Intelligence Unit under the Finance Ministry to report any suspicious transactions. It is important to note that these guidelines apply equally to PA-Ps as well as online payment aggregators (PA-O).
“In its guidelines, the regulator has emphasised that compliance is an area where PAs cannot adopt a 'one size fits all' approach. They need to have mechanisms in place that continuously monitor the transaction activity of the merchants, incorporate risk-based payment limits and flag off any potential risk at an early stage,” said Ankit Ratan, Co-founder and chief executive officer (CEO), Signzy.
The Reserve Bank of India (RBI) has declared that the instructions on Know Your Customer (KYC) will be implemented three months from the date of the circular's issuance. The RBI has asked payment aggregators (PAs) to adhere to KYC regulations by September 2025 for existing merchants.
"In the near term, payment aggregators are likely to experience increased compliance costs due to the new regulations, which could impact their operating margins. The additional expenses may include investments in updated risk management, fraud prevention, and KYC frameworks," said Deepak Chand Thakur, CEO & Co-founder, NPST.
These guidelines are important because the RBI is scrutinising the digital payments ecosystem and the level of KYC carried out by service providers on their merchants. Paytm Payments Bank, for instance, faced regulatory action recently due to inadequate KYC of its user base over the years.
“The importance has been placed on more robust KYC and distinction on account of offline and online transactions. A new category Delivery versus payment has been introduced and cash on delivery transactions have been excluded from the escrow account,” said Jyoti Prakash Gadia, Managing Director at Resurgent India.
To make it easier for payment providers to operate, the central bank has recommended classifying merchants into small and medium categories.
Physical merchants with an annual turnover of less than Rs 5 lakh are considered small merchants. Medium merchants are those with an annual turnover of over Rs 5 lakh but up to Rs 40 lakh.
“As offline payment aggregation increasingly becomes a complementary offering for many Payment Aggregators (PAs), these guidelines are quite timely. While the increased net worth requirements will raise industry standards, they also ensure a level playing field and enhance consumer protection,” said Rohit Taneja, Founder & CEO, Decentro.
Furthermore, the RBI has defined a marketplace as "an electronic commerce entity that provides an information technology platform on a digital or electronic network to facilitate transactions between buyers and sellers."
Online payments are processed through escrow accounts, which are a type of account used to settle digital payments. Recently, the Reserve Bank of India (RBI) has included digital payments made during the delivery of an e-commerce purchase under the scope of an escrow account.
“The changes essentially have been proposed for greater clarity about the various set of transactions and emphasis on escrow account being monitored for specific usage of funds only, not permitting unrelated transactions from the escrow account,” Gadia from Resurgent India added.
Furthermore, the regulator has mandated that Payment Aggregators (PAs) must adopt enhanced security measures to monitor these merchants.
PAs must ensure that merchants are using their services solely for their proposed business activities. The RBI has also recommended that PAs impose payment limits on these merchants based on risk.
“Financial Advisors view this as a positive move, promoting transparency and accountability in the industry. By adhering to stringent standards, Payment Aggregators can bolster trust among investors and consumers alike, fostering a more resilient financial ecosystem,” said Rayan Malhotra, CEO, of NeoFinity.
Starting from 1 August 2025, payment aggregator firms will no longer be allowed to store card-on-file (COF) data. Only card issuers and card networks like VISA, Mastercard, and banks will be authorised to store the COF data, according to the RBI's draft circular.