Saturday, July 13, 2024
- Advertisement -

    Latest Posts

    Here’s how RBI’s draft directions for Payment Aggregators would impact both payment providers and merchants

    When we spoke to the co-founder of InstaMojo Sampath Swain last year, he told us that the company no longer intends to apply for a payment aggregator license. He had also questioned whether obtaining payment aggregator (PA) authorization would have been the start of a bigger problem because it would put his company under the regulatory clutches of the Reserve Bank of India (RBI). Swain’s comment foreshadowed the changes to the regulatory landscape for PAs which were about to come soon after. 

    In April this year, the RBI released draft directions for PAs, expanding the know-your-customer (KYC) verification requirements for PAs. It also brought out requirements for ongoing merchant monitoring and operation of escrow accounts. These fresh requirements spell trouble not just for the PAs but also for the merchants who rely on these PAs for digital payments. They add up costs, lead to duplication or even triplication of information that the regulator already has, and run the risk of running smaller merchants out of accepting online payments. This is ironic considering the push for online payments that the regulator and Indian government have made in the past. 

    What are the new requirements being introduced by RBI?

    In essence, RBI wants PAs (both those facilitating transactions online and at physical point-of-sale locations) to carry out due diligence when onboarding merchants. When conducting KYC verification of small merchants (those undertaking face-to-face transactions of less than 5 lakh per annum), PAs have to conduct contact point verification (CPV) of the merchant’s business establishment. They must also verify the bank accounts in which the merchants’ funds are settled. 

    Similarly, when conducting KYC for medium merchants (both physical and online merchants with a turnover between Rs 5 lakh and Rs.40 lakh per annum), PAs will undertake CPV as well as verify one Officially Valid Document (OVD) of the proprietor of the business and verify one OVD of the business. OVD includes the passport, the driving license, proof of possession of the Aadhaar number, and a Voter Identity Card. The draft directions also require PAs to carry out ongoing monitoring of a merchant’s transaction activity. This will used to see if the merchant needs to be moved to a higher category of due diligence. PAs are expected to have risk-based limits for the onboarded merchants.

    PAs have also been told to settle funds only in a merchant’s escrow account and not in any other account even if the merchant requests them to do so. Interestingly, the 2020 guidelines for payment aggregators and payment gateways allowed PAs to settle funds in other accounts based on specific directions from the merchant. 

    Based on a senior industry professional in the fintech space, the rationale behind all these changes is to prevent money laundering. 

    What is the problem with these KYC verification requirements?

    One of the most glaring issues about these updated KYC requirements is that they come with additional expenditures that PAs would incur in carrying out contact point verification for merchants. “Some of our members are finding the KYC of the smaller merchants stringent and not cost-effective,” Vishwas Patel, the Chairman of the Payments Council Of India, told us. He said that the council would convey the same to the regulator in its comments. 

    Of course, if the cost rises for the PA, they are bound to pass it down to the merchants. A source from the payment aggregator space who wishes to remain anonymous told us that these KYC requirements would have an onerous impact on small online sellers and content creators. “In the last 2-3 years since COVID, we have seen people selling stuff on Facebook, Instagram, and the creator economy, as well as people running YouTube streams and accepting online payments. I think that segment will be severely impacted both in terms of time and in terms of cost,” they said. Giving us an extent of the problem, the source explained that today at least 80-90% of all online sellers onboarded on PAs are small sellers. 

    They explained that there is no carve-out for small online businesses within the draft directions and as a result of this, 70-80% of online sellers could end up being disenfranchised because they will not be able to fulfill the entire obligations or if they can, it would cost them a lot. They mentioned that PAs don’t make enough commission from small sellers to absorb the additional KYC cost and also lack the capacity to carry out physical verification. PAs might end up denying small sellers their services, which in turn would mean that the smaller merchants would not be able to accept payments online and would have to use other methods like cash transactions or bank transfers. 

    One must note that these KYC requirements are not only for new merchants being onboarded by the PA but also for the PA’s existing merchants. “I believe that merchants already have a higher grade of KYC which happens through the banks which require banks to know their nature of business, the beneficial ownership if there are other owners of the business,” an industry expert in the fintech space explained. 

    How the new KYC norms “double up” merchant verification:

    “When someone opens a business they need to open a bank account and for that, you have to undergo a full-fledged KYC process. And then they need to go through the same KYC process all over again with a PA to accept money in the same bank account,” the source told us. When we spoke to Swain last year, he also brought up the fact that banks already carry out KYC verification. He argued that fintech companies have already been complying with the requirements RBI has set out because they cannot operate without the help of a bank, and banks are already regulated by RBI. Although Swain was making these comments to justify the fact that there is no need for a separate PA authorization, they continue to ring true in the context of the draft directions. 

    An industry expert from the fintech space mentioned that the double layer of KYC has been a problem in many sectors, including digital payments. “Banks have had issues with regulatory arbitrage, with a whole bunch of startups coming in and doing very quick onboarding because it was digital onboarding,” he said. He brought up the context of Paytm which post-demonetization got 200 million customers. “And they were able to do that simply through OTP (one-time passwords) on the premise that the mobile number was already KYC-ed,” he explained. He added that banks pushed back against this, “so then RBI almost came down and said that these PPI [prepaid payment instrument] licenses should actually go in for bank-level KYC,” which also saw its own pushback. 

    The expert mentioned that the RBI has accepted that there is no need for double KYC when it comes to end customers. He gave the example of third-party application providers (TPAPs) that provide UPI, noting they are not required to do any KYC, firstly because of OTPs and second because UPI transactions always take place through a bank. “But with the merchants, they want to up the ante on the KYC part because they have been concerned about money laundering and a whole bunch of things,” he explained. 

    A senior fintech industry professional we spoke to mentioned that one of the concerns with the KYC norms being put in place is the lack of clarity on the terms “due diligence” and “contact point verification”, as they are not adequately defined. “If you are going and putting QR codes and soundboxes somewhere you are contacting the merchant then, I mean that is the verification right?” he said, giving the example of the ways in which the PAs are already physically contacting the merchant. 

    It must be noted here that on January 31, RBI issued an order banning Paytm Payments Bank Limited (PPBL) from carrying out a wide range of activities including deposits, credit transactions, and fund transfers. While neither Paytm nor RBI did clarify the reason behind the order, multiple reports suggest that the RBI found “31 crore out of 35 crore Paytm Wallets inoperative in its inspection, cases where a single PAN card was linked to thousands of accounts, absence of KYC for lakhs of accounts and violation of KYC-anti money laundering rules.” If there were indeed such major issues in the KYC of Paytm wallets, this could have been a factor in the Reserve Bank of India (RBI) moving towards tighter KYC norms for PAs. 

    Alternatives to doubling up on verification:

    Instead of having these additional due diligence requirements for all GST-eligible businesses (Goods and Services Tax), it would be best to follow a graded approach to due diligence on risk-based metrics, Adeesh Nandi, the Secretariat of Merchants Payments Association of India (MPAI) pointed out. “The regulator might want to consider scrutinizing the risk assessment practices of PAs to ensure that only high-risk merchants are subjected to the additional oversight,” he explained.

    Unlike other sources that we spoke to, who were against a second layer of verification, the senior industry professional we spoke to agreed with this graded approach that Nandi mentioned. He said that the problem with the current verification approach being introduced is that it paints merchants at different levels effectively under the same brush. He added that businesses that don’t fall within the scope of GST, also fall outside the scope of the Prevention of Money Laundering Act (PMLA, 2002). As such, having a different approach for GST exempt and GST non-exempt makes sense. He mentioned that there have been discussions that there could be a relaxed KYC for GST-exempt businesses, similar to the consumer KYC verification practices that are currently in place. For the GST-exempt businesses (like your average Kirana shop or a vegetable seller), if they have a bank account, the KYC is adequate, he said.

    The overarching problem with KYC verification:

    The senior fintech industry professional we spoke to mentioned that the problem isn’t just with KYC for merchants within the PA space, but that of KYC verification overall. He explained that while Aadhaar has been touted as a solution for verification, in reality, this has only sped up the process of enrollment but not solved any other issues. “If you go into the pre-Aadhaar times, we were doing physical KYC which by the way has not stopped, people have to do it after a few days,” he said, implying that despite Aadhaar (which verifies people’s identity at the government level), physical verification is still alive and well. 

    He added that with Aadhaar, physical verification, and the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), there’s a triplication of data

    “If you really see the cost, it has actually gone two to three times higher, nothing has stopped, it is like I am sending you [the same information] via message, email, text, letter everything and nobody wants to take a chance [with KYC] because that’s the place where RBI places the strictest action and penalties,” the senior industry professional said. 

    The senior industry professional brought up another very interesting point: if there is a verification taking place at the government level (aka Aadhaar) why is the payment aggregator the only one held responsible if something goes wrong? 

    “Let us say you verified an individual merchant via Aadhaar which is a verification carried out by the government and then there is a mobile number [attached to the merchant] which is also supposed to be verified by Aadhaar. After that if something goes wrong, why is it the financial service provider the only one held accountable? Why is it not seen as a flaw in the telecom system, a flaw in the Aadhaar system which is government? If you can’t trust the government system, then who do you trust? How can we be better than that?” he asked  

    He mentioned that third parties are not held accountable anywhere across the world if they verify users via a common government database. “You [the PA] authenticated Aadhaar, you authenticated the address proof, etc. What else can you do? We are not in a surveillance or a police kind of business,” he argued.  

    What did the PA regulatory landscape look like before these draft directions?

    RBI has previously issued three separate sets of guidelines for regulating payment aggregators in 2020, 2021 and 2022. Until the 2020 guidelines went into effect, payment aggregators and gateways were primarily regulated by a less stringent 2009 circular.

    The 2020 guidelines required non-bank entities offering PA services to apply for regulatory authorization. In terms of merchant verification, the guidelines required PAs to comply with the RBI’s 2016 Know Your Customer (KYC) Directions. PAs were required to have a board-approved policy for merchant onboarding. They were also required to undertake background and antecedent checks of the merchants being onboarded by them to ensure that the merchants did not have any intention of duping customers.

    The 2021 guidelines clarified that for PAs maintaining an account-based relationship with the merchant, the KYC guidelines would be applicable. However, for merchant onboarding, there would be no requirement to carry out the entire process of KYC, in cases where the merchant already has a bank account that is being used for transaction settlement purposes. 

    Other concerns emerging from the draft directions:

    Another major concern that emerges from the draft directions is the fact that PAs can only settle a merchant’s funds in an escrow account. When we asked the senior industry professional about this, he said that this was another step being taken to curb money laundering. “RBI is extremely uncomfortable if there is a transaction where the money instead of showing up in the merchant’s account is going to a third party who is not even involved in the transaction. And RBI is not getting a trail of that,” he explained. 

    He said that there could be situations where a merchant asks the PA to settle money in an account that is outside the PA’s system or to an individual (as opposed to a business).  While there are verifications in place at the bank account level, there could be situations where the trail of a specific transaction is lost, leading to money laundering concerns. 

    While the rationale behind limiting settlements to a merchant’s escrow account makes sense, they fail to account for legitimate reasons why a merchant might want to send money directly to a separate account. The senior industry professional mentioned that often businesses have contracts with their lenders that state that a portion of the funds they earn will go to the repayment of the loan. In such a situation transfers based on the merchant’s requests should be allowed, he explained.

    Another situation where such transactions make sense is where smaller marketplaces want to take part of the money their sellers are making as a commission and settle the rest with the sellers directly. Typically, these marketplaces settle funds directly to sellers via a PA, but these new directions would require marketplaces to open escrow accounts and settle funds which will increase friction and cost for the marketplaces, another one of our sources shared. 

    Positive steps introduced in the draft directions:

    Despite the various concerns presented in the draft directions, there are certain aspects of the draft directions that have seen a positive response as well. For instance, the source told us that purging of card-on-file data currently stored by entities other than card issuers and card networks was a positive step for the ecosystem. It reduces the security risks. 

    Similarly, the inclusion of physical point-of-sale PAs (PA–P) has also been seen as an expected step. Given the way online PAs were regulated, it was always expected that physical point-of-sale PAs would be brought in as well. Patel also expressed support for the inclusion of PA-Ps under the scope of regulation. “The lines between online transactions and offline transactions were clearly blurring and by bringing offline PAs under the same licensing norms [it] makes everything clearer and it will make things efficient in [the] future for sure,” he mentioned. 

    Ultimately what the RBI decides to keep in the final enforceable version of these directions remains to be seen. With today marking the last day upto which the regulator accepted comments on the directions, some of these concerns could be reflected in the responses received by RBI as well.

    Also read:

    STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!

    The post Here’s how RBI’s draft directions for Payment Aggregators would impact both payment providers and merchants appeared first on MEDIANAMA.

    Latest Posts

    - Advertisement -

    Don't Miss

    Stay in touch

    To be updated with all the latest news, offers and special announcements.