1. Payment and Settlement Systems Act 2007
The Payment and Settlement Systems Act 2007 (PSS Act) provides the legal framework for regulation and supervision of payment systems in India. It vests RBI with comprehensive powers to regulate payment systems.
1.1 Key Definitions
- Payment System: A system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them
- System Provider: A person who operates an authorized payment system
- System Participant: A bank or any other person participating in a payment system
1.2 RBI's Powers Under PSS Act
- Authorize operation of payment systems (Section 4)
- Prescribe standards for payment systems (Section 10)
- Issue directions to system providers (Section 18)
- Revoke authorization (Section 8)
- Impose penalties for violations (Section 26)
Authorization Requirement
No person other than RBI can commence or operate a payment system in India without prior authorization. Operating without authorization is punishable with imprisonment up to 3 years, or fine up to Rs. 10 lakhs, or both.
2. Payment Aggregators & Payment Gateways
2.1 Payment Aggregators (PA)
Payment Aggregators are entities that facilitate e-commerce transactions by pooling and aggregating merchant payments:
| Requirement | Details |
|---|---|
| Authorization | Mandatory from RBI under PSS Act |
| Net Worth | Rs. 15 crore (existing), Rs. 25 crore by March 2024 |
| Entity Type | Company incorporated in India |
| Escrow Account | Mandatory with scheduled commercial bank |
| Settlement Timeline | T+1 business day to merchants |
2.2 Payment Gateways (PG)
Payment Gateways provide technology infrastructure for payment processing without handling funds. Key distinctions:
- Do not handle settlement of funds
- Provide only technology routing services
- Not required to obtain PA authorization
- Must comply with data security standards (PCI-DSS)
PA vs PG: Critical Distinction
Payment Aggregator: Receives funds from customers, holds them temporarily, then transfers to merchants. Requires RBI authorization.
Payment Gateway: Only routes payment instructions between parties. Funds flow directly from customer's bank to merchant's bank. No authorization required but must follow technical standards.
Many entities incorrectly classified themselves as PGs to avoid PA regulations. RBI has clarified that the test is whether the entity "handles funds" at any stage.
3. Unified Payments Interface (UPI)
UPI is India's flagship real-time payment system operated by NPCI (National Payments Corporation of India). It has revolutionized digital payments in India.
3.1 UPI Architecture
- NPCI: Central infrastructure provider, rule maker
- Remitter Bank: Bank from which funds are debited
- Beneficiary Bank: Bank to which funds are credited
- PSP (Payment Service Provider): Provides UPI app to customers
- TPAP (Third Party Application Provider): Provides user interface, partners with PSP
3.2 UPI Participation Requirements
| Participant Type | Requirements |
|---|---|
| PSP Bank | Schedule commercial bank, NPCI membership |
| TPAP | Agreement with PSP bank, compliance with NPCI guidelines |
| Merchant | QR code from acquiring bank/aggregator |
3.3 UPI Lite
UPI Lite is an on-device wallet feature enabling small-value offline transactions:
- Maximum balance: Rs. 2,000
- Per transaction limit: Rs. 500
- Total daily limit: Rs. 4,000
- No UPI PIN required for payments
- Works offline using NFC or QR
UPI Market Share Regulations
NPCI proposed a 30% market share cap for TPAPs to prevent concentration risk. Implementation has been deferred multiple times. Currently, Google Pay and PhonePe together control over 80% of UPI transactions.
4. Prepaid Payment Instruments (PPIs)
PPIs are instruments that facilitate purchase of goods and services against stored value. They include mobile wallets, gift cards, and prepaid cards.
4.1 Categories of PPIs
| Category | Description | Limits |
|---|---|---|
| Small PPIs | Minimum KYC, limited functionality | Rs. 10,000 outstanding, Rs. 10,000/month |
| Full-KYC PPIs | Full KYC completed | Rs. 2 lakh outstanding |
| Gift PPIs | Issued as gift cards | Rs. 10,000 per card |
4.2 PPI Issuer Requirements
- Banks: Can issue PPIs without separate authorization
- Non-Banks: Require RBI authorization under PSS Act
- Net Worth: Rs. 15 crore (non-bank issuers)
- Escrow: Mandatory escrow equal to outstanding PPI balance
4.3 Key Compliance Requirements
- Interoperability: Full-KYC PPIs must be interoperable (UPI, card network)
- Cash Withdrawal: Permitted up to Rs. 2,000/month for interoperable PPIs
- Fund Transfer: Permitted to bank accounts from full-KYC PPIs
- Expiry: Minimum 1 year validity, amounts to be refunded
- Grievance Redressal: Mechanism for customer complaints mandatory
5. Cross-Border Payments
5.1 RBI Framework for Cross-Border Payments
RBI has enabled authorized entities to facilitate cross-border payments:
- Export/Import: Through authorized AD banks
- Online Export: Payment Aggregators can handle export payments up to USD 15,000
- Remittances: Through authorized money transfer services
5.2 UPI for Cross-Border
NPCI International has enabled UPI in several countries through linkages:
- Singapore (PayNow-UPI linkage)
- UAE, France, UK (QR-based acceptance)
- Bhutan, Nepal (bilateral arrangements)
PA-Cross Border Guidelines
RBI's 2023 guidelines for Payment Aggregators in cross-border transactions:
- Export of goods/services: Authorized PAs can handle settlements
- Import payments: Only through AD banks (PAs cannot directly settle)
- KYC: Merchant due diligence mandatory
- Reporting: Transaction-wise reporting to RBI
- Purpose Code: Correct code mandatory for forex transactions
6. Payment System Compliance Checklist
- Determine if activity requires RBI authorization
- Apply for authorization through DAKSH portal
- Maintain required net worth and escrow accounts
- Implement PCI-DSS compliant infrastructure
- Establish merchant onboarding and KYC procedures
- Ensure settlement within T+1 timelines
- File regulatory returns and reports
- Maintain customer grievance redressal mechanism
- Comply with data localization requirements
- Conduct annual security audits