What RBI’s final directions mean for payment aggregators, users

These new regulations, which are effective immediately, establish stricter criteria for eligibility and net worth, set up a unified licensing and reporting and compliance framework for PAs, and also introduce stronger requirements for governance, cybersecurity, and the onboarding of both customers and merchants. The overall goal of the RBI master circular is to enhance the security and transparency of the fintech industry, aligning it with international standards. Mint explains:

Who is a payment aggregator?

A payment aggregator acts as a single window, helping businesses receive various types of customer payments. Let’s say a store accepts payments via UPI, credit cards and digital wallets. The payment aggregator collects all these payments, and transfers them to the store at one go. This simplifies the process for businesses, so they don’t have to deal with multiple banks or payment systems.

Payment aggregators come in three main types: (1) Physical (PA-P): Used for in-person payments, like swiping a credit card at a store. Both the card machine and the payment card are close together. (2) Online (PA-O): Used for online payments, such as buying something on a website, where payment and acceptance are at different locations (3) Cross-border (PA-CB): Handles international payments. This type is further divided into two sub-groups: those that handle money coming into the country (inward) and those that handle money going out (outward).

How are the new guidelines different?

The new framework has two major changes: One, aggregators of point of sale (PoS) devices, such as a card swipe machine, will need RBI approval—bringing them on par with online payment aggregators. Two, all aggregators must keep customer money in a separate account at scheduled banks, called an escrow account. For cross-border payments, they must use different accounts for money coming in versus money going out.

“Unlike earlier rules, there is now a clear prohibition on co-mingling, netting off, or using escrow for cash-on-delivery flows, with the ‘core portion’ interest mechanism strictly defined,” said Utkarsh Bhatnagar, partner, Cyril Amarchand Mangaldas.

The central bank had issued aggregator guidelines in 2020 and 2021, and for cross-border aggregators in 2023. In April 2024, it issued a draft circular combining these. The latest master circular comes after taking feedback from the payment industry.

Who needs to apply for a PA licence?

Except banks, everyone else. Any applicant regulated by another financial sector watchdog, such as Sebi or Irdai, must also secure a no-objection certificate from that regulator.

Aggregators already authorized for physical aggregation (PA-P) will require a revised authorization under new guidelines, or else they must wind up by February 2026. On the other hand, the norms have made it easier for existing aggregators who want to enter another PA category and can do so by simply informing the RBI 30 days in advance instead of applying for a new licence.

Before a company can get its final authorization from the RBI, it must prove it meets the required net worth, has its dedicated escrow accounts set up, and is registered with FIU-IND (Financial Intelligence Unit-India), said Cyril Amarchand Mangaldas’s Bhatnagar. “Additionally, new applicants, especially those that handle in-person payments, have until December 31, 2025, to apply, or they will have to shut down by February 2026.”

While the new regulations increase costs for companies—like needing more capital, and spending more on checks for customer identity (KYC), anti-money laundering (AML), and cybersecurity—they also create a single, clear set of rules for the entire industry. This reduces confusion and the “grey areas” that were common under the old, scattered guidelines, Bhatnagar said.

Any entity, who has applied for PA-O or PA-CB, must inform RBI about its existing PA-P business, if any, by 31 December.

What about capital?

A minimum net worth of ₹15 crore, to be raised to ₹25 crore by the end of the third financial year of granting authorization. The net worth should be continuously maintained.

What are the responsibilities of PAs?

Payment aggregators must thoroughly background-check merchants, and ensure the payments they receive match their business type. They must also ensure that money is sent only to the correct bank accounts of their partners. They must have mechanisms to ensure that funds due to a merchant are credited to its bank account only. The norms look to bring uniformity in KYC regulations for banks and non-banks. PAs must ensure that merchants signed up till 31 December comply with due diligence requirements within a year. From 1 January, merchants will need to be onboarded in accordance with the new due diligence requirements.

What about resolving disputes?

PAs must have dispute resolution mechanisms to handle disputes, including timelines for processing refunds. They must follow rules on turnaround time for resolving failed transactions, assigning proper reason codes, responding to chargeback and handling disputes raised against their onboarded merchants.

Also, agreements between a PA, merchants, acquiring banks, and other stakeholders must specify roles and responsibilities of the involved parties, covering manner of refunds, treatment of failed transactions, return policy, grievance redressal, reconciliation, among others.

PAs will also need to disclose comprehensive information regarding its merchant policies, privacy policy and other terms and conditions. They will need to appoint an officer responsible for responding to issues raised by its merchants along with an escalation matrix for grievance redressal, details of which will also need to be displayed on the website.

What about security?

Payment aggregators must have strong security in place to prevent and detect fraud. They need a board-approved security policy and must follow specific technology and data storage rules set by the RBI. This includes an annual system and cybersecurity audit to ensure safety.

Will retail customers benefit?

While following all instructions with regard to Merchant Discount Rate (MDR), PAs will need to ensure that any charges, other than the price of goods/service/investment charged by a merchant, are distinctly displayed to the payer prior to the transaction. PAs will not be allowed to limit the transaction amount for a particular payment mode–something that will be controlled entirely by the issuing bank or non-bank entity such as in the case of card transactions. Further, all refunds will automatically be made to the original method of payment, unless specifically otherwise instructed by the payer.

What are the specific directions for cross-border PAs?

Funds related to inward and outward transactions will need to be kept separate with no mixing of funds or netting-off for outward and inward transactions. All such transactions will need to identified as cross-border transactions.

The RBI has capped the value of each transaction processed by a PA-CB at ₹25 lakh while mandating that a PA-CB may not purchase foreign currency from, or sell it to, any entity other an authorised dealer. Outward transactions can be carried out using any payment instrument except small prepaid payment instrument (PPI).

Further, settlement in non-rupee currencies shall be permitted only for those merchants (Indian exporters) which have been directly onboarded by the PA–CB facilitating inward transactions, the central bank said.