Payment Aggregator Compliance Under RBI Rules
The regulation of Payment Aggregators in India is based on the powers of the Reserve Bank of India under the Payment and Settlement Systems Act, 2007, which enables the central bank to supervise entities involved in payment processing and settlement. With the growth of digital commerce and fintech platforms, intermediaries began handling customer funds before transferring them to merchants, creating risks related to fund safety, delayed settlements, and consumer protection. To address these concerns, the RBI classified Payment Aggregators as payment system operators and introduced mandatory authorisation, operational controls, and oversight requirements.
The regulatory approach has now been consolidated into a single direction covering online, offline, and cross-border payment aggregation. This ensures that entities handling customer money follow strict standards relating to licensing, financial capacity, governance, data security, and cybersecurity. By imposing these obligations, the RBI aims to strengthen financial stability, protect consumers, and enhance trust and transparency in India’s rapidly expanding digital payments ecosystem.
In this article, CA Manish Mishra talks about Payment Aggregator Compliance Under RBI Rules.
Applicability of the PA Structure
The Payment Aggregator regulations apply to all entities that receive funds from customers and later settle those funds with merchants, irrespective of the mode of payment collection. This includes transactions carried out through websites, mobile applications, payment links, QR codes, and physical point-of-sale devices. The key determining factor is whether the entity handles customer money before transferring it to the merchant. If an entity assumes custody of funds even for a temporary period, it falls within the scope of a Payment Aggregator and must comply with RBI requirements.
Non-bank entities must obtain prior authorisation from the RBI before commencing such activities, whereas banks can undertake Payment Aggregator operations without separate approval but must follow the same operational, settlement, and risk management norms. E-commerce marketplaces that collect payments from customers and later remit them to sellers are also covered because they manage settlement funds. In contrast, technology service providers that only offer payment gateway infrastructure without handling funds are not treated as Payment Aggregators since they do not hold customer money.
Authorisation and Licensing Requirements
Obtaining RBI authorisation is a mandatory legal requirement for non-bank Payment Aggregators and forms the foundation of regulatory oversight. The application process requires submission of detailed information about the business model, payment flow, ownership structure, financial position, merchant onboarding procedures, and technology systems. The RBI evaluates whether the applicant has adequate safeguards for risk management, fraud detection, settlement processes, and data security before granting approval.
Only companies incorporated under the Companies Act, 2013 are eligible to apply, which ensures corporate governance and regulatory accountability. After obtaining authorisation, any significant change such as a merger, acquisition, or transfer of control requires prior RBI approval. This prevents unauthorised entities from gaining control over payment operations and ensures that only fit and proper management continues to operate the Payment Aggregator.
Capital and Net Worth Requirements
The RBI has prescribed minimum net worth thresholds to ensure that Payment Aggregators have sufficient financial strength to manage settlement obligations and operational risks. At the time of application, a non-bank Payment Aggregator must maintain a net worth of at least ₹15 crore, which must be increased to ₹25 crore within the specified period. This capital requirement acts as a financial buffer to protect merchants and customers in case of operational losses or settlement delays.
The net worth must be maintained continuously and cannot be reduced due to accumulated losses or accounting adjustments. If the Payment Aggregator fails to meet the prescribed financial threshold, the RBI may impose restrictions or suspend operations. These requirements ensure that only financially stable entities are allowed to handle customer funds and maintain confidence in the digital payment system.
Governance and Fit and Proper Criteria
The governance requirements for Payment Aggregators are designed to ensure accountability and strong internal control mechanisms. Promoters and directors must meet fit and proper standards, which include having a sound financial background, integrity, and a clean legal record. This ensures that individuals managing payment operations are trustworthy and capable of handling sensitive financial activities.
The Board of Directors is responsible for approving policies on risk management, merchant onboarding, cybersecurity, outsourcing, and grievance redressal. Independent audit and compliance functions must be established to monitor adherence to regulatory norms and internal policies. Regular review of these controls promotes transparency, strengthens operational discipline, and ensures that compliance is embedded at all levels of the organisation.
Merchant Onboarding and Due Diligence
Merchant onboarding is a critical control point for Payment Aggregators because they provide access to the payment system for businesses and are responsible for preventing misuse. A risk-based due diligence process must be followed, which includes verifying the legal status of the merchant, validating registration documents, confirming bank account ownership, and assessing the nature of goods or services offered. This helps ensure that prohibited, fraudulent, or high-risk entities do not gain access to digital payment channels. The onboarding process must be supported by proper documentation and internal approvals.
After onboarding, continuous monitoring of merchant transactions is required to ensure that the activity matches the declared business profile. Any unusual transaction pattern, sudden volume spike, or mismatch in business category must be flagged for review. High-risk merchants must be subject to enhanced due diligence and closer monitoring. A legally enforceable merchant agreement must clearly define settlement timelines, refund responsibilities, chargeback handling, and liability allocation to avoid operational disputes and ensure accountability.
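As an added illustration (not code from the article or from any RBI direction), the monitoring described above can be run over merchant transactions: each transaction is checked against the category declared at onboarding, daily volume is compared with a baseline, and high-risk merchants get a tighter threshold. The profiles, multipliers and transactions are constructed sample values.

```python
"""Added example: risk-based monitoring of merchant transactions after onboarding.
Thresholds, merchant profiles and transactions are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant_id: str
    amount: float          # INR
    category: str          # business category reported with the transaction
    day: int               # day index within the observation window


# Declared business profile captured at onboarding (constructed sample).
MERCHANT_PROFILES = {
    "M001": {"category": "grocery", "baseline_daily_volume": 50_000.0, "high_risk": False},
    "M002": {"category": "electronics", "baseline_daily_volume": 200_000.0, "high_risk": True},
}

SPIKE_MULTIPLIER = 3.0       # assumption: flag a day above 3x the declared baseline
HIGH_RISK_MULTIPLIER = 2.0   # assumption: enhanced due diligence uses a tighter bound


def review_merchants(txns, profiles):
    """Return a sorted list of (merchant_id, reason) alerts for manual review."""
    daily = defaultdict(float)
    alerts = set()
    for t in txns:
        profile = profiles.get(t.merchant_id)
        if profile is None:
            alerts.add((t.merchant_id, "unknown merchant"))   # never onboarded
            continue
        if t.category != profile["category"]:
            alerts.add((t.merchant_id, "category mismatch"))
        daily[(t.merchant_id, t.day)] += t.amount
    for (mid, day), volume in daily.items():
        profile = profiles[mid]
        mult = HIGH_RISK_MULTIPLIER if profile["high_risk"] else SPIKE_MULTIPLIER
        if volume > mult * profile["baseline_daily_volume"]:
            alerts.add((mid, f"volume spike on day {day}"))
    return sorted(alerts)


SAMPLE_TXNS = [                                  # constructed sample activity
    Txn("M001", 20_000, "grocery", 1),
    Txn("M001", 30_000, "grocery", 1),
    Txn("M001", 180_000, "grocery", 2),          # 3.6x baseline -> spike
    Txn("M002", 250_000, "electronics", 1),
    Txn("M002", 200_000, "electronics", 1),      # 2.25x baseline, high risk -> spike
    Txn("M002", 5_000, "gambling", 2),           # differs from declared category
    Txn("M999", 1_000, "grocery", 1),            # merchant not in the profile register
]

if __name__ == "__main__":
    for alert in review_merchants(SAMPLE_TXNS, MERCHANT_PROFILES):
        print(alert)
```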
Escrow Account and Settlement Compliance
Payment Aggregators must route all customer funds through a designated escrow account maintained with a scheduled commercial bank. This ensures that customer money is kept separate from the aggregator’s operational funds and is used only for settlement with merchants. The escrow arrangement provides transparency, creates a clear audit trail, and protects merchant funds in case of financial distress or operational failure of the Payment Aggregator.
Settlements must be completed within the prescribed timelines, and any delay must be recorded and justified. Proper reconciliation between bank records, escrow balances, and merchant settlements must be maintained. In cross-border transactions, domestic and international fund flows must be handled separately, and inward and outward transactions cannot be offset against each other. This ensures transparency and supports compliance with foreign exchange requirements.
Data Localisation and Storage Restrictions
Payment Aggregators are required to store all payment system data within India so that regulatory authorities have access when required and customer data remains protected under domestic jurisdiction. This includes transaction records, settlement data, and system logs. However, sensitive card information such as full card numbers and CVV details cannot be stored by the Payment Aggregator and must remain with authorised entities.
To protect payment information, strong encryption, tokenisation, and role-based access controls must be implemented. System access should be restricted to authorised personnel, and secure application programming interfaces must be used for data exchange. These measures reduce the risk of data breaches, unauthorised access, and misuse of financial information, thereby strengthening customer trust in digital payment systems.
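The storage restriction above can be enforced as a gate in front of the data store. The following is an added example, not the article's or any aggregator's code: it refuses records unless the storage region is India, rejects any record carrying a CVV, keeps only the last four digits of a card number next to a token reference, and scans free-text fields for card numbers that pass a Luhn check. Field names and the region code are assumptions.

```python
"""Added example: gate a transaction record before it is persisted.
Field names, the region check and the sample record are constructed assumptions."""
import re
from typing import Any, Dict

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed

# Fields a Payment Aggregator may retain; full PAN and CVV are never among them.
ALLOWED_FIELDS = {"txn_id", "merchant_id", "amount", "currency", "timestamp",
                  "card_token", "card_last4", "network", "status"}


class StorageViolation(ValueError):
    """Raised when a record must not be written as given."""


def _luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def prepare_for_storage(raw: Dict[str, Any], storage_region: str) -> Dict[str, Any]:
    """Return a record that is safe to persist, or raise StorageViolation."""
    if storage_region != "IN":
        raise StorageViolation(f"payment data must be stored in India, got {storage_region}")
    if "cvv" in raw or "cvv2" in raw:
        raise StorageViolation("CVV must never reach storage")
    record: Dict[str, Any] = {}
    for key, value in raw.items():
        if key == "pan":
            # Keep only the last four digits; the token itself comes from the
            # authorised tokenisation service, we only store its reference.
            if "card_token" not in raw:
                raise StorageViolation("full PAN present without a token reference")
            record["card_last4"] = re.sub(r"\D", "", str(value))[-4:]
            continue
        if key not in ALLOWED_FIELDS:
            raise StorageViolation(f"unexpected field {key!r}")
        if isinstance(value, str):   # free text must not smuggle a card number through
            for m in PAN_RE.finditer(value):
                if _luhn_ok(re.sub(r"\D", "", m.group())):
                    raise StorageViolation(f"card number found in field {key!r}")
        record[key] = value
    return record


def rejected(raw: Dict[str, Any], storage_region: str) -> bool:
    """True if prepare_for_storage refuses the record."""
    try:
        prepare_for_storage(raw, storage_region)
    except StorageViolation:
        return True
    return False


SAMPLE_OK = {  # constructed sample; 4111... is a well-known test card number
    "txn_id": "T-1", "merchant_id": "M001", "amount": 499.0, "currency": "INR",
    "pan": "4111 1111 1111 1111", "card_token": "tok_example", "status": "captured",
}
```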
Cybersecurity and Technology Compliance
Payment Aggregators must maintain a secure technology environment because they process high volumes of digital transactions. Multi-factor authentication, real-time fraud monitoring tools, and secure payment processing infrastructure must be implemented to detect and prevent unauthorised transactions. Regular vulnerability assessments and system testing are necessary to identify and address security gaps.
Annual system and cybersecurity audits must be conducted by qualified auditors, and any incidents such as data breaches or system failures must be promptly reported. Payment Aggregators must also maintain business continuity and disaster recovery plans to ensure uninterrupted operations during cyberattacks or technical disruptions. These controls help maintain system resilience, protect customer funds, and preserve the integrity of the digital payment ecosystem.
Customer Protection and Grievance Redressal
Customer protection is a core regulatory requirement for Payment Aggregators because they act as intermediaries between customers, merchants, and banks. Since customer funds pass through the Payment Aggregator before settlement, the entity is responsible for ensuring that transactions are processed securely, transparently, and within prescribed timelines. To achieve this, every Payment Aggregator must establish a formal grievance redressal mechanism and appoint a nodal officer who is accountable for handling customer complaints and coordinating with banks, card networks, and merchants to resolve issues.
Complaints relating to failed transactions, delayed settlements, unauthorised debits, duplicate payments, or refund delays must be acknowledged promptly and resolved within the timelines prescribed by the RBI. Customers must be kept informed about the status of their complaints through clear and timely communication, including expected resolution timelines. In cases of failed or disputed transactions, refunds must be processed as per the Turn Around Time norms, and proper audit trails must be maintained. A structured dispute resolution process, supported by defined responsibilities and escalation mechanisms, is essential to build customer trust and ensure accountability in digital payment operations.
Cross-Border Payment Aggregator Compliance
Payment Aggregators that handle international transactions are subject to stricter regulatory requirements because such transactions involve movement of foreign currency and cross-border fund transfers. In addition to RBI authorisation for Payment Aggregator activities, a separate approval is required for undertaking cross-border payment services. The entity must clearly specify whether it is facilitating export collections, import payments, or both, and must operate only within the permitted scope. These transactions must be processed through authorised dealer banks so that foreign exchange reporting, purpose code classification, and regulatory monitoring are properly maintained.
The Payment Aggregator must maintain detailed, transaction-level records containing information about the remitter, beneficiary, amount, currency, and purpose of the transaction. Domestic funds and cross-border funds must be kept strictly segregated, and they cannot be mixed in the same settlement flow. Additionally, inward and outward transactions cannot be netted against each other, as each payment must remain individually traceable for audit and regulatory verification. These controls ensure transparency, prevent misuse of payment channels for unauthorised remittances, and support compliance with India’s foreign exchange laws.
Outsourcing and Third-Party Risk Management
Payment Aggregators frequently engage third-party service providers for payment processing infrastructure, cloud hosting, fraud monitoring tools, customer support operations, and technology development. While the RBI permits outsourcing of these operational functions, it clearly mandates that the ultimate regulatory responsibility remains with the Payment Aggregator. This means that any failure, data breach, service disruption, or compliance lapse by the outsourced entity will be treated as a failure of the Payment Aggregator itself. Therefore, outsourcing cannot be used as a mechanism to dilute regulatory obligations.
Before onboarding any third-party vendor, the Payment Aggregator must conduct comprehensive due diligence covering the service provider’s financial position, technical capability, data security standards, regulatory track record, and business continuity arrangements. A formal outsourcing agreement must be executed, incorporating clauses on data confidentiality, information security, audit and inspection rights for the Payment Aggregator and the RBI, service level standards, incident reporting timelines, and disaster recovery mechanisms. Continuous monitoring of the vendor’s performance is required to ensure that outsourced activities do not compromise transaction security, customer data protection, or settlement integrity.
Recent Regulatory Developments
The RBI has strengthened the Payment Aggregator framework through the issuance of a consolidated Master Direction that brings all categories of aggregation under a unified regulatory regime. The regulator has introduced stricter timelines for merchant verification, enhanced monitoring of merchant activity, and risk-based digital payment authentication requirements. These developments reflect a shift towards a more supervisory and prudential approach to fintech regulation, ensuring that Payment Aggregators operate with the same level of discipline as traditional financial intermediaries.
Penalties and Enforcement
Non-compliance with RBI directions can result in serious regulatory consequences, including cancellation of authorisation, monetary penalties, restrictions on onboarding new merchants, and directions to cease operations. Since Payment Aggregators handle public funds, regulatory breaches may also trigger anti-money laundering investigations and supervisory action. The enforcement framework underscores the importance of maintaining robust compliance systems and governance structures.
Conclusion
The RBI’s regulatory framework for Payment Aggregators establishes a structured compliance environment to safeguard customer funds, promote transparency, and maintain stability in the digital payments ecosystem. By requiring mandatory authorisation, minimum net worth, escrow account mechanisms, data localisation, and strong cybersecurity controls, the RBI ensures that entities handling payment flows operate with financial discipline and technological resilience. The framework also places significant emphasis on merchant due diligence, governance standards, and customer grievance redressal to enhance trust and reduce systemic risks.
Further, the inclusion of foreign exchange compliance for cross-border transactions and continuous regulatory supervision has positioned Payment Aggregators as regulated financial intermediaries rather than mere technology providers. For fintech companies, meeting these compliance obligations is critical not only for obtaining and retaining RBI approval but also for ensuring lawful operations, protecting consumer interests, and achieving long-term sustainability in India’s rapidly expanding digital payments market.
Frequently Asked Questions (FAQs)
Q1. What is a Payment Aggregator under RBI regulations?
Ans. A Payment Aggregator is an entity that enables merchants to accept payments from customers by collecting funds through multiple payment instruments such as cards, UPI, net banking, and wallets, and settling those funds with merchants after processing. Since the aggregator handles customer funds before settlement, it is treated as a payment system operator and must comply with RBI licensing, escrow, and governance requirements.
Q2. Is RBI authorisation mandatory for Payment Aggregators?
Ans. Yes, RBI authorisation is mandatory for all non-bank Payment Aggregators. They must obtain a Certificate of Authorisation under the Payment and Settlement Systems Act, 2007 before commencing operations. Banks are permitted to offer PA services without separate authorisation but must comply with operational and security norms prescribed by the RBI.
Q3. Who is eligible to apply for a Payment Aggregator licence?
Ans. Only companies incorporated under the Companies Act, 2013 are eligible to apply for a Payment Aggregator licence. The applicant must have a robust governance framework, sound financial position, secure technology infrastructure, and a clear merchant onboarding process.
Q4. What are the minimum net worth requirements for Payment Aggregators?
Ans. Non-bank Payment Aggregators must have a minimum net worth of ₹15 crore at the time of application. This must be increased to ₹25 crore within the prescribed timeframe and maintained on an ongoing basis to ensure financial stability and settlement capability.
Q5. Are e-commerce marketplaces treated as Payment Aggregators?
Ans. Yes, e-commerce marketplaces that collect payments from customers and later transfer them to sellers are treated as Payment Aggregators because they handle settlement funds. However, platforms that only provide technology and do not handle funds are treated as payment gateways and are not required to obtain PA authorisation.
Q6. What is the escrow account requirement for Payment Aggregators?
Ans. Payment Aggregators must maintain an escrow account with a scheduled commercial bank to route customer funds. The escrow mechanism ensures that customer money is ring-fenced and not mixed with the aggregator’s own funds. This protects merchants and customers in case of operational or financial issues.
Q7. What are the merchant onboarding compliance requirements?
Ans. Payment Aggregators must conduct full KYC and due diligence of merchants before onboarding them. This includes verifying business registration, bank account details, and the nature of goods or services offered. A risk-based monitoring system must be implemented to track merchant transactions and detect suspicious activity.
Q8. Are Payment Aggregators required to follow data localisation rules?
Ans. Yes, all payment system data must be stored within India. Payment Aggregators are prohibited from storing sensitive card credentials and must implement tokenisation and secure authentication mechanisms in accordance with RBI guidelines.
Q9. What cybersecurity standards must Payment Aggregators follow?
Ans. Payment Aggregators must implement strong cybersecurity controls, including encryption, multi-factor authentication, fraud detection systems, and real-time transaction monitoring. Annual system and cybersecurity audits are mandatory, along with incident reporting and disaster recovery planning.
Q10. What are the settlement timelines for Payment Aggregators?
Ans. Funds collected from customers must be settled with merchants within the Turn Around Time prescribed by the RBI. Delays must be documented and reported, and Payment Aggregators must maintain a clear audit trail of all settlement transactions.
CA Manish Mishra