Payment Gateways & Payment Aggregator Guidelines
Payment gateways and payment aggregators are central to the functioning of India’s rapidly expanding digital payments ecosystem. They enable seamless online transactions for businesses, consumers, and digital platforms by facilitating electronic fund transfers across banks, cards, wallets, and other payment instruments. Although these terms are often used interchangeably in commercial conversations, they perform distinct functions and are governed by different legal and regulatory expectations. The role an entity plays, whether limited to technological routing or extending to merchant onboarding and fund settlement, determines the level of regulatory scrutiny and compliance obligations applicable to it.
As digital commerce and fintech innovation accelerate, regulators have intensified oversight to safeguard consumer interests, ensure systemic stability, and maintain transparency in fund flows. Payment businesses are now expected to operate with strong governance, robust security frameworks, and clearly documented processes. Understanding the legal distinction between payment gateways and payment aggregators, along with the compliance framework governing each, is therefore essential for fintech companies, startups, marketplaces, and enterprises operating in India’s payments space.
In this article, CA Manish Mishra talks about Payment Gateways & Payment Aggregator Guidelines.
Difference Between Payment Gateways and Payment Aggregators
Payment Gateway – Technology Enablement Role
A payment gateway acts as a secure technology interface that facilitates communication between customers, merchants, banks, and card networks. It enables transaction authorisation, encryption, and routing but does not typically handle or hold funds. Since gateways do not aggregate or settle funds, their regulatory exposure depends on whether their business model expands into fund handling or merchant onboarding.
Payment Aggregator – Fund Handling Role
A payment aggregator onboards merchants, accepts payments on their behalf, aggregates funds, and settles them to merchants after deducting charges. Because payment aggregators directly handle customer funds, regulators subject them to stricter legal and compliance requirements. This includes authorisation, escrow arrangements, merchant due diligence, settlement discipline, and continuous supervision.
Legal Framework Governing Payment Aggregators
Payment and Settlement Systems Law
Any entity operating a payment system that involves the collection, pooling, or settlement of funds is governed by payment and settlement laws. These laws require such entities to obtain prior regulatory authorisation before commencing operations. The regulator is empowered to issue binding directions, impose operating conditions, and conduct inspections to ensure system integrity and consumer protection. Payment aggregators fall squarely within this framework because they directly handle customer funds and manage settlement flows between customers and merchants.
RBI Master Directions for Payment Aggregators
The regulatory framework issued by the central bank provides a comprehensive compliance structure for payment aggregators. It prescribes eligibility norms, governance and ownership requirements, minimum capital thresholds, merchant onboarding standards, settlement mechanisms, escrow arrangements, technology and cybersecurity benchmarks, and periodic reporting obligations. The framework also recognises that cross-border payment aggregation carries additional risks and therefore applies distinct compliance expectations for domestic and international transactions.
Authorisation and Eligibility Requirements
When Authorisation Is Mandatory
Regulatory authorisation becomes mandatory when an entity aggregates customer funds and settles them to merchants. Even fintech companies that begin as technology service providers may trigger authorisation requirements if their operational role expands to include merchant onboarding, fund handling, or settlement management. Business models must therefore be assessed continuously to ensure regulatory alignment as products evolve.
Governance and Ownership Expectations
Payment aggregators are expected to operate with strong governance structures, including fit-and-proper management, transparent shareholding, and effective board oversight. These requirements are designed to ensure accountability, reduce systemic risk, and strengthen operational resilience. Regulators view governance quality as a key indicator of long-term compliance capability.
Merchant Onboarding and Due Diligence
KYC and Background Verification
Payment aggregators must conduct thorough due diligence before onboarding merchants. This includes identity verification, assessment of business legitimacy, risk categorisation, and verification of ownership structures. All onboarding processes must be properly documented, auditable, and periodically reviewed to prevent misuse of the payment system for unlawful or high-risk activities.
Ongoing Monitoring
Compliance obligations extend beyond initial onboarding. Aggregators are required to continuously monitor merchant transactions, behaviour patterns, and customer complaints. Any suspicious or abnormal activity must be promptly investigated and addressed to mitigate fraud, regulatory exposure, and reputational risk.
Settlement, Escrow, and Fund Flow Controls
Escrow Account Structure
Non-bank payment aggregators must maintain a dedicated escrow account with a scheduled commercial bank for holding customer funds. This structure ensures complete segregation between platform-owned funds and merchant or customer money, thereby protecting stakeholders and enhancing audit transparency.
Permitted Credits and Debits
Escrow accounts are subject to strict operational controls. Only authorised credits and debits linked to payment settlement activities are permitted. These restrictions prevent misuse of funds and ensure that all transactions remain traceable and compliant with regulatory expectations.
Settlement Timelines
Regulators prescribe defined settlement timelines to safeguard merchant liquidity and customer interests. Delays, misuse, or diversion of settlement funds are treated as serious compliance breaches and may result in supervisory action or penalties.
Cross-Border Payment Aggregation
Separate Treatment for International Transactions
Cross-border payment aggregation is subject to enhanced regulatory oversight due to foreign exchange and jurisdictional risks. Regulators require separate operational processes, reporting structures, and settlement controls for inbound and outbound international transactions to ensure compliance with foreign exchange regulations.
Transaction Limits and Currency Controls
Regulatory frameworks impose transaction value limits and require all foreign exchange conversions to be routed through authorised banking channels. Payment aggregators must strictly comply with these requirements to avoid violations of foreign exchange laws and reporting obligations.
Technology, Cybersecurity, and Data Protection
Information Security Governance
Payment entities must maintain board-approved information security policies covering system access, encryption, monitoring, and incident response. Cybersecurity failures are increasingly viewed as governance failures, making senior management and boards accountable for system resilience.
Data Privacy and Consent
Payment systems process large volumes of sensitive personal and financial data. Entities must ensure lawful data processing, obtain informed consent, restrict access, and securely store data. Data protection compliance is now treated as a core regulatory responsibility rather than a peripheral obligation.
Audit Trails and System Logs
Payment platforms must maintain detailed system logs capturing transaction flows, access events, modifications, and settlement actions. These audit trails support regulatory inspections, internal audits, and forensic investigations.
Consumer Protection and Grievance Redressal
Transparent Disclosures
Payment aggregators are required to clearly disclose charges, refund terms, settlement timelines, and complaint-handling processes. Misleading disclosures or hidden fees can attract regulatory penalties and reputational damage.
Grievance Handling Mechanisms
A robust grievance redressal mechanism is mandatory. Complaints must be addressed within prescribed timelines, and escalation channels must be clearly communicated to customers and merchants. Effective grievance handling is a key indicator of compliance maturity.
Recent Regulatory Developments
Strengthened Merchant Due Diligence
Recent regulatory updates have tightened merchant onboarding standards, requiring more structured documentation, enhanced risk assessment, and continuous monitoring. While transitional timelines have been provided, all new onboardings must comply immediately.
Enhanced Focus on Data Protection
Evolving data protection laws require payment businesses to embed privacy and security into system design. Breach preparedness, vendor governance, and data minimisation have become essential compliance components.
Increased Supervisory Enforcement
Regulatory authorities have adopted a stricter enforcement approach, emphasising that authorisation is not a one-time approval but subject to continuous compliance and supervision.
Conclusion
Payment gateways and payment aggregators play an important role in supporting India’s rapidly growing digital payment ecosystem, but their legal and compliance responsibilities vary significantly depending on their involvement in fund handling. While payment gateways primarily act as technology facilitators, payment aggregators directly manage customer funds and merchant settlements, placing them under a much stricter regulatory framework. This framework emphasises strong governance, rigorous merchant due diligence, segregation of funds through escrow mechanisms, consumer protection, and robust technology and security controls to ensure system integrity and financial stability.
As regulatory expectations continue to evolve, compliance can no longer be treated as a backend or reactive function. Payment aggregators must embed regulatory requirements into everyday operations, system design, and decision-making processes. Platforms that prioritise transparency, maintain audit-ready records, and align business models with regulatory intent are better positioned to scale responsibly, retain regulator confidence, and achieve long-term sustainability in India’s digital payments ecosystem.
Frequently Asked Questions (FAQs)
Q1. Are payment gateways and payment aggregators regulated in the same manner?
Ans. No, they are regulated differently based on their functional role. Payment gateways that only provide technology for routing transactions face limited regulatory obligations. In contrast, payment aggregators that onboard merchants, collect funds, and handle settlements are subject to comprehensive regulatory oversight, as they directly impact fund flows, consumer protection, and financial system stability.
Q2. Is regulatory authorisation mandatory for all payment businesses?
Ans. Regulatory authorisation is mandatory only for entities that aggregate customer funds and settle them to merchants. Technology-only service providers may not require authorisation initially. However, if their role expands to include merchant onboarding, fund collection, or settlement control, regulatory approval becomes mandatory, and operating without it can result in enforcement action.
Q3. Why are escrow accounts mandatory for payment aggregators?
Ans. Escrow accounts are mandatory to ensure strict segregation of customer and merchant funds from the payment aggregator’s own operational funds. This protects stakeholders from misuse or diversion of money, ensures transparent settlement, and provides a clear audit trail. Escrow structures also reduce systemic risk and enhance regulatory confidence in fund handling practices.
Q4. What are the key compliance risks for payment aggregators?
Ans. Key compliance risks include inadequate merchant due diligence, commingling or misuse of funds, weak cybersecurity controls, delayed settlements, and insufficient documentation. These risks can lead to consumer harm, regulatory penalties, suspension of operations, and reputational damage. Regulators closely scrutinise these areas during audits and supervisory inspections.
Q5. How do regulators treat cross-border payment aggregation?
Ans. Cross-border payment aggregation attracts heightened regulatory scrutiny due to foreign exchange exposure and jurisdictional risks. Regulators require separate operational processes, settlement controls, and reporting mechanisms for international transactions. Strict adherence to foreign exchange laws, transaction limits, and authorised banking channels is essential to avoid violations and enforcement action.
Q6. What role does cybersecurity play in payment compliance?
Ans. Cybersecurity is treated as a governance responsibility rather than a technical function. Weak security controls can expose customers to fraud, data breaches, and financial loss. Regulators hold boards and senior management accountable for cybersecurity preparedness, incident response, and system resilience, making it a critical pillar of payment compliance.
Q7. Are payment aggregators responsible for merchant misconduct?
Ans. Yes, payment aggregators are expected to monitor merchant activities and take corrective action when misconduct or misuse is detected. Regulators view aggregators as gatekeepers of the payment ecosystem. Failure to detect or address merchant violations can result in penalties, restrictions, or enhanced supervisory action against the aggregator.
Q8. How important is auditability in payment operations?
Ans. Auditability is extremely important because regulators rely on system logs, transaction records, and evidence trails to assess compliance. Payment entities must demonstrate clear documentation of onboarding, settlements, refunds, and data access. Poor auditability can hinder investigations, weaken regulatory trust, and expose entities to compliance findings.
Q9. Can fintech startups operate payment aggregation without compliance expertise?
Ans. Operating payment aggregation without compliance expertise significantly increases regulatory risk. Payment businesses function in a highly regulated environment requiring continuous monitoring, documentation, and legal interpretation. Without structured compliance frameworks and professional oversight, startups risk violations that can lead to penalties, licence restrictions, or business disruption.
Q10. What is the future focus of payment regulation in India?
Ans. The future focus of payment regulation is on consumer protection, data security, strong governance, and sustainable compliance-led innovation. Regulators are moving away from tolerating rapid, unchecked growth and instead emphasise transparency, accountability, and resilience. Payment entities must align innovation with regulatory intent to succeed long term.
CA Manish Mishra