Faceless, Paperless, Cashless: Navigating the Indian Digital Payments Landscape

Everything is just a click away these days: skimming through various applications, one can indulge as per one’s choice and make payments at one’s fingertips! Gone are the days when online payments denoted online banking services only. One can see a paradigm shift in the modes of payment with the advent of Unified Payments Interface (UPI), mobile wallets, banking cards, mobile banking etc. It is no surprise that a social networking platform like WhatsApp is also incorporating payment options within the application that allow you to transfer money to other people with minimal effort. From a local kirana store to the biggest of the retail brands, everyone now prefers digital payment!

Behind this quick and smooth digital transfer of money is a complex set of events. In an online payment transaction, apart from the customer, there are various players involved: the seller (merchant), the customer’s bank/wallet account, the acquiring bank, the bank having the nodal account, IT and communication hardware/software, middleware, security systems, payment gateways and payment aggregators. The complexity doesn’t stop! The means opted for payment could be a credit card, debit card, bank account, wallet, UPI, etc. Depending on the mode of payment used, additional players like card networks, NPCI, banks offering net-banking services, banks/non-banks issuing wallets, etc. may become a part of the payment chain.

In this Article, we attempt to demystify these complex systems/mechanisms, highlight the regulatory intricacies and break down the contractual considerations for a consumer and seller (merchant).

SO HOW DID INDIA REACH HERE?

With e-commerce transactions skyrocketing, the adoption of digital payments by both buyers and sellers has become imperative. In 2015, the Government of India launched the Digital India Programme with a vision to transform India into a “Faceless, Paperless, Cashless” digitally empowered society and knowledge economy. The promotion of digital payments has been accorded the highest priority to bring every segment of our country under the formal fold of digital payment services. In fiscal year 2019, digital payments accounted for 769 percent of India’s GDP share. The high ratio in the measured time period is a result of increasing digitization across the country, which is likely to continue [1]. According to a report, digital payments in India are set to account for 71.7% of the total payments volume by 2025, leaving cash and cheques at 28.3% [2]. As per the National Payments Commission of India (NPCI), in October 2021, there were 261 banks active on UPI, generating a volume of 4,218.65 million transactions worth 7,71,444.98 crores.

STAKEHOLDERS IN A DIGITAL TRANSACTION

The Reserve Bank of India (“RBI”) is the apex body which acts as a whistle-blower and looks into all nuances of an online payment transaction. On August 27, 2021, the RBI imposed a monetary penalty of ₹3 crore on Transaction Analysts (India) Private Limited for contravention of/non-compliance with certain provisions of the directions issued by the RBI contained in the Master Direction on Issuance and Operation of PPIs in India and Master Direction – Know Your Customer (KYC) Direction [4]. The RBI also imposed a penalty of ₹1 crore on Paytm Payments Bank (PPBL) for violating provisions of the Payment and Settlement Systems Act, 2007. In a statement, the RBI said that PPBL was penalised on October 1 for an offence committed under Section 26(2) of the Act (as defined hereinafter). “On examination of PPBL’s application for issue of final Certificate of Authorisation (CoA), it was observed that PPBL had submitted information which did not reflect the factual position,” it said. Chapter 7 of the Payment and Settlement Systems Act, 2007 lists the offences and the corresponding penalties which the RBI has the authority to impose on defaulters.

Further, payments in the online space are facilitated by a number of intermediaries like the payment gateways and payment aggregators. In this Article we will be referring to the following stakeholders:

  • Payment Aggregator performs the merchant on-boarding process and receives/collects funds from the customers on behalf of the merchant in an escrow account.
  • Payment Gateways refers to the entities that provide technology infrastructure to route and/or facilitate the processing of online payment transactions by enabling ‘Hotlinks’ between the merchant, customer and the payment aggregator.
  • User/Customer refers to the individual/person making the payment on the merchant PoS (Point of Sale).
  • Merchant/ Merchant PoS refers to the recipient of the amounts of the transaction, wherein the transaction happens on the merchant’s PoS i.e. website/app.
  • Payment Instrument is a payment order or instruction sent by a customer, instructing to pay the merchant (e.g. credit cards, debit cards/PPIs, UPI, wallets, etc.).
  • Facility Providers are collectively referred to as the issuing banks, card associations, tech service providers of the banks etc.

REGULATORY LANDSCAPE

The Payment and Settlement Systems Act, 2007 (“Act”)

The scope of intermediaries is primarily governed by the Act, which provides for the regulation and supervision of payment systems in India and designates the RBI as the authority for that purpose and all related matters. Under the Act, two Regulations have been established, namely, the Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008 and the Payment and Settlement Systems Regulations, 2008 (“Regulations”). Both these Regulations came into force along with the Act. The Payment and Settlement Systems Regulations, 2008 cover the form of application for authorization for commencing/carrying on a payment system and grant of authorization, payment instructions and determination of standards of payment systems, furnishing of returns/documents/other information, furnishing of accounts and balance sheets by the system provider etc.

According to Section 4 of the Act, any person or system provider that desires to operate or commence a payment system has to apply for authorization from the RBI under the relevant section of the Act. Foreign entities are allowed to operate a payment system in India. To commence a payment system in India, it is necessary to obtain a licence or approval from the RBI, irrespective of being a domestic or foreign entity.

Master Directions on Prepaid Payment Instruments (“Master Directions”)

The RBI defines Prepaid payment instruments (PPI) as “instruments that facilitate purchase of goods and services, financial services, remittance facilities, etc., against the value stored therein”. As one can decipher, the RBI has sought to make the definition all-encompassing, and keeping in mind the same, PPIs constitute nearly all major methods of online payment like wallets, gift cards, debit cards, credit cards etc. For simplicity’s sake, PPIs are bifurcated into Small PPI (used only for purchase of goods and services) and Full KYC PPI (used for purchase of goods and services, funds transfer or cash withdrawal).

Further, as per the Master Directions, KYC compliant reloadable semi-closed and open system PPIs issued by banks having AD-I licence are permitted to be used in cross-border outward transactions (only for permissible current account transactions under FEMA viz. purchase of goods and services), subject to adherence to extant norms governing such transactions.

Guidelines on Regulation of Payment Aggregators and Payment Gateways (“Guidelines”)

The RBI, vide its circular dated March 17, 2020, has issued Guidelines [9] through which it has regularised the role of various intermediaries like payment aggregators, payment gateways, merchants, customers, and the flow of online transactions by providing technology-related recommendations. It is pertinent to note that the domestic leg of import and export related payments facilitated by payment aggregators is also governed by these Guidelines. Vide another circular dated March 31, 2021 (“Clarifications”) [10] issued in line with the Guidelines, the RBI clarified that the Guidelines are also applicable to e-commerce marketplaces that are undertaking direct payment aggregation, and to such extent e-commerce marketplaces availing the services of a payment aggregator will also be considered as merchants. These Guidelines are not applicable to ‘Delivery vs. Payment’ transactions, but transactions where the payment is made in advance while the goods are delivered in a deferred manner are covered under their scope. In addition, the Guidelines also provide a holistic mandate regarding capital and net-worth, escrow account management and governance.

After the issuance of the Clarifications, a slew of companies harbouring fintech ambitions approached the RBI to become licensed payment aggregators. In August, from Amazon to Zomato, a big crowd was at the RBI’s doors for a payment aggregator licence [11]. The Guidelines and the subsequent Clarifications make it mandatory for all payment aggregators/payment gateways to seek approval from the RBI to acquire and offer payment services to merchants. Additionally, merchants are not allowed to store payment data, irrespective of whether they are PCI-DSS compliant or otherwise. However, they are allowed to store limited data for the purpose of transaction tracking, for which the required limited information may be stored in compliance with the applicable standards.

Master Direction on Issuance and Operation of Prepaid Payment Instruments (“PPI Master Directions”)

These PPI Master Directions provide a framework for authorisation, regulation, and supervision of entities operating payment systems for issuance of PPIs and assist in fostering competition while taking into account safety and security of transactions as well as systems along with customer protection and convenience. These PPI Master Directions also help in harmonisation and interoperability of PPIs. Interoperability refers to the ability of customers to use a set of payment instruments seamlessly with other users within the segment based on adoption of common standards by all providers of these services so as to make them inter-operable.

Other Applicable Laws and Regulations

The Guidelines, Master Directions and PPI Master Directions explicitly state that Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) guidelines issued by the RBI, in their Master Direction – Know Your Customer (KYC) Directions updated from time to time, are also applicable mutatis mutandis to all entities.

PCI-DSS and PA-DSS

Both the Payment Application Data Security Standard (PA-DSS) and the Payment Card Industry Data Security Standard (PCI-DSS) refer to requirements set for companies to protect credit card information and to secure payment portals. PCI-DSS is applicable to all companies that store, process, or transmit cardholder data, whereas PA-DSS applies to vendors that produce and sell payment applications.

Processing of E-Mandate for recurring transactions (“Mandate”)

HDFC, the largest private bank in India, had posted the following message on its website: “Please note: Effective 1st Oct 2021, the Bank will NOT approve any Standing Instruction (e-Mandate for processing of recurring payments) given at Merchant Website / App, on HDFC Bank Credit card/Debit Card, unless it is as per RBI compliant process.”

In August 2019, the RBI issued a framework for processing of e-mandates on recurring online transactions. This was initially only relevant to cards and wallets; however, the Mandate now covers UPI transactions as well. As per the Mandate, automatic recurring payment is no longer applicable for various services, including recharges and utility bills, as the additional factor of authentication (AFA) has become mandatory from October 1, 2021. Based on the interest of customer convenience and safety in use of recurring online payments, the use of AFA during registration and first transaction (with relaxation for subsequent transactions up to a limit of ₹2,000, since enhanced to ₹5,000), as well as pre-transaction notification, facility to withdraw the mandate, etc.

CONTRACTUAL OVERVIEW

On-boarding of payment aggregators typically requires the merchant to execute a Payment Gateway Aggregator Agreement (“Agreement”). Specific care should be taken to clearly delineate the roles and responsibilities of the parties in relation to sorting/handling complaints, refunds/failed transactions, return policy, customer grievance redressal (including turnaround time for resolving queries), dispute resolution mechanism, reconciliation and chargebacks.

In this particular segment of the Article, we wish to encapsulate the important provisions of such Agreement(s) from the point of view of a merchant.

  • Contractual Relationship between the Parties: As mentioned previously, an online transaction works in harmony with various parties. Typically, a payment aggregator will try to ensure that contractually it distances itself, to the extent of isolating itself from the customers. A merchant is accordingly required to look into the construct of this clause and strategically define and limit its relationship with the relevant parties.
  • Confidentiality: It is important for both parties to safeguard the confidential information provided to each other. A merchant should ensure that the data is categorically segregated from merchant information.
  • Additional covenants: Generally, a payment aggregator will ensure that it is not held liable for any risks attached to the delivery of the products and services available via the merchant, technical glitches, loss of data etc. Additionally, a payment aggregator might also share data with third parties as per the requirement. It is imperative that the merchant allays any data mining risks and ensures that no merchant information or data is used as a cohort to target or re-target clients.
  • Connectivity and Integrity of Hotlink: The Agreement would generally state that it is the sole and independent responsibility of the merchant to complete the integration strictly as per the integration specifications provided by the payment aggregator. In such a scenario, it is essential to ensure that some of the responsibility is dissipated by making the merchant accountable only for issues with the Hotlink attributable solely to the merchant.
  • Reserves Amount: The merchant is required to provide the payment aggregator with a reserve of certain amounts to secure the performance of the merchant’s obligations, including for high chargeback risk, credit risk etc. This amount generally sits idle and thus the clause should be tactfully drafted.
  • Inspection: As per the Agreement, it is generally the responsibility of a merchant to compile and retain permanent records of all transactions and other data, and to reconcile all transaction information that is associated with its customers, which is subject to periodic audits and checks. With regard to this, a merchant should ensure that data retention is limited as per the requirement of applicable laws and that provision is made for a neutral third-party auditor.
  • Termination: At times, this could be a one-sided clause wherein a payment aggregator could attach various types of caveats with regard to termination of the services. A payment aggregator generally reserves the right: to disable the services if it observes a high volume of disputed transactions, chargebacks and escalations originating in relation to the transactions; to impose limits on the number of purchases and/or the value of purchases which may be made by a user during any time period; to refuse to make payments in respect of payments exceeding such limits with due notice and information to the client, etc. This is a wide set of powers conferred on a payment aggregator, and the clause should be worded tactfully in order to limit the termination events and not hold the merchant to ransom for the smallest of infractions.

While it is essential to look into the above-stated clauses, it is extremely crucial to examine Indemnity, Limitation of Liability and Chargeback & Refunds minutely.

  • Indemnity: With digital payment platforms booming, drafting and negotiating this clause is of extreme importance. Indemnity is one-sided, wherein only the merchant indemnifies the payment aggregator for breach of covenants, neglect and claims, including third party claims, and the payment aggregator/payment gateway is not liable to any third party or customer. A merchant should ensure that it asks for reciprocity in indemnity.
  • Limitation of Liability: The total aggregate liability of the payment aggregator usually does not exceed the fees charged or chargeable in respect of transactions facilitated during a month’s period prior to the date of claim. A merchant should seek a higher cap, subject to a certain set of caveats.
  • Chargeback & Refunds: Merchants are typically required to refund any transaction for which the user has put in a “Chargeback Request”. These refunds should always be subject to a pre-agreed mechanism, which most agreements omit or leave unclear. This is a very critical element of the Agreement and a holistic mechanism must be captured in the Agreement. This will not be a standard clause and will differ from transaction to transaction.

An agreement between the merchant and the payment aggregator is fundamental to the payment aggregator business. The payment aggregator’s business rests on a clear and understandable articulation of the legal basis of the activities being performed by the payment aggregator with respect to other participants in the payment system, such as a merchant and escrow banks.

EVOLVING ISSUES AND CHALLENGES

“RBI has the right to ensure financial data is not hacked and protect the data of the consumer but not the way they are trying to do by regulating merchants,” said Dr Aruna Sharma, Former Secretary, Government of India [16]. Though the RBI is trying to bring in a comprehensive PPI system to create an infrastructure around risk management and adequate customer redressal, the provisions of both the Guidelines and the Mandate which address data security and privacy concerns are making it challenging not only for payment aggregators and payment gateways, but also for merchants, small businesses, banks and various other stakeholders. The Guidelines make it difficult for merchants to address consumer grievances unless the banks and card networks provide them with a holistic redressal mechanism. Going forward, it will be a cumbersome process wherein a customer will be required to enter details manually for every transaction. The requirement for payment aggregators to ensure PCI-DSS and PA-DSS compliance of the infrastructure of merchants on-boarded by them may add to the compliance burden, and its widespread acceptance, particularly with respect to smaller merchants, is still a grey area yet to be ventured into. The Guidelines also place an obligation on payment aggregators to monitor the merchant to ensure that no counterfeit/fake/prohibited products are being sold to the customer, making the role of a payment aggregator an onerous one.

With non-bank entities entering retail payment businesses by providing direct services to merchants, the ability of non-bank entities to penetrate merchant on-boarding processes has far greater growth potential than the merchant on-boarding processes of traditional banks. This could lead to a lackadaisical approach being followed in putting agreements, merchant on-boarding policies and customer grievance redressal policies in place. It could also lead to a lack of quality assurance, and would require adequate background checks.

CONCLUSION

The digital marketspace is constantly evolving, and so are the mandates of the RBI. Due to constant modifications and amendments, there are various ambiguities that still need to be addressed. Overlaps in the scope of each intermediary, the several obligations imposed on merchants in the interest of security and risk mitigation, and the non-storage of consumer data could become roadblocks on the way to a digital economy. Keeping the complex nature of such transactions in mind, it is crucial to take the necessary care while drafting agreements, on-boarding policies and redressal mechanisms, to abide by global best practices and to meet the objective of the underlying regulation.

“Overregulation of security and e-commerce will leave room for only 3-4 big players who can comply. India often ends up killing big industry via over-regulation. The Indian government should learn from other countries and how they have regulated such companies in the digital payments space in a balanced manner and not do it like China. Retaining flexibility is important for India to grow,” said Montek Singh Ahluwalia, Former Chairman, Planning Commission of India.

About Author

Labanyendu Das

Laban is an Associate Partner at the Bhubaneswar offices of TMT Law Practice. He has spent around 7 years with Cyril Amarchand Mangaldas (Mumbai) and Khaitan & Co. (Mumbai) in the M&A, Corporate and Commercial practice group. Prior to TMT, Laban was a legal consultant to Disney+Hotstar (Mumbai). Laban specialises in general corporate advisory, foreign investments, not for profit advisory and joint ventures. He completed his LL.B. from NALSAR University of Law, Hyderabad and had a stint at SMU School of Law, Singapore. Laban is a member of the Bar Council of Maharashtra and Goa.

Shubhangi Agarwal

Shubhangi Agarwal is working as an Associate with TMT Law Practice, Mumbai. Graduated from ILS Law College, Pune in 2018, she has experience with multiple due diligence ranging across industries and also worked on transactional matters in the past involving joint ventures and M&A. She has even appeared before the Trademarks Office, Mumbai, and defended clients’ interest against the show-cause notices issued post the examination of the trademark applications. She has cleared several manuscripts (non-fiction) before publication. Her area of expertise primarily consists of working on corporate transactions involving drafting, reviewing and negotiating commercial contracts such as service agreements, non-disclosure agreements, privacy policy, terms & conditions, and employment agreements among others.