Synopsis : RBI mandates payment aggregators to stop storing card data from Aug 2025. Only issuers and networks can retain it. Non-banking entities must comply by July 31 or face closure. Amendments include merchant due diligence and marketplace fund regulations.
Payment aggregator firms will face new restrictions regarding the storage of card on file (COF) data, as per regulations set to take effect from August 1 of the following year. Under these regulations, only card issuers and recognized card networks like VISA, Mastercard, and banks will retain authorization to store COF data.
The Reserve Bank of India (RBI) is tightening regulations on payment aggregators, requiring non-banking entities to seek authorization and maintain a minimum net worth of INR 15 crore. Those unable to comply will be mandated to cease operations by July 31, 2025.
The RBI's draft circular emphasizes that, starting August 1, 2025, entities beyond card issuers and networks will be barred from storing COF data for face-to-face or proximity card transactions. Any previously stored data must be promptly purged, with entities allowed to retain only minimal transaction data for tracking and reconciliation purposes.
However, these regulations remain subject to stakeholder feedback before implementation.
Furthermore, the RBI specifies that payment aggregators must maintain a minimum net worth of INR 25 crore consistently. Payment aggregators facilitate transactions between customers and merchants, utilizing various payment methods such as debit and credit cards, UPI, and bank transfers. Prominent examples include Amazon Pay, Razorpay, Paytm, Cashfree, PhonePe, and GooglePay.
In terms of compliance, commercial banks offering physical payment aggregator services within their standard banking operations need not obtain separate authorization from the RBI. They must, however, adhere to the outlined instructions within three months of the circular's issuance.
Non-bank entities, however, must notify the RBI within two months of the circular's issuance. Additionally, authorized non-bank payment aggregators seeking to commence physical aggregator activities must obtain clearance from the Department of Payment and Settlement Systems (DPSS) and the RBI's central office.
These entities must maintain a net worth of INR 15 crore upon application submission and increase it to INR 25 crore by the end of the third financial year post-authorization, maintaining this level thereafter.
Non-compliant non-bank payment aggregators must cease operations by July 31, 2025.
Proposed amendments include requiring payment aggregators to conduct due diligence on onboarded merchants, ensuring that marketplaces onboarded by them only collect and settle funds for services offered through their platforms, and mandating registration with the Financial Intelligence Unit-India (FIU-India).
Existing payment aggregators must complete due diligence for all current merchants by September 30, 2025, in accordance with the revised directives.
Amendment to the current directions
Some current set of regulations have also been proposed to be amended. These include the following:
A. Payment aggregators will need to undertake due diligence of merchants onboarded by them.
B. They will have to ensure that marketplaces onboarded by them do not collect and settle funds for services not offered through their platform.
C. Moreover, non-bank PAs will ensure registering themselves with the financial intelligence unit-India (FIU-India).
D. The existing PAs will have to ensure that for all existing merchants the due diligence process is completed by Sept 30, 2025.
