Introduction
On 15 September 2025, the Reserve Bank of India (RBI) issued the Master Direction on Regulation of Payment Aggregators (PAs). This consolidated framework supersedes earlier circulars — the 2020 and 2021 guidelines on Payment Aggregators and Gateways, and the 2023 directions on Cross-Border Payment Aggregators.
The new Direction has been issued under the powers conferred by Section 18, read with Section 10(2) of the Payment and Settlement Systems Act, 2007, together with Section 10(4) and Section 11(1) of the Foreign Exchange Management Act, 1999. It harmonises regulations for online, physical and cross-border aggregation of payments, introducing a common compliance regime for banks, non-banks, authorised dealer (AD) banks and scheduled commercial banks.
Key Definitions
To understand the scope of the 2025 Master Direction, it is essential to first look at the definitions provided by the Reserve Bank of India. These definitions set the base for regulating Payment Aggregators (PAs) and Payment Gateways (PGs).
- A cash-on-delivery transaction is a merchant transaction in which banknotes or currency notes, being legal tender in India, are offered or tendered at the time of delivery of goods and services.
- Contact Point Verification (CPV) refers to the physical verification of the merchant’s address or place of business.
- E-commerce refers to the buying and selling of goods and services, including digital products, conducted over digital and electronic networks. For this definition, the term ‘digital and electronic network’ includes networks of computers, television channels, and other internet applications used in an automated manner, such as web pages, extranets and mobile platforms.
- An inward transaction refers to any transaction involving the inflow of foreign exchange, while an Outward transaction consists of the outflow of foreign exchange.
- A Marketplace is an e-commerce entity that provides an information technology platform on a digital or electronic network to facilitate transactions between buyers and sellers.
- A Merchant means an entity or marketplace that sells goods, provides services, or offers investment products. This also includes exporters and overseas sellers.
- Payment channel refers to the method or manner through which a payment instruction is initiated and processed in a payment system.
- A Payment Aggregator (PA) is an entity that facilitates the aggregation of payments made by customers to merchants through one or more payment channels, using the merchant’s interface (physical or virtual), to purchase goods, services, or investment instruments. Subsequently, it settles the collected funds to the merchant. The Directions categorise PAs into three types:
- PA–Physical (PA–P): Facilitates transactions where the acceptance device and payment instrument are physically present in proximity.
- PA–Cross Border (PA–CB): Facilitates aggregation of cross-border payments for current account transactions permissible under FEMA, through the e-commerce route. Two sub-categories exist under PA–CB: inward transactions and outward transactions.
- It is clarified that non-bank entities authorised as AD Category-II, and facilitating current account transactions not prohibited under FEMA (other than purchase or sale of goods or services), do not fall within the purview of PA–CB business.
- Similarly, a card transaction where the foreign exchange settlement is facilitated by a card network and the aggregator receives payment in local currency is not treated as PA–CB activity.
- PA–Online (PA–O): Facilitates transactions where the acceptance device and payment instrument are not present in proximity at the time of payment.
- A Payment Gateway (PG) is defined as an entity that provides the technology infrastructure to route and facilitate the payment transaction processing without handling funds.
Finally, terms such as Central KYC Records Registry (CKYCR), Officially Valid Document (OVD), equivalent e-document, digital KYC, and Video-based Customer Identification Procedure (V-CIP) carry the same meanings as set out in the RBI’s Master Direction on Know Your Customer (2016), as amended from time to time.
Authorisation For Payment Aggregator Business
The Master Direction distinguishes between banks and non-bank entities operating as a Payment Aggregator. Here are the differences between banks and non-banks operating as PAs:
- Banks do not require a separate authorisation from the RBI to provide PA services. Their existing powers and supervisory framework govern their activities.
- Non-bank entities, however, must seek explicit authorisation from the RBI under the Payment and Settlement Systems Act, 2007. Only companies incorporated under the Companies Act, 2013, are eligible to apply.
To operationalise this requirement, the RBI has mandated that all non-bank Payment Aggregators submit their applications through the designated portal. Those who fail to apply by 31 December 2025 must wind down their PA business operations by 28 February 2026.
Capital Requirements For Payment Aggregators
To ensure that only entities with sufficient monetary capacity operate as PAs, the RBI has imposed a phased capital requirement:
- At the time of application, a non-bank Payment Aggregator must demonstrate a minimum net worth of ₹15 crore.
- By the end of the third financial year from the date of authorisation, this net worth must rise to ₹25 crore.
For this purpose, net worth is calculated in line with the Companies Act and relevant accounting standards. Compulsorily convertible preference shares may be included, but deferred tax assets are specifically excluded.
Governance And Management
The RBI has raised governance standards for Payment Aggregators in line with their growing role in handling public funds. Every PA is expected to be professionally managed, with its promoters and directors meeting the central bank’s fit and proper criteria. This entails solid financial integrity, a reputation for honesty, and freedom from disqualifications such as insolvency or conviction.
RBI has also closed the door on ownership changes slipping through unnoticed. Any takeover or acquisition of control, whether direct or indirect, requires prior approval from the RBI. This ensures that entities entrusted with merchant and customer funds remain under the regulator’s watch even when corporate structures shift.
To embed accountability, Boards of Payment Aggregators must frame policies on risk management, information security, and customer protection. These policies must not be a one-time exercise but must be subject to periodic review.
Dispute Resolution Framework
The RBI has mandated a time-bound framework for dispute resolution and refunds, aligned with its earlier Turn Around Time (TAT) prescriptions for failed transactions.
Payment Aggregators must enter into legally enforceable agreements with merchants and acquiring banks. These contracts must clearly allocate responsibility for settlement, refunds, and handling of disputes, reducing ambiguity in the payments chain.
Equally important is transparency for customers. Refund policies must be disclosed upfront, so payers know how their funds will be handled in the event of a reversal. Each PA must also appoint a grievance redressal officer and provide an escalation matrix to track and resolve complaints efficiently.
Security, Fraud Prevention And Risk Management
Every Payment Aggregator must implement a comprehensive risk management framework, including fraud prevention, suspicious activity monitoring, and controls safeguarding customer information.
Compliance with internationally recognised standards is compulsory. Aggregators must adhere to Payment Card Industry – Data Security Standards (PCI-DSS) and Payment Application – Data Security Standards (PA-DSS) where relevant.
To verify adherence, Payment Aggregators must undergo an annual audit by a CERT-In empanelled auditor. This ensures independent validation of cybersecurity and system integrity. In addition, the Directions mandate compliance with RBI’s Cyber Resilience and Digital Payment Security Directions, 2024.
Data handling is another area where obligations are explicit. All payment system data must be stored in India, per the RBI’s 2018 data localisation circular.
General Directions For Payment Aggregators
RBI has laid down a series of general directions that shape day-to-day business conduct for Payment Aggregators:
- Contractual exclusivity: Aggregators may only facilitate payments for merchants with valid contracts. This ensures accountability and prevents misuse of aggregator platforms for unauthorised transactions.
- Marketplace restriction: PAs are prohibited from running their own marketplaces. This prevents conflicts of interest between operating as a payments intermediary and competing as a merchant platform.
- Merchant Discount Rate (MDR): PAs must comply fully with RBI’s prescriptions on MDR. Importantly, they are required to ensure that charges are transparently disclosed to merchants.
- Refund rules: Refunds must, by default, be processed back to the original payment method. The only exception is when the customer opts for an alternative account under the same ownership.
- Authentication norms: Using ATM PINs as an authentication factor is explicitly disallowed for card-not-present transactions.
Special Directions For Cross-Border Payment Aggregators
Entities facilitating payments for imports or exports via the e-commerce route must comply with additional safeguards to prevent misuse of outward remittances and to ensure alignment with FEMA.
Key provisions include:
- Segregation of funds: Aggregators must maintain separate accounts for inward and outward flows. Inward and outward remittances cannot be commingled.
- Transaction limits: Outward transactions are capped at ₹25 lakh per transaction. This ceiling prevents the misuse of aggregator channels for large-scale capital transfers.
- Banking arrangements: Only Authorised Dealer (AD) Category-I–banks can be used to maintain collection accounts for inward (InCA) and outward (OCA) flows. This ensures settlement happens only through banks with full foreign exchange authorisation.
- Settlement currency: Non-INR settlement is permitted only in cases where the merchant is an Indian exporter directly onboarded by the aggregator. For other cases, settlement must be in Indian Rupees.
- Regulatory reporting: Cross-border PAs must provide sufficient data to their AD banks for reporting into RBI’s Export Data Processing and Monitoring System (EDPMS) and Import Data Processing and Monitoring System (IDPMS).
KYC And Due Diligence
Merchant onboarding lies at the heart of the Directions. RBI has imposed obligations that are closely aligned with its broader KYC Master Directions:
- Complete due diligence: Aggregators must conduct comprehensive Customer Due Diligence (CDD) of all merchants, using officially valid documents, PAN, and other identifiers.
- Simplified process for small merchants: A streamlined onboarding process may be applied when a merchant’s annual domestic turnover does not exceed ₹40 lakh, or where export turnover does not exceed ₹5 lakh. This involves verifying PAN, conducting Contact Point Verification (CPV), and collecting an officially valid document (OVD).
- Background Verification and categorisation: Aggregators must validate the background of merchants, classify them under appropriate Merchant Category Codes (MCCs), and ensure that their names are accurately reflected in customer-facing transactions.
- Monitoring: Onboarding is not a one-time exercise. PAs are responsible for continuous monitoring of merchants, including watchlist screening, tracking changes in legal status, and observing for adverse media.
- Registration with FIU-IND: Non-bank aggregators must register with the Financial Intelligence Unit – India (FIU-IND) and adhere to reporting standards under the Prevention of Money Laundering Act.
- Legacy merchants: All existing merchants must comply with these requirements by 31 December 2025. Merchants not verified by then must be re-onboarded from 1 January 2026.
Escrow Accounts And Settlement Requirements
The Directions mandate that all non-bank Payment Aggregators maintain merchant funds in escrow accounts with Scheduled Commercial Banks. For cross-border activity, separate accounts are required: an Inward Collection Account (InCA) for receipts from overseas customers and an Outward Collection Account (OCA) for payments made by Indian customers to overseas merchants. Funds relating to inward and outward transactions must be kept segregated.
Settlement Framework
- Existing non-bank PAs must migrate to the escrow arrangement within two months of receiving RBI authorisation.
- Credits and debits to the escrow account are restricted to transactions permitted explicitly under the Directions, ensuring that merchant funds are not diverted for unrelated purposes.
- Interest may be earned only on the core portion of the escrow balance, calculated as the average of the lowest daily balances in each fortnight over the preceding 26 fortnights. This provision allows recognition of a stable minimum balance without enabling misuse of settlement float.
- Following separate arrangements, escrow accounts must not be used for cash-on-delivery (COD) transactions.
Certification And Reporting
- Quarterly: Payment Aggregators must obtain auditor certification confirming compliance with escrow guidelines.
- Annually, the auditor and the escrow bank must certify adherence to RBI requirements.
Compliance And Reporting Obligations
Payment Aggregators are subject to extensive compliance and reporting requirements under the Directions.
- Monthly: Aggregators must report transaction statistics to the Reserve Bank, covering volumes and values across different payment channels.
- Quarterly: They must obtain an auditor’s certificate confirming compliance with escrow account operations and a certificate from the bank maintaining the escrow account on credits and debits.
- Annual: Every aggregator must submit a net worth certificate, an information systems and cyber security audit report, and confirmation of compliance with the governance and operational provisions of the Directions.
- Event-based: Any change in promoters, directors, or key managerial personnel must be communicated to the Reserve Bank, supported by a declaration confirming compliance with the fit-and-proper criteria.
How Can AuthBridge Streamline Your Compliance Under RBI’s New Directions?
Meeting RBI’s new master directions requires both robust governance structures and scalable verification infrastructure. AuthBridge’s solutions are aligned to support entities in implementing these requirements:
- Merchant Onboarding And KYC/CDD
RBI requires full customer due diligence, including PAN, CKYCR, OVD checks, and Contact Point Verification for merchants. AuthBridge enables this through automated identity verification APIs, digital address verification, and V-CIP for high-risk profiles. - Ongoing Monitoring And Due Diligence
The Directions emphasise continuous monitoring of merchants, including adverse news screening and changes in legal status. AuthBridge provides automated monitoring tools and dynamic risk scoring, allowing compliance teams to act on early warning signals. - AML And FIU-IND Reporting
Non-bank aggregators must register with FIU-IND and comply with SAR/STR reporting. AuthBridge offers workflows that automate case detection and reporting, reducing the operational burden on compliance teams.
Governance And Fit-And-Proper Checks
RBI mandates promoters and directors to meet fit-and-proper criteria and requires risk management and customer protection policies. AuthBridge supports this with director background checks, conflict-of-interest screening, and governance-focused due diligence services.
