The Reserve Bank of India (RBI) recently sought stakeholders’ views on the need for direct regulatory oversight relating to activities of payment gateways – intermediaries that facilitate and accept customer payments on behalf of merchants without handling the funds. The RBI has been indirectly regulating intermediaries since 2009 and has acknowledged that such regulation has withstood the test of time, with no major complaints or governance issues so far that impact customer sentiment.
However, the need for direct regulations has been emphasised to improve customer confidence and experience, given the rapid technological changes in the operations of payment systems in the last decade. That said, it is critical to consider if the role of payment gateways has substantially changed and whether imposing substantial direct legal obligations on intermediaries would encourage or have an adverse effect on the ecosystem surrounding the digital world we find ourselves in today. This article seeks to explore these aspects.
The role of gateways
The primary role of a payment gateway is to provide technological support to banks/merchants for processing online transactions and to facilitate their reconciliation. Most users are unaware of the intermediary’s identity, as it just provides back-end support and customers’ actual interaction online is with the bank or merchant. Naturally, a customer would, therefore, first approach the bank or merchant for any recourse in case of a grievance. Typically, the intermediary would have private contractual arrangements with the bank/merchant.
Therefore, apart from direct access to the bank/merchant, customers also have access to the intermediary through their banks/merchants who have recourse towards intermediaries pursuant to their respective contractual arrangements. Chances of customer complaints remaining unresolved or customers losing confidence in the payment ecosystem as a result of an intermediary default are thus quite negligible. For timely resolution of complaints and to have clarity on the roles and responsibilities, imposing certain timelines on intermediaries for implementation through their board approved policies and requiring intermediaries to mandatorily include certain provisions in their contracts with banks/merchants may be palatable.
However, asking intermediaries to provide, among others, comprehensive disclosures publicly regarding their merchant policies and pricing might be an overreach given that such information may not be very relevant for customers transacting online with their choice of bank/merchant. If such costs are already factored in the charges levied by the bank or merchant on customers, they can consider the pricing while choosing the bank or merchant. Such disclosure requirements may not only demean the sanctity of the private contractual relationships between an intermediary and the banks/merchants but would also impose an additional compliance burden on them, which would yield limited additional comfort to the customer, but on the other hand restrict the “ease of doing business” for the intermediary.
Steep net-worth criterion
India is a rapidly developing economy and it is necessary to encourage domestic as well as international participation for its brighter future. In that context, the net-worth criterion of Rs 100 crore seems steep for upcoming domestic technology companies trying to establish presence in the e-commerce space while supporting the Indian payment systems initiative. To maintain a level playing field, a lower net-worth criterion could be considered with emphasis on professional, ‘fit and proper’ governance.
As far as data privacy issues are concerned, the intermediary does have access to customer data and should be responsible for safeguarding and storing data confidentially with a facility for providing access to regulators, if required, or reporting at timely intervals. However, imposing KYC directions mutatis mutandis on an intermediary, requiring it to conduct extensive KYC of customers seems to be shifting the bank’s/merchant’s primary responsibility on the intermediary. Also, if such KYC is to be done by intermediaries via the merchants, the latter may find it undesirable to provide access to their sensitive information/ data regarding their internet traffic, digital footprint to an intermediary whose limited role is to process transactions consummated on the merchant’s website.
As intermediaries are dependent on technology for their business, in our view, it’s only fair that there are appropriate compliance procedures and highest quality standards to ensure IT (information technology) security, information governance along with risk management in connection with data breaches; and, to that end, the security recommendations of the RBI are laudable.
After carefully weighing in, it seems that going slow and steady can indeed win us the race. Rather than the proverbial big brother attitude with full regulatory oversight, having limited and phased regulation (being one of the options envisaged by the RBI), could help RBI monitor and fill regulatory gaps from time to time and achieve its vision of empowering an exceptional e-payment experience for the Indian customer. At the same time, this would also auger well for business sentiment in India as well as for foreign investors and technology providers who view India as a very favourable market for payment processing.(The writers are respectively Partner and Senior Associate at J. Sagar Associates.
Views expressed are personal)