Why RBI is Reviewing the Business of Payment Aggregators

Padmini Das
Sep 30, 2022

In August 2020, Juspay, a payment aggregator startup, suffered an unidentified data breach exposing the payment information related to nearly 35 million user accounts. Most of the data ended up being on sale on the dark web.

In January 2021, another fintech company called Chqbook faced a similar ordeal, with more than 67 GB of sensitive user data being leaked. A team of cyber researchers who investigated the leak later confirmed that Chqbook’s entire database was unprotected and unencrypted.

In fact, below is a list of cyber-attacks on fintech firms in India. The fact that there are several names on the list goes to show just how vulnerable their digital infrastructure is.

[Image: Fintech companies (list of cyber-attacks on fintech firms in India)]

And, let’s not forget that these are companies whose businesses are built entirely on the superiority and finesse of the same infrastructure.

While Indian startups are no stranger to cyber-attacks, the growing number of data breaches into the systems of companies which operate in the payments sector has been a cause of concern. Not only does it jeopardise the data security of citizens by leading to troves of user-sensitive data ending up in the wrong hands, it also erodes faith in the payments infrastructure in a country where more and more people are being integrated into the digital finance ecosystem every day.

But while data breaches are caused by fringe elements and draw a substantial amount of regulatory bandwidth, there are other kinds of compromises in user data security that often go unnoticed. Recently, the Reserve Bank of India decided to review the entire business models of payment aggregator companies.

Why? Because the RBI suspects that these companies are deliberately sharing financial data with a profit-making intent.

Profit-Making How?

First of all, one needs to understand what it is that payment aggregators (hereinafter referred to as PAs) do. These are companies which provide technological infrastructure to facilitate the processing of online payment transactions.

Now, in India, there are chiefly two categories of PAs: bank PAs and third-party PAs. Bank PAs usually have high set-up costs and their features aren’t very comprehensive. They are also hard and expensive for small and medium-scale enterprises to opt for when they wish to integrate digital payment features as merchants.

Alternatively, third-party PAs are quite user-friendly, come with seamless features and have reliable customer support. These have capitalised well on the explosive growth of e-commerce transactions and online banking in India over the past decade. There is also a sub-class called payment gateways (or PGs) which focus exclusively on the processing side of payment while leaving the customer onboarding and merchant integration side of things to PAs.

For instance, Google Pay is a PA which allows you to set up your digital payment account by setting up UPI IDs and KYC, whereas Razorpay is a PG which assists with processing the transactions that take place through these UPI IDs.

How Does One Become a PA/PG?

As per RBI norms, to obtain a PA licence, a company must reach and maintain a specific amount of net worth. This limit is set at ₹25cr ($3.2m) by March 31st 2023. Until then, PAs can operate by seeking an authorisation from the Department of Payment and Settlement Systems.

PGs, on the other hand, operate on a slightly different regulatory line. They are essentially called “outsourcing partners” or “technological providers” for banks and non-banking financial institutions (NBFCs). As a result, they are exempt from net worth maintenance requirements (as mandated for PAs). Instead, they are required to follow the RBI’s framework on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks.

This basically states that a company can operate as a PG as long as its board establishes “organisational processes and policies pertaining to information security”.

Why this disparity? It’s because of one tiny detail that separates PAs from PGs. PAs handle funds as a part of their activities which indirectly means that they have access to customer payments data. PGs, however, are simply technology providers which facilitate the processing of an online transaction without any involvement in the actual handling of funds.

In fact, with RBI’s new rules on data tokenisation, PGs are required to mandatorily tokenise (or encrypt) customer payment details and relay the information securely between the customer and the payment recipient which further restricts them from accessing transaction data.

How Do They Make Money?

Considering that both PAs and PGs are financial intermediaries, it is likely that they make money the same way as all intermediaries do — via commission. A part of the transaction fees is secured by the PAs in exchange for processing payments.

This is called the MDR or Merchant Discount Rate, which is the charge paid by a merchant to a PA for processing a transaction. Merchant refers to a brick-and-mortar store or a website which accepts payments from a customer through online payments.

However, things changed in January 2020 when the RBI decided to abolish the MDR. It meant that merchants were no longer required to share a slice of their hunt with the PAs. Thus, revenue generation prospects took a dive and business took a hit because without fetching substantial unit returns on transactions, it was difficult for these companies to keep their front-line payment infrastructure up and running.

Now, this is where the question of data monetisation emerges. The data that PAs have managed to harness over the course of transactions is primed for the plucking, especially by NBFCs who seek to maximise their reach amongst the rising digital subscriber base in India. The NBFCs use such data to make lending decisions and cut the PAs a fee in exchange for sharing such data with them.

This is essentially a two-pronged regulatory circumvention. First, using payment history data without consent to book profits is plain illegal and flies right in the face of data privacy laws.

Secondly, the act of partnering with NBFCs means that the PAs are entering into the banking business with a non-banking profile to begin with. If NBFCs are called shadow banks, meaning that they operate in the shadowy edges of the banking world, then it is fair to say that PAs are eclipsed banks, with no bandwidth or scale to operate in the banking domain and yet tip-toeing along the microlending sector via tie-ups with NBFCs. The compliance framework in this zone is highly deficient (some would say non-existent), and therefore it makes sense that the Central Bank is contemplating a review.

Why Doesn’t Tokenisation Prevent Data Sharing in This Instance?

Well, for one thing, rules on tokenisation haven’t been implemented yet (pushed to June 30th 2022). Secondly, the current tokenisation framework only applies to card data whereas digital payments in India take place through a wide array of instruments like UPI, netbanking, internet banking, digital wallets, etc.

When you combine data from all these sources, tokenisation barely covers a fraction of the trove, considering that only a small section of Indians use bank-issued cards to make online payments.
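To make concrete why tokenisation limits what a gateway or merchant can see, and why a card-only framework leaves the rest of the payment trove untouched, here is an added illustration in Python. It is not code from the article or from any of the companies named; the token vault, field names and sample payloads are all constructed for the example. The vault stands in for the party that holds the token-to-card mapping, while the merchant or gateway side retains only a random surrogate token and the last four digits. A second function shows that the same treatment does nothing for a UPI payment, which is the article's point.

```python
import secrets
from typing import Dict, Tuple

# Constructed sample checkout payloads, as a merchant or PA might receive them.
SAMPLE_CARD_PAYMENT = {
    "merchant_id": "M-0001",
    "amount_inr": 1499,
    "card_number": "4111111111111111",   # well-known test PAN, not a real card
    "card_expiry": "12/26",
    "customer_email": "buyer@example.com",
}
SAMPLE_UPI_PAYMENT = {
    "merchant_id": "M-0001",
    "amount_inr": 499,
    "upi_id": "buyer@upi",               # constructed virtual payment address
    "customer_email": "buyer@example.com",
}

# Payment identifiers that a card-only tokenisation rule leaves untouched
# (assumption for this example: UPI IDs, bank account numbers, wallet IDs).
OTHER_PAYMENT_FIELDS = ("upi_id", "account_number", "wallet_id")


class TokenVault:
    """Hypothetical token service provider. Only this side keeps the token -> card table."""

    def __init__(self) -> None:
        self._card_by_token: Dict[str, Tuple[str, str]] = {}

    def tokenise(self, pan: str, expiry: str) -> str:
        # The token is a random surrogate of PAN length so legacy fields still fit.
        # Unlike encryption there is no key: nothing outside the vault can map it back.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token != pan and token not in self._card_by_token:
                self._card_by_token[token] = (pan, expiry)
                return token

    def detokenise(self, token: str) -> Tuple[str, str]:
        # Called only by the vault's own authorised processing path.
        return self._card_by_token[token]


def tokenise_record(payload: dict, vault: TokenVault) -> dict:
    """Return what a merchant or gateway may retain: token and last four, never the PAN."""
    record = dict(payload)  # leave the caller's payload untouched
    if "card_number" in record:
        pan = record.pop("card_number")
        expiry = record.pop("card_expiry", "")
        record["card_token"] = vault.tokenise(pan, expiry)
        record["card_last4"] = pan[-4:]
    return record


def fields_still_in_clear(record: dict) -> set:
    """Payment identifiers present in the stored record that card tokenisation did not touch."""
    return {field for field in OTHER_PAYMENT_FIELDS if field in record}


if __name__ == "__main__":
    vault = TokenVault()
    card_record = tokenise_record(SAMPLE_CARD_PAYMENT, vault)
    print("stored card record:", card_record)
    print("card fields in clear:", fields_still_in_clear(card_record))
    upi_record = tokenise_record(SAMPLE_UPI_PAYMENT, vault)
    print("UPI fields in clear:", fields_still_in_clear(upi_record))
```

The design point is in `TokenVault.tokenise`: the token is random rather than derived from the card number, so a copy of the merchant or gateway database (the kind of exposure described for Juspay and Chqbook above) contains nothing that can be turned back into a card number without the vault. `fields_still_in_clear` makes the article's caveat visible: the UPI record comes through the same function unchanged, because the rule being modelled covers card data only.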

Beginning March 2021, RBI mandated that payment system operators are required to send “comprehensive compliance certificates” biennially to show adherence to all RBI regulations around the security and storage of payment data. Oh, and these compliance certificates will have to be signed by the CEOs of the companies as well.

It took another year for the Central Bank to realise that it needs to bank on more than the diligence of company executives for payment system compliance in the country. Perhaps one should be thankful that the realisation came sooner rather than later.

(Originally published March 28th 2022 in the TRANSFIN E-O-D Newsletter)

Padmini Das

Lawyer and policy professional. Passionate about international law and governance.