The Reserve Bank of India, in a series of authorisation decisions in late December 2023 and January 2024, granted Payment Aggregator licences to multiple fintech companies, significantly expanding the regulated digital payments ecosystem in India. Entities including Zomato Payments, Stripe India, and Tata Pay received final authorisation to operate as payment aggregators under the Payment and Settlement Systems Act, 2007, following earlier approvals to Razorpay, Cashfree Payments, and Open in December 2023.
Background
The RBI's framework for regulation of payment aggregators was introduced through guidelines issued in March 2020, requiring all entities engaged in the aggregation of payment services to obtain authorisation from the central bank. Payment aggregators facilitate merchants in accepting payments from customers through various payment instruments such as debit cards, credit cards, net banking, and UPI, without the merchant needing a direct integration with each payment service provider.
Following the issuance of these guidelines, the RBI imposed a pause on the onboarding of new merchants by existing payment aggregators that had not yet obtained authorisation. This regulatory pause, which lasted approximately one year, was part of the RBI's effort to ensure compliance with the enhanced due diligence, net worth, and security requirements prescribed under the framework. During this period, several payment aggregators submitted applications and underwent regulatory scrutiny.
The authorisation process assessed compliance across multiple parameters including minimum net worth requirements, governance structure, information security standards, customer grievance redressal mechanisms, and adherence to the card-on-file tokenisation framework that prohibits merchants and payment aggregators from storing actual card data on their servers.
Key Provisions
The January 2024 authorisation round established the following regulatory position:
Expanded licensed ecosystem: With the grant of PA licences to entities including Zomato Payments (authorised 24 January 2024), Stripe India, and Tata Pay, the RBI significantly widened the universe of regulated payment aggregators, bringing major technology platforms under formal regulatory oversight.
Merchant onboarding resumption: Newly authorised entities can resume onboarding merchants and expanding their payment acceptance networks, ending the operational restrictions that had constrained business growth during the application processing period.
Tokenisation compliance: All authorised payment aggregators are required to comply with the card-on-file tokenisation framework, ensuring that actual card details are not stored and that tokenised credentials are used for transaction processing, reducing the risk of large-scale data breaches.
Net worth and capital requirements: Authorised entities must maintain the prescribed minimum net worth and meet ongoing capital adequacy requirements as a condition of continued authorisation.
Customer protection obligations: Authorised payment aggregators are subject to enhanced obligations regarding transaction dispute resolution, refund timelines, and the maintenance of escrow accounts to protect merchant and customer funds.
Implications for Practitioners
The completion of the PA licensing cycle marks a structural shift in the fintech regulatory landscape. Legal advisors to payment aggregators should note that the authorisation carries ongoing compliance obligations that extend well beyond the initial licensing requirements.
For merchants engaging with payment aggregators, the authorisation status of their service providers now becomes a due diligence item, as transacting through unauthorised entities carries regulatory risk. Merchant agreements should be reviewed to confirm that the payment aggregator holds a valid RBI authorisation.
The convergence of PA licensing with the card tokenisation mandate creates a layered regulatory framework where data security and payment processing authorisation operate as complementary compliance requirements. Practitioners advising fintech clients should adopt an integrated compliance approach that addresses both dimensions simultaneously.