RBI Payment Aggregators and Gateway Audit

On 17th March 2020, RBI circulated a new guideline for the Regulation of Payment Aggregators and Payment Gateways that mandated the entities to get authorization from RBI for obtaining the settlement of payment to the merchant at a fixed transaction time.

Under the issued 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' (the "Guidelines"), the RBI has decided to (a) regulate, in entirety, the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways. These guidelines are aimed at serving and assisting payment aggregators in having a baseline technology related to payment gateways.

From now on, Payment Aggregators and Payment Gateways will be regulated by RBI to ensure the safety of all online transactions. The key aspects of the guidelines are as follows:

  • Payment Aggregators require baseline technology, which includes the implementation of data security standards, cybersecurity audits, incident reporting, and framing IT policies.

  • Payment Aggregators are to have clear policies for merchant on-boarding, privacy, customer grievances, etc., and follow the provisions set by the Prevention of Money Laundering Act, 2002.

  • E-commerce organizations with a Payment Aggregator business need to obtain the authorized license and must segregate the Payment Aggregator business into a separate entity.

  • A non-bank Payment Aggregator must be a complete company incorporated under the Act of the organization with the PA activity forming a party.

  • In case of any takeover, acquisition of control, or change in upper management, non-bank Payment Aggregators must communicate with the Chief General Manager of RBI within 15 days of the change.

  • The RBI also gives the format of authorization, which includes the net-worth certificate, director's undertaking, auditor certificate while maintaining the balance on an escrow account, and a format for storing the data of transactions handled by Payment Aggregators every month.

  • Non-bank Payment Aggregators will have a minimum net worth of Rs 15 crore, which also varies up to INR 25 crore by the end of the financial year.

Audit Approach

Business Understanding

Evaluating the business process and environment to understand the in-scope elements.

Audit Scope Finalization

A detailed questionnaire is shared with your teams along with other documentation, and evidence is collected on the architecture, implementation and controls.

Initial/Readiness Assessment

As per the prescribed RBI guideline, we will conduct an initial audit of all the storage locations which contain any payment-related data.

Risk Assessment

Identifying and analysing the risks in the information security posture.

Data Flow Assessment

Conducting thorough systems analysis to evaluate data flow and possible leakages.

Remediation Support

Based on the assessment and the identification of the payment data, QRC will provide remediation support for complying with the RBI directive on the baseline technology requirement and the security controls.

Scans And Testing

Identify critical vulnerabilities in your system with a robust testing approach.

Evidence Review

Review of the evidence collected to assess its maturity, in line with the compliance requirements.

Final Audit

Post remediation, we conduct a final audit and review your evidence as identified during the audit. On successful closure, we will share the confirmation letter that all assets defined as per the scope meet the prescribed guidelines.

Concise Reporting

Our team documents a comprehensive report detailing all findings covered during the assessment cycle.
