India’s payment aggregator rules just got a complete rewrite. The Reserve Bank of India’s September 2025 revised master directions don’t just tweak the existing framework — they fundamentally expand who is regulated, what they must do, and when they must do it. With the PA market processing over ₹200 lakh crore in annual transactions and 20+ licensed aggregators — including Razorpay, PayU, Cashfree, CCAvenue, and Paytm Payment Gateway — already operating under prior rules, the compliance stakes have never been higher. Miss a deadline, and you’re looking at licence cancellation, operational restrictions, and public censure. Here’s your deadline-by-deadline roadmap through 2026.
What Changed: Old Framework vs New
The original Payment Aggregator and Payment Gateway guidelines were issued by RBI in March 2020. Those rules covered online payment aggregators — entities facilitating digital payments between merchants and customers over the internet. For five years, offline payment collection, cross-border transactions, and hybrid models operated in a regulatory grey zone.
The September 2025 revision changed all of that. Prompted by three key developments — the explosive growth of QR-based offline payments post-2021, India’s ambition to dominate cross-border digital payments under the G20 framework, and a series of compliance failures at mid-tier aggregators — RBI issued comprehensive revised master directions that now govern the entire PA ecosystem.
Key triggers for the revision:
- Rapid expansion of offline payment collection by non-bank entities operating outside any oversight framework
- Regulatory gaps exploited by new-age fintech PAs processing significant volumes without RBI registration
- Global pressure to align India’s PA rules with FATF and IOSCO standards on anti-money laundering and merchant due diligence
- Merchant grievances around settlement delays and misuse of funds held in escrow/nodal accounts
Who Is Now Covered
The 2025 directions dramatically expand the regulatory perimeter. Any entity that collects, holds, or routes payment funds on behalf of merchants — whether online, offline, or cross-border — now requires an RBI PA licence with a minimum ₹25 crore net worth.
| Category | Pre-2025 Framework | 2025 Revised Directions |
|---|---|---|
| Online PAs | ✅ Covered | ✅ Covered |
| Offline PAs (QR/POS-based) | ❌ Not covered | ✅ Now covered |
| Cross-border PAs | ❌ Not covered | ✅ Now covered |
| Payment Gateways (tech-only) | Partial guidance | Clarified scope |
| Banking correspondents acting as PAs | Ambiguous | Explicitly included |
| White-label PA solutions | Not addressed | New registration category |
Key New Requirements
Governance Norms
RBI has introduced Board-level accountability for PA compliance for the first time. Required structures include:
- A Board-approved Compliance Policy, reviewed and renewed annually
- A designated Chief Compliance Officer (CCO) reporting directly to the Board
- Quarterly Board review of merchant onboarding metrics, settlement performance data, and grievance statistics
- Board-level ownership of data localisation compliance certification
- Independent internal audit of PA operations conducted at least once per calendar year
Merchant Due Diligence
Merchant onboarding standards have been significantly tightened. PAs must now implement a risk-tiered due diligence framework:
- Tier 1 (Low risk, ≤₹50,000/month volume): Basic KYC — PAN, GST registration, and bank account verification
- Tier 2 (Medium risk, ₹50,000–₹5 lakh/month): Enhanced KYC including business address proof and director identity verification
- Tier 3 (High risk, >₹5 lakh/month or high-risk merchant categories): Full due diligence including site visit or equivalent, CKYC registry check, and negative-list screening
PAs must maintain merchant due diligence records for a minimum of 8 years and must re-verify merchants whose transaction patterns show a material change, defined as a volume increase of more than 200% over three consecutive months.
Capital Requirements
The minimum net worth requirement for PA licence holders is ₹25 crore, to be maintained at all times. The 2025 directions add new obligations on top of this baseline:
- Quarterly net worth certification filed with RBI’s DPSS
- Additional capital buffers required if escrow float exceeds ₹500 crore
- Existing PAs that fall below the ₹25 crore threshold face a 12-month remediation window ending March 2026; new entrants must demonstrate full capital before receiving in-principle approval
Settlement Timelines (T+1 Mandate)
The most operationally impactful change: RBI has mandated T+1 settlement for all standard merchant categories by default, replacing the T+3 norm that persisted widely in practice. Under the revised directions:
- Standard merchants: Settlement within 1 business day of transaction confirmation
- Disputed or chargeback-flagged transactions: Funds withheld only against specific, documented holds — no blanket buffers permitted
- Export/cross-border merchants: T+2 permitted due to FEMA reconciliation timelines
- Any deviation from T+1 requires explicit written agreement with the merchant, documented and retained
This mandate directly improves working capital for India’s estimated 8+ million online merchants and will eliminate the practice of PAs earning float income on systematically delayed settlements.
Escrow/Nodal Account Structures
RBI has materially tightened escrow account rules:
- Funds must be swept to escrow on a T+0 basis (the same business day as collection)
- PAs cannot commingle their own operating funds with merchant funds in any account
- Multiple escrow accounts are permitted but each must be mapped to a distinct, documented merchant pool
- Overdraft or credit facilities on escrow accounts are prohibited
- Monthly reconciliation statements must be filed with RBI showing opening balance, total receipts, disbursements, and closing balance
- Escrow accounts must be held exclusively at scheduled commercial banks — payments banks cannot hold primary escrow accounts
Data Localisation
All payment transaction data processed by PA-regulated entities must be stored exclusively within India:
- Primary and backup servers hosting transaction data must be physically located in India
- Full replication or mirroring of transaction datasets to foreign servers is prohibited
- Tokenised data and anonymised analytics may be processed offshore only if no raw transaction identifiers are included
- An annual data audit by a CERT-In empanelled auditor is mandatory
- Retention periods: minimum 5 years for transaction records, 8 years for KYC and merchant due diligence records
Phased Compliance Timeline
| Requirement Category | Compliance Deadline |
|---|---|
| CCO appointment and Board Compliance Policy approval | January 31, 2026 |
| Offline PA registration (existing operators) | March 31, 2026 |
| Board governance structures fully in place | March 31, 2026 |
| Capital adequacy certification (first quarterly filing) | March 31, 2026 |
| Escrow account restructuring to meet new norms | March 31, 2026 |
| T+1 settlement implementation (all merchants) | April 1, 2026 |
| Merchant due diligence re-verification (existing base) | June 30, 2026 |
| Cross-border PA licence applications | June 30, 2026 |
| White-label PA solution registration | June 30, 2026 |
| CKYC integration for Tier 3 merchants | June 30, 2026 |
| Data localisation full compliance | September 30, 2026 |
| First annual data audit completion | December 31, 2026 |
The 12-Point Compliance Checklist
- Register as PA (offline/cross-border category) — If you collect payments offline via QR codes, POS devices, or mobile collection apps, or if you process cross-border transactions, file your registration application with RBI’s DPSS by the applicable deadline.
- Verify net worth at ₹25 crore — Obtain a CA-certified net worth certificate. If capital falls below the threshold, initiate an infusion plan with Board approval immediately.
- Appoint a CCO and approve Board Compliance Policy — Draft a comprehensive Board-approved Compliance Policy; appoint a designated Chief Compliance Officer before January 31, 2026.
- Restructure escrow accounts — Map all escrow accounts to defined merchant pools, eliminate any commingling of PA operating funds, and implement same-day (T+0) fund sweeps.
- Re-engineer settlement workflows to T+1 — Audit your core payments stack and banking partner integrations for settlement cycle timing; go live on T+1 by April 1, 2026.
- Tier your merchant risk framework — Segment your entire merchant base into Tier 1, 2, and 3, and assign appropriate due diligence requirements to each tier.
- Re-verify existing merchant base — Conduct re-verification for merchants showing material volume changes; complete a full-base sweep by June 30, 2026.
- Integrate CKYC for Tier 3 merchants — Build and test API integration with the Central KYC registry for all high-risk merchant onboarding and re-verification workflows.
- Audit data localisation compliance — Map all transaction data flows, identify any cross-border replication, and remediate to achieve full domestic storage by September 30, 2026.
- Commission CERT-In empanelled data audit — Appoint an empanelled auditor, conduct the audit, and file results with RBI by December 31, 2026.
- File quarterly net worth certifications — Set up an internal process to generate and submit quarterly capital adequacy certificates to RBI’s DPSS portal.
- Establish monthly escrow reconciliation filings — Implement automated reconciliation reporting for all escrow accounts, formatted to RBI’s prescribed template and filed without exception each month.
Penalties for Non-Compliance
RBI’s enforcement toolkit under the Payment and Settlement Systems Act, 2007 includes a range of escalating actions:
- Monetary penalty: Up to ₹10 lakh per violation; cumulative penalties for systemic or repeated breaches can be substantially higher
- Operational restrictions: RBI can bar a PA from onboarding new merchants while under investigation, freezing commercial growth
- Licence suspension: Temporary bar on processing any transactions — effectively a full business shutdown
- Licence cancellation: Permanent revocation for material, willful, or repeated non-compliance
- Public censure: RBI publishes enforcement actions on its website; reputational damage in B2B fintech relationships is disproportionate to the penalty amount
- Director-level liability: Board members who certified compliance inaccurately face personal disqualification proceedings
As a reference point, RBI levied a penalty of ₹5.39 crore on Paytm Payments Bank in 2024 for KYC violations, demonstrating its clear intent to enforce compliance obligations across the payments ecosystem.
What This Means for the Market
The 2025 directions will accelerate consolidation in India’s PA market. Currently 20+ licensed PAs operate commercially, but many are subscale — processing under ₹500 crore annually with thin capital reserves. The fully-loaded annual cost of compliance with the new framework — technology upgrades for T+1 settlement infrastructure, CERT-In data audits, CKYC API integration, CCO hiring, and monthly regulatory filings — is estimated at ₹2–5 crore per year for a mid-size PA.
Smaller operators face a difficult calculus: invest heavily to comply or sell to a larger player. Well-capitalised PAs such as Razorpay, PayU India, and Cashfree Payments are positioned to absorb the compliance burden and are likely to benefit as weaker competitors exit the market or are absorbed through M&A.
For merchants, the T+1 settlement mandate and strengthened due diligence standards will meaningfully improve trust and cash-flow predictability. For India’s ambition to become a global digital payments hub by 2030 — building on the UPI platform that already processes over 13 billion transactions monthly — the 2025 PA directions are a necessary, if demanding, step toward regulatory maturity.
Disclaimer: This article is for informational purposes only and does not constitute legal, regulatory, or financial advice. Payment aggregator regulations are subject to ongoing revision; readers are advised to consult official RBI publications and qualified legal counsel before making compliance decisions.
About the Author: InsightPulseHub Editorial Team creates research-driven content across finance, technology, digital policy, and emerging trends. Our articles focus on practical insights and simplified explanations to help readers make informed decisions.