- Nikita Hora
Payment Aggregators and Gateways in India: Compliance Burden and Business Impact

In the era of rapid digital transformation, India’s digital payment ecosystem has witnessed an extraordinary rise. From unified payments interface (UPI) based transfers to e-commerce transactions, online payments have become part of everyday life for consumers and businesses alike. Central to this ecosystem are payment aggregators and payment gateways, two separate intermediaries that allow merchants to process online payments. While both play pivotal roles in facilitating digital commerce, they are subject to different regulatory requirements and compliance obligations which carry significant consequences for business strategy, risk management, and operational costs.
Payment Aggregators vs Payment Gateways
A clear distinction exists between payment aggregators and payment gateways, and it is essential for legal and business professionals to understand this difference. A payment aggregator (PA) is an intermediary that enables merchants to accept multiple payment instruments such as cards, UPI, and wallets without requiring merchants to set up separate accounts with different acquiring banks. Critically, payment aggregators handle funds: they receive payments from customers, pool them, and then settle these amounts to the merchant on a periodic basis. A payment gateway (PG), on the other hand, is a technology provider that routes payment instructions between the customer, merchant, and acquiring bank. Payment gateways do not handle funds; they provide the infrastructure for securely transmitting transaction data. This operational distinction forms the basis of regulatory treatment, particularly how the Reserve Bank of India (RBI) regulates these entities. Payment aggregators are subject to compulsory and direct regulation, whereas payment gateways are largely governed by technology and security guidelines that are mostly advisory rather than mandatory in nature.
Regulatory Framework and Compliance Requirements
1. Authorization and Legal Status
Payment aggregators must obtain an official authorization from the RBI under the Payment and Settlement Systems Act (PSSA), 2007 before operating in India. To qualify for authorization, an applicant must comply with the terms of the PSSA, be a company incorporated in India, and must explicitly cover payment aggregator activities in its object clauses (in the memorandum of association). The RBI also applies a ‘fit and proper’ test to directors and key management personnel to ensure governance integrity.
2. Capital and Net-Worth Requirements
The regulatory framework issued by RBI prescribes that an entity seeking authorisation to commence or carry on payment aggregator business shall have a minimum net-worth of Rs. 15 crores at the time of tendering application for authorisation and shall attain a minimum net-worth of Rs. 25 crores by the end of third financial year of grant of authorisation. The minimum net worth, as applicable, shall be maintained by a payment aggregator on an ongoing basis[1]. This requirement is designed to ensure financial resilience and the ability to manage operational risks arising from handling consumer funds.
3. Escrow Accounts and Fund Handling
One of the core compliance obligations for payment aggregators is the maintenance of escrow accounts with scheduled commercial banks. Funds collected from customers must be held in these accounts and settled in a timely manner to merchants. The escrow mechanism adds a layer of consumer protection and ensures segregation of funds. Additionally, the Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025 prohibit payment aggregators and merchants from storing card credentials, such as complete card data in their systems, aligning with global practices that reduce fraud and data breach risks.
4. Governance and Risk Management
The compliance expectations for payment aggregators go beyond financial metrics and extend into governance, fraud prevention, and risk controls. A payment aggregator must put in place board-approved policies for merchant onboarding, dispute resolution, refunds, and customer grievance redressal. These policies must be publicly disclosed on websites or mobile applications. The RBI also requires robust risk-management systems, fraud-detection controls, and comprehensive information security frameworks in line with standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS). Compliance reporting and regular security audits, including internal and external assessments, are also mandatory.
5. KYC, AML, and Merchant Due Diligence
Payment aggregators are also subject to Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) regulations under the RBI’s KYC Directions and the Prevention of Money Laundering Act, 2002. They must undertake merchant background checks to ensure that merchants do not have mala fide intent or sell prohibited products. This merchant diligence requirement reflects a focus on safeguarding consumer interests, but it also adds a significant operational burden, especially for aggregators onboarding a high volume of small merchants.
6. Merchant Onboarding and Data Security
Aggregators must also verify that the merchants comply with data security standards and that their infrastructure adheres to best practices for managing sensitive payment information. This extends to ensuring merchants’ systems meet PCI-DSS and PA-DSS norms. These requirements are meant to mitigate risks related to breaches, fraud, and customer data misuse, but they impose substantial compliance costs and technical obligations on both aggregators and merchants.
Payment Gateways: Advisory and Best Practices
In contrast to payment aggregators, payment gateways are not required to obtain a formal authorization from the RBI because they do not handle funds. Instead, they are advised to adopt the baseline technology-related recommendations laid out in the aforesaid RBI guidelines. This advisory approach reflects the view that gateways are technology service providers responsible primarily for secure routing of transactions and do not engage in fund pooling or settlement activities. Consequently, while they are subject to information technology and security standards, they face a lighter regulatory burden compared to aggregators. Nonetheless, gateway operators must still ensure compliance with industry security protocols and adopt best practices in risk management, encryption, and incident reporting to safeguard transaction integrity and consumer trust.
Business Impact: Compliance Costs and Operational Challenges
The regulatory regime for payment aggregators, while critical for protecting consumers and reinforcing financial system stability, imposes several compliance costs and strategic considerations for businesses.
1. Higher Regulatory Burden and Cost of Compliance
Authorization, net-worth thresholds, governance policies, and mandatory security audits result in significant upfront and ongoing costs. Smaller fintechs and startups may find these obligations onerous, potentially discouraging market entry or forcing consolidation. The requirement to maintain robust merchant vetting and grievance processes further adds to the compliance overhead.
2. Impact on Merchant Relations
Requiring aggregators to conduct rigorous merchant due diligence and security compliance checks changes the dynamics of merchant onboarding. While beneficial for protecting end consumers, these obligations can slow down onboarding and restrict the ability of aggregators to rapidly scale their merchant base, especially in segments with high churn or low transaction volumes.
3. Differentiated Competitive Landscape
The regulatory clarity around payment aggregators and gateways creates a differentiated landscape in which pure technology providers (gateways) may operate with fewer constraints than aggregators that handle funds. This contrast can influence business models, pricing strategies, and competitive positioning within the digital payments market.
Weighing Regulation Against Growth
India’s regulatory framework for payment aggregators and gateways reflects a deliberate effort by the RBI to foster a secure, transparent, and trustworthy digital payments ecosystem. By imposing comprehensive compliance requirements on payment aggregators, including licensing, governance, risk management, and merchant oversight, regulators seek to protect consumers and strengthen systemic resilience. However, these regulatory expectations also translate into higher compliance costs, operational complexity, and strategic challenges for businesses. Payment gateways, meanwhile, benefit from a lighter regulatory approach that focuses on technology best practices rather than direct supervision.
[1] Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025