FEMA & RBI · NBFC & Financial Services Licensing
Payment Bank, Payment Gateway & Wallet Licensing
Payment Banks, Payment Aggregators, Payment Gateways, and Prepaid Payment Instruments (wallets) each sit under a distinct Reserve Bank of India licensing and supervisory framework — the Payment and Settlement Systems Act, 2007, the RBI's differentiated Payment Banks licensing guidelines, the Master Direction on Prepaid Payment Instruments, and the Guidelines on Regulation of Payment Aggregators and Payment Gateways.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Payment Banks, Payment Aggregators, Payment Gateways, and Prepaid Payment Instruments (wallets) each sit under a distinct Reserve Bank of India licensing and supervisory framework — the Payment and Settlement Systems Act, 2007, the RBI's differentiated Payment Banks licensing guidelines, the Master Direction on Prepaid Payment Instruments, and the Guidelines on Regulation of Payment Aggregators and Payment Gateways. Getting the category wrong — treating a payment gateway build as if it needs a PPI licence, or assuming a wallet product can be launched without RBI authorisation — stalls a product launch by months and can attract regulatory action for operating an unauthorised payment system under Section 4 of the PSS Act. At PNPC Global, we have advised financial services and fintech clients since 1986, with offices in Chennai, Bangalore, Hyderabad, and Dubai. Our Payment Bank, Payment Gateway & Wallet Licensing practice helps promoters, NBFCs, and fintech companies identify the correct RBI authorisation pathway, build the compliance and net worth case the RBI expects, and manage the licensing or authorisation process from application to go-live.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
"Payment licensing" is an umbrella term PNPC uses for a family of distinct Reserve Bank of India authorisations that govern who may operate a payment system in India under the Payment and Settlement Systems Act, 2007 (PSS Act). Section 4 of the PSS Act prohibits any person from operating a payment system in India except under and in accordance with an authorisation issued by the RBI. This single provision is the reason every payment bank, wallet issuer, payment aggregator, and payment gateway in India must either hold, or operate under an entity that holds, an RBI authorisation before processing a single transaction. The specific authorisation required depends entirely on what the business actually does — deposit-taking, instrument issuance, or transaction facilitation are regulated as separate activities under separate frameworks.
A Payment Bank is a differentiated banking licence category created by the RBI's November 2014 guidelines for Licensing of Payments Banks, issued under Section 22 of the Banking Regulation Act, 1949. A Payments Bank can accept deposits (currently capped per the RBI's prescribed ceiling per individual customer), issue debit cards, offer payments and remittance services, and act as a business correspondent for other banks — but cannot undertake lending activities or issue credit cards. It operates under the same prudential and licensing rigour as a universal bank promoter evaluation, just with a restricted business model. This is the most heavily regulated and capital-intensive category in this group, and new licences have been issued only in the limited cohort the RBI selected following its 2014 guidelines — it is not a licence category with a routine, always-open application window.
A Prepaid Payment Instrument (PPI) — commonly a digital wallet, prepaid card, or mobile wallet — is governed by the RBI's Master Directions on Prepaid Payment Instruments (last comprehensively updated in August 2021, with subsequent amendments). PPIs are instruments that facilitate purchase of goods and services, or fund transfers, against the value stored on them. Non-bank PPI issuers must obtain a Certificate of Authorisation from the RBI under the PSS Act, meet a prescribed minimum positive net worth at the time of application and maintain it on an ongoing escalating basis, and comply with KYC, escrow account, and interoperability requirements. Banks, being regulated entities, can issue PPIs without a separate authorisation, though they follow the same PPI Master Direction conditions.
A Payment Aggregator (PA) is an entity that facilitates e-commerce merchants to accept payment instruments from customers for completion of their payment obligations, without the need for merchants to create a separate payment integration. A Payment Gateway (PG), by contrast, is purely a technology provider that enables processing of payment transactions by routing and facilitating the exchange of information between the acquiring bank and the customer — it does not handle funds. This distinction matters enormously: under the RBI's March 2020 (updated 2021, and further tightened by the November 2024 circular extending PA regulation to Payment Aggregators – Cross Border, PA-CB) guidelines, Payment Aggregators require RBI authorisation because they handle funds in the payment flow through a nodal or escrow account, while pure Payment Gateways that never touch funds are technology service providers outside direct RBI authorisation, though they are commonly bundled commercially with a PA function and must then meet PA requirements for that combined offering. PNPC's role is to correctly classify which category (or combination) your product model actually falls into before any application is prepared — misclassification is the single most common and costly error we see in this space.
When this advisory is the right starting point
You are building a digital wallet, prepaid card, or gift card product and need to determine whether you require a PPI Certificate of Authorisation from the RBI or can operate as a co-branded partner of an existing licensed PPI issuer
You are an e-commerce, SaaS, or marketplace platform building payment collection for merchants and need to determine whether your model constitutes a Payment Aggregator requiring RBI authorisation, or a pure technology Payment Gateway that does not
You are evaluating whether to apply for a Payments Bank licence, or — more commonly given the closed cohort of existing licences — whether a Business Correspondent, PPI, or NBFC partnership model achieves your commercial goal without a full banking licence
You already hold a PA authorisation and are scaling into cross-border collections, requiring assessment against the PA-CB (Cross Border) framework introduced via the RBI's November 2024 circular
You are a promoter or NBFC exploring an in-house wallet or payments product and need the net worth, board composition, and compliance framework build-out required for an RBI application, structured correctly from the outset
Your existing PPI or PA authorisation is approaching a periodic RBI compliance review or renewal-linked condition and you need an independent compliance health check before the regulator's own review
You are a foreign payments company or UAE-based fintech evaluating entry into the Indian payments market and need India-specific RBI, FEMA, and Companies Act structuring advice from a firm with a genuine India-UAE presence
When another PNPC service is the better starting point
You are simply integrating an existing licensed payment gateway or aggregator (such as a bank's own gateway or an already-authorised third-party PA) into your website or app as a merchant — you do not need any RBI authorisation of your own; this is a commercial integration, not a licensing question
You are setting up a standard NBFC for lending activity with no payment system or wallet component — our dedicated NBFC Registration & Licensing service is scoped specifically for lending NBFC applications under the RBI's NBFC framework
You need general RBI/FEMA compliance review for cross-border transactions unrelated to a payment system authorisation — our FEMA Compliance Advisory & Review service is the correctly scoped engagement
Your product is purely a KYC/AML or fraud-technology tool with no fund handling or instrument issuance of its own — our KYC & AML Advisory service addresses that compliance layer without payment-system licensing
You are certain your model is a pure technology Payment Gateway with no fund custody, no nodal account, and no merchant settlement responsibility, and simply want confirmation of that classification — a shorter scoping consultation, rather than a full licensing engagement, may be all that is needed initially; we will tell you honestly if that is the case
Payment Bank vs Payment Aggregator vs Payment Gateway vs PPI (Wallet) — how RBI treats each
| Feature | Payments Bank | Payment Aggregator (PA) | Payment Gateway (PG) only | PPI / Wallet Issuer |
|---|---|---|---|---|
| Governing framework | RBI Licensing Guidelines for Payments Banks, 2014 + Banking Regulation Act Sec 22 | RBI Guidelines on Regulation of PAs and PGs, 2020/2021 (+ PA-CB 2024) | Not separately RBI-authorised if no fund handling; PSS Act oversight if bundled with PA activity | RBI Master Directions on Prepaid Payment Instruments, 2021 (as amended) |
| Authorisation type | Differentiated banking licence from RBI | Certificate of Authorisation under PSS Act | None required for pure technology routing with no fund custody | Certificate of Authorisation under PSS Act |
| Can hold customer deposits | Yes — subject to a prescribed per-customer ceiling | No — funds pass through a nodal/escrow account, not held as deposits | No — no fund handling at all | Yes, but as prepaid value/stored balance, not a deposit; PPI balances are ring-fenced in escrow, not general deposits |
| Can lend or issue credit cards | No — explicitly prohibited under the licence conditions | No — not a lending activity | No — not applicable | No, except limited co-branded/small PPI credit-linked variants under specific RBI permissions |
| Minimum net worth (illustrative structure — verify current RBI figure before applying) | Highest tier — substantial paid-up capital prescribed at licensing | Prescribed minimum net worth at application, escalating to a higher figure within a prescribed number of years | Not applicable — no RBI net worth prescription for pure non-fund-handling gateways | Prescribed minimum positive net worth at application, escalating over a prescribed timeline as per the PPI Master Direction |
| Escrow / nodal account requirement | Not applicable — operates as a bank with its own deposit accounts | Mandatory — PA must maintain funds in a nodal account with a scheduled commercial bank per RBI-prescribed structure | Not applicable — no funds pass through | Mandatory — PPI issuer must maintain an escrow account with a scheduled commercial bank for outstanding PPI balances |
| Cross-border collections | Governed by FEMA/AD-bank framework applicable to banks | Requires separate PA-CB authorisation per the RBI's November 2024 circular for cross-border payment collection | Not applicable directly unless bundled with PA-CB activity | Cross-border PPI use is restricted; primarily a domestic instrument unless specifically permitted |
| New licence availability | Extremely limited — RBI issued its 2014 cohort and has not run a continuous open window since; policy toward new differentiated licences evolves periodically | Open application window for new entrants meeting eligibility, subject to RBI's processing timelines and periodic pauses on new applications during policy reviews | No authorisation gate for the pure technology function itself | Open application window for new entrants meeting eligibility criteria |
| Typical promoter profile | Well-capitalised financial institution, NBFC, telecom, or corporate group with deep banking-grade compliance capability | Fintech, e-commerce platform, or payments-focused company with technology and compliance infrastructure | Any technology company building payment routing infrastructure without touching funds | Fintech, e-commerce, telecom, or NBFC building a stored-value or wallet product |
This table gives directional orientation only. RBI net worth thresholds, escalation timelines, and eligibility criteria are periodically revised through Master Direction updates and circulars — always confirm the current prescribed figures with PNPC or directly against the live RBI Master Direction before building a business case or application budget. Many payments businesses combine categories (a PA that also issues a co-branded PPI, for example), and each combination changes the applicable compliance stack.
| # | Stage & What PNPC Does | What Generic Advisors Miss | Timeline |
|---|---|---|---|
| 1 | Business Model Classification — Determine which RBI authorisation your product actually needs | We map your actual transaction flow — does money ever sit in an account you control between payer and payee (PA/PPI territory), or does your system only route information between banks (pure PG, no RBI authorisation)? Founders frequently describe their own product incorrectly, either overstating complexity (assuming a PPI licence is needed when a PA suffices) or understating it (assuming 'just an API' when funds do briefly rest in an account the company controls). This classification decision anchors everything that follows. | Week 1 |
| 2 | Regulatory Framework & Eligibility Mapping | For PA/PPI applications, we assess current RBI-prescribed net worth thresholds against your promoter group's actual audited financials, and map the escalating net worth timeline you will need to plan capital infusion around. For a Payments Bank enquiry, we give a candid assessment of licence availability given the RBI's limited and non-continuous licensing window for this category, and discuss realistic alternative structures (Business Correspondent, PPI, or NBFC partnership) where a full banking licence is not a realistic near-term path. | Week 1–2 |
| 3 | Promoter & Group Due Diligence Readiness | RBI evaluates the 'fit and proper' status of promoters, directors, and significant shareholders — prior regulatory history, credit history, litigation record, and source of funds are all scrutinised. We run an internal readiness check against the same criteria the RBI examiner will apply, surfacing issues (a promoter's unrelated past regulatory notice, an unclear shareholding chain) before they surface in the RBI's own review, where they cause far more damage to application credibility. | Week 2–3 |
| 4 | Corporate Structure & Governance Build-Out | RBI authorisation requires specific board composition (including independent directors in prescribed proportion for larger entities), a dedicated compliance and risk function, an IT and cybersecurity governance framework, and board-approved policies on KYC/AML, grievance redressal, and business continuity — all of which must exist in substance, not just as documents, before or alongside the application. We build this governance layer with the client rather than handing over a template policy set that will not survive an RBI query. | Week 3–6 |
| 5 | Net Worth & Capital Structuring | We work with the promoter group to structure the capital infusion timeline against the RBI's escalating net worth requirement — for example, PPI issuers must meet a starting net worth at application and reach a higher prescribed figure within a set number of financial years. Getting the capital-raise sequencing wrong stalls an otherwise-ready application indefinitely. | Week 3–6, in parallel with governance build-out |
| 6 | Escrow / Nodal Account Arrangement | PA and PPI applicants must have a bank-vetted nodal or escrow account structure in place, with the escrow agreement conforming to RBI's prescribed terms (no interest to the issuer on the escrow balance beyond permitted limits, no co-mingling with the company's own funds, and specific withdrawal conditions). We coordinate this directly with scheduled commercial banks experienced in RBI-compliant escrow structures — a generic current account will be rejected at application review. | Week 4–7 |
| 7 | Technology & Security Audit Readiness | RBI applications for PA and PPI authorisation require a system audit report from a CERT-In empanelled auditor covering the payment system's technical architecture, data security, and business continuity arrangements. We coordinate the technical documentation and pre-review the scope with the client's technology team before the formal CERT-In empanelled audit is commissioned, to avoid a failed or heavily-qualified audit report reaching the RBI application. | Week 6–10 |
| 8 | Policy Documentation Package | Board-approved policies required typically include: KYC/AML policy aligned to the PMLA and RBI's KYC Master Direction, customer grievance redressal policy with defined turnaround times, data storage and localisation policy (payment system data must be stored only in India per RBI's April 2018 data localisation circular), business continuity and disaster recovery policy, and a fraud risk management framework. PNPC drafts these to reflect the actual operating model — not generic templates that create their own compliance gaps once operations begin. | Week 6–9, in parallel with technology audit |
| 9 | Application Preparation & Filing | The application is compiled — for PA/PPI, this is filed with the RBI's Department of Payment and Settlement Systems (DPSS) through the prescribed format, along with all supporting documents: certificate of incorporation, board resolutions, promoter KYC and net worth certificates, system audit report, and policy documents. We conduct a final internal review against RBI's published application checklist before submission — incomplete applications are frequently returned without substantive review, resetting the timeline. | Week 9–11 |
| 10 | RBI Query Response Management | RBI's DPSS routinely raises clarificatory queries after initial review — on shareholding structure, technology architecture, policy gaps, or promoter background. Response quality and turnaround materially affect the overall timeline; a poorly substantiated response can trigger further rounds of query. We manage this correspondence directly, drawing on our experience of how DPSS examiners typically frame follow-up questions. | Ongoing, typically several months from filing to in-principle approval |
| 11 | In-Principle Approval & Conditions Compliance | RBI authorisations are frequently granted in-principle first, subject to specific conditions being fulfilled within a stipulated period — final capital infusion, appointment of specific senior personnel, or completion of a pending system enhancement. We track every condition against its deadline and coordinate the client's execution so the final Certificate of Authorisation is not delayed by a missed condition. | Varies by conditions imposed |
| 12 | Final Authorisation & Go-Live Compliance Setup | Once the final Certificate of Authorisation (or licence) is issued, we set up the ongoing compliance calendar: periodic RBI reporting (system audit reports, net worth certificates, transaction data returns as prescribed), the annual compliance certificate cycle, and the internal controls needed to operate within the authorisation's conditions from day one of go-live. | Immediately following final authorisation |
| 13 | Ongoing Regulatory Relationship Management | RBI-authorised payment system operators are subject to ongoing supervision — periodic inspections, data calls, and circular-driven compliance updates (the payments regulatory framework changes frequently, as the PA-CB circular of November 2024 illustrates). PNPC's retainer clients receive proactive alerts when a new RBI circular affects their authorisation conditions, rather than discovering a compliance gap at the next inspection. | Lifetime of the authorisation |
Realistic end-to-end timeline for a PA or PPI Certificate of Authorisation, from engagement to final RBI authorisation, commonly runs 6–12 months depending on application quality, promoter readiness, and the RBI's query cycle — this is a regulator-paced process, not a fixed-duration filing. A Payments Bank licence enquiry should be treated as a multi-year strategic decision given the extremely limited licensing window for that category; PNPC will give a candid assessment of feasibility before any engagement begins rather than accepting a mandate we believe has a low probability of a new licence being issued.
Certificate of Incorporation and Memorandum/Articles of Association of the applicant entity — objects clause must permit the specific payment system activity applied for
Shareholding pattern and beneficial ownership chain — RBI scrutinises ultimate beneficial ownership closely, particularly where foreign shareholding is present and FDI sectoral conditions for payment system operators apply
Board resolution authorising the application and designating the authorised signatory for RBI correspondence
Promoter and director KYC — PAN, Aadhaar/passport, address proof, and a declaration of any past or pending regulatory, criminal, or civil litigation history for each promoter and proposed director
Net worth certificates of promoters/promoter group, certified by a practising Chartered Accountant, supporting the source and adequacy of proposed capital infusion
Organisational chart showing the compliance, risk, technology, and grievance redressal functions with designated responsible officers
Audited financial statements of the applicant entity (and promoter group, where relevant) for the preceding financial years
Statutory auditor's certificate confirming the entity's net worth as on a specified date, computed per RBI's prescribed method (paid-up capital plus free reserves, minus accumulated losses and certain deductions)
Capital infusion plan and timeline demonstrating how the entity will meet the RBI's escalating net worth requirement over the prescribed number of years
Bank statements and proof of funds evidencing that promoter capital contribution is from legitimate, traceable sources — RBI applies source-of-funds scrutiny consistent with its broader KYC/AML expectations
System audit report from a CERT-In empanelled auditor covering application architecture, data security controls, encryption standards, and penetration testing results
Data localisation compliance confirmation — payment system data must be stored exclusively on servers located in India, per RBI's April 2018 circular on storage of payment system data
Business continuity and disaster recovery plan, including recovery time objectives and a tested failover mechanism
API and integration architecture documentation, particularly for PA/PG applicants, showing how the merchant onboarding, transaction routing, and settlement flow operate end-to-end
Cybersecurity policy approved by the Board, aligned with RBI's cybersecurity framework expectations for payment system operators
Escrow or nodal account agreement executed with a scheduled commercial bank, drafted to conform with RBI's prescribed terms — no interest accrual to the operator beyond permitted limits, no co-mingling with operating funds, and defined permissible debits and credits
Merchant settlement policy documenting the maximum permissible settlement cycle (T+1 or as otherwise prescribed) and the mechanism for handling failed or disputed transactions
Reconciliation process documentation between the nodal/escrow account, the technology platform's transaction ledger, and merchant payouts
KYC and Anti-Money Laundering policy aligned with the Prevention of Money Laundering Act, 2002 and RBI's Master Direction on KYC
Customer grievance redressal policy with defined escalation levels and turnaround commitments, and a nodal grievance officer designated
Fraud risk management and transaction monitoring policy, including suspicious transaction reporting procedures to the Financial Intelligence Unit-India where applicable
Merchant onboarding and due diligence policy (for PA applicants) — covering merchant KYC, category restriction screening, and periodic re-verification
Outsourcing policy, where any technology, KYC, or operational function is outsourced to a third party, consistent with RBI's guidelines on managing outsourcing risk
Periodic system audit reports as prescribed in the authorisation conditions (typically annual, from a CERT-In empanelled auditor)
Annual net worth certificate confirming continued compliance with the prescribed and escalating net worth requirement
Transaction data and MIS returns to RBI's DPSS in the prescribed format and frequency
Board meeting minutes evidencing periodic review of the payment system's risk, compliance, and technology posture as required under the authorisation conditions
Updated policy documents reflecting any material change in business model, technology architecture, or ownership, filed with RBI where prior intimation or approval is a condition of the authorisation
| Phase | Triggered By | PNPC CA/Regulatory Guidance | Risk If Ignored |
|---|---|---|---|
| Pre-Application Structuring (Month 1–2) | Decision to launch a payments product | Business model classification against PA/PG/PPI/Payments Bank frameworks. Candid feasibility assessment — particularly for Payments Bank enquiries given the limited licensing window. Corporate structure and shareholding review for FDI sectoral compliance where foreign capital is involved. | Building and launching a product under the wrong regulatory assumption — for example, operating as an unauthorised payment aggregator while believing the model is 'just a gateway' — exposes the company to action under Section 4 and Section 26 of the PSS Act for operating an unauthorised payment system. |
| Governance & Net Worth Build-Out (Month 2–6) | Application readiness assessment | Board composition, compliance function, and policy documentation built to RBI's actual evaluation standard. Capital infusion plan sequenced against the escalating net worth requirement. Escrow/nodal account arrangement finalised with a scheduled commercial bank. | An application filed with inadequate governance substance is either rejected or generates extensive query cycles that add months to the timeline and increase professional cost through repeated remediation. |
| Application & RBI Review (Month 6–12+) | Application filed with RBI DPSS | Query response management, drawing on experience of how RBI examiners frame follow-up questions on shareholding, technology, and policy adequacy. Tracking of in-principle approval conditions against their deadlines. | Delayed or poor-quality query responses extend the review timeline indefinitely and can result in application withdrawal being recommended by RBI rather than a formal rejection on record — a materially worse outcome for future re-application. |
| Go-Live & Early Operations (Month 1–12 post-authorisation) | Certificate of Authorisation issued | Compliance calendar setup for periodic reporting, transaction MIS returns, and the first system audit cycle. Internal controls testing to confirm actual operations match the policies filed with RBI at application. | A gap between the policies filed at application and actual day-one operations is the most common finding in an RBI's first post-authorisation inspection — remediation under regulatory scrutiny is materially more disruptive than building it right the first time. |
| Steady-State Supervision (Ongoing, Annual) | RBI's periodic supervisory cycle | Annual net worth certification, system audit report submission, and policy refresh against new RBI circulars — the payments regulatory framework is amended frequently (data localisation in 2018, PA/PG guidelines in 2020/2021, PA-CB in 2024 are recent examples). PNPC's retainer clients receive proactive alerts on circulars affecting their authorisation. | Non-compliance with ongoing conditions — a missed system audit, an unreported material change in ownership or technology — risks suspension or cancellation of the Certificate of Authorisation under the PSS Act, halting the business entirely. |
| Scale & Expansion (As business grows) | Cross-border collections, new product lines, M&A interest | Assessment of whether scaling into cross-border payment collection triggers PA-CB authorisation requirements. Evaluation of whether a new product (co-branded PPI, BNPL-linked wallet feature) requires an amendment to the existing authorisation or a fresh one. Investor and acquirer regulatory due diligence support. | Scaling into cross-border collection without PA-CB authorisation, or launching a materially new payment feature without confirming it falls within the existing authorisation's scope, creates fresh unauthorised-operation exposure even for an already-licensed entity. |
| Regulatory Change & Renewal Events | New RBI circular, periodic authorisation review, or licence condition change | Impact assessment of new circulars against existing operations (for example, tightened net worth thresholds, revised data localisation requirements, or new interoperability mandates). Coordination of any required systems or policy changes within RBI's compliance deadline. | The payments regulatory space changes faster than most other RBI-regulated categories; operators who do not track circulars proactively risk falling out of compliance without any single deliberate act of non-compliance — simply through inaction as the rules moved. |
| Exit, Sale, or Wind-Down | M&A, strategic exit, or business closure decision | Regulatory approval requirements for change in control or shareholding transfer of an RBI-authorised entity. Orderly wind-down plan for outstanding PPI balances or escrow funds if the authorisation is being surrendered, ensuring customer funds are fully settled before deregistration. | Change in control of a PA/PPI-authorised entity without prior RBI intimation or approval (as required under the authorisation conditions) is itself a compliance breach that can complicate or block the underlying M&A transaction. |
What is the difference between a Payment Gateway and a Payment Aggregator — and why does RBI treat them differently?
A Payment Gateway is purely a technology layer that routes and encrypts transaction information between the customer, the merchant's website, and the banks involved — it never takes custody of the actual funds. A Payment Aggregator, by contrast, receives the customer's payment into an account it controls (a nodal or escrow account) and then settles the net amount to the merchant after deducting fees. Because a Payment Aggregator briefly holds customer funds, RBI treats it as a payment system operator requiring authorisation under the PSS Act. A pure Payment Gateway that never touches funds generally falls outside that specific authorisation requirement — but in practice, most commercial payment processing platforms in India combine both functions, which brings the combined entity within PA regulation.
Do I need RBI authorisation to build a digital wallet or prepaid card product?
Yes, if you are a non-bank entity issuing the instrument. Prepaid Payment Instruments (PPIs) — which include digital wallets, prepaid cards, and gift cards that store value for future purchases or fund transfers — require a Certificate of Authorisation from the RBI under the PSS Act, granted per the Master Directions on Prepaid Payment Instruments. Banks can issue PPIs without a separate authorisation because they are already RBI-regulated entities, but a non-bank fintech or NBFC building a wallet product from scratch must obtain PPI authorisation before issuing instruments to customers, or partner with an already-authorised PPI issuer under a co-branding arrangement.
Can I still apply for a Payments Bank licence in India?
Technically the framework exists, but practically this is the most constrained licensing category PNPC advises on. RBI issued its Payments Bank licensing guidelines in November 2014 and granted licences to a limited cohort of applicants from that process; RBI has not run a continuous, always-open application window for new Payments Bank licences since. Policy toward new differentiated bank licences is periodically reviewed by RBI, and any prospective applicant should treat this as a multi-year strategic question rather than a routine application process. In most cases, promoters seeking similar commercial outcomes (deposit-like products, payments and remittance services) achieve them faster through a Business Correspondent arrangement with an existing bank, a PPI authorisation, or an NBFC structure.
What is the minimum net worth required for a Payment Aggregator or PPI licence?
RBI prescribes a minimum net worth at the time of application, with a requirement to reach a higher, escalating net worth figure within a specified number of financial years thereafter — this structure is designed to ensure only adequately capitalised entities remain authorised as they scale. Because these prescribed figures are revised periodically through RBI Master Direction updates and circulars, PNPC always verifies the current applicable figures directly against the live RBI Master Direction at the time of your engagement rather than relying on a fixed number from a prior year — quoting an outdated threshold is one of the most common errors we see from advisors who have not kept pace with RBI's updates.
What is a nodal account or escrow account, and why is it mandatory?
A nodal account (used interchangeably with escrow account in RBI's payment aggregator framework) is a special bank account maintained with a scheduled commercial bank, into which customer payments are received and from which merchant settlements are made, under terms that RBI prescribes to prevent the Payment Aggregator from co-mingling customer funds with its own operating funds or earning undue benefit from holding customer money. RBI mandates this structure specifically to ring-fence customer and merchant funds from the operational or insolvency risk of the Payment Aggregator itself.
What happens if I operate a payment system without RBI authorisation?
Section 4 of the Payment and Settlement Systems Act, 2007 prohibits operating a payment system in India without RBI authorisation, and Section 26 of the PSS Act prescribes penal consequences for contravention, including fines and, in specified circumstances, imprisonment for persons responsible for the contravention. Beyond the direct statutory exposure, an unauthorised operator faces practical business risk: banking partners typically require confirmation of RBI authorisation status before enabling nodal accounts or settlement rails, and investors conduct regulatory due diligence that will surface unauthorised operation as a material finding, commonly a deal-breaker or valuation-reducing issue.
How long does it take to get RBI authorisation for a Payment Aggregator or PPI licence?
There is no fixed statutory timeline — this is a regulator-paced process. In PNPC's experience, a well-prepared application with adequate governance, net worth, and technology documentation in place typically runs 6–12 months from initial filing to final Certificate of Authorisation, factoring in RBI's query and clarification cycles. Applications with governance or documentation gaps take considerably longer, as each query round can add several weeks. Building the governance and compliance infrastructure before filing — rather than filing early and fixing gaps reactively — is consistently the faster overall path.
Can a foreign company or NRI promoter apply for PA or PPI authorisation in India?
Yes, subject to standard FDI and FEMA compliance for the sector, and subject to RBI's promoter fit-and-proper evaluation applying equally to foreign promoters. Foreign investment in payment system operators is permitted under the FDI framework applicable to the relevant category, though specific conditions (including the Press Note 3 (2020) government-route requirement for investment from entities with beneficial ownership in a country sharing a land border with India) must be checked against the current promoter and shareholding structure. PNPC's Chennai, Bangalore, Hyderabad, and Dubai offices allow us to coordinate India entity structuring, FEMA/FDI compliance, and the RBI authorisation application under one engagement for foreign or NRI promoters.
What is the PA-CB framework and does it apply to my business?
PA-CB (Payment Aggregator – Cross Border) is the framework RBI introduced via its November 2024 circular extending payment aggregator-style regulation specifically to entities facilitating cross-border payment collections for the import and export of goods and services. If your Payment Aggregator business is expanding into, or already handles, cross-border transaction collection — for example, enabling Indian exporters to collect payments from overseas buyers, or Indian consumers to pay overseas merchants — this framework's specific eligibility and authorisation conditions apply in addition to, or in place of, standard domestic PA authorisation, depending on your existing licensing status.
Is a system audit mandatory before applying for PA or PPI authorisation?
Yes. RBI requires a system audit report from a CERT-In (Indian Computer Emergency Response Team) empanelled auditor as part of the application, covering the technology architecture, data security controls, and business continuity arrangements of the payment system. This audit examines whether the platform meets RBI's expected security and resilience standards — encryption in transit and at rest, access controls, incident response readiness, and data localisation compliance among other areas.
What is data localisation, and does it apply to payment system operators?
Yes, and it is one of the most operationally significant requirements for any payment system operator. RBI's April 2018 circular on the storage of payment system data requires that the entire data relating to a payment system — the full end-to-end transaction details, and any payment system data collected, carried, or processed as part of the transaction — be stored only in systems located within India. Any foreign leg of the transaction data may be stored abroad in addition to, but not instead of, the mandatory Indian copy. This requirement affects technology architecture decisions from day one — a global SaaS payments platform designed with servers only in another jurisdiction cannot simply add an India authorisation later without a material architecture change.
Can an NBFC also operate a payment aggregator or issue a PPI?
Yes, subject to obtaining the specific PA or PPI Certificate of Authorisation separately from its NBFC registration — an NBFC licence to carry on non-banking financial business does not itself authorise payment system operation. Many NBFCs pursue a combined lending-plus-payments strategy (for example, a consumer NBFC that also issues a co-branded PPI or wallet), but each regulated activity requires its own specific authorisation and ongoing compliance, and RBI evaluates the group's overall risk and governance posture across both when assessing a combined application.
What ongoing compliance is required after receiving PA or PPI authorisation?
Ongoing obligations typically include: periodic system audit reports (commonly annual) from a CERT-In empanelled auditor, annual net worth certification confirming continued compliance with the prescribed and escalating threshold, transaction data and MIS returns to RBI's Department of Payment and Settlement Systems in the prescribed format, maintenance of the escrow/nodal account per RBI's conditions, and prior intimation or approval for material changes such as a change in control, shareholding, or business model. RBI also conducts periodic supervisory inspections of authorised payment system operators.
What is the KYC requirement for PPI (wallet) customers?
RBI's PPI Master Direction prescribes tiered KYC requirements depending on the type and maximum value of the PPI. Minimum-detail PPIs (issued with limited KYC, typically OTP-based verification for small-value instruments) carry lower balance and usage limits, while full-KYC PPIs — where the customer's identity is verified per RBI's KYC Master Direction, typically through Aadhaar-based e-KYC or equivalent — permit higher balances and broader usage including fund transfers. Issuers must build KYC tiering into the product from the outset, since retrofitting a KYC framework onto an already-scaled wallet customer base is a significant operational undertaking.
Does a payment gateway or aggregator need to register separately in each Indian state?
No — RBI authorisation under the PSS Act operates at the central, national level; there is no state-by-state payment system licensing requirement. However, GST registration is required in each state where the entity has a fixed place of business or crosses the relevant threshold, and this is a separate, unrelated compliance requirement from the RBI payment system authorisation. Founders sometimes conflate the two — GST is a tax registration, RBI authorisation is a sectoral regulatory licence, and they follow entirely independent processes.
What is interoperability, and is it mandatory for PPI issuers?
Interoperability refers to the ability of a customer to use their PPI (wallet) balance to transact with, or transfer funds to, instruments or accounts issued by other providers — for example, transferring wallet balance to a bank account via UPI, or between wallets issued by different providers. RBI's PPI Master Direction has progressively mandated interoperability for full-KYC PPIs through UPI and card networks, moving away from the earlier closed-loop wallet model where funds could only be used within the issuer's own ecosystem. PPI issuers must build interoperability into their technology architecture and settlement arrangements as a compliance requirement, not merely a product feature.
What is the difference between a closed, semi-closed, and open system PPI?
RBI's PPI framework historically classified instruments as closed system (usable only for goods/services from the issuer itself, such as a single retailer's gift card — generally outside the need for RBI authorisation since no third-party payment or cash withdrawal function exists), semi-closed system (usable at a group of clearly identified merchant locations under contract with the issuer, but not for cash withdrawal — the most common wallet type, requiring RBI authorisation), and open system (usable at any merchant for goods/services and permitting cash withdrawal, typically issued only by banks). The classification determines both the authorisation requirement and the permissible use cases and limits.
Can a startup launch a payment feature using a licensed third-party PPI issuer instead of getting its own authorisation?
Yes, and this is a common and often commercially sensible path — a co-branding or program manager arrangement with an already RBI-authorised PPI issuer allows a startup to offer a wallet or prepaid-instrument feature to its customers without independently obtaining RBI authorisation, since the licensed partner remains the regulated entity issuing the instrument and bearing the compliance obligations. The trade-off is reduced control over product features, commercial terms, and the underlying compliance posture, since these remain governed by the licensed partner's own risk appetite and RBI relationship.
What is the role of the Financial Intelligence Unit-India (FIU-IND) for payment system operators?
RBI-authorised payment system operators — including PAs and PPI issuers — are 'reporting entities' under the Prevention of Money Laundering Act, 2002, obligated to maintain records of specified transactions and report suspicious transactions, cash transactions above prescribed thresholds, and certain other transaction categories to the Financial Intelligence Unit-India. This runs alongside, and is enforced in parallel with, RBI's own supervisory framework — a payment system operator's AML/CFT (Counter Financing of Terrorism) compliance is scrutinised both by RBI during inspections and can independently attract FIU-IND action for reporting failures.
How does PNPC charge for payment licensing advisory — is it a fixed fee?
PNPC scopes and quotes this engagement based on the specific authorisation sought (PPI, PA, PA-CB, or Payments Bank feasibility), the promoter group's current readiness (existing governance and technology maturity versus a from-scratch build-out), and whether the engagement covers the full application lifecycle or a defined phase (such as classification and feasibility only, versus full application management through to authorisation). We provide a written scope and fee proposal before any engagement begins — this is not a service PNPC prices as a flat, one-size-fits-all package given the material variation in starting readiness between applicants.
Why should I engage PNPC rather than a payments-specific fintech consultancy?
Many fintech-focused consultancies are strong on technology architecture and product strategy but do not have the underlying Chartered Accountancy, FEMA/FDI, and corporate law depth that an RBI application actually requires — net worth certification, promoter due diligence documentation, escrow account structuring, and the ongoing statutory compliance calendar all sit squarely in CA-firm territory, not pure technology consulting. PNPC combines both: we understand the payment system technology and business model questions well enough to classify your product correctly, and we have the CA-firm infrastructure to certify net worth, structure FDI-compliant shareholding, and manage the RBI relationship as an ongoing regulatory matter — not just get you to the application filing.
What does the PNPC payment licensing engagement typically include?
A typical full-scope engagement includes: business model classification and authorisation-category determination, feasibility assessment (particularly important for Payments Bank enquiries), promoter and group due diligence readiness review, corporate governance and policy documentation build-out, net worth structuring and capital-raise sequencing advisory, escrow/nodal account coordination with a scheduled commercial bank, technology and CERT-In system audit coordination, application compilation and filing, RBI query response management through to authorisation, and post-authorisation compliance calendar setup. The exact scope is confirmed in writing before engagement based on your specific starting point.
Is a virtual office address acceptable as the registered office for an RBI-authorised payment system operator?
The Companies Act itself does not prohibit a virtual or shared office address as a registered office, and RBI's payment system authorisation guidelines do not separately mandate a specific type of premises. In practice, however, RBI's promoter and operational due diligence for PA/PPI applications does examine the substance of the applicant's operational infrastructure — a registered office alone with no demonstrable operational capability (staff, systems, governance function) raises questions during the fit-and-proper and technology review stages, even if the address itself is not disqualifying.
What is a Business Correspondent, and is it an alternative to a Payments Bank licence?
A Business Correspondent (BC) is an agent appointed by a licensed bank to provide banking services — account opening, cash deposit/withdrawal facilitation, remittances — on the bank's behalf in locations or customer segments the bank does not serve directly, under RBI's BC guidelines. Operating as a BC does not require the agent itself to hold an RBI payment system or banking authorisation, because the BC acts under the principal bank's licence and supervision. For promoters seeking a payments and financial-inclusion-style business model without pursuing the demanding and largely closed Payments Bank licensing route, a BC partnership with an existing bank is frequently the faster, lower-capital commercial path to a similar customer-facing proposition.
Does RBI authorisation for a PA or PPI expire, or is it perpetual?
Certificates of Authorisation issued under the PSS Act are not typically granted for a fixed expiry date in the way some other statutory licences operate, but they remain conditional on continuous compliance with the authorisation conditions, and RBI retains the power to suspend or cancel an authorisation for non-compliance under the PSS Act. In practice, this makes ongoing compliance — not a renewal date — the operative discipline: an authorisation that is technically perpetual can still be revoked at any point if the operator falls out of compliance with net worth, reporting, or governance conditions.
What is the escalating net worth requirement, and why does RBI structure it that way rather than a single fixed threshold?
RBI structures net worth requirements for PA and PPI authorisation as an initial threshold at application, rising to a higher figure within a prescribed number of subsequent financial years, rather than a single flat number, because it wants applicants to demonstrate a credible entry-stage capital base while also committing to build institutional-grade capital adequacy as transaction volumes and systemic importance grow. This mirrors a broader RBI regulatory philosophy applied across NBFC and payment system categories — proportionate initial entry barriers paired with escalating requirements tied to scale and maturity.
Can a Payment Aggregator also process cross-border e-commerce export/import payments without PA-CB authorisation?
Following RBI's November 2024 circular, entities facilitating cross-border payment collection for the import or export of goods and services are brought within the PA-CB (Cross Border) framework, which imposes its own eligibility and authorisation conditions distinct from, or in addition to, domestic PA authorisation depending on the entity's existing status. An entity handling meaningful cross-border collection volume without assessing PA-CB applicability risks operating outside the scope of its existing domestic authorisation for that specific cross-border activity.
What role does FEMA play in a payment licensing engagement, separate from the RBI payment system authorisation itself?
FEMA governs the cross-border capital flow dimension — any foreign investment into the applicant entity (FDI via share allotment, reported through FC-GPR), any foreign shareholder or promoter, and any cross-border fund flow the payment system itself facilitates, are all subject to FEMA in addition to the PSS Act authorisation for the payment system activity itself. These are two distinct and separately-administered regulatory frameworks — RBI's Department of Payment and Settlement Systems oversees the PSS Act authorisation, while FEMA compliance (FDI reporting, sectoral caps, pricing guidelines) is assessed against the RBI's separate foreign exchange regulatory framework, even though both ultimately sit within the RBI as regulator.
What is the biggest reason PA/PPI applications get delayed or rejected at RBI?
In PNPC's experience, the most common causes are: governance and policy documentation that exists only as templates without operational substance behind them, net worth or capital structure that does not hold up under RBI's specific computation method, escrow/nodal account arrangements that do not conform to RBI's prescribed terms, and incomplete or inconsistent promoter due diligence disclosure that raises fit-and-proper concerns during review. Technology and system audit gaps are also common, particularly around data localisation compliance and business continuity planning.
Does PNPC also handle Payment Bank, PA, or PPI licensing for clients based in the UAE expanding into India?
Yes — this is a specific strength of PNPC's structure. With an operating office in Dubai alongside Chennai, Bangalore, and Hyderabad, we coordinate the full engagement for UAE-based fintech and payments companies entering India: Indian subsidiary incorporation, FEMA/FDI structuring and FC-GPR reporting for the capital inflow, RBI payment system authorisation (PA, PPI, or PA-CB as applicable), and the India-UAE tax and DTAA considerations for the group structure — as one coordinated engagement rather than a UAE advisor and an unconnected Indian advisor working in isolation from each other.
Do I need a separate authorisation if I only process payments for my own e-commerce marketplace and not third-party merchants?
This depends on the actual structure of your fund flow, not simply on whether merchants are 'third party' in a legal sense. If your marketplace collects customer payment into an account it controls before paying out to sellers or service providers on the platform — even if those sellers are onboarded directly onto your own marketplace rather than being external clients of a separate payment product — that fund flow can itself constitute Payment Aggregator activity requiring RBI authorisation, because RBI's PA/PG guidelines look at the substance of the payment collection and settlement mechanism, not merely the commercial label of the underlying marketplace relationship.
What is the process if RBI rejects a PA or PPI application?
RBI does not always issue a formal rejection on record; in many cases, where an application has material gaps, RBI's DPSS will informally indicate the application is unlikely to succeed in its current form, giving the applicant the option to withdraw and reapply once the gaps are addressed, rather than carrying a formal rejection in its regulatory history. Where a formal rejection does occur, reapplication is possible, but the applicant should expect heightened scrutiny on a subsequent attempt, making it especially important to remediate the specific issues that led to the earlier outcome rather than reapplying with only cosmetic changes.
How does PNPC stay current on RBI's frequently changing payment system regulations?
RBI's Department of Payment and Settlement Systems issues circulars, Master Direction amendments, and FAQs on an ongoing basis — the PA/PG guidelines alone have been substantively updated multiple times since their original 2020 issuance, most recently with the PA-CB framework in November 2024. PNPC's FEMA/RBI advisory team tracks DPSS circulars as part of standing practice, and retainer clients receive proactive advisories when a regulatory change affects their specific authorisation or business model, rather than discovering the change only when it affects an inspection or filing.
PNPC Global vs typical alternatives for payment system licensing
| Dimension | PNPC Global | Fintech-focused Consultancy | Law Firm Alone | In-House / DIY |
|---|---|---|---|---|
| Business model classification (PA vs PG vs PPI vs Bank) | Core diagnostic step of every engagement, grounded in CA-firm regulatory practice since 1986 | Often strong on technology framing, less consistent on regulatory nuance | Legally accurate but sometimes disconnected from operational/technology substance | High risk of self-serving misclassification — founders often want the lighter-touch answer |
| Net worth certification & capital structuring | In-house CA certification and capital-raise sequencing as standard practice | Typically outsourced to a separate CA — adds coordination overhead | Not a core competency — referred out | Frequently underestimated or planned too late |
| FEMA/FDI coordination for foreign promoters | Integrated — same firm handles FC-GPR, shareholding structuring, and RBI application | Variable; foreign investment structuring often outside core scope | Strong on FEMA legal interpretation, weaker on the ongoing filing execution | High risk of missed FC-GPR deadlines and shareholding structure errors |
| Escrow/nodal account bank coordination | Direct coordination with scheduled commercial banks experienced in RBI-compliant escrow terms | Varies by firm's banking relationships | Not typically part of law firm scope | Founders often present a generic current account that fails review |
| Ongoing post-authorisation compliance | Standing compliance calendar and circular-tracking as part of retainer relationship | Frequently ends at authorisation — limited ongoing retainer model | Typically transactional, not a continuing compliance relationship | Easy to fall behind without a dedicated compliance function |
| India-UAE cross-border coordination | Genuine operating presence in Dubai alongside Chennai, Bangalore, Hyderabad | Rare to have a genuine UAE office, not just a referral partner | Occasional UAE desk, but not integrated day-to-day | Requires managing two unconnected advisors across jurisdictions |
| Fee transparency | Written scope and fee proposal before engagement begins, tailored to actual readiness | Often bundled into broader technology consulting retainers | Typically hourly billing with less cost predictability | No professional fee, but highest risk of costly rework |
What the PNPC package includes
- 01
Business model classification against PA, PG, PPI, PA-CB, and Payments Bank frameworks, with a candid feasibility assessment before engagement
- 02
Promoter and group fit-and-proper readiness review benchmarked against RBI's actual evaluation criteria
- 03
Net worth certification and capital infusion sequencing aligned to RBI's prescribed and escalating thresholds
- 04
Corporate governance and board composition structuring, including compliance, risk, and grievance redressal function design
- 05
Full policy documentation suite — KYC/AML, fraud risk management, grievance redressal, business continuity, outsourcing, and data localisation policies
- 06
Escrow/nodal account coordination with scheduled commercial banks experienced in RBI-compliant terms
- 07
CERT-In empanelled system audit coordination and pre-review of technology architecture for data security and localisation compliance
- 08
Complete application compilation, filing with RBI's Department of Payment and Settlement Systems, and query response management through to authorisation
- 09
FEMA/FDI structuring and FC-GPR reporting for foreign promoters and investors, coordinated under the same engagement
- 10
Post-authorisation compliance calendar — periodic system audits, net worth certification, MIS returns, and proactive alerts on new RBI circulars affecting the authorisation
Before you build the product or promise a launch date, get a candid RBI classification and feasibility assessment from a CA firm that has managed cross-border financial services compliance since 1986 — talk to PNPC Global's FEMA & RBI advisory team in Chennai, Bangalore, Hyderabad, or Dubai.