Payment Aggregator Compliance: RBI Rules Every PM Must Know

RBI's 2026 payment aggregator guidelines and what they mean for product teams

TL;DR: RBI's PA-CB guidelines require merchant onboarding KYC, escrow account management, and 4-hour settlement windows. Non-compliance can mean license suspension—PMs must understand these constraints before designing payment flows.

Understanding PA vs. PG: Regulated vs. Borderline

The RBI's payment aggregator (PA) and payment gateway (PG) distinction isn't intuitive, and most product teams get it wrong. Payment aggregators directly settle funds to merchants — they hold escrow accounts, manage settlement, and are responsible for merchant KYC. Payment gateways are just technical pipes — they route payments to banks and don't touch the money. Aggregators are heavily regulated; gateways are barely regulated.

For product teams, this distinction matters because PAs operate under strict compliance rules (RBI PA-CB guidelines) while PGs have minimal compliance burden. If your product is handling merchant settlements, if you're holding customer funds even temporarily, or if you're managing recurring payments at scale, you're likely a PA whether you call yourself one or not. And if you haven't applied for PA licensing or compliance certification, you're operating illegally.

The RBI introduced the PA-CB (Payment Aggregator Compliance and Best Practices) guidelines in 2024–2025 to formalize requirements that were previously unclear. These guidelines are now the law. Non-compliance can result in directions to cease payment operations, penalty notices, and worse — regulators have shut down fintech apps for PA violations. PMs must understand these constraints before designing checkout flows.

Key Compliance Requirements: KYC, Settlement, and Data Localization

Merchant Due Diligence (MDD) and KYC: Every merchant using your PA must complete KYC. This isn't optional, and it's not "just for money laundering" — it's a core PA responsibility. Your product must have a merchant onboarding flow that collects business registration documents, PAN, GST (if applicable), bank account proof, and beneficial owner details. The KYC isn't just a checkbox: you must verify documents, maintain an audit trail, and be able to produce it to RBI auditors. For product teams, this means your merchant dashboard must include a KYC status workflow, document upload flows, and rejection/correction loops if documents are incomplete.

Fund Settlement Timelines: RBI requires settlement within 4 business hours of transaction completion. This seems simple until you hit edge cases: what if the merchant's bank is offline? What if there are disputes or chargebacks? The 4-hour rule means you can't hold funds for reconciliation — you must settle immediately and handle disputes later. Your product must show merchants exactly when they'll receive funds and provide real-time settlement status in their dashboard. Any delays require explanation (and are technically violations).

Escrow Account Management: As a PA, you must hold customer and merchant funds in an escrow account (not your operating account). This is a technical and accounting requirement, but it impacts your product's cash flow and reconciliation. If you're integrating with a banking partner, ensure they provide escrow account separation. If not, you're non-compliant. The RBI can audit your escrow account at any time.

Data Localization and Security: All transaction data for Indian customers must be stored in India. This means your payment databases, transaction logs, and customer data can't be stored in AWS US or any other region. You must use AWS India, Equinix Data Centers, or other RBI-approved data centers. This is often overlooked by product teams that inherit infrastructure from non-fintech projects.

Product Implications: Checkout, Merchant Dashboard, Dispute Handling

Checkout flow changes: Your checkout can't just say "pay with UPI" — it must show the merchant name, transaction amount, and terms clearly. RBI wants users to make informed decisions about where their money goes. If you're using a hosted checkout (redirecting to your PA's payment page), you must display terms before the payment. If you're embedding payments, the responsibility falls on your merchant to display terms. This is why most PAs now offer "pre-checkout consent" flows: "I authorize payment to [Merchant] for ₹[Amount]" before the payment is initiated.

Merchant dashboard features: Your product must include a merchant dashboard that shows transaction history, settlement status, and payout tracking. Merchants need to see (1) which transactions have been settled, (2) when they'll receive the funds, and (3) dispute status. If a chargeback is initiated, merchants must be notified within the RBI-required timeframe. This means building dashboard features for chargeback defense, settlement reconciliation, and dispute tracking — all of which are compliance requirements, not nice-to-haves.

Dispute and chargeback handling: The RBI requires PAs to handle disputes within specific timelines (typically 90 days for chargebacks, 60 days for refund disputes). Your product must provide dispute evidence collection, dispute status tracking, and customer communication flows. If a merchant disputes a transaction, they must be able to upload evidence (screenshots, conversation logs, delivery proof) through your dashboard within the allowed window. Most fintech products underestimate the operational load of dispute management — it's not optional.

Refund and settlement exceptions: What happens if a transaction is initiated but never completed? What if a refund is requested? RBI expects refunds to be processed within 1–2 business days. Your product must handle partial refunds, full refunds, and refunds beyond the merchant's transaction history. These are edge cases, but they're compliance requirements that show up during RBI audits.

Key Takeaways

  • Payment aggregators (PAs) are heavily regulated; if you handle merchant settlements, you're a PA and must comply with RBI PA-CB guidelines
  • Merchant KYC is non-optional and auditable; your product must collect, verify, and maintain KYC documentation
  • Settlement must occur within 4 business hours; delays are violations and must be explained to merchants in real time
  • All Indian customer data must be localized to India; check your infrastructure for compliance before launch
  • Checkouts must display merchant name, amount, and terms before payment; pre-checkout consent flows are now standard
  • Merchant dashboards must include settlement tracking, dispute evidence upload, and chargeback status — these are compliance, not features
  • Dispute timelines (90 days for chargebacks, 60 days for refunds) must be baked into product workflows; treat them as hard constraints
