Introduction
This policy is created by PayGlocal Technologies Private Limited (hereinafter referred to as the "Company" or PayGlocal or "We") to clearly document guidelines & practices followed by the Company for refund in the course of its Payment Aggregator ("PA") and Payment Aggregator – Cross Border ("PA-CB") businesses. The Reserve Bank of India ("RBI") by means of Guidelines on Regulation of Payment Aggregators and Payment Gateways ("PA Guidelines") and Regulations on Payment Aggregator – Cross Border ("PA-CB Regulations") regulates PA and PA-CB intermediaries in the payment ecosystem.
In accordance with the PA Guidelines and PA-CB Regulations PayGlocal ensures detailed evaluation of each merchant onboarded on its system with detailed coverage of all the steps. ("Merchant On-boarding Policy" or "Policy"). The intent of the Policy is to establish a comprehensive mechanism to onboard merchants on the platform.
Merchant on-boarding process includes documentation collection and verification, merchant nodal codes setup process, activation & maintenance activities.
Our assessment and evaluation processes followed have been diligently drafted primarily on the guidelines and rules framed by RBI, advice and counsel of our banking partners and renowned consultants, prevailing industry best practices and our own zeal to provide our merchants and customers a safe, trusted, reliable and a secure platform to allow exchange of payments across. These assessments, evaluations and processes are updated from time to time as per the regulatory guidelines formulated and enforced.
II Objectives
The key Policy objectives are:
- Adherence to regulatory compliance in line with RBI guidelines titled 'Guidelines on Regulation of Payment Aggregators and Payment Gateways' dated March 17, 2020 and bearing reference no. RBI/2020-21/117 CO.DPSS.POLC.No.S33/02-14-008/2020-2021 and amendments issued to the same thereafter.
- Adherence to regulatory compliance in line with RBI regulations titled 'Regulation of Payment Aggregator – Cross Border (PA – Cross Border)' dated October 31, 2023 and bearing reference no. RBI/2023-23/80CO.DPSS.POLC.No.S-786/02-14-008/2023-24 and amendments issued to the same thereafter.
- Adherence to regulatory compliance in line with RBI regulation titled 'Master Direction on Know Your Customer (KYC), 2016 ('KYC Master Directions) and amendments issued to the same thereafter.
- Provide a clean, secure and robust process to ensure thorough assessment and evaluation of the prospective merchants of the Company.
- Provide seamless onboarding experience to the merchant
- Adequate management of financial and operational risk associated with the merchant onboarding process.
- Checks and evaluation criteria at the time of onboarding the merchant.
The policy must be read in conjunction with the Company's Know Your Customer/ Anti-Money Laundering/ Combating Financing of Terrorism Policy (KYC/AML/CFT Policy), as updated from time to time.
III Scope and Applicability
The scope of the Merchant Onboarding Policy is to establish the framework and requirements for ensuring adequate management of regulatory compliance, financial and operational risk associated with the merchant onboarding process. The aim of this framework is not to eliminate the aforesaid risk, but to assist in managing the risks involved in the activities associated with KYC verification, commercial update/ payment option enablement etc., to maximize efficiency, to improve the processes and to minimize chances of adverse consequences and resultant losses.
This Policy shall be applicable to all the merchants with whom the Company establishes a PA or PA-CB relationship irrespective of the entity types or the scale of the merchants.
The Customer Onboarding, Risk and Compliance teams shall be responsible to assess scrutinize the potential merchant based on the information collected from the said merchant. The parameters for assessing the merchant are subject to and in accordance with the applicable laws, including the PA Guidelines and PA-CB Regulations.
IV Governance
The Policy is approved by the Board of Directors (“the Board”) of the Company.
The merchant sourcing / sales team and the risk & operations team are responsible for onboarding merchants and performing necessary due diligence.
A report on an agreed frequency is submitted to senior management for the merchants onboarded, necessary findings and due diligence conducted. A list of merchants is also provided to competent regulatory authorities whenever requested.
On-boarding Risks
The scope of this section is to capture the activities and process steps involved in merchant onboarding and to identify the risks in the system.
Throughout our process of merchant onboarding, PayGlocal bears two types of contingent liability: Financial risk and compliance risk.
Please note that relevant financial risk and its mitigation guidelines on account of merchant credit / fraud risk is part of the Company's 'Merchant Risk & Fraud Policy.’
Financial risk
PayGlocal is exposed to financial risks in the following situations:
- Activate payment option / merchant on incorrect TDR (with reference to agreement/ addendum).
- Activate merchant / payment option on TDRs less than the buy rate / bank rate except in cases where business head approval on TDR is available.
- Activate merchant on incorrect settlement type / flag (T+1, T+2 or any other).
- Activate incorrect bank details updated on MID.
- Activate incorrect nodal codes.
- Activate a merchant without requisite approval.
- Activate merchant on incorrect back-end processor keys.
Compliance risk
Compliance Risk is endured in the following situations:
- Merchant on-boarded without agreement.
- Merchant KYC documents are missing as per the entity type of the merchant.
- Merchant KYC documents are forged or not validated from the source.
- Modification of details for live merchant without additional checks.
Other Assessments
- Verification of brand identity, business model and line of business of the Merchants
- Website Redirection – If the merchant website is redirecting to a different website for purchase or payments, we seek clarification on requirement of PG Web/App not live. If web/app is not live or throwing some error, we don't allow and inform the business team to take up with merchant further.
- Incorrect web/app URL – If the merchant has shared an incorrect URL, we do not allow and inform the business team to talk with the merchant about such rectification. These businesses are subject to further verification of business model. Additional information or documents are sought here. Business Model must be clearly defined while ascertaining LOB of the merchant. Model must accurately define the use of PG on the merchant website/application. Purpose of PG must be clearly stated in detail.
- Refund & Cancellations Policy of the merchants: Verify refund policy offered by merchant (Returns/ Refunds or replacements or no refund no exchange), applicable policy TAT (Days till policy remains active for services/products as per merchant business model), mode of refund, the time till when the merchant is going to accept the cancellations and through which all channels.
- Privacy policy of the merchants – Privacy policy should be according to the jurisdiction of India or their state in addition from where merchant is doing his business, customer/user information collection, use of information, third party disclosure, information protection, rights of users, cookies policy and notification of changes
- Commercial check – This check is needed for the enterprise level merchants. PayGlocal will validate merchant’s commercials as per the updated benchmark sheet for respective banking industry. Users need to select approve/reject/approval required for all the line as per the Commercials which are below the benchmark rates would need an approval from the respective business head of department.
V Merchant Onboarding Overview
The Company shall ensure that the following KYC and due diligence checks are performed on the merchants as part of the onboarding process as per the PA Guidelines and PA-CB Regulations:
- The Company shall obtain the proof of business existence for the merchant as per the applicable KYC/AML regulatory requirements. (Refer to Appendix-2 below) and KYC for overseas merchants, will be as per the regulation defined in that geography.Important Note: KYC/AML/CFT Policy covers the detailed approach on KYC process
- The merchant onboarding team shall perform a complete KYC check of the merchant. Verification shall be done for identity of the merchant and address of the establishment as per the regulatory requirements for KYC verification.
- The Company shall undertake background and antecedent checks of the merchant to ensure that fraudulent merchant set-ups, unreliable or untrustworthy operators are not onboarded. It includes KYC document verification and risk assessment of the merchant through assessment of the website, line of business and various paid / unpaid third party platforms.Important Note: KYC/AML/CFT Policy covers the detailed approach on KYC process
- For domestic merchants, based on the merchant's line of business / business model, number of years of operations, the merchant shall be classified as low, medium or high risk and accordingly, and the periodic updation of KYC/ Re-KYC will be triggered as per the extant directions of the RBI including but without limitation the RBI KYC Master Directions.
VI Merchant Onboarding Process
The Policy covers mainly the following aspects of managing financial risk and compliance risk:
- Merchant KYC verification
- Merchant commercial update – Revenue and Cost
- Merchant payment option activation
- Merchant bank details update
- MID Creation and Activation
This Policy aims to define the following processes, which are to be executed by Merchant On-boarding team and part of PayGlocal core activity of payments processing:
Merchant KYC validation:
- Merchant supporting documents and KYC validation / verification.
- PayGlocal's terms of use to be agreed with and accepted by the Merchant
Merchant Commercial update:
- TDR & Base rate (rack rate) verification –Revenue
Merchant payment option update:
- Checking payment options are enabled as per the as per the agreed terms.
Merchant bank details update:
- Account Verification
- Preformat Code Creation (Beneficiary code with Nodal Bank)
MID Creation & Activation
- Creation & Activation of MID
Please refer to Appendix 1 of this Policy for the list of banned and restricted business lists. Restricted categories to be onboarded post joint approval from Risk and Business heads.
VII Merchant KYC Verification
To minimize the error in merchant validation in Onboarding process and to enable Transaction and Settlement for the Merchant below due diligence on merchant KYC is performed.
Settlement Obligations
Merchant settlement cycle within the system will be as following:
- Settlement cycle will be defined and agreed with the merchant.
- PayGlocal will ensure the settlement cycle is configured in PayGlocal system complies with the agreed time with the merchant in the contract.
- PayGlocal will ensure the settlement cycle is not configured to be later than (Td+1) or (Tr+1) as per the settlement cycle agreed with the merchant.
- Certain exceptions will be agreed with the merchant when the settlement can be put on hold by PayGlocal which shall include.
- risk-based events such as excessive chargebacks, complaints, frauds, non-compliance, etc.
- other scenarios where deferred settlement is agreed between PayGlocal & merchant explicitly in the merchant agreement.
- Merchants will be obligated to comply with regulatory & compliance requirements set down in the PA Guidelines with respect to handling customers’ card data. It will be considered a breach of agreement if the PA Guidelines on handling card data are not adhered to, and the Merchant’s transaction processing is suspended immediately until the situation is remediated.
- For cross border transactions, settlement cycle shall be mutually agreed between the merchant and PayGlocal teams and shall be documented in the agreement.
Merchant supporting documents and KYC validation/ verification
Depending on the business entity and type of the merchant a defined set of respective documents is required which should be provided by the merchant. The KYC documents are validated/ verified and if any application is considered as unacceptable/ unqualified the merchant is to be rejected and the services will not be enabled. Please refer to Appendix-2 of this Policy for KYC documents required by each merchant entity type.
Merchant commercial update
Based on the agreement between the merchant and PayGlocal, the merchant is charged a service fee which may vary basis the various plans offered to the merchant as per the business category or as per the agreed terms between PayGlocal and the merchant.
Merchant payment option update
Tp, Ts, Td and Tr are terms defined by RBI as time of payment, time of shipment, time of delivery and time of refund. PayGlocal is not in the business of shipping goods or services. Hence, PayGlocal will agree on settlement cycle with the merchants either based on Tp, Td or Tr and will adhere to the agreed timelines for settlement cycle excluding exception.
Based on the commercials provided by the business team, onboarding team checks them against the base rate (rack rate) and commercials agreed with the merchant to process further. If the rates are below the base rate (rack rate), the team rejects the cases. Such cases only get processed on approval of the business head.
- A check is in place to ensure all the payment options are enabled as per the agreed terms between PayGlocal and the merchant.
Merchant bank details update
PayGlocal will review and validate all its merchants as mentioned below:
Bank account validation
Bank verification letter/ cancelled cheque/ bank account details is/are mandatory document(s) which is provided by the merchant for due diligence wherein the details are cross checked and validated and if any application is considered as unacceptable/unqualified the merchant should be rejected and the services should be put on hold.
Bank validation testing or account verification
A systemic bank account verification activity is performed for any new bank account that is recieved on our system to validate the authenticity of the merchant’s account. The check is implemented to see if the merchant has provided valid / active bank account.
Preformat code creation
PayGlocal system creates 'preformat codes’ which is mandatory for merchant settlement wherein a code in specific format is mapped to the bank account details of a Merchant on a particular merchant ID. These codes are updated on bank’s portal that processes PayGlocal’s merchant settlements. This ensures that settlement will be done on the merchant’s bank account that is mapped to the specific code which is mapped on the system.
VIII MID Creation & Activation
PayGlocal will create the unique MID in the PayGlocal system once the below conditions are met:
- Merchant Risk Underwriting approval
- KYC assessment approval
- Sanction screening
If all the above conditions are successfully completed, then MID will be generated post which MID would be activated for transaction processing.
MID activation is preceded by following activities:
- Updation of merchant and bank rates
- Update of agreement settlement cycle
- Successful setup and mapping of beneficiary codes with MID
IX Security Assessment of Merchants
The following security assessment will be conducted prior to onboarding merchants, wherever applicable:
Security controls implemented by the merchants will be assessed by the Company. The assessment would include checks of the following aspects, at least:
- Security safeguards implemented by merchants to ensure transactions are secure and customer data is protected.
- Encryption standards implemented.
- Breach and security incident management procedures implemented by the merchants.
- No storage of card information/ data of the customers and related data.
Merchants will be assessed to ensure compliance of their infrastructure to security standards PCI-DSS, as applicable. Merchants are obligated to be compliant with the security standards as per PA Guidelines and PA-CB Regulations and any violation of the same is considered breach of agreed terms with PayGlocal and can be considered as grounds for delisting or deactivation.
Merchant site shall not save customer card and a security audit of the merchant may be carried out to check compliance, as and when required. Merchants are not allowed to store payment data irrespective of their being PCI-DSS compliant or otherwise. They shall, however, be allowed to store limited data for the purpose of transaction tracking, for which the required limited information may be stored in compliance with the applicable standards.
Data sovereignty: PayGlocal shall take preventive measures to ensure that a Merchant does not store data in infrastructure that belongs to jurisdictions which may be physically located outside India. Appropriate controls shall be considered to prevent unauthorized access to the data.
A review will be conducted at least annually in order to verify continued compliance by the merchants already onboarded.
Below mentioned is the indicative frequency of security assessment based on the volumes processed by the merchant:
Volumes processed monthly (USD) | Frequency of security assessment |
---|
Greater than 5 Mn | 12 months |
Between 2 Mn to 5 Mn | 18 Months |
Less than 2 Mn | 24 months |
X Delisting and Deactivation of Merchants
Delisting or de-activation of a merchant shall be considered for the reasons as per the agreed terms between the Company and the merchant. The reasons for deactivation shall include the following:
- Non-adherence to the terms and agreed terms between the merchant and the Company.
- Merchant's involvement in fraudulent transactions.
- Complaints raised against the merchant.
- Cancellation request from the merchant.
- Merchant inactive and not performing transactions for 12 (Twelve) months or more.
- Any direction or request received from any governmental authority; and
- Data security breach.
XI Policy Review
The Policy shall be reviewed as and when required (at least annually), or when significant regulatory changes occur to ensure its continuing suitability, adequacy, and effectiveness. The changes must be approved by the Board of the Company.
XII Record Keeping
The records pertaining to merchant transactions/ complaints shall be maintained for a minimum period of 5 (Five) years by the respective department of the Company as per the KYC Master Directions.
PayGlocal shall maintain all necessary records of transactions between them and the customer, both domestic and international, for at least 5 (Five) years from the date of transaction and preserve the records pertaining to the identification of the merchants and their addresses obtained while opening the account and during the course of business relationship, for at least 5 (Five) years after the business relationship is ended.
PayGlocal shall make available the identification records and transaction data to the competent authorities upon request and also maintain all necessary information in respect of transactions prescribed under Rule 3 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005, so as to permit reconstruction of individual transaction, including the following:
- the nature of the transactions.
- the amount of the transaction and the currency in which it was denominated.
- the date on which the transaction was conducted.
- the parties to the transaction.
Banned Business List
- Adult goods and services which includes pornography and other sexually suggestive materials (including literature, imagery and other media), escort or prostitution services.
- Alcohol which includes alcohol or alcoholic beverages such as beer, liquor, wine, or champagne.
- Body parts which include organs or other body parts.
- Bulk marketing tools which include email lists, software, or other products enabling unsolicited email messages (spam).
- Cable descramblers and black boxes which includes devices intended to obtain cable and satellite signals for free.
- Child pornography which includes pornographic materials involving minors.
- Copyright unlocking devices which include Mod chips or other devices designed to circumvent copyright protection.
- Copyrighted media which includes unauthorized copies of books, music, movies, and other licensed or protected materials, copyright infringing merchandise.
- Products labelled as 'tester, 'not for retail sale,' or 'not intended for resale'.
- Copyrighted software which includes unauthorized copies of software, video games, and other licensed or protected materials, including OEM or bundled software.
- Counterfeit, unauthorized goods which include replicas or imitations of designer goods; items without a celebrity endorsement that would normally require such an association; fake autographs, counterfeit stamps, and other potentially unauthorized goods.
- Products that have been altered to change the product's performance, safety specifications, or indications of use.
- Drugs and drug paraphernalia which includes hallucinogenic substances, illegal drugs and drug accessories, including herbal drugs like salvia and magic mushrooms.
- Drug test circumvention aids which include drug cleansing shakes, urine test additives, and related items.
- Endangered species which includes plants, animals, or other organisms (including product derivatives) in danger of extinction.
- Government IDs or documents which includes fake IDs, passports, diplomas, and noble titles.
- Hacking and cracking materials which include manuals, how-to guides, information, or equipment enabling illegal access to software, servers, websites, or other protected property.
- Illegal goods which include materials, products, or information promoting illegal goods or enabling illegal acts.
- Miracle cures which include unsubstantiated cures, remedies, or other items marketed as quick health fixes.
- Offensive goods which include literature, products, or other materials that:
- Defame or slander any person or groups of people based on race, ethnicity, national origin, religion, sex, or other factors.
- Encourage or incite violent acts.
- Promote intolerance or hatred.
- Offensive goods, crime which includes crime scene photos or items, such as personal belongings, associated with criminals.
- Pyrotechnic devices (apart from the ones mentioned in the Restricted category), hazardous materials and radioactive materials and substances.
- Tobacco and cigarettes which includes cigars, chewing tobacco, and related products.
- Traffic devices which include radar detectors/jammers, license plate covers, traffic signal changers, and related products.
- Weapons which include firearms, ammunition, knives, brass knuckles, gun parts, and other armaments.
- Matrix sites or sites using matrix scheme approach/Ponzi/Pyramid schemes.
- Work-at-home information.
- Any product or service which is not in compliance with all applicable laws and regulations whether federal, state, local or international including the laws of India.
- BPO services.
- Surgical products on B2C model.
- Immigration services.
- Immigration services.
- Guaranteed Employment Services.
- Religious products that make false claims or hurt someone's religious feelings/beliefs.
- Adoption agencies.
- Pawnshop.
- Esoteric pages, Psychic consultations.
- Telemarketing (Calling list, selling by phone for example travel service, overall sales).
- Credit Counselling/Credit Repair Services.
- Get Rich Businesses.
- Bankruptcy Services.
- Websites depicting violence and extreme sexual violence.
- Bestiality.
Restricted Business List
- Gaming/gambling which includes lottery tickets, sports bets, memberships/enrolment in online gambling sites, and related content.
- Prescription drugs or herbal drugs or any kind of online pharmacies which includes drugs or other products requiring a prescription by a licensed medical practitioner. Exceptions:
- Medical devices authorized by the FDA for over-the-counter purchase that are not otherwise restricted and are appropriately described and labelled, including eyeglass frames, tanning devices, otoscopes, ionized or ionic bracelets, Personal Sound Amplification Products (PSAPs), etc.
- Fireworks and related flammable goods.
- Securities which include stocks, bonds, or related financial products.
- Forex merchants.
- Crowdfunding.
- Investment in the future of assets (Futures markets are the performance of contracts for purchase or sale of certain matters at a future date, agreeing price on the present, the amount and due date. Currently, these negotiations are conducted in stock markets).
- Portfolio Collection, Debt Collection.
- Stock trading & Financial advisory.
- Multilevel sales, profit or income by referral of new users.
- NGO.
- Real Estate.
- Loans.
- Surgical products on B2B model.
- Club memberships.
- Money transfer.
- Resume Writing Services.
- Auctions/Tenders.
- Sale of gemstones / High value jewellery.
- Sale of animal husbandry.
- Antiques or collectibles.
- Dietary and herbal supplements.
- OTC drugs.
- Photographs, images from videos, images generated by PC Images (copyright or intellectual property).
- Foundations, donations or fundraising by third parties.
- Discount coupons, coupons.
- Sex shops and erotic items.
- Professional services (psychologists, lawyers, etc.).
- Protection services (Bodyguards services).
- Electronic cigarettes (e-cigarettes).
- Political Parties; Politically related payments (donations for a party).
- Religious Organisations.
- Financial Services: money exchange service, including bitcoins, cryptocurrency, forex brokers, financial institutions, debt recovery.
- Financial Products (Mutual Funds, Insurance).
- Real Estate Agents/Brokers.
- Matchmaker services.
- Sexual Health Products (Vitamins, Nonprescriptive Treatment & Medicine).
- Offline dating meetups, social-based dating events, matchmaking.
- Gift Cards as Primary Business.
- Gold, Silver & Precious metals.
- Collection Agencies.
- Medical Devices.
- Chit Fund, Credit societies, and small NBFC.
- Fireworks.
- Lottery, Raffles.
- Incentive Business.
- Funeral Services.
- Subscription Services.
- Warranty Services.
- Air Bags, Batteries containing mercury.
- Government Uniforms.
- Real Estate Maintenance.
- Web Hosting, Designing.
- Art Promotion.
- Commodities Trading.
- Career Counselling Services.
- Marketplace Model.
- Aggregator, Payment Facilitator.
Appendix 2
KYC Document Requirements by Merchant Entity type