Account Aggregator Use Case for Payment Aggregators

20 Jan 2023

Payment Aggregators (PAs) play a crucial role in the financial sector by bridging the gap between merchants (who provide goods and services) and their customers. They enable payment collection and settlement between merchants and customers. 

As per the RBI, PAs include entities that:

  1. Provide technology infrastructure to facilitate processing of online payments, without actually handling the funds
  2. Facilitate e-commerce sites and merchants who accept payment instruments from customers
  3. Facilitate merchants to connect with acquirers

Apart from payment processing services, some PAs also provide generation of settlement, cross-border settlement services, and transaction management services. Thus, PAs are also subject to Forex regulations.

Regulatory Requirement for Security, Fraud Prevention, and Risk Management Framework

PAs have been operating in India for a while now and were recently brought into the regulatory ambit by the RBI. Regulations have increased the emphasis on security, fraud prevention and risk management.

The security framework governing PAs highlights five key measures for mitigating their risk: 

  1. Information Security Governance, to identify risk exposures along with remedial measures and residual risks
  2. Data Security Standards and best practices such as PCI-DSS, PA-DSS, latest encryption standards, Transport Channel Security, etc. to be implemented
  3. Security Incident Reporting, with security incidents/cardholder data breaches reported to the RBI within 2-6 hours, besides other monthly reporting
  4. Merchant Onboarding, to ensure these minimal baseline security controls are adhered to by the merchants
  5. Cyber Security Audit and Report

AA as a Tool for Fraud Risk Management – Payment Aggregator (PA) Perspective

As PAs have been brought into the regulatory ambit (being the newest Regulated Entity (RE) under the Central Bank), the onus of Fraud Risk Management has increased multifold. Across the world, the majority of frauds happen at the payment legs. PAs have to be one step ahead in Fraud Risk Management. The largest risk a PA (which is primarily responsible for settlement of the funds to the merchant) carries is ensuring that the funds being settled are for genuine transactions and for genuine goods & services provided by the merchant. The payment industry today lacks additional data points to detect foul play by merchants, as it has access only to Transaction Data under the PA framework.

Currently, risk assessment is primarily done during merchant onboarding, when a thorough KYC of the merchant is performed. After the merchant goes live, there are hardly any measures, controls, or innovations for continuous risk monitoring that look at data points beyond transaction data. This is where Account Aggregator can solve the problem for newly regulated REs. With access to banking data/GSTN data and many more FSRs participating as FIPs, the richness of data can add immense value in assessing the risk of a merchant.

Risk models can be built to assess the overall health of the merchant, thanks to one consent framework which provides:

  1. A continuous flow of recurring data,
  2. A seamless merchant-onboarding experience, and
  3. A Unified Consent Management Framework through AA.

Merchant Risk Monitoring will be a great tool to check frauds by merchants. Based on the Transaction Data and Financial Data coming from AA, the Fraud Risk team can do a combined behavioral pattern analysis and act accordingly.

To conclude, Payment Aggregators urgently need innovation and the Account Aggregator framework can be a game changer for the industry.

About Author:

Oomkar Kulkarnie is the Head of Product & Technology at 1pay.in, one of the leading payment aggregators in India. The author can be reached at oomkar@1pay.in for feedback and comments.