A significant regulatory overhaul is underway for India’s digital payment ecosystem. The Reserve Bank of India (RBI) has issued its comprehensive Master Direction on Regulation of Payment Aggregator (PA) on September 15, 2025. This landmark directive is the new single, authoritative compliance code for all entities facilitating payments in India.
The RBI Master Direction on Payment Aggregator consolidates and replaces numerous prior circulars, setting a definitive framework under the Payment and Settlement Systems Act, 2007, and FEMA, 1999.
This new code is designed to enhance regulatory clarity, boost consumer trust, and ensure that India’s digital payments infrastructure remains secure and globally benchmarked.
1. Mandatory Re-Licensing and the ₹25 Crore Capital Threshold
The most crucial change introduced by the RBI Payment Aggregator Master Direction is the heightened entry barrier and the requirement for mandatory authorisation.
- Mandatory Licensing: Non-bank entities operating as Payment Aggregators (PAs) must secure explicit authorisation from the RBI.
- Strengthened Capital Threshold: The directive raises the net-worth standard to ensure financial stability:
- At Application: PAs must possess a minimum net-worth of ₹15 crore to apply.
- Post-Authorisation: This minimum net-worth must escalate to ₹25 crore by the end of the third financial year after receiving the licence.
This rigorous financial requirement ensures only stable players operate in the critical payment intermediary space.
2. Expanded Scope: Unifying Online, Physical, and Cross-Border PAs
For the first time, the RBI has created a single regulatory umbrella covering all facets of payment aggregation.
The Payment Aggregator Master Direction clearly defines three categories:
- PA – Online (PA-O): E-commerce and non-physical transactions.
- PA – Physical (PA-P): Point-of-Sale (POS) and other physical acceptance devices.
- PA – Cross Border (PA-CB): Aggregation of inward and outward cross-border payments.
In essence, the regulatory mandate now applies to all bank and non-bank entities handling any form of aggregated digital payment flow.
3. Non-Negotiable Security: CERT-In Audits and PCI-DSS
Security, fraud prevention, and risk governance are central to the new rules.
The directive mandates that PAs must focus on modern cyber resilience:
- Annual Cyber Audits: PAs must conduct an annual system audit, including a comprehensive cyber security audit. Importantly, these must be performed by CERT-In empanelled auditors.
- Merchant Security: Furthermore, PAs are responsible for ensuring their merchants comply with global security standards like PCI-DSS and PA-DSS.
This is designed to boost consumer trust and secure India’s fast-growing ecosystem.
Conclusion
The RBI Master Direction on Payment Aggregator (2025) marks a pivotal moment, effectively creating a unified, future-ready compliance blueprint. This document replaces numerous older circulars, offering a clear path forward for the industry.
For all stakeholders, understanding and implementing these new mandates quickly is crucial.
For professional assistance on FinTech licensing, NBFC structuring, and complete payment regulatory compliance, connect with our experts:
📧 sailfreely(Replace this parenthesis with the @ sign)capasricha.com
