
Start Mobile Payments solutions

Starting a mobile payments business in India in 2026 begins with picking the right Reserve Bank of India category — Payment Aggregator, Payment Gateway, Prepaid Payment Instrument issuer, BBPS unit, UPI third-party app provider or Account Aggregator. Each category has its own authorisation, net worth, KYC, data localisation and audit obligations under RBI's PA-PG framework and Master Directions. Founders must also align with NPCI, PCI DSS and the DPDP Act, and build robust nodal account, settlement and grievance redressal systems.

Mayank Wadhera
Published: 6 Jan 2023
Updated: 23 May 2026

Launch a mobile payments business in India in 2026 — pick the RBI category, get the authorisation, build nodal and tech architecture and stay PA-PG compliant.

Start Mobile Payments Solutions in India: The 2026 Regulatory and Compliance Playbook

Starting a mobile payments business in India in 2026 means choosing one of six tightly regulated categories under RBI's oversight, building the capital base and nodal architecture those rules demand, and running a compliance programme from day one — not after launch. If you pick the right category, meet the net worth threshold, pass the system audit, and wire your GST and TDS obligations correctly, you can go from incorporation to live merchant flows within 12–18 months. Get any of those elements wrong, and RBI will simply not issue the authorisation.


The Six Regulatory Lanes — Which One Do You Actually Need?

The single biggest mistake early-stage payment founders make is treating "payments licence" as a single object. There are six distinct regulated categories, each with a different capital requirement, a different principal regulator, and a different revenue model.

1. Payment Aggregator (PA)

A PA onboards merchants, accepts funds from customers on behalf of those merchants, holds those funds in a nodal account, and settles net amounts to merchants. This is the highest-capital, highest-obligation route — and also the most commercially powerful, because you sit in the fund flow. Non-bank PAs must be incorporated as companies under the Companies Act 2013 and obtain authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSS Act).

2. Payment Gateway (PG)

A PG provides technology infrastructure to route payment instructions between customers, banks, and card networks — but does not hold funds. Because no fund-holding occurs, PGs are not required to obtain PA authorisation. They remain bound, however, by RBI's PA-PG Master Direction for data localisation, audit, and security standards. If you are building a pure routing layer for a bank or existing PA, this is your lane.

3. Prepaid Payment Instrument (PPI) Issuer

PPI issuers issue wallets, gift cards, meal vouchers, or transit cards under RBI's Master Direction on Prepaid Payment Instruments. There are two sub-categories: Small PPIs (limited to Rs. 10,000 balance, minimum KYC, cash-in only from bank accounts) and Full-KYC PPIs (up to Rs. 2,00,000 balance, full Aadhaar or V-CIP KYC, inter-operability mandatory). Full-KYC PPIs require net worth of Rs. 5 crore and RBI authorisation; small PPI issuance can be operated under a lighter notification regime.

4. Bharat Bill Payment Operating Unit (BBPOU)

BBPOUs participate in the Bharat Bill Payment System operated by NPCI Bharat BillPay Limited (NBBL). They connect billers (electricity, gas, telecom, insurance, education) and customer-facing payment channels. Authorisation comes from RBI; operational certification comes from NBBL. If your product is specifically about utility bill collection, this is the correct lane — not a full PA licence.

5. Third-Party Application Provider (TPAP) on UPI

PhonePe, Google Pay, Amazon Pay, and Paytm Payments Bank's UPI interface are all TPAPs. A TPAP does not hold an RBI licence directly. Instead, it contracts with one or more Participating Member banks (called the TPAP's sponsor bank) who are certified NPCI members. NPCI approval is required for any new TPAP. The TPAP must comply with UPI operating and procedural guidelines, RBI data localisation norms, and all applicable KYC rules — but capital obligations flow through the sponsor bank.

6. Account Aggregator (AA)

An AA is an NBFC-AA registered with RBI that enables consent-based sharing of financial data between Financial Information Providers (banks, MF houses, insurers) and Financial Information Users (lenders, wealth managers). Minimum net worth is Rs. 2 crore. If you are building embedded credit underwriting, open finance analytics, or personal finance management rather than a pure payment flow, this is the correct structure.

Pick your lane before you incorporate. The corporate object clause, the shareholders, the capital structure, and the compliance budget all flow from this choice.


RBI Authorisation: The PA Route Step by Step

For most payment startup founders, the Payment Aggregator authorisation is the target. Here is the actual sequence.

  1. Incorporate the company under Companies Act 2013. The company must be a body corporate — partnerships and LLPs are not eligible.
  2. Build to net worth threshold. At the time of application, your company must demonstrate net worth of Rs. 25 crore (as notified in RBI's updated PA guidelines). Net worth is paid-up capital plus free reserves minus accumulated losses and intangibles.
  3. Appoint fit and proper management. All directors and the CEO must clear RBI's fit and proper criteria. Any prior conviction, regulatory sanction, or insolvency disqualification bars the individual.
  4. Engage a CERT-In empanelled auditor to conduct a System Audit covering application security, network security, and data flow. The System Audit Report (SAR) is a mandatory attachment.
  5. Obtain PCI DSS certification if your architecture will touch card data — either as processor, transmitter, or storage node.
  6. File the application through PRAVAAH, RBI's centralised portal for regulatory applications. Attach the SAR, PCI DSS certificate, business plan, IT policy, board resolutions, and last three years' financials (or projections for a new entity).
  7. Receive in-principle approval. RBI typically issues in-principle approval before full authorisation. During this window, you may not commence live merchant operations.
  8. Open a nodal account with a scheduled commercial bank. The bank must be RBI-approved. The escrow/nodal arrangement must conform to the fund-flow requirements of the PA guidelines.
  9. Complete merchant onboarding framework — KYB documentation, risk classification of merchants by category, escrow mechanics, and prohibited merchant list controls.
  10. Receive final Certificate of Authorisation (CoA). This is the operative licence. Authorisation must be renewed periodically and any material change in ownership, technology, or product scope requires prior RBI intimation or approval.

Capital and Net Worth: The Numbers You Must Hit

The Rs. 25 crore net worth figure is not a one-time box to tick. It is an ongoing minimum. RBI has in the past directed existing authorised PAs to maintain and demonstrate net worth on a continuous basis, with consequences for slipping below the threshold.

For a new entrant, the practical capital-raising math looks like this:

Outlay | Estimated Range
Net worth (equity injection) | Rs. 25 crore
System audit, PCI DSS, IT infrastructure | Rs. 40–80 lakh
Nodal account initial float | Rs. 50 lakh–Rs. 2 crore
Legal, compliance, and PRAVAAH filing costs | Rs. 20–40 lakh
Ops and tech team (pre-revenue, 12 months) | Rs. 1.5–3 crore
Working capital buffer | Rs. 2–3 crore

A realistic all-in capital requirement to reach live authorisation — not just application — is Rs. 30–32 crore, assuming a lean tech build and no delays.

For PPI issuers on the full-KYC track, the Rs. 5 crore net worth requirement is the entry point, but similar audit and technology costs apply, pushing actual capital need to Rs. 7–9 crore before revenue.


Nodal Account Architecture and Settlement Mechanics

The nodal account is the treasury heartbeat of a PA business. Every rupee a customer pays flows into this escrow; the PA is a custodian, not a beneficiary. RBI's PA guidelines prescribe the permitted uses of nodal account funds, the timelines for settlement, and the audit obligations.

Key rules:

  • Funds collected by the PA from customers must be settled to the merchant's bank account within T+1 working days of the transaction confirmation. The PA may not use nodal account balances for its own treasury purposes or intercompany loans.
  • The PA must maintain a reconciliation statement daily, matching inflows (customer debits), outflows (merchant credits), refunds, and chargebacks.
  • The escrow bank is entitled to issue a certificate of balance to RBI upon request. The PA must not instruct the bank to withhold such information.
  • Refunds and chargebacks must be processed within defined timelines under RBI's customer protection circulars. A delay in processing a refund is a regulatory breach, not just a customer service issue.

A common architect's error is to build the nodal account as a simple current account with manual reconciliation. This does not scale. You need an automated reconciliation engine that flags unmatched transactions within 2 hours of cut-off, with an escalation workflow reaching the CFO for any variance above a materiality threshold you define at product design time.
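The reconciliation check described above, as an added example that is not part of the original article or any vendor's engine: it matches the PA's ledger against the escrow bank statement, classifies each break, and decides on escalation. The record layout, the sample rows and the Rs. 10,000 materiality value are assumptions; only the 2-hour window comes from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

FLAG_WINDOW = timedelta(hours=2)   # from the text: flag breaks within 2 hours of cut-off
MATERIALITY = Decimal("10000")     # assumed value in rupees; set at product design time

# Constructed sample data: (txn_id, kind, amount). Payments are inflows to the
# nodal account; refunds, chargebacks and merchant settlements are outflows.
LEDGER = [("T1", "payment", "1000.00"), ("T2", "payment", "2500.50"),
          ("T3", "refund", "300.00"), ("T4", "payment", "20000.00")]
BANK = [("T1", "payment", "1000.00"), ("T2", "payment", "2500.50"),
        ("T2", "payment", "2500.50"),            # duplicate credit on the statement
        ("T3", "refund", "300.00"), ("T5", "payment", "750.00")]


@dataclass(frozen=True)
class Break:
    txn_id: str
    reason: str      # missing_in_bank | missing_in_ledger | amount_mismatch
    delta: Decimal   # bank amount minus ledger amount, signed


def _net_by_txn(rows):
    """Sum signed amounts per transaction id so duplicates surface as mismatches."""
    totals = defaultdict(Decimal)
    for txn_id, kind, amount in rows:
        sign = 1 if kind == "payment" else -1
        totals[txn_id] += sign * Decimal(amount)
    return totals


def reconcile(ledger, bank, cutoff, run_at, materiality=MATERIALITY):
    led, bnk = _net_by_txn(ledger), _net_by_txn(bank)
    breaks = []
    for txn_id in sorted(led.keys() | bnk.keys()):
        if txn_id not in bnk:
            breaks.append(Break(txn_id, "missing_in_bank", -led[txn_id]))
        elif txn_id not in led:
            breaks.append(Break(txn_id, "missing_in_ledger", bnk[txn_id]))
        elif led[txn_id] != bnk[txn_id]:
            breaks.append(Break(txn_id, "amount_mismatch", bnk[txn_id] - led[txn_id]))
    # Gross (absolute) variance: offsetting breaks must not cancel each other out.
    gross = sum((abs(b.delta) for b in breaks), Decimal("0"))
    return {
        "breaks": breaks,
        "gross_variance": gross,
        "escalate_to_cfo": gross > materiality,
        "flagged_in_time": run_at - cutoff <= FLAG_WINDOW,
    }


if __name__ == "__main__":
    report = reconcile(LEDGER, BANK,
                       cutoff=datetime(2026, 6, 1, 23, 0),
                       run_at=datetime(2026, 6, 2, 0, 30))
    for b in report["breaks"]:
        print(b.txn_id, b.reason, b.delta)
    print("gross variance:", report["gross_variance"],
          "escalate:", report["escalate_to_cfo"],
          "within window:", report["flagged_in_time"])
```

Amounts are held as `Decimal` rather than floats so that paise-level differences are never rounding noise.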


Core Compliance Stack: What You Must Run on Day One

Do not build these as Phase 2 items. RBI examines compliance readiness as part of the authorisation review, not after.

Data Localisation

Under RBI's 2018 circular and all subsequent PA-PG guidelines, all payment system data must be stored only within India. This includes full end-to-end transaction details — customer identifier, payment instrument details, merchant identifier, transaction amount, timestamp. Processing may occur abroad, but the data must return and reside in India within the same business day. Cloud architecture must reflect this: use India-region availability zones and contractually restrict data egress.
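A residency check over a resource inventory, as an added example that is not from the original article: it flags payment-data stores, and their replication targets, that sit outside India regions. The inventory schema, resource names and tags are hypothetical and constructed for illustration; the region identifiers are the providers' published India regions.

```python
import json

# Cloud regions physically located in India, keyed by provider.
INDIA_REGIONS = {
    "aws": {"ap-south-1", "ap-south-2"},
    "azure": {"centralindia", "southindia", "westindia"},
    "gcp": {"asia-south1", "asia-south2"},
}

# Constructed sample inventory (hypothetical schema). In practice this would be
# exported from your asset inventory or cloud configuration tooling.
SAMPLE_INVENTORY = json.loads("""
[
  {"id": "txn-db", "provider": "aws", "region": "ap-south-1",
   "role": "storage", "data_class": "payment", "replicates_to": ["ap-south-2"]},
  {"id": "txn-archive", "provider": "aws", "region": "ap-south-1",
   "role": "storage", "data_class": "payment", "replicates_to": ["ap-southeast-1"]},
  {"id": "debug-dumps", "provider": "aws", "region": "ap-southeast-1",
   "role": "storage"},
  {"id": "marketing-assets", "provider": "aws", "region": "us-east-1",
   "role": "storage", "data_class": "public"},
  {"id": "fraud-scoring", "provider": "gcp", "region": "europe-west1",
   "role": "processing", "data_class": "payment"},
  {"id": "settlement-backups", "provider": "azure", "region": "centralindia",
   "role": "storage", "data_class": "payment", "replicates_to": []}
]
""")


def in_india(provider, region):
    """True only for a known provider and a known India region (fails closed)."""
    return region in INDIA_REGIONS.get(provider, set())


def residency_findings(inventory):
    """Return (resource id, finding, region) for every payment-data store or
    replication target outside India."""
    findings = []
    for res in inventory:
        # Fail closed: a resource with no data_class tag is treated as in scope.
        if res.get("data_class", "payment") != "payment":
            continue
        # The text allows processing abroad; only where data rests is checked here.
        if res.get("role") == "processing":
            continue
        provider = res.get("provider")
        if not in_india(provider, res.get("region")):
            findings.append((res["id"], "stored_outside_india", res.get("region")))
        for target in res.get("replicates_to", []):
            if not in_india(provider, target):
                findings.append((res["id"], "replicates_outside_india", target))
    return findings


if __name__ == "__main__":
    for finding in residency_findings(SAMPLE_INVENTORY):
        print(*finding)
```

Replication targets are checked separately because a store whose primary region is in India can still copy payment data abroad through cross-region replication or backup settings.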

KYC Under PMLA and RBI KYC Master Direction

Every merchant you onboard is a regulated entity relationship. Obtain CIN/GSTIN, beneficial owner declarations, PAN, proof of business address, and last 12 months' bank statements. For individual merchants, PMLA-compliant KYC applies. Maintain records for five years from the end of the business relationship. Flag high-risk merchant categories (gaming, crypto, adult content) for enhanced due diligence and senior management approval.

Cyber Security Framework

RBI's 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices requires a board-approved IT risk framework, an IT Steering Committee, and documented DR/BCP with annual testing. For PAs, add: VAPT (Vulnerability Assessment and Penetration Testing) by a CERT-In empanelled auditor at least annually, real-time SOC (Security Operations Centre) monitoring, and an Incident Response Plan with a 2-hour breach notification obligation to RBI.

Grievance Redressal

Name a Nodal Officer for customer grievances and publish their contact on your website and merchant dashboard. Your grievance policy must include a 30-day resolution timeline at the first level. Unresolved escalations feed into the RBI Integrated Ombudsman Scheme — if a customer complains to the Ombudsman and the PA has not issued a final response within 30 days, RBI will treat this as a compliance failure.


Technology Build: Minimum Viable Payments Infrastructure

You do not need to build everything from scratch, but you do need to own certain critical components outright — outsourced risk scoring or settlement engines owned by a third party can create TPAP/PA boundary issues in RBI's view.

Components you must own and control:

  • Switch and routing layer — routes transactions to the appropriate rail (UPI, card, net banking, wallet) with failover logic. Minimum 99.95% uptime SLA to stay within NPCI and RBI availability norms.
  • Merchant onboarding and KYB engine — scoring merchants against prohibited categories, PEP lists, negative databases, and real-time GST status checks.
  • Settlement and reconciliation engine — T+1 settlement computation, fee deduction, GST calculation on fees, TDS deduction under section 194-O, and net credit to merchant.
  • Dispute and chargeback management — evidence docketing, representation workflows, and outcome tracking aligned to card network and NPCI chargeback rules.
  • Fraud detection module — velocity checks, device fingerprinting, behavioural anomaly scoring. RBI expects a documented fraud monitoring framework, not ad hoc rules.

Tokenisation is now mandatory under RBI's card-on-file tokenisation circular. No PA or PG may store raw card data (Primary Account Number, CVV) after the tokenisation deadline. Use network-issued tokens (Visa Token Service, Mastercard Digital Enablement Service) for all card-on-file flows.


Tax Wiring for a Payments Business: GST, TDS, and FEMA

GST on Processing Fees

Payment processing fees, annual merchant subscription charges, and technology service fees are taxable at 18% GST (SAC 997159 — Other financial services). The PA is the supplier; the merchant is the recipient. If both are in the same state, CGST + SGST applies. If in different states, IGST applies. Register in all states where you have merchants, or rely on centralised registration with appropriate apportionment if eligible.

Section 194-O TDS on E-Commerce

A Payment Aggregator acting as an e-commerce operator under Section 194-O of the Income-tax Act, 1961 must deduct TDS at 1% on the gross amount paid or credited to every e-commerce participant (merchant). The deduction applies at the time of credit or payment, whichever is earlier. Threshold exemption: resident individual and HUF merchants with gross sales below Rs. 5 lakh in a financial year, and who have furnished their PAN, are exempt. All others: TDS mandatory. The PA must issue Form 16B and file quarterly TDS returns in Form 26Q. Failure to deduct attracts disallowance under Section 40(a)(ia) and interest under Section 201.

Worked example: Merchant A, a proprietor, generates gross sales of Rs. 8,00,000 through your platform in FY 2026-27. Your platform settles Rs. 7,90,000 after a 1.25% fee. TDS under 194-O = 1% × Rs. 8,00,000 = Rs. 8,000, deducted before settlement. Net settlement = Rs. 7,90,000 − Rs. 8,000 = Rs. 7,82,000. You deposit Rs. 8,000 to the government by the 7th of the following month and reflect it in Form 26Q for Q2.

FEMA, LRS, and Cross-Border Collections

If you collect payments from overseas buyers for Indian merchants (export of goods/services), you are operating under RBI's OPGSP (Online Payment Gateway Service Provider) guidelines. Key obligations:

  • Repatriate export proceeds to the merchant's bank within the timelines notified under FEMA (currently in alignment with the revised FEM (Export of Goods and Services) Regulations).
  • The importer's bank issues an eBRC (Electronic Bank Realisation Certificate) on DGFT's portal once repatriation is confirmed. Maintain eBRC records for FEMA audit purposes.
  • Cross-border processing fees earned by a non-resident technology vendor may attract Equalisation Levy at 6% if the service constitutes online advertising or specified digital services by a non-resident. Note: the 2% broadened EL on e-commerce supply by non-residents was abolished effective 1 April 2025 under the Finance Act 2025 — the 6% levy on specific services remains.

Common Mistakes That Stall or Kill Authorisation

1. Treating net worth as a snapshot, not a covenant. Several early-stage PAs have raised Rs. 25 crore, consumed it in burn, and found themselves below threshold when RBI asks for a fresh balance sheet during the in-principle to final authorisation window. Maintain a minimum Rs. 25 crore net worth at every point after application.

2. Filing the PRAVAAH application before the SAR is complete. RBI will return the application as incomplete. The SAR alone takes 60–90 days from engagement to final report from a CERT-In auditor. Begin it on day one, not after you think you are ready to apply.

3. Building the nodal account on a generic current account. Banks have specific escrow products for payment aggregators. A generic current account is not configured for the settlement, lien, and reporting obligations that RBI expects. Engage a bank's transaction banking desk — not retail banking — to structure this.

4. Using a foreign cloud region for payment data. A single misconfigured S3 bucket in Singapore can result in a data localisation breach. Conduct a data flow mapping exercise before go-live and re-audit it quarterly.

5. Ignoring Section 194-O until a merchant complains. Many PA platforms launch without wiring TDS deduction into the settlement engine, and then face a demand from merchants at year-end — along with RBI audit findings about the reconciliation gap. Build TDS computation into the settlement engine at MVP stage.

6. Mis-classifying merchants. Onboarding a crypto exchange, a fantasy gaming platform, or an adult content platform without enhanced due diligence or senior management sign-off is a prohibited merchant control failure under PA guidelines — grounds for licence suspension.


Worked Example: The Cost of a Delayed Authorisation

Consider a founder who incorporates in June 2026, targets a PA authorisation, but delays the SAR engagement until September 2026 because the tech build is not ready. The SAR completes in November 2026. PRAVAAH filing happens December 2026. RBI's review cycle of 6–9 months means in-principle approval lands in mid-2027 at the earliest, and final CoA in late 2027 or early 2028. During this 18-month window, the company is paying the ops and compliance team — assume Rs. 25 lakh per month in fixed costs — but generating zero payment revenue. Total opportunity cost of the SAR delay alone: Rs. 75–1,00,00,000 in cash burn before a single merchant transaction is processed. Begin the SAR engagement the same week the company is incorporated.


Key Takeaways

  • There are six regulated payment categories in India. Choose your lane before you structure the company — the capital, compliance, and revenue model are all category-specific.
  • PA authorisation demands Rs. 25 crore net worth, sustained throughout the life of the licence, not just at application date.
  • The System Audit Report (SAR) is the longest-lead item. Commission it immediately — do not wait for the tech build to stabilise.
  • Nodal accounts are escrow, not operating accounts. T+1 settlement and daily reconciliation are legal obligations, not best practices.
  • Section 194-O TDS at 1% must be computed on gross merchant sales and deducted before settlement from day one of operations, with quarterly Form 26Q filing.
  • All payment data must reside in India. Audit your cloud architecture for data residency before go-live; a single misconfigured service triggers a regulatory breach.
  • Tax obligations — GST at 18%, TDS under 194-O, and FEMA/eBRC for cross-border flows — must be wired into the payment engine, not handled manually in a spreadsheet.

Frequently Asked Questions

Do I need RBI authorisation to start a payment gateway?
A pure payment gateway acting only as a technology service provider that does not handle funds may operate without RBI authorisation, but a Payment Aggregator that onboards merchants and holds funds in a nodal account requires RBI authorisation under the PA-PG framework. The distinction often blurs in practice, so founders must structure the model carefully.

What is a Prepaid Payment Instrument licence?
A PPI licence is an authorisation issued by the Reserve Bank of India to issue prepaid wallets, gift cards or transit cards. The licence comes in small and full variants with different KYC, loading limits and interoperability obligations. Issuers must maintain prescribed net worth, hold funds in escrow with a scheduled commercial bank and comply with detailed KYC and AML norms.

Is data localisation mandatory for payment systems?
Yes. Under the RBI circular on storage of payment system data, all data relating to payment systems operated in India must be stored only in India, with limited carve-outs for foreign leg of cross-border transactions. The localisation requirement covers full end-to-end transaction details and is verified through system audit reports.

Can a startup directly integrate with UPI?
A non-bank fintech can offer UPI services only as a Third-Party Application Provider in partnership with one or more sponsor banks under NPCI's TPAP framework. The TPAP is responsible for the user experience, while the sponsor bank carries the regulatory accountability. Direct membership of UPI by a non-bank is not permitted.

Mayank Wadhera
Content Reviewed By

CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator
