Fintech has been the buzzword in the last decade and payments technology has been at its forefront. However, with greater innovation comes greater responsibility to monitor and regulate the institutions involved. Despite its mass acceptance and large user base, one such institution brought into the spotlight of legal debate is Google India’s payments operation, Google Pay. This article explains the legal debate behind it and what it means for India’s payments ecosystem.
A public interest litigation was filed before the Delhi High Court in 2019 questioning the legality of Google Pay’s operations in India. Sources indicate that the petitioner argued that Google Pay does not figure in the list of entities authorised by the RBI to operate a payments system and hence has been operating in an unauthorised manner. The petitioner also raised concerns around Google’s unmonitored and unauthorised access to users’ sensitive personal data such as transaction details, etc., which violated one’s privacy. Google India, on the other hand, maintained its stance that it operates as a ‘technology service provider’ to its partner banks, facilitates payments through the Unified Payments Interface (UPI) infrastructure, and does not perform payment processing and settlement functions.
The Delhi High Court questioned the Reserve Bank of India (RBI) on how Google Pay was operating a payments system without authorisation from the RBI.
Overview Of Payments System Law In India
In India, payments systems are governed and regulated by the (Indian) Payment and Settlement Systems Act, 2007 and the regulations made thereunder (PSS Act). Under the PSS Act, the RBI is the designated authority for the regulation and supervision of payment systems in India. A payment system is a system that enables payments to be effected between a payer and a beneficiary, and involves the process of clearing, payment or settlement, or all of them. Payment systems include electronic payment systems, credit and debit cards, online payment gateways, money transfer or similar operations and prepaid payment instruments (PPI). As per the PSS Act, no person can operate or commence a payment system unless authorised by the RBI.
Typically, companies that merely provide software support services to its customers for connecting to or utilising the services of a payment gateway are not classified as being part of a payment system. Similarly, companies that don’t receive or handle payments / money from its customers and undertake clearing / settlement of payments with payment gateways are not classified to be part of a payments system. Therefore, infrastructure service providers (such as telecom companies, web service providers, software manufacturers, servers holding companies) do not register themselves with RBI under the PSS Act.
Google Pay’s Operations In India
The GPay or Google Pay application is claimed to be a UPI-based mobile application for sending and receiving money directly from the bank accounts of the sender and receiver, respectively. As a pre-requisite to participating in the UPI platform, one must be an issuer of Prepaid Payment Instruments (PPI) or be a Payment Service Provider (PSP), i.e., an entity regulated by the RBI under the Banking Regulation Act 1949 and authorised to provide mobile banking service. Google Pay does not appear to fall under either category. A closer look at its operations suggests that it only provides the technology to ‘connect’ to the UPI system for undertaking fund transfers. In fact, the National Payments Corporation of India (NPCI), India’s umbrella organisation for operating retail payments and settlement systems, has listed Google Pay as one of the ‘third-party applications’ to facilitate transactions on the UPI platform.
Further, Google Pay is neither involved in the processing or settlement of payments, but is a software which customers use as an interface, with the processing and settlement being carried out by the PSP banks. NPCI permits a “multi-bank PSP model” which allows technology players / third party application providers to connect to the UPI system through multiple PSP banks (which are required to be authorised by the RBI), on whom a great level of ownership and responsibility has been imposed. Google Pay, at present, is connected to the UPI-platform through 4 PSP banks.
As regards data privacy concerns, the NPCI requires that that only customer data (including customer consented data) can be stored in the application provider’s system (and specifically, UPI transaction data should be stored in an encrypted format) and all customer payment sensitive data can only be stored in the systems of the PSP banks, effectively doing away with data privacy concerns in applications such as Google Pay.
RBI’s Stance Before Delhi HC
Before the Delhi High Court, RBI stated that Google Pay is not a payment system operator but only a third-party application provider, and therefore doesn’t require authorization under the PSS Act or require coverage under the ambit of Ombudsman Scheme for Digital Transactions 2019.
RBI’s stance before the Delhi High Court has the potential to open a floodgate of opportunity for technology companies seeking to innovate in the payments space, conclusively exempting them from any licensing or authorisation requirement under the PSS Act. While the matter is sub-judice (and has the ability to impact the entire community of payment application providers), it will be interesting to see if the Delhi High Court defers to the RBI’s stance or rules otherwise to mitigate the systemic risk involved in permitting unauthorised players to operate in the sensitive payments space and handling the public money. Nonetheless, RBI having taken the above view, gives much confidence to players in the payments technology sector and the investor community in this space.
Akash Srinivasan also contributed to this article. The views of the author(s) are personal and do not constitute legal / professional advice of Khaitan & Co. For any further queries or follow up please contact the law firm at [email protected].