The Reserve Bank of India (“RBI”) has, vide its ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ dated March 17, 2020 (“Payment Aggregator Guidelines”), necessitated every Payment Aggregator to have a merchant on-boarding policy which shall be approved by its Board of Directors (“Board”).
Accordingly, the Board of Aurus Paytech Private Limited (“Company” or “Aurus Paytech”) has adopted this Merchant On-boarding Policy (“Policy”) to provide the minimum requirements pertaining to the procedures that the Company has implemented while associating with any merchant.
The Policy has been prepared with the objective of establishing a framework for the implementation of adequate merchant on-boarding processes, procedures and controls, and of ensuring that the merchants on-boarded do not have any mala fide intention of duping their customers or of selling fake / counterfeit / prohibited products, etc.
Our assessment and evaluation processes of the merchants are primarily based on: (i) the guidelines and rules framed by the RBI under its Payment Aggregator Guidelines; (ii) advice and counsel of our banking partners and renowned consultants; (iii) prevailing industry best practices; and (iv) our own zeal to provide our merchants and customers a safe, trusted, reliable and secure platform to allow exchange of payments all across. These assessments, evaluations and processes shall be updated from time to time as per the regulatory guidelines formulated and enforced.
To initiate the on-boarding process, merchants must follow these steps:
A simultaneous process of evaluating and assessing a prospective merchant, as well as a detailed risk assessment of the prospective merchant based on a variety of factors including but not limited to the pre-screening, background and antecedent check, merchant history check, business details, model and functioning, business owners check, domain check, DNS check, website evaluation, credit risk undertaking and checking for ‘restricted business’ activities, cross checking against banking and credit authorities, etc., is undertaken to provide efficiency, remove bias and cross-verify the assessments of each team. It is imperative for a merchant that its website shall clearly indicate the terms and conditions of the service and timelines for processing returns and refunds.
The Company shall have the right to obtain periodic security assessment reports based on the risk assessment (large or small merchants) and/or at the time of renewal of contracts with the merchants.
The Company’s evaluation and risk assessment procedures are laid down in detail under the Company’s Risk Management Policy and Policy on KYC, AML and CFT Measures.
In addition to the documents required under the Policy on KYC, AML and CFT Measures and documents pertaining to compliance with the Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) pertaining to the infrastructure of the merchant to be on-boarded, additional documentation and clarifications, if required, are to be sought from the prospective merchant for their on-boarding. Also, every merchant to be on-boarded will have to additionally submit an undertaking to the Company that it does not save customer card and such related data. The Company may, in its sole discretion, carry out a security audit of the merchants to check compliance by them, as and when required.
Once all the documentation has been submitted and a preliminary check conducted, discussions are entered into with the prospective merchant to seek clarifications and resolve discrepancies (if any). Pursuant to the preliminary review undertaken, an interim decision may be rendered to the prospective merchant in regard to the Company’s services.
Pursuant to final discussions and successful completion of the review of the prospective merchant and their compliance to the satisfaction of the Company, the prospective merchant is then required to execute an in-house mandatory agreement along with a comprehensive list of KYC documents (physical copy) in accordance with the Company’s Policy on KYC, AML and CFT Measures, to be provided to support the details provided by the prospective merchant, duly authenticated and signed as true copy by the authorized signatories. The said agreement to be executed with the merchant shall contain all the detailed and requisite provisions with respect to the security and privacy of customer data in compliance with the applicable laws. Further, the agreement should also specify compliance with the PA-DSS and provide for incident reporting obligations on the merchant.
Furthermore, a third-party check of all directors, promoters, shareholders and senior management of the prospective merchant may be conducted against government sanctioned lists, enforcement lists, credible diverse media, public court records, geography specific research, third party contributors, client requests, etc.
The Company shall, on an ongoing basis, monitor the merchants already on-boarded by keeping a watch on activities including but not limited to spikes in activity, exceeding any threshold prescribed earlier, unusual cross-border activities, changes in the website products and adverse media attention.
If any merchant is found to be availing the Company’s services for a business / operation that is categorized as restricted business by any of the regulators and/or for any product or service which is not in compliance with all applicable laws and regulations, whether state, local or international, including the laws of India, the services rendered to the said merchant will be terminated with immediate effect.
This Policy may be amended subject to the prior written approval of the Board, from time to time, in line with the business requirements of the Company or any statutory enactment or amendment thereto.