RBI Payment Aggregator License: Requirements for Fintech in 2026
India processed over ₹2,500 crore worth of digital transactions daily in 2025, and every rupee flowing through third-party payment platforms needs regulatory oversight. The RBI payment aggregator licence is the regulatory permission that allows non-bank entities to collect payments from customers, pool those funds in an escrow account, and settle them to merchants. Without this authorization from the Reserve Bank of India, operating a payment aggregation business is illegal under the Payment and Settlement Systems Act, 2007. The licence requires a minimum net worth of ₹25 crore, PCI-DSS certification, data localization compliance, and takes 4 to 6 months to obtain. Whether you are building a fintech platform, launching a marketplace, or running a subscription billing service, here is everything you need to know about getting your PA licence in 2026.
Five facts about the RBI Payment Aggregator Licence:
- PA licence is mandatory for any non-bank entity handling funds on behalf of merchants under the PSS Act, 2007
- Minimum net worth: ₹15 crore at application, ₹25 crore within 3 years (and maintained permanently)
- Application submitted via Form PA to RBI's Department of Payment and Settlement Systems (DPSS)
- Total investment ranges from ₹16 crore to ₹18 crore including net worth, IT infrastructure, and compliance costs
- Over 60 entities have received in-principle or final PA authorization from RBI as of 2026
What Is an RBI Payment Aggregator Licence?
A payment aggregator licence is an authorization issued by the Reserve Bank of India that permits non-bank entities to act as intermediaries between customers and merchants in digital payment transactions. The PA collects payments from buyers, holds them in an escrow account with a scheduled commercial bank, and then settles the amounts to the respective merchants, typically within T+1 working day.
The PA licence is governed by Section 7 of the Payment and Settlement Systems Act, 2007 (PSS Act). The detailed operating guidelines are issued by the RBI's Department of Payment and Settlement Systems (DPSS) through the PA-PG Guidelines first released on March 17, 2020 (Circular DPSS.CO.PD.No.1810/02.14.008/2019-20) and updated in November 2024 with expanded compliance requirements.
The core function of a PA is fund handling. Unlike a payment gateway that only transmits transaction data between banks and merchants, a payment aggregator actually touches the money. This distinction is critical because it places PAs under direct regulatory supervision, requiring capital adequacy, cybersecurity standards, KYC compliance, and periodic reporting to RBI.
Think of a PA as the financial plumbing of online commerce. When a customer pays ₹5,000 on an e-commerce platform, the PA collects that ₹5,000, deducts its commission, and routes the remainder to the merchant's bank account. Without a PA licence, this fund flow is unauthorized. RBI introduced these guidelines after recognizing that unregulated fund pooling by intermediaries posed risks to consumer money and financial stability.
If you are setting up a fintech startup that will handle payment flows, the PA licence is your foundational regulatory requirement, not optional, not something you can get later. You need it before you begin operations.
Payment Aggregator vs Payment Gateway: Key Differences
One of the most common points of confusion in the digital payments space is the difference between a payment aggregator and a payment gateway. RBI draws a clear line between the two based on a single criterion: does the entity handle funds? If yes, it is a PA and needs a licence. If no, it is a PG and operates as a technology service provider. Here is a detailed comparison:
| Parameter | Payment Aggregator (PA) | Payment Gateway (PG) |
|---|---|---|
| Core Function | Collects, pools, and settles merchant funds | Routes transaction data between banks and merchants |
| Fund Handling | Yes, handles customer and merchant funds | No, does not touch funds at any stage |
| RBI Licence Required | Mandatory PA authorization under PSS Act, 2007 | No separate RBI licence required |
| Escrow Account | Must maintain escrow account with scheduled bank | Not applicable |
| Net Worth Requirement | ₹15 crore (initial), ₹25 crore (within 3 years) | No specific net worth mandate |
| KYC/AML Compliance | Full KYC of merchants and transaction monitoring | Limited to technology and data security |
| Settlement Responsibility | Must settle to merchants within T+1 working day | No settlement responsibility |
| Data Localization | Mandatory: all payment data stored in India | RBI guidelines apply if processing payment data |
| PCI-DSS Certification | Mandatory with annual QSA audit | Recommended but not always mandatory |
| Examples | Razorpay, PayU, CCAvenue, Cashfree | Technology backends of banking payment systems |
The practical implication is straightforward: if your business model involves collecting money from customers before passing it to merchants, you are a payment aggregator and must have RBI authorization. If you only provide the technology layer for processing payments (encryption, routing, authentication) without any fund flow through your systems, you are a payment gateway. Many companies operate as both, in which case the PA licence covers the entire operation.
Register Your Company for PA Licence Eligibility
Only companies incorporated under the Companies Act, 2013 can apply for a PA licence. Start your company registration with IncorpX, starting at ₹5,999.
Register Your Private Limited CompanyWho Needs an RBI Payment Aggregator Licence in 2026?
The short answer: any non-bank company that sits between a buyer and a seller and handles the money in between. But the actual scope is broader than most founders realize. RBI's November 2024 update expanded the PA framework to include offline PAs and cross-border payment aggregators, widening the net considerably.
Here are the types of businesses that must obtain a PA licence:
- E-commerce marketplaces that collect buyer payments and distribute them to multiple sellers after deducting commissions
- Fintech payment platforms that offer merchant payment acceptance solutions, whether card-based, UPI, net banking, or wallet-based
- Bill aggregators that collect utility payments, insurance premiums, or subscription fees on behalf of service providers
- Ticketing and booking platforms that pool payments for travel, events, or hospitality and settle to vendors
- Food delivery and ride-hailing apps that collect from customers and distribute to restaurants, drivers, and other partners
- Subscription billing platforms that manage recurring payments and distribute to multiple content or service providers
- Cross-border payment facilitators that handle inbound or outbound international merchant settlements
- Offline payment aggregators (added in November 2024) that deploy POS devices and handle card or QR-based merchant settlements
Banks are exempt because they already operate under banking licences that cover payment services. However, a private limited company building a payment product must get this authorization before processing a single transaction. The RBI has been firm on enforcement: entities found operating without authorization face penalties under Section 4 of the PSS Act, including fines up to ₹10 lakh and ₹1 lakh per day for continuing violations.
Eligibility Criteria for PA Licence
Not every business can apply for a PA licence. RBI has set clear eligibility requirements that act as a quality filter, ensuring only financially sound and well-governed entities enter the payment aggregation space.
Company Incorporation
The applicant must be a company incorporated under the Companies Act, 2013 (or the earlier Companies Act, 1956). This means LLPs, partnership firms, sole proprietorships, societies, and trusts cannot apply. If your business currently operates as an LLP, you must convert it into a private limited or public limited company before submitting Form PA to RBI.
Net Worth Requirement
New applicants must demonstrate a minimum net worth of ₹15 crore at the time of application. Within 3 years of receiving authorization, the net worth must reach ₹25 crore, and this ₹25 crore threshold must be maintained at all times going forward. Net worth is calculated as paid-up equity capital plus free reserves minus accumulated losses, deferred revenue expenditure, and intangible assets.
Fit and Proper Criteria
RBI evaluates the promoters and directors of the applicant company against "fit and proper" standards. This includes:
- No criminal record or pending criminal cases related to financial fraud
- Financial integrity, including no history of wilful default with banks
- Adequate professional experience in the payments or financial services sector
- Good track record with other regulatory bodies (SEBI, IRDAI, etc.)
IT Infrastructure and Security
The applicant must have (or demonstrate a concrete plan for) adequate IT infrastructure including secure payment processing systems, fraud detection mechanisms, data encryption capabilities, and disaster recovery systems. PCI-DSS certification is a prerequisite, not something you can obtain after getting the licence.
Governance and Compliance Framework
RBI expects board-approved policies for merchant onboarding, KYC/AML compliance, information security, grievance redressal, and risk management. These are not boilerplate documents; RBI reviews them during due diligence and expects them to be operationally implemented.
Net Worth Requirements: ₹15 Crore to ₹25 Crore Timeline
The net worth requirement is the single biggest barrier to entry for PA licence applicants. RBI structured this as a phased requirement to give entities time to build capital, but the final threshold of ₹25 crore is non-negotiable.
| Category | Net Worth Requirement | Deadline |
|---|---|---|
| New PA applicants (at application) | ₹15 crore minimum | At the time of submitting Form PA |
| New PA applicants (post-authorization) | ₹25 crore minimum | Within 3 years of receiving PA authorization |
| Existing PAs (Phase 1) | ₹15 crore minimum | March 31, 2023 |
| Existing PAs (Phase 2) | ₹25 crore minimum | March 31, 2025 |
| All PAs (ongoing) | ₹25 crore minimum | Must be maintained at all times |
If your net worth falls below ₹25 crore at any point after the applicable deadline, RBI can restrict new merchant onboarding, suspend your PA authorization, or initiate cancellation proceedings. Annual net worth certificates signed by a tax professionals must be submitted to RBI. There is no grace period for net worth shortfalls.
For startups and growth-stage companies, meeting the ₹15 crore minimum usually means raising external capital. Most successful PA applicants have completed Series A or Series B funding rounds before filing Form PA. The net worth is not just a filing requirement; it serves as a financial cushion to protect merchant and customer funds in case the PA faces operational difficulties.
Structure Your Company for ₹15 Crore Net Worth Compliance
IncorpX helps fintech founders incorporate companies with the right share capital structure for PA licence eligibility. Get expert guidance on authorized capital, share premium, and investor documentation.
Start Your Company RegistrationStep-by-Step PA Licence Application Process
The PA licence application process is structured but involves multiple regulatory touchpoints. Here is the complete process broken down into actionable steps:
Step 1: Incorporate a Company (if not already done)
Ensure your business is registered as a private limited or public limited company under the Companies Act, 2013. You need a valid Certificate of Incorporation, PAN, TAN, and GST registration. If you are converting from an LLP or sole proprietorship, complete the conversion first.
Step 2: Meet the ₹15 Crore Net Worth Threshold
Infuse sufficient capital into the company to achieve ₹15 crore net worth. This can be through paid-up share capital, share premium, or retained earnings. Get a net worth certificate from a tax professionals confirming the ₹15 crore threshold.
Step 3: Set Up IT Infrastructure and Obtain PCI-DSS Certification
Build or procure the payment processing technology stack, including encryption systems, fraud detection, server infrastructure hosted in India (for data localization), and disaster recovery. Engage a Qualified Security Assessor (QSA) for PCI-DSS certification. This step alone can take 3 to 6 months and cost ₹50 lakh to ₹2 crore.
Step 4: Open an Escrow Account
Approach a scheduled commercial bank to open an escrow account specifically for payment aggregation operations. The bank will require your business plan, RBI application intent, and company documents. The escrow account must be operational before or during the RBI application process.
Step 5: Draft Board-Approved Policies
Prepare and get board approval for: merchant onboarding policy, KYC/AML policy, information security policy, grievance redressal policy, risk management framework, data privacy policy (aligned with DPDP Act, 2023), and fraud prevention policy. Each of these must be detailed and implementable, not template documents.
Step 6: Submit Form PA to RBI DPSS
Complete Form PA with all supporting documents and submit it to the Reserve Bank of India's Department of Payment and Settlement Systems. The form requires detailed information about the company, promoters, business model, technology infrastructure, compliance framework, and financial position.
Step 7: Respond to RBI Due Diligence Queries
RBI will review your application and may issue queries or requests for additional information. Respond promptly and comprehensively. Delays in responding to RBI queries are the most common reason for extended processing timelines. Typical queries relate to technology architecture, capital adequacy, and promoter backgrounds.
Step 8: Receive In-Principle or Final Authorization
If RBI is satisfied with the application and due diligence, it grants either an in-principle authorization (with conditions to be met before final approval) or direct final authorization. The entire process from Step 6 to Step 8 takes 4 to 6 months. After receiving authorization, you can begin PA operations subject to ongoing compliance.
Documents Required for PA Licence Application
The documentation for a PA licence application is extensive. Incomplete submissions are the primary cause of delays and rejections. Organize your documents into four categories:
Corporate Documents
- Certificate of Incorporation issued by the Registrar of Companies
- Memorandum of Association (MOA) and Articles of Association (AOA)
- Board resolution authorizing the PA licence application
- Details of directors and key management personnel with DIN numbers
- Shareholding pattern with beneficial ownership details
- Digital Signature Certificates of authorized signatories
Financial Documents
- Audited financial statements for the last 3 years (or since incorporation if less than 3 years)
- Net worth certificate from a tax professionals confirming ₹15 crore minimum
- Projected financial statements for the next 5 years
- Details of the escrow account opened with a scheduled commercial bank
- Capital structure and funding sources documentation
IT and Security Documents
- PCI-DSS compliance certificate from a Qualified Security Assessor
- IT infrastructure architecture document with server locations (must be in India)
- Information security policy with encryption standards and access controls
- Disaster recovery and business continuity plan
- Vulnerability assessment and penetration testing reports
- Data privacy and localization compliance documentation
Compliance and Policy Documents
- KYC/AML policy aligned with RBI Master Direction on KYC, 2016
- Board-approved merchant onboarding policy with risk categorization framework
- Customer grievance redressal mechanism with escalation matrix
- Risk management and fraud prevention framework
- PMLA, 2002 compliance documentation and FIU-IND reporting procedures
- Detailed business plan covering operations, revenue model, and growth projections
Get Expert Help with PA Licence Documentation
IncorpX's compliance team prepares all corporate, financial, and regulatory documents required for your PA licence application. Our tax professionals handle net worth certification and financial projections.
Talk to a Compliance ExpertEscrow Account and Fund Settlement Rules
The escrow account is the backbone of the PA framework. RBI designed this mechanism to ensure that customer and merchant funds are never mixed with the PA's own operating capital. Here is how it works:
When a customer pays ₹5,000 for a product on a merchant's website, that ₹5,000 flows into the PA's escrow account (not the PA's current account). The PA then settles this amount to the merchant's bank account, minus the PA's commission, within T+1 working day. The PA can only withdraw its commission from the escrow account; the rest belongs to the merchants.
Key Escrow Account Rules
- The escrow account must be opened with a scheduled commercial bank approved by RBI
- All customer payments must be routed through the escrow account without exception
- Settlement to merchants must happen within T+1 working day from the transaction date
- The PA cannot earn or use interest accrued on escrow account funds for its own purposes
- The escrow bank monitors fund flows and reports irregularities to RBI
- Separate escrow accounts may be required for different payment modes or merchant categories
The escrow account structure means that even if a payment aggregator becomes insolvent or faces financial distress, merchant funds remain protected. The scheduled commercial bank holding the escrow account acts as a custodian, and RBI can direct the bank to settle pending amounts to merchants directly. This is a significant improvement over the pre-2020 era when unregulated intermediaries could misuse pooled funds.
From a practical standpoint, opening the escrow account requires building a relationship with a scheduled commercial bank willing to offer this service. Not all banks provide escrow accounts for PAs; the bank itself takes on monitoring responsibilities and regulatory risk. Prepare a detailed proposal for the bank that includes your business model, expected transaction volumes, settlement frequency, and compliance framework.
KYC, AML, and Data Localization Compliance
Three compliance pillars define the ongoing operational requirements for payment aggregators: Know Your Customer (KYC), Anti-Money Laundering (AML), and data localization. Each of these is enforced through separate regulatory frameworks but converges in the PA's compliance infrastructure.
KYC Requirements
PAs must conduct thorough KYC verification of every merchant before onboarding. This includes PAN verification, bank account verification, business existence verification (through GST registration, shop establishment licence, or other proofs), and verification of the authorized signatory's identity. For high-value merchants (annual turnover exceeding ₹40 lakh), enhanced due diligence is required, including physical or video verification of business premises.
Customer KYC requirements vary based on transaction limits. For small-value transactions, minimum KYC (mobile number and basic identity) may suffice. For larger transactions, full KYC with Aadhaar or PAN-based verification is mandatory. The PA must implement risk-based KYC processes aligned with the RBI Master Direction on KYC, 2016.
AML and PMLA Compliance
Payment aggregators fall under the reporting entity framework of the Prevention of Money Laundering Act (PMLA), 2002. This means:
- Registration with FIU-IND (Financial Intelligence Unit, India) for suspicious transaction reporting
- Maintaining transaction records for a minimum of 5 years after the business relationship ends
- Implementing automated transaction monitoring systems to detect unusual patterns
- Filing Cash Transaction Reports (CTRs) for transactions exceeding ₹10 lakh
- Filing Suspicious Transaction Reports (STRs) within 7 working days of detection
- Appointing a Principal Officer responsible for PMLA compliance
Data Localization
RBI's April 2018 circular mandates that all payment system data must be stored exclusively on servers located in India. For payment aggregators, this means end-to-end transaction data, including customer details, payment credentials, transaction metadata, and settlement records, must reside in India. While cross-border processing is permitted for the transaction leg, all data must be brought back and deleted from foreign servers within the prescribed timeframe. This requirement aligns with the broader data localization framework under the DPDP Act, 2023.
PCI-DSS and Cyber Security Requirements
Cybersecurity is not a checkbox for payment aggregators; it is a continuous, audited process with direct regulatory consequences. RBI mandates multiple layers of security compliance for all authorized PAs.
PCI-DSS Certification
Every PA must maintain PCI-DSS (Payment Card Industry Data Security Standard) certification. This involves:
- Annual on-site assessment by a Qualified Security Assessor (QSA)
- Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
- PA-DSS compliance for any proprietary payment applications
- Annual penetration testing of internal and external network environments
- Maintaining an information security policy reviewed and updated annually
PCI-DSS certification costs between ₹3 lakh to ₹8 lakh per year, depending on the scope of assessment and the QSA engaged. For a detailed breakdown of what this involves, see our guide on PCI-DSS compliance for fintech companies.
Cyber Security Audit and Reporting
Beyond PCI-DSS, RBI requires PAs to maintain a cybersecurity framework that includes:
- Quarterly cyber security audit reports submitted to RBI
- Annual system audit by a CERT-In empanelled auditor
- Monthly security incident reporting to RBI for any breaches or attempted attacks
- Board-level Information Security Committee meetings at least quarterly
- Incident response plan with defined escalation procedures and communication protocols
Merchant Security Obligations
PAs are also responsible for ensuring that their merchants do not store customer card credentials or sensitive authentication data. The merchant onboarding policy must include security requirements for merchants, and the PA must conduct periodic security checks on merchant systems. This is particularly important for merchants using the PA's APIs for custom checkout experiences.
PA Licence Cost Breakdown: Total Investment Required
The PA licence is one of the most capital-intensive regulatory authorizations in India's fintech sector. Here is a realistic cost breakdown for 2026:
| Cost Component | Estimated Cost | Frequency |
|---|---|---|
| RBI Licensing Fee | Nil (RBI does not charge a licensing fee for PA authorization) | One-time |
| Company Incorporation | ₹5,000 to ₹15,000 | One-time |
| Minimum Net Worth Capital | ₹15 crore (initial), ₹25 crore (within 3 years) | Ongoing maintenance |
| IT Infrastructure Setup | ₹50 lakh to ₹2 crore | One-time (plus annual maintenance) |
| PCI-DSS Certification | ₹3 lakh to ₹8 lakh | Annual |
| Legal and Compliance Advisory | ₹5 lakh to ₹15 lakh | One-time (application phase) |
| Escrow Account Setup | Varies by bank (₹50,000 to ₹5 lakh deposit) | One-time |
| CERT-In Empanelled Auditor | ₹3 lakh to ₹6 lakh | Annual |
| Ongoing Compliance (Expert, audits) | ₹5 lakh to ₹10 lakh | Annual |
| Total Estimated Investment | ₹16 crore to ₹18 crore | Including net worth capital |
The single largest cost component is the net worth requirement. If you strip out the ₹15 crore minimum capital, the direct licensing costs (infrastructure, certification, advisory, audits) add up to ₹1 crore to ₹3 crore. Still substantial, but the capital requirement is what separates serious players from speculative entrants, which is exactly RBI's intention.
For context, an NBFC registration costs significantly less in terms of net worth (₹2 crore for non-deposit-taking NBFCs), which is why some fintech companies explore NBFC routes first before pursuing a PA licence. However, the two serve completely different functions, and operating as a PA under an NBFC licence is not permitted.
Plan Your PA Licence Budget with Expert Guidance
IncorpX's fintech advisory team helps you structure the optimal capital plan, identify cost efficiencies, and prepare a realistic budget for your PA licence application.
Get a Free ConsultationCommon Reasons for PA Licence Rejection
Not every PA licence application succeeds. RBI has rejected or returned applications for specific, avoidable reasons. Understanding these helps you prepare a stronger submission:
1. Insufficient Net Worth Documentation
The most common issue. Applicants either fail to meet the ₹15 crore threshold at the time of application or provide net worth certificates with calculation errors. Solution: engage a reputable tax professionals to prepare the net worth certificate using the exact formula RBI prescribes (paid-up equity capital + free reserves minus accumulated losses, deferred revenue expenditure, and intangible assets).
2. Inadequate IT Infrastructure
Applicants who present a "planned" IT setup without any existing infrastructure face pushback. RBI expects to see a functional (or near-functional) payment processing system, not a PowerPoint presentation. Solution: build or procure core infrastructure before applying and include architecture diagrams, server hosting agreements, and security audit reports.
3. Failure to Meet Fit and Proper Criteria
Promoters or directors with adverse financial history, pending litigation related to financial fraud, or connections to entities under RBI regulatory action face rejection. Solution: conduct thorough background checks on all directors and key personnel before filing. If there are concerns, address them proactively with legal counsel.
4. Incomplete or Template-Based Policies
RBI can identify generic, copy-pasted policies that are not tailored to the applicant's specific business model. A merchant onboarding policy that reads identically to a publicly available template will raise red flags. Solution: develop bespoke policies that reference your specific technology, business model, merchant categories, and risk profile.
5. Missing PCI-DSS Certification
Applying without a valid PCI-DSS certificate (or at least an ongoing assessment by a QSA) signals unpreparedness. Solution: initiate PCI-DSS certification at least 3 to 6 months before filing the PA application.
6. Delayed Response to RBI Queries
This does not result in outright rejection but can lead to application lapse. If RBI issues queries and the applicant takes weeks or months to respond, the application loses priority and may be returned. Solution: designate a single point of contact for RBI correspondence and commit to responding within 7 to 10 working days of receiving any query.
For startups going through due diligence, the same level of preparedness expected by investors applies to RBI's evaluation process. Treat the PA application with the same rigour as a Series B fundraise.
Post-Authorization Compliance: What Comes After the Licence
Getting the PA licence is not the finish line; it is the starting line. RBI imposes continuous compliance obligations that require dedicated resources and management attention. Here is what you must maintain after receiving authorization:
- Annual net worth certificate from a tax professionals confirming ₹25 crore minimum
- Quarterly cyber security audit reports submitted to RBI
- Monthly security incident reporting to RBI (even if no incidents occurred)
- Annual system audit by a CERT-In empanelled auditor
- Ongoing FIU-IND reporting for suspicious transactions and cash transactions exceeding ₹10 lakh
- Annual PCI-DSS reassessment with quarterly vulnerability scans
- Board-level compliance reviews at least quarterly
- Merchant activity monitoring and periodic risk reassessment
- Customer grievance resolution within prescribed timelines
Many companies underestimate the post-authorization compliance burden. A typical PA needs a dedicated compliance team of 3 to 5 people, covering regulatory reporting, KYC operations, security monitoring, and merchant risk management. Outsourcing some of these functions to compliance service providers is common but does not absolve the PA of regulatory responsibility.
Summary
The RBI payment aggregator licence is a high-stakes regulatory authorization that requires ₹15 crore to ₹25 crore in net worth, PCI-DSS certification, comprehensive KYC/AML policies, data localization compliance, and an escrow account with a scheduled commercial bank. The application process through Form PA to RBI's DPSS takes 4 to 6 months, with total investment ranging from ₹16 crore to ₹18 crore including net worth capital.
For fintech founders and payment businesses, the PA licence is not a barrier; it is a credibility marker. With over 60 entities authorized by RBI as of 2026, the path is well-established. The key is meticulous preparation: get your company incorporation right, build your net worth before applying, invest in IT infrastructure and security certifications, and prepare policies that reflect your actual business model, not generic templates.
If you are planning to enter the payment aggregation space, start with the foundational step of incorporating a private limited company with the right capital structure. IncorpX's fintech compliance team can guide you through every stage, from incorporation and DSC procurement to RBI application preparation and post-authorization compliance.
Start Your PA Licence Registration with IncorpX
From company incorporation to RBI Form PA filing, IncorpX's fintech advisory team handles the complete PA licence registration process. Get started with company registration at ₹5,999.
Register Your Company Today
