Should Payment Gateways Be Subject To India’s Anti-Money Laundering Law?

Bringing payment gateways within the fold of the PMLA is problematic for three reasons, writes Bhargavi Zaveri.

The icons of e-commerce apps in India, displayed on a smartphone in Bengaluru. (Photographer: Samyukta Lakshmi/Bloomberg)
The icons of e-commerce apps in India, displayed on a smartphone in Bengaluru. (Photographer: Samyukta Lakshmi/Bloomberg)

Recently, the Financial Intelligence Unit in the ministry of finance penalised PayPal to the tune of Rs 96 lakh for not registering itself as a ‘payment system operator’ under the Prevention of Money Laundering Act, 2002, India’s anti-money laundering law. The crux of PayPal’s defense to the FIU was that it is not licensed by the RBI as a payment system operator, and that it is an intermediary in India’s payment system. Globally, only intermediaries that were licensed by the local financial sector regulator were subjected to anti-money laundering laws. PayPal appealed against the FIU’s order before the Delhi High Court. In January 2021, the court directed the finance ministry to constitute a committee comprising its own and RBI’s nominees to decide the following question: should providers of payment gateway services be classified as payment system operators?

The answer to this question is critical for the e-commerce industry that nearly entirely operates through third-party payment gateways. It is critical for physical retailers who accept credit and debit card payments, all of which are processed through payment gateways. It is critical for the payment gateway industry that processed retail payment transactions worth about Rs 10,000 crore for the nine-month period of March-December 2020, as per NPCI data.

Indeed, the answer to this question is critical for participants in the Indian payments system, such as GooglePay, PhonePe, etc., all of whom are merely ‘intermediaries’, and do not ‘operate’ a payment system as such.

If payment gateways are brought within the ambit of the PMLA, it sets a precedent for extending the anti-money laundering regime to such intermediaries.

That is problematic for three reasons.

Linkages To Fully-KYC-ed Bank Accounts

First, payment gateways process transactions between two financial instruments that are linked to bank accounts. The holders of these instruments have already undergone a full know-your-client process with their respective banks. When you purchase a ticket on BookMyShow or place an order for a mask on an entrepreneur’s website, and make payment using a credit card, debit card, or net banking, the payment is processed by a payment gateway. Similarly, when you swipe your card at a point-of-sale terminal at the chemist next door (assuming plastic cards are still your preferred payment mode), the payment is processed by a payment gateway. These instruments are linked to your fully-KYC-ed bank account. Banks, in turn, are reporting entities under the PMLA. The same applies to merchant-to-merchant payments, such as online payments made by foreign importers to Indian exporters. While Indian law draws an artificial distinction between payment gateways and payment aggregators, with the latter being more stringently regulated, we will leave this distinction aside as it does not affect the question of applicability of anti-money laundering laws.

When you pay a merchant through a payment gateway, the transaction is cleared in a nodal account maintained with a local bank that disburses the money to the merchant’s account.

This ‘settlement’ account is maintained as an internal account of the nodal bank, and the payment gateway neither has access to this account nor the right to operate it.

Here again, the key point is that nodal banks have end-to-end visibility of the transactions processed in the nodal account. The nodal bank is a reporting entity under the PMLA as well. In short, banks know the identities of the payer, payee and have end-to-end visibility of the transaction processed by payment gateways. This is true of cross-border payments made through payment gateways as well, as the nodal account of the payment gateway is maintained with a local bank in India which receives, collects, and disburses the money to the offshore bank account of the payee.

Costs Of Disruption To Businesses

Second, bringing payment gateways or any service provider within the ambit of the PMLA is not a trivial policy tweak. To trace the proceeds of crime, the PMLA sets up an elaborate reporting framework that requires banks, financial institutions, and securities markets intermediaries, to report suspicious transactions, such as sudden large cash withdrawals, transactions entered into by politically connected persons, etc. to the FIU. It imposes an extensive burden on the service provider to ascertain a ‘beneficial owner’ of a transaction. This requires businesses to build robust internal processes for customer due diligence at the point of onboarding customers. Further, monitoring of customers’ transactions requires sophisticated transaction mapping technology infrastructure that is capable of identifying patterns at the level of each customer, out-of-ordinary transactions and raise red flags for suspicious transactions on an ongoing basis. The failure to raise timely alerts can potentially invite scrutiny and penalties for non-compliance by the payment gateway.

Disproportionately Affects Small Businesses

Third, in the business model of payment gateways, merchants are their customers. The payment gateway is responsible for ensuring the integrity of the payment transaction, the data security of the payment instruments attached to the gateway, and protection from fraud. Payment gateways generally run checks on merchants for verifying their identity and the accuracy of their bank account details. This is done to protect consumers who purchase goods and services from the merchant. For example, if you buy groceries online, the payment gateway through which you pay must ensure that the payment is indeed credited to the bank account of the vendor in time.

Bringing payment gateways within the fold of the PMLA will likely increase the set-up and maintenance costs of merchants’ accounts, as it involves additional checks and monitoring each transaction at the level of each payer and payee from the perspective of anti-money laundering.

This is irrespective of the volumes and value of the transaction involved. The burden of these additional costs is disproportionately borne by small businesses which use the internet as a platform to sell their products.

High Costs Versus Benefits Ratio

Finally, these costs might have been justified in two situations. First, if there was no other way to obtain end-to-end visibility of the transactions processed by payment gateways. As explained above, transactions processed by payment gateways are necessarily linked to bank accounts of consumers and merchants who themselves have undergone detailed KYC processes with their banks and do so on an ongoing basis. (Remember that SMS from your bank alerting you to update your KYC... although nothing in your life has changed since your last KYC ordeal?) More importantly, payment gateway providers enter into agreements with the nodal bank for setting up the settlement account, and this arrangement itself can be used to harness information about the transactions that are processed through payment gateways.

The second situation which might have justified the costs is where governments had the capacity to parse and process the repetitious data dump generated from such multi-level reporting of the same transaction data, the capacity to confiscate the money laundered, and the capacity to prosecute the money launderer. Indeed, recent academic literature on the effectiveness of anti-money laundering laws questions the effectiveness of these laws. A recent paper indicates that anti-money laundering frameworks, which were aggressively rolled out globally post the 2001 terror attacks in the United States, had “less than 0.1% impact on criminal finances” (Paul 2021).

Keeping in mind the objective of anti-money laundering laws, payment gateways, which merely instruct banks to credit or debit accounts and deal in retail consumer-to-business transactions, are hardly the right instrument to target anti-money laundering enforcement.

There are negligible chances of someone using a payment gateway to convert illegitimate gains of any remarkable value into a legal business.

These probabilities must be taken into account when balancing the objectives of anti-money laundering frameworks, increasing the costs of doing business online, and the overarching aim of digital inclusion. State capacity is a precious resource and must not be squandered towards pursuing small change. One such policy mistake was made in 2017 when prepaid payment instruments were asked to undertake a full-fledged paper-based KYC process, which effectively killed the business model of PPIs.


To conclude, the impact of the precedent that the Delhi High court will set when it decides the question of applying PMLA to payment gateways is understated.

The court has, for the time being, referred the question to a committee comprising of government and the RBI nominees. While this approach has its own set of problems, this committee does offer another opportunity for the Government of India and the RBI to decide where to draw the line on seeking information under the ever-expanding anti-money laundering regime. In short, for PayPal and other similar intermediaries in India’s relatively fledgling payment system, hope is still a strategy.

Bhargavi Zaveri is a Senior Researcher at the Finance Research Group.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.