Aurionpro Payment Solutions Pvt. Ltd. (“the Company”, “AuroPay”, “we”, “our”), as a regulated entity (RE), has set out secure and frictionless Merchant Onboarding practices and procedures to be adopted for acquiring new Merchants on its AuroPay platform.
The Reserve Bank of India (“RBI”), vide its Guidelines on Regulation of Payment Aggregators (PA) and Payment Gateways dated 17 March 2020, as amended or clarified from time to time (“PA Guidelines”), has mandated payment aggregators to devise and maintain a board-approved Merchant Onboarding Policy (“Policy”).
The Merchant Onboarding Policy is required to lay down guiding principles for onboarding of Merchants subject to compliance with the requirements specified by the PA Guidelines and other applicable regulations such as the RBI Master Directions - Know Your Customer Directions, 2016, as amended or clarified from time to time (“KYC Master Directions”). In addition, the Policy takes into consideration the recommendations from our banking partners and prevailing industry practices, with the main aim of providing our Merchants a safe and reliable platform experience.
SCOPE AND OBJECTIVES:
The scope and objectives of this Policy are as follows:
To comply with the requirement of PA Guidelines and other Applicable Laws, and adopt appropriate KYC and Merchant onboarding process for online Merchants (as applicable) that have an existing banking relationship & maintain a KYC compliant bank account for settlement purposes.
To adopt a simple, safe, secure, and robust process for appropriate collection, identification, verification, evaluation, categorisation and activation of prospective Merchants to be onboarded by AuroPay.
To provide a clear outline of roles and responsibilities as well as information on the PA onboarding process.
To define ongoing merchant monitoring measures to be undertaken by AuroPay.
To ensure transparency.
This Policy shall be applicable to all the merchants with whom AuroPay establishes a relationship and must be read and complied with in conjunction with AuroPay’s Terms of Service, Merchant Agreement and other policies including but not limited to KYC/AML Policy, as applicable.
GOVERNANCE & APPLICABILITY:
AuroPay’s Board of Directors (also referred to as the “Board”) bears the overall responsibility for ensuring that the said Policy, applicable laws and regulations are duly implemented across the organisation and adhered to. The Board shall additionally ensure that the Policy is consistent with sound and prudent practices.
DEFINITIONS:
All capitalized terms in this Policy, unless defined in-line, shall have the meanings as set out herein below:
“Aadhaar number” means an identification number issued to an individual under subsection (3) of section 3, and includes any alternative virtual identity generated under subsection (4) of section 3 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016);
“Applicable Laws” means all statutes, regulations, rules, guidelines and circulars to the extent applicable to PA services undertaken by AuroPay, the foremost of which are directions, circulars and guidelines issued by the RBI, or rules, guidelines, directions, instructions, requests issued by acquiring bank, card network organisation or as applicable.
“Certified Copy” shall mean comparing the copy of the proof of possession of Aadhaar number where offline verification cannot be carried out or officially valid document so produced by the merchant with the original and recording the same on the copy by the authorised officer of the RE as per the provisions contained in the Act.
“Designated Director” means a person designated by the RE to ensure overall compliance with the obligations imposed under chapter IV of the PML Act and the Rules and shall include the Managing Director or a whole-time Director, duly authorized by the Board of Directors, if the RE is a company.
“Digital KYC” means capturing a live photo of the customer and the officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the RE as per the provisions contained in the Act.
“Due Diligence” means identifying and verifying the merchant and the beneficial owner using reliable and independent sources of identification.
“Equivalent e-Document” means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature.
“Merchant” means an entity that uses AuroPay to collect payments from its customers for goods and services purchased from a merchant through any online platform.
“Non-profit organisations (NPO)” means any entity or organisation, constituted for religious or charitable purposes referred to in clause (15) of section 2 of the Income-tax Act, 1961 (43 of 1961), that is registered as a trust or a society under the Societies Registration Act, 1860 or any similar State legislation or a company registered under Section 8 of the Companies Act, 2013 (18 of 2013).
“On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with RE’s knowledge about the merchants, merchants’ business and risk profile, the source of funds / wealth.
“Payment Participants” means all parties involved in the payment system including acquiring bank, issuer or card associations (as applicable) as defined and specified under the Applicable Law.
“Periodic Updation” means steps taken to ensure that documents, data or information collected under the Due Diligence process is kept up-to-date and relevant by undertaking reviews of existing records at periodicity prescribed by the Reserve Bank of India (RBI).
“Principal Officer” means an officer at the management level nominated by the RE, responsible for furnishing information.
“Unique transaction reference number” refers to a combination of letters, numbers or symbols, determined by the payment service provider, in accordance with the protocols of the payment and settlement system.
KEY ELEMENTS OF ONBOARDING
Real-time onboarding of merchants
Digital verification of Know Your Customer (KYC) documents, thereby minimizing human errors
Complete visibility and real-time tracking of applications
Digital process eliminating the need for physical forms and documents
Digital process leading to faster and more secure onboarding, collection, verification and storage
Transparency in the process subject to compliance with the applicable laws, rules and guidelines
MERCHANT ONBOARDING PHASES:
As per the RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways and Master Direction on Know Your Customer (KYC), 2016, AuroPay shall undertake Merchant assessment by carrying out background and antecedent checks in order to comply with the regulatory requirements and as a preventive measure against the risks involved in the approval of new Merchants. The process followed by AuroPay for onboarding Merchants is given below:
Merchant Signup and Authentication:
Prospective Merchants can be onboarded onto the AuroPay platform via:
Self-Signup through website/application – Where the prospective merchants may directly register themselves using the merchant portal or application or the link and fill basic details of the merchant & upload personal & business ID proofs, capture bank account details etc.
Alternatively, Onboarding through sales teams – Where the prospective merchants will be onboarded through Operations Team upon the submission of all the required documents and form by the Merchant.
In self-signup, the Merchant can create an account on the AuroPay Sign up page to receive a temporary password through which they get restricted access to the platform. Moving ahead, the Merchant shall submit a duly signed Merchant Application Form (MAF) and upload their KYC documents as listed out under Annexure – A (“Entity Wise KYC Documentation”) attached herewith. The documents that need to be submitted depend on the composition type of the Merchant. All the documents of an Individual/the legal entity need attestation. The legal entity's documents need to be attested by an Authorized Signatory of the entity. To establish that the Authorized Signatory has the authorization to transact on behalf of the legal entity, a Board / Authority Resolution and Power of Attorney is required.
AuroPay assures that all information collected is stored on secure servers, with sensitive information encrypted, and is kept confidential.
The AuroPay salesperson will perform an initial check of these KYC documents against the originals and submit them to the AuroPay Merchant Onboarding Team for further verification. If the need arises, AuroPay shall contact the Prospective Merchant on the registered contact details and complete the e-KYC formalities. The Operations Team shall resolve any queries of Merchants.
Risk Assessment and Evaluation:
Prior to enrolling a Merchant for PA services, AuroPay undertakes a simplified process of appropriate Merchant identification based on the Merchant types, including basic risk assessment, evaluation and where possible, validation of the information collected from the Merchant. This exercise includes, but is not limited to the below:
Onboarding checks based on the information and documents collected from Merchants, identification of beneficial owner(s), global and domestic sanctions list, regulatory defaulters and Politically Exposed Person (“PEP”) screening, and other appropriate checks.
Due diligence on the Merchant assessing the legitimacy of the business, including its legal structure and operational details.
Confirmation from the Merchant that it is neither engaged nor will use the PA services for restricted business activities notified by AuroPay.
Confirmation from the Merchant that its system and infrastructure are Payment Card Industry-Data Security Standard (“PCI-DSS”) and Payment Application-Data Security Standard (“PA-DSS”) compliant (as applicable).
Confirmation from the Merchant that its website (where applicable) clearly indicates the terms and conditions of the service and timeline for processing returns and refunds.
Confirmation from the Merchant that its site, database or server does not store and/or save customer card credentials and such related sensitive data.
AuroPay undertakes Money Laundering (ML) and Terrorist Financing (TF) risk assessment by taking into cognizance the sector-specific vulnerabilities during the merchant onboarding process.
Merchant compliance with applicable law related to security of personal data.
AuroPay undertakes to provide such information to a Payment Participant, and any regulator or law enforcement authority as required under Applicable Law.
Based on the Merchant risk assessment, Merchants shall be categorized as low, medium or high-risk, which in turn will determine the level of scrutiny applicable to them. Risk rating will generally be based on due diligence factors such as the Merchant's existence, financial stability, industry, business model and products sold / services offered, etc. Rejected Merchants are those who are engaged in illegal or restricted activities or are prohibited owing to risky (possible fraud) and grey past records, etc.
Merchant Agreement:
Upon successful submission of the MAF application along with KYC documents and risk assessment report, the Back Operations Team will evaluate the same and accordingly, the Merchant will be either approved or rejected or sent for rework. Thereafter, upon completion of discussions with regard to commercials and integration, the Prospective Merchant is expected to execute the Merchant Agreement.
The Merchant Agreement along with the Schedule is shared with the Merchant. This Schedule will show the predefined charges & rates based on the type of product/service opted for by the Merchant.
The Merchant Agreement is then either physically or digitally signed and stamped by the Merchant. AuroPay, in order to facilitate quick and hassle-free execution of the documents, has adopted e-Sign services to enable the Merchants to digitally sign documents.
The Agreement is then franked as per the prevalent stamp duty of the respective state.
Post this, the Agreement is scanned and uploaded on the Application.
Merchant Account Activation:
Upon completion of all the evaluation requirements as laid down internally and successful onboarding of the Merchant, a Merchant Identification (MID) Number is generated on the Merchant Management System (MMS).
Post generation of the MID, an onboarding kit is shared for web integration and testing of test transactions. After successful integration, the Merchant's access to the dashboard is granted and the Merchant will be able to receive PA services. AuroPay reserves the right to reject or cancel onboarding a Merchant to the PA services, at any time and where AuroPay is unable to apply appropriate checks, either due to non-cooperation of such Merchant or inconsistency of the information furnished by them.
Merchants can reach out to AuroPay Customer Care for any support required during the onboarding process.
ONGOING MONITORING:
After onboarding, businesses need to do constant due diligence checks to monitor any changes in Merchants' behaviour and/or activities. The backend Operations team would monitor and conduct regular checks on the Merchant’s activities to ensure compliance with laws and regulations, particularly those related to AML and CFT.
AuroPay's process for ongoing monitoring involves continuous evaluation of onboarded Merchants based on their established risk profile and ensuring that all relevant information pertaining to transactions, source of funds and the Merchant is reviewed regularly.
Ongoing due diligence checks assist organizations in improving their chances against financial crimes and are a crucial aspect of risk management. AuroPay shall monitor on an ongoing basis the following types of activities:
Suspicious transactions with inconsistent patterns
Instant surge in transactions to a particular entity
Fraud reporting incidents/cases or any non-compliance
Unusual cross-border activities
Strict monitoring for Merchants identified under high-risk category
Adverse media reports
Increase in chargeback/return/refund cases
Change in website details or contact information can indicate fraud.
AML/CFT Check for Ongoing Monitoring:
AuroPay conducts AML/CFT checks under the below listed parameters on all the prospective as well as onboarded Merchants:
SECURITY COMPLIANCE ASSESSMENT:
RBI Guidelines and KYC Master Directions explicitly state that Payment Aggregators should undertake a comprehensive security assessment during the onboarding process to ensure that minimal baseline security controls are adhered to by the Merchants. AuroPay is exposed to significant cyber risks and compliance liabilities due to its Merchants. For this purpose, it is vital that AuroPay conducts comprehensive security assessments during onboarding. Whether the Merchant is taking payments via credit card, using contactless payment options, or exclusively online payments, the Merchant needs to be fully compliant with all security requirements.
As per the set standards, AuroPay will check and confirm the following details on the Merchants’ website/mobile app:
Domain must be registered
Website must be SSL Certified
Website IP must be in India
All Services/Products must be displayed with pricing in INR
No Banned Products/Categories in the Website
Terms and Conditions Policy
Privacy Policy
Refund and Cancellation Policy
Shipping and Delivery Policy (If Shipping is applicable)
Contact Us Page
Payment Card Industry-Data Security Standard (PCI-DSS) and Payment Application-Data Security Standard (PA-DSS) compliance of the infrastructure
Website safe and secure integration with AuroPay
Additionally, AuroPay ensures that Merchant Agreements include clauses related to security/privacy of Customer data as well as compliance with PA-DSS and incident reporting obligations.
RESTRICTED MERCHANT CATEGORIES:
The onboarding process does not permit merchants from these categories to get onboarded. The merchant must check whether its business falls on the prohibited list as stated under Annexure B (“Restricted Categories”) and proceed accordingly.
MERCHANT OFFBOARDING PROCESS:
The offboarding process is initiated when a merchant requests termination of their account or when the company decides to terminate the merchant's account due to policy violations or other reasons.
The Merchant will be notified about the offboarding process via email, including the reasons for termination and the effective date of termination.
A thorough review of the Merchant's account will be conducted to ensure all transactions are completed, and there are no outstanding issues or disputes.
Any outstanding payments or dues will be settled. The Merchant will be provided with a final statement of account.
The Merchant's data will be retained for a specified period as per legal and regulatory requirements. After this period, the data will be securely deleted from all systems.
The Merchant's access to the platform and related services will be revoked. All login credentials will be deactivated.
A confirmation email will be sent to the Merchant, confirming the completion of the offboarding process and providing any necessary follow-up information.
POLICY REVIEW & APPROVAL:
The Policy is reviewed on an annual basis and updated to incorporate changes as per RBI Guidelines. All updates/changes to the Policy will be communicated to the relevant staff/relevant stakeholders on a periodic basis. All such changes/modifications will be reported to the Board for approval.
Annexure A – Entity Wise KYC Documentation
INDIVIDUAL CHECKS
Particulars:
PAN Card / Form 60
Specific Checks:
PAN Number is validated by third-party
Requested for Ultimate Beneficial Owner (UBO); Authorised Signatory; Power of Attorney holder; Authorisation holder
Particulars:
Officially Valid Document (OVD): (Any 1) Passport, driving license, proof of possession of Aadhaar number, the Voter’s Identity Card, job card issued by NREGA duly signed by an officer of the State Government and letter issued by the National Population Register.
Proof of address of foreign nationals: Any document issued by the Government departments of foreign jurisdictions and/or letter issued by the Foreign Embassy or Mission in India
Specific Checks:
Match name and address with PAN and other documents
Match address proof with details provided during initial sign-up
Particulars:
Cancelled Cheque
Specific Checks:
Bank Account details are verified
LEGAL ENTITY CHECKS
Public/Private Limited Company
Particulars:
Certificate of Incorporation
Memorandum of Association (MoA) and Articles of Association (AoA)
PAN Card
Board Resolution
Ownership Structure and UBO declaration
OVD of Authorised signatory
Cancelled Cheque
Specific Checks:
Verify name, CIN/DIN/LLP via Ministry of Corporate Affairs (MCA) Portal
Board Resolution is verified by matching authorised signatory details on AoA, MoA
OVD of Authorised signatory is verified
PAN Number of the Company is verified
Bank Account details are verified
Partnership/Limited Liability Partnerships (LLP)
Particulars:
Registration Certificate
PAN
Partnership Deed/LLP agreement
Power of Attorney
OVD of Authorised signatory
Cancelled Cheque
Specific Checks:
Registration checks based on available databases
OVD of Authorised signatory is verified
PAN Number is verified
Bank Account details are verified
Sole Proprietorship
Particulars:
PAN and OVD of proprietor
• Any two of the below documents as proof of Business:
Certificate/licence issued under the Shop and Establishment Act
Registration Certificate
Sales and income tax returns
VAT/GST certificate (provisional/final).
Certificate/registration document issued by Sales Tax/Service Tax/Professional Tax authorities
IEC (Importer Exporter Code) issued to the proprietary concern by the office of DGFT or Licence/certificate of practice issued in the name of the proprietary concern by any professional body incorporated under a statute.
Complete Income Tax Return in the name of the sole proprietor where the firm's income is reflected, duly authenticated/acknowledged by the Income Tax authorities.
• Utility bills such as electricity, water, landline telephone bills, etc.
Specific Checks:
OVD of Authorised signatory is verified
PAN Number is validated by third-party
Registration checks based on available databases
Bank Account details are verified
Trust
Particulars:
Registration Certificate
PAN Card
Trust Deed
Power of Attorney
OVD of Authorised signatory
List of beneficiaries, settlors and trustees
Cancelled Cheque
Specific Checks:
Registration checks based on available databases
OVD of Authorised signatory is verified
PAN Number is verified
Bank Account details are verified
Unincorporated Association or a body of individuals
Particulars:
PAN Card
Power of Attorney
Resolution of the managing body
OVD
Cancelled Cheque
Specific Checks:
OVD of Authorised signatory is verified
PAN Number is verified
Registration checks based on available databases
Bank Account details are verified
Hindu Undivided Family (HUF)
Particulars:
PAN Card
Resolution of managing body
Power of Attorney
HUF Deed (if applicable)
Cancelled Cheque
Specific Checks:
PAN Number is verified
Registration checks based on available databases
Bank Account details are verified
Annexure B – Restricted Categories
A merchant shall not use AuroPay services to accept payments connected with the following businesses and business activities:
Virtual currency, other cryptocurrencies and tokens (that can be monetized, resold, converted, traded into physical/digital goods & services outside the virtual world)
Prevented Drugs, prevented Drug equipment & Drug test prevention aids, Narcotics or Steroids
Illegal substances and products
Miracle Cures
Forex & Currencies, Stamps and coins
Items or Downloads that infringe or violate Copyright, Trademark, Right of publicity or privacy or any other proprietary right under the laws of any jurisdiction
Human remains and body parts
Firearms, weapons or Ammunitions
Counterfeit products and Replica Goods
Unauthorized copyright media and software
Merchants involved with bestiality, rape, hate, violence, or incest
Child abuse imagery and child pornography
Hacking and cracking materials
Fake credentials, fake academic papers, etc.
Gambling, gaming and/or any other activity with an entry fee and a prize, including, but not limited to casino games, sports betting, horse racing, lottery tickets, other ventures that facilitate gambling, games of skill (whether or not it is legally defined as a lottery) and sweepstakes
Stolen goods including digital and virtual goods
Tobacco, e-cigarettes and Alcohols
Fireworks & Hazardous materials
Medical consultation
Immigration/Visa passport
Cyber lockers
File sharing and storage
Associated with purchases of annuities or lottery contracts, lay-away systems, off-shore banking or transactions to finance or refinance debts funded by a credit card
Pyramid or Ponzi Schemes, Matrix Programs and other “Get Rich Quick” Schemes and Investment Schemes
Ticket brokers
Gold bars and Precious metals/materials
Extended warranties
Telemarketing companies that solicit orders primarily with outbound telephone calls, facsimile or email. Includes “Up-Sellers.”
3rd party/aggregation
Collection agencies
Payday lenders
Credit repair companies
Loan modification
Government loans
Items that promote hate, racism, religious persecution and offensive content
Items encouraging illegal activity
Associated with the sale of traveller’s cheques or money orders
Provide certain credit repair or debt settlement services, credit transactions or insurance activities
Companies primarily engaged in the sale of coupons, certificates, prepaid, gift cards and stored value cards
Any such activities that are restricted or prohibited under the applicable laws, rules, regulations, notifications or guidelines issued by the government or the regulatory authority within the jurisdiction.
If you are not sure whether your business falls into the Restricted Business category, feel free to contact us. Our team will take every aspect of your specific company into consideration in order to make the right decision.
Note: AuroPay and our payment processing partners reserve the right to amend, change or add to the above listed underwriting tiers and underwriting terms and conditions at any time without notice. Our payment processing partners, within their sole discretion, reserve the right to decline any application at any time for any reason.