home / blog / PA Compliance Checklist for New Brands

Share on linkedin Share on Facebook share on WhatsApp
back to articles

Payments Compliance & Licensing

PA Compliance Checklist for New Brands

Before your fintech or brand can collect payments, you need RBI’s Payment Aggregator approval. Here’s the essential compliance checklist for 2025.

By Billcut Tutorial · November 17, 2025

payment aggregator compliance checklist india

What a Payment Aggregator Licence Means in 2025

In India’s fast-growing digital payments space, any business that collects online payments for merchants or itself must comply with RBI’s Payment Aggregator (PA) framework. Under Rbi Pa Guidelines 2025, all new brands facilitating checkout, subscriptions, or invoice payments need a valid PA licence or a tie-up with a licensed aggregator.

RBI introduced the PA model to ensure customer funds, refunds, and merchant settlements happen transparently through regulated channels. For startups, this means stricter KYC norms, escrow maintenance, and system audits — but also credibility and user trust.

By 2025, RBI has further tightened rules for PA onboarding, data storage, and fraud detection, making compliance a business advantage rather than a burden.

Insight: Without a PA licence or partnership, new brands cannot legally accept digital payments from customers in India.

Core RBI Rules Every New Brand Must Follow

Before applying, brands should understand what the RBI expects. Under Pa Licence Application Process, the regulator categorizes applicants as “standalone aggregators” or “merchant platforms” that handle funds for others.

Key RBI requirements as of 2025:

  • Net worth: Minimum ₹25 crore for existing PAs, ₹15 crore for new ones (to be reached within 3 years).
  • Escrow account: All customer payments must pass through a nodal or escrow account with a scheduled commercial bank.
  • Settlement timelines: T+1 day for merchants after receipt of funds.
  • KYC and merchant due diligence: Mandatory verification of all onboarded merchants, including directors and UBOs.
  • Data storage: Transaction data must be stored only in India, under Pa Data Security Framework.
  • Cyber audit: Annual system audit by a CERT-In empanelled auditor.

These norms apply to all aggregators — from fintechs like Razorpay and Cashfree to new retail or service platforms offering digital checkout flows.

Tip: Keep your compliance dashboard live — RBI audits often happen with just 7 days’ notice.

Your Step-by-Step PA Compliance Checklist

Getting PA approval can feel daunting, but breaking it down helps. Here’s a simple compliance roadmap for new entrants planning to file applications in 2025.

  1. Legal entity setup: Register as a company under the Companies Act, 2013 — sole proprietorships aren’t eligible.
  2. Capital verification: Submit CA-certified net worth statement meeting the ₹15–25 crore requirement.
  3. Escrow arrangement: Open an escrow or nodal account with an RBI-approved bank.
  4. Merchant KYC & due diligence: Design a standard onboarding policy and internal fraud-check list.
  5. Technology readiness: Implement secure APIs, two-factor authentication, and transaction logging.
  6. Data localisation compliance: Host all UPI, card, and wallet data within India.
  7. Customer grievance cell: Appoint a nodal officer and publish contact details on your website.
  8. Auditor empanelment: Hire a CERT-In-approved IT auditor to conduct annual compliance checks.
  9. Application submission: File your PA application via RBI’s COSMOS portal with full documentation.

RBI typically takes 3–6 months to review an application. New brands can operate under “in-principle” approval during review but must submit quarterly progress reports.

Insight: Treat your RBI application like an investor pitch — clarity and documentation matter more than size.

Audit, Risk and User Trust: Staying Licence-Ready

Even after approval, compliance doesn’t stop. RBI’s 2025 updates emphasize ongoing monitoring — not one-time paperwork. As covered under Merchant Onboarding Rules, every PA must maintain real-time visibility into merchant activity and transaction patterns.

Checklist for ongoing compliance:

  • Conduct semi-annual security and data audits.
  • Review merchant KYC every 12 months.
  • Automate risk alerts for unusual payment behaviour.
  • Ensure refund SLAs match your merchant contracts.
  • Maintain a clear audit trail for every transaction.

RBI also now mandates public disclosure of refund and dispute redressal timelines on PA websites. For users, this transparency builds trust; for regulators, it shows operational maturity.

Tip: A transparent refund and dispute policy is now a key RBI compliance indicator — not just good customer service.

As fintechs mature, RBI’s PA framework is shifting from “licence and forget” to “licence and verify.” For startups, that means the real compliance test begins after getting the licence — in how safely, swiftly, and fairly they handle user money.

Frequently Asked Questions

1. Who needs a Payment Aggregator licence?

Any brand that collects or processes payments for merchants online in India needs a PA licence from RBI or must partner with an existing one.

2. What is the net worth requirement?

New PAs must have at least ₹15 crore at application time and reach ₹25 crore within three years.

3. Can startups apply for a PA licence?

Yes, if registered as a company and meeting RBI’s capital, governance, and audit norms.

4. How long does the PA approval process take?

Typically 3–6 months, depending on documentation completeness and audit readiness.

5. What happens if a brand operates without a licence?

RBI can issue cease-and-desist orders and restrict all payment collection activity until compliance is achieved.

Are you still struggling with higher rate of interests on your credit card debts? Cut your bills with BillCut Today!

Get Started Now