Onboarding Merchants on PSPs: Complete KYC Steps Explained

Onboarding merchants on a Payment Service Provider platform includes various intricate steps. In this blog, we will break down each step involved in the merchant onboarding process along with KYC compliance requirements.

---

As a payment aggregator (‘PA’), when we on-board merchants, we need to address certain risks that arise, like fraud, excessive chargebacks, money laundering, tax evasion, etc. For this, regulatory guidelines and applicable laws require us to adopt several precautionary measures, including the Know-Your-Customer (‘KYC’) and merchant due diligence procedures.

In this blog, we will try to understand what onboarding merchants on a PSP actually entails. We will also deep dive into the merchant onboarding process and the KYC requirements therein.

Merchant Onboarding Meaning

First, let’s go back to the basics. What is merchant onboarding, anyway?

In simple terms, merchant onboarding is the process of signing up a business on a Payment Service Provider’s (PSP) platform. 

In India, usually, the PSPs are payment aggregators that offer payment collection, disbursement, BaaS and identity verification services. 

We, at Cashfree Payments, are one the biggest Payment Aggregators in India.

We carry out a range of checks for merchants, which start prior to onboarding and continue until the end of your relationship with us. The processes discussed may be replicated by financial service entities or any other businesses that would want to onboard merchants onto their platform – both to comply with regulations and to mitigate risk.

What is Merchant KYC?

Regulated financial institutions like banks, PAs, investment companies, etc., conduct KYC whenever a client attempts to open an account with them or onboard with them (eg.: the KYC process you undertake when opening a bank account). A client may be an individual or a legal entity.

But what is KYC Compliance?

The aim of merchant KYC is to establish the client’s identity, address and legitimacy via verification of its key documents. In combination with due diligence and other mandated checks, these allow us to say identify potential fraudsters, and shell companies, detect money laundering, etc. (Related Read: Challenges of tackling merchant fraud). Often non-regulated entities, like an online marketplace, for example, need to also perform a full or partial KYC as a precaution. These allow us to take a step towards securing not only ourselves but also the end customers and the financial system as a whole.

As PAs we can service a range of businesses, from e-commerce marketplaces, financial services like lending, wealth management/ credit management/payments/insurance, etc., edtech, health tech, digital entertainment and streaming services like video/music/gaming, subscriptions like for SaaS companies, hospitality/ transportation services like taxi aggregators/hotel booking aggregators/vehicle rentals, etc. The checks we undertake thus vary from business to business, particularly based on the merchant’s legal form and line of business.

Onboarding Merchants: The Complete KYC Procedure

The Reserve Bank of India’s (‘RBI’) Master KYC Direction, the RBI PA Guidelines and the Prevention of Money Laundering Act, 2002 (the ‘PMLA’) (among others), together require the following 8 stage process:

Step 1: The KYC document check or CDD process

The first stage of onboarding merchants is the KYC document check or the Customer Due Diligence Check (‘CDD’) process. It can be one or more of the following forms- Individual KYC and Business KYC:

• Individual KYC: When you are a merchant who is an individual (eg.: a sole proprietor), we carry out a ‘KYC’ process, or CDD for an individual. Broadly, we verify your identity via an ‘Officially Valid Document’ or OVD check (identity documents like Aadhaar, passport, driving license, etc.), individual PAN verification, and if necessary, current address proof check (utility bills, etc.). We can also ask for more documents to verify your financial/business status, say asking for your business registration documents. 

• Business KYC: When you are a business partner we are onboarding, we carry out a Business KYC process, or CDD for a business. Here we replace the OVD check with an ‘entity-proof’ check. This again differs based on what type of entity you are legal. For example, if you are a company, we need to verify your certificate of incorporation, memorandum and articles of association, etc. If you are a trust/partnership, on the other hand, we will need your trust/partnership deed, registration certificates, etc. Once we’ve verified your licensing/registration, we need to ascertain that the officer/employee transacting with us on your behalf has the authority from you to do so. For this, we need your relevant Board resolutions, power of attorney, etc. Next, we need your Business PAN, and address proof (GST) if your licensing/registration documents don’t reflect your current address. We also need to conduct  ‘beneficial owner’ checks, we need to verify who has actual ownership/control, like the directors, shareholders, etc., and carry out the ‘KYC’ process separately for them. We also verify numerous other documents for due diligence processes (discussed below).

Platform KYC (Onboarding Vendor)

Lastly, depending on your line of business, you may have on-boarded end merchants. In other words, you are a merchant onboarding vendors. Hence, you may be needed to carry out a KYC or verification process for them as well, whether under regulations that apply to you or as an additional diligence measure. A supplementary check you can carry out here is a bank account, Aadhar, PAN verification and GST verification as a tool to help you ascertain the validity of the bank accounts of the end merchants you onboard. 

Here is a complete merchant onboarding flow chart for a better understanding

During onboarding merchants, methods of verifying the documents also vary, like the traditional physical check (original seen and verified, in-person verification). Today digital checks like digital document and signature checks (eKYC, DigiLocker, etc.), API-based verification, Digital KYC and Video KYC procedures are being introduced to ease the process and replace earlier physical checks.

For us as PA, relaxations are also being brought into the CDD process, allowing us to rely on the KYC you would have already undergone while opening accounts with the bank you are banking with. In another welcome move by merchant onboarding specialists, the RBI has extended the Central KYC Registry for legal entities, introducing a new mode for digital KYC for businesses via a KYC identifier (previously this was only allowed for individuals).  

Step 2: Verification against sanction and PEP lists 

Next, our merchant onboarding agents need to verify the names of our clients and their beneficial owners against certain lists, like national and international terrorist lists, or ‘Politically Exposed Persons’ lists. If a name matches a sanctions list, we also need to report this to the Financial Intelligence Unit of India (‘FIU-IND’). Along with these, we verify numerous other lists, like blacklists/ greylists/ defaulter lists for companies, directors, etc. issued by banks, the Ministry of Corporate Affairs, the Securities and Exchange Board of India, the Enforcement Directorate, the Office of Foreign Assets Control (U.S.), etc. (for a detailed list please see Appendix II below). These checks aid us in the fight against terrorism and money laundering and also help us define risk levels for a specific client.

Step 3: Onboarding policies and merchant screening

While onboarding merchants, we carry out a background and antecedent check, which takes the form of an initial screening, and for which we define an internal merchant Onboarding Policy. Our aim here is to verify the nature, purpose and bona fides of a prospective client’s business. We conduct a range of checks such as licensing/registration checks, credit checks, profit and loss statement checks, balance sheet reviews, etc., based on information we seek directly from the prospective client, together with checking publicly available information like the merchant’s websites, product listings, end-customer reviews, social media activity, etc., to ascertain business legitimacy. We are also required under law to ascertain whether you are PCI-DSS compliant. 

Pro Tip: Integrated Payment System

Step 4: Merchant profiling and diligence levels

After these initial checks, we need to classify merchants as low/medium/high risk. Diligence levels and levels of post-onboarding monitoring that we carry out are defined based on this, for example, we need to conduct enhanced due diligence for PEPs but simplified due diligence for self-help groups. Also, we are prohibited from servicing some businesses altogether (tobacco, hacking, gambling, weapons, etc.), while others are considered high-risk (pharmaceuticals, matrimony, gaming, security brokers, jewellery, etc.) requiring increased monitoring and diligence.

Step 5: Ongoing due diligence

Post-onboarding merchants, our due diligence checks will continue to keep track of any changes in merchant behaviour that are a cause for concern. For example, a change in merchant website details or an unexpected listing of high-risk products can indicate fraud. These may also call for reviewing merchant risk profiles and due diligence levels.

Step 6: Transaction monitoring

A crucial check post onboarding we do is monitoring merchant transactions, to spot any possible red flags, such as variations in expected transaction characteristics. These can be expected total transaction volume, average order value, chargeback frequency, etc. For example, if a merchant exceeds the maximum permitted transaction limits, displays an unusual refund pattern, or receives multiple end-customer complaints – these are causes for concern. In case of any suspicious transactions (say which raise money laundering concerns) and also transactions exceeding certain thresholds (eg. cash transactions above Rs.10L, cross border wire transfers above Rs.5L), they must be reported to FIU-IND by regulated entities. 

Step 7: Record-keeping and Internal Governance requirements

Next, we keep records of all merchant transactions and identity documents, normally for at least 5 years. These need to be provided to authorities upon request, such as for an investigation. There are also numerous internal governance mandates to ensure the effective implementation of requirements, like dedicated internal committees, internal audits, periodic risk assessments and adequate employee training. A Designated Director and a Principal Officer, who have specific reporting obligations under the PMLA, must also be appointed. 

Step 8: Periodic Updates 

Lastly, we need to update both merchant risk profiles and KYC periodically. As per law, we must update merchant KYC every 10 (low risk), 8 (medium risk) and 2 (high risk) years. The ongoing due diligence checks also aid us with this.

List of Abbreviations

1. AMFI- Association of Mutual Funds in India
2. AoA- Articles of Association 
3. BBPS- Bharat Bill Payment System 
4. BIS- Bureau of Indian Standards
5. CBI- Central Bureau of Investigation
6. CBIC- Central Board of Indirect Taxes and Customs
7. CBSE- Central Board of Secondary Education
8. CDD- Customer Due Diligence
9. CIN- Corporate Identification Number
10. CoI– Certificate of Incorporation
11. CoR- Certificate of Registration
12. DGFT- Directorate General of Foreign Trade
13. DGFT’s HBP– DGFT’s Handbook of Procedures
14. DIN- Director Identification Number
15. DL- Driving license 
16. DLP- Digital Lending Platforms 
17. DMT- Domestic Money Transfer
18. EPIC– Electors Photo Identity Card
19. FCRA- The Foreign Contribution (Regulation) Act
20. FFMC- Full Fledged Money Changers
21. FIU-IND- Financial Intelligence Unit- India 
22. GST- Goods and Services Tax
23. GSTIN- Goods and Services Tax Identification Number
24. IATA- International Air Transport Association 
25. IATO- Indian Association of Tour Operators 
26. IEC- Import Export Code
27. IRDA– Insurance Regulatory and Development Authority
28. ISIL- Islamic State of Iraq and the Levant 
29. IT- Income Tax
30. ITC-HS- Indian Trade Classification based on Harmonized System of Coding
31. KYC- Know your customer 
32. LoB- Line of Business
33. LLP- Limited Liability Partnership
34. Master KYC Direction- Master Direction – Know Your Customer (KYC) Direction, 2016
35. MCA- Ministry of Corporate Affairs 
36. MHA- Ministry of Home Affairs
37. MLM Cos– Multi-Level Marketing Companies 
38. MoA- Memorandum of Association 
39. MORTH- Ministry of Road Transport and Highway
40. NBFC- Non-Banking Financial Company
41. NBFC-AFC- NBFC Asset Finance Company 
42. NBFC-MFI- NBFC Micro Finance Institution
43. NBFC-P2P- NBFC Peer-to-Peer Lending Platform 
44. NCAGR– North Carolina Department of Agriculture and Consumer Services
45. NGO- Non-Governmental Organization
46. NPCI- National Payments Corporation of India
47. NSDL- National Securities Depository Ltd.
48. NSE- National Stock Exchange 
49. OCR- Optical Character Recognition 
50. OVD- Officially Valid Document
51. PA- Payment Aggregator
52. PAN- Permanent Account Number
53. PEP- Politically exposed person 
54. PMLA- Prevention of Money Laundering Act, 2002
55. PoA- Power of Attorney 
56. PPI- Prepaid Payment Instruments 
57. RBI- Reserve Bank of India 
58. RBI PA Guidelines- Guidelines on Regulation of Payment Aggregators and Payment Gateways
59. RNG- Random Number Generator
60. SaaS- Software-as-a-Service
61. SEBI- Securities Exchange Board of India 
62. STPI- Software Technology Parks of India
63. TIN– Tax Information Network
64. UIDAI- Unique Identification Authority of India
65. UIN- Unique Identification Number 
66. UNSCR– United Nations Security Council Resolution
67. WMD- Weapons of Mass Destruction