Regulation on Payment Initiation and Aggregation Services


Rwanda

Regulation 7 of 2018

Pursuant to Law N° 48/2017 of 23/09/2017 governing the National Bank of Rwanda, especially in Articles 6, 8, 9 and 10;

Pursuant to Law N° 03/2010 of 26/02/2010 concerning the Payment System, especially its articles 3, 5, 7 and 10;

Pursuant to Regulation n°06/2010 of 27/12/2010 of the national bank of Rwanda relating to the oversight of payment systems and the activities of payment service providers;

Pursuant to Regulation N° 03/2015 of 11/02/2015 on administrative sanctions applicable to the Payment System Operators and Payment Services Providers;

Pursuant to Regulation N° 05/2018 of 26/03/2018 governing payment services providers;

Pursuant to Regulation N° 8/2016 of 01/12/2016 of the National Bank of Rwanda governing electronic money issuers;

The National Bank of Rwanda, hereinafter referred to as “the Central Bank” decrees:

Chapter One
General provisions

Article One – Scope and purpose of this Regulation

This Regulation regulates activities specific to those payment service providers that limit their activities to facilitate initiation and authorisation of electronic fund transfers by way of a variety of services to merchants and/or users Payment Initiation Services (PIS).

This regulation defines operation requirements to be maintained by Payment initiation service providers at all times in the course of their activities.

Article 2 – Definitions

In this Regulation, the following terms and expressions shall mean:

1° account servicing payment service provider (ASPSP): the payment service provider managing the account of the payer;
2° acquiring payment service provider: a payment service provider that accepts and processes payment transactions for the user of a payment instrument, which results in a transfer of funds to the user;
3° authentication: a procedure that allows the PSP to verify a customer’s identity;
4° electronic Fund transfer (EFT): the series of transactions for the transfer of money or the execution of a payment when executed in non-paper form;
5° issuing payment service provider: a payment service provider that issues a payment instrument;
6° merchant: any person that accepts payment instruments as payment for their goods and services;
7° payment Aggregator: the intermediary collecting funds received from customers for payment to merchants using any electronic/online payment mode, for goods and services availed by them and subsequently facilitate the transfer of these funds to the merchants in final settlement of the obligations of the paying customers;
8° payment card: any card or other device, including a code or any other means of access to an account, that may be used from time to time to obtain money or to make payment, and includes a debit card, credit card and stored-value card;
9° payment gateway: a payment service facilitating the authorization of card or direct payments processing for e-businesses, online retailers, or the like. A payment gateway facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front end processor or acquiring bank;
10° payment initiation services: all services facilitating the authorization and/or validation of an electronic fund transfer or otherwise facilitating the execution of electronic transactions. They include, but are not limited to, payment aggregation and management of gateways or payment terminals;
11° payment terminal: a device or channel which interfaces with payment cards or any payment instrument to make electronic funds transfers. It includes, but is not limited to Automated Teller Machine (ATM) terminal, point of sale (POS) terminal, credit card terminal, EFTPOS terminal. A payment terminal allows a merchant to insert, swipe, or manually enter the required information related payment instrument, to transmit this data to the merchant service provider for authorization and finally, to transfer funds to the merchant;
12° sensitive payment data: data, including personalised security credentials, which are exposed to being used to carry out fraud. For the activities of payment initiation service providers, the name of the account owner and the account number do not constitute sensitive payment data;
13° supervised institutions: a bank, a nonbank financial institution or a micro-finance institution within the meaning of the Laws governing those institutions and duly supervised by the Central Bank;
14° user: no person using a payment instrument or receiving payment services;
15° strong customer authentication: an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
16° nodal account: an account held by a Payment Aggregator with any of the banks or peps for the purpose of pooling the monies collected from all the merchants and facilitating the subsequent payouts to the said merchants;
17° authentication: verifying identities of parties: there should be a mutual authentication between payment gateway and other parties, including Acquiring and Issuing Payment Service Provider. Protection against fraud needs to be in place;
18° integrity: preventing of unauthorized modification of data while it is in the communication media integrity of data between the merchant and the payment gateway, as well as the customer and the payment gateway is needed;
19° confidentiality: the preventing of disclosure of data from unauthorized parties. Payment Gateways and payment terminal service providers must guarantee the secrecy of such details;
20° unique identifier: a combination of letters, numbers or symbols specified to the payment service user by the payment service provider and to be provided by the payment service user to identify unambiguously another payment service user and/or the payment account of that other payment service user for a payment transaction;
21° funds: banknotes and coins, scriptural money or electronic money as defined in point 12 of the article 2 of the Regulation N° 08/2016 of 01/12/2016 governing electronic money issuer

Chapter II
Common operation requirements

Article 3 – Licensing requirements

The non-financial institutions that propose to provide payment initiation service shall adhere to licensing requirements established under the regulation of National Bank of Rwanda governing payments services providers.

Article 4 – Compliance with the Regulations

Irrespective of the individual requirements, any provider managing a payment initiation service provider or a payment gateway shall ensure at a minimum at all times while providing the services that:

it complies with operational standards as may be prescribed by the Central Bank from time to time;
any other condition that may be specified by the Central Bank from time to time, the fulfillment of which in the opinion of the Central Bank shall be necessary to ensure that the commencement of or carrying on the business in Rwanda shall not be prejudicial to the public interest.

Article 5 – Internal control mechanisms to comply with obligations in relation to anti-money laundering and terrorist financing requirement

In order to comply with Anti-Money Laundering and Counter Financing of Terrorism obligations, a payment initiation service provider shall put in place internal control mechanisms. In that regard, the following measures shall be in place:

the assessment framework of risks associated with the PISP’s customer base, the products and services provided, the distribution channels used and the geographic areas of operation;
policies and procedures to comply with Customer Due Diligence requirements and the policies and procedures to detect and report suspicious transactions or activities;
the systems and controls to ensure their anti-money laundering and counter terrorist financing policies and procedures remain up to date, effective and relevant;
the systems and controls to ensure that the agents and distributors do not expose the PISP to increased money laundering and terrorist financing risk;
comply with other AML/CFT requirements provided for in the AML/CFT Law and the regulation on governing payment service providers;

Chapter III
Payment initiation service providers

Article 6 – IT security and protection of data

The payment initiation service provider shall dispose of high-quality technology to ensure authentication, integrity, and confidentiality of data.

In that regard, the payment initiation service provider shall:

ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;
ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user’s explicit consent;
every time a payment is initiated, identify itself towards the account servicing payment service provider of the payer and communicate with the account servicing payment service provider, the payer and the payee in a secure way;
not store sensitive payment data of the payment service user;
not request from the payment service user any data other than those necessary to provide the payment initiation service;
not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer;
not modify the amount, the payee or any other feature of the transaction.

Article 7 – Duties of the account servicing payment service provider

The account servicing payment service provider shall:

communicate securely with payment initiation service providers;
immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
treat payment orders transmitted through the services of a payment initiation service provider without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer.

Article 8 – Right of payer to use payment initiation service

A payer shall have the right to make use of a payment initiation service to obtain payment services. The right to make use of a payment initiation service shall not apply where the payment account is not accessible online.

When the payer gives its explicit consent for a payment to be executed, the account servicing payment service provider shall perform the actions specified in Article 5 in order to ensure the payer’s right to use the payment initiation service.

Article 9 – Receipt of payment orders

The time of receipt is when the payment order is received by the payer’s payment service provider.

The payer’s account shall not be debited before receipt of the payment order. If the time of receipt is not on a business day for the payer’s payment service provider, the payment order shall be deemed to have been received on the following business day.

Article 10 – Incorrect unique identifiers

If a payment order is executed in accordance with the unique identifier, the payment order shall be deemed to have been executed correctly with regard to the payee specified by the unique identifier.

If the unique identifier provided by the payment service user is incorrect, the payment service provider shall not be liable for non-execution or defective execution of the payment transaction.

However, the payer’s payment service provider shall make reasonable efforts to recover the funds involved in the payment transaction. The payee’s payment service provider shall cooperate in those efforts also by communicating to the payer’s payment service provider all relevant information for the collection of funds.

In the event that the collection of funds under the previous paragraph is not possible, the payer’s payment service provider shall provide to the payer, upon written request, all information available to the payer’s payment service provider and relevant to the payer in order for the payer to file a legal claim to recover the funds.

Article 11 – Notification and rectification of unauthorized or incorrectly executed payment transactions

The payment service user shall obtain rectification of an unauthorized or incorrectly executed payment transaction from the payment service provider only if the payment service user notifies the payment service provider without undue delay on becoming aware of any such transaction giving rise to a claim and no later than a month after the debit date.

Article 12 – Liability in the case of payment initiation services for non-execution, defective or late execution of payment transactions

Where a payment order is initiated by the payer through a payment initiation service provider, the account servicing payment service provider shall, without prejudice to Article 7 and 8, refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.

The burden shall be on the payment initiation service provider to prove that the payment order was received by the payer’s account servicing payment service provider in accordance with Article 6 and that within its sphere of competence the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the non-execution, defective or late execution of the transaction.

If the payment initiation service provider is liable for the non-execution, defective or late execution of the payment transaction, it shall immediately compensate the account servicing payment service provider at its request for the losses incurred or sums paid as a result of the refund to the payer.

Article 13 – Strong customer authentication

The initiation of payment, as well as access to sensitive payment data, shall be protected by strong customer authentication. Payment initiation service providers shall have a strong customer authentication procedure in line with the definition provided in this regulation.

Article 14 – Transaction monitoring

Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the final authorisation; suspicious or high-risk transactions must be subject to a specific screening and evaluation procedure.

Article 15 – Prohibition to hold user’s funds

When exclusively providing payment initiation services, the payment initiation service provider shall not at any stage of the payment chain hold the user’s funds. When a payment initiation service provider intends to provide payment services in relation to which it holds user funds, it should obtain full authorisation for those services.

Chapter IV
Payment aggregator services

Article 16 – Nodal Accounts for collection of payments

Payment Aggregators shall open Nodal Accounts with a bank or e-money issuer for facilitating collection of payments from customers of merchants.

Permitted credits and debits in these accounts shall be:

Credits:
a. payments from various persons towards purchase of goods/services;
b. transfers from other banks as per pre-determined agreement into the nodal account;
c. transfers representing refunds for failed/disputed transactions.

Debits:
a. payments to various merchants/service providers;
b. transfers to other ASPSPs as per pre-determined agreement into the account, if that account is the nodal account for the Payment Aggregator;
c. transfers representing refunds for failed/disputed transactions;
d. commissions to the Payment Aggregator;

No payment other than the commissions at pre-determined rates/frequency shall be payable to the Payment Aggregator. Such transfers shall only be effected to an ASPSP’s account indicated to the ASPSP by the Payment Aggregator.

Article 17 – Settlement

The final settlements of funds to the merchants shall be transferred to the ultimate beneficiaries with minimum time delay.

Banks shall implement a settlement cycle for all final settlements to merchants within a maximum of T+1.

Article 18 – Concurrent Audit

ASPSPs shall subject the accounts specified in Article 16 to concurrent audit and a certificate to the effect that these accounts are operated in accordance with these Regulations shall be submitted to Central Bank on a quarterly basis.

Chapter V
Payment terminal services providers

Article 19 – Permitted activities

Payment Terminal Service Providers shall offer services to acquirers, covering all aspects relating to terminal management and support, including, but not limited to:

purchase and replacement of spare parts,
provision of connectivity,
training,
repairs,
development of value-added services.

Payment Terminal Providers shall ensure that their deployed terminals are functional at all times. Appropriate mechanism must be put in place to remotely detect failures.

A Payment Terminal Provider shall not hold at any time the payer’s funds in connection with the provision of the payment initiation service.

Article 20 – Display of information to users

All terminals shall dispose of the relevant technology to permit to clearly indicate in an easily understandable manner:

the terms and conditions of usage;
how to notify at any time break downs of the terminal;
how to best protect its own payment instrument by misuse within the terminals.

Chapter VI
Miscellaneous provisions

Article 21 – interoperability

All payment terminals deployed shall be technically enabled to accept all payment instruments issued by all payment service providers in Rwanda.

All persons authorized to operate payment systems shall facilitate compliance with this Regulation and provide in relevant contract the rules that affect intermediation of transfers by a payment initiation service provider or a Payment aggregator.

Article 22 – Regulations applicable to other payment system operators

All persons authorized to operate payment systems shall facilitate compliance with this Regulation and provide in relevant contract the rules that affect intermediation of transfers by a payment initiation service provider or a Payment Gateway.

Article 23 – Periodic reports

Providers of Payment Gateways and payment initiation service providers must submit both periodic and incidental reports to the Central Bank on the implementation of payment transaction processing.

For the purpose of periodic reports, the relevant information system must be audited by an independent auditor at least once every three years.

Chapter VI
Final provisions

[Please note: Chapter numbering as in original.]

Article 24 – Repealing provision

All prior regulatory provisions inconsistent with this Regulation are hereby repealed.

Article 25 – Drafting, consideration and approval of this Regulation

This Regulation was drafted, considered and approved in English.

Article 26 – Commencement

This Regulation shall come into force on the date of its publication in the Official Gazette of the Republic of Rwanda.

History of this document

02 April 2018 this version
27 March 2018 Assented to