Upon receiving the application from the merchants, RPS should perform the pre-screening on the application.
Applications should include all the necessary information for background verification. The most important fields include type of business, account documentation, tax ID, credit/processing history. Based on application data, the acquirer/processor makes a decision whether it can grant the business a merchant account or not. That is, whether it is reliable, whether expected residual revenue amount is “worth the trouble and responsibility”, and whether the risks are acceptable.
As per the RBI Master Guidelines on KYC, the KYC documents will be collected, verified as part of the KYC verification. Further re-KYC will also be carried out at defined intervals as per the regulations.
RPS should check various lists for risk and fraud prevention. Verification of the checklists is done to prevent risk imposing acts such as terrorism, money laundering, etc.
Checklists include the Politically Exposed Persons (PEP) list, lists of sanction lists of the individuals and entities, suspected of having terrorist links, etc.
If the registrant matches any record in the list, then he/she would be reported to the Financial Intelligence Unit of India (‘FIU-IND’).
Other lists to be checked are from the Securities and Exchange Board of India, the bank, the Enforcement Directorate, the Ministry of Corporate Affairs, etc. for the defaulters, blacklisted, or grey listed members.
RPS should analyse the merchant’s business model and operations and the background screening should be done at this stage for the purpose of verification of the authenticity of the merchant’s intentions, business model, and purpose of registration or getting the account.
Verification should done for the website or mobile application, products, site owners, shareholders, the legality of the business/products, online presence, and impression, reviews, email address, mobile number, customer care details, address, match with previously rejected merchant list, etc.
The operations team would contact the merchant on the registered details if any further requirements or modifications are to be done.
Prior to onboarding the merchant, RPS should perform the Information Security risk-assessment against the specific security controls implemented in their ecosystem.
The due diligence shall continue after the merchant onboarding. RPS would track the merchant account for any changes or deviations from the approved details and documents.
Ongoing monitoring should watch for:
- Spikes in activities
- Exceeding thresholds
- Out of area or unusual cross-border activities
- Changing website products or links
- Inclusion of people on sanction lists
- Adverse media mentions