What the 2025 PA Directions changed about the risk
On 15 September 2025 the RBI released the Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025, consolidating and tightening the rules under which a payment aggregator operates. For a broker, the value of reading the Directions is not regulatory box-ticking; it is that they describe, with precision, where a payment aggregator's money and data sit and therefore where the insurable loss can occur.
A payment aggregator (PA) stands between a merchant and the customer's money. It collects funds for goods and services, holds them briefly and settles them to merchants. That custody function, holding money that belongs to someone else, is the defining risk. It is what makes a PA fundamentally different from an ordinary software startup and what shapes the entire insurance conversation.
The Directions raise the bar in three ways that matter for cover: they set higher capital thresholds, they ring-fence customer money in escrow, and for cross-border flows they impose a specific account structure. Each of these is a place where a loss can happen, and each maps to a different part of the insurance stack.
Net worth, escrow and the InCA/OCA structure
The Directions set concrete requirements that a broker should treat as the spine of the risk assessment.
On capital, a non-bank PA must have minimum net worth of Rs 15 crore at application and Rs 25 crore by the end of the third financial year. The rising threshold signals a regulator that wants only adequately capitalised entities holding customer funds, and it gives a broker a baseline read on the financial substance behind the risk.
On custody, non-bank PAs must hold merchant funds in a separate escrow account with a Scheduled Commercial Bank. The escrow is the regulatory firewall between the PA's own money and the money it is holding for merchants. For cross-border PAs the account is split into an Inward Collection Account (InCA) and an Outward Collection Account (OCA), with escrow operations to be compliant by 31 December 2025.
This escrow plumbing is where the crime exposure concentrates. An escrow account holding pooled merchant funds is precisely the target a dishonest insider or an external fraudster aims at. The InCA/OCA split for cross-border flows adds operational complexity, more accounts, more reconciliation, more points at which an instruction can be manipulated, which a broker should weigh when sizing crime and cyber limits.
Commercial crime and fidelity: the first layer
For a custody business, commercial crime insurance (sometimes structured with fidelity cover) is the foundational layer, because the largest single-event loss is usually the theft of money rather than a service failure.
The crime exposures cluster around the escrow and settlement flow. The clearest is employee dishonesty: an insider with access to settlement instructions or escrow operations diverting funds. Then there is third-party fraud: social-engineering and funds-transfer fraud where an attacker manipulates an instruction so money is settled to the wrong account. For a cross-border PA running InCA and OCA accounts, the number of points at which an instruction can be intercepted or altered is higher, which raises the relevance of crime cover that responds to fraudulently induced transfers.
When placing crime cover for a PA, the broker should pay attention to:
- The insured perils, confirming the policy responds to both employee dishonesty and external funds-transfer and social-engineering fraud, not only to one.
- The definition of covered property, ensuring it captures merchant funds held in escrow and not only the PA's own money.
- The limit relative to flow, sized against the value passing through the escrow accounts.
- Sub-limits and conditions on social-engineering fraud, which crime policies often cap and condition on verification controls.
The escrow firewall reduces the chance that a PA's failure harms merchants, but it does not stop a determined insider or fraudster, which is what crime cover exists to address.
Cyber and the technology errors layer
A PA is a technology business holding payment data, so cyber insurance sits alongside crime, addressing the attack and data dimensions that crime cover does not.
The cyber exposures are characteristic of a payments platform. A data breach of cardholder or customer information triggers notification, regulatory and liability costs. A ransomware or systems-availability event can halt settlement, with knock-on liability to merchants who could not be paid. Network intrusion can be the route through which funds are ultimately stolen, which is where cyber and crime cover need to be read together so a single loss does not fall into the gap between them.
Technology errors-and-omissions cover (professional indemnity for a technology provider) responds to a different failure: the PA's service itself being defective, causing financial loss to a merchant rather than a breach or a theft. For a business whose product is the reliable movement of money, a settlement failure caused by a defect in its own platform is a real exposure, and it is professional indemnity rather than crime or cyber that answers it.
The structuring discipline is to read crime, cyber and technology errors cover as one programme. An external attacker who breaches the network (cyber) and then diverts funds (crime) creates a loss that touches two policies, and the broker's job is to ensure the wordings interlock rather than each pointing at the other.
Management liability, the PG carve-out and assembling the stack
A PA operating under RBI supervision faces regulatory scrutiny and the possibility of investor and stakeholder action, which is where directors and officers (D&O) liability cover belongs. A regulator that sets rising net-worth thresholds and mandatory escrow is a regulator that can examine, question and act, and the individuals running the PA carry personal exposure for how the business safeguards customer money and complies with the Directions. D&O responds to claims against directors and officers arising from those decisions and from regulatory action.
One scoping point shapes the conversation. A Payment Gateway (PG) falls outside the scope of the PA Directions, because a pure gateway provides technology routing without taking custody of funds, but it is encouraged to adopt the RBI baseline technology recommendations. For a broker, this carve-out matters because it changes the risk: a PG that does not hold money has a lighter crime exposure and a heavier technology and cyber emphasis, while a full PA holding escrow funds needs the crime layer at full weight. Confirming whether a client is a PA or a PG is the first question, because it determines the shape of the stack.
Pulling it together, a payment aggregator's programme typically combines commercial crime and fidelity for theft of escrow funds, cyber for breach and availability, technology errors-and-omissions for defective service, and D&O for regulatory and management exposure, each sized against the custody and flow profile the 2025 Directions describe.
Building that stack well depends on the detail of the wordings, how each policy defines covered property, where the crime and cyber boundaries meet, and which conditions a settlement-fraud loss must satisfy. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings and the intelligence around them, so a payment-aggregator programme can be assembled around what the policies actually cover rather than around generic fintech assumptions. Request Access to place custody-heavy fintech risks with that wording detail in front of you.