XFLOW INDIA MERCHANT ONBOARDING POLICY
Last Updated: 17 January 2024
1. Introduction
Xflow Payments India Private Limited (the “Company”, “Xflow”, “we”, or “us”) has formulated this Merchant Onboarding Policy (“Policy”) to document the practices and procedures to be followed by the Company for acquiring and onboarding new merchants. For facilitating export payments, “merchants” will be the Indian exporters. For facilitating import payments, “merchants” will be the overseas exporter/payment aggregator/ecommerce marketplace that the Company enters into an agreement with for the provision of cross-border payment aggregation services in India.
The Policy sets forth rules for onboarding and acceptance of merchants for the provision of the Company’s cross-border payment aggregator services. This policy has to be read with the Company’s KYC/AML Policy which covers merchant due diligence, reporting and record management and endeavours of the Company in line with the RBI Master Directions- Know Your Customer Directions (KYC), 2016, as amended from time to time.
2. Objectives, Scope and Applicability
The purpose of this Policy is to:
- Establish clear, standardized procedures within the Company for onboarding of merchants so that each merchant goes through a similar process, reducing the likelihood of oversights and inconsistencies.
- Ensure that merchant onboarding is compliant with regulatory requirements and Xflow policies, to prevent fraudulent, unlawful activities.
This Policy applies to all the merchants with whom the Company establishes or seeks to establish a relationship for providing cross-border payment aggregation services.
3. Merchant Onboarding Process
A potential merchant may express interest in our services by reaching out to us through our website or our sales team. The merchant will be asked to provide details such as name, email id, phone number, etc. to sign up.
As a prerequisite to enabling cross-border transactions, the merchant will be asked to provide certain information depending on the entity type of the merchant. This information will be used by Xflow to carry out due diligence on the merchant for KYC/KYB identification and sanction/PEP screening, in accordance with our KYC/AML policy.
Once the merchant provides the relevant information, our onboarding team will conduct an initial review to ensure that all requisite information has been provided. If any additional information is required, the team will promptly reach out to the merchant.
Thereafter, the onboarding team will check (and where required, verify) the information and documents provided by the merchant to identify the merchant (and in case the merchant is an entity, the individuals associated with the entity such as authorised signatory) in accordance with our KYC/AML policy.
The Company’s standard due diligence process includes:
- Identification and verification of merchant’s identity details such as merchant’s name, incorporation information including registration number, legal entity type;
- Identification (and where required, verification of) individuals associated with the merchant such as authorised signatory and collection of all relevant documentary evidence in accordance with the Company’s KYC/AML Policy;
- Name screening will be done against the negative/sanctions list published by the United Nations Security Council.
For details of the various checks carried out, please refer to our KYC/AML Policy.
Apart from KYC/KYB/Sanctions/PEP screening, the team will also evaluate and assess the prospective merchant and carry out a risk assessment of the background and antecedents of the prospective merchant. For this, we will review:
- the business description and details provided by the merchant to check if the merchant is dealing in the same product/service as specified on the website/social media page;
- the website/social media page of the merchant (where available) to check the business model of the merchant and ensure that the business does not fall within the [Xflow Prohibited Business List](https://docs.xflowpay.com/prohibited-business/) as may be updated from time to time, and the merchant is not transacting in any goods/service that is prohibited under the foreign trade policy;
- any relevant adverse media reporting on the merchant;
- where available, information such as the merchant’s product listings, end-customer reviews, social media activity, etc., to ascertain antecedents of the merchant including any history of duping customers or selling fake/counterfeit/prohibited products.
Based on the above, a risk categorisation of the prospective merchant will also be carried out.
If the information provided is not satisfactory or if we have any queries regarding the business model of the prospective merchant, the team will reach out for more information.
As the final step of the onboarding journey, the Company will enter into a contractual legal agreement with the merchant and the fees and commercials will be agreed upon. After all these checks are completed to our satisfaction, we will activate the merchant. The merchant will then be able to submit transactions to us for processing. Any merchant will be accepted/activated to receive our services only after the relevant due diligence, identification measures and procedures are completed to our satisfaction.
4. Merchant Security Assessment
For services provided by Xflow hosted on premise, security controls implemented by the merchants will be identified and assessed as required. The Company will conduct a security assessment of the merchant in such cases in order to verify compliance with the baseline technology requirements under the PA-CB Guidelines issued by RBI. In addition, the Company will check whether these controls are sufficient to prevent security defects and vulnerabilities. The security assessment will include, but not be limited to, the following checks:
- Information security governance
- Information technology framework and infrastructure
- The quality of the security measures put in place on the merchant’s IT systems and networks to ensure compliance with regulatory security standard benchmarks
- The merchant’s ability to protect user confidentiality, sensitive data, system resources, etc.
- Performance of data encryption algorithm
- Cyber crisis, data breach and information security incident management solution implemented by the merchant
- Periodic security assessment reports
- Data storage security
- Regulatory reporting framework
PCI DSS verification
PCI DSS compliance will only need to be verified if the merchant processes card transactions through Xflow, the merchant receives card data, and the framework is applicable to the merchant as per the conditions set out below. In a scenario where an external audit attesting compliance with the framework is not applicable to the merchant, a self-declaration regarding the same may be obtained from the merchant.
Below are the categories of merchants who require an external audit and RoC verifying compliance with PCI DSS requirements:
- Level 1: Merchants that process over 6 million card transactions annually.
Below are the categories of merchants that require only a self-attestation and internal RoC to verify compliance with PCI DSS requirements:
- Level 2: Merchants that process 1 to 6 million transactions annually.
Below are the categories of merchants that require only a self-attestation to verify compliance with PCI DSS requirements:
- Level 3: Merchants that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
The merchant will also be expected to comply with applicable law related to security of personal data. A review will be conducted periodically in order to ensure compliance with regulatory security standard benchmarks.
5. Ongoing Monitoring
The Company will also carry out ongoing monitoring and transaction monitoring of the merchant in accordance with the KYC/AML Policy. For example, the Company will monitor the following types of activities and patterns:
- Sudden surge in transactions by a merchant.
- Non-compliance in terms of information sharing.
- Increase in chargeback/return/refund cases where applicable.
- Transactions inconsistent with the expected activity of a merchant.
- Inconsistencies in login behaviour of a merchant compared to normal and expected behaviour.
In accordance with the KYC/AML Policy, the Company will report transactions of a suspicious nature to the Financial Intelligence Unit - India (FIU-IND). Furthermore, if any responsible employee encounters anything suspicious in relation to the prevention of laundering of proceeds of crime and financing of terrorism, merchants shall undergo increased scrutiny as set out in the applicable internal procedures.
6. Deactivation of Merchants
The Company may suspend or terminate the provision of services with immediate effect in the event of:
- Violation of merchant agreement between the Company and the merchant
- The business declared by the merchant differs from the actual business conducted and the actual business falls within a prohibited or restricted category of business
- Fraud or suspicious transactions
The merchant will be made aware that Xflow will retain the merchant’s KYC information, transactional information or any other information that the Company is permitted to store under applicable laws even after termination of contract.
7. Policy Review
The Board / Senior Management shall review the policy annually, or as and when required, to incorporate any changes in the regulatory provisions, as prescribed by the regulator or as per applicable laws.