Payout API RBI Compliance Checklist 2026

This checklist consolidates the RBI guidelines that apply to any fintech originating push payments through a payout API in 2026. We’ve written it from the point of view of the engineering and compliance teams working together: each item maps to a technical control you can audit.

Disclaimer — this article summarises publicly available RBI circulars and
NPCI operating rules current as of 2026. It is not legal advice; validate with
your compliance officer before acting on any specific item.

1. Licensing fit — pick your lane

You cannot originate payouts directly; you rely on a licensed party. The
three common paths:

  • PPI (Prepaid Payment Instrument) issuer — you operate on top of a PPI wallet, pay out from customer balances. Requires your provider to hold a PPI licence.
  • PA-PG (Payment Aggregator / Payment Gateway) — RBI PA-PG framework (March 2020 + subsequent amendments) is the dominant licence for acquiring merchants. Provider must be RBI-authorised.
  • Banking-BaaS partnership — an RBI-licensed bank partners via APIs; settlement is on the bank’s books.

2. KYC & customer due-diligence

  • ☐ Beneficiary KYC before first credit (PAN + account proof at minimum; full V-KYC for >₹50,000/month cumulative).
  • ☐ Name-match between PAN holder and bank-account holder for account-verification flows.
  • ☐ Re-KYC cadence defined (typically 24 months for low-risk, 12 months for medium, 6 months for high).
  • ☐ UBO (Ultimate Beneficial Owner) traced for all corporate beneficiaries.
  • ☐ Sanctions-list screening (UN, OFAC, MHA) at onboarding and on a recurring basis.

3. Transaction monitoring (AML / PMLA)

  • ☐ Real-time rules engine — velocity, amount, geography, device-fingerprint.
  • ☐ Suspicious Transaction Report (STR) workflow with FIU-IND filing SLA (within 7 days of suspicion).
  • ☐ Cash Transaction Report (CTR) for any aggregated single-day ≥ ₹10 lakh equivalent.
  • ☐ Alert tuning — reviewed quarterly, documented.
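The rules-engine item above names four signals (velocity, amount, geography, device fingerprint) and the CTR item gives one concrete threshold (₹10 lakh aggregated in a single day). As an added illustration, not NxtBanking code, the following Python sketches a stateful engine that evaluates payouts in time order and emits alert codes for velocity, single-amount, daily-aggregate (CTR) and new-device rules; geography is left out because the page gives no rule for it. The velocity window, velocity limit and the ₹2 lakh single-payout figure are assumed placeholders a compliance team would tune, and the payouts at the bottom are constructed sample data.

```python
"""Minimal real-time payout-monitoring rules engine.

Added example, not NxtBanking code. The thresholds marked "assumed" are
placeholders a compliance team would tune; the payouts at the bottom are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_DAILY_THRESHOLD = 10_00_000          # ₹10 lakh single-day aggregate (checklist CTR item)
VELOCITY_LIMIT = 3                       # assumed: more than 3 payouts to one beneficiary in the window
VELOCITY_WINDOW = timedelta(minutes=10)  # assumed
LARGE_SINGLE_PAYOUT = 2_00_000           # assumed: any single payout of ₹2 lakh or more is reviewed


@dataclass(frozen=True)
class Payout:
    txn_id: str
    customer_id: str
    beneficiary_acct: str
    amount_inr: int
    device_fp: str
    ts: datetime


class RulesEngine:
    """Stateful evaluator: feed payouts in time order, get alert codes back."""

    def __init__(self):
        self._recent = defaultdict(list)   # beneficiary -> timestamps inside the velocity window
        self._daily = defaultdict(int)     # (customer, date) -> aggregated amount for the day
        self._devices = defaultdict(set)   # customer -> device fingerprints seen so far

    def evaluate(self, p: Payout) -> list:
        alerts = []

        # Velocity: drop timestamps outside the window, then count this payout too
        window = [t for t in self._recent[p.beneficiary_acct] if p.ts - t <= VELOCITY_WINDOW]
        window.append(p.ts)
        self._recent[p.beneficiary_acct] = window
        if len(window) > VELOCITY_LIMIT:
            alerts.append("VELOCITY")

        # Amount: single large payout
        if p.amount_inr >= LARGE_SINGLE_PAYOUT:
            alerts.append("LARGE_AMOUNT")

        # Daily aggregate: fire once, when the running total first crosses the CTR line
        key = (p.customer_id, p.ts.date())
        before = self._daily[key]
        self._daily[key] = before + p.amount_inr
        if before < CTR_DAILY_THRESHOLD <= self._daily[key]:
            alerts.append("CTR_THRESHOLD")

        # Device fingerprint: unseen device on a customer we already know
        known = self._devices[p.customer_id]
        if known and p.device_fp not in known:
            alerts.append("NEW_DEVICE")
        known.add(p.device_fp)

        return alerts


def run(payouts):
    """Evaluate a batch in time order; returns {txn_id: [alert codes]}."""
    engine = RulesEngine()
    return {p.txn_id: engine.evaluate(p) for p in sorted(payouts, key=lambda x: x.ts)}


# Constructed sample: one customer, a burst to beneficiary B1, then a large payout to B2
T0 = datetime(2026, 1, 15, 10, 0)
SAMPLE = [
    Payout("t1", "c1", "B1", 50_000, "dev-A", T0),
    Payout("t2", "c1", "B1", 50_000, "dev-A", T0 + timedelta(minutes=1)),
    Payout("t3", "c1", "B1", 50_000, "dev-A", T0 + timedelta(minutes=2)),
    Payout("t4", "c1", "B1", 50_000, "dev-B", T0 + timedelta(minutes=3)),   # 4th in window, new device
    Payout("t5", "c1", "B2", 9_00_000, "dev-A", T0 + timedelta(hours=1)),    # large; day total reaches ₹11 lakh
]

if __name__ == "__main__":
    for txn, alerts in run(SAMPLE).items():
        print(txn, alerts or "-")
```

The engine keeps its state in memory, which is enough to show the logic; a production rules engine would keep the per-beneficiary window and per-customer daily totals in a shared store so that every API node sees the same counts, and every alert it raises would be written to the same audit trail the checklist requires in section 6.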

4. Data localisation (RBI circular on storage of payment system data)

RBI’s April 2018 circular, reinforced since, requires end-to-end
payment data to be stored only within India. Practical implications:

  • ☐ All primary datastores (OLTP + OLAP) in AWS ap-south-*, Azure Central India, or on-prem India DC.
  • ☐ Backups also India-region; if cross-border egress is needed for processing, delete the copy held abroad within 24 h and keep only the India-stored copy.
  • ☐ CDN / log-shipping audited — many incidents originate from CloudFront, Datadog or Sentry ingesting payment data to US/EU regions.
  • ☐ Annual board-approved System Audit Report submitted to RBI.

5. Reconciliation & settlement

  • ☐ T+1 three-way reconciliation: your ledger ↔ payout-provider ledger ↔ bank settlement file.
  • ☐ Automated break-flagging with SLA for resolution (commonly T+2 for ≥ ₹10k breaks).
  • ☐ Unreconciled balances reported to finance weekly, to board monthly.
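The three-way reconciliation and break-flagging items above are straightforward to turn into code. As an added example, not NxtBanking code, the Python below matches our ledger against the provider ledger and a bank settlement file, classifies each break, and assigns the T+2 resolution deadline for breaks of ₹10k or more. Both ledgers are modelled as dicts keyed by UTR with amounts in paise; the settlement file is a constructed CSV whose column layout is an assumption (real bank files differ), and the 5-day SLA for breaks under ₹10k is assumed, since the page states only the T+2 figure.

```python
"""T+1 three-way reconciliation: our ledger vs provider ledger vs bank settlement file.

Added example, not NxtBanking code. Ledgers are dicts keyed by UTR with amounts
in paise; the bank file is a constructed CSV in an assumed column layout.
"""
import csv
import io
from datetime import date, timedelta

SLA_BREAK_AMOUNT_PAISE = 10_000 * 100   # ₹10k, from the checklist
SLA_DAYS_LARGE = 2                      # T+2 for large breaks, from the checklist
SLA_DAYS_SMALL = 5                      # assumed default for smaller breaks

# Constructed sample for settlement date 2026-01-15 (amounts in paise)
OUR_LEDGER = {
    "utr-001": 50_000_00,
    "utr-002": 12_500_00,
    "utr-003": 9_999_00,
    "utr-004": 1_000_00,
}
PROVIDER_LEDGER = {
    "utr-001": 50_000_00,
    "utr-002": 12_500_00,
    "utr-003": 9_999_00,
    # utr-004 absent: the provider never received it
}
BANK_FILE = """utr,amount_paise,status
utr-001,5000000,SUCCESS
utr-002,1250100,SUCCESS
utr-003,999900,SUCCESS
utr-099,4200000,SUCCESS
"""


def parse_bank_file(text):
    """Read the settlement CSV; only SUCCESS rows count as settled money."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["utr"]: int(r["amount_paise"]) for r in rows if r["status"] == "SUCCESS"}


def reconcile(ours, provider, bank, settlement_date):
    """Walk our ledger outward (us -> provider -> bank), then look for bank rows we never booked."""
    breaks = []

    def flag(kind, utr, amount):
        days = SLA_DAYS_LARGE if amount >= SLA_BREAK_AMOUNT_PAISE else SLA_DAYS_SMALL
        breaks.append({"kind": kind, "utr": utr, "amount_paise": amount,
                       "resolve_by": (settlement_date + timedelta(days=days)).isoformat()})

    for utr, amt in ours.items():
        if utr not in provider:
            flag("MISSING_AT_PROVIDER", utr, amt)
        elif provider[utr] != amt:
            flag("PROVIDER_AMOUNT_MISMATCH", utr, amt)
        elif utr not in bank:
            flag("MISSING_AT_BANK", utr, amt)
        elif bank[utr] != amt:
            flag("BANK_AMOUNT_MISMATCH", utr, amt)
    for utr, amt in bank.items():
        if utr not in ours:
            flag("UNKNOWN_IN_BANK_FILE", utr, amt)   # money moved that we have no record of
    return breaks


def run_reconciliation():
    return reconcile(OUR_LEDGER, PROVIDER_LEDGER, parse_bank_file(BANK_FILE), date(2026, 1, 15))


if __name__ == "__main__":
    for b in run_reconciliation():
        print(b)
```

Each break record carries the kind, the UTR, the amount and the resolve-by date, which is exactly the shape the weekly finance report and the monthly board summary in the last item need; UNKNOWN_IN_BANK_FILE breaks deserve the most urgent look because they mean settlement moved money that our ledger never booked.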

6. Audit trail & log retention

  • ☐ Immutable, append-only logs for every state transition on every transaction.
  • ☐ 10-year retention (PMLA) for financial records; 7 years for auxiliary logs.
  • ☐ Logs include: user, IP, user-agent, device-fingerprint, reason code, operator (if internal).
  • ☐ WORM-style storage (Object Lock / immutability) to prevent tampering even by DBAs.
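The "immutable, append-only" and "prevent tampering even by DBAs" items above are usually implemented together: a hash chain over the log entries makes any edit or deletion detectable, and WORM storage makes the chain itself unalterable. As an added example, not NxtBanking code, the Python below records the fields the checklist lists for every state transition (user, IP, user-agent, device fingerprint, reason code, operator), links each entry to its predecessor with SHA-256, and shows verify() catching both a rewritten entry and a deleted one. Field names, state names and sample values are constructed; the chain head would in practice be written to the Object-Lock-style storage the checklist names, which is assumed rather than shown here.

```python
"""Append-only, hash-chained audit log for transaction state transitions.

Added example, not NxtBanking code. Each entry is bound to its predecessor by
SHA-256 over the previous hash plus the canonical JSON of the record, so an
after-the-fact edit or deletion breaks the chain. The chain detects tampering;
preventing it still needs the WORM storage the checklist names. Sample values
are constructed.
"""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same way
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # each: {"record": {...}, "prev_hash": str, "hash": str}

    def append(self, txn_id, from_state, to_state, user, ip, user_agent,
               device_fp, reason_code, ts, operator=None):
        record = {
            "txn_id": txn_id, "from": from_state, "to": to_state, "user": user,
            "ip": ip, "user_agent": user_agent, "device_fp": device_fp,
            "reason_code": reason_code, "operator": operator, "ts": ts,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({"record": record, "prev_hash": prev, "hash": _entry_hash(prev, record)})
        return self.entries[-1]["hash"]

    def head(self):
        """Latest hash: the value to anchor in WORM storage so the whole chain is pinned."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify(entries):
    """Return -1 if the chain is intact, else the index of the first entry that fails."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["prev_hash"] != prev or e["hash"] != _entry_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    return -1


def build_sample_log():
    """Three constructed transitions for one payout, the last one by an internal operator."""
    log = AuditLog()
    common = dict(user="cust-42", ip="203.0.113.7", user_agent="app/3.1", device_fp="fp-9f2c")
    log.append("txn-1", "CREATED", "VALIDATED", reason_code="OK", ts="2026-01-15T10:00:00Z", **common)
    log.append("txn-1", "VALIDATED", "SUBMITTED", reason_code="OK", ts="2026-01-15T10:00:02Z", **common)
    log.append("txn-1", "SUBMITTED", "FAILED", reason_code="BANK_TIMEOUT", ts="2026-01-15T10:01:30Z",
               operator="ops-alice", **common)
    return log


def tampered_index():
    """Simulate a direct database edit turning the failure into a success; verify() catches it at index 2."""
    entries = copy.deepcopy(build_sample_log().entries)
    entries[2]["record"]["to"] = "SUCCEEDED"
    return verify(entries)


def deleted_index():
    """Deleting a middle entry breaks the prev_hash link of the entry that followed it (now index 1)."""
    entries = copy.deepcopy(build_sample_log().entries)
    del entries[1]
    return verify(entries)


if __name__ == "__main__":
    print("intact:", verify(build_sample_log().entries))
    print("tampered at:", tampered_index(), "deleted at:", deleted_index())
```

An attacker with database access can of course recompute every hash from the edited entry onward, which is why the head hash must leave the database: writing each day's head to Object-Lock storage (or publishing it to a party outside the DBA's control) turns the chain from a consistency check into real tamper evidence.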

7. Customer-facing obligations

  • ☐ Grievance policy published on website (Nodal Officer name + contact).
  • ☐ Complaint-escalation matrix: L1 (24 h) → L2 (7 days) → RBI Ombudsman.
  • ☐ Visible fee disclosure pre-transaction.
  • ☐ Refund SLA stated (most regulators converging on T+7 for retail refunds).

8. Security controls (technical)

  • ☐ PCI-DSS scope minimisation (see our dedicated guide — coming soon).
  • ☐ Encryption at rest (AES-256) and in transit (TLS 1.2+; 1.3 preferred).
  • ☐ Secrets management via KMS; no credentials in env files or code.
  • ☐ Quarterly VAPT with remediation SLA.
  • ☐ Annual board-approved cyber-security policy.

9. Operational resilience

  • ☐ RTO < 2 h, RPO < 15 min for core payout services.
  • ☐ Multi-AZ active-passive, tested DR drill twice yearly.
  • ☐ Incident post-mortem < 5 business days; customer-facing incidents published within 24 h.

10. Board & governance

  • ☐ Information-security committee with quarterly minutes.
  • ☐ Risk-management framework document, reviewed annually.
  • ☐ Fit-and-proper declarations for directors and senior management.

A note on keeping this checklist fresh

RBI issues material circulars every 2–3 months. We revise this article quarterly; the last update date is visible in the byline above. For the live list of circulars, the authoritative source is rbi.org.in.
