A Prepaid Payment Instrument(“PPI”) is a regulated payment instrument that facilitates the purchase of goods and services against a pre-funded value stored on such instrument or accessible through it. Under the regulatory framework issued by the Reserve Bank of India (“RBI”), a PPI represents value paid for by the holder in advance and enables payment transactions without extending any form of credit or deposit-taking by the issuer.[1] In other words, PPIs operate on a pay-before-you-use principle, distinguishing them from bank accounts and credit-based payment products.
From a functional standpoint, PPIs play a critical role in India’s digital payments ecosystem. They enable low-value, high-frequency transactions, support cash-lite payment environments, and allow controlled usage of funds for specific purposes or merchant networks. Common manifestations of PPIs include digital wallets, prepaid cards, gift vouchers, and corporate benefit instruments such as meal or incentive cards.[2] By ring-fencing the stored value and prescribing defined usage conditions, the RBI has positioned PPIs as a structured alternative to cash while ensuring traceability and customer protection.
Importantly, PPIs are not treated as informal or lightly regulated instruments. The RBI’s regulatory approach reflects a clear policy intent to balance innovation in payment mechanisms with systemic safeguards such as anti-money laundering controls, consumer grievance redressal, and technological security.[3] Accordingly, entities issuing PPIs are brought squarely within the payment systems regulatory perimeter under the Payment and Settlement Systems Act, 2007 (“PSS Act”), and are subject to authorisation, supervision, and ongoing compliance obligations.
For businesses, particularly fintech companies, consumer platforms, and corporates designing closed payment ecosystems, understanding what constitutes a PPI is not merely academic. Product structuring decisions, customer onboarding flows, and fund-handling models can directly trigger regulatory applicability. Mischaracterising a payment instrument may expose entities to regulatory action for operating an unauthorised payment system. Against this backdrop, a clear appreciation of what PPIs are, and why they are regulated the way they are, forms the foundation for navigating India’s evolving digital payments landscape.
How Are PPIs Regulated in India? – The RBI Framework
The regulation of PPIs in India is anchored in a clear statutory and supervisory architecture administered by the RBI. PPIs are treated as payment systems under the PSS Act, bringing them squarely within the RBI’s mandate to authorise, regulate, and supervise payment mechanisms operating in the country. As a result, no entity may issue or operate PPIs without prior RBI approval.
The PSS Act empowers the RBI to grant authorisation for payment systems, issue binding directions, and conduct inspections and oversight. The Master Directions on Prepaid Payment Instruments, 2021[4] (“Master Directions on PPIs”), are issued in exercise of these statutory powers and constitute the principal regulatory instrument governing PPI issuance and operations. This framework underscores that PPI regulation is not discretionary or sector-specific, but part of India’s formal payments law regime
Prior to the current framework, PPIs were governed through a series of circulars and earlier master directions. The Master Directions on PPIs consolidate and supersede those instruments to the extent specified, with the stated objective of ensuring regulatory clarity, uniform compliance standards, and technological neutrality. This consolidation reflects regulatory continuity rather than a reset, aligning legacy practices with the evolving digital payments ecosystem.
The Master Directions on PPIs operate as binding delegated legislation applicable to both banks and authorised non-bank PPI issuers. They are designed to be technology- and business-model-neutral, applying uniformly across wallets, cards, and other PPI form factors. The Master Directions span the entire regulatory lifecycle, from authorisation and eligibility to operational compliance and supervisory oversight.
At a structural level, the framework mandates prior authorisation, typically involving in-principle approval followed by final authorisation upon fulfilment of stipulated conditions. Thereafter, issuers remain subject to continuous supervision through reporting obligations, audits, and inspections, with the RBI retaining powers to issue corrective directions or take enforcement action where required.
While the Master Directions on PPIs form the binding legal framework, RBI’s FAQs on PPIs dated November 22, 2022 (“PPI FAQs”)[5] and clarificatory communications serve an interpretative role, assisting stakeholders in understanding regulatory intent and application. These instruments must be read harmoniously, with the Master Directions prevailing in case of inconsistency
Categories of PPIs Recognised Under the Master Directions on PPIs
The Master Directions on PPIs adopt a calibrated approach to categorising PPIs, based on risk exposure, customer due diligence, and permissible usage. Rather than treating all prepaid instruments uniformly, the framework differentiates PPIs by linking their functionality to the level of KYC and funding traceability, thereby aligning regulatory intensity with potential misuse risks.
1. Closed System PPIs:
Closed system PPIs are instruments issued for the purchase of goods or services exclusively from the issuing entity. These instruments do not permit third-party merchant acceptance, cash withdrawal, or redemption, and are typically used for platform-specific credits, vouchers, or loyalty balances. Given their limited scope and low systemic risk, closed PPIs fall outside regulatory ambit of the Master Directions on PPIs.
2. Small PPIs – Cash Loading Permitted:
Small PPIs with cash loading are intended for low-value and entry-level digital payment use cases. These instruments may be issued after obtaining only minimum customer details, without full KYC. However, due to the higher anonymity risk associated with cash funding, such PPIs are subject to strict balance and transaction limits and tightly controlled usage conditions. The RBI permits this category primarily to support financial inclusion while ensuring appropriate safeguards.
3. Small PPIs – Cash Loading Not Permitted:
Small PPIs without cash loading operate under a comparatively lower risk profile. While they may also be issued on the basis of minimum customer details, loading is restricted to banking channels or other regulated payment instruments, enhancing traceability of funds. Consequently, the RBI permits relatively higher transaction limits for this category, reflecting its risk-based regulatory calibration.
4. Full KYC PPIs:
Full KYC PPIs represent the most comprehensive category under the framework. These instruments may be issued only after completing full KYC in accordance with RBI norms and are eligible for significantly higher balance and transaction limits. Full KYC PPIs offer greater operational flexibility and are suitable for recurring and higher-value payment requirements, subject to ongoing compliance obligations.
5. Special Purpose PPIs:
In addition to the above categories, the Master Directions on PPIs recognise certain special purpose PPIs, including:
a. PPI – Gift, issued for gifting or promotional purposes, with restrictions on reloadability and redemption;
b. PPI – Mass Transit Services (MTS), enabling payments across various modes of public transport, and enabling automatic fare collection related to transit services, toll collection and parking;
c. PPIs issued to foreign nationals and NRIs visiting India (initially from G20 countries), which are limited-purpose instruments subject to prescribed usage conditions and caps during the period of stay
Foundational Eligibility to issue PPIs
Issuance of PPIs in India is treated as a regulated payment system activity, not a permissive commercial offering. The Master Directions on PPIs make it explicit that any entity proposing to issue PPIs must first fall within the regulatory perimeter and obtain prior authorisation from the RBI. This threshold inquiry, who can issue PPIs and on what conditions, is central to the regulatory design.
1. Who Is Eligible to Issue PPIs?
Under the Master Directions on PPIs, PPIs may be issued by:
a. Banks licensed and regulated by the RBI; and
b. Non-bank entities incorporated in India that obtain specific authorisation from the RBI to operate a payment system.
For non-bank entities, incorporation in India is a mandatory threshold condition. Partnerships, limited liability partnerships (LLPs), individuals, and unincorporated bodies are not eligible to apply for PPI authorisation. This reflects RBI’s preference for corporate structures with defined governance and accountability.
2. Capitalisation and Net Worth Requirements
Financial resilience is a key entry condition. Non-bank PPI issuers are required to maintain a minimum positive net worth, as prescribed by the RBI, and to achieve the stipulated threshold within the timelines set out in the Master Directions on PPIs. Thereafter, compliance must be maintained on a continuous basis, supported by periodic auditor certifications submitted to the RBI. This requirement is intended to ensure that issuers have sufficient financial capacity to manage operational and settlement risks.
3. Authorisation Process
Entities seeking to issue PPIs must submit an application under section 4 of the PSS Act. The RBI evaluates the application across multiple dimensions, including the business model, governance structure, and technological readiness. Successful applicants are granted in-principle approval, subject to fulfilment of specified conditions, followed by final authorisation upon demonstration of operational preparedness. Only after receipt of final authorisation may issuance commence.
4. Fit and Proper Criteria, and Governance Expectations:
The RBI assesses the fit and proper status of promoters, directors, and key managerial personnel, including their integrity, track record, and financial soundness. The regulator retains discretion to impose conditions or decline authorisation where governance concerns arise.
5. Exclusions from the Ambit of the Master Directions on PPIs:
The Master Directions on PPIs also clarify what does not fall within their scope. Closed system PPIs, used solely for the issuer’s own goods or services, and instruments that do not constitute a “payment system”, such as pure discounts, vouchers without redemption of stored value, or internal loyalty credits, are excluded. This exclusionary clarity helps prevent over-regulation and misclassification.
Operational Compliances for PPI Issuers
Once authorised, PPI issuers are subject to a regime of continuous operational compliance, reflecting the RBI’s position that payment systems require ongoing supervision and discipline. The Master Directions on PPIs make it clear that authorisation is only the starting point; day-to-day operations must consistently align with regulatory expectations laid down by the RBI.
1. Customer Onboarding and KYC Compliance:
Operational compliance begins at the onboarding stage. The Master Directions expressly prohibit anonymous PPIs and prescribe differentiated KYC requirements depending on the category of PPI issued. Small PPIs may be issued on the basis of minimum customer details, whereas Full KYC PPIs require compliance with the RBI’s KYC Directions, including customer identification, verification, and ongoing due diligence. Issuers are also required to undertake periodic updation of customer information and monitor transactions on a continuous basis.
2. Loading, Reloading and Funding Controls:
The framework imposes strict controls on how value may be introduced into a PPI. Loading is permitted only through modes expressly allowed under the Master Directions, including cash (where permitted), banking channels, and other regulated payment instruments. Credit loading is expressly prohibited, reinforcing the prepaid and non-credit nature of PPIs. Reloadability and funding flexibility are directly linked to the category of PPI and the level of KYC completed.
3. Usage Restrictions, Limits and Redemption:
PPIs are subject to prescribed balance and transaction limits, which vary based on their classification. Issuers must enforce category-specific usage restrictions and ensure that PPIs are not used for prohibited transactions. The Master Directions also regulate refunds, reversals, and redemption, requiring transparent processes and timely settlement in favour of customers or merchants, as applicable.
4. Escrow and Safeguarding of Customer Funds:
A core operational safeguard is the requirement for non-bank PPI issuers to maintain a dedicated escrow account with a scheduled commercial bank. Customer funds must be ring-fenced and utilised only for permitted purposes. Issuers are prohibited from paying interest on PPI balances and from commingling customer funds with their own operational funds. These requirements ensure that PPIs do not assume deposit-like characteristics.
5. Reporting, Audit and Supervisory Oversight:
PPI issuers are required to submit periodic reports to the RBI and to conduct system and compliance audits at prescribed intervals. Proper accounting, reconciliation, and record maintenance form part of this compliance architecture. The RBI retains broad powers to inspect operations, seek information, and issue directions where deficiencies are identified.
6. Restrictions on Activities and Outsourcing:
The Master Directions on PPIs impose clear operational boundaries. PPI issuers are prohibited from engaging in lending or credit extension through PPIs. While certain functions may be outsourced, the issuer retains ultimate responsibility for regulatory compliance, customer protection, and risk management.
Security, Fraud Prevention and Customer Grievance Redressal
1. Regulatory Intent: Trust as the Foundation of PPIs:
The RBI’s security and customer-protection framework for PPIs is premised on a clear regulatory objective: PPIs must scale only alongside commensurate safeguards. Given their wide retail adoption, low entry barriers for users, and increasing interoperability with UPI and card networks, PPIs are treated as high-velocity, high-risk instruments, warranting enhanced controls against fraud, misuse, and consumer harm.
2. Information Security and Risk Management Framework:
Every PPI issuer is mandated to implement a Board-approved Information Security Policy, supported by periodic reviews, incident-based reassessments, and system audits. The Directions prescribe minimum baseline controls, including:
a. two-factor authentication (2FA) for wallet transactions and debit operations;
b. debit-card-equivalent additional factor authentication (AFA) for PPI cards;
c. velocity checks, cooling-off periods after loading or beneficiary addition, and transaction alerts indicating post-transaction balances.
These controls are designed to curb social-engineering frauds, credential compromise, and rapid fund exfiltration—risks that are disproportionately higher in prepaid ecosystems.
3. Fraud Monitoring, Incident Reporting and Cyber Resilience:
PPI issuers are required to maintain centralised MIS and transaction-monitoring systems capable of detecting abnormal patterns, repeated failed logins, suspicious loading behaviour, and beneficiary misuse. Any cyber security incident or breach must be immediately reported to the RBI and CERT-In.
Further, non-bank issuers must submit annual system audits and cyber-security audits conducted by CERT-In empanelled auditors, reinforcing regulatory supervision through ex-post technical scrutiny.
From an operational standpoint, this effectively places PPI issuers at par with other regulated payment system operators, despite their non-bank status.
4. Customer Protection and Limitation of Liability:
The Master Directions on PPIs embed a consumer-centric liability framework, distinguishing between issuer fault, third-party breaches, and customer negligence. Where unauthorised transactions arise due to issuer or system deficiencies, customer liability is nil. Even in third-party breach scenarios, liability is capped based on the timeliness of customer reporting.
Issuers must also effect notional reversal within ten days of complaint reporting, without awaiting insurance settlement, underscoring RBI’s emphasis on immediate consumer relief over backend dispute resolution.
5. Customer Grievance Redressal and Ombudsman Access:
All PPI issuers are required to establish a publicly disclosed grievance redressal framework, appoint a nodal officer, and resolve complaints preferably within 48 hours, and in any event within 30 days. Customers of both bank and non-bank PPI issuers have recourse to the Reserve Bank – Integrated Ombudsman Scheme, 2021, reinforcing parity in consumer protection across regulated entities.
Taken together, the security and grievance architecture under the Master Directions on PPIs reflects RBI’s calibrated approach: encouraging innovation while institutionalising trust, traceability, and redressal as non-negotiable pillars of the PPI ecosystem.
Co-Branding of PPIs
Co-branding of PPIs is recognised as a commercial arrangement built on top of a regulated payment system, not as a mechanism to share or dilute regulatory responsibility. The framework administered by the RBI is anchored in a clear policy position: only an RBI-authorised entity may issue PPIs, and branding partnerships cannot alter this legal reality. The regulatory concern is to prevent customer confusion, misrepresentation of unregulated entities as financial service providers, and diffusion of accountability.
1. Permissible Co-Branding Structures:
Under the Master Directions on PPIs, co-branding is permitted only where the PPI is issued exclusively by an authorised bank or non-bank PPI issuer. The co-brand partner may act as a distribution, marketing, or business partner but cannot participate in issuance, fund handling, escrow maintenance, or regulated onboarding activities. The legal and operational distinction between the issuer and the co-brand partner must remain unambiguous at all times.
2. Allocation of Responsibility and Liability:
The framework adopts a non-negotiable approach to accountability. All regulatory obligations continue to vest solely with the authorised PPI issuer, including compliance with KYC norms, maintenance of escrow accounts, transaction processing, security and fraud controls, and customer grievance redressal. Any lapse by the co-brand partner does not mitigate the issuer’s liability towards customers or the RBI. This approach ensures that co-branding does not become a tool for regulatory arbitrage.
3. Branding, Disclosure and Customer Communication:
Issuers are required to ensure clear and prominent disclosures identifying the authorised PPI issuer and accurately describing the limited role of the co-brand partner. Branding or marketing materials must not suggest that the co-brand partner is itself a regulated payment service provider. Oversight of customer communications remains the issuer’s responsibility.
Interoperability of PPIs
Interoperability of PPIs reflects the RBI’s broader policy vision of building an open,competitive, and user-centric digital payments ecosystem. The shift away from siloed wallet systems towards interoperable payment instruments is intended to enhance customer convenience, reduce fragmentation, and prevent market concentration driven by closed-loop networks. Under the Master Directions on PPIs, interoperability is positioned not as an optional feature, but as a regulatory expectation for eligible PPIs.
In regulatory terms, interoperability refers to the ability of a PPI issued by one issuer to be used seamlessly across different payment acceptance infrastructures, irrespective of the issuing entity. The Master Directions on PPIs mandate interoperability for PPIs issued in the form of wallets and cards, subject to the conditions prescribed therein. This ensures that PPI holders are not restricted to the issuer’s proprietary ecosystem and can transact across a wider network of merchants and payment platforms.
1. Modes of Interoperability:
The framework recognises two principal modes through which interoperability may be achieved:
a. Wallet interoperability, primarily enabled through integration with the Unified Payments Interface (UPI); and
b. Card-based interoperability, facilitated through authorised card networks.
Issuers are required to comply with the technical, operational, and settlement standards prescribed by the relevant network participants, while remaining fully accountable for regulatory compliance.
2. Compliance Implications and Issuer Responsibility:
While interoperability expands usage and customer reach, it does not dilute issuer responsibility. PPI issuers continue to bear full liability for KYC compliance, transaction security, fraud monitoring, settlement, and customer grievance redressal, even when transactions are routed through interoperable rails. Enhanced authentication, reconciliation mechanisms, and risk controls are therefore integral to interoperable PPI operations.
Conclusion
Prepaid Payment Instruments have evolved from niche wallet products into integral components of India’s formal payments infrastructure. Through the Master Directions on PPIs, the RBI has made it clear that PPIs are not informal conveniences, but regulated payment systems subject to authorisation, supervision, and ongoing compliance. This regulatory positioning reflects a deliberate balance between enabling innovation and safeguarding consumer trust.
Several themes emerge from the framework. First, risk-based regulation sits at the core of PPI oversight—functionality, limits, and flexibility are directly linked to the level of KYC and traceability. Second, regulatory responsibility remains firmly anchored with authorised issuers, even as PPIs expand through co-branding and interoperability. Third, consumer protection—through security controls, fraud prevention, and grievance redressal—is treated as non-negotiable, reinforcing confidence in prepaid instruments at scale.
For businesses and founders, the implications are practical and immediate. PPI compliance is not an afterthought to be addressed post-launch, but a design consideration that must inform product architecture, customer journeys, and partnerships from the outset. Misclassification or regulatory shortcuts can expose entities to enforcement action and reputational risk. Looking ahead, PPIs are likely to see deeper integration with mainstream payment rails, accompanied by heightened supervisory expectations. In this landscape, regulatory discipline should be viewed not as a constraint, but as a strategic enabler, one that allows PPIs to scale sustainably while preserving trust in India’s digital payments ecosystem.
[1] RBI, Master Direction on Prepaid Payment Instruments, 2021, para 2.1, accessible at https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12156
[2] RBI, FAQs on Prepaid Payment Instruments, 2022, Q.1–2, accessible at https://www.rbi.org.in/commonperson/english/scripts/FAQs.aspx?Id=2812
[3] RBI, Master Direction on Prepaid Payment Instruments, para 4
[4] RBI, Master Direction on Prepaid Payment Instruments, 2021 para 3
[5] RBI, FAQs on Prepaid Payment Instruments dated November 22, 2022, accessible at https://www.rbi.org.in/commonperson/english/scripts/FAQs.aspx?Id=2812