To enhance self-discipline in payment outsourcing services, standardize industry practices, mitigate risks in merchant acquiring businesses, protect the rights of market participants, and promote the healthy development of the payment services market, the China Payment Clearing Association (CPCA) recently issued the Record-Filing Management Standards for Merchant Acquiring Outsourcing Service Providers (hereinafter referred to as the Record-Filing Standards) and the Evaluation Management Standards for Merchant Acquiring Outsourcing Services (hereinafter referred to as the Evaluation Standards).
Background on Outsourcing Service Providers
Outsourcing service providers typically refer to enterprises commissioned by licensed payment institutions to handle non-core acquiring services, including but not limited to merchant acquisition and servicing, terminal deployment and maintenance, and payment method aggregation. Since 2020, under the guidance of the People’s Bank of China, the CPCA has established a registration mechanism for outsourcing institutions to improve market transparency, strengthen governance, and combat illegal activities such as gambling-related fraud, online POS machine sales, and payment code manipulation. In 2024, the CPCA released the Self-Regulatory Measures for Merchant Acquiring Outsourcing Services (hereinafter referred to as the Measures), which serve as the foundational framework for outsourcing service management.
Key Provisions of the New Standards
The newly introduced Record-Filing Standards and Evaluation Standards complement the Measures by specifying detailed requirements for registration, information reporting, risk data sharing, blacklist management, and industry evaluations. These provisions ensure practical implementation and support the standardized growth of the outsourcing services market.
Mandatory Registration Before Operation
The Record-Filing Standards outline specific registration procedures and criteria, emphasizing compliance before business operations begin. Key principles include:
- Goal-Oriented Approach: Ensuring comprehensive oversight of outsourcing activities through mandatory registration.
- Efficiency and Standardization: Streamlining registration processes and reducing unnecessary documentation.
- Enhanced Data Reporting: Requiring regular submission of critical business data to monitor industry trends.
Outsourcing providers may register for one or more service categories, including merchant services, terminal maintenance, merchant referrals, payment acceptance branding, and transaction routing (including aggregated payment technology services). However, manual service providers are prohibited from registering for transaction routing services.
Data Security Requirements for Aggregated Payment Services
With the rise of mobile payments, aggregated payment services have become mainstream but have also faced issues such as unauthorized data collection. The Record-Filing Standards require transaction routing service providers to:
- Comply with national data security laws and define clear responsibility boundaries with licensed institutions.
- Maintain independent and secure business systems meeting industry standards.
- Implement encryption mechanisms for sensitive data and strict access controls.
Risk Management and Blacklist Standards
Since 2017, the CPCA has conducted self-regulatory evaluations of outsourcing providers to improve market transparency and facilitate better partnerships between licensed institutions and service providers. The Evaluation Standards introduce an updated scoring system that assesses operational capabilities, risk management, and service quality more accurately.
30 Identified Risk Behaviors
The Evaluation Standards list 30 prohibited activities, including:
- Engaging in money laundering, fraud, or other illegal practices.
- Unauthorized merchant fund settlement or subcontracting.
- Falsifying transaction data or frequently switching licensed partners.
Risk levels are categorized into three tiers based on severity, with clear blacklisting criteria and information-sharing requirements.
Next Steps for Implementation
The CPCA plans to enforce the new standards through:
- Strengthening registration management to enhance market transparency.
- Ensuring licensed institutions fulfill their oversight responsibilities and share risk data.
- Conducting industry evaluations to facilitate market competition and eliminate non-compliant providers.
These measures aim to foster a fair and orderly payment services ecosystem while supporting sustainable market growth.
Related topics:
