RBI casts info security duty on payment sector entities
3 min read, 02 Jun 2023, 10:54 PM IST
Boards responsible for implementing security policy; phased rollout from April 2024

Payment companies, credit card networks and prepaid wallets, among others, will have to craft information security policies, conduct risk assessment exercises, and enable customers to flag fraudulent transactions, the central bank proposed in draft guidelines issued on Friday.
The guidelines on cyber-resilience and digital payments security controls for payment system operators (PSOs) will be implemented in a phased manner, the Reserve Bank of India (RBI) said, with the largest entities required to comply first. The central bank has also sought feedback from all stakeholders on its proposals by 30 June.
The guidelines will help establish a framework for information security preparedness, with a focus on cyber resilience, the RBI said. In April 2022, it had announced its intention to issue new norms for PSOs.
While large non-bank PSOs must comply by April 2024, medium and small non-bank PSOs will have to meet the requirements by April 2026 and April 2028, respectively. Large non-bank PSOs include Clearing Corp. of India Ltd (CCIL), National Payments Corp. of India (NPCI) and NPCI Bharat Bill Pay Ltd, besides card payment networks and non-bank ATM networks. White label ATM operators, prepaid payment instrument issuers, trade receivables discounting system (TReDS) operators, Bharat Bill Payment operating units and payment aggregators will also be part of this category.
Medium non-bank PSOs will include cross-border (in-bound) money transfer operators that operate under money transfer service scheme, besides medium prepaid payment instrument issuers.
Small prepaid payment instrument issuers and instant money transfer operators form part of the small non-bank PSO category.
To effectively identify, monitor, control and manage cyber- and technology-related risks arising out of linkages of PSOs with unregulated digital payments providers, PSOs need to ensure adherence by such unregulated entities as well, RBI added.
According to the draft guidelines, the board of directors of a PSO will be responsible for ensuring adequate oversight of all information security risks, including cyber risk and resilience. However, primary oversight could be delegated to a sub-committee of the board that must meet at least once every quarter, the regulator said.
The PSO should formulate a board-approved information security policy to manage potential risks covering all applications and products concerning payment systems as well as their management, it said. The policy should be reviewed annually.
The policy will cover all roles and responsibilities of the board, its sub-committees, senior management and key personnel. It will also cover measures to identify, assess, manage and monitor cyber security risk, including the various types of security controls needed to ensure cyber resilience and the processes for training and awareness of employees and other stakeholders, it said.
The PSO should undertake a cyber risk assessment exercise following the launch of new products, services and technologies, or any major changes to the infrastructure or processes of existing products and services, it said.
Action points from such assessments have to be implemented under the oversight of the chief information security officer, or an equivalent executive, RBI added.
Apart from the existing guidelines applicable to PSOs for digital payment transactions, fresh instructions have also been proposed. For instance, PSOs should provide their members with online alert mechanisms based on parameters such as failed transactions, transaction velocity and new-account indicators, as well as time zones, geo-location and IP address origin, among others.
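The alert parameters listed above map naturally onto per-account rules run against each incoming transaction. The following is an added, illustrative rule engine, not code from the draft guidelines or from any PSO: it keeps a short per-account history and raises named alerts for transaction velocity, repeated failures, high-value activity on a newly opened account, a sudden change of country, a source IP network never seen for the account, and activity during the customer's quiet hours. All thresholds, field names and the sample transactions are constructed assumptions chosen for the demonstration.

```python
"""Illustrative transaction alert rules for a payment system operator (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    ts: datetime          # timestamp in the customer's local time zone (assumed)
    status: str           # "ok" or "failed"
    country: str          # geo-location of the initiating device
    ip: str               # source IP address of the request
    account_opened: datetime


def ip_prefix(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so small DHCP changes do not alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class AlertEngine:
    """Keeps a per-account history and flags each new transaction against it."""

    def __init__(self, velocity_window=timedelta(minutes=10), velocity_limit=5,
                 failure_limit=3, new_account_days=7, new_account_amount=10_000.0,
                 quiet_hours=(0, 5)):
        # Thresholds are assumed values for the demonstration, not regulatory figures.
        self.velocity_window = velocity_window
        self.velocity_limit = velocity_limit
        self.failure_limit = failure_limit
        self.new_account_days = new_account_days
        self.new_account_amount = new_account_amount
        self.quiet_hours = quiet_hours
        self.history = defaultdict(list)  # account -> [Txn, ...] in time order

    def evaluate(self, txn: Txn) -> list[str]:
        prior = self.history[txn.account]
        recent = [t for t in prior if txn.ts - t.ts <= self.velocity_window]
        alerts = []

        # Transaction velocity: too many attempts inside the window.
        if len(recent) + 1 > self.velocity_limit:
            alerts.append("VELOCITY")

        # Failed transactions: a run of failures is worth surfacing to the member.
        failed_recent = sum(1 for t in recent if t.status == "failed")
        if txn.status == "failed" and failed_recent + 1 >= self.failure_limit:
            alerts.append("REPEATED_FAILURES")

        # New account: high value soon after onboarding.
        if (txn.ts - txn.account_opened <= timedelta(days=self.new_account_days)
                and txn.amount >= self.new_account_amount):
            alerts.append("NEW_ACCOUNT_HIGH_VALUE")

        if prior:
            last = prior[-1]
            # Geo-location: country changed faster than a person could travel.
            if last.country != txn.country and txn.ts - last.ts < timedelta(hours=2):
                alerts.append("GEO_CHANGE")
            # IP origin: source network never seen for this account before.
            if ip_prefix(txn.ip) not in {ip_prefix(t.ip) for t in prior}:
                alerts.append("NEW_IP_ORIGIN")

        # Time zone / time of day: activity inside the customer's quiet hours.
        start, end = self.quiet_hours
        if start <= txn.ts.hour < end:
            alerts.append("UNUSUAL_HOUR")

        self.history[txn.account].append(txn)
        return alerts


def run_sample() -> dict:
    """Feed constructed transactions through the engine; returns txn_id -> alerts."""
    opened = datetime(2024, 1, 1, 9, 0)
    base = datetime(2024, 1, 3, 14, 0)   # two days after opening, so still "new"
    sample = [  # constructed data; documentation-range IPs only
        Txn("t1", "acct-1", 250.0, base, "ok", "IN", "203.0.113.10", opened),
        Txn("t2", "acct-1", 300.0, base + timedelta(minutes=1), "ok", "IN", "203.0.113.11", opened),
        Txn("t3", "acct-1", 12000.0, base + timedelta(minutes=2), "failed", "IN", "203.0.113.12", opened),
        Txn("t4", "acct-1", 12000.0, base + timedelta(minutes=3), "failed", "IN", "203.0.113.12", opened),
        Txn("t5", "acct-1", 12000.0, base + timedelta(minutes=4), "failed", "US", "198.51.100.7", opened),
        Txn("t6", "acct-1", 50.0, base + timedelta(minutes=5), "ok", "US", "198.51.100.7", opened),
        Txn("t7", "acct-1", 80.0, base + timedelta(hours=13), "ok", "US", "198.51.100.7", opened),
    ]
    engine = AlertEngine()
    return {t.txn_id: engine.evaluate(t) for t in sample}


if __name__ == "__main__":
    for txn_id, alerts in run_sample().items():
        print(txn_id, alerts or "-")
```

Each rule is deliberately independent, so a transaction can carry several alerts at once (t5 in the sample trips four of them); in practice a PSO would feed these named alerts to the member's notification channel and to the fraud-marking facility rather than blocking on any single rule.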
“The PSO shall provide a facility on its mobile application and website that would enable customers, with necessary authentication, to mark a fraudulent transaction for seamless and immediate notification to the issuer of payment instrument. It will also ensure facilitation of such mechanism by the system participants,” it said.
“The board will entrust the responsibility and accountability for implementing information security policy and cyber resilience framework as well as for continuously assessing the overall IS posture of PSO to a senior-level executive like the chief information security officer,” the guidelines said.