RBI tightens payments security norms for banks, digital payment operators

Mumbai: The central bank late Thursday sought to strengthen India’s digital payments architecture, publishing detailed guidelines to improve security, control and compliance among banks, gateways, wallet operators and other non-bank entities that are at the vanguard of helping New Delhi achieve its goal of a ‘less-cash’ transaction economy.

The new rules come at a time when India’s burgeoning payments ecosystem has seen increased instances of outages, frauds and cyber-breaches. The new rules set the framework for all regulated entities to standardize their security operations to emulate best practices defined by Mint Road.

“The Master Direction provides necessary guidelines…to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services,” the central bank said in a circular.

“The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner,” Reserve Bank of India (RBI) said.

All regulated entities have been given six months to ensure compliance.

The 21-page master circular issues specifications on a diverse set of application areas, including mandates from source code protection of third-party UPI apps, cyber security guidelines for safety against external attacks, card payments and internet banking security protocols.

“Going by the pre-eminent role being played by the digital payment systems in India, RBI gives the highest importance to the security controls around it,” the central bank said.

“While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner. Necessary guidelines will be issued separately,” RBI added.

The central bank governor Shaktikanta Das had first hinted at the introduction of these guidelines in his Monetary Policy Committee address on December 4, 2020. Das had said such a detailed specification for the payment ecosystem would seek to bring a “common minimum standard.”

These rules will have implications for not only regulated banks, but also third-party payment applications such as Google Pay, WhatsApp Pay and PhonePe on how the nteract with their banking partners and store customer data.

It will also affect the business models of several payment gateways that rely on delayed settlement of merchant funds to banking partners. The rules now specify that a payment operator or a bank cannot delay settlements to nodal settlement accounts beyond 24 hours.

“The Board and Senior Management shall be responsible for implementation of this policy. The policy shall be reviewed periodically, at least on a yearly basis. REs may formulate this policy separately for its different digital products or include the same as part of their overall product policy,” the central bank said.



Source Link