Highlight: Learn about the most recent RBI laws regarding digital payments in India.
The digital payments ecosystem in India has matured in recent years, with the pandemic hastening the adoption of digital payments. An increasing number of citizens, including those living in non-metro cities and India’s hinterlands, have begun to transition to cashless transactions via Unified Payments Interface (UPI), Aadhaar-enabled Payments System (AePS), Internet Banking, and others.
The Reserve Bank of India (RBI) proposed in its statement on ‘Development and Regulatory Policies’ dated December 4, 2020, to establish a robust governance structure for digital payment products and implement common minimum security controls for channels such as internet and mobile banking and card payments. In accordance with the announcement, the RBI issued the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 (Master Directions) on February 18, 2021.
These rules apply directly to scheduled commercial banks, small finance banks, payment banks, and NBFCs that issue credit cards. The new set of rules also lays out the criteria that will be utilized to enforce the rules.
In a circular, the central bank stated, “The Master Direction provides necessary guidelines to establish a robust governance structure and implement common minimum standards of security controls for digital payment products and services. The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products more safely and securely.”
The Master Directions will apply to four regulated entities (REs):
- Scheduled Commercial Banks (excluding Regional Rural Banks)
- Small Finance Banks
- Payments Banks; and
- Credit card issuing Non-Banking Financial Companies.
The Master Directions establish a new set of regulatory guidelines for a more secure and safe digital payment system. The following are the key features of the new guidelines:
- The Master Directions require the REs to formulate a policy for digital payment products and services, approved by their respective boards of directors and reviewed regularly, at least once a year. The REs shall also incorporate into their governance and risk management programmes appropriate processes to identify, monitor, and manage the specific risks associated with their portfolio of digital payment products and services. The policy must explicitly address the functionality, security, and performance of the payment security requirements.
- If the REs rely on third-party service providers, adequate mechanisms and controls for monitoring such third-party activities must be put in place following RBI outsourcing guidelines. These entities must also undertake risk assessments for the safety and security of digital payment products, processes, and services, according to the Master Directions.
- According to the Master Directions, these REs must implement a web application firewall solution as well as distributed denial of service (DDoS) mitigation techniques to secure the digital payment products and services offered over the internet. Furthermore, mobile banking, mobile payment, and internet banking applications must have effective logging and monitoring capabilities to track user activity and security changes and to identify suspicious behaviour and transactions.
- The REs must establish an escrow mechanism for the source code of digital payment applications licensed by a third-party vendor, according to the Master Directions, to ensure service continuity in the event that the third-party vendor defaults or is unable to deliver services.
- When sending SMS or e-mails, REs will be expected to protect client information such as account numbers, card details, and other sensitive information. They would need a system in place to actively monitor non-genuine, unauthorized, and malicious apps on the internet and in major app stores and take the appropriate steps to have them taken down where necessary. Digital payment application security measures must ensure that the apps manage and store payment data securely and safeguard it throughout its lifecycle.
- The Master Directions require REs to implement multi-factor authentication for electronic payments and fund transfers, including cash withdrawals from ATMs/business correspondents, through digital payment applications to combat various cyber-attack mechanisms and protect the confidentiality of payment data. In addition, REs should define the maximum number of unsuccessful log-in or authentication attempts beyond which access to the digital payment product/service would be stopped.
- REs would need to implement configuration aspects for detecting suspicious transactional behaviour, alerting customers in the event of failed authentication, and so on.
- A real-time reconciliation mechanism for all digital payment transactions will be implemented between the RE and all other stakeholders, such as payment system operators, card networks, business correspondents, and so on, to improve the detection and prevention of suspicious transactions.
- Certain requirements are outlined in the Master Directions in order to protect customers’ interests and raise customer awareness. To educate customers, REs would need to incorporate secure and safe usage guidelines and training materials for end-users into digital payment applications. At first onboarding, and again after each major update to the digital payment application, the REs shall require the customer to go through the secure usage guidelines and record the customer’s confirmation.
- The Master Directions require REs to provide a customer grievance redressal mechanism. The REs must include a section on the digital payment application that clearly specifies the process and procedure for lodging consumer grievances (with forms/contact information, etc.). Furthermore, the REs must follow current RBI instructions regarding the online dispute resolution system for digital payments.
- To prevent authentication-related brute force attacks or Denial of Service (DoS) attacks, the Master Directions require REs to implement additional levels of authentication to internet banking websites, such as adaptive authentication, strong CAPTCHA with server-side validation, and so on.
- The REs would ensure that mobile applications require re-authentication whenever the device or application is inactive for a specified period of time, and each time the user launches the application. Furthermore, the mobile application should not store sensitive personal or consumer authentication information on the device, such as user IDs, passwords, keys, hashes, or hardcoded references, and any sensitive customer information should be securely erased from the memory when the customer exits the app.
- The Master Directions require REs to follow various payment card standards as prescribed by the Payment Card Industry for comprehensive payment card security, depending on the applicability/readiness of updated versions of the standards.
- To improve ATM security, REs must:
  - Implement security measures such as a BIOS password, disabling USB ports, applying the latest patches of the operating system and other software, a terminal security solution, disabling the auto-run facility, time-based admin access, and so on;
  - Implement an anti-skimming and whitelisting solution; and
  - Upgrade all ATMs to supported operating system versions. The use of ATMs with unsupported operating systems is strictly prohibited.
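The controls on failed-attempt limits and customer alerting (the multi-factor authentication and suspicious-behaviour items above) and on inactivity and launch-time re-authentication with no retained secrets (the mobile application item above) can be modelled in a small server-side controller. The following is an added example, not code from the RBI or from any RE; the threshold of five attempts, the 120-second idle period, the user id `cust-001`, and the credential store are all constructed for illustration, and the Directions leave the actual numbers to each RE. The in-memory token wipe models the "erase on exit" requirement; in a real mobile app that wipe would be done in native code, since Python gives no guarantee about copies of the data.

```python
"""Login throttling, customer alerts, and idle/launch re-authentication.

Added example modelled on the Master Directions summary; all thresholds,
user ids and credentials below are constructed, not taken from the RBI text.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5       # assumed RE-defined limit; the Directions leave the number to the RE
IDLE_TIMEOUT_SECONDS = 120    # assumed inactivity period after which re-authentication is required


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the credential store never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_credential_store(users: dict) -> dict:
    """Constructed credential store: user id -> (salt, derived key)."""
    return {uid: (salt, _derive(pw, salt)) for uid, pw in users.items() for salt in [os.urandom(16)]}


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    alerts: list = field(default_factory=list)   # customer-facing notifications (SMS/e-mail/in-app)


@dataclass
class Session:
    user_id: str
    last_activity: float
    reauth_required: bool = False
    # Session secret held only in memory; never written to device storage.
    token: bytearray = field(default_factory=lambda: bytearray(os.urandom(32)))

    def touch(self, now: float) -> None:
        """Record customer activity so the idle clock restarts."""
        self.last_activity = now

    def needs_reauth(self, now: float) -> bool:
        """True after the idle period elapses or after an app launch."""
        return self.reauth_required or (now - self.last_activity) > IDLE_TIMEOUT_SECONDS

    def on_launch(self) -> None:
        """Each launch of the application forces re-authentication, regardless of idle time."""
        self.reauth_required = True

    def close(self) -> None:
        """Overwrite the in-memory secret when the customer exits the app."""
        for i in range(len(self.token)):
            self.token[i] = 0


class AuthController:
    def __init__(self, credentials: dict):
        self.credentials = credentials
        self.accounts = {uid: AccountState() for uid in credentials}

    def login(self, user_id: str, password: str, now: float):
        """Return (status, session) where status is 'ok', 'invalid' or 'locked'."""
        state = self.accounts.get(user_id)
        if state is None:
            _derive(password, b"\x00" * 16)      # burn the same time as a real check: no user enumeration
            return "invalid", None
        if state.locked:
            return "locked", None                 # no password check once locked: stops further guessing
        salt, expected = self.credentials[user_id]
        if hmac.compare_digest(_derive(password, salt), expected):
            state.failed_attempts = 0
            return "ok", Session(user_id=user_id, last_activity=now)
        state.failed_attempts += 1
        state.alerts.append(f"failed login attempt {state.failed_attempts} of {MAX_FAILED_ATTEMPTS}")
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked = True
            state.alerts.append("access blocked after repeated failed attempts; contact the bank")
            return "locked", None
        return "invalid", None


if __name__ == "__main__":
    ctl = AuthController(make_credential_store({"cust-001": "correct horse"}))
    for attempt in range(6):
        print(ctl.login("cust-001", "wrong password", now=0.0)[0])
    print(ctl.accounts["cust-001"].alerts)
```

The lockout is applied before the password is examined, so a blocked account gives a guesser no further signal, and every failed attempt produces a customer-facing alert entry that the RE would forward over SMS or e-mail. The session object keeps the idle timer and the launch flag separate so that a customer who is actively using the app is never prompted, while a relaunch always is.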
These rules will affect not only regulated banks but also third-party payment apps like Google Pay, WhatsApp Pay, and PhonePe in terms of how they interact with banking partners and store customer data.