In an attempt to improve the safety and security of the payment systems operated by payment system operators (PSOs), the Reserve Bank of India (RBI) has proposed a framework for overall information security preparedness with an emphasis on cyber resilience.  

The framework is part of the draft paper on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs, issued by the central bank on Friday, for which it has sought feedback and comments by June 30. The central bank had first announced issuing such directions as part of the monetary policy statement of April 2022.

To provide adequate time for PSOs to put in place the necessary compliance structure, RBI has proposed a phased implementation wherein large non-bank PSOs will be required to comply with the norms from April 2024, medium PSOs from April 2025 and small PSOs from April 2028.


Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, Card Payment networks, non-bank ATM networks, White Label ATM Operators (WLAOs), large PPI (prepaid payment instrument) issuers, Trade Receivables Discounting System (TReDS) Operators, Bharat Bill Payment Operating Units (BBPOUs) and Payment Aggregators (PAs) will be considered large non-bank PSOs.

Cross-border (in-bound) Money Transfer Operators under the Money Transfer Service Scheme (MTSS) and medium PPI issuers will be considered medium non-bank PSOs, while small PPI issuers and Instant Money Transfer Operators will be considered small non-bank PSOs.

Draft paper

The draft directions cover governance mechanisms for identification, assessment, monitoring and management of cybersecurity risks including information security risks and vulnerabilities, and specify baseline security measures for ensuring safe and secure digital payment transactions.

“To effectively identify, monitor, control and manage cyber and technology related risks arising out of linkages of PSOs with unregulated entities who are part of their digital payments ecosystem (like payment gateways, third-party service providers, vendors, merchants, etc.), PSOs shall ensure adherence to these Directions by such unregulated entities as well, subject to mutual agreement,” RBI said.

Under the draft directions, PSOs will need to put in place a board-approved, organisation-wide Information Security policy, to be reviewed annually. They will also need to formulate a Cyber Crisis Management Plan and define Key Risk Indicators (KRIs) to identify potential risk events and Key Performance Indicators (KPIs) to assess the effectiveness of security controls.

The board of each PSO will be responsible for ensuring adequate oversight of information security risks, including cyber risk and cyber resilience, with the function led by a senior-level executive. Primary oversight may be delegated to a board sub-committee, which should meet every quarter to review and monitor the required parameters.

PSOs will need to undertake a cyber risk assessment before launching new products, services or technologies, or making any major changes to the infrastructure or processes of existing products and services. They will also need to develop a Business Continuity Plan (BCP) based on different cyber threat scenarios, including extreme but plausible events to which they may be exposed, to be reviewed annually.

The central bank also proposed specific security guidelines for digital payments, mobile payment services, card networks and PPI issuers, among other areas.
