The Reserve Bank of India has issued new master directions on cyber resilience and digital payment security controls for non-bank payment system operators, following an initial consultation in June 2023.
The master directions impose a slew of cybersecurity implementation and reporting measures on payment system operators.
Key considerations
Payment system operators will now be legally required to implement cybersecurity governance measures and controls by the following deadlines:
- April 1, 2025 for large non-bank payment system operators.
- April 1, 2026 for medium non-bank payment system operators.
- April 1, 2028 for small non-bank payment system operators.
The required baseline cybersecurity controls consist of comprehensive approved and documented policies for the following areas:
- Inventory and access management.
- Network, data and cloud security.
- Application security life cycle (ASLC), and patch and change management life cycles.
- Security testing and vendor risk management.
- Business continuity, incident response and employee awareness/training plans.
- Application programming interfaces (APIs).
- Other security measures including fraud resolution procedures and anti-phishing programmes.
The master directions also contain additional specific cybersecurity requirements for payment system operators that provide digital payments, including mobile payments, card payments and prepaid payment instruments (PPIs).
Non-bank payment system operators that provide digital payments must have online customer alerts in place for the parameters specified in the master directions, including changes in time zones and IP addresses. They must also ensure that every customer alert conceals customer information, gives adequate detail about the specific transaction area and, where the alert carries a one-time password (OTP), follows the format specified in the master directions.
Non-bank payment system operators that provide mobile payment services will have to take steps to ensure that their apps are secure, have proper authentication and device binding capabilities, and have customer protection measures, including fraud detection and cooling-off measures, in place.
Non-bank payment system operators that issue prepaid payment instruments (PPIs) will be required to implement a cooling-off period for fund transfers and cash withdrawals after those funds are loaded into PPIs. They will also be encouraged to make OTPs and transaction alerts available in customers’ local/chosen language.
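The following is an added illustration, not code from the RBI master directions or from any payment system operator, of how the three customer-protection controls summarised in the two paragraphs above fit together: raising an alert when a monitored session parameter such as IP address or time zone changes, masking the customer's account identifier in the alert text, and holding PPI fund transfers and cash withdrawals until a cooling-off window has elapsed since the last load. The monitored parameter list beyond IP address and time zone, the 24-hour window, the masking style and all sample data are assumptions; the directions themselves are the source for the actual values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed set of monitored parameters; the summary names time zone and IP address,
# device_id is an added assumption.
ALERT_PARAMETERS = ("ip_address", "time_zone", "device_id")

# Assumed cooling-off window; the summary above gives no figure.
COOLING_OFF = timedelta(hours=24)

# Transaction kinds the cooling-off applies to, per the summary.
COOLING_OFF_KINDS = {"fund_transfer", "cash_withdrawal"}


@dataclass
class Session:
    ip_address: str
    time_zone: str
    device_id: str


def changed_parameters(previous: Session, current: Session) -> list:
    """Return the monitored parameters that differ between two customer sessions."""
    return [p for p in ALERT_PARAMETERS if getattr(previous, p) != getattr(current, p)]


def mask_identifier(value: str, visible: int = 4) -> str:
    """Keep only the trailing characters so an alert never carries a full identifier."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def build_alert(account_number: str, changes: list, amount: float, channel: str) -> Optional[str]:
    """Compose an alert only when a monitored parameter changed.

    The account is masked and the message names the transaction area (channel and
    amount) without exposing any other customer data.
    """
    if not changes:
        return None
    what = ", ".join(c.replace("_", " ") for c in changes)
    return (f"Alert: {channel} transaction of INR {amount:.2f} on account "
            f"{mask_identifier(account_number)} from a new {what}. "
            "If this was not you, contact support.")


@dataclass
class PPIWallet:
    wallet_id: str
    loads: list = field(default_factory=list)  # timestamps of fund loads

    def record_load(self, when: datetime) -> None:
        self.loads.append(when)


def cooling_off_decision(wallet: PPIWallet, kind: str, requested_at: datetime) -> tuple:
    """Return (allowed, reason).

    Transfers and cash withdrawals are held until COOLING_OFF has elapsed since the
    most recent load; other transaction kinds pass through unchanged (assumption).
    """
    if kind not in COOLING_OFF_KINDS or not wallet.loads:
        return True, "not subject to cooling-off"
    release_at = max(wallet.loads) + COOLING_OFF
    if requested_at < release_at:
        return False, f"{kind} held until {release_at.isoformat()}"
    return True, "cooling-off period elapsed"


def run_demo() -> dict:
    """Exercise the controls on constructed sample data and return the decisions."""
    prev = Session("203.0.113.10", "Asia/Kolkata", "dev-A1")
    cur = Session("198.51.100.7", "Europe/London", "dev-A1")
    alert = build_alert("123456789012", changed_parameters(prev, cur), 2500.0, "card")

    wallet = PPIWallet("ppi-001")
    t0 = datetime(2025, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed load time
    wallet.record_load(t0)
    return {
        "alert": alert,
        "withdraw_2h": cooling_off_decision(wallet, "cash_withdrawal", t0 + timedelta(hours=2)),
        "transfer_24h": cooling_off_decision(wallet, "fund_transfer", t0 + timedelta(hours=24)),
        "purchase_1h": cooling_off_decision(wallet, "merchant_payment", t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The cooling-off check keys off the most recent load rather than the first, so a fresh top-up restarts the window, which is the behaviour a fraud-control reviewer would expect; the alert builder returns nothing when no monitored parameter changed, so the decision to notify and the content of the notification live in one place that can be audited.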
Why should you care?
The issuance of these master directions represents the first time that India has released a formal comprehensive piece of regulation targeting cybersecurity and cyber resilience — a move that is a likely reflection of the increasing digitisation of the Indian payments market.
The implementation of these guidelines should not cause too many ripples in the industry as most of the required controls are likely to have already been implemented by most major payment service operators. There may, however, be some costs in tailoring existing measures to meet the specific requirements of the master direction.
Although small payment system operators are likely to have less extensive controls currently in place, the fact that there is a nearly four-year implementation period means that there is ample time to ensure compliance.
One area that is likely to require direct action and expense by all payments operators is the requirement that payment service operators appoint a senior executive with specific expertise in information security and cybersecurity, as this is likely to be a C-suite appointment.