The Reserve Bank of India (RBI) has published detailed guidelines to build up India's digital payments architecture and improve security, control and compliance among banks, gateways, wallets and other non-banking entities that are at the front line of helping New Delhi accomplish its goal of a 'less-cash' economy.
The new rules come at a time when India’s growing payments ecosystem has seen increased instances of outages, fraud and cyber breaches. They set the framework for all regulated entities to standardise their security operations and emulate the best practices laid down by Mint Road.
These rules are applicable to scheduled commercial banks, small finance banks, payment banks and credit card-issuing NBFCs. The new set of rules also specifies the criteria under which regulated entities can form partnerships and interact with third-party apps and ecosystem players such as mobile applications, payment operators and gateways.
“The Master Direction provides necessary guidelines to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services,” the central bank said in a circular. “The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.”
All regulated entities have been given six months to ensure compliance.
The 21-page master circular issues specifications on a varied set of application areas, including mandates on source code protection of third-party UPI apps, cyber security rules for safety against external attacks, card payments and internet banking security protocols.
“Going by the pre-eminent role being played by the digital payment systems in India, RBI gives the highest importance to the security controls around it,” RBI said. “While the guidelines will be technology and platform agnostic, it will create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner. Necessary guidelines will be issued separately.”
RBI Governor Shaktikanta Das had first hinted at the introduction of these guidelines in his Monetary Policy Committee address on December 4, 2020. Das had said such a detailed specification for the payment ecosystem would seek to bring a “common minimum standard”.
These rules will have implications not only for regulated banks, but also for third-party payment applications such as Google Pay, WhatsApp Pay and PhonePe, affecting how they interact with their banking partners and store customer data.
The rules will also affect the business models of several payment gateways that rely on delayed settlement of merchant funds to banking partners. The rules now state that a payment operator or a bank cannot delay settlements to nodal settlement accounts beyond 24 hours.
“The Board and Senior Management shall be responsible for implementation of this policy. The policy shall be reviewed periodically, at least on a yearly basis. REs may formulate this policy separately for its different digital products or include the same as part of their overall product policy,” the central bank said.