The Reserve Bank of India (RBI), in the Statement on Development and Regulatory Policies dated 4 December 2020, had proposed to set up a robust governance structure for digital payment products and to implement common minimum standards of security controls for channels like internet, mobile banking, and card payments. In line with the announcement, the RBI on 18 February 2021 issued the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 (Master Directions) [1].
The Master Directions shall be applicable to 4 (four) categories of regulated entities (REs): (i) Scheduled Commercial Banks (excluding Regional Rural Banks); (ii) Small Finance Banks; (iii) Payments Banks; and (iv) Credit card issuing Non-Banking Financial Companies. The Master Directions provide a new set of regulatory guidelines for a safer and more secure digital payment system. Set out below are the key features of the new guidelines:
- The Master Directions require the REs to formulate a policy for digital payment products and services with the approval of their respective boards of directors. The policy shall be reviewed periodically, at least on a yearly basis. The policy shall incorporate appropriate processes into the RE's governance and risk management programs for identifying, monitoring and managing, on a regular basis, the specific risks associated with the portfolio of digital payment products and services. The policy shall explicitly address the functionality, security and performance requirements of the payment products.
- Where the REs depend on third party service providers, adequate mechanisms and controls for monitoring the activities of such third parties shall be put in place in line with the RBI guidelines on outsourcing. The Master Directions further require the REs to conduct risk assessments of the safety and security of digital payment products and the associated processes and services.
- As per the Master Directions, the REs shall be required to implement a web application firewall (WAF) solution and distributed denial of service (DDoS) mitigation techniques to secure the digital payment products and services offered over the internet. Further, the mobile banking, mobile payment and internet banking applications must have effective logging and monitoring capabilities to track user activity and security changes and to identify suspicious behaviour and transactions.
- The Master Directions require the REs to have an escrow arrangement for the source code of digital payment applications that are licensed by a third party vendor so as to ensure continuity of services in the event such third party vendor defaults or is unable to provide services.
- The REs shall be required to protect customer information such as account numbers, card numbers and other sensitive information when it is transmitted via SMS or e-mail. They would need to have a mechanism in place to actively monitor for non-genuine, unauthorised and malicious applications online and on popular app stores, and to take the requisite action to bring them down, if necessary. The security controls for digital payment applications must govern how the applications handle, store and protect payment data.
- In order to combat various cyber-attack mechanisms and to protect the confidentiality of payment data, the Master Directions require the REs to implement multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ business correspondents, made through digital payment applications. Further, the REs should also set down the maximum number of failed log-in or authentication attempts after which access to the digital payment product/ service shall be blocked.
- The REs would need to implement the configuration aspects for identifying suspicious transactional behaviour, such as alerting customers in case of failed authentication, the time frame within which such alerts are sent, etc.
- A real-time reconciliation framework for all digital payment transactions between the RE and all other stakeholders, such as payment system operators, business correspondents, card networks, etc., shall be put in place for better detection and prevention of suspicious transactions.
- The Master Directions prescribe certain requirements to protect customers' interests and promote customer awareness. With a view to educating customers, the REs would need to incorporate secure usage guidelines and training materials for end users within the digital payment applications. The REs shall make it mandatory (i.e., not providing any option to circumvent/ avoid the material) for the consumer to go through the secure usage guidelines (in the consumer's preferred language, where available) and record confirmation during the on-boarding procedure, in the first instance and after each (or at least each major) update of the digital payment application.
- The Master Directions require the REs to provide a grievance redressal mechanism for customers. The REs shall have to incorporate a section in the digital payment application which clearly specifies the process and procedure (with forms/ contact information, etc.) to lodge consumer grievances. Besides, the REs shall adhere to the extant instructions issued by the RBI in relation to the online dispute resolution system for digital payments.
- The Master Directions require the REs to implement additional levels of authentication for the internet banking website, such as adaptive authentication and strong CAPTCHA (preferably with anti-bot features) with server-side validation, in order to prevent authentication-related brute force attacks or Denial of Service (DoS) attacks.
- The REs would need to ensure that the mobile applications require re-authentication whenever the device or application remains unused for a designated period and each time the user launches the application. Further, the mobile application should not store sensitive personal or consumer authentication information, such as user IDs, passwords, keys, hashes or hard-coded references, on the device, and the application should securely wipe any sensitive customer information from memory when the customer exits the application. Further, the Master Directions require the REs to deactivate older mobile application versions in a phased but time-bound manner (not exceeding six months from the date of release of the newer version), i.e., maintaining only one version of the mobile application per platform/ operating system.
- The Master Directions require the REs to follow the various payment card standards prescribed by the Payment Card Industry for comprehensive payment card security, subject to the applicability/ readiness of updated versions of the standards.
- In order to improve the security of ATMs, the REs would need to: (i) implement security measures such as a BIOS password, disabling USB ports, disabling the auto-run facility, applying the latest patches for the operating system and other software, a terminal security solution, time-based admin access, etc.; (ii) implement anti-skimming and whitelisting solutions; and (iii) upgrade all ATMs to supported versions of the operating system. Any use of ATMs running unsupported operating systems shall be prohibited.
The Master Directions shall come into effect 6 (six) months from 18 February 2021. However, in respect of instructions already issued, either by the Department of Payment and Settlement Systems, the Department of Regulation or the Department of Supervision of the RBI, including those issued to select REs by way of circular or advisory, the timeline would be with immediate effect or as per the timelines already prescribed.
[1] The Master Directions can be accessed at the following link: