In February 2021, the Reserve Bank of India (RBI) issued the RBI (Digital Payment Security Controls) Directions, 2021 (master directions). The trigger for these regulations was the exponential growth of digital payments and the need to create a framework emphasizing security controls for payment systems. The master directions prescribe minimum security standards for digital payment products and aim to create a more secure digital environment for customers.
The master directions apply to these regulated entities (RE), scheduled commercial banks other than regional rural banks, small finance banks, payments banks and credit card issuing non-banking financial companies. They will come into effect on 18 August 2021, giving REs time to upgrade their security infrastructure and to carry out training.
The master directions prescribe general security controls and platform-specific security measures such as for mobile applications, and internet banking and cards for REs that are digital payment service providers.
General security controls apply to all REs and digital payments solutions providers, to standardise the governance and management of security risks of digital payments. REs must implement board-approved policies for digital payment products and services, addressing payment security requirements from the aspect of functionality, security and performance. The onus of implementation falls on the boards of directors and senior management. REs need to incorporate processes into their governance and risk management and internal controls systems to analyse, identify, monitor and manage product-specific risks, including compliance and fraud risk.
The master directions stipulate the safeguards and arrangements to be adopted by REs where digital payments applications are licensed from third parties. REs must conduct regular risk assessments on third parties. Customer protection has become important for the RBI, which expects REs to communicate appropriate guidelines to customers at various stages of their engagement with digital payment applications. REs should establish transparent and effective grievance mechanisms. REs offering internet banking to their customers must adopt security controls to prevent authentication-related attacks. Mobile payments application security controls prescribe specific measures that REs must take, such as the secure and verifiable installation and operation of updated versions of their mobile applications; employing alternative or additional authentication methods to guard against jailbroken mobile devices, and minimising the collection from, and storage of, customer data from mobile devices, especially sensitive personal and authentication information.
REs issuing physical or virtual credit, debit or prepaid cards, must follow a set of payments security controls, including updated security standards prescribed by the payments card industry. The master directions require REs to put in place appropriate monitoring and surveillance systems for card transactions; set appropriate domestic and international transaction limits, and implement prescribed security measures at POS terminals and ATMs.
The RBI increasingly recognises the effect of cyber attacks in the digital payments space, their consequences for a large, and growing consumer base, and the need to enforce standardised security measures by using existing industry standards. The master directions stipulate a secure by design approach in which REs embed security in the development life cycles of their digital payment applications.
The impact of the master directions on technology platforms that integrate and partner with REs is uncertain. There is no direct regulatory control over such platforms, but there is a clear expectation that REs will ensure that all their partner technology platforms adopt a minimum level of security controls and standards. Technical requirements from the master directions will probably become terms in contracts between REs and their technology partners.
The RBI’s focus on digital security, data protection and privacy, means that the next regulatory step might well be the addition of a privacy by design requirement to the secure by design approach, most likely with the enactment of the Personal Data Protection Bill, 2019.
Shilpa Mankar Ahluwalia is a partner and Vrinda Pareek is an associate at Shardul Amarchand Mangaldas & Co
Tel: +91 11 4159 0700, 4060 6060
New Delhi | Mumbai | Gurugram | Chennai | Bengaluru | Ahmedabad | Kolkata