RBI issues Master Direction on Digital Payment Security Controls for implementing common minimum standards of security controls for digital payment products and services


On 18th February, 2021 the Reserve Bank of India (“RBI”) issued the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 (“2021 Directions”).

The 2021 Directions will come into effect on 18th August, 2021, i.e. six months from the day they were placed on the official website of the Reserve Bank of India (RBI).

However, in respect of instructions already issued by the Department of Payment and Settlement Systems (“DPSS”), Department of Regulation (“DoR”) or Department of Supervision (“DoS”) of RBI, including those issued to select Regulated Entities (“REs”) by way of circular or advisory, the timeline is with immediate effect or as per the timelines already prescribed.

Applicability:

The provisions of these directions will apply to the following Regulated Entities (REs):

a) Scheduled Commercial Banks (excluding Regional Rural Banks);

b) Small Finance Banks;

c) Payments Banks; and

d) Credit card issuing NBFCs.

In a Press Release dated 18th February, 2021 the RBI has informed that the 2021 Directions provide necessary guidelines for the Regulated Entities (Scheduled Commercial Banks, Small Finance Banks, Payment Banks and Credit Card issuing NBFCs) to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services. The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.

Key Takeaways:

1. Governance and Management of Security Risks:

i. Regulated Entities have to formulate a policy for digital payment products and services with the approval of their Board. The contours of the policy, while discussing the parameters of any “new product” including its alignment with the overall business strategy and inherent risk of the product, risk management/ mitigation measures, compliance with regulatory instructions, customer experience, etc., should explicitly discuss payment security requirements from Functionality, Security and Performance (FSP) angles.

ii. The Board and Senior Management will be responsible for implementation of this policy. The policy will be reviewed periodically, at least on a yearly basis.

iii. REs may formulate this policy separately for their different digital products or include it as part of their overall product policy.

iv. The policy document should require that every digital payment product/ service offered addresses the mechanics, a clear definition of the starting point, critical intermittent stages/ points and end point in the digital payment cycle, security aspects, validations till the digital payment is settled, a clear pictorial representation of the digital path, and exception handling.

v. REs must incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner.

vi. As a part of this process, REs should define product-level limits on the level of acceptable security risk, document specific security objectives and performance criteria including quantitative benchmarks for evaluating the success of the security built into the digital payment product or service, periodically compare actual results with projections and qualitative benchmarks to detect and address adverse trends or concerns in a timely manner and modify the business plan/ strategy involving the product, when appropriate, based on the security performance of the product or service.

2. Application Security Life Cycle (ASLC):

i. REs should implement a multi-tier application architecture, segregating the application, database and presentation layers in the digital payment products and services.

ii. Further, a ‘secure by design’ approach should be followed by REs in the development of digital payment products and services. REs shall ensure that digital payment applications are inherently more secure by embedding security within their development lifecycle.

iii. Security objectives should be explicitly defined by REs.

iv. For digital payment applications that are licensed from a third-party vendor, REs should have an escrow arrangement for the source code to ensure continuity of services in case the vendor defaults or is unable to provide services.

3. Authentication Framework:

i. In view of the proliferation of cyber-attacks and their potential consequences, REs should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications. At least one of the authentication methodologies should be generally dynamic or non-replicable.

ii. REs may also adopt adaptive authentication to select the right authentication factors depending on risk assessment, user risk profile and behaviour. Properly designed and implemented multi-factor authentication methods are more reliable and stronger fraud deterrents and are more difficult to compromise.

iii. REs should set down the maximum number of failed log-in or authentication attempts after which access to the digital payment product/ service is blocked. They should have a secure procedure in place to re-activate the access to blocked product/ service. The customer shall be notified for failed log-in or authentication attempts.
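The control described in point iii (a failed-attempt ceiling, blocking of access, notification of the customer, and a secure re-activation procedure) can be made concrete in code. The following is an added example, not text or code from the 2021 Directions or from any RE; the threshold of five attempts, the notification channel (recorded in a list instead of an SMS/e-mail gateway) and the token-based re-activation step are all assumptions, since the Directions leave those choices to the RE.

```python
"""Failed-attempt lockout with customer notification and a one-time
re-activation token. Constructed example; threshold and channel are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # assumption: the Directions leave the number to the RE


@dataclass
class Account:
    user_id: str
    failed_attempts: int = 0
    blocked: bool = False
    # Messages sent to the customer (stand-in for SMS/e-mail/in-app push).
    notifications: List[str] = field(default_factory=list)
    # Only the hash of a re-activation token is stored, never the token itself.
    reactivation_token_hash: Optional[str] = None


def notify(account: Account, message: str) -> None:
    account.notifications.append(message)


def record_auth_attempt(account: Account, succeeded: bool) -> str:
    """Apply one authentication outcome. Returns 'blocked', 'failed' or 'ok'."""
    if account.blocked:
        # A blocked account stays blocked even on a correct credential; the
        # customer is told that someone tried, which is itself a useful signal.
        notify(account, "Login attempted on a blocked account.")
        return "blocked"
    if succeeded:
        account.failed_attempts = 0  # success resets the counter
        return "ok"
    account.failed_attempts += 1
    notify(account, f"Failed login attempt {account.failed_attempts} "
                    f"of {MAX_FAILED_ATTEMPTS}.")
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.blocked = True
        notify(account, "Access blocked after repeated failed attempts.")
        return "blocked"
    return "failed"


def issue_reactivation_token(account: Account) -> str:
    """Generate a single-use token for the re-activation procedure.

    The token would be delivered out of band (assumed); the account keeps
    only its SHA-256 so a leaked record cannot be replayed.
    """
    token = secrets.token_urlsafe(32)
    account.reactivation_token_hash = hashlib.sha256(token.encode()).hexdigest()
    return token


def reactivate(account: Account, presented_token: str) -> bool:
    """Unblock only if the presented token matches the stored hash."""
    if not account.blocked or account.reactivation_token_hash is None:
        return False
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(presented_hash, account.reactivation_token_hash):
        return False
    account.blocked = False
    account.failed_attempts = 0
    account.reactivation_token_hash = None  # single use
    notify(account, "Access re-activated.")
    return True


if __name__ == "__main__":
    acct = Account("customer-001")  # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(record_auth_attempt(acct, succeeded=False))
    tok = issue_reactivation_token(acct)
    print(reactivate(acct, "wrong-token"), reactivate(acct, tok))
    print("\n".join(acct.notifications))
```

Two design points worth noting: a correct credential presented against a blocked account does not unblock it (otherwise the ceiling would only slow an attacker down rather than stop them), and the re-activation token is consumed on first use so the same token cannot be replayed later.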

4. Fraud Risk Management:

The REs should document and implement the configuration aspects for identifying suspicious transactional behaviour in respect of rules, preventive and detective types of controls, the mechanism to alert customers in case of failed authentication, the time frame for the same, etc.

5. Reconciliation Mechanism:

A real time/ near-real time (not later than 24 hours from the time of receipt of settlement file(s)) reconciliation framework for all digital payment transactions between RE and all other stakeholders such as payment system operators, business correspondents, card networks, payment system processors, payment aggregators, payment gateways, third party technology service providers, other participants, etc., must be put in place for better detection and prevention of suspicious transactions.
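A minimal form of the reconciliation the paragraph above calls for is to match the RE's own ledger against the settlement file received from a counterparty (card network, payment aggregator, etc.) and report every transaction that does not line up, along with a check that the reconciliation ran within the 24-hour window. The code below is an added illustration, not the Directions' text or any RE's system; the two CSV layouts and their rows are constructed sample data, and the column names (`txn_ref`, `amount_inr`, `status`) are assumptions.

```python
"""Reconcile an RE ledger against a counterparty settlement file.
Constructed example; file layouts and values are assumed, not from the Directions."""
import csv
import io
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Dict, List

# Constructed sample: the RE's own record of successful digital payments.
LEDGER_CSV = """txn_ref,amount_inr,status
TXN1001,2500.00,SUCCESS
TXN1002,120.50,SUCCESS
TXN1003,999.00,SUCCESS
TXN1004,45.00,FAILED
"""

# Constructed sample: what the settlement file from the counterparty claims.
SETTLEMENT_CSV = """txn_ref,amount_inr
TXN1001,2500.00
TXN1002,125.50
TXN1005,8000.00
"""


def load_by_ref(csv_text: str) -> Dict[str, dict]:
    """Index CSV rows by transaction reference."""
    return {row["txn_ref"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(ledger_csv: str, settlement_csv: str) -> Dict[str, List]:
    """Compare ledger and settlement file; return the discrepancies by category.

    unsettled       : RE recorded success but the counterparty did not settle it
    amount_mismatch : same reference, different amount (possible tampering or error)
    unknown         : counterparty settled something the RE never recorded as success
    matched         : reference and amount agree
    """
    ledger = load_by_ref(ledger_csv)
    settlement = load_by_ref(settlement_csv)
    findings: Dict[str, List] = {"matched": [], "unsettled": [],
                                 "amount_mismatch": [], "unknown": []}

    for ref, lrow in ledger.items():
        if lrow["status"] != "SUCCESS":
            continue  # failed/reversed payments are not expected in settlement
        srow = settlement.get(ref)
        if srow is None:
            findings["unsettled"].append(ref)
        elif Decimal(srow["amount_inr"]) != Decimal(lrow["amount_inr"]):
            findings["amount_mismatch"].append(
                (ref, lrow["amount_inr"], srow["amount_inr"]))
        else:
            findings["matched"].append(ref)

    for ref in settlement:
        # Settled but never a successful ledger entry: the most suspicious class.
        if ref not in ledger or ledger[ref]["status"] != "SUCCESS":
            findings["unknown"].append(ref)
    return findings


def within_sla(received_at: datetime, reconciled_at: datetime,
               max_delay: timedelta = timedelta(hours=24)) -> bool:
    """True if reconciliation finished within the allowed window after receipt."""
    return timedelta(0) <= reconciled_at - received_at <= max_delay


if __name__ == "__main__":
    result = reconcile(LEDGER_CSV, SETTLEMENT_CSV)
    for category, items in result.items():
        print(f"{category:16s} {items}")
    received = datetime(2021, 8, 18, 9, 0, tzinfo=timezone.utc)  # constructed
    print("within SLA:", within_sla(received, received + timedelta(hours=6)))
```

Amounts are compared as `Decimal`, not `float`, so that a one-paisa difference is not lost to rounding; every non-matched category is something an operations or fraud team should be alerted on, with `unknown` and `amount_mismatch` the ones most likely to indicate a suspicious transaction rather than a timing gap.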

6. Customer Protection, Awareness and Grievance Redressal Mechanism:

i. REs should incorporate secure, safe and responsible usage guidelines and training materials for end users within the digital payment applications. They shall also make it mandatory (i.e. not providing any option to circumvent/ avoid the material) for the consumer to go through secure usage guidelines (even in the consumer’s preferred language) while obtaining and recording confirmation during the on-boarding procedure in the first instance and first use after each update of the digital payment application or after major updates to secure and safe usage guidelines.

ii. REs should educate customers about the need to maintain the physical and logical security of their devices accessing digital payment products and services including recommending secure/ regular installation of operating system and application updates, downloading applications only from authorised sources, having antimalware/ anti-virus applications on devices, etc.

7. Further, the 2021 Directions contain instructions for:

i. REs offering/ intending to offer internet banking facility to their customers.

ii. REs offering/ intending to offer mobile banking/ mobile payments facility to their customers through mobile application.

iii. REs offering/ intending to issue cards (credit/ debit/ prepaid) (physical or virtual) to their customers.


Source: Reserve Bank of India
