RBI comes out with guidelines to strengthen digital payments systems

Reported by: |Updated: February 19, 2021

The Reserve Bank of India has issued detailed guidelines to banks and financial services institutions on strengthening digital payments architecture and improve security, control and compliance. The guidelines are applicable to banks, payment gateways, wallets and other non-banking entities that are involved in financial transactions in the country. The new rules are intended to create an effective framework for standardizing security operations that are at par with global standards.

A notification by the RBI said these rules are directly applicable for scheduled commercial banks, small finance banks, payments banks and credit card-issuing NBFCs. The new rules specify the criteria under which regulated entities can form partnerships and interact with third-party apps and ecosystem players such as mobile applications, payment operators and gateways.

The notification said: “The Master Direction provides necessary guidelines…to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services…. The guidelines are technology and platform agnostic and shall create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.”

RBI has given 6 months for the institutions to implement the guidelines.

The document contains specifications on various application areas, including mandates on source code protection of third-party UPI apps, cyber security guidelines for safety against external attacks, card payments and internet banking security protocols. It specifically lays down guidelines for internet banking, mobile payments, card payments, customer protection and grievance redressal mechanism. It said: “In view of the proliferation of cyber-attacks and their potential consequences, regulated entities should implement, except where explicitly permitted/ relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs/ micro-ATMs/ business correspondents, through digital payment applications.”

RBI feels that this is expected to improve the security of digital payment channels and also acts as a convenience factor for users. These directions contain requirements for robust governance, implementation and monitoring of certain minimum standards on common security controls for channels like internet and mobile banking, card payments, etc.

The document also said financial services institutions covered under the notification should make it mandatory (i.e. not providing any option to circumvent/ avoid the material) for the consumer to go through secure usage guidelines (even in the consumer’s preferred language) while obtaining and recording confirmation during the on-boarding procedure in the first instance and first use after each update of the digital payment application or after major updates to secure and safe usage guidelines.

These institutions should also inform about types of threats and attacks used against the consumers while using digital payment products and precautionary measures to safeguard against the same.

The document said the institutions should deactivate the older application versions in a phased but time-bound manner not exceeding six months from the date of release of the newer version.