In a bid to improve governance, India’s central bank has decided to tighten the norms around security and compliance for banks and fintech companies.
Aiming to improve security, control and compliance, the Reserve Bank of India (RBI) recently released a set of detailed guidelines for wallet operators, payment gateways, banks and other non-banking entities that run payment operations within the country's borders.
The introduction of these guidelines was first hinted at by RBI Governor Shaktikanta Das in his Monetary Policy Committee address on December 4th of the previous year. This new set of rules comes at a time when fraud, outages and data breaches have been observed to spike in the country's payment ecosystem.
RBI's newly minted framework, dubbed the 'Master Direction', is essentially a set of best practices recommended by the central bank, and it will help standardise the security operations of all regulated payment processing entities.
Issued on Thursday, the RBI circular announcing the framework said that the Master Direction provides the guidelines needed to set up a robust governance structure and to deploy common minimum standards of security controls for various digital payment products and services.
Furthermore, the circular also said that the guidelines are completely technology and platform agnostic and therefore will create an ‘enhanced and enabling environment’ for customers to use digital payments in a safer and more secure way.
RBI has granted all regulated payment processing entities six months to ensure compliance. The 21-page Master Direction circular sets out specifications for source code protection of third-party UPI apps, cybersecurity guidelines to prevent external attacks, and security protocols for card payments and internet banking.
The central bank also mentioned that necessary guidelines will be issued separately and that the highest importance will be given to security controls around digital payment systems in India.
Note that these newly formulated rules will also have implications for third-party payment apps such as WhatsApp Pay, Google Pay and PhonePe, besides regulated banks, in how they interact with their partner banks and store customer data. What's more?
The rules are also bound to affect the business models of several payment gateways that rely on delayed settlement of merchant funds to their users' banks. According to the RBI's new rules, a payment operator or a bank cannot delay settlements to its customers' bank accounts by more than 24 hours.
The RBI circular states that the Board and Senior Management will be held responsible for the implementation of this policy and that the policy itself must be reviewed at least once a year.
It remains to be seen how Indian payment processing entities react and whether these RBI norms will accomplish their primary goal of improving security and compliance in the country's digital payments space. We will keep you updated on all future developments. Until then, stay tuned.