Date: 2021-02-18

The Reserve Bank of India (RBI) on Thursday said that regulated entities will have to formulate a board-approved policy for digital payment products and services, in an attempt to improve governance standards for such systems.

Released as a master direction on digital payment security controls, the norms will be applicable to scheduled commercial banks, small finance banks, payment banks and credit card issuing non-banking financial companies. However, these will not apply to regional rural banks (RRBs), the central bank said. These directions will come into effect six months from Thursday.

The regulator said that the board-approved policy must explicitly discuss necessary controls to protect the confidentiality of customer data and the integrity of data associated with the digital products and services offered. It should also discuss, RBI said, the availability of requisite infrastructure with necessary backup and be accompanied by an assurance that the payment product is built in a secure manner.

“The board and senior management shall be responsible for implementation of this policy. The policy shall be reviewed periodically, at least on a yearly basis. Regulated entities may formulate this policy separately for its different digital products or include the same as part of their overall product policy,” RBI said on Thursday.

It added that these regulated entities will have to conduct risk assessments with regard to the safety and security of digital payment products and associated processes and services. The risk assessment should take into account known vulnerabilities at each of the touchpoints and the remedial action taken by the entity; dependence on third-party service providers; and risk arising out of integration of the digital payment platform with other systems, both internal and external.

That apart, lenders also have to implement multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from ATMs. These measures have been suggested in view of the proliferation of cyber-attacks, RBI said, adding that at least one of the authentication methodologies should be generally dynamic or non-replicable.

Importantly, these entities have been asked to implement a real-time or near-real-time reconciliation framework for all digital payment transactions. They also need to incorporate secure, safe and responsible usage guidelines and training materials for customers within the digital payment applications.

Apart from these broad guidelines, RBI has also issued specific norms with regard to internet banking security controls, mobile payment security controls and those for card payments.

“Going by the pre-eminent role being played by digital payment systems in India, RBI gives highest importance to the security controls around it,” the central bank had said on 4 December. It had added that while these guidelines will be technology and platform-agnostic, they will create an enhanced and enabling environment for customers to use digital payment products in a safer and more secure manner.

