The Reserve Bank of India (RBI) prioritizes the safety and security of payment systems. To ensure that authorized non-bank Payment System Operators (PSOs) can withstand existing and emerging information-system and cybersecurity risks, the RBI announced in its Monetary Policy Statement on April 08, 2022, that it would issue directions on Cyber Resilience and Payment Security Controls for PSOs.
A draft Master Direction was published on June 02, 2023, to seek comments and feedback from stakeholders. Following this feedback, the RBI has issued final Directions. These Directions outline robust governance mechanisms for identifying, assessing, monitoring, and managing risks. They also cover baseline security measures to ensure system resiliency and secure digital payment transactions, while aiming to migrate to the latest security standards. Existing instructions on security and risk mitigation for payments using cards, Prepaid Payment Instruments (PPIs), and mobile banking remain applicable. In case of any discrepancies, the guidelines in this Master Direction will prevail.
These Directions are issued under Section 10 (2) read with Section 18 of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007). The Directions, named the Reserve Bank of India (Cyber Resilience and Digital Payment Security Controls for non-bank PSOs) Master Directions, 2024, come into effect on the day they are published on the RBI’s official website. A phased implementation approach is prescribed: large non-bank PSOs must comply by April 1, 2025, medium non-bank PSOs by April 1, 2026, and small non-bank PSOs by April 1, 2028.
The provisions of these Directions apply to all authorized non-bank PSOs. PSOs must ensure adherence to these Directions by unregulated entities in their digital payments ecosystem, such as payment gateways and third-party service providers, subject to mutual agreement. An organizational policy approved by the Board must be in place to manage these risks.
The Directions aim to enhance the safety and security of payment systems operated by PSOs by providing a framework for overall information security preparedness, emphasizing cyber resilience. The Board of Directors of the PSO is responsible for ensuring adequate oversight of information security risks, including cyber risk and cyber resilience. Primary oversight can be delegated to a sub-committee of the Board, which must meet at least once every quarter.
PSOs must formulate a Board-approved Information Security (IS) policy to manage potential information security risks, covering all applications and products concerning payment systems. The IS policy must be reviewed annually and cover roles and responsibilities of the Board, senior management, and other key personnel, measures to identify, assess, manage, and monitor cybersecurity risk, and processes for training and awareness of employees and stakeholders.
In summary, the RBI’s Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs provide a comprehensive framework for ensuring the resilience and security of digital payment systems.