The Reserve Bank of India (RBI) issued the master directions on ‘Digital Payment Security Controls’ on 18.02.2021. These directions provide necessary guidelines for setting up a robust governance structure and implementing standard security controls for digital payment services and products.
These directions apply to four regulating entities, i.e. scheduled commercial banks, payment banks, small finance banks and credit card issuing NBFCs. They provide that the four regulating entities have to formulate a policy for digital payment services and products with their board’s approval. The regulating entities need to review the policy periodically, at least once a year.
The directions also provide that wherever the regulating entities depend on third-party service providers, the regulating entities need to establish adequate controls for monitoring the third-party provider’s activity. They should have trained resources having the necessary expertise to manage the digital payment infrastructure.
The regulating entities should conduct risk assessment relating to digital payment products and services’ security and safety. The regulating entities’ internet banking application and mobile application should have adequate monitoring capabilities for tracking user activities, security changes, and identifying anomalous behaviour.
The regulating entities should also provide a mechanism for the customers to mark or identify a fraudulent transaction and send an immediate notification to the regulating entities. This mechanism will help detect frauds in the early stage and enable the payment system to trace the transaction and mitigate the loss.
The regulating entities need to implement multi-factor authentication for payments made through electronic modes and fund transfers, including cash withdrawals from ATMs. The authentication methods should be non-replicable or dynamic, such as a One Time Password, biometrics, PKI or an EMV chip card.
The regulating entities should establish secure, responsible and safe usage guidelines and training materials for customers within the digital payment application. They should make it mandatory for customers to read the usage guidelines, obtaining confirmation during onboarding and on first use after an update to the digital payment application.
The regulating entities need to describe the procedure and process for lodging consumer grievances within the digital payment application. The reporting facility on these applications should provide an option to register a consumer grievance. The directions also provide that the reporting and resolution procedures, consumer dispute handling and the expected timelines for the regulating entities' response should be defined.
The regulating entities should educate customers about maintaining the logical and physical security of their devices when accessing digital payment products and services. They should also inform customers about applying application updates, keeping a standard installation of the operating system, downloading applications only from authorised sources, running anti-virus applications on devices, etc.
The directions also contain guidelines regarding internet banking security controls, mobile payments application security controls, and card payments security, which must be implemented and followed by the regulating entities.
The Digital Payment Security Control directions create an enhanced and enabling environment for the customers to use digital payment services and products more safely and securely. They provide the option to the customers to send notification of frauds to the regulating entities. They provide for a better customer grievance mechanism.
These directions specifically state safety measures for internet banking, mobile application and card payments. The security to be provided by the regulating entities is of the highest standards. These directions ensure the highest security controls for digital payments, which will reduce frauds and cybercrimes.
For any clarifications/feedback on the topic, please contact the writer at email@example.com