RBI proposes cyber security framework for payment system operators, seeks feedback by June 30

In an effort to improve the safety and security of payment systems operated by Payment System Operators (PSOs), the Reserve Bank of India (RBI) has proposed a comprehensive information security readiness framework with a focus on cyber resilience.

The framework is part of a draft paper on cyber resilience and digital payment security controls for non-bank PSOs, released by the central bank on Friday, on which the central bank has sought feedback and comments by June 30. The central bank had first announced such directions as part of its April 2022 Monetary Policy Statement.

To provide sufficient time for PSOs to implement the necessary compliance structure, the RBI has proposed a phased implementation whereby large non-bank PSOs are required to comply with the standards from April 2024, medium PSOs from April 2025 and small PSOs from April 2028.


Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, Card Payment Networks, Non-Banking ATM Networks, White Label ATM Operators (WLAOs), Large PPI (Prepaid Payment Instrument) Issuers, Trade Receivables Discounting System (TReDS) operators, Bharat Bill Payment Operating Units (BBPOUs) and Payment Aggregators (PAs) will be considered large non-bank PSOs.

Cross-border (internal) money transfer operators under the MTSS and medium PPI issuers would be considered medium non-bank PSOs, while small PPI issuers and instant money transfer operators would be considered small non-bank PSOs.


The draft directives cover governance mechanisms for identifying, assessing, monitoring and managing cybersecurity risks, including information security risks and vulnerabilities, and outline key security measures to ensure safe and secure digital payment transactions.

“To effectively identify, monitor, control and manage cyber and related technology risks that arise from the PSO’s links with non-regulated entities that are part of its digital payment system (such as payment gateways, third-party service providers, suppliers, merchants, etc.), PSOs must ensure that these directives are adhered to by these unregulated entities as well, subject to mutual agreement,” the RBI said.

For this, PSOs will need to establish a Board-approved Information Security Policy, to be reviewed annually. They will also need to formulate a cyber crisis management plan and define key risk indicators (KRIs) to identify potential risk events and key performance indicators (KPIs) to assess the effectiveness of security controls.

The PSO’s Board will be responsible for ensuring adequate oversight of information security risks, including cyber risk and cyber resilience, led by a senior executive. However, primary oversight may be delegated to a sub-committee of the Board of Directors, which must meet quarterly to review and monitor the required standards.

PSOs will need to conduct a cyber risk assessment for the launch of new products, services or technologies, or for any major changes to the infrastructure or operations of existing products and services. They will also need to develop a Business Continuity Plan (BCP) covering various cyber threat scenarios, including extreme but plausible events to which they may be exposed, to be reviewed annually.

The central bank has also proposed specific guidelines for digital payments, mobile payment services, card networks, PPI issuers and other security measures, among others.