The Master Direction on Digital Payment Security Controls released by the Reserve Bank of India (RBI) on 18 February 2021 provides necessary guidelines and common minimum standards that regulated entities (REs) should adhere to in the areas of governance and security for digital products and services.1 The RBI has given significant importance towards the security of digital transactions, considering the growth of digital payments systems in India.
This edition of PwC’s Financial RegTech newsletter provides an overview of the RBI’s Master Direction on Digital Payment Security Controls, 2021.
The Master Direction requires all REs to set up robust governance and security structures, catering to secure internet and mobile banking, digital and card payments, among others. This comes against the backdrop of increasing adoption of digital payments, aided by a Government push as well as lifestyle changes owing to the COVID-19 pandemic. As per the latest reports by a leading technology advocacy group, the adoption of digital payments has increased manifold in the last five years and is expected to account for 58% of all transactions by 2025.
The share of digital payments is expected to grow to 58% by 2025
Source: NASSCOM
The guidelines have been issued to create a safe and secure environment for customers, thereby increasing the speed of adoption. These directions shall come into effect within six months of issuance, unless they have already been notified separately via a circular or an advisory.
The provisions under the Master Direction will be applicable to the following regulated entities:
Regulated entities are required to formulate their policy for digital payments products and services with the following main tenets:
In the following sections, we will analyse the Fraud Risk Management and Reconciliation Framework mandated by the RBI in its Master Direction.
The share of digital payments in transactions in India is estimated to grow up to 58% in 2025 from 3% in 2005.
The RBI’s Master Direction mandates all regulated entities to set up robust governance and security controls for digital payments, with elaborate fraud risk management and reconciliation.
REs are expected to define automated rules for identifying and alerting customers in case of suspected behaviour, failed authentication, etc. The configuration aspects of these rules and preventive controls should be well documented and implemented.
System alerts to cover these rules shall include (but not limited to) the following parameters:
A systematic process for fraud analysis shall be put in place to identify the reasons and formulate preventive mechanisms for such incidents. Additionally, the RBI also mandates that regulated entities should come up with the following operational changes to augment their Fraud Risk Management tool:
A characteristic of Fraud Risk Management is sending system alerts to flag transactions on unusual patterns such as high transaction velocity, high-risk Merchant Category Codes (MCC), invalid CVVs and PINs, rogue IP addresses, etc.
Banks and financial institutions should focus on upskilling their staff on the fraud management tool, RBI guidelines and SOPs to handle fraud incidences.
The RBI also mandates the introduction of a real-time/near real-time reconciliation mechanism for all digital transactions between REs and other stakeholders such as payments system operators, card networks, payments system processors, FinTech aggregators, payments gateways and technology partners. Such a reconciliation framework will enable better detection and prevention of suspicious transactions. It should be used within 24 hours of the transaction and receipt of settlement files.
The RBI mandates the introduction of a real-time/near real-time reconciliation framework for all digital transactions between REs and other stakeholders in order to detect and prevent suspicious transactions.
Additionally, REs are also required to undertake the following measures:
The RBI has come up with stringent guidelines to develop a robust ecosystem, taking into account the meteoric growth in the adoption of digital payments channels and the increasing use of such channels for fraudulent activities. At the centre of this framework lies the mandate for an elaborate Fraud Risk Management system coupled with a near real-time reconciliation mechanism to detect and prevent suspicious transactions.
Additionally, the RBI has also come up with various guidelines related to internet banking, mobile payments and security controls for card payments.
A majority of digital payments end users are first-time users with little or no knowledge of digital platforms, the risks attached and various fraudulent techniques. The central bank has taken these aspects into consideration and stressed on the importance of customer education and staff upskilling. End users will be in a better position to utilise digital payments platforms when they are aware of their rights, responsibilities, risks attached and the various risk management and grievance redressal mechanisms available. It is essential for the entire ecosystem to work together in countering the risk of fraud.
The RBI’s Master Direction is a significant step and will go a long way in mitigating the various risks that are attached with the digital payments ecosystem, thereby enhancing security and stability, and increasing adoption.
The RBI has fixed the WMA limit to INR 120,000 crore for the first half of FY21–22. It has also assured that in case the Government of India (G0I) uses 75% of this limit, fresh market loans will be floated. The interest rate for the WMA is fixed at the repo rate and that of overdrafts (OD) is fixed at the repo rate plus two percent.
The detailed notification can be accessed here.
In August 2019, the RBI published a framework for processing e-mandates on recurring online transactions done using cards and wallets. In January 2020, this framework was then extended to Unified Payments Interface (UPI) transactions as well.
In this framework, the usage of Additional Factor of Authentication (AFA) was mandatory for registration and processing of the first transaction for an amount of up to INR 5,000. The deadline for implementing the same was set to 31 March 2021.
However, some stakeholders have still not implemented this framework. To avoid customer inconvenience, the RBI has extended the implementation deadline by six months, i.e. September 2021. Stringent supervisory action will be initiated against stakeholders who are non-compliant post the extended timeline.
The detailed notification can be accessed here.
According to a circular dated 7 February 2014, the RBI issued a notice to non-banking financial company-micro finance institutions (NBFC-MFIs) regarding the pricing of credit given by them. The circular stated that the central bank will consider the average base rate of five largest commercial banks to derive the base rate for the next quarter. This average rate will be published by the RBI on the last day of the working quarter.
In alignment with the above-mentioned circular, the average base rate for the first quarter of FY21–22, i.e. April 2021 to June 2021 is fixed at 7.81%.
The detailed notification can be accessed here.
SAARCFINANCE is an association of central bank governors and finance secretaries of the SAARC region. RBI Governor Shaktikanta Das currently presides over the meetings of this association. This symposium was inaugurated by the RBI Governor on 2 March 2021.
The RBI Governor highlighted the importance of using technology by central banks in the areas of big data, digital currencies, regulatory technology (RegTech), supervisory technology (SupTech) and cyber security. The symposium included a keynote address followed by a panel discussion on ‘Cyber security in Central Banks’ and a presentation on ‘Comparison of Financial Sector Regulatory Regimes in the SAARC Region’.
The RBI Governor’s tenure as the SAARCFINANCE Chair comes to an end on 1 April 2021 and he handed over the position to the Governor of the Maldives Monetary Authority.
The detailed notification can be accessed here.
The Securities Exchange Board of India (SEBI) has been issuing various circulars from time to time for effective surveillance of the securities market. The Master Circular is a compilation of all the circulars issued by the Integrated Surveillance Department which are operational. In case of any inconsistency between the Master Circular and the applicable circulars, the content of the relevant circular shall prevail.
The circular provides information on:
The Master Circular can be accessed here.
It has come to SEBI’s notice that unsolicited messages containing stock tips/investment advice with respect to listed companies are increasingly being circulated through bulk SMS, encouraging investors and the general public to invest in or purchase the stocks of certain listed companies. In order to curb the problem of unsolicited commercial communication, all SEBI-registered entities, including MIIs (which use bulk SMS for providing their services to the investors) are advised to ensure strict compliance with the Telecom Regulatory Authority of India’s (TRAI) Telecom Commercial Communications Customer Preference Regulations (TCCCP), 2018. Non-compliance with the provisions of said regulations may result in the disruption of delivery of their messages.
The official circular can be accessed here.
The Insurance Regulatory and Development Authority of India (IRDAI) has permitted all general and health insurance companies to offer shortterm COVID-specific health insurance policies. Considering the prevailing COVID-19 situation, the IRDAI has decided to allow all insurers to offer and renew policies including the ‘Corona Kavach Policy’ and the ‘Corona Rakshak Policy’.
The advice primarily focuses on the fees, fines and penalties applicable and the derogation criteria. It aims to provide a simple framework by leveraging the existing frameworks for Trade Repositories and Securitisation Repositories, and streamlining the approach for assessment of the exemption criteria. Post the ESA’s review, authorisation and supervision of authorised reporting mechanisms (ARMs) and approved publication arrangements (APAs) will transfer from the National Competent Authorities (NCAs) to ESMA.
ESMA has proposed application, authorisation and annual supervisory fees for DRSPs. It has adopted an approach for the calculation of fees for 2022, the first year of its supervision of DRSPs. It has also proposed a simplified timeline for payment of the fees.
In its technical advice on fines and penalties for DRSPs, ESMA has proposed on specific procedures and aspects. After submitting its technical advice to the Commission, ESMA will continue working with NCAs on a smooth transfer of supervisory responsibilities for the relevant DRSPs as of 1 January 2022.
The official notification can be accessed here.
The Financial Conduct Authority (FCA) has launched a new campaign encouraging individuals working in financial services to report potential wrongdoing, which also includes materials for firms to share with employees. Financial institutions should take advantage of the additional resources available and incorporate these into their whistle-blower programmes.
The official notification can be accessed here.
ESMA published the results of the 2020 Common Supervisory Action (CSA) on Undertakings for the Collective Investment in Transferable Securities (UCITS) liquidity risk management (LRM).
The 2020 CSA aimed to get a comprehensive market overview, including detailed insights into the practical implementation and quality of liquidity risk management processes. The COVID-19 outbreak gave further stimulus to deepening the exercise.
Compliance with the UCITS LRM ensures protection for investors, financial stability and orderly functioning of financial markets.
The FCA has announced the dates that panel bank submissions for all LIBOR settings will cease, after which representative LIBOR rates will no longer be available. This is an important step towards the end of LIBOR. The Bank of England and the FCA urge market participants to continue to take necessary action to ensure that they are ready.
The official notification can be accessed here.
ESMA has submitted its response to the European Commission’s (EC) targeted consultation on the European Single Access Point (ESAP). It has proposed a phased approach, prioritising the financial and non-financial information of public companies. The ambition to set up the ESAP will increase investors’ trust in companies across the European Union (EU) and lower the cost of capital. ESMA believes that full benefit can be reaped only if the information available in the single database is comparable in terms of content and rendered in a structured and machine-readable format.
Acknowledgements: This newsletter has been researched and authored by Samrat Biswas, Akanksha Mota and Prachi Gujare.