Key proposals include a mechanism to disable payments on a mobile device if a remote user has been granted access to that device. RBI also wanted to ensure that transaction alerts mentioned the names of merchants and not payment gateways. A cooling-off period of at least 12 hours for payments after a change of registered mobile phone number or email ID was also suggested. The instructions are based on the licensing of the payment system operators by the central bank, and issuing master instructions makes them fully regulated entities. These measures are part of the draft guidelines on “Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs)”. PSO is an umbrella term that includes financial market infrastructure providers such as retail payment organizations like NPCI, card payment networks like Visa, Mastercard and RuPay, non-bank ATM networks and major issuers of prepaid instruments.
In addition to institutionalizing best practices that some large PSOs are already using, the regulator has attempted to address some root causes of fraud. For example, there are scams in which the victim is tricked into installing a remote access app like AnyDesk that allows the scammer to take control of the device. The instructions classify PSOs by the space in which they operate and by their scope of business. The directives will come into force from April 2024 for large PSOs, from April 2026 for medium-sized PSOs and from April 2028 for small PSOs.
The infrastructure providers and their subordinate entities, which also include TReDS (Trade Receivables Discounting System) operators, Bharat Bill Payment Operating Units (BBPOUs) and Payment Aggregators (PAs), are classified as large non-bank PSOs.
Cross-border (inbound) money transfer providers under the Money Transfer Service Scheme (MTSS) and medium-sized issuers of prepaid instruments are treated as medium-sized non-bank PSOs. Small issuers of prepaid instruments and providers of instant transfers are small non-bank PSOs.
The central bank has requested feedback on the draft standards by June 30.