From April 1, all licensed payment system operators (PSOs) will have to submit detailed “compliance certificates” to the central bank twice a year, signed by their CEOs or managing directors, confirming adherence to all RBI regulations around security and storage of payment data.
In a letter issued on Friday by the central bank's Department of Payment and Settlement Systems (DPSS) to all PSOs, RBI has asked that these certificates be submitted on April 30 and October 31 every year, covering the half-years ending March 31 and September 30 respectively. ET has reviewed a copy of the letter.
Other Requirements
These requirements are over and above those mandated by the central bank in April 2018, when it asked all PSOs to submit a board-approved System Audit Report (SAR) prepared by CERT-In-empanelled auditors.
The payment companies were also asked to submit, by December 2018, a one-time compliance report on the data localisation norms, which mandate that data relating to payments in India be stored on servers physically located in the country.
“In addition to these requirements, it is hereby advised that a compliance certificate duly signed by the CEO/MD/chairman, shall be submitted on an ongoing basis at half-yearly basis…” the central bank said in the letter cited above.
A mail sent to the RBI didn’t elicit a response till the time of going to press.
The new requirement comes at a time when several Indian payment and tech startups are said to have suffered data breaches in recent months. In January, Gurugram-based Mobikwik joined a list of high-profile companies alleged to have been hit by cyber breaches, which also includes grocery e-tailer Big Basket, educational technology platform Unacademy and payment aggregator JusPay.
While top Mobikwik executives have repeatedly denied any breach, several leading cybersecurity researchers corroborated the extent and nature of the attack on the fintech startup's servers, and claimed that the personal information of over 100 million Indians was put up for sale on the dark web.
Another attack, on payment aggregator JusPay, was also reported in January; data of over 100 million of its clients' customers was allegedly leaked and sold on the dark web for bitcoin worth just $6,000.
Data of nine million card users was leaked in separate attacks on the servers of Noida-based e-marketplace ClickIndia and Gurugram-based neobank Chqbook earlier in 2021.
According to industry sources, the Reserve Bank of India is learnt to be examining these security breaches. It is of the view that the impact of cyber attacks can be limited if exposure of sensitive data is restricted to a small number of servers that can be better supervised.
The central bank has also introduced several new rules to this end, including the Payment Aggregator and Payment Gateway guidelines, which will restrict the exposure of customer data to the servers of licensed gateways only. These guidelines come into effect from June 2021.
“As digital payments have grown, the scrutiny on security of users has also become a central theme of RBI’s supervision mandate for this sector,” said an industry official requesting anonymity.
“The payments industry must brace for tightened scrutiny by the central bank, especially with regard to how they treat customer data. We have already seen several surprise security audits and notices by authorities at payment companies this year,” the official added.