RBI Tightens Norms for Digital Payments; Asks Banks, FIs To Protect Consumer Confidentiality, Data
The Reserve Bank of India (RBI), in its master directions, has asked regulated entities (REs) such as banks and financial institutions to put in place adequate safeguards to protect the integrity of data, customer confidentiality and the security of data in digital payment products and related services, across channels such as internet banking, mobile banking and card payments.
The directions state: "REs shall develop sound internal control systems and consider the operational risk before offering digital payment products and related services. For digital payment applications that are licensed by a third-party vendor, REs shall have an escrow arrangement for the source code for ensuring continuity of services in case the vendor defaults or is unable to provide services."
Earlier, the National Payments Corporation of India (NPCI) was tasked with setting the ground rules, both as a service provider and as a quasi-regulator for digital payments. This is the first time that RBI has issued detailed directions on digital payments for REs, including all commercial banks, small finance banks, payment banks and credit card-issuing non-banking financial companies (NBFCs).
In view of the proliferation of cyber-attacks and their potential consequences, RBI has asked REs to implement, except where explicitly permitted or relaxed, multi-factor authentication for payments through electronic modes and fund transfers, including cash withdrawals from automated teller machines (ATMs), micro-ATMs and business correspondents, through digital payment applications.
"At least one of the authentication methodologies should be generally dynamic or non-replicable. This includes the use of one-time password (OTP), mobile devices (device binding and SIM), biometric, public key infrastructure (PKI), hardware tokens, Europay, MasterCard, and Visa (EMV) chip card (for card present transactions) with server-side verification could be termed either in dynamic or non-replicable methodologies," RBI says.
Properly designed and implemented multi-factor authentication methods are more reliable and stronger fraud deterrents and are more difficult to compromise, the central bank says, while directing REs to adopt adaptive authentication to select the right authentication factors depending on risk assessment, user risk profile and behaviour.
RBI has also asked REs to set a maximum number of failed log-in or authentication attempts after which access to the digital payment product or service is blocked. "They (REs) should have a secure procedure in place to re-activate access to blocked product or service. The customer should be notified for failed log-in or authentication attempts," it added.
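The three requirements in that paragraph (an attempt limit, a notification on every failure, and a secure re-activation path) map onto a small piece of server-side logic. The following is an added example written for this article, not RBI's text or any bank's code; the attempt limit of 5, the notification channel (modelled as an in-memory list standing in for SMS or e-mail) and the single-use re-activation token are assumptions.

```python
"""Failed-attempt lockout for a digital payment login, with customer
notification and a secure re-activation procedure.

Added example, not RBI's text or any bank's code. The attempt limit, the
out-of-band notification channel (modelled as an in-memory list) and the
single-use re-activation token are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 5   # assumed policy value; the directions leave the number to the RE


@dataclass
class AccountState:
    failed_attempts: int = 0
    blocked: bool = False
    reactivation_token: Optional[str] = None          # delivered out of band, single use
    notices: list = field(default_factory=list)       # stands in for SMS / e-mail alerts


class LoginGate:
    def __init__(self, credentials: dict):
        # user id -> secret. Real deployments store a password hash (argon2/bcrypt);
        # plain strings keep the example self-contained.
        self._credentials = credentials
        self._state: dict = {}

    def state(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def _password_ok(self, user: str, password: str) -> bool:
        expected = self._credentials.get(user, "")
        # constant-time comparison; an unknown user goes through the same path
        return hmac.compare_digest(expected.encode(), password.encode()) and user in self._credentials

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'blocked'. Every failure is notified to the customer."""
        st = self.state(user)
        if st.blocked:
            st.notices.append("Login attempted on a blocked account")
            return "blocked"
        if self._password_ok(user, password):
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        st.notices.append(f"Failed login attempt {st.failed_attempts} of {MAX_FAILED_ATTEMPTS}")
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.blocked = True
            st.reactivation_token = secrets.token_urlsafe(32)
            st.notices.append("Access blocked; re-activation token sent to registered contact")
        return "denied"

    def reactivate(self, user: str, token: str, password: str) -> bool:
        """Re-activation needs the out-of-band token AND the password; the token is single use."""
        st = self.state(user)
        if st.reactivation_token is None:
            return False
        token_ok = hmac.compare_digest(st.reactivation_token.encode(), token.encode())
        if not (token_ok and self._password_ok(user, password)):
            return False
        st.reactivation_token = None     # consumed: a replayed token must not work
        st.blocked = False
        st.failed_attempts = 0
        st.notices.append("Access re-activated")
        return True


def demo() -> dict:
    """Drive the gate through lockout and recovery with constructed inputs; returns the outcomes."""
    gate = LoginGate({"alice": "correct horse battery staple"})
    wrong = [gate.attempt("alice", "hunter2") for _ in range(MAX_FAILED_ATTEMPTS)]
    right_but_blocked = gate.attempt("alice", "correct horse battery staple")
    token = gate.state("alice").reactivation_token
    bad_token = gate.reactivate("alice", "not-the-token", "correct horse battery staple")
    reactivated = gate.reactivate("alice", token, "correct horse battery staple")
    replay = gate.reactivate("alice", token, "correct horse battery staple")   # token already consumed
    after = gate.attempt("alice", "correct horse battery staple")
    return {"wrong": wrong, "blocked": right_but_blocked, "bad_token": bad_token,
            "reactivated": reactivated, "replay": replay, "after": after,
            "notices": len(gate.state("alice").notices)}
```

Two design points worth noting: the block persists until the customer completes re-activation rather than silently expiring, and re-activation requires both the out-of-band token and the password, so neither a leaked token nor a guessed password alone unblocks the account.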
Often, customers face delays in receiving refunds for failed transactions and in the handling of suspicious transactions. In the master directions, RBI has asked REs and all other stakeholders, such as payment system operators, business correspondents, card networks, payment system processors, payment aggregators, payment gateways, third-party technology service providers and other participants, to put in place a real-time or near-real-time (not later than 24 hours from the time of receipt of settlement files) reconciliation framework for all digital payment transactions.
RBI also specified that digital payment products and services should be provided to customers only after obtaining specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions.
Further it says, "REs should provide a mechanism on their mobile and internet banking application for their customers to, with necessary authentication, identify or mark a transaction as fraudulent for seamless and immediate notification to his RE. On such notification by the customer, the REs may endeavour to build the capability for seamless or instant reporting of fraudulent transactions to the corresponding beneficiary or counterparty’s RE; vice-versa have mechanism to receive such fraudulent transactions reported from other REs. The objective of this mechanism is to accelerate early detection and enable the banking or payment system to trace the transaction trail and mitigate the loss to the defrauded customer at the earliest possible time."
The mobile apps of most banks and financial institutions are perpetually in a work-in-progress state, about which the less said the better. Most of these apps are developed and maintained by third-party vendors on behalf of the banks and financial institutions. The most important issue with such apps is the absence of periodic updates, especially for security and user-friendliness.
However, with the new master direction, RBI wants these REs to detect any anomalies or exceptions for which the mobile application was not programmed and ask the customer to remove this app and install a new one. "...the customer shall be directed to remove the current copy or instance of the application and proceed with installation of a new copy or instance of the application. REs shall be able to verify the version of the mobile application before the transactions are enabled."
As if this were not enough of a challenge for REs, the central bank also wants them to verify that the device is not rooted or jailbroken. It says, "REs may explore the feasibility of implementing a code that checks if the device is rooted or jailbroken prior to the installation of the mobile application and disallow the mobile application to install or function if the phone is rooted or jailbroken."
RBI also asked REs to ensure device binding of the mobile application. This means the application is tied to a specific handset and to the mobile SIM registered with the RE, so the customer has to transact from that same device and SIM.
According to the directions, the mobile application should require re-authentication whenever the device or application remains unused for a designated period and each time the user launches the application. "Applications must be able to identify new network connections or connections from unsecured networks like unsecured wi-fi connections and must implement appropriate authentication, checks and measures to perform transactions under those circumstances."
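Three of the preceding requirements are naturally enforced on the server before a transaction is enabled: the app version check (directing the customer to reinstall), the device-and-SIM binding, and re-authentication after an idle period. The following is an added example written for this article, not RBI's text or any bank's code. The request fields, the minimum version, the idle timeout and the enrolment record are assumptions; the on-device rooted/jailbroken check and the unsecured-network detection are not modelled here, since both run on the handset rather than the server.

```python
"""Server-side pre-checks before a transaction is enabled for a mobile banking
session: minimum app version, device binding and idle re-authentication.

Added example, not RBI's text or any bank's code. The request fields, the
version policy, the idle timeout and the enrolment record are assumptions.
"""
from dataclasses import dataclass

MIN_APP_VERSION = (3, 2, 0)        # assumed: oldest build still allowed to transact
IDLE_REAUTH_SECONDS = 5 * 60       # assumed idle period after which re-authentication is required


def parse_version(text: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Binding:
    """What the RE recorded when the customer enrolled the app on this handset."""
    device_id: str
    sim_id: str        # e.g. an ICCID reported at enrolment


@dataclass
class Request:
    user: str
    app_version: str
    device_id: str
    sim_id: str
    last_auth_at: float    # server-side timestamp of the last successful authentication
    now: float


def transaction_precheck(req: Request, bindings: dict) -> tuple:
    """Return (allowed, reason). The first failing check wins and tells the app what to do."""
    try:
        version = parse_version(req.app_version)
    except ValueError:
        return False, "reinstall_required"
    if version < MIN_APP_VERSION:
        # Directions: the customer is directed to remove the current copy and install a new one
        return False, "reinstall_required"
    bound = bindings.get(req.user)
    if bound is None:
        return False, "device_enrolment_required"
    if (req.device_id, req.sim_id) != (bound.device_id, bound.sim_id):
        # A different handset or a swapped SIM breaks the binding
        return False, "device_binding_mismatch"
    if req.now - req.last_auth_at > IDLE_REAUTH_SECONDS:
        return False, "reauthentication_required"
    return True, "ok"


def demo() -> list:
    """Run the gate over constructed requests; returns the (allowed, reason) for each."""
    bindings = {"alice": Binding(device_id="dev-7f3a", sim_id="sim-8991")}   # constructed enrolment record
    base = dict(user="alice", app_version="3.2.0", device_id="dev-7f3a", sim_id="sim-8991",
                last_auth_at=1_000_000.0, now=1_000_060.0)
    cases = [
        Request(**base),                                                      # everything in order
        Request(**{**base, "app_version": "3.1.9"}),                          # outdated build
        Request(**{**base, "app_version": "v3"}),                             # unparseable version string
        Request(**{**base, "sim_id": "sim-0000"}),                            # SIM swapped
        Request(**{**base, "now": 1_000_000.0 + IDLE_REAUTH_SECONDS + 1}),    # idle too long
        Request(**{**base, "user": "bob"}),                                   # never enrolled
    ]
    return [transaction_precheck(c, bindings) for c in cases]
```

The order of the checks is deliberate: the version check runs first so that an outdated client always receives the reinstall instruction, and an unparseable version string is treated the same way rather than being let through. Note that version tuples compare lexicographically, so a client reporting "3.2" sorts below the minimum (3, 2, 0) and is rejected as outdated.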
"The mobile application should not store, retain sensitive personal or consumer authentication information such as user IDs, passwords, keys, hashes, hard coded references on the device and the application should securely wipe any sensitive customer information from memory when the customer or user exits the application," RBI added.
According to RBI, while the guidelines are technology and platform agnostic, they will create an enhanced and enabling environment for customers to use digital payment products in a safer and more secure manner.