The Committee on Payment and Settlement Systems (CPSS) and International Organisation of Securities Commissions (IOSCO) had, in April 2012, published 24 principles as part of its report titled 'Principles for Financial Market Infrastructures (PFMIs)'. The principles apply to all systemically important payment systems (SIPS), central securities depositories (CSDs), securities settlement systems (SSSs), CCPs and TRs (collectively 'financial market infrastructures'). In line with this approach, the RBI adopted the above international standards and in June 2013, issued a policy document titled 'Regulation and Supervision of FMIs regulated by RBI' which detailed the criteria for designating an FMI, applicability of the PFMIs to the FMIs, tools for oversight of FMIs and other related aspects.
Since then, the country has witnessed continuous expansion in the payment landscape, not only in payment infrastructures but also in terms of volume and value of digital payment transactions. With an aim to better clarify RBI's oversight objectives and policies and in keeping with the commitment made in Vision 2019-2021, a revised policy document titled 'Oversight Framework for FMIs and Retail Payment Systems' was released on June 13, 2020. The revised framework broadly covers the legal framework for oversight, definition and scope of oversight, oversight activities, supervisory considerations that have arisen since the time of the previous document, cooperation with other regulatory authorities, etc.
Off-site supervision of authorised payment systems is conducted using various tools, such as (a) analysis of prescribed data / information received on periodic basis from regulated entities, (b) fraud monitoring / system of alerts, (c) regular meetings with authorised PSOs, (d) market intelligence, and (e) oversight reports and surveys.
Presently, card payment networks (other than NPCI) and Cross-border Money Transfer (in-bound service) operators are regulated and overseen through off-site supervision only, as they are institutionalised in foreign jurisdictions. These entities are, however, required to submit, on an annual basis, a System Audit Report (SAR) of their entire systems, including the domestic infrastructure. RBI continuously engages with these entities to ascertain gaps, if any, in their risk assessments.
CCIL is an FMI and its oversight is done as per the oversight policy for FMIs. The offsite supervision of CCIL is undertaken through the following:
Onsite inspection complements the offsite monitoring mechanism and is carried out on a periodic basis as determined by RBI. It is based on the risk profile of the entity derived from its annual self-assessment. In addition to information furnished by the entity, market intelligence, if any, is also considered during inspection.
Currently, RBI conducts onsite inspection of CCIL, NPCI, authorised PPI issuers, White Label ATM Operators, ATM Network Operators, Instant Money Transfer Operator and TReDS Operators. Of these, CCIL and NPCI are assessed against the 24 PFMIs using the 'Committee on Payments and Market Infrastructures - International Organisation of Securities Commissions (CPMI-IOSCO) Assessment Methodology'. Onsite inspection of CCIL is conducted annually, NPCI biennially, and others either annually, biennially or triennially depending on the size of their business and volume / value of transactions handled by them.
With rapid advancement in the payment ecosystem and the advent of non-bank entities in the payment landscape, coupled with changing technologies and digital consumer demands, new trends in payment transaction frauds are coming to light. While payment system participants and PSOs have put in place advanced security systems to protect consumers, including real-time transaction analysis, behavioural biometrics on devices, tracking technology, etc., to help identify and prevent potential frauds, the payment industry continuously demands higher levels of fraud prevention services and security technologies. It is essential to appropriately capture information pertaining to all frauds relating to payment transactions processed through payment systems, which would help put in place active risk management practices to fight online fraud on the internet and on mobile devices.
Accordingly, RBI has created CPFIR, a web-based reporting platform to facilitate online payment fraud reporting by system participants.
The registry of all payment related frauds helps ascertain deficiencies in the systems and processes, enables strengthening of existing controls and helps in devising additional controls as part of sound and efficient risk management processes. Faster dissemination of information on payment frauds by RBI to system participants would facilitate the introduction of necessary safeguards and preventive measures to ensure that adequate caution and controls are put in place by the system participants. The aggregated fraud data will also be published to educate customers on emerging risks.
RBI has been publishing data on transactions carried out using various payment systems operated by authorised PSOs. In view of the rapid developments in the payment ecosystem and the evolution of new systems, products and channels used to undertake digital payment transactions, RBI reviewed the definition of digital payment transactions. It also enhanced the scope and coverage of Payment System Indicators published in its monthly RBI Bulletin to include recent payment systems and to disseminate granular details of payment transactions. Further, the payment transactions undertaken using different payment channels and details of payment system infrastructure are also disseminated. The data in the revised form and structure is being published in the RBI Bulletin from the month of January 2020 onwards.
Authorised PSOs are mandated to carry out a System Audit on an annual basis by a Certified Information System Auditor (CISA) qualified auditor registered with ISACA, or by a holder of the Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI).
The payment landscape has experienced extensive leveraging of advanced technology in facilitating the processing of payment transactions by the PSOs as well as their service providers / intermediaries / third party vendors and other entities in the payment ecosystem. On the other hand, the number, frequency and impact of cyber incidents / attacks have increased manifold. In order to enhance the resilience of the payment systems, to bring in standardisation and to ensure that relevant areas of information system processes and applications are covered, the scope of the SAR was revised in January 2020.
The enhanced scope broadly covers Information Security Governance, Access Control, Hardware Management, Network Security, Data Security, Physical and Environmental Security, Human Resource Security, Business Continuity Management, System Scalability, IT Project Management, Vendor / Third Party Risk Management, Incident Management, Change Management, Patch Management, Log Management, Secure Mail and Messaging systems, Mobile and/or other Input / Output Device Management Policy, Security Testing and Source Code Review, Online Systems Security, Mobile Online Services (applicable for entities offering services through mobile applications), etc.
The PSS Act empowers RBI to (a) impose a penalty for a contravention or a default and (b) compound contraventions of any of the punishable offences under the Act. In order to bring in transparency, RBI reviewed and revised the process of levy of penalty on authorised PSOs / banks under the PSS Act on January 10, 2020. The revised framework centres around objectivity and transparency in the decision-making process. The decision to impose a penalty and the calculation of the penalty amount are based on a set of pre-defined objective criteria. Further, adequate opportunities are provided to the PSOs / banks to present their case.
New situations like the failure of a major bank, a pandemic situation, etc., bring out unique solutions and warrant an aggressive approach as well. BCP plans get tested in live scenarios and for extended periods. Such BCP plans include situations of non-availability of adequate and critical resources, places of normal operations, etc.
In view of the situation arising out of COVID-19 in March 2020, a host of unprecedented measures were taken to ensure seamless and unhindered operation of not only the centralised payment systems (RTGS and NEFT) but also payment systems operated by other operators, like IMPS, UPI, NACH, CTS, cards, etc. Coordinated efforts with the Government, PSOs and Regulated Entities (REs), including banks and non-banks, ensured uninterrupted functioning of all PSS operating across the country. Further, certain relaxations were given to REs to allow them to cope with the restrictions in physical movement.
The day-to-day operations of the RTGS system were shifted to be carried out from the Primary Data Centre (PDC). Staff performing critical functions pertaining to centralised payment systems were isolated in a quarantined environment at a hotel near the PDC, with necessary travel arrangements in place. The hotel, PDC and vehicles were sanitised regularly to safeguard employee welfare. Two teams of staff, with an additional team on permanent standby, ensured seamless operations. Rotation of staff every fortnight after thorough screening by RBI in-house doctors facilitated unhindered operations.
Sustained efforts were undertaken by the department to ensure that PSOs and their services were declared as 'essential services'. The Government DBT payments to help the poor and marginalised commenced on a large scale in April 2020, which was smoothly facilitated by the NACH-APBS.
CCIL implemented business continuity measures by entering into an arrangement with a hotel in the vicinity to provide accommodation exclusively for its key staff personnel. Similar arrangements were also in place at the in-city secondary site and the remote disaster recovery site, with the minimum staff essential to take over in case of any disruption in the activities at the primary site. The staff and participants were provided remote access to the systems through a Virtual Private Network (VPN) facility to facilitate operations with skeletal staff working from office. Further, to minimise risks and to ensure that market participants maintain adequate checks and supervisory controls while optimising thin resources and ensuring the safety of personnel, trading hours for various markets were reduced / revised in April 2020.
RBI has also put in place a Standard Operating Procedure (SOP) to be followed when a bank is placed under All Inclusive Directions or Moratorium, so that payment systems can operate without any disruption. The SOP gets refined with every incident and is circulated amongst all the stakeholder departments in the Reserve Bank for co-ordinated and effective implementation in a seamless manner. The SOP was tested in the incident of March 2020 and modified with the experience gained, which ensured that payment systems operated smoothly after the November 2020 incident.
Source : RBI
Last Modified : 9/17/2021