RBI has implemented these new rules as emphasized during cases of high-profile cyberattacks against India’s technology ecosystem, including payment solution systems such as Mobikwik, Juspay, and Upstox, where customers’ payments data were put at risk.
Payment companies’ outsourcing of settlement and payment-related activities to third-party operators has been reviewed and finalised by the Reserve Bank of India. Alongside this formalisation of new guidelines by the central bank come different notorious cyber-attacks – targeting payment solution systems such as Mobikwik, Juspay, and Upstox. These attackers have been targeting the payment data of customers.
Licensed non-bank Payment System Operators or PSOs are said to not be able to outsource functions of core management which includes observance with the KYC standards to third-party service providers and internal audits.
The core management functions also comprise payment system operations management incorporating netting and settlement, supervising transactions, account reconciliations, customer data management, item reporting and processing, information technology and security management, risk management, and more. Moreover, the need for outsourcing responsibilities by the payment companies’ board is obliged to be cautiously evaluated as per the central bank.
RBI has pointed up the careful evaluation in care of Payment System Operators regarding their activities and critical processes, involving comprehensive risk assessment based on their selection of service providers.
They also added that once those critical processes have been disordered, they could potentially inflict extensive impressions and impact operations, profitability, customer service, and reputation.
It has ultimately been stressed through the new guidelines as well on how the board members and licensed payment operators’ senior management shall be liable in instances of third-party losses. The central bank mentioned that the PSO obligations are not intended to reduce any outsourcing activity. The responsibility and accountability of these outsourcing activities are under the board and senior management.
It was the 5th of February 2021 when the Reserve Bank of India has initially announced its fresh set of guidelines during the monetary policy event to envision and empower more effective management in payment settlements and outsourcing activities of attendant risks. In February, RBI Governor Shaktikanta Das highlighted that a constant and thorough upgrade of digital payment companies’ resilience to operational risks is necessary throughout his MPC address.