Supervision Norms for Payment Companies

Supervision Norms for Payment Companies


Cyber security crimes have increased manifold which has compelled Reserve Bank of India, the Regulator to tighten the supervision norms for payment companies. RBI has said that from April 1, all licensed payment system operators (PSOs) will have to submit detailed “compliance certificates” to the central bank twice a year. This should be signed by their CEOs or managing directors, confirming adherence to all RBI regulations around security and storage of payment data.

1. A letter issued by the central bank’s Department of Payment and Settlement Systems (DPSS) to all PSOs, reveals that there is an instruction from RBI to submit these certificates, on April 30 and October 31 for the period ending March 31 and September 30, respectively, every year.
2. It is also stated that these requirements are over and above the ones mandated by RBI in April 2018 when it called all PSOs to submit board-approved annual System Audit Report (SAR) by CERT-empanelled auditors.
3. At that time the payment companies were then asked to submit a one-time compliance report with data localisation norms which mandate the data relating to payments in India will be stored in a server physically present in the country, by December of 2018. Now in addition to this, the Central Bank has advised that a compliance certificate duly signed by the CEO/MD/Chairman, shall be submitted on an ongoing basis at half-yearly basis.

• Several payment and tech startups have in the recent past suffered data breaches.
• Gurugram-based Mobikwik in January joined a list of high-profile targets that have been allegedly afflicted by cyber breaches.
• Other companies that have recently been affected are grocery e-tailer Big Basket, educational technology platform Unacademy and payment aggregator JusPay.

No Comments

Give a comment