
In an effort to enhance the safety and security of payment systems, the Reserve Bank of India (RBI) has introduced a set of guidelines aimed at improving cyber resilience. These guidelines, outlined in a draft paper released in June 2023 and titled "Cyber Resilience and Digital Payment Security Controls for non-bank PSOs," provide a roadmap for non-bank payment system operators (PSOs) to safeguard digital transactions effectively. Let's explore the key aspects of this initiative in a simple and understandable manner.
To ensure a smooth transition, the RBI has divided the implementation into phases based on the size of the PSO. The largest non-bank PSOs, such as the Clearing Corporation of India Limited (CCIL), the National Payments Corporation of India (NPCI), and card payment networks, are required to comply with the guidelines by April 2024. Medium-sized PSOs, including cross-border money transfer operators and medium PPI issuers, will have until April 2025. Finally, small PSOs, like small PPI issuers and instant money transfer operators, have until April 2028 to meet the compliance requirements. This staggered approach gives PSOs time to establish the necessary measures, though the largest operators have less than a year from the draft's release to do so.
The draft paper highlights several key areas aimed at improving cyber resilience and digital payment security controls. PSOs are expected to have governance mechanisms in place to identify, assess, monitor, and manage cybersecurity risks, including the vulnerabilities in their own systems. The RBI also sets out baseline security measures that every PSO must implement to ensure secure digital payment transactions.
A payment ecosystem is only as secure as its weakest participant, so the draft also addresses entities that take part in a PSO's digital payments ecosystem but are not themselves regulated by the RBI. PSOs must ensure that these unregulated entities also adhere to the specified security measures. This collaborative approach strengthens the overall security of the payment ecosystem rather than leaving gaps at its edges.
PSOs are required to develop an information security policy approved by their boards, which should be reviewed at least annually. They must also create a Cyber Crisis Management Plan and establish Key Risk Indicators (KRIs), which help identify potential risk events before they materialise, and Key Performance Indicators (KPIs), which measure the effectiveness of the security controls already in place.
The responsibility for overseeing information security risks, including cyber risk and resilience, lies with the board of the PSO. A senior-level executive is responsible for leading the effort day to day, and a board sub-committee may be formed to provide primary oversight. The sub-committee should meet at least quarterly to review and monitor the relevant parameters.
PSOs need to conduct cyber risk assessments before launching new products, adopting new technologies, or making significant changes to existing infrastructure or processes, rather than only after a security incident. They must also develop a Business Continuity Plan (BCP) that considers various cyber threat scenarios and is reviewed annually to ensure it remains effective.
Beyond these governance requirements, the RBI has proposed specific security controls for digital payments, mobile payment services, card networks, and prepaid payment instrument (PPI) issuers, along with other baseline security measures that apply across the board.
To ensure the guidelines align with industry needs, the RBI has invited feedback and comments from all stakeholders. This open dialogue allows for refinements and enhancements to the framework before it is finalised. Interested parties have until June 30, 2023 to provide their input.
The RBI's proposed guidelines for enhancing cyber resilience in payment systems demonstrate its commitment to ensuring secure digital transactions in India. PSOs now have a clear path to follow, with requirements for board-approved information security policies, risk assessments ahead of change, and business continuity planning. By embracing these guidelines, PSOs can strengthen the payment ecosystem and protect the interests of consumers and businesses alike.