Mumbai: The RBI on Tuesday said non-bank payment system operators will have to put in place a real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts.
Also, non-bank payment system operators (PSOs) will have to ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login, according to Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs.
The directions have come into effect from Tuesday, but the Reserve Bank has also prescribed a phased implementation to provide adequate time to PSOs to put in place the necessary compliance structure.
RBI said the directions aim to improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.
Regarding mobile payments, RBI said PSOs should ensure that an authenticated session, together with its encryption protocol, remains intact throughout an interaction with the customer.
“In case of any interference or if the customer closes the application, the session shall be terminated, and the affected transactions resolved or reversed out,” it said.
Further, the PSO should ensure that an online session on mobile application is automatically terminated after a fixed period of inactivity and customers are prompted to re-login.
“The PSO shall put in place a control mechanism, to identify any presence of remote access applications (to the extent possible) and prohibit access to the mobile payment application while the remote access is live,” the directions said. RBI further said the card networks should facilitate implementation of transaction limits at card, bank identification number (BIN) as well as at card issuer level.
“Such limits shall mandatorily be set at the card network switch itself,” it said. Also, the card networks should institute an alert mechanism on a 24x7 basis, to be triggered to the card issuer in case of any suspicious incident. RBI also said card networks will have to ensure that card details of the customers are stored in an encrypted form at any of their server locations.
The central bank has also encouraged Prepaid Payment Instruments issuers to communicate OTP and transaction alerts with users in a language of their choice, including vernacular languages.
RBI said the PSO should put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information in respect of data available with it or at vendor managed facilities.
They will also have to develop a business continuity plan based on different cyber threat scenarios, including extreme but plausible events to which it may be exposed.
According to the directions, while sending SMS or e-mail alert to customers, either by PSO or payment system participants, it has to be ensured that bank account number, card number, or other confidential information are redacted/masked to the extent possible.
“The PSO shall provide a facility on its mobile application / website that would enable customers, with necessary authentication, to identify / mark a fraudulent transaction for seamless and immediate notification to the issuer of payment instrument,” it said.
Moreover, the RBI also issued a Master Direction on the Treatment of Wilful Defaulters and Large Defaulters under which banks and NBFCs will have to examine the ‘wilful default’ aspect in all non-performing asset accounts with outstanding amounts of Rs 25 lakh and above.
A lender will identify and classify a person as a ‘wilful defaulter’ by following a specified procedure. The evidence of wilful default will be examined by an identification committee, according to the direction.
‘Wilful defaulter’ means a borrower or a guarantor who has committed wilful default, and the outstanding amount is Rs 25 lakh and above. “The lender shall examine the ‘wilful default’ aspect in all NPA accounts with an outstanding amount of Rs 25 lakh and above...from time to time,” it said.
If a wilful default is observed in the internal preliminary screening, the lenders will complete the process of classification/declaring the borrower as a wilful defaulter within six months of the account being classified as NPA.
The Master Direction further said the lenders should formulate a non-discriminatory board-approved policy that clearly sets out the criteria based on which the photographs of persons classified and declared as wilful defaulters shall be published.