Aug 06, 2024

Key Regulatory Developments: July 2024

The major regulatory initiatives of the Reserve Bank of India, and the development regarding know-your-customer norms, introduced in July 2024 are discussed below.

Draft Framework on Alternative Authentication for Digital Payments

The Reserve Bank of India (RBI) issued the ‘Framework on Alternative Authentication Mechanisms for Digital Payment Transactions’ in draft form (Framework) on July 31, 2024. The RBI has invited comments on the draft Framework up to September 15, 2024. The Framework has been issued in the context of the Additional Factor of Authentication (AFA) requirement applicable to electronic payments, with the objective of reducing dependence on SMS-based OTP as the AFA.

Under the Framework, the RBI has laid down principles of authentication (Authentication Principles) that payment system providers and payment system participants must follow in respect of digital / electronic payments. The Framework reaffirms that all digital payments must mandatorily be authenticated through an AFA that is dynamically created after initiation of the payment, is specific to the transaction and cannot be re-used. Issuers will need to obtain explicit consent before enabling a new factor of authentication.

The transactions exempted from the Framework are: (a) small value card-present transactions of up to INR 5,000 per transaction, (b) e-mandates for recurring transactions of up to INR 15,000, or INR 1,00,000 in certain specific cases, (c) prepaid payment instruments (PPIs) for mass transit services and gift PPIs, (d) National Electronic Toll Collection (NETC) transactions, and (e) offline payment transactions of up to INR 500.

The issuer of the instrument, i.e., the bank or non-bank with which the deposit account, credit line or PPI account is maintained, needs to adopt a risk-based approach while deciding the appropriate AFA, based on the risk profile of the customer and/or beneficiary, the transaction value and the channel of origination. The Framework also mandates issuers to provide transaction alerts to customers for digital payments.
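The Authentication Principles above can be checked mechanically on the issuer side: the factor must not exist before the payment is initiated, must be bound to the specific transaction (so it cannot be redirected to a different payee or amount), and must be rejected on any second use. The following is an added illustration written for this summary, not code from the RBI, the Framework or any issuer; the class and method names (`AfaService`, `issue`, `verify`), the HMAC-based code derivation, the 180-second validity and the three-attempt limit are assumptions chosen for the example, and the transactions in the tests are constructed samples.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    payer: str
    payee: str
    amount_inr: int

    def fingerprint(self) -> bytes:
        # Every field the factor is bound to; if any of them changes after the
        # factor is issued, the factor no longer authorises the payment.
        return f"{self.txn_id}|{self.payer}|{self.payee}|{self.amount_inr}".encode()


@dataclass
class PendingFactor:
    fingerprint: bytes
    code: str
    expires_at: float
    attempts_left: int


class AfaService:
    """Hypothetical issuer-side service.  The factor it issues is created only
    after the transaction is initiated, is specific to that transaction and can
    be used exactly once.  Delivery to the customer (SMS, app notification,
    etc.) is assumed to happen outside this class."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 180, max_attempts: int = 3):
        self._key = server_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending: Dict[str, PendingFactor] = {}   # txn_id -> factor awaiting use
        self._consumed: Set[str] = set()               # txn_ids whose factor was already used

    def issue(self, txn: Transaction, now: Optional[float] = None) -> str:
        """Create the factor for an already-initiated transaction (principle 1)."""
        now = time.time() if now is None else now
        if txn.txn_id in self._consumed:
            raise ValueError("a factor was already used for this transaction")
        nonce = secrets.token_bytes(16)  # fresh per issuance, so a code is never repeated
        digest = hmac.new(self._key, txn.fingerprint() + nonce, hashlib.sha256).digest()
        code = f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"
        self._pending[txn.txn_id] = PendingFactor(txn.fingerprint(), code, now + self._ttl, self._max_attempts)
        return code

    def verify(self, txn: Transaction, presented: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept the factor only for the unchanged transaction, once, before expiry."""
        now = time.time() if now is None else now
        if txn.txn_id in self._consumed:
            return False, "replay: factor already consumed"          # principle 3
        entry = self._pending.get(txn.txn_id)
        if entry is None:
            return False, "no factor issued for this transaction"
        if now > entry.expires_at:
            del self._pending[txn.txn_id]
            return False, "factor expired"
        if not hmac.compare_digest(entry.fingerprint, txn.fingerprint()):
            del self._pending[txn.txn_id]
            return False, "transaction details changed after issuance"   # principle 2
        if not hmac.compare_digest(entry.code.encode(), presented.encode()):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self._pending[txn.txn_id]
                return False, "factor invalidated after repeated failures"
            return False, "wrong code"
        del self._pending[txn.txn_id]
        self._consumed.add(txn.txn_id)
        return True, "authenticated"


if __name__ == "__main__":
    svc = AfaService(server_key=secrets.token_bytes(32))
    txn = Transaction("TXN-0001", "payer@examplebank", "merchant@examplebank", 2500)  # constructed sample
    code = svc.issue(txn)
    print(svc.verify(txn, code))   # (True, 'authenticated')
    print(svc.verify(txn, code))   # (False, 'replay: factor already consumed')
```

The fingerprint comparison is what makes the factor transaction-specific: a code obtained for one payee and amount is useless if either is altered before verification. Consumed transaction ids are kept separately from pending ones so that a replay is distinguishable from a never-issued factor in audit logs.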

Cyber Resilience and Digital Payment Security Controls for PSOs

The RBI issued ‘Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank Payment System Operators’ on July 30, 2024 (Directions), to prescribe a robust governance mechanism for the identification, assessment, monitoring and management of information systems and cyber security risks by non-bank payment system operators (PSOs).

The Directions will be applicable to PSOs and are proposed to be implemented in a phased manner, commencing April 01, 2025 and going on until April 01, 2028, depending on the categorisation of the PSO, which is based on the nature of the payment system activity it undertakes. For example, NPCI, card payment networks, large PPI issuers, Bharat Bill Payment Operating Units (BBPOUs) and Payment Aggregators (PAs) will be categorised as large PSOs and need to comply with the Directions from April 01, 2025, whereas small PPI issuers and instant money transfer operators will be categorised as small PSOs and need to comply with the Directions from April 01, 2028.

The key requirements introduced by the Directions are:

  1. The Board of the PSO is responsible for ensuring adequate oversight over information security risks, including cyber risk and cyber resilience. The Board is permitted to delegate the primary oversight to a sub-committee.
  2. PSOs must have a Board-approved Cyber Crisis Management Plan to detect, contain, respond to and recover from cyber threats. PSOs are required to establish policies, procedures and controls for access privileges, to protect access to information assets.
  3. PSOs need to put in place network security measures to protect their networks and systems from external threats, and document a policy to identify and implement patches to technology and software assets.
  4. PSOs must follow a ‘secure by design’ approach, ensure that all their applications are subject to rigorous security testing, and have a comprehensive data leak prevention policy for the confidentiality, integrity, availability and protection of business and customer information. PSOs need to comply with the extant guidelines on outsourcing of services.
  5. PSOs must safeguard their applications from the risks of insecure APIs.
  6. If a PSO is providing cloud services, it will need to implement a cloud operation policy.
  7. PSOs must have a Board-approved incident response mechanism, including notification to relevant stakeholders.
  8. PSOs must provide online alerts for digital payments based on parameters like failed transactions, transaction velocity, biometrics, etc., after redaction of confidential information.
  9. In respect of security practices and risk mitigation measures for mobile payment services, PSOs must take steps such as: (a) automatically terminating online sessions after a period of inactivity, (b) blocking access after a certain number of failed attempts, and (c) providing a cooling period after a change in the registered mobile number or email address.
  10. PSOs issuing PPIs must communicate OTPs and transaction alerts in the customer’s preferred language and implement suitable cooling periods for fund transfers.
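The mobile-payment controls in item 9 (idle-session termination, lockout after repeated failed attempts, cooling period after a contact-detail change) together with the velocity-based alerting in item 8 are easiest to reason about as one small policy engine. The code below is an added example for this summary, not code from the RBI Directions or any PSO; every name (`Policy`, `MobilePaymentControls`, `authorise_transfer`, `record_payment`) and every threshold (300-second idle timeout, 5 failed logins, 15-minute lockout, 24-hour cooling period, 5 payments per 60 seconds) is an assumption chosen for illustration, and the user identifiers are constructed samples.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Policy:
    idle_timeout_s: int = 300            # (a) terminate a session idle for longer than this
    max_failed_logins: int = 5           # (b) block access after this many consecutive failures
    lockout_s: int = 900                 #     and keep it blocked for this long
    cooling_period_s: int = 24 * 3600    # (c) no fund transfers for this long after a contact change
    velocity_limit: int = 5              # alert when more than this many payments ...
    velocity_window_s: int = 60          # ... fall inside this window


@dataclass
class Account:
    failed_logins: int = 0
    blocked_until: float = 0.0
    contact_changed_at: Optional[float] = None
    recent_payments: Deque[float] = field(default_factory=deque)


@dataclass
class Session:
    user: str
    last_activity: float
    active: bool = True


def redact(user: str) -> str:
    """Keep only the last two characters of an identifier for alert text."""
    return "*" * max(len(user) - 2, 0) + user[-2:]


class MobilePaymentControls:
    """Hypothetical in-memory policy engine; a real deployment would persist the
    state and take the clock from the server rather than from a parameter."""

    def __init__(self, policy: Optional[Policy] = None):
        self.policy = policy or Policy()
        self._accounts: Dict[str, Account] = {}

    def login(self, user: str, credentials_ok: bool, now: Optional[float] = None) -> Tuple[Optional[Session], str]:
        now = time.time() if now is None else now
        acct = self._accounts.setdefault(user, Account())
        if now < acct.blocked_until:
            return None, "access blocked until lockout expires"   # refused even with correct credentials
        if not credentials_ok:
            acct.failed_logins += 1
            if acct.failed_logins >= self.policy.max_failed_logins:
                acct.blocked_until = now + self.policy.lockout_s
                acct.failed_logins = 0
                return None, f"access blocked after {self.policy.max_failed_logins} failed attempts"
            return None, "invalid credentials"
        acct.failed_logins = 0
        return Session(user=user, last_activity=now), "ok"

    def touch(self, session: Session, now: Optional[float] = None) -> bool:
        """Record activity; terminate the session if it sat idle too long."""
        now = time.time() if now is None else now
        if not session.active:
            return False
        if now - session.last_activity > self.policy.idle_timeout_s:
            session.active = False
            return False
        session.last_activity = now
        return True

    def change_contact(self, user: str, now: Optional[float] = None) -> None:
        """Registered mobile number or e-mail changed: start the cooling period."""
        now = time.time() if now is None else now
        self._accounts.setdefault(user, Account()).contact_changed_at = now

    def authorise_transfer(self, session: Session, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if not self.touch(session, now):
            return False, "session terminated"
        acct = self._accounts[session.user]
        if acct.contact_changed_at is not None and now - acct.contact_changed_at < self.policy.cooling_period_s:
            return False, "fund transfers disabled during cooling period after contact change"
        return True, "ok"

    def record_payment(self, user: str, now: Optional[float] = None) -> List[str]:
        """Return alert lines (user id redacted) when the velocity limit is exceeded."""
        now = time.time() if now is None else now
        q = self._accounts.setdefault(user, Account()).recent_payments
        q.append(now)
        while q and now - q[0] > self.policy.velocity_window_s:
            q.popleft()
        if len(q) > self.policy.velocity_limit:
            return [f"velocity alert: {len(q)} payments within {self.policy.velocity_window_s}s for user {redact(user)}"]
        return []


if __name__ == "__main__":
    ctl = MobilePaymentControls(Policy(max_failed_logins=3))
    for _ in range(3):
        print(ctl.login("customer-01", credentials_ok=False))   # constructed sample user
    print(ctl.login("customer-01", credentials_ok=True))        # still blocked
```

Each check returns a reason string rather than raising, so the same result can drive both the customer-facing message and the alert feed; the redaction helper is what keeps the confidential identifier out of that feed.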

Amendments to the KYC Framework

The Ministry of Finance, Government of India notified the ‘Prevention of Money Laundering (Maintenance of Records) Amendment Rules, 2024’ on July 19, 2024 (Amendment), to amend certain provisions pertaining to know-your-customer (KYC) norms. The Amendment appears to have been issued with the objective of promoting the use of the Central KYC Records Registry through a unique number or code assigned to a customer (KYC Identifier) for KYC purposes.

Pursuant to the Amendment, reporting entities (REs) are now mandatorily required to obtain the KYC Identifier from customers / clients, or retrieve it from the Central KYC Records Registry, and then proceed with the KYC records available online under that KYC Identifier for conducting due diligence and verifying the customer’s identity. This is a deviation from the earlier mechanism, under which the customer had the choice whether to provide the KYC Identifier.

Customers will, however, be required to submit KYC records or additional information in the following scenarios: (a) there is a change in the available information, (b) the KYC records are incomplete, (c) the validity period of a document has lapsed, or (d) the RE considers it necessary to verify the customer’s identity, perform enhanced due diligence or build an appropriate risk profile. In such cases, REs must furnish the updated information to the Central KYC Records Registry within 7 days, to be recorded against the client’s existing records.

RBI issues draft directions regarding Aadhaar Enabled Payment System

In order to protect bank customers from frauds perpetrated through the Aadhaar Enabled Payment System (AePS) by way of identity theft or compromise of customer credentials, the RBI has issued draft directions on ‘Due Diligence of AePS Touchpoint Operators’ (AePS Directions). The RBI has invited comments on the draft AePS Directions up to August 31, 2024.

For the functioning of the AePS facility, acquiring banks onboard agents to operate AePS touchpoints and terminals that facilitate AePS transactions using Aadhaar-based biometric / OTP authentication. The AePS Directions mandate that the acquiring bank must undertake due diligence of agents / operators proposing to operate AePS terminals in accordance with the Master Direction – Know Your Customer Direction, 2016. An AePS touchpoint operator may be onboarded by only one acquiring bank. The acquiring bank is required to monitor the activities of AePS touchpoint operators, including the AePS transactions performed, and to set operational conditions (like limits) based on the location of operation and risk profile.

Directions for Management of Fraud Risk by NBFCs

The RBI issued ‘Master Directions on Fraud Risk Management in Non-Banking Financial Companies’ on July 15, 2024 (Directions), with the aim of preventing fraudulent activities and improving the mechanisms for detection and reporting of frauds by Non-Banking Financial Companies (NBFCs). The key takeaways of the Directions are:

  1. Applicability: The Directions apply to all NBFCs in the upper layer and middle layer, and to those in the base layer with an asset size of at least INR 500 crore.
  2. Board-approved Policy: Each NBFC must formulate a board-approved policy for fraud risk management to deal with fraudulent activities. A transparent mechanism must also be developed to deal with whistleblower complaints. The policy must provide for the governance framework for fraud risk management, which must involve the issuance of show-cause notices.
  3. Special Committee: The board of an NBFC is required to constitute a special committee, comprising the CEO and 2 independent directors, to oversee the effectiveness of fraud risk management. This committee will be responsible for monitoring fraud cases (including root cause analysis) and suggesting mitigating measures to strengthen internal controls and minimise the incidence of fraud.
  4. Framework for Early Warning Signals: Upper layer and middle layer NBFCs need to implement a framework for early warning signals (EWS) comprising quantitative and qualitative indicators to monitor credit facilities or loan accounts and other financial and non-credit transactions. NBFCs must implement a robust and resilient design for the EWS system to ensure that the system’s integrity is maintained, that the personal and financial data of customers is secure, and that transactions are monitored in real time for the prevention or detection of potential frauds.
  5. Auditors: NBFCs must engage external and internal auditors for investigations into suspected fraudulent activities. Further, the Directions prescribe conditions and clauses that need to be implemented for the engagement of internal or external auditors, depending on the NBFC’s policy.
  6. Audit of Securities: NBFCs must undertake a legal audit and verification of title deeds and other documents in respect of credit facilities exceeding INR 1 crore, on a periodic basis until repayment.
  7. Reporting: NBFCs are required to report fraud incidents to law enforcement agencies and the RBI, and instances of theft, burglary, dacoity and robbery to the RBI.
  8. Penal Measures: Any person or entity classified or reported as a fraud will be debarred from seeking credit facilities from RBI-regulated financial entities for a period of 5 years.

Enablement of UPI Mandate Feature of Single Block Multiple Debits

The National Payments Council of India (NPCI) permitted customers to enable the UPI mandate feature for Single Block Multiple Debits through its circular dated July 31, 2024 (Circular). The Circular will enable customers to pre-authorise transactions by blocking funds for use across multiple debits until the blocked amount is exhausted, the mandate is revoked, or the mandate expires. Customers must be provided with all communications regarding their mandates. This feature needs to be enabled by November 30, 2024.

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.