Image Source: AGENCIES

RBI tightens supervision norms for payment companies amid rising cyber-security breaches

31-03-2021

As instances of cyber-security breaches at Indian tech startups over the last few months is on the rise, the Reserve Bank of India has tightened its supervision norms over payment companies storing customer data. From April 1, all licensed payment system operators (PSOs) will have to submit detailed “compliance certificates” to the central bank twice a year, signed by their CEOs or managing directors, confirming adherence to all RBI regulations around security and storage of payment data. The publication, which reviewed a copy of the letter issued by the central bank’s Department of Payment and Settlement Systems (DPSS) on Friday to all PSOs, mentioned that RBI has asked these certificates be submitted on April 30 and October 31 for the period ending March 31 and September 30, respectively, every year. Worth mentioning here is that these requirements are over and above the ones mandated by RBI in April 2018 when it asked all PSOs to submit board-approved annual System Audit Report (SAR) by CERT-empanelled auditors. The payment companies were then asked to submit a one-time compliance report with data localisation norms which mandate the data relating to payments in India will be stored in a server physically present in the country, by December of 2018. "In addition to these requirements, it is hereby advised that a compliance certificate duly signed by the CEO/MD/chairman, shall be submitted on an ongoing basis at half-yearly basis…" the letter issued by the central bank said. Worth mentioning here is that several payment and tech startups have in the recent past suffered data breaches. Gurugram-based Mobikwik in January joined a list of high-profile targets that have been allegedly afflicted by cyber breaches. Other companies that have recently been affected are grocery e-tailer Big Basket, educational technology platform Unacademy and payment aggregator JusPay.