For mobile wallet entities, the new set of guidelines from the government under the draft Information Technology (Security of Prepaid Payment Instruments) Rules, 2017, issued for public consultation, means yet another body they'd have to consult before conducting any business.
Till now, they say, they only had to adhere to Reserve Bank of India guidelines. "It means more going to two bodies for checks and balances; more paperwork for us. What they should do is to form a separate body altogether, handling all sorts of guidelines around online payments," said a senior executive of a mobile wallet entity. The new draft rules, he added, should cover all payment methods and not only wallets.
"We already have solid cyber security measures in place and treat the data of our users with utmost care. If the government asks us to put additional measures which might be unnecessary, our costs might increase," said another.
"We are already implementing many of these suggestions and our 55 million users and 1.5 million merchants are already benefiting from our robust security systems, which are PCI-DSS and ISO 27001 certified. Our fraud detection team carries out risk assessment on a regular basis, which ensures our grievance redressal tickets are closed within 30 minutes of raising it," said Bipin Preet Singh, founder and chief executive, MobiKwik.
According to the new draft rules, each Prepaid Payment Instruments (PPI) company (mainly wallet firms) will have a privacy policy posted on its website. It will also have to appoint a chief grievance officer, with contact details displayed on the site.
This officer will have to act upon any complaint within 36 hours and close it in a month. The draft also mandates that companies have enough safeguards in place to avoid any hacking attacks and, if one does occur, report it swiftly to the government agencies.
"Every e-PPI issuer shall have in place and publish on its website and mobile applications the privacy policy and the terms and conditions for use of the payment systems operated by it in simple language, capable of being understood by a reasonable person," it said in the draft.
Also, every e-PPI issuer shall carry out risk assessment to identify and assess the risks associated with the security of the payment systems operated by it. "An e-PPI issuer shall review the security measures at least once a year, and after any major security incident or breach or before a major change to its infrastructure or procedures. Issuer shall implement security measures in accordance with the information security policy to mitigate the identified risks," it said.
What e-wallet firms have to disclose
- Information collected directly from the customer and information collected otherwise
- Uses of the information
- Period of retention of information
- Purposes for which information can be disclosed and the recipients
- Sharing of information with law enforcement agencies
- Security practices and procedures
- Name and contact details of the Grievance Redressal Officer along with mechanism for grievance redressal
- Any other details as may be specified by the Centre for this purpose