RBI issues final directions on cybersecurity controls for non-bank PSOs

RBI has given different timelines to these entities, depending on their size, to set up compliance structures

Small PPI issuers and instant money transfer operators are required to comply with the guidelines by April 2028. (Photo: Reuters)
Ajinkya Kawale, Mumbai
Last Updated: Jul 30 2024 | 8:25 PM IST


The Reserve Bank of India (RBI) on Tuesday issued final guidelines on cyber resilience and digital payment security controls for non-bank payment system operators (PSOs), mandating different timelines for these entities, based on their size, to set up the necessary compliance structures. The directions come into effect on July 30.

Large non-bank PSOs such as Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), Bharat Bill Payment Operating Units (BBPOUs), and Payment Aggregators (PAs), among others, need to abide by the directions by April 2025.

Medium non-bank PSOs such as cross-border (in-bound) money transfer operators under the Money Transfer Service Scheme (MTSS) and medium prepaid payment instrument (PPI) issuers have time until April 2026.

Small PPI issuers and instant money transfer operators are required to comply with the guidelines by April 2028.

According to the guidelines, entities are required to report incidents such as cyber-attacks, outages of critical systems, internal frauds and settlement delays, among others, to the RBI within six hours of detection. Cyber security incidents are also required to be reported to CERT-In.

Additionally, the Board of Directors of the PSO would be responsible for ensuring adequate oversight of information security risks, including cyber risk and resilience. Such entities would also be required to prepare a board-approved cyber crisis management plan (CCMP) to detect, contain, respond to, and recover from cyber threats and attacks.

PSOs would be required to conduct a cyber-risk assessment exercise before launching new products or services, or when making changes to the existing systems infrastructure on their platform.

Non-bank PSOs would be required to conduct periodic training programmes on information security for employees and vendors.

Entities that subscribe to cloud services would be required to put in place a cloud operation policy.

The directions also require PSOs to set up a real-time or near-real-time fraud monitoring solution that identifies suspicious transaction behaviour and generates alerts.
First Published: Jul 30 2024 | 8:25 PM IST