RBI Issues New Cyber Security Guidelines for Non-Bank Payment Providers

The Reserve Bank of India (RBI) has introduced new guidelines aimed at bolstering the cyber resilience of non-bank payment system operators (PSOs). Announced on Tuesday, the master circular addresses the need for enhanced digital payment security controls and establishes a compliance framework with varying deadlines for different categories of PSOs.

Large non-bank PSOs, including major entities like Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), Bharat Bill Payment Operating Units (BBPOUs), and Payment Aggregators (PAs), must meet the new requirements by April 1, 2025. This category also encompasses Non-bank ATM Networks, White Label ATM Operators (WLAOs), Large PPI Issuers, and Trade Receivables Discounting System (TReDS).

Medium-sized PSOs, such as Cross-border Money Transfer Operators and Medium PPI Issuers, are required to comply by April 1, 2026. Smaller entities, including Small PPI Issuers and Instant Money Transfer Operators, have until April 1, 2027, to adhere to the guidelines.

The new rules mandate that non-bank PSOs report any unusual incidents, including cyber-attacks, critical system outages, internal fraud, and settlement delays, to the RBI and CERT-In. They must also implement robust data leak prevention measures and maintain a real-time fraud monitoring system to detect and respond to suspicious transactions.

Additionally, PSOs are required to operate a 24/7 support facility to address unauthorized transactions and coordinate with law enforcement agencies promptly.
