The world is rapidly advancing towards better technology, and the goal of a cashless economy is being pursued through the introduction of multiple Digital Payment Systems.
The previous article on Digital Payment Systems in India discussed their concept, the regulatory framework and how they have become the stepping stone for the revolution of financial systems in India.
While the advantages of a growing digitized economy are innumerable, the threats that come with it are a major concern for every nation. Data stored electronically is at constant risk of being exposed to hackers. Secure, encrypted and well-functioning Digital Payment Systems are the need of the hour to maintain people’s trust in cashless transactions and protect them from any form of irrecoverable loss. This is particularly so in India, where the growth rate of the cashless mode of economy is lower than in other countries owing to the scepticism of citizens in the face of rampant cyber frauds and outages.
In light of this pressing issue, the Reserve Bank of India (‘RBI’) recently issued the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 (‘the Directions’), which seek to make payment gateways more secure by mandating the set-up of a robust governance structure and the adoption of basic security control standards.
This article shall elaborate upon the digital payment security controls brought in force by RBI to provide a robust governance structure and implement minimum standards of security controls.
NEED FOR DIGITAL PAYMENT SECURITY CONTROLS
The digital payments industry is growing fast, which often places a burden on the players to keep up with recent technology in order to provide user-friendly tools to their customers. However, the concerned entities did not pay much heed to this. Many prominent banks witnessed system outages last year. These outages happened because of a lack of integration between the existing legacy systems and the newly deployed applications and systems.
Concerned about the security of digital payments in light of these incidents, the RBI took stern action against HDFC Bank after observing consistent outages of its systems, barring HDFC Bank from issuing new credit cards and introducing new digital products from 02.12.2020. This ban was lifted on 17.08.2021.
Taking into consideration the need to maintain financial stability and protect citizens’ interests, the RBI has consistently emphasized that it is the duty of banks and NBFCs to take governance, risk management and internal controls seriously. The Payment and Settlement Systems Act, 2007 has also been criticized for not being up to date with respect to digital payments and their security control mechanisms.
In light of these concerns, the need arose for a proper framework regulating the security control measures of Digital Payment Systems. Thus, the RBI issued the Directions to guide payment system operators towards a more secure and regulated payment system.
These Directions provide necessary guidelines for the regulated entities to set up a robust governance structure and implement common minimum standards of security controls for digital payment products and services.
APPLICABILITY OF THE DIRECTIONS
The Directions are made applicable to the following Regulated Entities (‘REs’) concerned with Digital Payment Systems:
- Scheduled Commercial Banks (Regional Rural Banks are excluded)
- Small Finance Banks
- Payment Banks
- Credit Card issuing Non-Banking Financial Companies
The Directions came into effect on 18.08.2021, i.e., six months from 18.02.2021, the date of their issuance. However, the Directions apply with immediate effect, or as per the prescribed timelines, in respect of instructions already issued by the Department of Payment and Settlement Systems, the Department of Regulation or the Department of Supervision of the RBI, including those issued to select REs by way of circular or advisory.
SECURITY CONTROL MECHANISMS STIPULATED BY THE DIRECTIONS
1. General Controls
- Policy for Digital Payment Products
The first mandate under the Directions is for the REs to formulate a policy for their digital payment products and services which elaborates upon the payment security aspects from a Functionality, Security and Performance (FSP) perspective.
The policy should include controls to keep customer data confidential, capacity building to keep up with the growth in users, efficient transaction processing, minimal disruption to customer service, and a proper review mechanism for corrective action.
Such a policy is to be reviewed at least once in a financial year. The REs can adopt a uniform policy for all products and services, or adopt different policies based on the distinct features and requirements of each digital payment product or service.
The policy document should require that every digital payment product or service offered addresses the payment mechanism, a clear definition of the starting point, the critical intermediate stages and the end point in the digital payment cycle, the security aspects, the validations required until the digital payment is settled, a clear pictorial representation of the digital path, and exception handling.
- Risk Assessment
REs are required to follow a well-functioning governance and risk management programme that can identify, analyse, monitor and manage risks such as compliance risk and fraud risk. It is the duty of the Board or the Senior Management of the RE to keep a regular check, with the help of monitoring systems, to ensure that the digital payment product or service is in line with the operational and security norms.
REs should define product-level limits on the level of security risk that is acceptable. Where a third-party service provider is involved, proper controls shall be adopted to monitor its activities in accordance with the guidelines on outsourcing issued by the RBI.
REs are required to conduct regular risk assessments with regard to the safety and security of digital payment products. Sound internal control systems are to be developed by REs taking into account the operational risk of such products/services.
- Robust Capacity Management Plan
REs shall ensure that the digital payment architecture is robust and scalable, commensurate with the transaction volumes and customer growth. The IT strategy of the RE shall ensure that a robust capacity management plan is in place to meet evolving demand.
Necessary capacity, systems and procedures should be in place to periodically test the backed-up data and applications pertaining to digital products, to ensure recovery without loss of transactions or audit trails. These facilities are to be tested at least on a half-yearly basis for digital payment products and services.
- Storage of Sensitive Information
An appropriate level of encryption and security is to be implemented across the digital payment ecosystem. Web applications providing digital payment products and services should not store sensitive information in HTML hidden fields, cookies or any other client-side storage, so as to avoid compromising the integrity of the data. REs shall implement a Web Application Firewall (WAF) solution and Distributed Denial-of-Service (DDoS) mitigation techniques to secure the digital payment products and services offered over the internet.
- Application Security Life Cycle
The Directions stipulate that a multi-tier application architecture, segregating the application, database and presentation layers, shall be implemented for digital payment products and services. The REs must follow a ‘secure by design’ approach while developing digital payment products and services.
In the case of third-party licensed digital payment applications, the REs should have an Escrow Arrangement for the source code, so as to ensure continuity of services even if the third party fails to provide them. In the absence of such an arrangement, the REs are expected to obtain a certificate from the application developer guaranteeing that the application is free of any vulnerabilities.
REs shall refer to standards such as the OWASP Mobile Application Security Verification Standard (MASVS), the OWASP Application Security Verification Standard (ASVS) and other relevant OWASP standards, the security and data protection guidelines in ISO 12812-1:2017 – Mobile Financial Services, and the threat catalogues and guides developed by the National Institute of Standards and Technology, for application security and other protective measures.
- Multi-factor Authentication
To minimize the possibility of a cyber-attack, multi-factor authentication must be in operation except where explicitly bypassed or relaxed. Authentication methodologies such as One-Time Passwords, biometric tokens and EMV chip cards should generally be dynamic or non-replicable.
Multi-factor authentication would ensure the confidentiality of payment data and thus retain trust in digital payments by protecting against all kinds of cyber-attacks. A maximum number of failed log-in or authentication attempts should be prescribed, after which access must be blocked.
- Fraud Risk Management
The Directions prescribe the regular conduct of fraud analysis to identify the reasons behind any fraudulent activity that occurs. Proper training must be given to staff regarding fraud controls and their usage, investigation techniques, fraud prevention techniques, etc. To ensure efficient incident response, a list of contact details of service providers, intermediaries, external agencies and other REs must be maintained.
- Grievance Redressal
According to the Directions, usage guidelines and training materials for end users must be provided. The application shall include a reporting facility for registering grievances. Along with redressal, REs must also spread awareness about the types of threats and possible attacks against consumers using digital payment products, and the precautionary measures to be adopted by end users.
2. Internet Banking Security Controls
In addition to the General Controls, the Directions stipulate that for Internet Banking, REs must ensure that, based on the RE’s vulnerability assessment of authentication-related attacks such as brute-force and Denial of Service (DoS) attacks, additional levels of authentication for the internet banking website, such as adaptive authentication and strong CAPTCHA with server-side validation, are in force. REs must ensure that the delivery of the one-time password used for login is secure and encrypted. To ensure security, such a password shall be valid for a limited time only.
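The two controls above that are easiest to get wrong in code are the prescribed maximum number of failed authentication attempts (under Multi-factor Authentication) and the limited validity of the login one-time password (under Internet Banking Security Controls). The following is an added example written for this article, not code from the RBI or from any RE: a small server-side authentication service that locks an account after a fixed number of failures across both factors and rejects OTPs once their validity window has passed. The numbers (5 attempts, 120 seconds), the `DEMO_SALT`, the user names and the `FakeClock` are assumptions constructed for the demonstration; the Directions leave the actual values to the RE.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values are assumptions for this example: the Directions require a
# prescribed maximum and a limited OTP validity but leave the numbers to the RE.
MAX_FAILED_ATTEMPTS = 5
OTP_VALIDITY_SECONDS = 120

# Constructed salt for the demo; a real system stores a random salt per user.
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Slow salted hash (PBKDF2-SHA256) so stored credentials are not recoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    otp: Optional[str] = None
    otp_expires_at: float = 0.0


class AuthService:
    """First factor: password check with lockout. Second factor: time-limited OTP."""

    def __init__(self, password_hashes: Dict[str, bytes],
                 now: Callable[[], float] = time.time) -> None:
        self._hashes = password_hashes          # user -> stored hash (constructed data)
        self._now = now
        self._state: Dict[str, AccountState] = {}

    def _state_for(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def _record_failure(self, st: AccountState) -> str:
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked = True        # stays blocked until an out-of-band unlock, not modelled here
            return "locked"
        return "denied"

    def verify_password(self, user: str, password: str) -> str:
        st = self._state_for(user)
        if st.locked:
            return "locked"
        expected = self._hashes.get(user)
        candidate = hash_password(password)     # hash even for unknown users: uniform timing
        if expected is not None and hmac.compare_digest(expected, candidate):
            st.failed_attempts = 0
            return "ok"
        return self._record_failure(st)

    def issue_otp(self, user: str) -> str:
        """Generate a fresh 6-digit OTP valid for OTP_VALIDITY_SECONDS.
        Delivery to the user must use a secure channel; the code is never logged."""
        st = self._state_for(user)
        st.otp = f"{secrets.randbelow(10**6):06d}"
        st.otp_expires_at = self._now() + OTP_VALIDITY_SECONDS
        return st.otp

    def verify_otp(self, user: str, code: str) -> str:
        st = self._state_for(user)
        if st.locked:
            return "locked"
        if st.otp is None:
            return "no_otp"
        if self._now() > st.otp_expires_at:
            st.otp = None                       # expired codes are discarded, never retried
            return "expired"
        if hmac.compare_digest(st.otp, code):
            st.otp = None                       # single use
            st.failed_attempts = 0
            return "ok"
        return self._record_failure(st)         # wrong OTPs count toward the lockout too


class FakeClock:
    """Injectable clock so OTP expiry can be exercised without sleeping."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = AuthService({"alice": hash_password("correct horse battery")}, now=clock)
    print([svc.verify_password("alice", "wrong") for _ in range(5)])  # 4 x denied, then locked
    print(svc.verify_password("alice", "correct horse battery"))      # still locked
    code = svc.issue_otp("bob")
    clock.t += OTP_VALIDITY_SECONDS + 1
    print(svc.verify_otp("bob", code))                                # expired
```

The design points worth noting: the failure counter is shared by both factors, so an attacker cannot get unlimited OTP guesses after one correct password; comparisons use `hmac.compare_digest` to avoid timing leaks; and an expired or consumed OTP is deleted rather than left for retry, which is what makes the "limited time" requirement enforceable on the server.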
3. Mobile Payment Application Security Controls
With respect to Mobile Payment Applications, the security control mechanism should allow the REs to verify the mobile application version before transactions are allowed. The security and compatibility status of the device should be checked to ensure that account-related activities are carried out through a safe and secure route.
Re-authentication should be required each time the application is launched and whenever it has remained unused beyond the prescribed time limit. It should be ensured that the mobile application does not store sensitive consumer authentication information such as IDs, passwords, keys, etc.
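The three mobile controls described above (minimum application version, re-authentication on launch and after an idle period, and no credentials held on the device) can be enforced by a single server-side session policy. The following is an added example written for this article, not code from the RBI or from any RE or application vendor: the server issues an opaque random token, which is the only thing the app stores, and refuses requests until the user re-authenticates whenever the token is stale or the app has been relaunched. The version threshold (3.2.0), the idle limit (300 seconds) and the `FakeClock` are assumptions constructed for the demonstration.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed policy values: the Directions require a version check and an idle
# time limit but do not fix the numbers; the RE sets them.
MIN_SUPPORTED_VERSION = (3, 2, 0)
IDLE_TIMEOUT_SECONDS = 300


def version_supported(version: str) -> bool:
    """Reject clients older than the minimum release; malformed strings fail closed."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    parts = (parts + (0, 0, 0))[:3]         # treat "3.2" as "3.2.0"
    return parts >= MIN_SUPPORTED_VERSION


class MobileSessionPolicy:
    """Server-side session state. The device keeps only the opaque token returned
    by start_session; no ID, password or key is ever handed to the app."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._last_activity: Dict[str, float] = {}   # token -> last request time

    def start_session(self, app_version: str, credentials_verified: bool) -> Optional[str]:
        """Called after the user has re-authenticated on launch. Returns a token or None."""
        if not version_supported(app_version) or not credentials_verified:
            return None
        token = secrets.token_urlsafe(32)              # unguessable, unrelated to credentials
        self._last_activity[token] = self._now()
        return token

    def on_launch(self, token: Optional[str]) -> str:
        """Every launch invalidates whatever token the app still holds."""
        if token is not None:
            self._last_activity.pop(token, None)
        return "reauth_required"

    def authorize(self, token: Optional[str]) -> str:
        """Gate each account-related request; idle sessions must re-authenticate."""
        last = self._last_activity.get(token) if token else None
        if last is None:
            return "reauth_required"
        if self._now() - last > IDLE_TIMEOUT_SECONDS:
            del self._last_activity[token]            # stale token is useless from here on
            return "reauth_required"
        self._last_activity[token] = self._now()      # activity extends the session
        return "ok"


class FakeClock:
    """Injectable clock so the idle timeout can be exercised without sleeping."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock(0.0)
    policy = MobileSessionPolicy(now=clock)
    print(policy.start_session("3.1.9", True))        # None: outdated app build
    token = policy.start_session("3.2.0", True)
    print(policy.authorize(token))                    # ok
    clock.t = IDLE_TIMEOUT_SECONDS + 1
    print(policy.authorize(token))                    # reauth_required
    print(policy.on_launch(token))                    # reauth_required
```

Because the idle check and the launch check both happen on the server, a rooted or tampered device cannot extend its own session by editing local state; the worst it can present is a token the server has already forgotten.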
4. Card Payments Security
To maintain the security of card payments, various payment card standards are prescribed by the Payment Card Industry. REs shall ensure robust surveillance and monitoring of card transactions (especially overseas cash withdrawals) and set up rules and limits commensurate with their risk appetite.
IMPACT OF THE DIRECTIONS
The Directions are aimed at the general public, who may have little or no knowledge of the functioning of Digital Payment Systems or the safety precautions to be adopted while using them. Taking this into account, the Directions focus on increasing customer awareness of their rights, responsibilities, the risks involved and the grievance redressal mechanism available to them, along with providing proper training to staff to detect and prevent issues concerning Digital Payment Systems.
The Directions issued by the RBI provide stringent guidelines to be followed by the REs to prevent the misuse of such Digital Payment Platforms for fraudulent activities, by establishing a detailed Fraud Risk Management system in conjunction with a reconciliation mechanism which identifies and blocks suspicious transactions.
The Directions are likely to enhance the security and stability of Digital Payment Systems, as proper implementation of the guidelines prescribed will ensure reduced occurrence of various risks associated with Digital Payment Systems.
Although the Directions prescribe no direct regulatory control over the third-party technology platforms associated with REs for the provision of Digital Payment services, REs are required to ensure that such technology partners maintain a minimum level of security controls and standards. Hence, third-party platforms are also subject to the security control guidelines prescribed by the Directions.
The Directions issued by the RBI are a much-needed positive move to ensure digital payments security. They have been comprehensively framed to touch upon the minute details of the Digital Payment Systems and thus ensure an encrypted secure transaction.
Digital payment products need to be regularly monitored by the Board or the Senior Management of the Entity, and where any adverse trend is detected, appropriate action must be taken by modifying the plan or strategy. The clearly described risk monitoring process under these Directions is expected to minimise the security threats in digital payments.
With respect to the system outages observed as an increasing customer base and demand lead to heavy traffic on platforms, the Directions require that a capacity management plan be put in place and regularly updated.
Strict provisions have been laid down to ensure the integrity of customer data. The provision for an Escrow Arrangement is included to meet the objective of an uninterrupted supply of services in the event of any default by a third party. Emphasis has been laid on stronger authentication methods to eliminate the chances of cyber fraud. However, comprehensive security control mechanisms are expected to be laid down by the Personal Data Protection Bill, 2019, which is yet to be notified.
This being said, the Directions would bring about a positive change, as Digital Payment Systems under this framework would become more alert and responsible towards customers, ensuring the convenience of secure digital transactions, which would in turn help in achieving the goal of a Cashless Economy.
–TEAM AMLEGALS, assisted by Ms. Kulsoom Farhat Khan (Intern)
For any query or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com.