Following a series of data breaches involving operators such as MobiKwik and payment aggregator JusPay, the Reserve Bank of India (RBI) will soon issue cybersecurity norms for Payment Service Providers (PSPs), according to a top RBI official.
Although the requirements for fintech-driven payment services providers would be similar to the cyber hygiene norms released recently for banks and non-banking finance companies, the RBI is clear that as digital transactions gain momentum, companies will need to do more than just follow the minimum standards to ensure security.
Commenting on the development, RBI Executive Director, T. Rabi Sankar, said “On cyber frauds, Reserve Bank of India has issued very recently basic guidelines on cyber hygiene and cybersecurity for banks and certain NBFCs,”
He said “We would follow that up with respect to other entities such as payments systems operators in the payments space. Those are getting finalised and will be issued soon,”
“Having said that, the minimum standards set by the regulator for the regulated entities are needed, but they would never be enough. As digitisation increases in any sphere, payments or otherwise, as people do more and more digital transactions, institutions themselves will have to do more than the minimum standards that regulators set, to deal with any cybersecurity threats,”. He added that Individual users will also need to be vigilant, since there is no way around being mindful of the risks associated with digital transactions.
Sankar also expressed concerns about the dominance of two or three players in the fintech-backed retail payments space, speaking at a webinar hosted by RIS, India International Centre, and the University of Essex on ‘Banks, Finance and the changing form of technology’
He said “Look at the popularity of UPI because of the client base of a couple of Big Tech companies. But this process has to be managed…. the concentration of two or three third-party providers in this retail payments space could give rise to competitive weaknesses. That is a challenge that we need to look at and solve going forward,”
The vital task for regulators over the next decade, he asserted, would be to accelerate the adoption of fintech without jeopardising the financial system’s credibility or stability.
Mr. Sankar pointed out that there aren’t many payment systems in India, and the number of players is small, and that two apps provide roughly 70% of third-party services in the UPI system.
RBI said “Strictly speaking, they are not providers as such, as they are just the front-end and just onboard customers. They have no control on the entire UPI itself. In that sense, there is not so much a concern on antitrust or monopolistic tendencies because there is hardly any pricing that happens there,”