Do RBI's Draft SRO Guidelines Adequately Address Security?Security Professionals Discuss Proposed Framework for SROs Overseeing Payment Operations
The Reserve Bank of India’s draft of a framework for new self-regulatory organizations, including one that would help oversee payment system operators, fails to adequately address security issues, some observers say.
In February, RBI announced plans to create an SRO for payment systems operators. The non-governmental organization will have the power to create and enforce industry and professional regulations and standards.
The SRO will oversee nearly 100 payment system operators, such as financial market infrastructure providers, retail payments organizations, card payment networks, money transfer organizations, ATM networks, pre-paid payment instruments and white label ATM operators.
The draft guidelines for the not-for-profit SROs, which RBI recently released, lack sufficient details on compliance with security processes, including data localization requirements, some security professionals say.
The final version of the guidelines should stress the need for the SROs to collaborate with all stakeholders in framing rules and regulations and adhering to security standards, including establishing multifactor authentication and complying with global payments standards and with the Gopalakrishna Committee report on harnessing technologies to respond to growing threats, according to some observers.
"RBI's guidelines on the working structure of the SROs should result in an industry-wide upgrade of overall security levels, to the extent that standards and expectations are clearly spelled out," says Tom Wills, director of Secure Strategies, a financial consulting organization.
"Since the cybersecurity threats and vulnerabilities when it comes to payments are the same the world over, I expect that the SROs will also work very similarly to the way existing global standards are enforced, with certification requirements and fines."
Some security practitioners say RBI's data localization requirements – which require domestic storage of sensitive data to improve privacy and security - may be the biggest hurdle for the new SROs to overcome.
While National Payments Corp. of India, which operates various payment instruments, including Unified Payments Interface, has started auditing data localization norms for digital payment firms, RBI has not clearly explained how the SROs will help meet these norms.
Dr. Onkar Nath, a former CISO and security strategist, says RBI does not adequately emphasize on implementing best security standards and information assurance. “The SROs need to be made accountable for any security incidents," Nath says.
Sriram Natarajan, president of Quinte Financial Technologies, a global fintech company, says the SROs should focus on ensuring the organizations they oversee conduct audits and meet integrity standards.
"The SROs will have to ensure the existing global standards are [followed] and ensure that enough security is built around the use of social media tools, like WhatsApp payments for online transactions,” Natarajan says.
A top priority for the SROs should be to meet the cybersecurity requirements - which call for use of certain technologies - as specified in the Gopala Krishna Committee report issued by RBI, says Siba Narayanan Panda, former CISO and vigilance officer at PayTM Payments Bank.
"Given the current challenges for the payments industry, the SROs need to [use] industry and global best practices … such as artificial intelligence and quantum key cryptography and suggest necessary improvements in dealing with the security and fraud issues," Panda says.
Shomiron Dasgupta, CEO at Netmonastery, a cyberthreat defense solutions firm, points out: “We expect to see clarification from RBI on the application of the cybersecurity framework to the SROs for payment system operators. The typical payment industry-specific cybersecurity risks such as online fraud, information theft and malware or virus attacks remain valid for members of the SRO, too.”
RBI’s Dayal explains that while self-regulation will focus on issues of systemic importance, compliance will be essential. "As the industry is forced to think in terms of developing systems that conform to best international practices, the industry would be in a better position to ensure global competitiveness," he says.
As the payment ecosystem matures and as the number of payments systems grows, the industry must develop standards for system security, pricing practices, customer protection measures, and grievance redressal mechanisms, RBI noted in releasing its draft SRO guidelines.
Yogesh Dayal, RBI’s chief general manager, says the new SROs will oversee operators in all segments of payment systems and will be expected to observe best practices on security, customer protection, and competitiveness.
"The SROs shall serve as a two-way communication channel between the PSOs [payment service operators] and RBI and work toward establishing minimum benchmarks and standards in the payments space, apart from helping disciplined behavior by members," Dayal says.
The SROs will be a not-for-profit companies under the Indian Companies Act, acting as an arm of RBI in helping PSOs security and compliance expectations.
The functions of the SROs will include:
- Serve as a communication channel between its members and RBI;
- Help establish minimum benchmarks and security standards and help instill professional behavior among its members;
- Impart training to the staff of its members and others and conduct awareness programs for safe digital transactions;
- Conduct or promote research and development for creating a secure and safe digital payment ecosystem
- Provide any information, including data, sought by RBI as requested.
RBI plans to designate several SROs to oversee various segments. For example, the Microfinance Institutions Network, or MFIN, was recently officially recognized as the SRO for non-bank financial company microfinance institutions in India.
"In essence, ours is a supportive role,” says Alok Prasad, CEO of MFIN. “MFIN will be acting on behalf of the RBI and performing a given role within well-defined parameters. An SRO framework is not only a leap of faith on the part of the RBI but practically an 'experiment' in regulatory architecture."