It requires banks that use third-party apps for digital transactions to keep the apps’ source code in escrow in case the vendor becomes unable to provide services. It is not clear whether this applies only to the bank’s proprietary apps developed by third parties or to all third-party apps.
Bankers say that this regulation could have far-reaching implications if it is applied to third-party apps for the Unified Payments Interface (UPI).
Currently, banks are responsible if there is any data breach from a third-party unregulated entity. In UPI payments, the market is dominated by third-party apps like Google Pay and PhonePe with Amazon and WhatsApp preparing to play a larger role.
The new directions issued by the RBI apply to all commercial banks, small finance banks, payment banks and credit card-issuing non-banking financial companies (NBFCs). This is the first time that the central bank has entered the operational side of digital payments. Earlier, the central bank had left it to the National Payments Corporation of India to set the ground rules, both as a service provider and as a quasi-regulator.
The directions further require banks to carry out security testing, including review of source code, vulnerability assessment (VA) and penetration testing (PT), of their digital payment apps. This is intended to ensure that the application is secure for putting through transactions, while preserving the confidentiality and integrity of the data that is stored and transmitted.
“The regulator has taken a holistic approach to this segment because digital payments, which have become mainstream today, will become the primary mode of payments in future. These guidelines will go a long way in developing trust and bringing scale,” said Paytm founder Vijay Shekhar Sharma.
The RBI had earlier come out with norms to regulate payment gateways. According to payment service providers, the latest move will improve confidence in the market. “This is good for the ecosystem as it helps build higher confidence with the consumer and the merchant. This will ensure that better quality and better-governed players participate in the processing of payment transactions. This definitely will improve governance,” said Rajeev Agarwal, CEO of digital payments company Innoviti.
Another new regulation is the requirement that banks and other regulated entities reconcile payments in real time or near real time. In any case, this must be done no later than 24 hours from the receipt of settlement files, so that suspicious transactions can be detected and prevented.