Master Directions on Cyber Resilience and Digital Payment Security Controls

Current Context: The Reserve Bank of India (RBI) has issued final guidelines on cyber resilience and digital payment security controls for non-bank payment system operators (PSOs) on 30th July 2024.

• Here are the key points:
• Timelines for Compliance:
• Large PSOs (e.g., Clearing Corporation of India Limited, NPCI, Bharat Bill Payment Operating Units, Payment Aggregators) must comply by April 2025.
• Medium PSOs (cross-border money transfer operators under MTSS, medium prepaid payment instrument issuers) have until April 2026.
• Small PSOs (instant money transfer operators, certain PPI issuers) need to comply by April 2028.
• Incident Reporting:
• Entities must report incidents like cyber-attacks, system outages, internal frauds, etc., to the RBI within six hours of detection.
• Cybersecurity incidents should also be reported to CERT-IN.
• Oversight and Preparedness:
• PSO boards are responsible for overseeing information security risks, including cyber risk and resilience.
• PSOs must prepare a cyber crisis management plan (CCMP) to detect, contain, respond to, and recover from cyber threats.
• Risk Assessment:
• PSOs should assess cyber risks when launching new products/services or changing existing systems.
• Regular training programs on information security are essential for employees and vendors.
• Fraud Monitoring:
• PSOs must set up a real-time or near real-time fraud monitoring solution to identify suspicious transactional behavior.

Question:

1 Which of the following Payment System Operators (PSOs) must comply with the RBI's guidelines by April 2025?

• A) Medium PSOs
• B) Small PSOs
• C) Large PSOs
• D) All PSOs

Answer: C) Large Payment System Operators (PSOs) (e.g., Clearing Corporation of India Limited, NPCI, Bharat Bill Payment Operating Units, Payment Aggregators) must comply by April 2025.