Comments on the Ministry of Electronics & Information Technology’s Draft Rules for Security of Prepaid Payment Instruments

By Malavika Raghavan, IFMR Finance Foundation

On 8 March 2017, the Ministry of Electronics & Information Technology (MeitY) released a set of draft rules for security of prepaid payment instruments (Draft Rules), inviting comments by 20 March 2017.[1] The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Rules.

The Draft Rules propose new requirements for pre-paid payment instrument (PPI) issuers, requiring them to:

  • put in place information security policy and privacy policies, and undertake risk assessments to assess risks associated with the security of their payment systems, and
  • institute a range of measures on customer identification, authentication, awareness, and education, and separately, a set of security practices.

The Draft Rules seek to broaden the category of customer information that is considered “personal information” for the purposes of the Information Technology Act, 2000 (IT Act), improper disclosure of which can be penalised by a fine up to Rs. 5 lakhs or imprisonment up to 3 years (or both). It also seeks to give transaction history data held by PPI issuers a higher degree of protection as “sensitive personal data and information” under the IT Act.[2]

The Draft Rules are an important and progressive step towards highlighting customer data protection and privacy concerns of customers using PPIs. However, MeitY has taken the interesting position of making rules for a particular institution type (PPIs here), which makes it akin to a sectoral regulator. It is also interesting to note that the Draft Rules traverse areas in which Reserve Bank of India (RBI) regulation already exists. In this regard we note that on 20 March 2017, the RBI released its updated “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India”, inviting comments by 31 March 2017.

In our comments to MeitY we have sought to highlight that the Draft Rules:

  • dealing with privacy and data protection, while incorporating some of the key (and internationally recognised) data protection principles can benefit from a more complete coverage of these principles,
  • while certainly taking the lead in customer data protection, should, keeping in tune with several other jurisdictions, go a step further and consider a broadening of the scope of Sensitive Personal Data and Information (SPDI) by covering any “personally identifiable financial information that any institution collects about an individual in connection with providing a financial product or service (unless that information is otherwise publicly available) – We characterise this as “Non-Public Personal Information (NPI), and make a case for treating NPI as SPDI for the purposes of the Information Technology Act, 2000
  • should attempt consistency with the existing framework of the Information Technology Act, 2000 (particularly the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011) so as to avoid multiplicity of legal standards.

We consider MeitY to be best placed to continue its role as the overarching standards setting body for issues relating to security and integrity of electronic transactions, and we see the actual monitoring and enforcement of such standards to be delegated to sector specific and specialised regulators (such as RBI, SEBI, IRDA, PFRDA, TRAI, Airports Authority of India, Registrar of Companies, All India Council for Technical Education, others. Therefore, in the context of PPIs, it would be wise to take note of existing regulations and monitoring systems already present within the RBI, as further described in our response document.

Our response to MeitY’s public consultation is available here.

About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.

[1] The deadline has since been extended to 5 April 2017.

[2] For an explanation of these categories, see our blog on Electronic Financial Data and Privacy in India (published December 2016).