26 Apr

Comments on the RBI Draft Master Directions on Issuance and Operation of Prepaid Payment Instruments in India

By Bhusan Jatania, IFMR Finance Foundation

The Reserve Bank of India (RBI) released the Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India (Draft Circular) on 20 March 2017. The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Circular.

While the Draft Circular builds upon a series of PPI related circulars issued by the RBI, it proposes significant changes such as:

  • increasing a PPI issuer’s net-worth requirement to Rs. 25 crores (from the existing Rs. 1 crore),
  • allowing PPI issuers to access payment systems in the future (without providing details),
  • requiring comprehensive system audit of PPI issuers on an annual basis (and before granting licenses to new applicants), and
  • compulsory conversion of existing PPIs (which hold minimum information about the user) to full KYC PPIs (this has to be achieved within 60 days of the Draft Circular coming into force).

In our comments to RBI we have recommended that the Draft Circular:

  • provide a higher standard of customer data protection,
  • create a more level playing field for bank-led and non-bank-led PPI issuers, and
  • clarify customer liability for unauthorised / fraudulent transactions involving PPIs.

In our response we have also compared the Draft Circular to the recent draft rules for security of prepaid payment instruments released by the Ministry of Electronics & Information Technology on 8 March 2017 (to which we also provided a response, available here).

We believe that the proposed regulatory revamp of wallet providers is driven by the principle that emergence of dominance should lead to greater supervision. The RBI appears to have taken a view that the digital payments sector, characterised by significant user expansion, has emerging customer abuse, data security and systemic risk considerations. And while the industry has raised some concerns of regulatory extravagance around the Draft Circular, it should largely be seen as a step in the right direction.

Our response to RBI’s public consultation is available here.


About the Future of Finance Initiative:

The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.

27 Mar

Comments on the Ministry of Electronics & Information Technology’s Draft Rules for Security of Prepaid Payment Instruments

By Malavika Raghavan, IFMR Finance Foundation

On 8 March 2017, the Ministry of Electronics & Information Technology (MeitY) released a set of draft rules for security of prepaid payment instruments (Draft Rules), inviting comments by 20 March 2017.[1] The IFMR Finance Foundation’s Future of Finance Initiative has provided its response to the Draft Rules.

The Draft Rules propose new requirements for pre-paid payment instrument (PPI) issuers, requiring them to:

  • put in place information security policy and privacy policies, and undertake risk assessments to assess risks associated with the security of their payment systems, and
  • institute a range of measures on customer identification, authentication, awareness, and education, and separately, a set of security practices.

The Draft Rules seek to broaden the category of customer information that is considered “personal information” for the purposes of the Information Technology Act, 2000 (IT Act), improper disclosure of which can be penalised by a fine up to Rs. 5 lakhs or imprisonment up to 3 years (or both). They also seek to give transaction history data held by PPI issuers a higher degree of protection as “sensitive personal data and information” under the IT Act.[2]

The Draft Rules are an important and progressive step towards highlighting customer data protection and privacy concerns of customers using PPIs. However, MeitY has taken the interesting position of making rules for a particular institution type (PPIs here), which makes it akin to a sectoral regulator. It is also interesting to note that the Draft Rules traverse areas in which Reserve Bank of India (RBI) regulation already exists. In this regard we note that on 20 March 2017, the RBI released its updated “Master Directions on Issuance and Operation of Pre-paid Payment Instruments (PPIs) in India”, inviting comments by 31 March 2017.

In our comments to MeitY we have sought to highlight that the Draft Rules:

  • dealing with privacy and data protection, while incorporating some of the key (and internationally recognised) data protection principles, can benefit from a more complete coverage of these principles,
  • while certainly taking the lead in customer data protection, should, keeping in tune with several other jurisdictions, go a step further and consider a broadening of the scope of Sensitive Personal Data and Information (SPDI) by covering any “personally identifiable financial information that any institution collects about an individual in connection with providing a financial product or service (unless that information is otherwise publicly available)”. We characterise this as “Non-Public Personal Information” (NPI), and make a case for treating NPI as SPDI for the purposes of the Information Technology Act, 2000, and
  • should attempt consistency with the existing framework of the Information Technology Act, 2000 (particularly the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011) so as to avoid multiplicity of legal standards.

We consider MeitY to be best placed to continue its role as the overarching standards setting body for issues relating to security and integrity of electronic transactions, and we see the actual monitoring and enforcement of such standards to be delegated to sector specific and specialised regulators (such as RBI, SEBI, IRDA, PFRDA, TRAI, Airports Authority of India, Registrar of Companies, All India Council for Technical Education and others). Therefore, in the context of PPIs, it would be wise to take note of existing regulations and monitoring systems already present within the RBI, as further described in our response document.

Our response to MeitY’s public consultation is available here.


[1] The deadline has since been extended to 5 April 2017.

[2] For an explanation of these categories, see our blog on Electronic Financial Data and Privacy in India (published December 2016).