Tag Archives: payment system operators

aadhar authentication e-KYC licence

RBI is, vide its circular dated 13th September, 2021, opening up the window for NBFCs, payment system providers and payment system participants to obtain an Aadhaar authentication e-KYC licence (KYC User Agency) or sub-KUA. What is this now? I wonder what happened to the Central KYC registry. There are no parameters specified, which means any such NBFCs etc. can apply?

https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12161&Mode=0

Application for Aadhaar e-KYC Authentication Licence

In terms of Section 11A of the PML Act, 2002, entities other than banking companies may, by notification of the Central Government, be permitted to carry out authentication of client’s Aadhaar number using e-KYC facility provided by the Unique Identification Authority of India (UIDAI). Such notification shall be issued only after consultation with UIDAI and the appropriate regulator.

A detailed procedure for processing of applications under the aforementioned Section for use of Aadhaar authentication services by entities other than banking companies has been provided by the Department of Revenue, Ministry of Finance vide their circular dated May 9, 2019.

2. Accordingly, Non-Banking Finance Companies (NBFCs), Payment System Providers and Payment System Participants desirous of obtaining Aadhaar Authentication License – KYC User Agency (KUA) License or sub-KUA License (to perform authentication through a KUA), issued by the UIDAI, may submit their application to this Department for onward submission to UIDAI. The applications can also be forwarded over email. The format of the application is provided in the Annex to this circular.


tokenisation – enhancements

We invite reference to our circular DPSS.CO.PD No.1463/02.14.003/2018-19 dated January 8, 2019 on “Tokenisation – Card transactions”, permitting authorised card networks to offer card tokenisation services subject to the conditions listed therein. Initially limited to mobile phones and tablets, this facility was subsequently extended to laptops, desktops, wearables (wrist watches, bands, etc.), Internet of Things (IoT) devices, etc., vide our circular CO.DPSS.POLC.No.S-469/02-14-003/2021-22 dated August 25, 2021 on “Tokenisation – Card Transactions : Extending the Scope of Permitted Devices”.

2. Reference is also invited to our circulars DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020 (as updated from time to time) and CO.DPSS.POLC.No.S33/02-14-008/2020-2021 dated March 31, 2021 on “Guidelines on Regulation of Payment Aggregators and Payment Gateways”, advising that neither the authorised Payment Aggregators (PAs) nor the merchants on-boarded by them shall store customer card credentials [also known as Card-on-File (CoF)].

3. On a review of the tokenisation framework and to enable cardholders to benefit from the security of tokenised card transactions as also the convenience of CoF, it has been decided to effect the following enhancements –

  1. Extend the device-based tokenisation framework referred to at paragraph 1 above to CoF Tokenisation (CoFT) as well.
  2. Permit card issuers to offer card tokenisation services as Token Service Providers (TSPs).
  3. The facility of tokenisation shall be offered by the TSPs only for the cards issued by / affiliated to them.
  4. The ability to tokenise and de-tokenise card data shall be with the same TSP.
  5. Tokenisation of card data shall be done with explicit customer consent requiring Additional Factor of Authentication (AFA) validation by card issuer.
  6. Additional requirements relating to CoFT are listed in the Annex.

4. Further, in the interest of clarity, the following points may be noted –

  1. With effect from January 1, 2022, no entity in the card transaction / payment chain, other than the card issuers and / or card networks, shall store the actual card data. Any such data stored previously shall be purged.
  2. For transaction tracking and / or reconciliation purposes, entities can store limited data – last four digits of actual card number and card issuer’s name – in compliance with the applicable standards.
  3. Complete and ongoing compliance with the above by all entities involved, shall be the responsibility of the card networks.

5. This directive is issued under Section 10 (2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).

Annex

(CO.DPSS.POLC.No.S-516/02-14-003/2021-22 dated September 07, 2021)

Conditions to be fulfilled for offering CoFT services

1. For the purpose of CoFT, the token shall be unique for a combination of card, token requestor and merchant.

2. If card payment for a purchase transaction at a merchant is being performed along with the registration for CoFT, then AFA validation may be combined.

3. The merchant shall give an option to the cardholder to de-register the token. Further, a token requestor having direct relationship with the cardholder shall list the merchants in respect of whom the CoFT has been opted through it by the cardholder; and provide an option to de-register any such token.

4. A facility shall also be given by the card issuer to the cardholder to view the list of merchants in respect of whom the CoFT has been opted by her / him, and to de-register any such token. This facility shall be provided through one or more of the following channels – mobile application, internet banking, Interactive Voice Response (IVR) or at branches / offices.

5. Whenever a card is renewed or replaced, the card issuer shall seek explicit consent of the cardholder for linking it with the merchants with whom (s)he had earlier registered the card.

6. The TSP shall put in place a mechanism to ensure that the transaction request has originated from the merchant and the token requestor with whom the token is associated.

7. All other provisions of the RBI circulars dated January 8, 2019 and August 25, 2021 shall be applicable.
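The binding rules in Annex items 1, 3, 4 and 6, together with the storage limit in paragraph 4 of the circular, sketched as an added Python example (it is not taken from the RBI circular or from any card network's implementation). The class and function names, the `tok_` token format and the HMAC request signing are assumptions made for illustration; the circular does not prescribe a mechanism, and the card number and identifiers are constructed test values.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


class TokenError(Exception):
    """A tokenisation or de-tokenisation request was refused."""


@dataclass
class TokenRecord:
    pan: str            # actual card number, held only inside the TSP
    requestor_id: str
    merchant_id: str
    active: bool = True


def sign_request(key: bytes, token: str, merchant_id: str, nonce: str) -> str:
    """Requestor-side HMAC over the request fields (assumed mechanism)."""
    msg = json.dumps([token, merchant_id, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def reconciliation_record(pan: str, issuer: str) -> dict:
    """What a merchant or aggregator may keep: last four digits and issuer name."""
    return {"last4": pan[-4:], "issuer": issuer}


class TokenVault:
    """Hypothetical TSP: tokenises and de-tokenises, so both stay with one party."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}
        self._bindings: dict[tuple[str, str, str], str] = {}
        self._requestor_keys: dict[str, bytes] = {}
        self._seen_nonces: set[tuple[str, str]] = set()

    def register_requestor(self, requestor_id: str) -> bytes:
        """Enrol a token requestor and return its request-signing key."""
        key = secrets.token_bytes(32)
        self._requestor_keys[requestor_id] = key
        return key

    def tokenise(self, pan, requestor_id, merchant_id, afa_validated) -> str:
        if not afa_validated:
            raise TokenError("explicit consent with AFA validation is required")
        if requestor_id not in self._requestor_keys:
            raise TokenError("unknown token requestor")
        # One token per (card, token requestor, merchant) combination.
        binding = (pan, requestor_id, merchant_id)
        token = self._bindings.get(binding)
        if token is None:
            # Random surrogate: nothing about the PAN can be derived from it.
            token = "tok_" + secrets.token_hex(16)
            self._records[token] = TokenRecord(pan, requestor_id, merchant_id)
            self._bindings[binding] = token
        return token

    def detokenise(self, token, requestor_id, merchant_id, nonce, signature) -> str:
        key = self._requestor_keys.get(requestor_id)
        if key is None:
            raise TokenError("unknown token requestor")
        expected = sign_request(key, token, merchant_id, nonce)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            raise TokenError("request was not signed by this token requestor")
        if (requestor_id, nonce) in self._seen_nonces:
            raise TokenError("replayed request")
        self._seen_nonces.add((requestor_id, nonce))
        record = self._records.get(token)
        if record is None or not record.active:
            raise TokenError("unknown or de-registered token")
        if (record.requestor_id, record.merchant_id) != (requestor_id, merchant_id):
            raise TokenError("token is bound to a different requestor or merchant")
        return record.pan

    def deregister(self, token: str) -> None:
        record = self._records.get(token)
        if record is None or not record.active:
            raise TokenError("unknown or de-registered token")
        record.active = False
        del self._bindings[(record.pan, record.requestor_id, record.merchant_id)]

    def merchants_for_card(self, pan: str) -> list[str]:
        """Issuer-side listing of merchants holding an active token for the card."""
        return sorted({r.merchant_id for r in self._records.values()
                       if r.pan == pan and r.active})


def refused(call, *args) -> bool:
    """True when the vault rejects the call with TokenError."""
    try:
        call(*args)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    key = vault.register_requestor("requestor-A")   # constructed identifier
    pan = "4111111111111111"                        # constructed test number
    tok = vault.tokenise(pan, "requestor-A", "merchant-1", True)
    sig = sign_request(key, tok, "merchant-1", "nonce-1")
    print(vault.detokenise(tok, "requestor-A", "merchant-1", "nonce-1", sig) == pan)
    bad = sign_request(key, tok, "merchant-2", "nonce-2")
    print(refused(vault.detokenise, tok, "requestor-A", "merchant-2", "nonce-2", bad))
```

A token lifted from one merchant's store is useless at another merchant or through another token requestor, which is what makes Card-on-File storage of tokens safer than storage of card numbers.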


outsourcing of payment & settlement related activities

RBI has issued a circular dated 3rd August, 2021, wherein it has laid down conditions for outsourcing of payment & settlement related activities by payment system operators. Here’s the gist.

1. Introduction

1.1. This framework is applicable to non-bank PSOs insofar as it relates to their payment and / or settlement-related activities.

1.2. It seeks to put in place minimum standards to manage risks in outsourcing of payment and / or settlement-related activities (including other incidental activities like on-boarding customers, IT based services, etc.).

1.3. The framework is not applicable to activities other than those related to payment and / or settlement services, such as internal administration, housekeeping or similar functions.

1.4. For the purpose of this framework, ‘outsourcing’ is defined as use of a third party (i.e. service provider) to perform activities on a continuing basis that would normally be undertaken by the PSO itself, now or in the future. ‘Continuing basis’ would include agreements for a limited period.

1.5. The term ‘service provider’ includes, but is not limited to, vendors, payment gateways, agents, consultants and / or their representatives that are engaged in the activity of payment and / or settlement systems. It also includes sub-contractors (i.e., secondary service providers) to whom the primary service providers may further outsource whole or part of some activity related to payment and settlement system activities outsourced by the PSO.

1.6. This framework is applicable to a service provider, whether located in India or elsewhere.

1.7. The service provider, unless it is a group company of the PSO, shall not be owned or controlled by any director or officer of the PSO or their relatives; the terms – control, director, officer and relative – have the same meaning as assigned to them under the Companies Act, 2013.

1.8. Outsourcing process is associated with several risks; following is an illustrative list of such risks:

  1. Compliance Risk – Where privacy, customer / consumer and prudential laws are not adequately complied with by the service provider;
  2. Concentration and Systemic Risk – Where the overall industry has considerable exposure to one service provider and hence, individual PSO may lack control over the service provider;
  3. Contractual Risk – Where the PSO may not have the ability to enforce the contract;
  4. Country Risk – When political, social or legal climate creates added risk;
  5. Cyber Security risk – Where breach in IT systems may lead to potential loss of data, information, reputation, money, etc.;
  6. Exit Strategy Risk – When over-reliant on one firm, the PSO loses related skills internally, and it becomes difficult to bring the activity back in-house; and where the PSO has entered into contracts that makes speedy exit prohibitively expensive;
  7. Legal Risk – Where the PSO is subjected to fines, penalties, or punitive damages resulting from supervisory actions, as well as to private settlements due to acts of omission and commission by the service provider;
  8. Operational Risk – Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligations and / or to provide remedies;
  9. Reputation Risk – Where the service provided is poor and customer interaction is inconsistent with the overall standard expected from the PSO; and
  10. Strategic Risk – Where the service provider conducts business on its own behalf, inconsistent with the overall strategic goals of the PSO.

1.9. It is essential that the PSO, which is outsourcing its activities, ensures the following:

  1. Exercises due diligence, puts in place sound and responsive risk management practices for effective oversight, and manages the risks arising from such outsourcing of activities.
  2. Outsourcing arrangements do not impede its effective supervision by RBI.

1.10. Outsourcing of activities by the PSOs shall not require prior approval from RBI.

2. Activities that shall not be outsourced

2.1. The PSOs shall not outsource core management functions, including risk management and internal audit; compliance and decision-making functions such as determining compliance with KYC norms. However, while internal audit function itself is a management process, the auditors for this purpose can be appointed by the PSO from its own employees or from the outside on contract.

3. Criticality of outsourcing

3.1. The PSO shall carefully evaluate the need for outsourcing its critical processes and activities, as also selection of service provider(s) based on comprehensive risk assessment. The critical processes are those, which if disrupted, shall have the potential to significantly impact the business operations, reputation, profitability and / or customer service.

4. PSO’s role and regulatory and supervisory requirements

4.1. Outsourcing of any activity by the PSO shall not reduce its obligations, and those of its board and senior management, who are ultimately responsible for the outsourced activity. The PSO shall, therefore, be liable for the actions of its service providers and shall retain ultimate control over the outsourced activity.

4.2. The PSO, while exercising due diligence in respect of outsourcing, shall consider all relevant laws, regulations, guidelines and conditions of authorisation / approval, licensing or registration.

4.3. Outsourcing arrangements shall not affect the rights of a customer of a payment system against the PSO, as well as those of a payment system participant against the PSO, including her / his ability to avail grievance redressal as applicable under the relevant laws. Responsibility of addressing the grievances of its customers shall rest with the PSO, including in respect of the services provided by the outsourced agency (i.e., service provider).

4.4. A PSO, which has outsourced its customer grievance redressal function, must also provide its customers the option of direct access to its nodal officials for raising and / or escalating complaints. Such access should be enabled through adequate phone numbers, e-mail ids, postal address, etc., details of which shall be displayed prominently on its website, mobile applications, advertisements, etc., and adequate awareness shall also be created about the availability of this recourse.

4.5. If the customer is required to have an interface with the service provider to avail products of the PSO, then the PSO shall state the same through the product literature / brochure, etc., and also indicate therein the role of such service provider.

4.6. A PSO must ensure that outsourcing does not impede or interfere with the ability of the PSO to effectively oversee and manage its activities; nor does it prevent RBI from carrying out its supervisory functions and objectives.

5. Outsourcing policy

5.1. To outsource any of its payment and settlement-related activities, the PSO shall have a board-approved comprehensive outsourcing policy, which incorporates, inter-alia, criteria for selection of such activities and service providers; parameters for grading the criticality of outsourcing; delegation of authority depending on risks and criticality; and, systems to monitor and review the operation of these activities.

6. Role of the board and responsibilities of the senior management

6.1. Role of the board

The board of the PSO, or a committee of the board to which powers have been delegated, shall be responsible, inter-alia, for the following:

  1. approving a framework to evaluate the risks and criticality of all existing and prospective outsourcing;
  2. approving policies that apply to outsourcing arrangements;
  3. mapping appropriate approval authorities for outsourcing depending on risks and criticality;
  4. setting up suitable administrative mechanism of senior management for the purpose of this framework;
  5. undertaking periodic review of outsourcing policy, strategies and arrangements for their continued relevance, safety and soundness;
  6. deciding on business activities to be outsourced and approving such arrangements; and
  7. complying with regulatory instructions.

6.2. Responsibilities of the senior management

The senior management shall be responsible for:

  1. evaluating the risks and criticality of all existing and prospective outsourcing, based on the framework approved by the board;
  2. developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope and complexity of the outsourcing activity;
  3. reviewing periodically the effectiveness of policies and procedures, and for identifying new outsourcing risks as they arise;
  4. communicating, in a timely manner, to the board any information related to outsourcing risks;
  5. ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested periodically; and
  6. ensuring an independent review and audit for compliance with the set policies.

6.3. A central record of all outsourcing arrangements shall be maintained and it shall be readily accessible for review by the board and senior management of the PSO. The record shall be updated promptly, and half yearly reviews shall be placed before the board or its senior management.

7. Evaluating capability of the service provider

7.1. While considering / renewing an outsourcing arrangement, the PSO shall include issues related to undue concentration of such arrangements with a service provider.

8. Outsourcing agreement

8.1. The terms and conditions governing the contract between the PSO and the service provider shall be carefully defined in written agreements and vetted by PSO’s legal counsel for their legal effect and enforceability. Every such agreement shall address the risks and the strategies for mitigating them. The agreement shall be sufficiently flexible to allow the PSO to retain adequate control over the outsourced activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement shall also bring out the nature of legal relationship between the parties, i.e. whether agent, principal or otherwise. Some of the key provisions of the agreement should incorporate the following:

  1. defining activity to be outsourced, including appropriate service and performance standards;
  2. having access by the PSO to all books, records and information relevant to the outsourced activity, available with the service provider;
  3. providing for continuous monitoring and assessment by the PSO of the service provider, so that any necessary corrective measure can be taken immediately;
  4. including termination clause and minimum period to execute such provision, if deemed necessary;
  5. ensuring controls are in place for maintaining confidentiality of customer data and incorporating service provider’s liability in case of breach of security and leakage of such information related to customers;
  6. incorporating contingency plan(s) to ensure business continuity;
  7. requiring prior approval / consent of the PSO for use of sub-contractors by the service provider for all or part of an outsourced activity;
  8. retaining PSO’s right to conduct audit of the service provider, whether by its internal or external auditors, or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made about the service provider in conjunction with the services performed for the PSO;
  9. adding clauses to allow RBI or person(s) authorised by it to access the PSO’s documents, record of transactions and other necessary information given to, stored or processed by the service provider, within a reasonable time;
  10. keeping clauses to recognise the right of RBI to cause an inspection to be made of a service provider of a PSO and the books of accounts, by one or more of its officers or employees or other persons;
  11. requiring clauses relating to a clear obligation on any service provider to comply with directions given by RBI insofar as they involve activities of the PSO;
  12. maintaining confidentiality of customer’s information even after the agreement expires or gets terminated; and
  13. preserving documents and data by the service provider in accordance with legal / regulatory obligations of the PSO, and the PSO’s interests in this regard shall be protected even after termination of the services.

9. Confidentiality and security

9.1. Public confidence and customer trust in the PSO is a prerequisite for its stability and reputation. PSO shall ensure the security and confidentiality of customer information in the custody or possession of the service provider.

9.2. Access to customer information by staff of the service provider shall be on ‘need to know’ basis, i.e., limited to areas where the information is required to perform the outsourced function.

9.3. The service provider shall be able to isolate and clearly identify the PSO’s customer information, documents, records and assets to protect their confidentiality. Where the service provider acts as an outsourcing agent for multiple PSOs, there should be strong safeguards (including encryption of customer data) to avoid co-mingling of information, documents, records and assets of different PSOs.

9.4. The PSO shall regularly review and monitor the security practices and control processes of the service provider and require the service provider to disclose security breaches.

9.5. The PSO shall immediately notify RBI about any breach of security and leakage of confidential information related to customers. In such eventualities, the PSO would be liable to its customers for any damage.

9.6. The PSO shall ensure that the extant instructions related to storage of payment system data shall be strictly adhered to by service provider, domestic or off-shore.

10. Responsibilities of Direct Sales Agents (DSAs) / Direct Marketing Agents (DMAs)

10.1. The PSOs shall ensure that the DSAs / DMAs are properly trained to handle their responsibilities with care and sensitivity, particularly for aspects such as soliciting customers, hours of calling, privacy of customer information, conveying the correct terms and conditions of the products on offer, etc.

10.2. The PSOs shall put in place a board-approved code of conduct for DSAs / DMAs and obtain their undertaking to abide by the same.

11. Business continuity and management of disaster recovery plan

11.1. Service provider shall develop and establish a robust framework for documenting, maintaining and testing business continuity and recovery procedures arising out of any outsourced activity. The PSO shall ensure that the service provider periodically tests the business continuity and recovery plans, and shall also consider conducting occasional joint exercises for testing of business continuity and recovery procedures with its service provider.

11.2. To mitigate risk of unexpected termination of the outsourcing agreement or liquidation of the service provider, the PSO shall retain adequate control over its outsourcing and shall have the right to intervene with appropriate measures to continue its business operations and its services to the customers in such cases without incurring prohibitive expenses or any break in its operations and services to the customers.

11.3. As part of contingency plan, the PSO shall consider the availability of alternative service provider(s), as well as the possibility of bringing the outsourced activity back in-house in an emergency and assess the cost, time and resources that would be involved.

11.4. The PSO’s information, documents and records, and other assets shall be isolable by the service provider. This is to ensure that in appropriate situations, all documents, record of transactions and information given to the service provider, and assets of the PSO, can be removed from the possession of the service provider in order to continue its business operations, or deleted, destroyed or rendered unusable.

12. Monitoring and control of outsourced activities

12.1. The PSO shall put in place a management structure to monitor and control its outsourcing activities. It shall ensure that outsourcing agreement with the service provider contains provisions to address monitoring and control by it of the outsourced activities.

12.2. Regular audit by either the internal or external auditors of the PSO shall be conducted to assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangements and the PSO’s compliance with its risk management framework.

12.3. The PSO shall, at least on an annual basis, review the financial and operational conditions of the service provider to assess its ability to fulfil its outsourcing obligations. Such due diligence reviews shall highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.

12.4. In the event of termination of the outsourcing agreement for any reason in cases where the service provider deals with the customers, the same shall be given due publicity by the PSO informing the customers so as to ensure that they stop dealing with the concerned service provider.

12.5. Certain cases like outsourcing of cash management, may involve reconciliation of transactions between the PSO, the service provider and its sub-contractors, if any. In such cases, PSO shall ensure that this reconciliation process is carried out in a timely manner.

12.6. A robust system of internal audit of all outsourced activities shall be put in place and monitored by the board of the PSO.

13. Outsourcing within a group / conglomerate

13.1. The PSO could have back office and service arrangements / agreements with group entities; for instance, sharing of premises, legal and other professional services, hardware and software applications, centralised back office functions, outsourcing certain payment and settlement services to other group entities, etc. Such arrangements with group entities shall be based on the PSO’s board-approved policy and service level arrangements / agreements with its group entities. The agreements shall cover demarcation of shared resources like premises, personnel, etc. Wherever there are multiple group entities involved or any cross-selling is observed, the customers shall be informed about the actual company / entity offering the product / service.

13.2. The PSO shall ensure that such arrangements:

  1. are appropriately documented in written agreements with details like scope of services, charges for services and maintaining confidentiality of customer’s data;
  2. do not cause any confusion among customers as to whose products / services they are availing, by clear physical demarcation of the site of activities of different group entities;
  3. do not compromise ability of the PSO to identify and manage risks on a standalone basis; and
  4. do not prevent RBI from being able to obtain information required for supervision of the PSO or pertaining to the group as a whole.

13.3. The PSO shall ensure that its ability to carry out operations in a sound fashion is not affected if premises or other services (such as IT systems and support staff) provided by the group entities become unavailable.

13.4. If sharing of premises is done with the group entities for cross-selling, the PSO shall take measures to ensure that the entity’s identification is distinctly visible and clear to the customers. Any communication by group entities (marketing brochure, verbal communication by staff / agent, etc.) in the PSO’s premises shall mention nature of arrangement of the entities with the PSO, so that customers are clear about the seller of the product.

13.5. The PSO’s advertisement or any agreement shall not give any overt or tacit impression that it is in any way responsible for the obligations of its group entities.

13.6. The risk management practices to be adopted by the PSO while outsourcing to a related party (i.e. party within the group / conglomerate) shall be identical to those specified above in this framework for a non-related party.

14. Additional requirements for off-shore outsourcing

14.1. The engagement of a service provider in a foreign country exposes the PSO to country risk. To manage such country risk, the PSO shall closely monitor government policies and, political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and on a continuous basis, and establish sound procedures for dealing with country risk problems. This includes having appropriate contingency and exit strategies. In principle, arrangements shall only be entered into with parties operating in jurisdictions generally upholding confidentiality clauses and agreements. The governing law of the arrangement shall also be clearly specified.

14.2. The activities outsourced outside India shall be conducted in a manner so as not to hinder efforts to supervise or reconstruct the India activities of the PSO in a timely manner.

14.3. As regards off-shore outsourcing of its services relating to Indian operations, the PSO shall ensure the following:

  1. The off-shore regulator regulating the off-shore service provider shall neither obstruct the arrangement nor object to RBI’s visit(s) for audit / scrutiny / examination / inspection / assessment or visit(s) by PSO’s internal and external auditors;
  2. The regulatory authority of the off-shore location does not have access to the data relating to Indian operations of the PSO simply on the ground that the processing is being undertaken there (not applicable if off-shore processing is done in the home country of the PSO); and
  3. The jurisdiction of the courts in the off-shore location where data is processed, does not extend to the operations of the PSO in India on the strength of the fact that the data is being processed there even though the actual transactions are undertaken in India.

15. Members / Participants of payment systems operated by the PSOs

15.1. In some payment systems operated by the PSOs, there could be other members / participants also. Some of these entities such as token requestors in tokenisation services rendered by card networks, third party application providers in Unified Payments Interface (UPI), etc., may not be directly regulated or supervised by RBI. Many of these entities may provide payment services directly to customers as well. It is prudent for such entities to put in place a system to manage risks arising out of activities outsourced by them.

15.2. As a best practice, the PSOs may engage with all participants in a payment transaction chain to encourage them to implement this framework in letter and spirit.


FATF non compliant jurisdictions

RBI has issued a circular dated 14th June, 2021, wherein they have barred investments into Payment System Operators (PSOs) from jurisdictions which are not FATF compliant. It's not a complete ban, but they are not authorised to give significant influence to investors from FATF non-compliant jurisdictions. A threshold of 20% of the voting power or potential voting power has been established to distinguish significant influence.

PSOs who already have investments from FATF non-compliant jurisdictions may continue with the said investments and also seek fresh investments from the same, in order to maintain continuity of business operations.

The circular can be found here

https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12114&Mode=0


payment system compliances – covid relaxations

RBI has vide its circular dated 21st May, 2021 given relaxations from compliances to payment system operators as follows:


payments infrastructure development fund scheme

Payments Infrastructure Development Fund (PIDF) Scheme

The objective of PIDF is to increase the number of acceptance devices multi-fold in the country. The Scheme is expected to benefit the acquiring banks / non-banks and merchants by lowering overall acceptance infrastructure cost.

1. Validity Period and PIDF Target

1.1 Three years from January 01, 2021, extendable by two further years, if necessary.

1.2 Increasing payments acceptance infrastructure by adding 30 lakh touch points – 10 lakh physical and 20 lakh digital payment acceptance devices every year.

2. Governance Structure of PIDF

2.1 PIDF shall be governed by an ex-officio Advisory Council (AC).

2.2 Composition of the AC :–

  1. Shri B P Kanungo, Deputy Governor, Reserve Bank of India;
  2. Shri Sunil Mehta, Chief Executive, Indian Banks’ Association;
  3. Shri D Nageswara Rao, Chief General Manager, DFIBT, NABARD;
  4. Shri Dilip Asbe, Chief Executive Officer, National Payments Corporation of India;
  5. Shri Vishwas Patel, Chairman, Payments Council of India;
  6. Shri Shailesh Paul, Vice President and Head Merchant Sales and Solutions, Visa;
  7. Shri Rajeev Kumar, Senior Vice President, Market Development, Mastercard;
  8. Shri R Vittal Raj, Chartered Accountant, Kumar & Raj Chartered Accountants; and
  9. Shri Ajay Michyari, Regional Director, Reserve Bank of India, Mumbai Regional Office (Administrator of PIDF).

The Chief General Manager, Department of Payment & Settlement Systems, Reserve Bank of India shall function as the Secretariat to the AC.

2.3 The AC may constitute sub-committees to look into different aspects of the PIDF, as required.

2.4 The AC may co-opt members at its discretion.

2.5 AC shall devise suitable rules for operating the PIDF.

3. Target Geographies

3.1 The primary focus shall be to create payment acceptance infrastructure in Tier-3 to Tier-6 centres.

3.2 North Eastern states of the country shall be given special focus.

3.3 While setting parameters for utilisation of funds, the focus shall be to target those merchants who are yet to be terminalised (merchants who do not have any payment acceptance device).

3.4 The AC shall devise a transparent mechanism for allocation of targets to acquiring banks / non-banks in different segments / locations.

3.5 The tentative distribution of targets across centers will be as follows:

| Distribution of Acceptance Devices | % Share of Total |
|---|---|
| Tier-3 and Tier-4 centres | 30 |
| Tier-5 and Tier-6 centres | 60 |
| North Eastern States | 10 |

4. Market Segments and Merchant Categories

4.1 Merchants providing essential services (transport, hospitality, etc.), government payments, fuel pumps, PDS shops, healthcare, kirana shops may be targeted, especially in the targeted geographies.

5. Types of Acceptance Devices Covered

5.1 Multiple payment acceptance devices / infrastructure supporting underlying card payments, such as physical PoS, mPoS (mobile PoS), GPRS (General Packet Radio Service), PSTN (Public Switched Telephone Network), QR code-based payments, etc.

5.2 As the cost structure of acceptance devices varies, subsidy amounts shall accordingly differ by the type of payment acceptance device deployed. A subsidy of 30% to 50% of cost of physical PoS and 50% to 75% subsidy for Digital PoS shall be offered.

5.3 Payment methods that are not inter-operable shall not be considered under PIDF.

5.4 The subsidy shall not be claimed by applicant from other sources like NABARD, etc. In case other mechanisms exist for providing subsidy or reimbursing cost of deployment of acceptance infrastructure, no reimbursement shall be claimed from PIDF therefor.

6. Initial Corpus

6.1 Initial corpus of PIDF has to be substantial to initiate pan-India terminalisation and to cover the pay-outs in the first year. Contributions to the PIDF shall be mandatory for banks and card networks.

6.2 RBI shall contribute ₹ 250 crore to the corpus; the authorised card networks shall contribute in all ₹ 100 crore.

6.3 The card issuing banks shall also contribute to the corpus based on the card issuance volume (covering both debit cards and credit cards) at the rate of ₹ 1 and ₹ 3 per debit and credit card issued by them, respectively.

6.4 It shall be the endeavour to collect the contributions by January 31, 2021.

6.5 Any new entrant to the card payment eco-system (card issuer and card network) shall contribute an appropriate amount to the PIDF.

7. Recurring Contribution

7.1 Besides the initial corpus, the PIDF shall also receive annual contribution from card networks and card issuing banks as under:

a) Card networks – Turnover based – 1 basis point (bps) i.e., 0.01 paisa per Rupee of transaction;

b) Card issuing banks – Turnover based – 1 bps and 2 bps i.e., 0.01 paisa and 0.02 paisa per Rupee of transaction for debit and credit cards respectively; also at the rate of ₹ 1 and ₹ 3 for every new debit and credit card issued by them respectively during the year.

7.2 RBI shall contribute to yearly shortfalls, if any.

8. Collection Mechanism

8.1 By January 31st and July 31st based on card data of December 31st and June 30th respectively.

9. Types of Expenses Covered

9.1 The parameters / rules for claiming the amount of subsidy for the capital expenditure, taking into account the type of device, deployment location etc., shall be framed by the AC.

9.2 Subsidy shall be granted on half yearly basis, after ensuring that performance parameters are achieved, including conditions for ‘active’ status of the acceptance device and ‘minimum usage’ criteria, as defined by the AC.

9.3 The minimum usage shall be termed as 50 transactions over a period of 90 days and active status shall be minimum usage for 10 days over the 90-day period.

9.4 The subsidy claims shall be processed on half yearly basis and 75 percent of the subsidy amount shall be released. The balance 25 percent shall be released later subject to the status of the acceptance device being active in 3 out of the 4 quarters of the ensuing year.

10. Deployment Targets for Acquirers

10.1 Acquirers need to adopt a scientific process for identification of deployment areas, submit proposals to Regional Director, Mumbai Regional Office (MRO), RBI and effectively implement the project. The PIDF proposal format for submission in this regard is enclosed (Format I).

11. Claims

11.1 The scheme is on reimbursement basis; accordingly, the claim shall be submitted only after making payment to the vendor.

11.2 Maximum cost of physical acceptance device eligible for subsidy – ₹ 10,000 (including one-time operating cost up to a maximum of ₹ 500).

11.3 Maximum cost of digital acceptance device eligible for subsidy – ₹ 300 (including one-time operating cost up to a maximum of ₹ 200).

11.4 Subsidised amount of cost of physical and digital payment acceptance devices based on location of deployment shall be as under:

| Location | Physical payment acceptance device (% of total cost) | Digital payment acceptance device (% of total cost) |
|---|---|---|
| Tier-3 and Tier-4 centres | 30 | 50 |
| Tier-5 and Tier-6 centres | 40 | 60 |
| North Eastern States | 50 | 75 |

11.5 Acquirers shall submit their claims through their bankers to RBI, MRO with self-declaration about fulfilment of ‘minimum usage’ and ‘active status’ criteria for deployed devices.

11.6 All initial claims shall be submitted for reimbursement of expenses (less the Input Tax Credit received / receivable by the bank / non-bank under GST) as per format (Format II). The second claim for 25% of eligible subsidy shall be submitted as per format (Format III).

12. Monitoring of Implementation of Targets

12.1 Implementation of targets under PIDF shall be monitored by RBI, MRO with assistance from Card networks, Indian Banks’ Association (IBA) and Payments Council of India (PCI).

12.2 Acquirers shall submit quarterly deployment reports on achievement of targets to RBI, MRO.

12.3 Acquirers meeting / exceeding their targets well in time and / or ensure greater utilisation of acceptance devices in terms of transactions shall be incentivised while those who do not achieve their targets shall be disincentivised, by scaling up or down the extent of reimbursement of subsidy as follows.

| Target Achievement / Utilisation | % of Subsidy Eligible |
|---|---|
| Less than 75 percent | 90 |
| 75 percent to 125 percent | 100 |
| Greater than 125 percent | 110 |


Filed under banking laws

payment system operator – cooling period

RBI has, vide its circular dated 4th December, 2020, introduced the concept of a cooling period in respect of payment system operators whose application is rejected or revoked or cancelled. Read on.

Authorisation of entities for operating a Payment System under the Payment and Settlement Systems Act, 2007 (PSS Act) – Introduction of Cooling Period

Please refer to provisions contained in Section 4 of PSS Act and ‘Oversight Framework for Financial Market Infrastructures and Retail Payment Systems issued on June 13, 2020’, in terms of which any person before commencing or operating a payment system shall obtain authorisation from the Reserve Bank and for the purpose shall apply in a prescribed format to RBI as defined in Payment and Settlement Systems Regulations, 2008.

2. To inculcate discipline and encourage submission of applications by serious players as also for effective utilisation of regulatory resources, it has been decided to introduce the concept of Cooling Period in the following situations –

  1. Authorised Payment System Operators (PSOs) whose Certificate of Authorisation (CoA) is revoked or not-renewed for any reason; or
  2. CoA is voluntarily surrendered for any reason; or
  3. Application for authorisation of a payment system has been rejected by RBI.
  4. New entities that are set-up by promoters involved in any of the above categories; definition of promoters for the purpose, shall be as defined in the Companies Act, 2013.

3. The Cooling Period shall be for one year from the date of revocation / non-renewal / acceptance of voluntary surrender / rejection of application, as the case may be. In respect of entities whose application for authorisation is returned for any reason by RBI, condition of Cooling Period shall be invoked after giving the entity an additional opportunity to submit the application.

4. During the Cooling Period, entities shall be prohibited from submission of applications for operating any payment system under the PSS Act.

5. This directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).


Filed under Uncategorized

perpetual validity to PSOs

RBI circular dated 4th December, 2020 announcing perpetual validity to Payment System Operators subject to them fulfilling some compliance conditions. Read on.

Perpetual Validity for Certificate of Authorisation (CoA) issued to Payment System Operators (PSOs) under Payment and Settlement Systems Act, 2007 (PSS Act)

This has reference to the Statement on Developmental and Regulatory Policies dated October 9, 2020 wherein Reserve Bank of India (RBI) had announced granting of authorisation for all PSOs under PSS Act on a perpetual basis, subject to certain conditions.

2. Currently, RBI grants authorisation to new entities desirous of operating a payment system for specified periods up to five years. Similar approach is adopted for renewal of validity of authorisation to existing entities. To reduce licensing uncertainties and enable PSOs to focus on their business as also to optimise utilisation of regulatory resources, it has been decided to, hereafter, grant authorisation for all PSOs (both new and existing) on a perpetual basis, subject to the usual conditions.

3. For existing authorised PSOs, grant of perpetual validity shall be examined as and when the CoA becomes due for renewal subject to their adherence to the following:

  1. Full compliance with the terms and conditions subject to which authorisation was granted;
  2. Fulfilment of entry norms such as capital, networth requirements, etc.;
  3. No major regulatory or supervisory concerns related to operations of the PSO, as observed during onsite and / or offsite monitoring;
  4. Efficacy of customer grievance redressal mechanism;
  5. No adverse reports from other departments of RBI / regulators / statutory bodies, etc.

4. Existing PSOs who do not satisfy all conditions will be given one-year renewals to enable them to comply; if any entity fails to do so in a reasonable time, its authorisation may be withdrawn.

5. If an entity becomes non-compliant with any of the conditions of authorisation, RBI may undertake action as deemed fit under the provisions of PSS Act, including imposition of restrictions on payment system operations and / or revocation of CoA.

6. This directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act, 2007 (Act 51 of 2007).


Filed under banking laws

cancellation of payment system licences

RBI has vide its press release dated 13th November, 2020 cancelled the licences of five payment system operators. While three of them were cancelled because of surrender/ non renewal, two of them were cancelled due to non compliance with regulatory requirements. It would have been good if they had specified what exactly were the compliances which were not carried out by these two operators.

https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=50662


Filed under banking laws

SROs for payment system operators

RBI has vide its circular dated 23rd October, 2020 put in place a framework for recognition of self regulatory organisations for payment system operators, somewhat on the lines of AMFI. Details are given below.

Framework for Recognition of a Self-Regulatory Organisation for Payment System Operators

(DPSS.CO.PD.No.503/02.12.004/2020-21 dated October 22, 2020)

1. Introduction

1.1. The Reserve Bank of India (RBI), as the regulator of payment and settlement systems in the country, sets the necessary regulatory framework, through a consultative process, to ensure that different types of payment systems operate in the country to meet the various payment needs in the economy. Over time, a bouquet of payment instruments has evolved to meet the expectations of different segments of users.

1.2. As the payment ecosystem matures and the number of payments systems proliferate, it becomes necessary, in the interest of optimal use of regulatory resources, that the payments industry develops standards in respect of system security, pricing practices, customer protection measures, grievance redressal mechanisms, etc. While self-regulation would release regulatory resources that can be better focused on issues of systemic importance, it would, by virtue of being developed by the industry itself, be more appropriate and encourage better compliance. As the industry is forced to think in terms of developing systems that conform to best international practices, it would enhance global competitiveness.

1.3. It has, therefore, been decided to encourage the establishment of a Self-Regulatory Organisation (SRO) for Payment Systems Operators (PSOs).

1.4. An SRO is a non-governmental organisation that sets and enforces rules and standards relating to the conduct of member entities in the industry, with the aim of protecting the customer and promoting ethical and professional standards. The SRO is expected to resolve disputes among its members internally through mutually accepted processes to ensure that members operate in a disciplined environment and even accept penal actions by the SRO. An ideal SRO would function beyond the narrow self-interests of the industry and address larger concerns, such as protecting customers, furthering training and education and strive for development of members, the industry and the ecosystem as a whole.

1.5. Regulations, standards, dispute resolution and enforcement by an SRO get legitimacy not just by mutual agreement of its members, but also by the efficiency with which self-regulation is perceived to be administered. Such regulations supplement, but do not replace, applicable laws or regulations.

2. Characteristics of an SRO

2.1. An SRO is expected to have the following characteristics in order to gain the trust and confidence of its members:

  • Authority, derived from membership agreements, to set behavioural and professional standards and enforce them on the members;
  • Objective and well-defined processes to make rules and enforce them among members;
  • Standardised procedures for handling conflicts and disputes, as well as methods to resolve them through a transparent and consistent dispute resolution mechanism;
  • Effective means of oversight over its members and ensuring that they adhere to the rules and regulations of the industry as also mutually accepted ethical and professional standards of behaviour; and
  • Develop surveillance methods for effective monitoring.

3. Eligibility for Recognition of an SRO by RBI

3.1. The SRO shall be set-up as a not-for-profit company under the Companies Act, 2013.

3.2. Only regulated payment system entities, viz, banks and non-bank PSOs can be members of an SRO.

3.3. The SRO shall be professionally managed with clear bye laws.

3.4. The memorandum / bye laws of the SRO shall specify the criteria for admission of members and the functions it will discharge. It shall also provide for the manner in which the Board of Directors (governing body) would function.

3.5. RBI may, if it deems necessary, require that the appointment of important positions in the Board of Directors of the SRO be subject to its prior approval.

3.6. The SRO shall be financially viable to carry on the activities handled or assigned to it. The fee for membership of the SRO shall be reasonable and uniform across all members.

4. Requirements Related to Management of Affairs of the SRO

4.1. The Board of Directors and management of the SRO shall satisfy the fit and proper criteria (FPC) on an ongoing basis. Here, FPC would mean that the person is of high integrity, with blemishless character and having relevant expertise in relevant fields in the payments ecosystem.

4.2. Any change in directorship or adverse development about any Director shall be immediately reported to RBI.

4.3. At least one-third of members in the Board of Directors shall be independent and not associated with member institutions.

4.4. The Board shall frame a code of conduct to be followed by its members.

4.5. The SRO should be in a position to monitor adherence to the code of conduct as well as compliance with regulations by its members.

4.6. The SRO shall follow transparent practices for establishing its governance processes; setting standards, prescribing benchmarks, etc.

5. Grant of Recognition as an SRO

5.1. A group / association of payment system operators (banks as well as non-banks) shall apply to RBI seeking recognition as an SRO.

5.2. RBI reserves the right to require the applicant to submit further information or clarification as deemed necessary, before deciding on the grant of recognition as an SRO.

5.3. On finding the applicant suitable, RBI shall issue a “Letter of Recognition” as an SRO.

5.4. RBI, if in its considered opinion, concludes that the SRO is functioning in a manner detrimental to the public interest, it may withdraw its recognition to an SRO after giving due opportunity to the entity to further its views / comments.

6. Functions and Responsibilities of the Recognised SRO

6.1. The recognised SRO shall serve as the representative voice of its members in public discussions or in interactions with RBI or any other authorities or in any communication with other bodies.

6.2. The recognised SRO shall work towards establishing minimum benchmarks, ethical and behavioural standards and help instil professional and healthy market behaviour among its members. It shall work towards development of not only the entities it represents but also the payment industry as a whole.

6.3. The recognised SRO shall promptly inform RBI about any violation that comes to its notice, of the provisions of the Payments and Settlement Systems Act, 2007 or any other guidelines / regulations / directions issued by RBI.

6.4. The recognised SRO shall establish a uniform grievance redressal and dispute resolution framework across its members, including addressing inter-PSO issues.

6.5. The recognised SRO shall impart training to the staff of its members and others. It shall conduct awareness programmes for spreading awareness about safe payment transactions.

6.6. The recognised SRO shall conduct or promote research and development for creating a secure and safe payments ecosystem.

6.7. The recognised SRO shall carry out any work assigned to it by RBI and examine any proposals or suggestions referred to it by RBI.

6.8. The recognised SRO shall provide any information, including data, sought by RBI periodically or as requested.

6.9. The recognised SRO shall be invited for periodical interactions with RBI, and shall reasonably be expected to look at the larger picture of the segment / industry in offering its views / inputs / suggestions. The SRO shall strive to address concerns beyond the interest of its membership, viz. to protect customers, participants and other stakeholders in the ecosystem.

6.10. The recognised SRO shall play a constructive role in supplementing and complementing the present regulatory / supervisory arrangements.

6.11. The recognised SRO shall abide by the directions issued by RBI from time to time.

6.12. The recognised SRO shall continue to adhere to the criteria under which it has been recognised as an SRO at all times.


Filed under banking laws

payment system operators

RBI press release dated 8th October, 2020 on development & regulatory issues.

Perpetual Validity for Certificate of Authorisation (CoA) issued to Payment System Operators (PSOs)

Currently, the Reserve Bank issues “on-tap” authorisation under the Payment and Settlement Systems Act, 2007 to non-banks issuing Prepaid Payment Instruments (PPIs), operating White Label ATMs (WLAs) or the Trade Receivables Discounting Systems (TReDS), or participating as Bharat Bill Payment Operating Units (BBPOUs). Authorisation (including renewal of authorisation) of such PSOs has been largely for specified periods up to five years. While such limited period licences were necessitated in the initial period of evolution of the payment system, it can lead to business uncertainty for the PSOs and involves avoidable use of regulatory resources in the process of renewal. Furthermore, the Reserve Bank’s oversight framework has gradually developed into a more mature and comprehensive system, which clearly lays out its oversight expectations and the methodologies adopted for oversight of PSOs. To reduce licensing uncertainties and enable PSOs to focus on their business and optimise utilisation of scarce regulatory resources, it has been decided to grant authorisation for all PSOs (both new applicants as well as existing PSOs) on a perpetual basis, subject to certain conditions. Detailed instructions will be issued separately.


Filed under banking laws

pan India umbrella entity for retail payments

RBI has vide its press release dated 18th August, 2020 placed on its website, the framework for authorisation of pan India umbrella entity for retail payments.

It invites applications for such umbrella entities, which have to be submitted in the prescribed form; the last date for submission is February 26, 2021.

The framework states as under:

A. Objective

To set-up pan-India umbrella entity / entities focussing on retail payment systems. Such entity shall be a Company incorporated in India under the Companies Act, 2013 and may be a ‘for-profit’ or a Section 8 Company as may be decided by it.

B. Authorisation under the Payment and Settlement Systems Act, 2007 (PSS Act)

The umbrella entity shall be a Company authorised by Reserve Bank of India (RBI) under Section 4 of the PSS Act, 2007. It shall be governed by the provisions of the PSS Act and other relevant statutes and directives, prudential regulations and other guidelines / instructions.

C. Eligible Promoters & Shareholding

All entities eligible to apply as promoter / promoter group of the umbrella entity shall be owned and controlled by resident Indian citizens [as defined in the rules / regulations framed under the Foreign Exchange Management Act, 1999 (FEMA), as amended from time to time] with 3 years’ experience in the payments ecosystem as Payment System Operator (PSO) / Payment Service Provider (PSP) / Technology Service Provider (TSP). The shareholding pattern shall be diversified. Any entity holding more than 25% of the paid-up capital of the umbrella entity shall be deemed to be a Promoter.

D. Memorandum of Association (MoA)

The Memorandum of Association (MOA) of the applicant entity must cover the proposed activities of operating a pan-India umbrella entity for retail payment systems.

E. Foreign Investment

In case of any Foreign Direct Investment (FDI) / Foreign Portfolio Investment (FPI) in the applicant entity, it shall:

  1. Fulfil, additionally, the capital requirements as applicable under the rules / regulations framed under FEMA, as amended from time to time.
  2. Submit, with application of authorisation, necessary approval from the competent authority as required under rules / regulations framed under FEMA, as amended from time to time.

F. Fit and Proper Criteria

The Promoters / Promoter Groups, shall conform to the Reserve Bank’s ‘fit and proper’ criteria. Director of a Promoter Company / Group Company shall be deemed to be a “fit and proper” person if:

1. Such person has a record of fairness and integrity, including but not limited to –

  1. financial integrity;
  2. good reputation and character; and
  3. honesty;

2. Such person has not incurred any of the following disqualifications –

  1. Convicted by a court for any offence involving moral turpitude or any economic offence or any offence under the laws administered by the RBI;
  2. Declared insolvent and not discharged;
  3. An order, restraining, prohibiting or debarring the person from accessing / dealing in any financial system, passed by any regulatory authority, and the period specified in the order has not elapsed;
  4. Found to be of unsound mind by a court of competent jurisdiction and the finding is in force; and
  5. Is financially not sound.

3. If any question arises as to whether a person is a fit and proper person, the RBI’s decision on such question shall be final.

G. Capital

The umbrella entity shall have a minimum paid-up capital of ₹500 crore. No single Promoter / Promoter Group shall have more than 40% investment in the capital of the umbrella entity. The Promoters / Promoter Groups shall upfront demonstrate capital contribution of not less than 10% i.e., ₹50 crore at the time of making an application for setting up of the umbrella entity. The balance capital shall be secured at the time of commencement of business / operations. The Promoter / Promoter Group shareholding can be diluted to a minimum of 25% after 5 years of the commencement of business of the umbrella entity. A minimum net-worth of ₹300 crore shall be maintained at all times.

H. Scope of Activities

The scope of activities of the umbrella entity shall be as follows:

  1. Set-up, manage and operate new payment system(s) in the retail space comprising of but not limited to ATMs, White Label PoS; Aadhaar based payments and remittance services; newer payment methods, standards and technologies; monitor related issues in the country and internationally; take care of developmental objectives like enhancement of awareness about the payment systems.
  2. Operate clearing and settlement systems for participating banks and non-banks; identify and manage relevant risks such as settlement, credit, liquidity and operational and preserve the integrity of the system(s); monitor retail payment system developments and related issues in the country and internationally to avoid shocks, frauds and contagions that may adversely affect the system(s) and / or the economy in general.
  3. Fulfil its policy objectives and ensure that principles of fairness, equity and competitive neutrality are applied in determining participation in the system; frame necessary rules and the related processes to ensure that the system is safe and sound, and that payments are exchanged efficiently.
  4. Carry on any other business as suitable to further strengthen the retail payments ecosystem in the country. It is expected that the umbrella entity shall offer innovative payment systems to include hitherto excluded cross-sections of the society and which enhance access, customer convenience and safety and the same shall be distinct yet interoperable.
  5. It is also expected to interact and be interoperable, to the extent possible, with the systems operated by NPCI.
  6. The umbrella entity may be permitted to participate in Reserve Bank’s payment and settlement systems, including having a current account with Reserve Bank, if required.

I. Governance Structure

The umbrella entity shall conform to the norms of corporate governance along with ‘fit and proper’ criteria for persons to be appointed on its Board. The Reserve Bank retains the right to approve the appointment of Directors as also to nominate a member on the Board of the umbrella entity.

J. Business Plan

The application for setting up the umbrella entity shall contain a detailed business plan covering the payment system/s proposed to be set-up and / or operated along with other documents to duly establish its experience in the payments ecosystem.

Such plan shall, inter alia, include technology, security features, market analysis / research, benefit, if any, of such payment systems, operational structure of the payment systems, time-period for setting up the payment systems and proposed scale of operations, etc. A proposed organisational strategy in terms of fulfilling its responsibility as an umbrella entity shall also be given in the business plan. The umbrella entity shall commence business / operations within a time of 6 months, extendable to a maximum of one year, if required, from the date of ‘in-principle approval’.

K. Procedure for Application

The application shall be submitted in an envelope superscribed “Application for Umbrella Entity ”, addressed to the Chief General Manager, Department of Payment and Settlement Systems, Central Office, Reserve Bank of India, 14th Floor, Central Office Building, Shahid Bhagat Singh Marg, Mumbai – 400 001 and shall be submitted in the prescribed form (Form A) till the close of business hours on February 26, 2021.

L. Procedure for Processing of Applications

The applications will be taken up for processing only after the last date of receipt of applications, in the order of their receipt at the Reserve Bank of India. Scrutiny of applications will be undertaken by an External Advisory Committee (EAC). The EAC will submit its recommendations to the Reserve Bank. Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), will be the final authority on issuing authorisation for setting up umbrella entity / entities. Reserve Bank will endeavour to complete the process within a period of six months.


Filed under banking laws

online dispute resolution

RBI has mandated the setting up of an online dispute resolution (ODR) system for digital payments by banks, non-banks and authorised payment system operators. It will be a system-driven, rule-based mechanism with minimal human intervention. Initially, the ODR system will be for failed transactions and is to be implemented by January 1, 2021. Any entity setting up a payment system in India thereafter, or participating therein, shall make available the ODR system at the commencement of its operations. Based on experience gained, the ODR arrangement would later be extended to cover disputes and grievances other than those related to failed transactions.

There are some minimum requirements for ODR to be maintained which are as under:

Minimum Requirements of the ODR System
1. Applicability1.1. These requirements apply to all authorised Payment Systems Operators (PSOs) – banks and non-banks – and their participating members [Payment System Participants (PSPs)].2. Concept of the ODR system
2.1. The ODR system should be a transparent, rule-based, system-driven, user-friendly and unbiased mechanism for resolving customer disputes and grievances, with zero or minimal manual intervention.
3. Structure of the ODR system
3.1. Each PSO shall make available an ODR system for resolving disputes and grievances arising out of failed transactions and provide the participating PSPs an access to the system.
3.2. The PSO and its PSPs shall provide the customers an access for lodging the disputes and grievances relating to failed transactions, irrespective of such transactions being on-us or off-us in nature.4. Types of transactions covered under the scope of the ODR system
4.1. To begin with, disputes and grievances relating to failed transactions shall be covered under the ODR system. The scope, thus, includes all transaction types mentioned in the RBI circular DPSS.CO.PD No.629/02.01.014/2019-20 dated September 20, 2019 on “Harmonisation of Turn Around Time (TAT) and customer compensation for failed transactions using authorised Payment Systems”.
4.2. All provisions, including those relating to TAT and compensation to customers mentioned in the above circular need to be adhered to while resolving disputes and grievances using the ODR system.
5. Lodging and tracking of disputes and grievances5.1. Customers shall be provided with one or more channels – web-based or paper-based complaint form, IVR, mobile application, call centre, SMS, through branches or offices, etc. – for lodging disputes and grievances. As mentioned above, such facility shall be provided by the PSO as well as by the PSP (the issuer institutions with whom the customer has a relationship) with a mechanism to link / access the ODR system put in place by the PSO. The industry may progressively increase the variety of these channels.
5.2. In addition to the above channels, in case of mobile phone-based systems like Unified Payments Interface (UPI), third party app providers (TPAPs) shall also provide customers with a facility to lodge disputes and grievances through the same mobile app used for making payments, which shall be integrated with the ODR system.
5.3. The process of lodging the dispute or grievance shall be simple and involve only necessary minimum details. The ODR system should be made capable of automatically fetching full details based on the information provided by the customer. The aspect of data confidentiality shall specifically be taken care of while designing such parameters.
5.4. Once a customer has lodged the dispute or grievance, a unique reference number shall be allocated by the ODR system. Facility shall be provided to the customers for tracking the status of the dispute or grievance using this reference number.

Copy of RBI circular can be found here


payment frauds

The RBI has mandated all authorised payment system operators and participants to undertake multi-lingual campaigns by way of SMS, advertisements in print and visual media, etc. to educate their users on the safe and secure use of digital payment systems.

This is in view of the increasing instances of fraud in the digital banking space arising from the ignorance and gullibility of digital payment users, such as sharing OTPs, PINs and passwords, SIM card swapping, opening links received in messages and mails, downloading spurious apps, etc.

The gist of the RBI circular dated 22nd June 2020 is given below:

As you are aware, safety and security of digital transactions are of paramount importance. Reserve Bank has been taking measures to improve awareness through its e-BAAT programmes and organising campaigns on safe use of digital payment modes, to avoid sharing critical personal information like PIN, OTP, passwords, etc.

2. In spite of these initiatives, incidence of frauds continue to bedevil digital users, often using the same modus operandi users were cautioned about, such as luring them to disclose vital payment information, swapping sim cards, opening links received in messages and mails, etc. There are also cases of users being tricked into downloading spurious apps that access critical information stored on devices. It is, therefore, essential that all payment systems operators and participants – banks and non-banks – continue and reinforce efforts to spread awareness about digital safety.

3. All authorised payment systems operators and participants are hereby advised to undertake targeted multi-lingual campaigns by way of SMSs, advertisements in print and visual media, etc., to educate their users on safe and secure use of digital payments.

Copy of RBI circular can be found here

This is a good move by the RBI in this regard.
