PREPAID PAYMENT INSTRUMENTS – COMPLIANCE
Below is a summary of the compliance requirements that all Prepaid Payment Instrument (“PPI”)
issuers must follow under the Master Direction on Issuance and Operation of Prepaid Payment
Instruments (“Master Direction”):
(i) Safeguards Against Money Laundering Provisions
PPI issuers are required to ensure that all Know Your Customer (“KYC”) procedures issued by
the Department of Banking Regulation (“DBR”), Reserve Bank of India (“RBI”), in its Master
Direction – Know Your Customer (KYC) Directions (“Master Guidelines”), as updated from time to
time, are duly applied. Agents engaged by the issuer must also be subjected to due diligence
and KYC measures.
PPI issuers are required to undertake the following:
(a) ensure that all provisions of the Prevention of Money Laundering Act, 2002 and the Rules
framed under it, as amended from time to time, are complied with.
(b) maintain a log of all transactions undertaken using the PPIs for at least ten years.
This data must be made available for scrutiny to the RBI or any other agency/agencies as
may be advised by the RBI.
(c) file Suspicious Transaction Reports (“STRs”) with the Financial Intelligence Unit - India
(“FIU-IND”).
(ii) Security, Fraud Prevention And Risk Management Framework
PPI issuers are further required to:
(a) have a robust risk management system, with adequate information and data security
infrastructure and systems for the prevention and detection of frauds.
(b) put in place, a board approved ‘Information Security Policy’ for the safety and security of
the payment systems operated by them, and implement security measures in accordance
with this policy to mitigate identified risks.
(c) review the security measures on an ongoing basis (at least once a year), after any
security incident or breach, and before and after any major change to their infrastructure
or procedures.
(d) put in place a centralised database/management information system (“MIS”) to prevent
multiple purchase of PPIs at different locations, leading to circumvention of limits, if any,
prescribed for their issuance.
(e) ensure that regulatory requirements are strictly complied with by the issuer and its
agents.
(f) establish a mechanism for monitoring, handling and follow-up of cyber security incidents
and cyber security breaches. Such incidents and breaches must be reported immediately to the
Department of Payment and Settlement Systems (“DPSS”), RBI, Central Office, Mumbai, and must
also be reported to the Indian Computer Emergency Response Team (“CERT-In”) as per the details
notified by CERT-In.
(g) ensure that the following framework is put in place to address the safety and security
concerns for risk mitigation and fraud prevention in case of wallets:
- if the same login is used for the PPI and for other services offered by the PPI
issuer, this must be clearly communicated to the customer by SMS/email/post or by any
other means. Additionally, the option to log out of the website/mobile PPI account must
be provided prominently;
- an appropriate mechanism to restrict multiple invalid attempts to log in to/access the
PPI, together with inactivity and timeout features;
- a system where every successive payment transaction in a wallet is authenticated
by explicit customer consent;
- cards (physical or virtual) must have Additional Factor of Authentication (“AFA”) as
required for debit cards, except in the case of PPIs issued under PPI-MTS (PPI - Mass
Transit System);
- customer-induced options for fixing a cap on the number of transactions and on
transaction value for different types of transactions/beneficiaries. Customers must be
allowed to change the caps, subject to additional authentication and validation;
- a limit on the number of beneficiaries that may be added in a day, per PPI;
- an alert system when a beneficiary is added;
- suitable cooling period for funds transfer on opening the PPI or loading/reloading
of funds into the PPI or after adding a beneficiary;
- a mechanism to send alerts when transactions are done using the PPIs. In addition
to the debit or credit amount intimation, the alert must also indicate the balance
available/remaining in the PPI after completion of the said transaction;
- a mechanism for velocity check on the number of transactions effected in a PPI per
day/per beneficiary;
- a suitable mechanism to prevent, detect and restrict occurrence of fraudulent
transactions including loading/reloading funds into the PPI;
- put in place suitable internal and external escalation mechanisms in case of
suspicious operations, in addition to alerting the customer in case of such
transactions.
The requirements prescribed in the guidelines are the minimum; issuing entities are
permitted to put in place further checks and balances if required.
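The wallet controls listed above (login lockout, customer-set caps changeable only with additional authentication, a daily beneficiary-add limit, cooling periods after loading funds or adding a beneficiary, per-day and per-beneficiary velocity checks, and alerts that carry the remaining balance) are easiest to reason about as one authorization pipeline. The following is an added illustration written for this summary; it is not code from the Master Direction or from any PPI issuer. Every threshold in `Limits` is a hypothetical value: the Master Direction requires that such limits exist, it does not prescribe these numbers, and the function names and data model are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Limits:
    # Hypothetical issuer-side thresholds (the Master Direction does not fix values).
    max_failed_logins: int = 5
    max_beneficiaries_per_day: int = 3
    cooling_after_beneficiary_add: timedelta = timedelta(hours=24)
    cooling_after_load: timedelta = timedelta(minutes=30)
    max_txns_per_day: int = 20                 # velocity check per PPI per day
    max_txns_per_beneficiary_per_day: int = 5  # velocity check per beneficiary per day

@dataclass
class Wallet:
    balance: int            # in paise
    daily_count_cap: int    # customer-set cap: transactions per day
    daily_value_cap: int    # customer-set cap: total value per day (paise)
    beneficiaries: dict = field(default_factory=dict)  # bene_id -> datetime added
    transfers: list = field(default_factory=list)      # (when, bene_id, amount)
    last_load_at: Optional[datetime] = None
    failed_logins: int = 0
    locked: bool = False

def _same_day(a: datetime, b: datetime) -> bool:
    return a.date() == b.date()

def login(wallet: Wallet, password_ok: bool, limits: Limits) -> bool:
    """Reject logins on a locked wallet; lock after repeated invalid attempts."""
    if wallet.locked:
        return False
    if password_ok:
        wallet.failed_logins = 0
        return True
    wallet.failed_logins += 1
    if wallet.failed_logins >= limits.max_failed_logins:
        wallet.locked = True
    return False

def change_caps(wallet: Wallet, count_cap: int, value_cap: int, afa_verified: bool) -> bool:
    """Caps are customer-set but may only change after additional authentication."""
    if not afa_verified:
        return False
    wallet.daily_count_cap, wallet.daily_value_cap = count_cap, value_cap
    return True

def add_beneficiary(wallet: Wallet, bene_id: str, now: datetime, limits: Limits):
    """Enforce the per-day beneficiary-add limit and raise the add alert."""
    added_today = sum(1 for t in wallet.beneficiaries.values() if _same_day(t, now))
    if added_today >= limits.max_beneficiaries_per_day:
        return False, "daily beneficiary-add limit reached"
    wallet.beneficiaries[bene_id] = now
    return True, f"ALERT: beneficiary {bene_id} added"

def load_funds(wallet: Wallet, amount: int, now: datetime) -> str:
    """Credit the wallet, start the post-load cooling period, alert with balance."""
    wallet.balance += amount
    wallet.last_load_at = now
    return f"ALERT: credit {amount}, balance {wallet.balance}"

def authorize_transfer(wallet: Wallet, bene_id: str, amount: int, now: datetime, limits: Limits):
    """Run the fraud-control checks in order; on success debit and alert with balance."""
    added_at = wallet.beneficiaries.get(bene_id)
    if added_at is None:
        return False, "unknown beneficiary"
    if now - added_at < limits.cooling_after_beneficiary_add:
        return False, "cooling period after beneficiary addition"
    if wallet.last_load_at is not None and now - wallet.last_load_at < limits.cooling_after_load:
        return False, "cooling period after load/reload"
    today = [t for t in wallet.transfers if _same_day(t[0], now)]
    # Velocity: the stricter of the issuer limit and the customer-set count cap applies.
    if len(today) >= min(limits.max_txns_per_day, wallet.daily_count_cap):
        return False, "daily transaction-count limit reached"
    if sum(1 for t in today if t[1] == bene_id) >= limits.max_txns_per_beneficiary_per_day:
        return False, "per-beneficiary velocity limit reached"
    if sum(t[2] for t in today) + amount > wallet.daily_value_cap:
        return False, "daily value cap exceeded"
    if amount > wallet.balance:
        return False, "insufficient balance"
    wallet.balance -= amount
    wallet.transfers.append((now, bene_id, amount))
    return True, f"ALERT: debit {amount} to {bene_id}, balance {wallet.balance}"
```

The check order matters: identity of the beneficiary and cooling periods are evaluated before any counters are consulted, so a freshly added beneficiary cannot be drained even when the day's velocity budget is untouched, and the alert strings returned on success carry the post-transaction balance as the Master Direction requires.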
(iii) Customer Protection And Grievance Redressal Framework
PPI issuers are required to:
(a) disclose all important terms and conditions in clear and simple language to the customers
at the time of issuing the PPIs. The disclosures that must be included are:
- charges and fees associated with the use of the PPI;
- expiry period and terms and conditions pertaining to the same.
(b) set up a formal, publicly disclosed customer grievance redressal framework and appoint
a nodal officer to look into the customer complaints and grievances. The complaint
facility, when made available on the website/mobile, must be clearly and easily
accessible. The framework must include, at the minimum, the following:
- disseminate the information of their customer protection and grievance redressal
policy in simple language (preferably in English, Hindi and the local language);
- clearly indicate the customer care contact details, including details of nodal
officials for grievance redressal (telephone numbers, email address, postal
address, etc.) on the website, mobile wallet apps, and cards;
- agents must display proper signage of the PPI issuer and the customer care contact
details;
- specific complaint numbers for the complaints lodged along with the facility to
track the status of the complaint by the customer;
- initiate action to resolve any customer complaint/grievance expeditiously,
preferably within 48 hours and resolve the same not later than 30 days from the
date of receipt of such complaint/grievance;
- display the detailed list of their authorized/designated agents (name, agent ID,
address, contact details, etc.) on the website/mobile app;
- display Frequently Asked Questions (FAQs) on their website/mobile app related to
the PPIs;
- outline the amount and process of determining customer liability in case of
unauthorised/fraudulent transactions involving PPIs as per the guidelines provided
by the RBI.
(c) provide an option for the PPI customers to generate/receive account statements for at
least the past 6 months. The account statement, at the minimum, must provide details
such as date of transaction, debit/credit amount, net balance and description of
transaction. Additionally, the PPI issuers must provide transaction history for at least 10
transactions.
(d) non-bank PPI issuers must report on the receipt of complaints and the action-taken
status, in the format prescribed in the Master Direction, on a quarterly basis by the 10th
of the month following the quarter, to the respective Regional Office of DPSS, RBI.
(e) ensure transparency in pricing and the charge structure, such as:
- uniformity in charges at agent level;
- disclose charges for various types of transactions on its website, mobile app, agent
locations, etc;
- specific agreements with agents prohibiting them from charging any fee to the
customers directly for services rendered by them on behalf of the PPI issuers;
- require each retail outlet/sub-agent to post a signage indicating their status as service
providers for the PPI issuer and the fees for all services available at the outlet;
- acknowledging the amount collected from the customer by issuing a receipt (printed
or electronic) on behalf of the PPI issuer.
(iv) Information System Audit
All PPI issuers are required to, at the minimum, put in place the following framework:
(a) Application Life Cycle Security: source code audits must be conducted by
professionally competent personnel/service providers, or the issuer must obtain assurance
from application providers/OEMs that the application is free from embedded
malicious/fraudulent code.
(b) Security Operations Centre (“SOC”): integration of system-level (server) and
application-level logs of mobile applications (PPIs) with the SOC for centralised and
coordinated monitoring and management of security-related incidents.
(c) Anti-Phishing: subscribe to anti-phishing/anti-rogue-app services from external service
providers for identifying and taking down phishing websites/rogue applications, in view of
the increase in rogue mobile apps and phishing attacks.
(d) Risk-based Transaction Monitoring: a risk-based transaction monitoring or surveillance
process must be implemented as part of the fraud risk management system.
(e) Vendor Risk Management:
PPI issuers are required to:
- enter into an agreement with the service provider that amongst others, provides
for right of audit/inspection by the regulators of the country;
- give RBI access to all information resources (online/in person) held by them (the PPI
issuers); these must be made accessible to RBI officials when sought, even though the
infrastructure/enabling resources may not be physically located on the premises of the
PPI issuers;
- adhere to the relevant legal and regulatory requirements relating to the geographical
location of infrastructure and the movement of data across borders;
- review the security processes and controls followed by service providers regularly;
- ensure service agreements include a security clause requiring disclosure of security
breaches, if any, specific to the PPI issuer’s ICT infrastructure or processes, including
but not limited to software, applications and data, as part of security incident
management standards.
(f) Disaster Recovery: PPI issuers are required to consider having disaster recovery facilities
to recover rapidly from cyber-attacks/other incidents and safely resume critical
operations while ensuring security of processes and protection of data.
Do reach out to our TMT Group, should you have any comments or question.
Mathew Chacko Aashima Johur Ankita Hariramani
mathew@spiceroutelegal.com aashima.johur@spiceroutelegal.com ankita.hariramani@spiceroutelegal.com
Aadya Misra Abhinav Sharma Aishwarya Todalbagi
aadya.misra@spiceroutelegal.com abhinav.sharma@spiceroutelegal.com aishwarya.todalbagi@spiceroutelegal.com