RBI tightens supervision norms for payment companies amid rising cyber-security breaches

With cyber-security breaches at Indian tech startups on the rise over the last few months, the Reserve Bank of India has tightened its supervision norms for payment companies that store customer data. According to reports, with effect from April 1 all licensed payment system operators (PSOs) must submit detailed "compliance certificates" to the central bank twice a year, signed by their CEOs or managing directors, confirming adherence to all RBI regulations on the security and storage of payment data.

These requirements are over and above the ones RBI mandated in April 2018, when it asked all PSOs to submit a board-approved annual System Audit Report (SAR) prepared by CERT-In-empanelled auditors.

PSOs were also asked to submit, by December 2018, a one-time compliance report on the data localisation norms, which require that data relating to payment systems operated in India be stored only on servers physically located in the country. "In addition to these requirements, it is hereby advised that a compliance certificate duly signed by the CEO/MD/chairman, shall be submitted on an ongoing basis at half-yearly basis…" the letter issued by the central bank said.

The tightening comes after several payment and tech startups suffered data breaches in the recent past. Gurugram-based Mobikwik in January joined the list of high-profile companies allegedly hit by breaches; others affected recently include grocery e-tailer Big Basket, educational technology platform Unacademy and payment aggregator JusPay.