Master Direction on Issuance and Operation of Prepaid Payment Instruments (Updated as on November 17, 2020) - আরবিআই - Reserve Bank of India
Master Direction on Issuance and Operation of Prepaid Payment Instruments (Updated as on November 17, 2020)
updated-as-on:
- 2020-11-17
- 2020-02-28
- 2020-01-16
- 2019-12-24
- 2019-08-30
- 2019-02-25
- 2017-12-29
- 2017-10-11
RBI/DPSS/2017-18/58 October 11, 2017 All Prepaid Payment Instrument Issuers, System Providers and System Participants Dear Sir / Madam, Master Direction on Issuance and Operation of Prepaid Payment Instruments Please refer to paragraph 16 of Statement on Developmental and Regulatory Policies regarding issuance of Master Direction on Prepaid Payment Instruments (PPIs) announced in the Fourth Bi-monthly Monetary Policy Statement, 2017-18 by the Reserve Bank of India (RBI). 2. The RBI has issued a number of circulars from time to time on issuance and operation of PPIs. In the light of developments in the field, progress made by PPI Issuers, experience gained and with a view to foster innovation and competition, ensure safety and security, customer protection, etc., it was decided to review the instructions relating to the issuance and operation of PPIs and issue comprehensive Directions on the subject. 3. The draft Master Direction on PPIs was placed on the RBI website on March 20, 2017 for public feedback. The comments / views received from all stakeholders have been examined by the Reserve Bank in preparation of the final Directions. 4. The Master Direction, issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007, replaces all circulars listed in Table-1 of Annex-1 and partially replaces all circulars mentioned in Table-2 of Annex-1 issued till date on the subject. 5. The Master Direction is effective from today. Existing PPI Issuers shall ensure compliance with the revised requirements on or before February 28, 2018, except where timelines have been specified in this Direction. Yours faithfully, (Nanda S. Dave) Master Direction on Issuance and Operation of Prepaid Payment Instruments 1. Introduction 1.1 In exercise of the powers conferred under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007), the Reserve Bank of India (RBI) being satisfied that it is necessary and expedient in the public interest to do so, hereby, issues these Directions. 1.2 Short title and commencement
1.3 Applicability: The provisions of the Master Direction shall apply to all PPI Issuers, System Providers and System Participants. 1.4 Purpose
1.5 For the purpose of these Directions, the term ‘entities’ refers to banks and non-bank entities who have approval / authorisation from the RBI to issue PPIs as well as those who are proposing to issue PPIs. 1.6 Banks and non-bank entities have been issuing PPIs in the country after obtaining necessary approval / authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSS Act). These entities have been operating within the framework of the initial guidelines on “Issuance and Operation of PPIs” issued in April 2009 and the subsequent Master Circulars issued on the subject, as amended from time to time. Taking into account the developments in the field and the progress made by PPI issuers, all existing guidelines issued on the subject till date have been reviewed and are contained in the Master Direction. 1.7 The Master Direction lays down the eligibility criteria and the conditions of operation for payment system operators involved in the issuance of semi-closed and open system PPIs in the country. All entities approved / authorised to operate payment systems involving the issuance of PPIs shall comply with these Directions. 1.8 No entity can set up and operate payment systems for issuance of PPIs without prior approval / authorisation of RBI. 2. Definitions For the purpose of this Master Direction, the following definitions shall be applicable: 2.1 Issuer: Entities operating the payment systems issuing PPIs to individuals / organisations. The money so collected is used by these entities to make payment to the merchants who are part of the acceptance arrangement and for facilitating funds transfer / remittance services. 2.2 Holder: Individuals / Organisations who obtain / purchase PPIs from the issuers and use the same for purchase of goods and services, including financial services, remittance facilities, etc. 2.3 Prepaid Payment Instruments (PPIs): PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs. 2.4 Closed System PPIs: These PPIs are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI. 2.5 Semi-closed System PPIs: These PPIs are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks. 2.6 Open System PPIs: These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs). 2.7 Limits: All ‘limits’ in the value of instruments stated in the Master Direction, indicate the maximum value of such instruments, denominated in INR, that shall be issued to any holder, unless otherwise specified. 2.8 Merchants: These are establishments who have a specific contract to accept the PPIs issued by the PPI issuer (or contract through a payment aggregator / payment gateway) against the sale of goods and services, including financial services. 2.9 Net-worth: Net-worth will consist of ‘paid up equity capital, preference shares which are compulsorily convertible into equity capital, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets’ adjusted for ‘accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any’. It shall be noted that while compulsorily convertible preference shares reckoned for computation of net-worth can be either non-cumulative or cumulative, these should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference share capital at any time. 3. Eligibility to issue semi-closed and open system PPIs 3.1 Banks which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue semi-closed and open system PPIs, after obtaining approval from RBI. 3.2 Non-bank entities which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue only semi-closed system PPIs, after obtaining authorization from RBI. 4. Capital and other eligibility requirements 4.1 All entities (both banks and non-banks), regulated by any of the financial sector regulators and seeking approval / authorisation from the RBI under the PSS Act, shall apply to Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai along with a ‘No Objection Certificate’ from their respective Regulator, within 45 days of obtaining such clearance. 4.2 Non-bank entities applying for authorisation shall be a company incorporated in India and registered under the Companies Act 1956 / Companies Act 2013. 4.3 Non-bank entities having Foreign Direct Investment (FDI) / Foreign Portfolio Investment (FPI) / Foreign Institutional Investment (FII) shall also meet the capital requirements as applicable under the extant Consolidated FDI policy guidelines of Government of India. 4.4 The Memorandum of Association (MOA) of the applicant non-bank entity shall cover the proposed activity of operating as a PPI issuer. 4.5 All non-bank entities seeking authorisation from RBI under the PSS Act shall have a minimum positive net-worth of Rs. 5 crore as per the latest audited balance sheet at the time of submitting the application. These entities shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants (CA) to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. The application shall be processed by RBI based on this net-worth which shall be maintained at all times. Thereafter, by the end of the third financial year from the date of receiving final authorisation, the entity shall achieve a minimum positive net-worth of Rs. 15 crore which shall be maintained at all times. Illustratively, if an entity is issued final authorisation on March 1, 2018, then this entity shall achieve a minimum positive net-worth of Rs. 15 crore for the financial position as on March 31, 2020. Similarly, if an entity is issued final authorisation on May 1, 2018, then this entity shall achieve a minimum positive net-worth of Rs. 15 crore for the financial position as on March 31, 2021. Subsequently, the audited balance sheet and net-worth as on 31st March shall be submitted to RBI within six months of close of financial year, failing which the entity may not be permitted to carry out this business. 4.6 Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants regarding the current net-worth along with provisional balance sheet. 4.7 All existing non-bank PPI issuers (at the time of issuance of this Master Direction) shall comply with the minimum positive net-worth requirement of Rs. 15 crore for the financial position as on March 31, 2020 (audited balance sheet). This shall be reported to RBI, along with CA certificate in the enclosed format (Annex-2) and audited Balance Sheet, by September 30, 2020 failing which the entity may not be permitted to carry out this business. Thereafter, the minimum positive net-worth of Rs. 15 crore shall be maintained at all times. Till such time, the existing PPI issuers shall continue to maintain the capital requirements applicable to them at the time of their authorisation. 4.8 All authorised non-bank entities shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants to evidence compliance with the applicable net-worth requirement as per the audited balance sheet of the financial year within six months of completion of that financial year. 5. Authorisation Process 5.1 A non-bank entity desirous of setting up payment systems for issuance of PPIs shall apply for authorisation in Form A (available on RBI website) as prescribed under Regulation 3(2) of the Payment and Settlement Systems Regulations, 2008 along with the requisite application fees. 5.2 The applications shall be initially screened by RBI to ensure prima facie eligibility of the applicants. The directors of the applicant entity shall submit a declaration in the enclosed format (Annex-3). RBI shall also check ‘fit and proper’ status of the applicant and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned without refund of the application fees. 5.3 In addition to the compliance with the applicable guidelines, RBI shall also apply checks, inter-alia, on certain essential aspects like customer service and efficiency, technical and other related requirements, safety and security aspects, etc. before granting in-principle approval to the applicants. 5.4 Subject to meeting the eligibility criteria and other conditions, the RBI shall issue an ‘in-principle’ approval, which shall be valid for a period of six months. The entity shall submit a satisfactory System Audit Report (SAR) to RBI within these six months, failing which the in-principle approval shall lapse automatically. SAR shall be accompanied by a certificate from the Chartered Accountant regarding compliance with the requirement of minimum positive net-worth of Rs. 5 crore. An entity can seek one-time extension for a maximum period of six months for submission of SAR by making a request in writing, to DPSS, Central Office, RBI, Mumbai, in advance with valid reasons. The RBI reserves the right to decline such a request for extension. 5.5 Subsequent to the issue of the in-principle approval, if any adverse features regarding the entity / promoters / group or business practices, etc., come to notice, the RBI may impose additional conditions and if warranted, the in-principle approval may be withdrawn. 5.6 Pursuant to receipt of satisfactory SAR and net-worth certificate, the RBI shall grant final Certificate of Authorisation. Entities granted final authorisation shall commence business within six months from the grant of Certificate of Authorisation failing which the authorisation shall lapse automatically. An entity can seek one-time extension for a maximum period of six months by making a request in writing, to DPSS, Central Office, RBI, Mumbai, in advance with valid reasons. The RBI reserves the right to decline such a request for extension. 5.7 The Certificate of Authorisation shall be valid for five years unless otherwise specified and shall be subject to review including cancellation of Certificate of Authorisation. 5.8 Entities seeking renewal of authorisation shall apply in writing to DPSS, RBI, Central Office, Mumbai at least three months before the expiry of validity of Certificate of Authorisation, failing which RBI reserves the right to decline the request for renewal. 5.9 Any proposed major change, such as changes in product features / process, structure or operation of the payment system, etc. shall be communicated with complete details, by way of a letter, addressed to the Chief General Manager, DPSS, RBI, Central Office, Mumbai. RBI shall endeavor to reply within 15 business days after receipt of above communication at DPSS, RBI, Central Office, Mumbai. 5.10 Any takeover or acquisition of control or change in management of a non-bank entity shall be communicated by way of a letter to the Chief General Manager, DPSS, RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ (Annex-3) by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes. 6. Safeguards against Money Laundering (KYC / AML / CFT) Provisions 6.1 The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Banking Regulation (DBR), RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all the entities issuing PPIs and their agents. 6.2 As PPI issuers are operating a Payment System, provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, are also applicable to all PPI issuers. All entities shall put in place necessary systems to ensure compliance with these guidelines. 6.3 PPI issuers shall maintain a log of all the transactions undertaken using the PPIs for at least ten years. This data shall be made available for scrutiny to RBI or any other agency / agencies as may be advised by RBI. The PPI issuers shall also file Suspicious Transaction Reports (STRs) to Financial Intelligence Unit-India (FIU-IND). 7. Issuance, loading and reloading of PPIs 7.1 All entities approved / authorised to issue PPIs by RBI are permitted to issue reloadable or non-reloadable PPIs depending upon the permissible type / category of PPIs as laid down in paragraph 9 and 10 of these Directions. 7.2 PPI issuers shall have a clear laid down policy, duly approved by their Board, for issuance of various types / categories of PPIs and all activities related thereto. 7.3 PPI issuers shall ensure that the name of the company which has received approval / authorisation for issuance and operating of PPIs, is prominently displayed along with the PPI brand name in all instances. The authorised entities shall also regularly keep RBI informed regarding the brand names employed / to be employed for their products. 7.4 PPI issuers shall ensure that no interest is payable on PPI balances. 7.5 PPIs shall be permitted to be loaded / reloaded by cash, by debit to a bank account, by credit and debit cards, and other PPIs (as permitted from time to time). The electronic loading / reloading of PPIs shall be through above payment instruments issued only by regulated entities in India and shall be in INR only. 7.6 Cash loading to PPIs shall be limited to Rs.50,000/- per month subject to overall limit of the PPI. 7.7 The PPIs may be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein. PPIs in the form of paper vouchers shall no longer be issued from the date of this Master Direction except for Meal Paper Vouchers where separate timeline has been indicated. 7.8 Banks shall be permitted to issue and reload PPIs at their branches, ATMs and through their BCs appointed as per the guidelines issued by RBI in this regard. 7.9 Banks and non-banks shall be permitted to issue and reload such payment instruments through their authorised outlets or through their authorised / designated agents subject to following conditions:-
7.10 PPI issuers shall ensure that there is no co-mingling of funds originating from any other activity that the Issuer may be undertaking such as BCs of bank/s, intermediary for payment aggregation, payment gateway facility, etc. 7.11 PPIs under co-branding arrangements:
7.12 All PPI issuers already having co-branding arrangements at the time of issuance of this Master Direction shall review their existing arrangements to meet the above requirements on or before December 31, 2017. The details of all the existing co-branding arrangements by all PPI issuers shall be reported to DPSS, RBI, Central Office, Mumbai within one month of release of this Master Direction in the format enclosed (Annex-4). Further, any new arrangement shall also be reported to RBI within seven days of finalisation of arrangement. 7.13 Prepaid meal instruments: Banks and non-bank entities issuing PPIs in the form of prepaid meal instruments, shall ensure that these are issued only as semi-closed PPIs, are in electronic form and reloadable. No cash withdrawal or funds transfer shall be permitted from such instruments. Such PPIs need not be issued as a separate category of PPI. No prepaid meal instruments in paper voucher form shall be issued after February 28, 2018. 7.14 There shall be no remittance without compliance to KYC requirements. PPI issuers, including their agents, shall not create new PPIs each time for facilitating cash-based remittances to other PPIs / bank accounts. PPIs created for previous remittance by the same person shall be used. 8. Cross-Border Transactions The use of INR denominated PPIs for cross border transactions shall not be permitted except as under: 8.1 PPIs for cross-border outward transactions
8.2 PPIs for credit towards cross-border inward remittance
8.3 Foreign Exchange PPIs: Entities authorized under the Foreign Exchange Management Act (FEMA) to issue foreign exchange denominated PPIs are outside the purview of this Master Direction. 9. Types of PPIs 9.1 Semi-closed PPIs by bank and non-bank PPI Issuers Semi-closed PPIs issued by banks and non-banks would have same features, unless otherwise specified. (i) PPIs upto Rs.10,000/- by accepting minimum details of the PPI holder
(ii) PPIs upto Rs.1,00,000/- after completing KYC of the PPI holder
(iii) PPIs upto Rs. 10,000/- with loading only from bank account
9.2 Open system PPIs after completing KYC of the PPI holder
10. Specific categories of PPIs From the date of issuance of this Master Direction, PPI issuers shall cease to issue PPIs of any other category as permitted earlier except the following two categories: 10.1 Gift instruments Banks and non-bank entities are permitted to issue prepaid gift instruments subject to the following conditions:
10.2 PPIs for Mass Transit Systems (PPI-MTS)
11. Conversion of existing PPIs issued by banks and non-banks
12. Deployment of Money Collected 12.1 To ensure timely settlement, the non-bank PPI issuer shall invest the money collected against issuance of PPIs only as provided herein. 12.2 For the schemes operated by banks, the outstanding balance shall be part of the ‘net demand and time liabilities’ for the purpose of maintenance of reserve requirements. This position will be computed on the basis of the balances appearing in the books of the bank as on the date of reporting. 12.3 Non-bank PPI issuers are required to maintain their outstanding balance in an escrow account with any scheduled commercial bank. An additional escrow account may be maintained with a different scheduled commercial bank at the discretion of the PPI issuer. For the purpose of maintenance of escrow account, payment systems operated by non-bank entities for issuance of PPIs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSS Act, 2007 (as amended in 2015). Maintenance of escrow balance shall be subject to the following conditions:- (i) (Deleted) (ii) In case there is a need to shift the escrow account from one bank to another, the same shall be effected in a time-bound manner without unduly impacting the payment cycle to merchants. Migration shall be completed in the minimum possible time with prior intimation to RBI. (iii) The balance in the escrow account shall not, at the end of the day, be lower than the value of outstanding PPIs and payments due to merchants. While as far as possible PPI issuers shall ensure immediate credit of funds to escrow on issue, load / reload of PPIs to the PPI holders, under no circumstance such credit to escrow account shall be later than the close of business day (the day on which the PPI has been issued, loaded / reloaded). This shall be monitored by the non-bank PPI issuer on a daily basis and any shortfall shall be immediately reported to the respective Regional Office of DPSS, RBI. (iv) Only the following debits and credits shall be permitted in the escrow account; in case where an additional escrow account is being maintained, credit and debit from one escrow account to the other shall also be permitted. However, inter-escrow transfers shall be avoided as far as possible and if resorted to, auditor’s certification shall clearly mention such transactions: Credits
Debits
Note: (1) The payment towards service charges, commission and forfeited amount shall be at pre-determined rates / frequency. Such transfers shall only be effected to a designated bank account of the PPI issuer as indicated in the agreement with the bank where escrow account is maintained. (2) All these provisions shall be part of Service Level Agreement that will be signed between the PPI issuer and the bank maintaining escrow account. (v) The agreement between the issuer / operator and the bank maintaining escrow account shall include a clause enabling the bank to use the money in the escrow account only for purposes mentioned in these Directions. (vi) Settlement of funds with merchants shall not be co-mingled with other business, if any, handled by the PPI issuer. (vii) No interest shall be payable by the bank on such balances, except as indicated in paragraph 12.4 below. (viii) PPI issuers shall be required to submit the list of merchants acquired by them to the bank and update the same from time to time. The bank shall be required to ensure that payments are made only to eligible merchants / purposes. There shall be an exclusive clause in the agreement signed between the PPI issuer and bank maintaining escrow account towards usage of balance in escrow account only for the purposes mentioned above. (ix) With the growing acceptance of PPIs in e-commerce payments, including in digital market places, the payment mechanism is often facilitated using the services of payment aggregators / payment gateways. In such a scenario, the emerging practice observed is that the PPI Issuer has the necessary agreements with the digital market place and / or the payment aggregator / gateway rather than the individual merchants who are accepting the PPIs issued by the Issuer as a payment instrument. In view of the above, PPI issuers shall obtain an undertaking from the digital market place and / or payment aggregator / gateway that the payments made by the Issuers are used for onward payments to the respective merchants. Such undertaking shall be submitted by the Issuers to the bank maintaining the escrow account. (x) A certificate (format enclosed Annex-5) signed by the auditor(s), shall be submitted by the authorised entities to the respective Regional Office of DPSS, RBI on a quarterly basis certifying that the entity has been maintaining adequate balance(s) in the escrow account(s) to cover outstanding value of PPIs issued and payments due to merchants. In case, an additional escrow account is being maintained, it shall be ensured that balances in both accounts are considered for the above certification. This shall also be indicated in the certificate. The same auditor shall be employed to audit both escrow accounts. The certificate shall be submitted within a fortnight from the end of quarter to which it pertains. Entities shall also submit an annual certificate (Annex-5), signed by the auditor, coinciding with accounting year of the entity to RBI. (xi) Adequate records indicating the daily position of the value of instruments outstanding and payments due to merchants vis-à-vis balances maintained with the banks in the escrow accounts shall be made available for scrutiny to RBI or the bank where the account is maintained on demand. 12.4 As an exception to paragraph 12.3 (vii), the non-bank PPI issuer can enter into an agreement with the bank maintaining the escrow account, to transfer "core portion" of the amount, in the escrow account to a separate account on which interest is payable, subject to the following:- a) The bank shall satisfy itself that the amount deposited represents the "core portion" after due verification of necessary documents. b) The amount shall be linked to the escrow account, i.e. the amounts held in the interest bearing account shall be available to the bank, to meet payment requirements of the entity, in case of any shortfall in the escrow account. c) This facility is permissible to entities who have been in business for at least one year (26 fortnights) and whose accounts have been duly audited for the full accounting year. d) No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits. e) Core portion shall be calculated separately for each of the escrow accounts and will remain linked to the respective escrow account. Escrow balance and core portion maintained shall be clearly disclosed in the auditors’ certificates submitted to RBI on quarterly and annual basis. Note: For the purpose of these Directions, "Core Portion" shall be computed as under:- Step 1: Compute lowest daily outstanding balance (LB) on a fortnightly (FN) basis, for one year (26 fortnights) from the preceding month. 13. Validity and Redemption 13.1 All PPIs issued in the country shall have a minimum validity period of one year from the date of last loading / reloading in the PPI. PPI issuers are free to issue PPIs with a longer validity. In case the PPI is issued in the form of card (with validity period mentioned on the card), then the customer shall have the option to seek replacement of the card. 13.2 PPI issuers shall caution the PPI holder at reasonable intervals, during the 45 days’ period prior to expiry of the validity period of the PPI. The caution advice shall be sent by SMS / e-mail / post or by any other means in the language preferred by the holder indicated at the time of issuance of the PPI. 13.3 Non-bank PPI issuers cannot transfer the outstanding balance to their Profit & Loss account for at least three years from the expiry date of PPI. In case the PPI holder approaches the PPI issuer for refund of such amount, at any time after the expiry date of PPI, then the same shall be paid to the PPI holder in a bank account. 13.4 Banks issuing PPIs shall be guided by the instructions on Depositor Education and Awareness Fund issued by Department of Banking Regulation, RBI, vide, circular DBOD.No.DEAF Cell.BC.101/30.01.002/2013-14 dated March 21, 2014, as amended from time to time. 13.5 Issuers shall clearly indicate the expiry period of the PPI to the customer at the time of issuance of PPIs. Such information shall be clearly enunciated in the terms and conditions of sale of PPI. Where applicable, it shall also be clearly outlined on the website / mobile application of the issuer. 13.6 PPIs with no financial transaction for a consecutive period of one year shall be made inactive by the PPI issuers after sending a notice to the PPI holder/s. These can be reactivated only after validation and applicable due diligence. These PPIs shall be reported to RBI separately. 13.7 The holders of PPIs shall be permitted to redeem the outstanding balance in the PPI, if for any reason the scheme is being wound-up or is directed by RBI to be discontinued. 14. Transactions Limits 14.1 The holder is allowed to use the PPI for these purposes within the overall PPI limit applicable. PPI issuers shall decide to put in place such limits taking into account the risk perception of the holders as per their risk management policy. 14.2 All financial limits indicated against each type / category of the PPI shall be strictly adhered to. 14.3 Handling refunds: a) Refunds in case of failed / returned / rejected / cancelled transactions shall be applied to the respective PPI immediately, to the extent that payment was made initially by debit to the PPI, even if such application of funds results in exceeding the limits prescribed for that type / category of PPI. b) However, refunds in case of failed / returned / rejected / cancelled transactions using any other payment instrument shall not be credited to PPI. c) PPI issuers shall be required to maintain complete details of such returns / refunds, etc., and be in readiness to provide them as and when called for. d) Further, PPIs issuers shall also put in place necessary systems that enable them to monitor frequent instances of refunds taking in place in specific PPIs and be in a position to substantiate with proof for audit / scrutiny purposes. 14.4 In the case of open system PPIs, cash withdrawal at Point of Sale (POS) terminals shall be permitted upto a limit of Rs.2000/- per day in rural areas and Rs.1000/- per day in other areas, subject to the same conditions as applicable hitherto to debit cards (for cash withdrawal at POS). 15. Security, Fraud prevention and Risk Management Framework 15.1 A strong risk management system is necessary for the PPI issuers to meet the challenges of fraud and ensure customer protection. PPI issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds. 15.2 All PPI issuers shall put in place Board approved Information Security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with this policy to mitigate identified risks. PPI issuers shall review the security measures (a) on on-going basis but at least once a year, (b) after any security incident or breach, and (c) before / after a major change to their infrastructure or procedures. 15.3 PPI issuers shall ensure that the following framework is put in place to address the safety and security concerns, and for risk mitigation and fraud prevention:
15.4 The requirements prescribed here are minimum and the entities may deploy additional checks and balances, as considered appropriate. 15.5 PPI issuers shall put in place centralised database / management information system (MIS) to prevent multiple purchase of PPIs at different locations, leading to circumvention of limits, if any, prescribed for their issuance. 15.6 Where direct interface is provided to their authorised / designated agents, PPI issuers shall ensure that the compliance to regulatory requirements is strictly adhered to by these systems also. 15.7 PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN. 16. Customer Protection and Grievance Redressal Framework 16.1 PPI issuers shall disclose all important terms and conditions in clear and simple language (preferably in English, Hindi and the local language) to the holders while issuing the instruments. These disclosures shall include:
16.2 PPI issuers shall put in place a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible. The framework shall include, at the minimum, the following:
16.3 PPI issuers shall create sufficient awareness and educate customers in the secure use of the PPIs, including the need for keeping passwords confidential, procedure to be followed in case of loss or theft of card or authentication data or if any fraud / abuse is detected, etc. 16.4 Bank PPI issuers shall continue to be guided by RBI circulars DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 6, 2017 or DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18 dated December 14, 2017, as applicable on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions. 16.4.1 Non-bank PPI issuers shall be guided by the following guidelines, which have been inserted as per DPSS circular DPSS.CO.PD.No.1417/02.14.006/2018-19 dated January 04, 2019 on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions (applicable from March 01, 2019). 16.4.2 With a view to further strengthen customer protection for the PPIs which are issued by authorised non-bank PPI issuers, the criteria for determining the customers’ liability in unauthorised electronic payment transactions resulting in debit to their PPIs have been reviewed as under: Applicability 16.4.3 The provisions of these paragraphs will be applicable to all authorised non-bank PPI issuers. PPIs issued under the arrangement of PPI-MTS as per paragraph 10.2 will be outside the purview of these paragraphs except for the cases of contributory fraud / negligence / deficiency on the part of the PPI-MTS issuer. Categories of electronic payment transactions 16.4.4 For the purpose of these paragraphs, electronic payment transactions have been divided into two categories:
16.4.5 Reporting of unauthorised payment transactions by customers to non-bank PPI issuers
Limited liability of a customer 16.4.6 A customer’s liability arising out of an unauthorised payment transaction will be limited to:
The above shall be clearly communicated to all PPI holders. Reversal timeline for zero liability / limited liability of a customer 16.4.7 On being notified by the customer, the non-bank PPI issuer shall credit (notional reversal) the amount involved in the unauthorised electronic payment transaction to the customer’s PPI within 10 days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any), even if such reversal breaches the maximum permissible limit applicable to that type / category of PPI. The credit shall be value-dated to be as of the date of the unauthorised transaction. 16.4.8 Further, non-bank PPI issuers shall ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the non-bank PPI issuer’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraph 16.4.6 above. In case the non-bank PPI issuer is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the amount as prescribed in paragraph 16.4.6 shall be paid to the customer, irrespective of whether the negligence is on the part of customer or otherwise. Board approved policy for customer protection 16.4.9 Taking into account the risks arising out of unauthorised debits to PPIs owing to customer negligence / non-bank PPI issuer negligence / system frauds / third party breaches, non-bank PPI issuers need to clearly define the rights and obligations of customers in case of unauthorised payment transactions in specified scenarios. Non-bank PPI issuers shall formulate / revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic payment transactions and customer liability in such cases of unauthorised electronic payment transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic payment transactions and also prescribe the timelines for effecting such compensation. Non-bank PPI issuers shall provide the details of their Board approved policy in regard to customers’ liability formulated in pursuance of the provisions of paragraph 15 and 16 of PPI MD, to all customers at the time of issuing the PPI. Non-bank PPI issuers shall display their Board approved policy, along with the details of grievance handling / escalation procedure, in public domain / website / app for wider dissemination. Burden of proof 16.4.10 The burden of proving customer liability in case of unauthorised electronic payment transactions shall lie on the non-bank PPI issuer. Reporting and monitoring requirements 16.4.11 Non-bank PPI issuers shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter-alia, include volume / number of cases and the aggregate value involved and distribution across various categories of cases. The Board or one of its Committees shall periodically review the unauthorised electronic payment transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redressal mechanism and take appropriate measures to improve the systems and procedures. 16.5 PPI issuers shall provide an option for the PPI holders to generate / receive account statements for at least past 6 months. The account statement shall, at the minimum, provide details such as date of transaction, debit / credit amount, net balance and description of transaction. Additionally, the PPI issuers shall provide transaction history for at least 10 transactions. 16.6 In case of PPIs issued by banks, customers shall have recourse to the Banking Ombudsman Scheme for grievance redressal. 16.7 Non-bank PPI issuers shall report regarding the receipt of complaints and action taken status thereon in the enclosed format (Annex-6) on a Quarterly basis by the 10th of the following month to the respective Regional Office of DPSS, RBI. Banks shall submit the same report to DPSS, Mumbai Regional Office, RBI. 16.8 PPI issuers shall ensure transparency in pricing and the charge structure as under:
16.9 PPI issuers shall be responsible for addressing all customer service aspects related to all PPIs (including co-branded PPIs) issued by them as well as their agents. 16.10 PPI issuers shall also display Frequently Asked Questions (FAQs) on their website / mobile app related to the PPIs. 17. Information System Audit 17.1 Authorised non-bank entities shall submit the System Audit Report, including cyber security audit conducted by CERT-IN empaneled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI. 17.2 Banks shall also be guided by the RBI circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 on Cyber Security Framework in Banks dated June 02, 2016, which inter alia, covers requirements for mobile-based applications. 17.3 The scope of the Audit shall include the following:
17.4 All PPI issuers shall, at the minimum, put in place following framework:
18. Interoperability The ability of customers to use a set of payment instruments seamlessly with other users within the segment are based on adoption of common standards by all providers of these services so as to make them inter-operable. Accordingly, it has been decided as under:
19. Reporting requirements PPI issuers shall submit the following reports as per prescribed templates and frequency in this Master Direction:
20. Repeal and other provisions
Table 1: List of Circulars repealed in the Master Direction
Table 2: List of Circulars partially repealed (to the extent they are applicable to issuance and operation of PPIs) in the Master Direction
|