Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs) - आरबीआय - Reserve Bank of India
This document sets out the policy framework adopted by the Reserve Bank of India for the oversight of Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs) operating in India. A Financial Market Infrastructure (FMI) is defined as a multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling, or recording payments, securities, derivatives, or other financial transactions. The term FMI generally refers to Systemically Important Payment Systems (SIPS), Central Securities Depositories (CSDs), Securities Settlement Systems (SSSs), Central Counter Parties (CCPs), and Trade Repositories (TRs) that facilitate the clearing, settlement, and recording of financial transactions. 1.2 FMIs form the backbone of the financial system and contribute to financial stability and economic growth by providing reliable, safe, secure and efficient payment, clearing and settlement services to the users. They perform a unique role in the financial system by connecting a variety of financial institutions and financial markets together by way of their transactions with each other. Market functioning and financial stability rely on ensuring the continuity of the services that these infrastructures provide. 1.3 Payment and settlement systems enable lending and repayment of money, allow businesses to receive payments for goods and services offered, and facilitate payment of salaries and benefits to the general public. They also enable the transfer of money and financial instruments between economic entities. Payment systems typically handle large volumes and values of transactions, which are necessary for any market economy to function. 1.4 SSSs enable the purchase and sale of equities and bonds, and also effect their settlement by book entry according to a set of predetermined multilateral rules. 
A CSD provides securities accounts, central safekeeping services, and asset services, which may include the administration of corporate actions and redemptions, and plays an important role in ensuring the integrity of securities issues. These are systems that keep records of ownership of individual securities and also facilitate the transfer of ownership of these securities between people or entities. On the other hand, CCPs sit between the buyers and sellers of financial contracts and offer their guarantee and assurance to the participants that their contractual obligations in a range of financial and commodity markets will be honoured even if the original counterparty defaults. A TR is an entity that maintains a centralised electronic record (database) of transaction data. 1.5 Central Banks are closely involved and have an interest in FMIs for the conduct of their monetary policy and the implementation of the Government’s fiscal policy, as well as for achieving enhanced financial inclusion, which largely depend on the availability of reliable and effective FMIs. The fundamental purpose of money, to function as a means of exchange, is fulfilled only by efficient payment and settlement systems. This in turn affects the Central Banks’ objective of maintaining public confidence in money and in the instruments and systems used to transfer money. 1.6 While safe and efficient FMIs contribute to maintaining financial stability and promoting economic growth, several incidents in the financial market have also shown that there could be major financial risks embedded in them. If these risks are not managed prudently, they could create a systemic risk situation in which the financial market could stop functioning and be a potential source of financial shocks, such as liquidity dislocations and credit losses.
1.7 Retail payment systems, especially the electronic ones, which consist of different systems and platforms, payment products and services that allow firms, corporates, individuals, governments, and other economic agents to transfer money on a daily basis without having to use cash, have become increasingly prevalent in the Indian economy. This has been largely due to the dynamism that digital innovation has brought with new mobile and online payment solutions and products. The retail electronic payments eco-system in the country is now characterized by the existence of a wide variety of payment systems, payment instruments and payment channels that can be used by different segments of users (individuals, corporate / businesses, and government) to meet their differing payment needs. 1.8 Among the new ways adopted by retail payment systems are the use of mobile phones as a device and access channel for making and receiving payments (mobile payments), use of the internet on different devices for making purchases (internet payments), use of payment cards in ATM and PoS networks and with contactless technology (card payments and tokenization), electronic billing and use of various systems and platforms for making instant payments. Further, although retail payment systems have traditionally been generated by banks and other financial institutions, the payment space has now been increasingly opened up for non-bank players acting as operators of platforms for payment systems or as payment system providers (PSPs). 1.9 While efforts continue to be made for promoting universal access to and use of financial services in an attempt to reduce poverty and improve opportunities and living standards for people, retail electronic payment systems are being represented as an instrument with high potential for fostering financial inclusion, as individuals and firms interact in the economy via the payments they make to each other.
Unlike large value payment systems focused on meeting the needs of financial institutions and large corporations in different financial markets, retail payment systems focus on the needs of each individual for making and receiving payments. 1.10 Efficiency is thus very relevant for retail payment systems. The speed and ease with which payments can be executed will have the potential to affect economic activity. The speed of processing, the accessibility and convenience of the system, its reliability and accuracy are various aspects of quality that may add value to the users. Central Banks have an operational role in the clearing and settlement services and also perform an oversight role on retail payment systems. 1.11 It is important that FMIs as well as retail payment systems are resilient to disruption, including financial and operational shocks, so that they continue to provide critical service to the economy and support wider financial stability and economic development. As such, Central Banks have an important role to play in this area given their responsibility to preserve the smooth functioning of payment systems, and more recently to support efforts for promoting financial inclusion. 2.1 The Committee on Payment and Settlement Systems (CPSS, now Committee on Payments and Market Infrastructures – CPMI), in May 2005, published the report on “Central bank oversight of payment and settlement systems”1.
The report highlights the importance of Oversight and states as follows: “Oversight of payment and settlement systems is a central bank function whereby the objectives of safety and efficiency are promoted by monitoring existing and planned systems, assessing them against these objectives and, where necessary, inducing change.” 2.2 This report has listed five general principles to be followed by the central banks for conducting effective oversight of payment and settlement systems, regardless of the differences between central banks in the scope of oversight in terms of the broad public policy objectives of safety and efficiency, which are reproduced below:
2.3 The CPSS and the International Organisation of Securities Commissions (IOSCO) have established, over the years, international risk-management standards for payment systems that are systemically important, CSDs, SSSs, and CCPs. In February 2010, the CPSS and the Technical Committee of IOSCO launched a comprehensive review of the three existing sets of standards for FMIs2 – the Core Principles for Systemically Important Payment Systems (CPSIPS), the Recommendations for Securities Settlement Systems (RSSS), and the Recommendations for Central Counterparties (RCCP) – in support of the FSB’s broader efforts to strengthen core financial infrastructures and markets by ensuring that gaps in international standards are identified and addressed. Accordingly, a comprehensive set of 24 principles was issued as part of the report titled “Principles for Financial Market Infrastructures” (PFMI)3 published in April 2012. 2.4 The main objectives of these principles for FMIs are to enhance safety and efficiency in payment, clearing, settlement, and recording arrangements, and more broadly, to limit systemic risk and foster transparency and financial stability. 2.5 The document has, in addition to the Principles, indicated five responsibilities that are expected from the central banks, market regulators and other relevant authorities for FMIs. These are reproduced below:
2.6 The Reserve Bank of India (RBI) has adopted the above international standards, i.e. “the PFMIs” and “Central Bank Oversight of Payment and Settlement Systems” for implementation by the FMIs regulated by it, through issuance of Policy document on “Regulation and Supervision of FMIs regulated by RBI”, in June 2013. This document describes in detail the criteria for designating an FMI4, applicability of the PFMIs to the FMIs, oversight of FMIs and other related aspects. 2.7 From 1998 onwards, RBI has been continuously bringing out a Payment Systems Vision document covering a period of three years, enlisting the road map for implementation. As per Vision 2012-15, the approach was to proactively encourage electronic payment systems for ushering in a less-cash society in India and to ensure payment and settlement systems in the country are safe, efficient, interoperable, authorised, accessible, inclusive and compliant with international standards. Subsequently, the Vision 2015-18 laid stress on building best of class payment and settlement systems for a ‘less-cash’ India through responsive regulation, robust infrastructure, effective supervision and customer centricity. While building on the constructs and achievements of the Vision statement of 2015-18, the Payment Systems Vision 2019-21 recognises the need for continued emphasis on innovation, cyber security, financial inclusion, customer protection and competition. While the core theme of the current Vision statement is “Empowering Exceptional (e)Payment Experience”, it focusses on empowering every Indian with access to a bouquet of e-payment options that is safe, secure, convenient, quick and affordable. 
While the pursuit towards a ‘less cash’ society continues, accompanied by the ambition to have a less-card India as well, the endeavour is to also ensure increased efficiency, uninterrupted availability of safe, secure, accessible and affordable payment systems as also to serve segments of the population which are hitherto untouched by the payment systems. 2.8 The efforts made by RBI have resulted in continuous expansion of payment landscape not only in terms of growth in payment infrastructure but also in terms of volume and value of digital payment transactions. There has been continued decrease in the share of paper-based clearing instruments, coupled with consistent growth and launch of new payment systems in individual segments of retail electronic payment systems as well as increase in registered customer base for mobile banking. Especially, the Retail Payment Systems (RPS) have risen to prominence with the new payment systems, such as Unified Payments Interface (UPI) and Aadhaar enabled Payment System (AePS), put in place by National Payments Corporation of India (NPCI) gaining traction, entry of non-bank players in the payment ecosystem bringing in innovation by leveraging technological advancements, and a gradual shift in the customer behaviour from cash to digital payments. With the continuously changing payment system landscape, the oversight objectives and activities have also concomitantly evolved over a period of time. Supervision involves assessing the safety and soundness of payment systems, providing feedback as appropriate, and using powers for timely intervention where necessary. 
With the changing landscape of the payment ecosystem and the need for transparency and clarity among the stakeholders, as well as the central bank’s responsibility to clearly define and disclose its regulatory, supervisory, and oversight policies with respect to FMIs and RPSs, the Reserve Bank of India has revised / updated the existing policy document (published on RBI website in June 2013) as “Oversight Framework for FMIs and Retail Payment Systems”. 2.9 This revised policy document describes the approach of RBI in its oversight of not only FMIs (regulated by RBI) but also the RPSs operating in India. In addition to FMIs, the applicability of PFMIs to some of the important RPSs is also discussed and provided for. Since some of the Principles may not be relevant for certain specific types of FMIs and important RPSs, RBI may impose higher requirements, depending on the gravity of the risks the RPSs expose to the market participants or in the context of wider financial sector stability. The table of acronyms used in the document is given as Appendix 11. Section 3: Legal Framework for Oversight 3.1 The Payment and Settlement Systems Act, 2007 (PSS Act) has designated the RBI as the authority, and confers upon it the right, to regulate and supervise Payment Systems5 within the country. The RBI exercises its powers, performs the functions and discharges the duties conferred on it under the PSS Act through the “Board for Regulation and Supervision of Payment and Settlement Systems (BPSS)”. Exercising these powers, the RBI has prescribed standards for payment instruments such as cheques, for secure message transmission in the form of SFMS (Structured Financial Messaging System), etc. 3.2 Chapter III of the PSS Act lays down that “no person, other than the Reserve Bank, shall commence or operate a payment system except under and in accordance with an authorisation issued by the Reserve Bank under the provisions of this Act”.
Thus, it is clear that all payment systems functioning in India, involving payment obligations as a result of clearing or settlement of one or more payment instructions relating to funds, securities or foreign exchange or derivatives or other transactions, have to be authorised by the RBI. The PSS Act also provides powers to RBI to issue authorisation for operating the payment systems, and also to revoke the authorisation given to such system providers in case of contraventions of any provisions of the PSS Act, PSS Regulations, 2008, orders or directions issued by the RBI, or operation of a payment system contrary to the terms and conditions subject to which the authorisation was issued. 3.3 After the global financial crisis in 2007-08, several developments took place, driven primarily by the G20, for reforming the Over the Counter (OTC) derivatives markets. The TRs emerged as a new type of FMI particularly in the OTC derivatives market. In line with the G20 commitment and the global developments, the PSS Act was amended to include Trade Repository6 as another category of payment system. Accordingly, the provisions of PSS Act also apply to the TRs that have been designated as such by the RBI. 3.4 Chapter IV of the PSS Act and its various Sections / clauses, provide for the Regulation and Supervision of such Payment Systems. The powers to regulate and supervise comprise:
3.5 Chapter VII of the PSS Act and its Sections deal with Offences and Penalties and empower RBI to impose monetary penalties on persons contravening or committing default of the nature pertaining to wilful omission of any material statement or wilful submission of any false statement, information, returns or other documents, or in case of contravention of any provision of PSS Act or any regulation, order or direction issued thereunder. It also empowers RBI to compound the contraventions of any offence punishable under PSS Act, which are not punishable with imprisonment only, or with imprisonment and also with fine. 3.6 The PSS Act also provides legal basis for gross or netting procedure and ensures finality and irrevocability of settlement, as soon as the money, securities, foreign exchange or derivatives or other transactions payable as a result of settlement is determined, whether or not such money, securities or foreign exchange or derivatives or other transactions is actually paid. It also mandates the system providers to disclose to the existing or potential system participants, the terms and conditions including the charges and the limitations of liability under the payment system, supply them with copies of the rules and regulations governing the operation of the payment system, netting arrangements and other relevant documents. 3.7 In exercise of powers conferred by sub-section (1) read with clauses (b) to (f) of sub-section (2) of Section 38 of PSS Act, the RBI notified the Payment and Settlement System Regulations, 2008. The Regulations provide for process and procedures for authorisation of a Payment System; specification of standards7, issued by RBI, to be followed by the authorised system providers; and furnishing of returns, documents and other information including accounts and balance sheet to the RBI.
The PSS Act and the Regulations framed thereunder, provide the legal framework for the conduct of oversight of payment systems, SSSs, CCPs and TRs by RBI. Section 4: Designation of FMIs Regulated by RBI 4.1 The CPSS-IOSCO – PFMIs defines an FMI as a multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling or recording payments, securities, derivatives, or other financial transactions. The Principles are designed to apply to all SIPS, CSDs, SSSs, CCPs and TRs. 4.2 One of the responsibilities of regulatory authorities is to define and publicly disclose the criteria used to identify FMIs that should be subject to regulation, supervision and oversight. Though the expression ‘FMI’ has not been defined explicitly in the PSS Act, the definition of payment system therein includes all categories of FMIs, including TRs, as well as non-systemically important payment systems. 4.3 Criteria for declaring a payment system as SIPS – A payment system, authorised by RBI, would be categorised as an FMI if it has the potential to trigger or transmit systemic disruptions, or as and when it reaches systemic or system wide importance. The parameters considered are: (i) volume and value of transactions handled / processed; (ii) share in the overall payment systems; (iii) markets in which it is operating; (iv) number and types of participants; (v) degree of interconnectedness and interdependencies; (vi) criticality in terms of concentration of payment activities, etc. Based on the above parameters, the RBI shall declare the names of payment systems as SIPS. 4.4 FMIs operated by RBI – The RTGS system is the only large value payment system functioning in India and the value of transactions processed as a percentage of total payment transactions is 77% during the month of March 2020. 
It also settles Multilateral Net Settlement Batch (MNSB) files emanating from other ancillary payment systems including the systems operated by the CCIL8 and NPCI9. Accordingly, it has been designated as a SIPS. Further, the SSS for the government securities10, both for outright and repo transactions conducted in the secondary market, operated by the RBI, is designated as an FMI. RBI also acts as the CSD for government securities, and is thus designated as an FMI. 4.5 FMIs operated by private sector and regulated by RBI – The CCIL, functioning as a central counterparty in various segments of the financial markets regulated by the RBI (viz. the government securities segment, tripartite repo, USD-INR and forex forward segments)11, is designated as an FMI as per the definition provided in the PFMI Report. RBI has also designated CCIL as a Trade Repository12 under Section 34 A (2) of PSS Act for OTC interest rate, credit and forex derivative transactions as mandated from time to time, and it is thus designated as an FMI. NPCI is the umbrella organisation for operating retail payment systems in the country; its share as against the entire payment landscape of India stood at 64.5% by volume and 4.07% by value during the month of March 2020. With the growing retail volumes handled by NPCI and the resultant increase in the extent of concentration of retail payments under NPCI, and given the criticality of its operations in terms of volume of transactions handled, any disruption can have an impact on the payment and settlement of transactions initiated by public at large, especially the lower and middle class population, and the financial inclusion drive of the Government and RBI. Accordingly, NPCI has been designated as a system wide important payment system (SWIPS) and would be assessed against the PFMIs.
4.6 Other critical market infrastructures which are designated as FMIs 4.6.1 The PFMIs in general are not addressed to market infrastructures such as trading exchanges, trade execution facilities, or multilateral trade-compression systems. However, the report states that the relevant authorities may decide to apply some or all of these principles to types of infrastructures not formally covered by the report. Considering the criticality of the Negotiated Dealing System-Order Matching (NDS-OM)13 in the government securities market, it was designated as an FMI in the policy document of June 2013. The CPSS-IOSCO subsequently came out with the ‘Assessment methodology for the oversight expectations applicable to critical service providers’. Accordingly, the NDS-OM would be assessed as per this methodology. Accordingly, NDS-OM is not classified as an FMI, but will be overseen and assessed as per the methodology prescribed by CPSS-IOSCO for critical service providers. 4.6.2 The operations of the FMIs / payment systems are dependent on some critical infrastructure viz. Indian Financial Network (INFINET) – the communication network and SFMS – the messaging infrastructure operated by The Indian Financial Technology and Allied Services (IFTAS). RBI has also given approval to SWIFT India Domestic Services Private Limited (SIDSPL) to provide messaging services for domestic financial transactions in India. The critical infrastructure would thus be assessed against the CPMI-IOSCO “Assessment methodology for the oversight expectations applicable to critical service providers”14 (to the extent applicable to infrastructure providers). The entities covered would be
4.7 Applicability of PFMIs to FMIs in India 4.7.1 As mentioned earlier, RBI has adopted the PFMIs through its policy document “Regulation and Supervision of FMIs regulated by RBI”. Accordingly, all RBI authorised payment systems declared as SIPS / SWIPS on the basis of above criteria and SSSs, CCPs, CSDs and TRs are expected to comply with the PFMI standards. Thus, RTGS, NPCI, SSS / CSD, and CCIL (as CCP and TR)15 are mandated by RBI to comply with the PFMI standards. They would also be assessed using the PFMI framework16. 4.7.2 Most principles in PFMI report are applicable to all types of FMIs covered. However, a few principles are only relevant to specific types of FMIs. The applicability of the principles and key considerations to specific types of FMIs in India is shown in Appendix 9. 4.7.3 The RPSs, those not designated as SIPS / SWIPS, but regulated by RBI, such as Prepaid Payment Instrument Issuers, card payment networks, ATM networks, Cross-border Money Transfer (in-bound) operators, White Label ATM Operators, Instant Money Transfer Operators, Trade Receivables Discounting System (TReDS) operators, Bharat Bill Payment System (BBPS) Operator, and Bharat Bill Payment Operating Units (BBPOUs), would not be subject to assessment against all PFMIs, except for submission of Self-Assessment Template (SAT) dovetailed to their specific requirements on an annual basis. However, some of the PFMIs are so fundamental that they should also be observed by even these RPSs. For the purpose, the RBI will be classifying such RPSs as Important Retail Payment Systems (IRPS) and Other Retail Payment Systems (ORPS). 4.7.4 Although both IRPS and ORPS are required to comply with a select set of PFMIs, a differentiation has been made between the two types of retail payment systems according to their share in payment landscape, the potential effects on account of their failure and the potential to undermine public confidence in payment systems. 
In the light of this, the RBI has identified the PFMIs with which IRPS and ORPS should comply. The same is given in Appendix 10. The RBI has decided that 12 and 7 PFMIs out of 17 applicable to payment systems are applicable to IRPS and ORPS, respectively. Section 5: Definition and Scope of Oversight 5.1 Definition of Oversight 5.1.1 The definition of “Oversight of payment and settlement system” provided by CPSS in the report on Central Bank Oversight of Payment and Settlement Systems, has been adopted by the RBI. 5.1.2 By convention, “the term oversight is reserved to designate the specific responsibilities and tools central banks have with regard to payment and settlement systems due to their unique character of being both a public authority and a bank. Oversight is a necessary complement to any other means central banks may use to achieve their public policy objectives for payment and settlement systems (such as operating certain systems themselves or providing settlement services to systems).”17 5.2 Oversight Responsibilities 5.2.1 As indicated earlier, the PSS Act, 2007 and PSS Regulations, 2008 provide for the RBI to conduct oversight of payment and settlement systems, as part of its mandate. The RBI is empowered under the PSS Act to issue guidelines for the proper and efficient management of the payment systems generally or with reference to any particular payment system. 5.3 Oversight Objectives 5.3.1 The main objective of PFMIs is to enhance safety and efficiency in payment, clearing, settlement and recording arrangements, and more broadly, to limit systemic risk and foster transparency and financial stability. Poorly designed and operated FMIs can contribute to and exacerbate systemic crises if the risks of these systems are not adequately managed, and as a result, financial shocks could be transmitted from one participant or FMI to others. The effects of such disruption could extend beyond and thus threaten the stability of the broader economy.
5.3.2 RBI issues bank notes and provides banking facilities in the form of current accounts to all banks and financial institutions functioning in the country. RBI promotes settlement of all payment transactions in central bank money and plays a role in ensuring safety and efficiency in FMIs so as to prevent systemic risk. 5.3.3 Prevention of systemic risk – RBI oversees FMIs and all authorised payment systems, including RPSs, so as to contain the systemic risk implications that have the potential to affect nation’s financial system and consequently its monetary and financial stability. Any malfunctioning of an FMI is likely not only to have a negative effect on the FMI’s participants but it could also give rise to broader risk externalities, if participants are no longer able to complete their payment or securities transactions on time. The situation could worsen due to the interconnectedness feature of payment systems. As a result, the liquidity strains of the participants might spread more widely through the financial system, putting pressure on asset prices and reducing market confidence and thus potentially endangering the stability of financial system. Furthermore, if FMIs including payment and settlement systems, which facilitate the exchange of money for goods, services and financial assets, were inefficient or failed altogether, money would not fulfill its function of acting as means of exchange effectively and one of the key tasks of central banks, namely to maintain public confidence in money and in the instruments and systems used to transfer money, would not be achieved. 5.3.4 Payment and Settlement Systems typically exhibit economies of scale, i.e. they have high fixed costs and marginal costs that are very low with increase in number of processed transactions. In such a scenario, concentration among a few large-scale providers, or even a natural monopoly, may be the most efficient market structure. 
Significant market concentration, however, may lead to a high dependency on a few key payment and settlement systems, without readily available alternatives. Moreover, market concentration may be significant enough to give payment and settlement providers market power that leads them to provide lower levels of services at higher prices, lower investment in risk reduction and perhaps a lower level of innovation than is socially optimal. 5.3.5 Considering the above issues, the RBI has, apart from safety, security and efficiency of FMIs and payment systems, adopted customer confidence, wider accessibility and customer convenience, and customer protection as its oversight objectives, and transformed them into its various regulations, standards, directions, and guidelines applicable to them. These objectives are also enshrined in RBI’s Payment Systems Vision Document. 5.3.6 With a view to promoting safety, security and efficiency of FMIs and RPSs, the RBI aims for the following outcomes: 5.3.6.1 Governance arrangements – They should document clear and transparent governance arrangements18 with clear lines of roles and responsibilities as well as accountability of their Board, their board level sub-committees and management. They should have objectives in line with those of RBI, and also support the stability of the broader financial system. Their Board and Management should be composed of suitable members with an appropriate mix of skills, experience, and knowledge of the FMI and / or RPSs. 5.3.6.2 Comprehensive management of risks – They should have a board approved sound risk management framework, including policies, processes, procedures and systems, for identification and assessment, measurement, monitoring and management of the range of risks (such as legal, credit, liquidity, operational, business and other risks) arising in or out of the business as well as those they pose to other entities as a result of interdependencies.
Their Board should regularly monitor their risk profile to ensure that it is consistent with their business strategy and risk-tolerance policy. 5.3.6.3 Credit risk management19 – They may face credit risk from their participants, their payment and settlement processes, or both. The default of a participant (and its affiliates) could have the potential to cause severe disruptions to an FMI / RPS, its other participants, and more broadly to the financial markets. Therefore, FMIs and RPSs should establish a robust framework to manage their credit exposures to their participants and the credit risk arising from their payment, clearing, and settlement processes. 5.3.6.4 Liquidity risk management – They should have a robust framework to manage their liquidity risk arising from their participants, settlement banks, nostro agents, custodian banks, liquidity providers and other entities. They should also maintain sufficient liquid resources, with thorough and rigorous stress testing considering a wide range of stress scenarios, in all relevant currencies to effect same day settlement or intraday or multiday settlement of payment obligations with a high degree of confidence. 5.3.6.5 Collateral – In order to manage the risk from a participant default, they should consider the impact of participant defaults by collateralising their current and potential future credit exposures. The collateral should have low credit, liquidity and market risks after enforcing appropriately conservative haircuts and concentration limits in order to ensure that the liquidation value of the collateral is greater than or equal to the obligation that the collateral secures in extreme but plausible market conditions. 5.3.6.6 Default management – They should have clearly defined rules and procedures that enable them to meet their obligations to non-defaulting participants in the event of a participant default as well as for replenishment of resources.
5.3.6.7 Operational risk management – Operational risk is the risk that arises from deficiencies in information systems, internal processes, and personnel or disruptions from external events, that result in the reduction, deterioration, or breakdown of services provided by the FMIs. Thus, the FMIs and RPSs should establish a robust framework to manage their operational risks with appropriate systems, policies, procedures and controls. They should also ensure that the systems have scalable capacity so as to handle increasing volumes. As a part of the framework, they should also have a business continuity plan that addresses events posing a significant risk of disrupting operations, for timely recovery of operations and fulfilment of FMI’s obligations, including in the event of a wide-scale or major disruption. 5.3.6.8 Recovery and Resolution Plans – The FMIs should ensure that they can continue to provide critical services in all circumstances. However, it is possible that in certain extreme circumstances, an FMI may become non-viable as a going concern or insolvent. Such a situation would lead to systemic disruptions to the institutions and markets supported by the FMI and to the financial system more broadly. The FMIs should, therefore, identify scenarios that may potentially prevent them from providing their critical operations and services as a going concern, and prepare a viable range of options for their recovery to normalcy or their ultimate resolution and orderly wind-down, for instance transferring their critical operations and services to an alternate entity. The range of options for recovery should be documented in the form of a Recovery and Resolution Plan (RRP), which should contain, inter-alia, identification of the FMI’s critical operations and services, a summary of key recovery or resolution strategies, and a description of measures to be taken to implement the key strategies. The RRP shall be approved by the RBI on an annual basis.
5.3.6.9 Disclosure of rules and procedures – In order to help the current and prospective participants, authorities and public to understand risks, fees and other material costs, the FMIs and RPSs should have clear and comprehensive rules and procedures, which should be publicly disclosed. The rules shall, inter-alia, include the system’s design and operations, rights and obligations of FMI / RPS and its participants, risk-based objective criteria for participation by direct and indirect (tiered) participants and other FMIs / RPS, as well as procedures for facilitating the suspension and orderly exit of a participant that breaches or no longer meets the participation requirements. 5.3.6.10 Settlement finality – They should provide clear and certain final settlement. The same should be clearly defined in their rules and procedures. 5.3.6.11 Settlement in central bank money – They should preferably conduct their money settlements in central bank money, where practical and available, to avoid credit and liquidity risks. 5.3.6.12 The FMIs and RPSs should be efficient and effective in meeting the requirements of their participants and the markets they serve. 5.4 Scope of Oversight 5.4.1 The term “scope of oversight” refers to those FMIs and RPSs that central banks oversee by applying some form of standards or policies. The PSS Act designates the RBI as the authority to regulate and supervise payment systems in India and for matters related therewith or incidental thereto. Accordingly, the scope of oversight is enshrined in the PSS Act. The scope of oversight thus covers all authorised payment systems and aspects / matters related to payment systems. It includes all types of payment systems, SSSs, CSDs, CCPs and TRs. 5.4.2 The PSS Act also provides that no person can operate a payment system without authorisation from the RBI.
It is necessary to ensure that all payment systems operate in a safe and efficient manner as also as per the provisions of the statute, Regulations framed thereunder and the instructions / guidelines / circulars / directives issued by the RBI from time to time. In addition, as indicated earlier, the RBI also lays out its strategies and focus as part of its Payment System Vision document. Thus, all designated FMIs and RPSs20 fall within the scope of oversight by RBI. 5.4.3 Availability of robust infrastructure to support electronic payments is a critical factor influencing the adoption of electronic payments. The service providers of the following critical infrastructure also fall within the scope. Oversight of these service providers would be undertaken by following the CPMI-IOSCO “Assessment methodology for the oversight expectations applicable to critical service providers”21 (to the extent applicable to infrastructure providers).
5.4.4 Presently, the card payment networks, except NPCI, and Cross-border Money Transfer (in-bound service) operators are regulated and overseen by way of off-site surveillance only as they are incorporated in foreign jurisdictions. These entities are required to submit System Audit Report of their entire systems, including the domestic infrastructure, on an annual basis. Continuous engagements are made with these entities to understand any gaps in their risk assessments and customer grievance redressal mechanism and also mandate them to make further improvements, if considered necessary. Going forward, steps shall be taken to further intensify the oversight process for such entities by way of on-site inspections, if required. 5.4.5 Some designated FMIs, such as SSS and CSD are owned and operated by RBI. Though RBI is exempted from the authorisation requirements as an operator of payment systems under the PSS Act, RBI oversees as well as assesses these FMIs against the international standards22 with the same rigour as in case of other FMIs and, where necessary, takes action to remedy deficiencies, if any. 5.4.6 CCIL has been designated as TR for OTC interest rate and forex derivative transactions. TRs have emerged as a new type of FMI and have recently grown in importance, particularly in the OTC derivatives market, especially as a channel for reporting transaction data to relevant authorities and the public, for the purpose of enhancing the transparency of the OTC derivatives market. In addition to the principals to a trade, their agents, CCPs, and other service providers offering complementary services, the data stored in a TR may be used by a wider range of entities and stakeholders. Considering that the continuous availability, reliability, and accuracy of such data is critical, RBI also oversees TRs. 
5.4.7 Regulation of Payment Gateway Service Providers and Payment Aggregators and outsourced technology service providers 5.4.7.1 Annex F of the PFMIs outlines five oversight expectations for critical service providers in order to support a financial market infrastructure’s (FMI) overall safety and efficiency. The operational reliability of an FMI may be dependent on the continuous and adequate functioning of third party service providers that are critical to an FMI’s operations, such as information technology and messaging providers. 5.4.7.2 With the enhanced facilitation by banks and PPI Issuers, the use of electronic / online payment modes for payments to merchants for goods and services like bill payments, online shopping, etc., has gained large scale momentum over the years, which has led to an increasing role of Technology Service Providers (TSPs), Third Party Application Service Providers, intermediaries such as Payment Gateways (PGs)23 and Payment Aggregators (PAs)24, etc. Further, Electronic Commerce and Mobile Commerce (e-commerce and m-commerce) service providers act as intermediaries by providing platforms for facilitating such payments. These outsourced TSPs and intermediaries act as the bridge between the merchants and customers, and also play a role in processing and completion of payment transactions. Being part of the payment process chain, these entities also handle sensitive customer data. Managing customer data, data privacy and Know Your Customer (KYC) requirements of merchants is also important from the point of view of security and customer confidence in the ecosystem. In addition, currently most acquiring of merchants is done by third party aggregators and technology providers. Entities may also provide cross border settlement services and are governed by guidelines issued by the Foreign Exchange Department (FED, RBI) on Online Payment Gateway Service Providers (OPGSPs).
5.4.7.3 The customer ordinarily has very limited / no access to these service providers and intermediaries and thus has to rely on merchants or banks, who alone can seek redress from the service providers and intermediaries. Lack of a proper redress mechanism and of uniformity in practice across the entities is also a matter of concern. The technology set-up of the service providers and intermediaries varies amongst the entities and the architecture changes over time keeping in view their predominant business objective including the need to provide efficient processing, seamless customer experience, etc. They may resort to multiple integrations to provide redundancy. 5.4.7.4 RBI had earlier issued guidelines on managing risks in respect of outsourcing of financial services by banks. Further, with a view to safeguarding the interests of the customers and users and to ensuring that the payments made by the intermediaries (PGs and / or PAs) using electronic / digital / online payment modes were duly accounted for by the intermediaries receiving such payments and transmitted to the accounts of the merchants or to similar other entities, certain guidelines were issued to banks and payment system operators for addressing a few aspects of the functioning of intermediaries. As such, these entities were not subjected to direct regulation, nor were regulations for outsourcing arrangements made applicable to them. 5.4.7.5 Since these service providers and intermediaries also have exposure to the payment system landscape and are, therefore, exposed to the associated cyber threats, and thus could be a potential source of risk in such a technology and customer experience intensive business, RBI had announced measures in its Monetary Policy Statements for 2018-19 for mandating certain regulatory controls on these entities.
Based on the feedback received on the discussion paper and taking into account the important functions of the intermediaries in the online payments space as also keeping in view their role vis-à-vis handling funds, it was decided to (a) regulate in entirety the activities of PAs, and (b) provide baseline technology-related recommendations to PGs. Accordingly, the RBI shall regulate and supervise non-bank PAs and the existing non-bank PAs are also required to submit an application seeking authorisation on or before June 30, 2021. On the other hand, the PGs shall be considered as ‘technology providers’ or ‘outsourcing partners’ of banks or non-banks, as the case may be, and have been prescribed to put in place certain baseline technology-related cyber security controls. 5.4.7.6 Recognizing the cyber threat that critical service providers pose to the payment system landscape, certain baseline requirements have been mandated for such service providers of the banking sector through the RBI regulated entities. To start with, instructions were issued mandating baseline Cyber Security Controls for the third-party ATM Application Switch Service Providers. The RBI regulated entities have also been advised and are required to ensure that the contract agreement signed between them and the third party ATM Application Switch Service Providers as well as those providing any other type of payment system related services to them (limited to the IT ecosystem, such as physical infrastructure, hardware, software, reconciliation system, network interfaces, security solutions, hardware security module, middleware, associated people, processes, systems, data, information, etc.) necessarily mandate such service providers to comply with the specified cyber security controls on an ongoing basis and to provide access to the RBI for on-site / off-site supervision.
Section 6: Oversight Activities 6.1 The three key ways in which oversight activity is carried out are through (i) monitoring existing and planned systems; (ii) assessment of the FMIs and RPSs against the oversight objectives; and (iii) inducing change for improvements, where necessary. The activities and the tools used for the same are briefly indicated below25: 6.2 Monitoring existing and planned systems 6.2.1 Monitoring a system implies that the overseer (regulator) has a good understanding of the system. To obtain such an understanding, the overseer has to have information on the design, risk management, operations and other aspects of the payment system. To this end, information on the system is obtained from various sources, which are as under: (i) Sources of information
(ii) Powers to obtain information: Powers to obtain information and perform on-site inspections are closely related to regulatory authorities’ powers to induce change. RBI has adequate powers under its statute, i.e. PSS Act and PSS Regulations to call for returns, documents or other information from any authorised payment system operator in regard to the operation of particular payment systems in such form and in such manner as it may prescribe from time to time. RBI also has powers to enter any premises where a payment system is being operated and may inspect any equipment, including any computer system or other documents situated at such premises and call upon any employee of such system provider or participant thereof, to furnish any information or documents required. (iii) Information on system participants: The central banks typically use some information about the individual participants in systems in order to carry out oversight. This is required because participants’ behaviour can affect the safety, security and efficiency of the FMI or payment system. Thus, it becomes necessary to judge whether the design or process and procedure of FMI or payment system needs to be changed. Such aspects are expected to be controlled at the time of initial on-boarding of the participants in the FMI or payment system and continuous inspection and audit to be conducted of the system participants, as per the documented operation rules of FMI or payment systems. The rules, inter-alia, include risk-based objective criteria for participation by direct and indirect (tiered) participants and other FMIs, as well as procedures for facilitating the suspension and orderly exit of a participant that breaches or no longer meets the participation requirements. 6.2.2 Monitoring of Planned systems 6.2.2.1 Authorisation process26: The authorisation is a pre-emptive process set up by the RBI to monitor new and planned payment systems. 
The details regarding the design, operation of the system, access criteria (business rules), process flow of transaction, technology to be used, security features, interoperability, financials, fit-and-proper criteria of the promoters, etc. are examined and vetted by RBI, before authorisation is granted. As such, the authorisation process set up by RBI in respect of new and planned systems ensures the weeding out of payment systems with weak system design, risk and financial parameters. The details of information sought from various payment systems at the time of authorisation are given in Appendix 2. 6.2.2.2 Other data / information sources: Apart from the information furnished by the entity seeking authorisation, the RBI may request additional information based on the system proposed to be operated, e.g. for entities desirous of operating cross-border payment systems, the license issued by the overseas regulators is sought. Also, for entities incorporated in India, information / no objection from the respective regulators is obtained. 6.2.2.3 Approval by the BPSS / Empowered Committee: The information submitted by an applicant of a new payment system is examined before proposing to the BPSS / Empowered Committee for final approval for authorisation. The powers for authorisation shall be handled in accordance with the powers delegated by the appropriate authority (BPSS / Empowered Committee). The entities are issued in-principle approval for the proposed payment system and the final Certificate of Authorisation (CoA) is issued only after submission of a satisfactory system audit report of the systems proposed to be operated as payment system. 6.2.3 Monitoring of existing systems 6.2.3.1 RBI has adopted a risk-based approach for conducting oversight of existing payment and settlement systems. More focus of its oversight activities is directed to the largest risks to the financial system.
The oversight of FMIs is typically accompanied by an assessment of the importance of particular FMI to financial stability and to the functioning of the economy as a whole. 6.2.3.2 Oversight Process and Tools – The oversight of FMIs and RPSs is primarily a combination of offsite supervision / surveillance and onsite inspection. 6.2.3.2.1 Off-site surveillance – The off-site surveillance and monitoring of FMIs and authorised RPSs are conducted by way of various tools, such as (a) submission of prescribed data / information by the regulated entities, (b) fraud monitoring / system of alerts, (c) regular meetings with authorised payment system operators, (d) market intelligence, and (e) oversight reports and surveys. (i) Data / Information collection and compilation
(ii) Fraud Monitoring / System of Alerts
(iii) Regular meetings with authorised payment system operators – RBI conducts meetings with senior executives of FMIs and RPSs, and their major system participants to discuss their strategic plans and risk management practices. Quarterly review meetings are conducted with the senior management of CCIL and NPCI, as well as quarterly / half-yearly meetings with other authorised retail payment system operators. RBI also engages with a broad range of stakeholders, such as Payments Council of India, Internet and Mobile Association of India, Confederation of ATM Industry, Indian Banks Association, etc., on periodic basis. (iv) Market Intelligence – Market Intelligence is a key feature of any oversight process. Market intelligence is gathered from a variety of sources such as : periodical informal meetings / discussions with system operators and participants; participation in industry level meetings / conferences / symposia; media reports; web browsing on a regular basis for keeping track of payment system developments; participant complaints on frequent disruptions in promised service functionality / faulty service; customer complaints; surveys; interactions with other departments within the RBI, etc. (v) Oversight report / surveys – An important factor which contributes to refinement of oversight strategy and regulatory framework is, in addition to feedback received through market intelligence, customer feedback, complaints, etc., the ability to gauge first-hand, the issues / difficulties faced by customers with respect to usage of payment systems. In order to ascertain these issues, RBI engages with various stakeholders / professionals to conduct periodic user / customer surveys on specific aspects of payments systems. 
The findings from these engagements / surveys not only provide insights into the ease of usage of existing payment products and processes by customers for meeting their various payment needs but also generate ideas for reviewing policies and empowering the users through structured awareness intervention. Periodic / need-based surveys are undertaken / feedback is obtained from customers. Based on analysis of the data collected, the survey findings are summarised and published. 6.2.3.2.2 Point of Arrival and Performance Metrics – RBI has created the Point of Arrival (PoA) and Performance Metrics (PM) to assess and monitor the payment systems and participant entities respectively, on a regular basis. The purpose of creation of a PoA and PM is to augment the monitoring system through a periodic assessment with broadened scope and to facilitate conscious efforts by applicants and participants to strive towards improvement. It will ensure that all system operators, participants and prospective entrants in a payment system category are aware of regulatory and supervisory expectations. It will also help in not only promoting efficiency of payment systems but also providing a robust environment that enables innovation towards making them safe, secure and fast. PoA comprises specifying goal-posts for a payment system like KYC of system participants, business proliferation, financial position, customer grievance handling, regulatory comfort on value to the segment, etc., based on which its continuance or otherwise in the ecosystem can be decided. PM involves defining a set of targets for identified parameters like meeting business projections, business and technical declines, uptime / settlement delays, governance issues, etc., to be fulfilled by the participants at the point of gaining access along with certain time-based targets for monitoring the efficiency and effectiveness of the payment system participants.
While the former addresses the system-related aspects of performance, the latter takes care of the participant-related aspects. 6.3 Assessment 6.3.1 Assessment is carried out to ensure that the entities’ systems meet the relevant policy guidelines, standards and oversight objectives. For systemically important / system-wide important payment systems and FMIs that could potentially impact the country’s economy and financial stability, the RBI uses international standards, i.e. the PFMIs, as the benchmark for oversight, evaluates whether the entities meet the requirements set out in the international standards, and makes its own assessment. 6.3.2 Assessment could be carried out in the form of Self-Assessment by the entities themselves, which helps emphasise that the entity has undertaken the responsibility of meeting the required standards, and an external assessment in the form of on-site inspections by the central bank, which enables the central bank to form its own assessment based on all the information available to it. 6.3.2.1 Off-site self-assessment
6.3.2.2 Onsite Inspection (i) Onsite inspection / audit complements the offsite monitoring and surveillance mechanism put in place for the FMIs / retail payment systems. (ii) Onsite inspection activity is based on the risk profile of the entity derived from the annual self-assessment carried out by the entity and the information furnished by the entity and market intelligence, if any. FMIs and RPSs are subjected to periodic onsite inspection as determined by RBI from time to time. (iii) Prior approval of changes – Section 11 of PSS Act enjoins upon the FMIs and payment systems not to cause any change in the system which would affect the structure or the operation of payment system, without prior approval from RBI. Thus, the offsite monitoring as well as on-site inspection would also include assessment of any changes / amendments to the FMI’s system rules, regulations, bye-laws, notifications, risk management framework, in order to ensure that such changes are within the accepted risk management and efficiency standards. (iv) The on-site inspection of CCIL is conducted on an annual basis, whereas in case of SWIPS (NPCI), it is done once in two years with a compliance audit to be carried out before undertaking the on-site inspection. TR is also covered as part of CCIL. The on-site inspection of RTGS, CSD and SSS is proposed to be carried out periodically. Further, the assessment of FMIs and SIPS / SWIPS against the PFMIs is also carried out as part of the on-site inspection by RBI. The assessment of the FMIs operated by RBI is also to be carried out as per the PFMI.
(v) Since clear and comprehensive disclosures enhance safety and efficiency in payment, clearing, settlement and recording arrangements, all FMIs and SIPS / SWIPS are also expected to provide clear and sufficient information to their participants and prospective participants, authorities and public to enable them to identify clearly and understand fully the risks and responsibilities of participating in the system. As a measure of enhanced transparency, CCIL discloses its self-assessment in compliance with the PFMIs on an annual basis, as per the CPSS-IOSCO ‘Disclosure Framework and Assessment Methodology’27, prescribed in the PFMIs. CCIL also publishes its quantitative disclosures on a quarterly basis as per the public disclosure standards for CCPs28. (vi) In case of PPI Issuers, the frequency of on-site inspection has been linked to the categorisation of the entities based on certain criteria / parameters, i.e. number of PPIs issued, amount outstanding and value of PPI transactions. The entities have been categorised into three types, i.e. small, medium and large, as provided hereunder:
Accordingly, the on-site inspection periodicity of large PPI Issuers is annual, biennial for medium and triennial for small PPI Issuers. For new PPI Issuers, on-site inspection shall be done within six months of commencement of PPI operations. Needless to add, the periodicity can be flexible and increased / modified depending on market intelligence, developments and / or other cases of need. (vii) In case of NEFT system29, keeping in view the volume and value of transactions processed as part of the total retail payment transactions at 8% and 59% respectively during the financial year 2019-20, the on-site inspection as well as assessment against the relevant PFMIs shall be conducted bi-annually by RBI. (viii) The card networks and cross-border money transfer (in-bound service) operators are presently assessed through submission of off-site returns and are not within the scope of on-site inspection by RBI. However, in order to ensure that the technology deployed to operate the authorised payment system/s is / are being operated in a safe, secure, sound and efficient manner and as per the process flow submitted by them at the time of authorisation, they have been mandated to get a System Audit done on an annual basis by a Certified Information System Auditor (CISA) qualified auditor and registered with the ISACA or by a holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI). Steps will be taken to conduct on-site inspection of such entities and to start with, the need for an onsite visit will be examined by RBI for the purpose of interaction with the executives of the entities as well as the overseas regulators. (ix) The schedule of activities that would be conducted on an ongoing basis in respect of various FMIs and RPSs is given in Appendix 1. 
6.4 Inducing change 6.4.1 On the basis of information collected and received as part of monitoring and assessment, in some cases RBI may conclude that the FMIs’ as well as retail payment systems’ design, risk management practices, and business operations specific to authorised systems have a sufficient degree of safety and efficiency and that no further action is required. If any deficiencies are observed in systems of FMIs / RPSs and it is concluded that some issues require improvements and it is necessary to induce change, RBI takes action and induces change using a range of tools at its disposal30. 6.4.2 Considering that the discussions with the system operator and participants play an important part in achieving oversight objectives, RBI believes in having regular dialogues / discussions with the authorised payment system operators and participants with respect to issues for improvement and inducing change by way of possible solutions that have a bearing on their system’s design and operational structure. Such dialogues help both RBI as well as the system operators to come to a common understanding and solution for improvement which are in line with the oversight objectives of safety, security and efficiency of payment systems. 6.4.3 In cases where the issues are identified in a majority of the payment systems, RBI issues advisories in the form of public statements so that the market disciplines itself. Another important tool used by the RBI is issuance of a Displeasure or Cautionary letter and / or taking penal action in terms of the powers conferred on it under the provisions contained in PSS Act. The penal action could include revocation of the CoA issued to the entity.
In cases where RBI imposes monetary penalty on authorised payment system operators on account of contraventions, such entities are mandatorily required to disclose the details of monetary penalty paid in their Notes to Accounts that are part of Annual Financial Statements for the financial year in which the penalty was levied. Further, RBI also discloses the information about penalty levied on its website. 6.4.4 The RBI has powers under PSS Act to issue specific directions to a payment system or a system participant if its act, omission or course of conduct will result / is likely to result in systemic risk or affect the payment system, monetary policy or credit policy of the country. 6.4.5 If there are major supervisory concerns against an entity, RBI may also choose not to renew its Certificate of Authorisation (CoA) at the end of its validity. 6.4.6 Customer protection 6.4.6.1 RBI has put in place following mechanisms for effective redressal of grievances: (i) Reserve Bank – Integrated Ombudsman Scheme, 2021 – The RB-IOS provides a single reference point for customers to file complaints, submit documents, track status and provide feedback against RBI regulated entities specified therein. A toll-free number is also available for customers to seek assistance in filing complaints and information on grievance redress, with multi-lingual support. (ii) Internal Ombudsman Scheme for non-bank System Participants, 2019 – The Internal Ombudsman (IO) scheme for the large non-bank system participants, with more than one crore PPIs outstanding, was institutionalised in 2019. The scheme facilitates a swift, efficient and effective complaint redressal mechanism within the entity to ensure that customer complaints are adequately addressed at the level of non-bank System Participant itself by an independent authority placed at the apex level in the entity’s grievance redress mechanism. 
(iii) Limiting Liability of Customers in Unauthorised Electronic Banking Transactions – With the increased thrust on financial inclusion and customer protection from the loss due to unauthorized transactions, the Reserve Bank has, on July 6, 2017, formulated the criteria for determining the customer liability in these circumstances to be implemented by commercial banks. Accordingly, zero liability of customer exists where the unauthorized transaction has occurred due to contributory fraud / negligence / deficiency on the part of the bank (irrespective of whether the transaction is reported by the customer or not) and in case of third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of the transaction. The above circular is also applicable to bank PPI Issuers. Banks are also required to provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and / or loss or theft of payment instrument such as card, etc. The loss / fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. (iv) Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks – Similar criteria, like those for banks above, have also been formulated for determining the customers’ liability in unauthorised electronic payment transactions resulting in debit to their PPIs issued by non-bank PPI Issuers.
Accordingly, zero liability of customer exists where the unauthorized transactions has occurred due to contributory fraud/negligence/ deficiency on the part of PPI Issuer (irrespective of whether the transactions is reported by the customer or not) and in case of third party breach where the deficiency lies neither with the PPI Issuer nor with the customer but lies elsewhere in the system, and the customer notifies the PPI Issuer within three working days of transactions. (v) Harmonising Turn Around Time (TAT) for resolution of customer complaints and compensation for failed payment transactions - A large number of customer complaints emanate on account of unsuccessful or ‘failed’ transactions. Failure could be on account of various factors not directly attributable to the customer such as disruption of communication links, non-availability of cash in ATMs, time-out of sessions, non-credit to beneficiary’s account due to various causes, etc. Rectification / Compensation paid to the customer for these ‘failed’ transactions is not uniform. In order to bring uniformity and discipline in reversal of such failed transactions, RBI has put in place a framework harmonising the Turn Around Time for resolution of customer complaints and customer compensation for failed transactions in some payment systems, i.e. ATMs, Unified Payments Interface (UPI), Immediate Payment Service (IMPS), PPIs and card payments. The framework has come into effect from October 15, 2019. The framework prescribes the TAT for failed transactions as also a compensation framework providing suo moto compensation to customers for delay in execution or reversal of such transactions beyond the prescribed TAT. Wherever financial compensation is involved, the same shall be effected to the customer’s account suo moto, without waiting for a complaint or claim from the customer. The principle behind the TAT is based on the following:
6.4.7 Resilience of infrastructure 6.4.7.1 Resilience is ensured by continuously monitoring the technical, operational, and financial viability of the entities to ensure continuous system viability. Measures are laid out to ensure that the entities monitor payment and settlement flows, have enough early warning devices guarding against abnormalities across the payment circuits, and have well-tested emergency procedures in place. This enables the entities to operate smoothly at all points of their process, and to be resilient to disturbances. 6.4.8 Guidance on cyber resilience for FMIs 6.4.8.1 The level of cyber resilience, which contributes to an FMI’s operational resilience, is a decisive factor in the overall resilience of the financial system and the broader economy. “Cyber resilience” is an FMI’s ability to anticipate, withstand, contain, and rapidly recover from a cyber-attack. CPMI and IOSCO have published guidance on cyber resilience for FMIs. 6.4.8.2 An FMI should have a framework that clearly articulates how it determines its cyber resilience objectives and cyber risk tolerance, as well as how it effectively identifies, mitigates, and manages its cyber risks to support its objectives. The FMI’s Board should endorse this framework, ensuring it is aligned with the FMI’s formulated cyber resilience strategy. The FMI’s cyber resilience framework should support financial stability objectives while ensuring the ongoing efficiency, effectiveness and economic viability of its services to its users. To be effective in keeping pace with the rapid evolution of cyber threats, FMIs are directed to implement an adaptive cyber resilience framework that evolves with the dynamic nature of cyber risks and allows the FMI to identify, assess and manage security threats and vulnerabilities for the purpose of implementing appropriate safeguards into its systems. 
6.4.8.3 FMIs regulated by RBI are required to have the cyber resilience framework put in place as per the standards stipulated by RBI from time to time and guided in the CPMI document31. 6.4.8.4 Measures to Strengthen Cyber Security in Banks / system participants – (i) In view of the rapid growth in use of Information Technology by banks and their constituents, RBI had provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in April 2011, advising banks to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns. (ii) With continuous increase in number, frequency and impact of cyber incidents / attacks in the recent past, and the urgent need to enhance the resilience of the banking system by improving the current defences in addressing cyber risks, the RBI issued detailed guidelines in June 2016 advising banks to put in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents / disruptions, if and when they occur. Banks were also advised to adhere to following:
(iii) Standing Committee on Cyber Security – The Reserve Bank of India has set up an Inter-disciplinary Standing Committee on Cyber Security (with members drawn from academia / various disciplines) to, inter alia, review the threats inherent in the existing/emerging technology; study adoption of various security standards/protocols; interface with stakeholders; and suggest appropriate policy interventions to strengthen cyber security and resilience. (iv) A Crisis Management Group (CMG) has been set up within the RBI to deliberate on the response measures to be taken by the stakeholders in the wake of critical/potential cyber-attacks. (v) Under the guidance of the Standing Committee, four sub-groups have been constituted to examine in detail, specific areas of concerns, i.e. Card based Payments and Security, Mobile Banking and Security, Vendor Risk Management, and Cloud computing services and security. (vi) A web-based application portal is being developed to further enhance the efficiency and consistency of offsite monitoring over all the supervised entities. 6.4.9 Storage of Payment System Data In recent times, there has been considerable growth in the payment ecosystem in the country, particularly in the realm of digital transactions. Such systems are also highly technology dependent, which necessitate adoption of safety and security measures, which are best in class, on a continuous basis. Ensuring safety and security of the payment systems has always been the cornerstone of the RBI’s approach towards payment system regulation and development. Multiple players with niche roles are part of each digital transaction and many of such players have global presence. 
To ensure better monitoring and to have unfettered supervisory access to data stored with the system providers as also with their service providers / intermediaries / third party vendors and other entities in the payment ecosystem, all system providers are required to ensure that the entire data relating to payment systems operated by them is stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required. 6.4.10 Publishing of Payment System Indicators The Reserve Bank publishes data on aggregates of various payment and settlement system indicators on the RBI website for the information of the stakeholders and general public. The scope of dissemination of such data has since been enhanced to include more granular information on payment data covering the payment systems authorised by the Reserve Bank. 6.4.11 Annual Report to BPSS The activities undertaken by the department during the year, covering the policy initiatives, authorisation granted to entities and oversight activities pertaining to all the regulated entities are informed to the BPSS in the form of an Annual Report. The report is also intended to track the achievement of the Payment System Vision and monitor progress of the activities undertaken by the department. In addition, ad-hoc reports are placed before the Board on functioning of various payment and settlement systems. Section 7: Co-operation with Other Regulatory Authorities 7.1 While performing oversight, it is important to have a clear understanding about the interconnectedness and interdependencies of a particular FMI and its participants with other entities not falling within the regulatory domain of RBI. 
There could be cross-sectoral risks arising from such interdependencies between the member participants of a payment system and their technology service providers. Further, in cases where systems deal with multiple public authorities, co-operation between the authorities is expected to be beneficial. Effective co-operation between authorities is thus essential and necessary to help to avoid the possibility of gaps, inefficiency, duplication and inconsistencies in the oversight function. 7.2 In addition, due to globalisation, the cross-border FMIs and payment systems have significantly increased over time. Interdependencies between FMIs operating in different jurisdictions have become more obvious with indirect connections between global banks as participants across FMIs. 7.3 Inter-Regulatory and Intra-Regulatory Committees – In order to have a coordinated approach towards regulation and supervision of FMIs and retail payment systems, the RBI has set up an Inter-regulatory Committee comprising of sectoral regulatory authorities – SEBI, IRDA, TRAI, etc., to remove frictions in regulation and ease system operator / customer comfort. The endeavour is also to have a coordinated approach to regulation and supervision within RBI across different related departments – Department of Regulation, Department of Supervision, Financial Markets Regulation Department, Financial Markets Operations Department, Foreign Exchange Department, Customer Education and Protection Department, Department of Information Technology, Department of Economic and Policy Research, Department of Statistics and Information Management, Department of Government and Bank Accounts, etc. Similar engagements are already in place with the subsidiaries of Reserve Bank – Institute for Development and Research in Banking Technology (IDRBT), Reserve Bank Information Technology Pvt. Ltd. (ReBIT), etc. 
Accordingly, an Intra-regulatory Committee has been set up to encourage regulatory cooperation and sort out issues in guidelines and instructions. The Committees shall meet at periodic intervals and help enable coordinated supervision over the regulated entities in the payments space as also facilitate augmenting growth of digital transactions in the country. 7.4 At present, there are no RBI authorised payment system operators providing payment services outside India. However, with the availability of low cost innovative digital payment products in India, many countries have expressed interest in partnering in this growth and replicating our products based on their country specific requirements. Cross-country co-operation with Bhutan is already in place with our CTS, NACH and NEFT operational there as well. NEFT is available for one-way transfers from India to Nepal. Specific interests / requests are being received for implementing CTS, NEFT, UPI, messaging solutions, etc., by certain jurisdictions. Thus, there is scope for enhancing global outreach of our payment systems, including remittance services, through active participation and co-operation in international and regional fora by collaborating and contributing to standard setting. Considering that efforts are being made to increase and widen the scope, coverage and usage of the RuPay card scheme and UPI to enhance their brand value internationally, the risks of such systems would also be high. The participants in a domestic system might become dependent on the funds they are to receive in an offshore system to fund their domestic debt position, leading to possible liquidity risk issues. This could also be on account of different time zones and the lack of suitable depth in the currency markets of such economies, more so in the event of financial distress. In such cases, there would be a requirement for constant cooperation with the concerned central banks and other regulatory authorities. 
7.5 The Reserve Bank has been facilitating the increased participation of non-bank players in the payments ecosystem in India. These entities are playing a significant role in provision of payment services by bringing in innovation and convenience to customers and leveraging on technological developments. Such entities need not necessarily be RBI-regulated and could also carry on other forms of unregulated business. With a view to ensuring that they do not pose a risk to their subsidiaries that conduct financial business regulated by any one of the financial regulators, a system is put in place for seeking information from the concerned financial regulator, so that the fit and proper criteria of the promoters and management are ensured while granting any authorisation / licence to do the relevant financial business. 7.6 Participation in Domestic and International Fora and Committees RBI is represented in various international and domestic fora pertaining to payment and settlement systems and financial market infrastructures. These, inter alia, include the Committee on Payments and Market Infrastructures (CPMI), Regulatory Oversight of LEI, Task Force on Payment Aspects of Financial Inclusion (constituted by CPMI), SAARC Payments Council, and SWIFT Oversight Forum. 7.7 Benchmarking Exercise 7.7.1 RBI has undertaken an exercise of benchmarking India’s Payment Systems vis-à-vis payment systems in a mix of 21 countries, representing advanced economies, Asian economies and the BRICS nations. The analysis was attempted under 41 indicators covering 21 broad areas including regulation, oversight, payment systems, payment instruments, payment infrastructure, utility payments, Government payments, customer protection and grievance redressal, securities settlement and clearing systems and cross border personal remittances. 
The study found that India has a strong regulatory system and robust large value and retail payment systems which have contributed to the rapid growth in the volume of transactions in these payment systems. There has been substantial growth in e-payments by Government and also in digital infrastructure in terms of mobile networks. 7.7.2 Such exercises provide a perspective on the performance of India compared to other countries in the payment systems space. They highlight strengths and weaknesses relative to comparable payments and usage trends in other countries. The exercise, therefore, attempted to (a) arrive at an understanding of preferences Indians have for making and receiving payments and how these preferences compare with other countries, and (b) measure the efficiency of our payment systems. Such exhaustive domestic and international assessments of our payment systems augment their efficiency and provide insights into areas of further focus. 7.8 Study to assess the progress of digitisation from cash to electronic 7.8.1 Cash being the well-established and widely used payment instrument, together with the simultaneous rapid increase in non-cash payments, especially those using electronic or digital modes, prompted RBI to conduct a study to assess the level of digitisation in payments. The study analysed the measures of cash (proxy for cash payments), the enablers for payment systems and the measures of electronic payments over a timeframe of the last 5 financial years to ascertain the shift in India, if any, from cash to digital payments. Further, a comparison with the 26 member countries of the Committee on Payments and Market Infrastructures (CPMI) over the same five year period has also been attempted to evaluate India’s performance vis-à-vis other countries. 
7.8.2 The parameters considered as indicative of cash payments are Currency in Circulation (CIC), Share of High Value denominated currency and Low Value denominated currency, and Cash Withdrawals from ATMs, whereas the parameters used for assessing the level of digitisation were Growth of digital payments, Digital Payments to GDP, and infrastructure. 7.8.3 The study revealed that while CIC across the country increased at a CAGR of 10.2% over the past 5 years, the CIC to GDP reduced from 11.6% in 2014-15 to 11.2% in 2018-19. The cash withdrawals from ATMs increased during the same period; however, the percentage of cash withdrawals to GDP was constant at around 17%. Further, while the digital payments in the country have witnessed a CAGR of 61% and 19% in terms of volume and value, respectively, the value of digital payments to GDP has also increased from 660% in 2014-15 to 862% in 2018-19. In addition, the deployment of ATMs has grown at a low pace (CAGR – 4%), whereas PoS terminals have, in contrast, grown at a high pace (CAGR – 35%). 7.8.4 The study findings indicate that cash, as a payment mode, is still important but it is increasingly seen as a way to store value, more than to make payments. India’s growing use of retail digital payments, along with the radical reconstruction of its cash economy, indicates a shift in the relationship with cash. This is evidenced by the steep growth observed in the retail digital payments. Section 8: Organisation of the Oversight Function 8.1 In order to conduct effective oversight, the central banks need to have the ability to carry out oversight effectively by having sufficient resources, including suitably qualified personnel and an organisational structure that allows those resources to be used effectively. It is important that those involved in carrying out oversight are able to draw on the skills and expertise of other central bank functions (for example, legal, markets, credit, audit and IT). 
8.2 A dedicated Oversight Division in the Department of Payment and Settlement Systems (DPSS) at Central Office of RBI has been institutionalised and is tasked with the responsibility to conduct oversight of all payment systems. The Central Office Oversight Division is supported by DPSS cells set-up at four Regional Offices at Mumbai, Delhi, Chennai and Kolkata. Skilled resources are drawn from other departments while undertaking the assessment / onsite inspection of FMIs / RPSs. While the DPSS Cells at four Regional Offices conduct on-site inspection of various retail payment systems and Cheque Clearing Houses, the Central Office Oversight Division carries out on-site inspection of FMIs and SWIPS (NPCI). Schedule of Activities A. FMIs The FMIs would be overseen as per the “Oversight Framework for Financial Market Infrastructures and Retail Payment Systems”. The entities covered as part of this framework and the activities to be undertaken are as follows: (i) Real Time Gross Settlement System (RTGS): RTGS system is owned and operated by the RBI. Assessment would be against the PFMIs -
(ii) Central Securities Depository (CSD) - Securities Settlement Systems (SSS): The CSD-SSS for the Government Securities system is operated by PDO / Mumbai office. Assessment would be against the PFMIs.
(iii) Clearing Corporation of India Ltd (CCIL)
(iv) National Electronic Funds Transfer (NEFT): NEFT system is owned and operated by the RBI. Though it is a retail payment system, keeping in view the volume of transactions processed by it, it will be assessed on an on-going basis against the PFMIs –
(v) National Payments Corporation of India (NPCI): The RBI oversees the NPCI, an umbrella organisation for all retail payments systems in India.
B. Retail Payment Systems The Retail Payment Systems regulated by the RBI are: (i) Cards Payment Networks
(ii) Cross-border Money Transfer – in-bound only – Operators
(iii) ATM Networks
(iv) Pre-paid Payment Instruments (PPIs)
(v) Bharat Bill Payment System (BBPS) BBPS is an integrated bill payment system which will offer interoperable bill payment service to customers online as well as through a network of agents. NPCI has been granted approval to function as the Bharat Bill Payment Central Unit (BBPCU) which is a single authorised entity operating the BBPS. The BBPCU has formulated necessary operational, technical and business standards for the entire system and its participants, after approval of the RBI. Banks and non-bank entities function as Bharat Bill Payment Operating Units (BBPOU)
(vi) Trade Receivables Discounting System (TReDS)
(vii) White Label ATM Operators (WLAOs)
(viii) Other retail payment systems
Information submitted as part of the application
PART – A: Covering the details of the applicant, constitution of applicant, address of Registered Office and Principal Offices (if applicant is a company), principal place of business, main business of the applicant company / firm / other entity, management information, etc.
PART – B: Covering particulars of Payment System sought to be set up (full details to be furnished) including process flow, technology to be used, security features, inter-operability, etc., expected benefits to the financial system / country from the operationalisation of the payment system sought to be set up, previous experience of applicant and associated companies / firms / entities in the payment systems area, type of payment system proposed to be set up, method of settlement of payment claims, namely, whether gross, net or a hybrid method combining both gross and net methods, whether the applicant or settlement agent will act as a central counterparty to provide guaranteed / secured settlement, customer grievances redressal machinery proposed for the payment system sought to be set up, the time proposed to be taken to dispose of customer complaints, etc.
PART – C: Covering amount of finance required for executing payment system project, sources of finances for executing the payment system project, rate of return on investment expected from the payment system sought to be set up, how the applicant proposes to recover investment and earn income, etc.
PART – D: Any other information the applicant wishes to furnish.
Returns, documents and other information to be submitted by Authorised Payment Systems
1. Every Authorised Payment System provider shall submit the returns as prescribed and at the frequency indicated by the RBI.
2. Details of the defaults in fulfilling the payment obligations by the system participants are to be reported on the date of occurrence.
3. Monthly return containing the details of the defaults in fulfilling the payment obligations by the system participants. This is to be submitted within seven working days from the end of the month. (The return and format for submission are as appended.)
4. Quarterly certificate from the bankers about functioning of system provider's escrow account with them.
5. Quarterly statement regarding any disputes between participants or between participants and the system provider. This is to be submitted within seven working days from the end of the quarter.
6. Annual return relating to the staff strength, income and expenditure.
7. Annual return from the system provider showing changes in its Board of Directors or partners, as the case may be, changes in shareholding pattern whereby the aggregate shareholding of an individual or a group becomes equivalent to 5% or more of the paid-up capital of the system provider and changes in Memorandum or Articles of Association of the system provider.
8. Furnishing of accounts and balance sheets:
(1) Every system provider shall furnish to the Bank within three months from the date on which its annual accounts are closed and balanced, a copy of its audited balance sheet as on the last date of the relevant year together with a copy of the profit and loss account for the year and a copy of the Auditor's report. Provided that the Bank may, on an application made by the system provider, extend the said period of three months for furnishing of returns by a further period not exceeding three months.
(2) The system provider shall also publish a copy of its balance sheet, profit and loss account and Auditor's report submitted to the Bank under sub-regulation (1), in any two leading newspapers, one in English and the other in Hindi, or place a copy of the same on its website within a period of one month from the date of submission of the same to the Bank.
The documents / information shall be submitted by the system provider from its registered office to the RBI (Department of Payment and Settlement Systems, Central Office) situated in Mumbai. The RBI may, at any time, direct that certain returns / data and documents stated above be submitted to any of its other offices as may be specified.
Data / Information to be furnished by CCIL
o Authorised CCP shall inform RBI about the appointment / reappointment of the Directors and shall send to RBI within 15 calendar days from the date of appointment by the Board, the Directors’ profile, declaration on “fit and proper” criteria submitted by Directors as prescribed and their consent to act as Directors.
o Authorised CCP shall inform about transfer or divestment within 15 calendar days of approval of transfer or divestment of equity shares by its Board.
o Monthly and Fortnightly report on Forex Participation and Settlement Statistics.
o Monthly report for trades settled in all segments.
o Details of shortage / default in any segment to be submitted to the RBI on the same day. Also submit a monthly report for each segment with the details of shortage / defaults during the month.
o Monthly certificate from auditors confirming segment-wise segregation of collaterals.
o Annual return on staff strength, income and expenditure.
o Annual return on changes in Board of Directors, changes in shareholding and changes in Memorandum of Association or Articles of Association.
o Submit Audited Balance Sheet, Profit & Loss Account & Auditors Report on an annual basis.
o Submit Operations audit report, concurrent audit report and implementation status review of the operations audit report for every month.
o Submit the IT process operation review report quarterly.
o Submit the Systems Audit report from CISA qualified auditor annually.
o Submission of ISO Audit Report annually.
o Comprehensive Risk Management Framework annually.
o Submit the report of Monthly Summary of Stress Test Result.
o Submit the investment policy for the year to the RBI annually.
o Submission of report of risk assessment by external experts annually.
o Deviations in membership eligibility criteria for participants in any segment submitted annually and periodically in case of interim review.
o Imposition of restrictions on members, as and when any restriction is imposed.
o Report on FX-CLEAR API trading activity.
o Submission of Business Continuity Plan on an annual basis.
o Submission of the Information Security Policy and Cyber Security Policy on an annual basis.
o Periodic intimation of Business Continuity Drills and submission of report thereof.
o Calendar of review items placed before the board on an annual basis.
o Information regarding any notification / circular issued to members, as and when the notification / circular is issued.
o Information regarding any changes in Bye-laws, rules and regulations, as and when the same is revised.
o Intimation and report of Table Top Exercise, as and when conducted.
o Intimation and report of Portfolio Compression Exercise in Derivatives segment, as and when conducted.
o Intimation of any disruption or delayed payment, as and when such incident occurs.
o Submission of Quantitative Disclosures on quarterly basis.
o Submission of Qualitative Disclosures on annual basis.
o Submission of Self-Assessment on annual basis.
o Submission of daily data for disclosure on RBI website.
o Every authorised CCP shall submit an audited net-worth certificate as at close of financial year from the statutory auditor within six months of the closure of the financial year.
o Submission of Default History Report of Securities / Triparty Repo segment on half-yearly basis.
o Submission of report on important issues identified by Independent Directors which may involve conflict of interest that may have significant impact on the functioning of authorised CCP or may not be in the interest of its market segments.
Overview of the Principles for Financial Market Infrastructures General organisation Principle 1: Legal basis An FMI should have a well-founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions. Key considerations
Principle 2: Governance An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders. Key considerations
Principle 3: Framework for the comprehensive management of risks An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks. Key considerations
Credit and liquidity risk management Principle 4: Credit risk An FMI should effectively measure, monitor, and manage its credit exposures to participants and those arising from its payment, clearing, and settlement processes. An FMI should maintain sufficient financial resources to cover its credit exposure to each participant fully with a high degree of confidence. In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would potentially cause the largest aggregate credit exposure to the CCP in extreme but plausible market conditions. All other CCPs should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would potentially cause the largest aggregate credit exposure to the CCP in extreme but plausible market conditions. Key considerations
Principle 5: Collateral An FMI that requires collateral to manage its or its participants’ credit exposure should accept collateral with low credit, liquidity, and market risks. An FMI should also set and enforce Key considerations
Principle 6: Margin A CCP should cover its credit exposures to its participants for all products through an effective margin system that is risk-based and regularly reviewed. Key considerations
Principle 7: Liquidity risk An FMI should effectively measure, monitor, and manage its liquidity risk. An FMI should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions. Key considerations
Settlement

Principle 8: Settlement finality
An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.
Key considerations

Principle 9: Money settlements
An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money.
Key considerations

Principle 10: Physical deliveries
An FMI should clearly state its obligations with respect to the delivery of physical instruments or commodities and should identify, monitor, and manage the risks associated with such physical deliveries.
Key considerations
Central securities depositories and exchange-of-value settlement systems

Principle 11: Central securities depositories
A CSD should have appropriate rules and procedures to help ensure the integrity of securities issues and minimise and manage the risks associated with the safekeeping and transfer of securities. A CSD should maintain securities in an immobilised or dematerialised form for their transfer by book entry.
Key considerations

Principle 12: Exchange-of-value settlement systems
If an FMI settles transactions that involve the settlement of two linked obligations (for example, securities or foreign exchange transactions), it should eliminate principal risk by conditioning the final settlement of one obligation upon the final settlement of the other.
Key consideration
Default management

Principle 13: Participant-default rules and procedures
An FMI should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations.
Key considerations

Principle 14: Segregation and portability
A CCP should have rules and procedures that enable the segregation and portability of positions of a participant’s customers and the collateral provided to the CCP with respect to those positions.
Key considerations
General business and operational risk management

Principle 15: General business risk
An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialise. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.
Key considerations

Principle 16: Custody and investment risks
An FMI should safeguard its own and its participants’ assets and minimise the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks.
Key considerations

Principle 17: Operational risk
An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.
Key considerations
Access

Principle 18: Access and participation requirements
An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.
Key considerations

Principle 19: Tiered participation arrangements
An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements.
Key considerations

Principle 20: FMI links
An FMI that establishes a link with one or more FMIs should identify, monitor, and manage link-related risks.
Key considerations
Efficiency

Principle 21: Efficiency and effectiveness
An FMI should be efficient and effective in meeting the requirements of its participants and the markets it serves.
Key considerations

Principle 22: Communication procedures and standards
An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.
Key consideration
Transparency

Principle 23: Disclosure of rules, key procedures, and market data
An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed.
Key considerations

Principle 24: Disclosure of market data by trade repositories
A TR should provide timely and accurate data to relevant authorities and the public in line with their respective needs.
Key considerations
IT Audit, Security, Fraud prevention and Risk Management Framework

A strong risk management system is necessary for the entities to meet the challenges of fraud and ensure customer protection. Entities are expected to put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.

2. In order to ensure that the technology deployed to operate the payment system/s authorised is/are being operated in a safe, secure, sound and efficient manner, the authorised entities were advised in December 2009 to furnish their respective System Audit Report (SAR) conducted by a Certified Information Systems Auditor (CISA) registered with Information Systems Audit and Control Association (ISACA) or by a holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI), on an annual basis within two months of close of their respective financial year. For entities which follow an April-March financial year, the system audit report should be submitted by 1st June of that year. Entities, which follow a calendar year annual closing, are advised to submit their system audit reports by 1st March of the following year. The scope of the System Audit should include evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc. The audit should also comment on the deviations, if any, in the processes followed from the process flow submitted to the Reserve Bank while seeking authorisation.

3. The authorised payment system operators were advised in November 2010 to observe the following minimum practices:
4. In addition, the Prepaid Payment Instrument Issuers were advised to put in place a strong risk management system and adequate information and data security infrastructure and systems to meet the challenges of fraud and ensure customer protection. They were also advised to adopt the following best practices:

i. All PPI Issuers shall put in place a Board-approved Information Security policy for the safety and security of the payment systems operated by them and implement security measures in accordance with this policy to mitigate identified risks. Entities shall review the security measures (a) on an ongoing basis but at least once a year, (b) after any security incident or breach, and (c) before / after a major change to their infrastructure or procedures.

ii. Entities shall ensure that a framework is put in place to address the safety and security concerns, and for risk mitigation and fraud prevention. Entities shall put in place a suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions. Suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions, are also to be put in place. Entities may also put in place a mechanism for velocity check on the number of transactions effected in an instrument.

iii. Entities may put in place a centralised database / management information system (MIS) to keep track of the issuance / usage of the payment instrument.

iv. Where direct interface is provided to their authorised / designated agents, entities shall ensure that compliance with regulatory requirements is strictly adhered to by these systems also.

v. Authorised non-bank PPI Issuers have also been advised to submit the System Audit Report, including cyber security audit conducted by CERT-IN empanelled auditors, within two months of the close of their financial year to the CO / respective Regional Office of DPSS, RBI. The scope of the Audit shall include the following:

vi. All entities shall, at the minimum, put in place the following framework:
5. Entities shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.

System Audit of Authorised Payment System Operators under Payment and Settlement Systems (PSS) Act, 2007 – Review of Scope and Coverage [32]

1. Authorised entities shall furnish their respective System Audit Report (SAR) conducted by CERT-IN empanelled auditors or a Certified Information Systems Auditor (CISA) registered with Information Systems Audit and Control Association (ISACA) or by a holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI), on an annual basis within two months of close of their respective financial year. For entities which follow an April-March financial year, the system audit report should be submitted by 1st June of that year. Entities, which follow a calendar year annual closing, are advised to submit their system audit reports by 1st March of the following year.

2. There should not be any conflict of interest for auditor, i.e. the firm conducting system audit or any of its sister concerns should not have been engaged in providing any type of service/s to the audited entity during the last two financial years.

3. The scope of system audit must include the items indicated below. Auditors need to comment on each item, indicating any observation (or the lack of it). Controls need to be tested for both Design (Test of Design – ToD) and Operating Effectiveness (Test of Operating Effectiveness – ToE).

(i) Information Security Governance – Assessment of the top management’s role in overseeing the development, implementation and maintenance of the organization’s information security management. It should include the following amongst others:

(ii) Access Control – Assessment of the access control mechanism in place to restrict and filter access to the IT assets of the organisation. It should include the following amongst others:

(iii) Hardware Management – Assessment of controls with regard to hardware asset management from acquisition through disposal. Validation of effectiveness of controls on secure use of removable media.

(iv) Network Security – Assessment of the countermeasures in place to protect the network from malicious attacks and minimise or eliminate the possibility of any losses being incurred by the entity as a result of the network being compromised.

(v) Data Security – Assessment of the security measures implemented across the information life cycle starting from collection / creation of data to storage, access, transmission and its eventual archival and/or deletion.

(vi) Physical and Environmental Security – Assessment of the physical and environmental security controls in place to protect assets from internal and external threats.

(vii) Human Resource Security – Assessment of the controls pertaining to human factors to prevent threats such as data leakage, data theft and misuse of data. It should include the following amongst others:

(viii) Business Continuity Management – Assessment of the disaster recovery capabilities of the audited entity and regular BCP drills. Controls should be designed so as to enable the entity to recover rapidly from any disrupting event and safely resume critical operations aligned with recovery time and recovery point objectives while ensuring security of processes and data is protected.

(ix) System Scalability – Assessment of controls relating to scalability of systems from a growth perspective and Turn Around Time (TAT) of transaction processing.

(x) IT Project Management – Assessment of controls in place for developing or acquiring new systems focusing on project risk. Examine whether systems are based on sound design principles which have built in security functionality such as Secure Software Development Life Cycle (S-SDLC) and are able to withstand malicious attacks by design and ensure that no security weaknesses have been introduced during the build process.

(xi) Vendor / Third Party Risk Management – Assessment of controls in place to ensure that outsourcing related risks are managed through adequate oversight measures that should include the following amongst others:

(xii) Incident Management – Assessment of the entity’s response mechanism in the event of a security incident. Examine the organisation’s capability to identify the incident, contain the damage, investigate the incident, effectively respond and restore normal operations as quickly as possible with the least possible impact. Also, verify the effectiveness of controls around determination and elimination of the root cause to prevent the occurrence of repeated incidents.

(xiii) Change Management – Assessment of controls in place for ensuring that changes are applied appropriately and do not compromise the information security of the organisation.

(xiv) Patch Management – Assessment of the mechanism in place to consistently monitor and configure systems and applications against known vulnerabilities in operating systems and other software.

(xv) Log Management – Assessment of the security controls around generation, transmission, access, analysis, storage, archiving and ultimate disposal of log data.

(xvi) Secure Mail and Messaging systems – Assessment of controls in place to ensure that the entity’s inbound and outbound traffic in the form of mail, messages or any other media are secure.

(xvii) Mobile and/or other Input / Output Device Management Policy – Assessment of security controls with regard to portable devices (e.g. smartphones, laptops etc.) having access to sensitive data.

(xviii) Security Testing and Source Code Review – Assessment of the adequacy of system performance under stress-load scenarios, security controls including vulnerability assessment, penetration testing, configuration review and source code review.

(xix) Online Systems Security – Assessment of controls in place to ensure security of payment information processing systems and Application Programming Interfaces (APIs) provided to internal / external applications.

(xx) Mobile Online Services (applicable for entities offering services through mobile applications) – Assessment of the controls in place to protect mobile applications provided by the entity to its customers from malicious attacks.

4. The auditors need to check open observations and compliance noted in the previous system audit so as to ensure sustained compliance.

5. Deviations, if any, in the processes followed by the entity from the process flow submitted to RBI while seeking authorisation should be mentioned by the auditor.

6. The SAR and compliance status must be placed before the Board of the entity. For each open observation, specific time-bound (maximum 3 months) corrective action must be taken and reported to RBI. It is imperative that timelines of compliance should be given adequate importance. SAR observations shall be closed only after receiving closure acceptance from the auditor.

General applicability of principles to specific type of FMIs
Applicability of PFMIs to Important Retail Payment Systems (IRPS) and Other Retail Payment Systems (ORPS)
Table of Acronyms
1 CPSS – Central Bank oversight of payment and settlement systems – May 2005

2 CPSS “Core Principles for systemically important payment systems” (January 2001), CPSS-IOSCO “Recommendations for securities settlement systems” (November 2001), and CPSS-IOSCO “Recommendations for central counterparties” (November 2004).

3 Available at the BIS website (http://www.bis.org/publ/cpss101a.pdf).

4 Real Time Gross Settlement (RTGS), Securities Settlement Systems (SSSs), Clearing Corporation of India Ltd. (CCIL) and Negotiated Dealing System (NDS).

5 “Payment system” means a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange. It includes the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations or similar operations. The term “Payment System” shall be construed as reference to a “designated trade repository”. “settlement” means settlement of payment instructions and includes the settlement of securities, foreign exchange or derivatives or other transactions which involve payment obligations.

6 Trade Repository means a person who is engaged in the business of collecting, collating, storing, maintaining, processing or disseminating electronic records or data relating to such derivatives or financial transactions, as may be specified by the RBI from time to time.

7 Schedule to PSS Regulations 2008 includes Uniform Regulations and Rules for Bankers’ Clearing Houses, PGs on National Electronic Funds Transfer (NEFT) System, Operational Manual on NEFT System, Real Time Gross Settlement (RTGS) system (Membership) Regulations, 2004, RTGS (Membership) Business Operating Guidelines, 2004, PGs on Cheque Truncation System (CTS) and Bye Laws, Rules and Regulations of Clearing Corporation of India Limited (CCIL).

8 CCIL was set up and established in 2001 as RBI’s initiative for creating a guaranteed platform for systemically important payment systems. The CCIL is owned and managed by commercial banks. It functions as a CCP for select categories of transactions such as those in the government securities, inter-bank foreign exchange market, call money market, etc. thus effectively managing and mitigating the counterparty risks arising out of possible default by any constituent.

9 NPCI was established in 2009 for acting as an umbrella organisation with the responsibility to set up and manage country’s retail payment ecosystem. Its major objective was to facilitate robust, scalable, secured and affordable payment mechanism to benefit the common man across the country and further the cause of financial inclusion.

10 The Integrated Banking Department (IBD) of RBI, Mumbai manages and operates the SSS for the government securities, both for outright and repo transactions conducted in the secondary market. Government securities (outright) are settled using DVP model 3 mechanism on a T+1 basis. Repos are settled on T+0 or T+1 basis. In addition, the IBD also acts as depository for dematerialised government securities.

11 In addition to functions of CCP, CCIL also provides non-guaranteed settlement in the rupee denominated interest rate derivatives like Interest Rate Swaps / Forward Rate Agreement market. It also provides non-guaranteed settlement of cross currency trades to banks in India through Continuous Linked Settlement (CLS) bank by acting as a third-party member of a CLS Bank settlement member.

12 The provisions of PSS Act shall apply to the designated TR as they apply to, or in relation to, payment systems to the extent applicable.

13 NDS-OM is owned by the RBI and is operated by CCIL on behalf of the RBI. NDS-OM, introduced in 2005, is an electronic, screen based, anonymous, order driven trading system for dealing in Government securities. The NDS-OM ensures complete anonymity among the participants and brings transparency in secondary market transactions in Government securities. The NDS-OM facilitates Straight-Through-Processing (STP) as all the trades on the system are automatically sent to CCIL for settlement. With the efficiency and ease of its operations, the NDS-OM today accounts for around 90 per cent of the trading volume in government securities.

14 The same is available at https://www.bis.org/cpmi/publ/d123.pdf and https://www.bis.org/cpmi/publ/d146.pdf.

15 RBI has issued direction to CCIL under Section 10 (2) and 18 of PSS Act that CCIL shall be subjected to regulation and supervision using the PFMIs. They have also been directed to adhere with the PFMI requirements for both CCP as well as TR activities.

16 https://www.bis.org/cpmi/info_pfmi.htm?m=3%7C16%7C598.

17 Central Bank Oversight of Payment and Settlement Systems, May 2005, CPSS, BIS

18 RBI has, in October 2018, issued policy directions, under Section 18 of Payment and Settlement Systems (PSS) Act, 2007, relating to capital requirements and governance framework for CCPs as also providing a framework for recognition of foreign CCPs.

19 The PFMI Principles relating to credit and liquidity risks are not applicable to CSDs and TRs as they do not face credit and liquidity risks.

20 The list of ‘Payment System Operators’ authorised by RBI to set up and operate in India under the PSS Act, 2007 is given at /en/web/rbi/-/publications/certificates-of-authorisation-issued-by-the-reserve-bank-of-india-under-the-payment-and-settlement-systems-act-2007-for-setting-up-and-operating-payment-system-in-india-12043.

21 The same is available at https://www.bis.org/cpmi/publ/d123.pdf and https://www.bis.org/cpmi/publ/d146.pdf

22 The PFMIs say that “In general, the principles are applicable to FMIs operated by central banks, as well as those operated by the private sector. Central Banks should apply the same standards to their FMIs as those that are applicable to similar private sector FMIs. However, there are exceptional cases where the principles are applied differently to FMIs operated by central banks due to requirements in relevant law, regulation, or policy.” (Para 1.23 of PFMIs).

23 PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.

24 PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.

25 Central Bank Oversight of Payment and Settlement Systems, May 2005, CPSS, BIS

26 Section 4 of PSS Act, 2007 implies that any person before commencing or operating a payment system shall obtain authorisation from the RBI and for the purpose it shall apply in a prescribed format to RBI as defined in PSS Regulations, 2008.

27 The document CPSS-IOSCO – PFMIs – Disclosure Framework and Assessment Methodology – December 2012 is available at https://www.bis.org/cpmi/publ/d106.pdf.

28 The document CPSS-IOSCO – Public quantitative disclosure standards for CCPs – February 2015 is available at https://www.bis.org/cpmi/publ/d125.pdf

29 NEFT system is a retail payment system, owned and operated by RBI.

30 The tools available to central banks to induce change vary significantly, ranging from moral suasion to statutory powers to enforce oversight decisions. The tools include: Moral suasion, public statements, Voluntary agreements and contracts, Participation in systems, cooperation with other authorities, statutory power to require change, and enforcement and sanctions.

31 https://www.bis.org/cpmi/publ/d146.htm - Guidance on cyber resilience for financial market infrastructure – June 2016.

32 Implemented vide letter DPSS.CO.OD.No. 1325/06.11.001/2019-20 dated January 10, 2020.