
Supervision

Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems

The Committee on Payment and Settlement Systems (CPSS) and International Organisation of Securities Commissions (IOSCO) had, in April 2012, published 24 principles as part of their report titled 'Principles for Financial Market Infrastructures (PFMIs)'. The principles apply to all systemically important payment systems (SIPS), central securities depositories (CSDs), securities settlement systems (SSSs), CCPs and TRs (collectively 'financial market infrastructures'). In line with this approach, the RBI adopted the above international standards and, in June 2013, issued a policy document titled 'Regulation and Supervision of FMIs regulated by RBI', which detailed the criteria for designating an FMI, applicability of the PFMIs to the FMIs, tools for oversight of FMIs and other related aspects.

Since then, the country has witnessed continuous expansion in the payment landscape, not only in payment infrastructures but also in terms of volume and value of digital payment transactions. With an aim to better clarify RBI's oversight objectives and policies and in keeping with the commitment made in Vision 2019-2021, a revised policy document titled 'Oversight Framework for FMIs and Retail Payment Systems' was released on June 13, 2020. The revised framework broadly covers the legal framework for oversight, definition and scope of oversight, oversight activities, supervisory considerations that have arisen since the time of the previous document and cooperation with other regulatory authorities, etc.

Offsite supervision

Off-site supervision of authorised payment systems is conducted using various tools, such as (a) analysis of prescribed data / information received on a periodic basis from regulated entities, (b) fraud monitoring / system of alerts, (c) regular meetings with authorised PSOs, (d) market intelligence, and (e) oversight reports and surveys.

Presently, card payment networks (other than NPCI) and Cross-border Money Transfer (in-bound service) operators are regulated and overseen through off-site supervision only, as they are institutionalised in foreign jurisdictions. These entities are, however, required to submit, on an annual basis, a System Audit Report (SAR) of their entire systems, including the domestic infrastructure. RBI continuously engages with these entities to ascertain gaps, if any, in their risk assessments.

CCIL is an FMI and its oversight is done as per the oversight policy for FMIs. The offsite supervision of CCIL is undertaken through the following:

  • Self-Assessment: As a measure of enhanced transparency, CCIL is required to disclose its self-assessment in compliance with the PFMIs on an annual basis, as per the 'Disclosure Framework and Assessment Methodology', prescribed in the PFMIs. CCIL also publishes its quantitative disclosures on a quarterly basis as per the public disclosure standards for CCPs.
  • Assessment by external experts: CCIL undertakes a review of its risk models and risk management processes by external experts annually. The report submitted by the external experts is examined by the department.
  • External and / or internal audits of control measures: CCIL is required to undertake audits on an ongoing basis to verify risk control measures in existence, the suitability of such measures, effectiveness of the risk controls and adherence to the risk control measures. CCIL is required to submit to RBI the operational, technology and other audit reports as prescribed along with the compliance measures on a periodic basis. The scope and coverage of such audits are finalised in consultation with RBI.
  • System of alerts: RBI has mandated CCIL to put in place a mechanism for proactively reporting to it on a priority basis any abnormal events / developments, aberration, delays, incidents, etc., at the earliest possible time. The system of alerts is in place for shortages, defaults, margin calls, imposition of any restrictions on members, etc., in any segment. This system of alerts helps track various risk events in a timely manner to prevent any disruptions in the functioning of CCIL.
  • Reports and Returns: RBI has prescribed periodic returns that are submitted by CCIL. Further, ad hoc returns are also called for as and when necessary. This information / data is in addition to other information furnished by the entity, such as audit reports, balance sheet, minutes of board meetings, etc.
  • Prior approval of changes: The offsite monitoring and surveillance also includes assessment of any changes / amendments to the rules, regulations, bye-laws, notifications, risk management framework of the FMIs, to ensure that such changes / amendments are within the accepted risk-management and efficiency standards. Similarly, introduction of new products or changes in the structure or operation of any existing product are assessed against the PFMIs and become effective only after approval by RBI.

Onsite Inspection

Onsite inspection complements the offsite monitoring mechanism and is carried out on a periodic basis as determined by RBI. It is based on the risk profile of the entity derived from its annual self-assessment. In addition to information furnished by the entity, market intelligence, if any, is also considered during inspection.

Currently, RBI conducts onsite inspection of CCIL, NPCI, authorised PPI issuers, White Label ATM Operators, ATM Network Operators, Instant Money Transfer Operator and TReDS Operators. Of these, CCIL and NPCI are assessed against the 24 PFMIs using the 'Committee on Payments and Market Infrastructures - International Organisation of Securities Commissions (CPMI-IOSCO) - Assessment Methodology'. Onsite inspection of CCIL is conducted annually, NPCI biennially, and others either annually or biennially or triennially depending on the size of their business and volume / value of transactions handled by them.

Central Payments Fraud Information Registry (CPFIR)

With rapid advancement in the payment ecosystem and advent of non-bank entities in the payment landscape, coupled with changing technologies and digital consumer demands, new trends in payment transaction frauds are coming to light. While payment system participants and PSOs have put in place advanced security systems to protect consumers, including real-time transaction analysis, behavioural biometrics on devices, tracking technology, etc., to help identify and prevent potential frauds, the payment industry continuously demands higher levels of fraud prevention services and security technologies. It is essential to appropriately capture information pertaining to all frauds relating to payment transactions processed through payment systems which would help put in place active risk management practices to fight online fraud on internet and on mobile devices.

Accordingly, RBI has created CPFIR, a web-based reporting platform to facilitate online payment fraud reporting by system participants.

The registry of all payment related frauds helps ascertain deficiencies in the systems and processes, enables strengthening of existing controls and helps in devising additional controls as part of sound and efficient risk management processes. Faster dissemination of information on payment frauds by RBI to system participants would facilitate introduction of necessary safeguards and preventive measures to ensure that adequate caution and controls are put in place by the system participants. The aggregated fraud data will also be published to educate customers on emerging risks.

Definition of Digital Payment Transactions and Dissemination of Granular Payment System Data

RBI has been publishing data on transactions carried out using various payment systems operated by authorised PSOs. In view of the rapid developments in the payment ecosystem and evolution of new systems, products and channels used to undertake digital payment transactions, RBI reviewed the definition of digital payment transactions. It also enhanced the scope and coverage of Payment System Indicators published in its monthly RBI Bulletin to include recent payment systems and also disseminate granular details of payment transactions. Further, the payment transactions undertaken using different payment channels and details of payment system infrastructure are also disseminated. The data in the revised form and structure is being published in the RBI Bulletin from the month of January 2020 onwards.

Scope of System Audit Report (SAR)

Authorised PSOs are mandated to have a System Audit carried out on an annual basis, either by a Certified Information System Auditor (CISA) qualified auditor registered with ISACA or by a holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI).

The payment landscape has experienced extensive leveraging of advanced technology in facilitating processing of payment transactions by the PSOs as well as their service providers / intermediaries / third party vendors and other entities in the payment ecosystem. On the other hand, the number, frequency and impact of cyber incidents / attacks have increased manifold. In order to enhance the resilience of the payment systems, bring in standardisation and ensure that relevant areas of information system processes and applications are covered, the scope of SAR was revised in January 2020.

The enhanced scope broadly covers Information Security Governance, Access Control, Hardware Management, Network Security, Data Security, Physical and Environmental Security, Human Resource Security, Business Continuity Management, System Scalability, IT Project Management, Vendor / Third Party Risk Management, Incident Management, Change Management, Patch Management, Log Management, Secure Mail and Messaging systems, Mobile and/or other Input / Output Device Management Policy, Security Testing and Source Code Review, Online Systems Security, Mobile Online Services (applicable for entities offering services through mobile applications), etc.

Penalty Framework

PSS Act empowers RBI to (a) impose penalty for a contravention or a default and (b) compound contraventions of any of the punishable offences under the Act. In order to bring in transparency, RBI reviewed and revised the process of levy of penalty on authorised PSOs / banks under the PSS Act, on January 10, 2020. The revised framework centres around objectivity and transparency in the decision-making process. The decision to impose penalty and calculation of the penalty amount is based on a set of pre-defined objective criteria. Further, adequate opportunities are provided to the PSOs / banks to present their case.

Business Continuity Plan (BCP)

New situations like failure of a major bank, a pandemic situation, etc., bring out unique solutions and warrant an aggressive approach as well. BCP plans get tested in live scenarios and for extended periods. Such BCP plans include situations of non-availability of adequate and critical resources, places of normal operations, etc.

In view of the situation arising out of COVID-19 in March 2020, a host of unprecedented measures were taken to ensure seamless and unhindered operation of not only centralised payment systems (RTGS and NEFT) but also payment systems operated by other operators, like IMPS, UPI, NACH, CTS, cards, etc. Coordinated efforts with Government, PSOs and Regulated Entities (REs), including banks and non-banks, ensured uninterrupted functioning of all PSS operating across the country. Further, certain relaxations were given to REs to allow them to cope with the restrictions in physical movement.

The day-to-day operations of the RTGS system were shifted to be carried out from the Primary Data Centre (PDC). Staff performing critical functions pertaining to centralised payment systems were isolated in a quarantined environment at a hotel near the PDC with necessary travel arrangements in place. The hotel, PDC and vehicles were sanitised regularly to safeguard employee welfare. Two teams of staff, with an additional team on permanent standby, ensured seamless operations. Rotation of staff every fortnight, after thorough screening by RBI in-house doctors, facilitated unhindered operations.

Sustained efforts were undertaken by the department to ensure that PSOs and their services were declared as 'essential services'. The Government DBT payments to help the poor and marginalised commenced on a large scale in April 2020 and were smoothly facilitated by the NACH-APBS.

CCIL implemented business continuity measures by entering into an arrangement with a hotel in the vicinity to provide accommodation exclusively for its key staff personnel. Similar arrangements were also in place at the on-city secondary site and the remote disaster recovery site with minimum staff essential to take over in case of any disruption in the activities at the primary site. The staff and participants were provided remote access to the systems through Virtual Private Network (VPN) facility to facilitate operations with skeletal staff working from office. Further, to minimise risks and to ensure that market participants maintain adequate checks and supervisory controls while optimising the thin resources and ensuring safety of personnel, trading hours for various markets were reduced / revised in April 2020.

RBI has also put in place a Standard Operating Procedure (SOP) to be followed when a bank is placed under All Inclusive Directions or Moratorium so that payment systems can operate without any disruption. The SOP gets refined with every incident and is circulated amongst all the stakeholder departments in the Reserve Bank for co-ordinated and effective implementation in a seamless manner. The SOP was tested in the incident of March 2020 and modified with the experience gained, which ensured that payment systems operated smoothly after the November 2020 incident.

Source : RBI

Last Modified : 9/17/2021


