The Reserve Bank of India (RBI) will soon issue cybersecurity norms for payment service providers (PSPs), following a series of data breaches faced by operators including Mobikwik and payment aggregator JusPay, a top RBI official said.
While the standards for fintech-driven payment services providers will be similar to cyber hygiene norms issued recently for banks and non-banking finance companies, the RBI is quite clear that firms will have to do more than observe the minimum standards to ensure safety as digital transactions gain further traction.
“On cyber frauds, Reserve Bank of India has issued very recently basic guidelines on cyber hygiene and cybersecurity for banks and certain NBFCs,” said RBI executive director T. Rabi Sankar. “We would follow that up with respect to other entities such as payments systems operators in the payments space. Those are getting finalised and will be issued soon,” he added.
“Having said that, the minimum standards set by the regulator for the regulated entities are needed, but they would never be enough. As digitisation increases in any sphere, payments or otherwise, as people do more and more digital transactions, institutions themselves will have to do more than the minimum standards that regulators set, to deal with any cybersecurity threats,” he said, adding that individual users would also need to be alert as there is no alternative to being aware of the risks in undertaking digital transactions.
Mr, Sankar, who was speaking at a webinar on ‘Banks, Finance and the changing form of technology’ hosted by RIS, India International Centre and the University of Essex, also raised concerns about the domination of two or three players in the fintech-backed retail payments space.
“Look at the popularity of UPI because of the client base of a couple of Big Tech companies. But this process has to be managed…. the concentration of two or three third-party providers in this retail payments space could give rise to competitive weaknesses. That is a challenge that we need to look at and solve going forward,” he said.
Over the next decade, the critical challenge for regulators would be to speed up the absorption of fintech without undermining the financial system’s integrity or stability, he asserted.
Stressing that there are not too many payment systems in India and the number of players is limited, Mr. Sankar observed that two apps provide about 70% of third-party services in the UPI system.
“Strictly speaking, they are not providers as such, as they are just the front-end and just onboard customers. They have no control on the entire UPI itself. In that sense, there is not so much a concern on antitrust or monopolistic tendencies because there is hardly any pricing that happens there,” the central bank official said.
‘No antitrust norms’
The National Payments Corporation of India (NPCI) had laid down a framework for a more even distribution of share of third-party app providers in the UPI system, the senior RBI official noted, adding that the regulator was, however, not looking at any antitrust provisions against dominant players at this juncture.
“If UPI is gaining popularity, you will have to think twice about stepping in and controlling the market share of two or three popular apps because that could actually hurt absorption of this tech in the population,” he said.
