RBI sets new cyber security norms for non-bank PSOs

The RBI has issued a comprehensive set of guidelines aimed at strengthening the cyber resilience and security controls of non-bank payment system operators (PSOs). These guidelines, set out in a master circular on ‘Cyber Resilience and Digital Payment Security Controls,’ lay down a phased compliance structure based on the size of the PSO. They mandate prompt reporting of significant incidents, such as cyberattacks and system outages, to the RBI and to CERT-In.


Image source: PTI

The Reserve Bank of India (RBI) has issued guidelines for non-bank payment system operators (PSOs) to ensure their resilience in the face of current and emerging information system and cyber security risks.

The master circular on ‘Cyber Resilience and Digital Payment Security Controls,’ issued on Tuesday evening, establishes a compliance structure with different timelines for PSOs based on their size.

Large non-bank PSOs must comply with the guidelines by April 1, 2025. These include Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), Bharat Bill Payment Operating Units (BBPOUs), Payment Aggregators (PAs), non-bank ATM networks, White Label ATM Operators (WLAOs), large PPI issuers, and the Trade Receivables Discounting System (TReDS), among others.

Medium non-bank PSOs, which include cross-border (in-bound) money transfer operators under the Money Transfer Service Scheme (MTSS) and medium PPI issuers, must comply with these guidelines by April 1, 2026.

Small non-bank PSOs, such as small PPI issuers and instant money transfer operators, must abide by the norms by April 1, 2027.

Non-bank PSOs must promptly notify the RBI of any unusual incidents, including cyberattacks, outages of critical systems and infrastructure, internal fraud, and settlement delays. They are also directed to report any cyber security incident to CERT-In.

They should also implement a comprehensive data leak prevention policy that ensures the confidentiality, integrity, availability, and protection of business and customer information, both in transit and at rest, whether the data is stored on their own systems or at vendor-managed facilities, with controls proportionate to the criticality and sensitivity of the information held or transmitted.
