RBI guidelines on digital payments and customer protection in unauthorized banking transactions & Payment and Settlement Systems Act, 2007
RBI has established comprehensive guidelines to enhance the security of digital payments and protect customers from unauthorized electronic banking transactions.
Digital Payment Security Controls:
In February 2021, the RBI issued the "Master Direction on Digital Payment Security Controls," applicable to Scheduled Commercial Banks, Small Finance Banks, Payment Banks, and Credit Card-issuing Non-Banking Financial Companies (NBFCs). These guidelines mandate the implementation of robust security measures across various digital payment channels, including internet banking, mobile payments, and card transactions. Key areas covered include:
- Governance and Management of Security Risks: Establishing a structured approach to identify and manage security risks associated with digital payments.
- Application Security Life Cycle (ASLC): Ensuring security is integrated throughout the development and deployment of payment applications.
- Authentication Framework: Implementing strong authentication mechanisms to verify user identities.
- Fraud Risk Management: Developing strategies to detect and mitigate fraudulent activities.
- Customer Protection and Awareness: Educating customers about security practices and providing mechanisms for grievance redressal.
Customer Protection in Unauthorized Transactions:
Zero Liability: Customers bear no liability if the unauthorized transaction results from:
- Fraud or negligence by the bank.
- Third-party breaches where the customer notifies the bank within three working days of receiving communication about the unauthorized transaction.
Limited Liability: If the unauthorized transaction occurs due to customer negligence, such as sharing payment credentials, the customer is liable until the bank is notified. For delays in reporting (four to seven working days), customer liability is limited based on the type of account, with specific caps defined by the RBI. For instance, for savings accounts, the maximum liability is ₹10,000.
Reporting and Resolution: Customers should promptly report unauthorized
transactions. Upon notification, banks are required to credit the disputed
amount to the customer's account within 10 working days, pending investigation.
The entire grievance redressal process should not exceed 90 days.
Payment and Settlement Systems Act, 2007
The Payment and Settlement Systems Act, 2007 (PSS Act) was enacted to regulate and supervise payment systems in India. It ensures the integrity and reliability of India's payment systems, protecting both customers and providers, and promoting a stable digital payment ecosystem.
1. Regulatory Authority (Section 3)
The Reserve Bank of India (RBI) is authorized to regulate and oversee payment and settlement systems in India, ensuring their security and efficiency.
2. Authorization of Payment Systems (Section 4)
All entities operating payment systems in India must obtain authorization from the RBI. The RBI assesses factors like the operator's financial status, experience, and the need for such a payment system before granting authorization.
3. Revocation of Authorization (Section 8)
RBI may revoke an entity’s authorization if it fails to comply with the Act or the terms of authorization, or if its operations are deemed harmful to the public interest or the security of the payment system.
4. Oversight and Inspection (Sections 6 and 7)
RBI has the authority to inspect any authorized payment system, ensuring compliance with safety, security, and operational standards.
5. Rights and Duties of System Participants (Section 23)
This section provides that payment system participants must follow all regulatory directions from the RBI, and the system should ensure prompt, secure settlement of transactions.
6. Settlement Finality (Section 23A)
This section ensures that once a payment instruction is settled, it is final and irrevocable. This protects participants from risks due to reversals after settlement, especially in cases of insolvency.
7. Protection for System Providers (Section 26)
This section grants immunity to system providers from liability if they act in good faith within the scope of their authorization, thus protecting them from litigation in case of unintended errors.