RBI Guidelines for Banks and Digital Payments: What’s New?

Highlight: Learn about the most recent RBI security directions governing digital payments in India.

India’s digital payments ecosystem has evolved rapidly, accelerated further by the pandemic as consumers across metro and non-metro areas increasingly adopt cashless methods such as Unified Payments Interface (UPI), Aadhaar-enabled Payments System (AePS), internet banking, and card-based transactions. To strengthen the safety and governance of these digital channels, the Reserve Bank of India (RBI) introduced new regulatory directions that set minimum security standards and governance requirements for digital payment products and services.

On December 4, 2020, the RBI announced its intention to create a robust governance structure and common security controls for internet and mobile banking as well as card payments. Following that announcement, the RBI issued the Reserve Bank of India (Digital Payment Security Controls) Directions, 2021 (referred to here as the Master Directions) on February 18, 2021. These Directions are technology- and platform-agnostic and aim to create a safer environment for customers using digital payment products.

The Master Directions directly apply to four categories of regulated entities (REs):

  • Scheduled Commercial Banks (excluding Regional Rural Banks)
  • Small Finance Banks
  • Payments Banks
  • Non-Banking Financial Companies that issue credit cards

The Master Directions introduce comprehensive requirements across governance, risk management, technology controls, customer protection, and operational resilience. Key elements of the new framework include the following.

  • Governance and policy: REs must adopt a board-approved policy for digital payment products and services, reviewed at least annually. The policy should embed processes to identify, monitor, and manage risks specific to their digital payment portfolios and explicitly address functionality, security, and performance requirements.
  • Third-party risk and outsourcing: When REs rely on third-party vendors, they must establish adequate monitoring mechanisms and controls in line with RBI outsourcing guidelines, and perform risk assessments to ensure the safety and continuity of digital payment services.
  • Network and application security: REs are required to deploy web application firewalls and DDoS mitigation techniques for internet-facing payment services. Mobile and internet banking applications must include effective logging and monitoring to track user activity, security changes, and anomalous or suspicious transactions.
  • Source code escrow: For digital payment applications licensed from third-party vendors, REs must ensure an escrow mechanism for source code to maintain service continuity if a vendor fails to perform.
  • Protection of customer data and malicious app monitoring: REs must avoid exposing sensitive customer information (such as account numbers and card details) in SMS or email communications and actively monitor for fraudulent or malicious apps on the web and in app stores, taking appropriate actions to remove or block them. Digital payment apps must securely manage, store, and protect payment data.
  • Authentication and access controls: Multi-factor authentication (MFA) is required for electronic payments and fund transfers, including cash withdrawals via ATMs or business correspondents initiated through digital applications. REs must also define and enforce limits on unsuccessful login or authentication attempts, and adopt measures like adaptive authentication and strong CAPTCHA with server-side validation to guard against brute-force and DoS attacks.
  • Session management and local data security: Mobile apps should require re-authentication after specified inactivity periods and on each launch. Apps must not store sensitive authentication data—such as user IDs, passwords, keys, or hashes—on the device and should securely erase sensitive information from memory when the user exits the app.
  • Transaction monitoring and reconciliation: REs must implement configuration and controls to detect suspicious transactional behavior and alert customers about failed authentications. A real-time reconciliation mechanism between REs and stakeholders (payment system operators, card networks, business correspondents, etc.) is mandated to improve detection and prevention of suspicious transactions.
  • Customer awareness and onboarding: REs need to integrate secure-use guidelines and training material within digital payment applications. Following major updates or during onboarding, customers should be required to review secure usage guidance, with the RE recording customer confirmation.
  • Grievance redressal and dispute resolution: The Master Directions require a clear, accessible grievance mechanism within digital payment applications that outlines how customers can lodge complaints, and REs must adhere to existing RBI directions on online dispute resolution for digital payments.
  • Payment card security standards: REs are expected to implement Payment Card Industry standards applicable to them, adopting updated versions of such standards as appropriate and feasible.
  • ATM security: Specific measures for ATMs include enforcing BIOS passwords, disabling USB ports, applying operating system and software patches, deploying terminal security solutions, disabling autorun features, implementing time-based administrative access, deploying anti-skimming and application whitelisting solutions, and upgrading ATMs to supported operating systems. The use of ATMs running unsupported operating systems is strictly prohibited.
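To make the reconciliation requirement in the transaction-monitoring bullet concrete, here is an added illustration (not code from the RBI or from any regulated entity) of a minimal real-time reconciliation check between an RE's own ledger and a payment system operator's (PSO) settlement feed. The transaction records, the `Txn` type and the `reconcile` function are constructed for this example; in practice the feed formats are defined by the PSO or card network.

```python
"""Reconcile a regulated entity's (RE) ledger against a payment system
operator's (PSO) settlement feed. Every discrepancy becomes an alert that
the RE's monitoring team can act on. All records below are constructed
sample data, not real transactions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    ref: str      # transaction reference shared by the RE and the PSO
    amount: int   # amount in paise, so no floating-point rounding
    status: str   # "SUCCESS" or "FAILED"


def reconcile(re_ledger: List[Txn], pso_feed: List[Txn]) -> List[str]:
    """Return one alert string per discrepancy; an empty list means agreement."""
    alerts: List[str] = []
    # A reference that appears more than once on either side is a replay or
    # double-posting candidate and is flagged before the per-reference checks.
    for side, txns in (("RE", re_ledger), ("PSO", pso_feed)):
        for ref, n in Counter(t.ref for t in txns).items():
            if n > 1:
                alerts.append(f"{ref}: {n} entries on {side} side (possible replay)")
    re_by_ref: Dict[str, Txn] = {t.ref: t for t in re_ledger}
    pso_by_ref: Dict[str, Txn] = {t.ref: t for t in pso_feed}
    for ref in sorted(re_by_ref.keys() | pso_by_ref.keys()):
        r, p = re_by_ref.get(ref), pso_by_ref.get(ref)
        if r is None:
            alerts.append(f"{ref}: seen by PSO only")   # debit the RE never booked
        elif p is None:
            alerts.append(f"{ref}: seen by RE only")    # stuck or unsettled transaction
        elif r.amount != p.amount:
            alerts.append(f"{ref}: amount mismatch RE={r.amount} PSO={p.amount}")
        elif r.status != p.status:
            # e.g. customer debited at the RE while the PSO reports failure
            alerts.append(f"{ref}: status mismatch RE={r.status} PSO={p.status}")
    return alerts


# Constructed sample input: T1 is double-posted at the RE, T2 differs in
# amount, T3 differs in status, T4 and T5 each exist on one side only.
RE_LEDGER = [Txn("T1", 50000, "SUCCESS"), Txn("T1", 50000, "SUCCESS"),
             Txn("T2", 120000, "SUCCESS"), Txn("T3", 9900, "FAILED"),
             Txn("T4", 75000, "SUCCESS")]
PSO_FEED = [Txn("T1", 50000, "SUCCESS"), Txn("T2", 12000, "SUCCESS"),
            Txn("T3", 9900, "SUCCESS"), Txn("T5", 30000, "SUCCESS")]

if __name__ == "__main__":
    for alert in reconcile(RE_LEDGER, PSO_FEED):
        print(alert)
```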

These Master Directions affect not only banks but also third-party payment providers and apps in how they interact with banking partners, manage customer data, and implement security controls. The rules strengthen oversight, promote consistent security practices, and aim to build trust in India’s rapidly expanding digital payments ecosystem while protecting consumer interests.