RBI Calls for Self-Regulation for Fintech
Move Seen As Way to Boost Shift to Secure Cashless Transactions
The Reserve Bank of India has called for a self-regulation approach for the fintech industry to help ensure data security.
In a recently released vision document, RBI calls for creation of a Self-Regulatory Organization that will create security standards for fintech. RBI expects the number of digital transactions to reach 87 billion by December 2021.
The document, "Payment and Settlement Systems in India: Vision 2019 - 2021," says India is moving toward "a highly digital and cash-light society."
A Need for Security Standards
Reacting to the move, Prakash Kumar Ranjan, a Gurgaon-based security researcher who works at a financial company, says: "With so many payment companies coming up and the RBI expecting digital payments to grow more than four times by December 2021, a minimum security standard is the need of the hour."
He adds: "Historically, RBI has never spelled out specific controls needed to secure your infrastructure. Even with banks, it has always given a broad security framework. It always spells out the problem areas, and leaves it to organizations to decide on solutions. The banking industry has been mature enough to adapt the latest technologies, but the same cannot be said about the fintech industry. Hence, RBI thought of having an SRO in place."
RBI anticipates the number of digital payments players in the market growing, says Yogesh Dayal, the central bank's chief general manager. "We have a 'no compromise' approach toward the safety of payments systems, which should address security vulnerabilities to retain customer confidence," he says.
In another recent move, RBI proposed fintech firms be allowed to test new products and services that might require the relaxation of certain compliance regulations in what's called a "regulatory sandbox" approach (see RBI Proposes 'Regulatory Sandbox' Approach to Testing FinTech).
A Self-Governance Approach
The RBI sees self-governance as the best approach to regulation. "There is a need for a self-regulatory governance framework to foster best practices on important aspects like security, customer protection, pricing, etc," Dayal says.
A self-regulatory organization can "cover the entire gamut of digital payment system operators," he says. "The SRO will, of course, work toward establishing minimum benchmarks and standards."
Ranjan explains: "As the name suggests, the SRO will be completely independent in its functioning. Various fintech companies will come together to elect representatives who will design and formulate minimum security standards which need to be followed by the industry."
"The SRO will spell out specific solutions to a particular problem," Ranjan says. "This will go a long way in securing digital payments. I know that in the long run, RBI plans to conduct audits [to check security controls] for payment companies much like it does with banks."
For now, it's unclear what action will be taken against companies that fail to meet the minimum security requirements. More clarity on exactly how the SRO will function and how its standards will be enforced is expected in the coming months.
Reduce Cash Transactions
RBI is leading efforts to shift India from cash-based to digital payments. And its new document mentions that RBI wants digital payments to be extended to those who do not have smartphones.
"General innovation in mobile payment services has supported app-based access limited to smartphones and such devices," Dayal says. "There is a need to innovate payment services for feature phones to provide the necessary thrust toward enhanced adoption of digital payments by various strata of society, which will be vigorously followed for implementation."
Some security experts foresee security challenges when it comes to payment systems designed to run on less sophisticated feature phones. For example, many users will require extensive training on how to securely use digital payment systems.