RBI Warns Payment System Operators of Third-Party Risks
Security Experts Say Holding Outsourcers Accountable for Fraud Prevention Is Essential
Now that the Reserve Bank of India has issued guidance on how payment system operators, or PSOs, must manage risks associated with third-party relationships to help prevent fraud, security experts say that the regulator needs to promote compliance among outsourcers and hold them accountable for fraud prevention.
Outsourcing a security activity does not reduce a PSO's obligations, because the PSO remains liable for any actions or fraud by its service providers, security experts point out. PSOs need to ensure that third-party service providers adhere to stringent data localization principles, adopt advanced monitoring capabilities and empower consumers to manage risk, they add.
The RBI has mandated that all the PSOs - and their outsourcing partners - store data domestically to help ensure security.
Ratan Jyoti, CISO at Ujjivan Small Finance Bank, says that mapping risks and periodically reviewing outsourcing policies and strategies are vital when dealing with outsourcers.
Issue With Outsourcing
RBI’s guidance is designed to put in place minimum standards to manage risks in outsourcing payment- and settlement-related activities, including onboarding customers and IT-based services.
“This framework applies to nonbank PSOs insofar as it relates to their payment and settlement-related activities,” says P. Vasudevan, RBI's chief general manager. It applies to all service providers, whether located in India or abroad.
RBI has set a deadline of March 31, 2022, for PSOs to ensure that all their outsourcing arrangements comply with the framework.
For the first time, RBI's notification states that PSOs cannot outsource core management functions, including risk management, internal audit, compliance and decision-making functions tied to KYC efforts.
When outsourcing other functions, PSOs must exercise due diligence, put in place sound and responsive risk management practices and manage the risks arising from outsourcing of activities, according to the RBI's guidance.
Risks that arise from outsourcing, the RBI says, include: compliance risk; contractual risk; cybersecurity risk; and operational, reputational and strategic risks. If critical outsourced processes are disrupted, the regulator notes, that could affect business operations, reputation, profitability and customer service.
The 100 PSOs in India must carefully evaluate the need for outsourcing critical processes and activities, select service providers based on a comprehensive risk assessment and have a board-approved comprehensive outsourcing policy, the RBI states in its guidance.
Meanwhile, security practitioners emphasize the need for PSOs to meet data localization norms and to implement secure access management as part of managing third-party risks.
Meeting data localization requirements for storing data on local servers enables PSOs to better manage security, data management and other issues, says Sriram Natarajan, president of Quinte Financial Technologies, a global fintech company.
Jyoti adds: “The engagement of a service provider in a foreign country exposes the PSO to country risk. To manage such country risk, the PSO shall closely monitor government policies and political, social, economic and legal conditions in countries where the service provider is based, both during the risk assessment process and continuously, and establish sound procedures for dealing with country risk problems.”
But many outsourcers that serve Indian PSOs are resisting data localization because it creates the extra expense of setting up large domestic data storage operations, Natarajan says.
PSOs must take the initiative to carefully monitor outsourcers' security practices, many practitioners say.
“An important component of managing third-party risks is monitoring the security technologies that vendor partners use and ensuring their policies are aligned with their cybersecurity policies," says Prakash Kumar Ranjan, head, information system audit, at Airtel Payments Bank.
The operational risk team must carry out a vendor risk assessment, due diligence check and financial check and involve an outsourcing committee in the process, he says.
“The importance of creating an inventory of third-party vendors a company uses is most critical,” Ranjan says.
Also essential, Jyoti says, is continuous monitoring of third parties' security frameworks.
Authentication and Access Management
Encryption of customer data handled by a service provider also is essential, Jyoti says.
Payments security requires risk-based authentication and intelligence-based detection and monitoring capabilities, says Singapore-based Shivakumar Sriraman, head of risk, Southeast Asia, at Visa.
The security road map to tackle the third-party risks in the payments ecosystem includes four pillars: devaluing the data, protecting it with authentication, harnessing the data and empowering consumers in managing risks, Sriraman says.
Natarajan says that a payment organization providing access management and authentication through APIs should ensure that this access is secure.
RBI's Vasudevan says PSOs must maintain a central record of all outsourcing arrangements that's readily accessible for review by the board and senior management.
PSOs must also create a management structure to monitor and control their outsourcing activities, he adds.