Assessing RBI's Interoperability Moves
Guidelines Should Help Ease Monitoring of Security
The Reserve Bank of India's new guidelines on interoperability of prepaid payment instruments will lead to better management of cybersecurity and security audits. But many questions are yet to be answered.
Interoperability refers to the ability to transfer data from one prepaid payment instrument to another in a standard and seamless format.
The issuance of the guidelines is a welcome step for mobile wallet companies that have been waiting for this announcement for months. As a result of interoperability, consumers eventually will no longer have to subscribe to multiple e-wallets. They will be able to freely move money from a know-your-customer compliant digital wallet offered by one company to another wallet, and, eventually, to bank accounts.
The RBI has directed all non-card PPIs to accommodate the Unified Payments Interface, or UPI, developed by the National Payments Corporation of India (NPCI).
While compliance with the interoperability guidelines is expected to make the entire payment experience seamless for end users, it puts an additional onus on NPCI to secure its network. A single vulnerability in that network can impact millions of customers across various wallets.
"Payments security will be a big factor of importance now because the digital trail will be spread between multiple entities," says Dharshan Shanthamurthy, CEO at SISA, a payment security specialist firm. "The motivation of someone to break into the system has also just gotten higher."
The move to interoperability will not only help with tracing transactions but also provide a single platform for all e-Wallet providers. It will also lead to better management and monitoring of security for all wallets.
"Security is expected to improve as RBI will ask PPI providers to undergo standard and stringent security audits," says Rakesh Goyal, a cybersecurity expert at Sysman Computers. "Each PPI provider will now have two aspects of security: Their own application/infrastructure and the interface with UPI, which will be the same standard for all. With interoperability, NPCI can have PPI providers security audited regularly."
Over the years, RBI has been recognized for promptly adopting the latest security technologies. Nevertheless, India has experienced many attacks against banks. Many banks have failed to implement RBI's mandate on security measures such as adopting a SOC.
The RBI's issuance of interoperability guidelines comes after the Supreme Court on Sept. 26 barred private firms, including payment companies, from accessing Aadhaar details of consumers. The decision impacted telecom and wallet companies that had been using Aadhaar-based authentication to onboard customers (see: Banks to Discontinue Aadhaar-based Payments Through UPI, IMPS).
Today, there's no clarity on the alternative means to authenticate customers online without accessing Aadhaar. Most payment firms have designed their wallets with Aadhaar authentication in mind.
Plus, RBI has not specified any timeline for implementation of the interoperability guidelines, which are to be enabled in three phases. In the first phase, interoperability of PPIs issued in the form of wallets will be introduced through UPI. In the second phase, interoperability between wallets and bank accounts through UPI would be introduced. And in the last phase, interoperability for PPIs issued in the form of cards would be implemented through card networks, the RBI notification says.
With no timeline, it could take years before the measures actually get implemented.
Furthermore, payment firms claim there still isn't any clarity on the exact procedures for interoperability. So the payments industry is waiting for RBI's next announcement.