Business Standard

New draft rules to add another regulator, say mobile wallet firms

Adding another layer of oversight for things already being done, say many, on proposed guidelines to ensure better security

- KARAN CHOUDHURY

For mobile wallet entities, the new set of guidelines from the government under the draft Information Technology (Security of Prepaid Payment Instruments) Rules, 2017, issued for public consultation, means yet another body they would have to consult before conducting any business.

Till now, they say, they only had to adhere to Reserve Bank of India guidelines. “It means more going to two bodies for checks and balances; more paperwork for us. What they should do is to form a separate body altogether, handling all sorts of guidelines around online payments,” said a senior executive of a mobile wallet entity. The new draft rules, he added, should cover all payment methods and not only wallets.

“We already have solid cyber security measures in place and treat the data of our users with utmost care. If the government asks us to put additional measures which might be unnecessary, our costs might increase,” said another.

“We are already implementing many of these suggestions and our 55 million users and 1.5 million merchants are already benefiting from our robust security systems, which are PCI-DSS and ISO 27001 certified. Our fraud detection team carries out risk assessment on a regular basis, which ensures our grievance redressal tickets are closed within 30 minutes of raising it,” said Bipin Preet Singh, founder and chief executive, MobiKwik.

According to the new draft rules, each Prepaid Payment Instruments (PPI) company (mainly wallet firms) will have a privacy policy posted on its website. It will also have to appoint a chief grievance officer, with contact details displayed on the site. This officer will have to act upon any complaint within 36 hours and close it in a month. The draft also mandates that companies have enough safeguards in place to avoid any hacking attacks and if there is one, it is to be swiftly reported to the government agencies.

“Every e-PPI issuer shall have in place and publish on its website and mobile applications the privacy policy and the terms and conditions for use of the payment systems operated by it in simple language, capable of being understood by a reasonable person,” it said in the draft.

Also, every e-PPI issuer shall carry out risk assessment to identify and assess the risks associated with the security of the payment systems operated by it. “An ePPI issuer shall review the security measures at least once a year, and after any major security incident or breach or before a major change to its infrastructure or procedures. Issuer shall implement security measures in accordance with the information security policy to mitigate the identified risks,” it said.
