Policy Radar: Do CERT-In’s FAQs on Cybersecurity Directions help industry compliance?

Asheeta Regidi, Head, Fintech Policy at Cashfree.

Indian Computer Emergency Response Team (CERT-In) recently issued new Cybersecurity Directions, which among other requirements mandated:

  • A 6-hour reporting timeline for a list of cybersecurity incidents such as hacking, identity theft, phishing, data breaches, etc. 
  • A requirement to keep and store ICT logs for 6 months in India.
  • VPNs, cloud service providers and cryptocurrency exchanges to keep KYC/subscriber data for 5 years.

These apply to all entities, including companies, intermediaries (websites, payment companies, etc.), data centers, e-govt. service providers and so on.

Impact on the payments industry and merchants 

Given the broad scope of these directions, they impact the payments industry, merchants, banks, etc. equally.

The requirements, particularly the tight timelines and the localisation of storage and data, have raised concerns across the board, leading CERT-In to issue FAQs clarifying the directions.

Here’s looking at some key issues and how far the FAQ clarifications help:

Reporting timeline

The 6-hour reporting timeline for a blanket list of cybersecurity incidents is difficult to comply with. For instance, relevant personnel and other resources will need to be available round-the-clock to report a late-night breach. Many of the listed incidents are also undefined, creating ambiguity.

FAQs clarifications:

  • A threshold is now specified: the incident must impact public infrastructure, be large-scale or frequent, be a data breach/leak, or affect human safety.
  • Explanations for the listed incidents have been introduced. 
  • Intermediaries need to report any cybersecurity incident based on severity, even if unlisted.

Despite the clarifications, the reporting timeline is still narrower than global standards, which often range between 24 and 72 hours. Earlier, even in India, reporting only needed to be done within a reasonable time.

Additionally, identifying a given incident as a cybersecurity incident, or assessing its severity and impact, is often not possible within this timeframe, leading to possible over- or under-reporting of incidents.

ICT log storage

For the ICT log requirements, the Directions did not clarify what ICT includes, leading to ambiguity as to which logs need to be stored. ICT is a very broad term covering almost anything from computers and software to the internet and communications technology.

Another factor is that these logs need to be stored in India, introducing a data localisation angle and preventing companies from exploring economical storage options abroad. For payment companies, payments data is already subject to RBI data localisation mandates, but an impact may still be felt on other non-payments data they hold. 

FAQs clarifications:

  • The FAQs list logs from firewalls, intrusion prevention systems, web/database/mail servers, critical systems, etc. to illustrate the type of logs required.
  • Logs may also be stored outside India provided entities can produce the logs to CERT-In within a reasonable timeframe. 

While these definitely help, the list of logs is non-exhaustive, leaving uncertainty about whether the logs an entity maintains will be considered sufficient.

On data localisation, while the FAQs seem to indicate that there is no need to store logs in India, the wording could also be read as a data mirroring requirement, i.e., that entities can store data abroad but must also keep a copy in India. More clarity is thus needed on these points.

Cardless cash withdrawals at ATMs via UPI

The RBI has allowed banks, ATM networks and white-label ATM operators to provide the option of interoperable cardless cash withdrawals at their ATMs, as first announced in April. These can now be UPI based.

Impact on customers

For customers, ATM withdrawals only add to the many conveniences of UPI, not to mention the convenience of their smartphone for transactions. 

The usability of UPI is ever-increasing, from simple offline QR code payments to feature phone payments via UPI 123Pay, or even cross-border payments via the UPI-PayNow link (Singapore), etc.

Impact on card industry 

In the offline space, UPI has completely changed the landscape for payments by overtaking cards. Now, UPI-based cash withdrawals are expected to create a further change in customer payment habits. For instance, UPI volumes as of November 2021 stand at 418.64 crore vs. 54.18 crore for cards. Similarly, for transaction value over the same period, UPI is at ₹7.6 lakh crore vs. ₹1.5 lakh crore for cards.

Source: RBI

The convenience and wider applicability of UPI, particularly UPI QR codes and simple mobile number-based UPI VPAs, have already had a major impact on merchant and customer payment behavior in the offline space.

Cards are, however, regaining ground via technologies like NFC and softPoS, which allow merchants to download an app on their phones and accept card payments from customers. Even device-based tokenisation, which allows customers to store card tokens on their smartphones/smart wearables and make card payments with them, is slowly creating more use cases for cards.

RBI cancels registration of 5 NBFCs

The RBI has cancelled the certificate of registration (CoR) of 5 NBFCs for violating outsourcing norms and the Fair Practices Code (FPC) in their digital lending operations. Issues highlighted for cancellation include the charging of excessive interest rates and undue harassment of customers for loan recovery.

The move comes as the regulator tightens the noose around illegal digital lending practices, taking similar steps as in the recent past:

  • In June 2020, the RBI took initial steps requiring Digital Lending Apps (DLAs) to adhere to outsourcing norms and the FPC, and requiring banks/NBFCs to disclose on their websites the names of DLAs they have engaged, to issue loan sanction letters on the bank/NBFC’s letterhead, etc.
  • In November 2021, the RBI released its Digital Lending Report which made many short-term recommendations such as setting up of a nodal agency to verify apps, disbursing loans directly to borrower accounts, explicit consent for data collection, documented algorithmic features, and so on.

Impact on payments industry

For the payments industry, each of these steps by the RBI is important and helpful from a risk compliance point of view.

The latest cancellation of CoRs, for example, requires payments companies to cross-check whether any of these NBFCs or the specified DLAs are being serviced for payments, directly or indirectly (via partnerships), and to take action.

Impact on fintech industry

While the regulatory action has directly impacted NBFCs and digital lending players, it also points to a need for all fintech players to ensure fair, just and compliant practices, with an improved focus on consumer protection and satisfaction.

In fact, earlier this year in May, the RBI constituted a new committee to review customer service standards of all RBI-regulated entities and share suggestions.

RBI’s Digital Lending Report had indicated an increased regulatory focus on customer protection in the fintech space, also proposing National Financial Consumer Protection Regulations, a National Financial Crime Record Bureau, etc.

What changes for customers

Hopefully, customers will be the biggest beneficiaries of these steps, seeing reduced fraud and increased compliance with RBI norms amongst market players. Moreover, it will instil more confidence amongst retail borrowers struggling with harassment and other coercive recovery practices.

Other notable updates

Net-worth requirements reduced for BBPOUs

The RBI has reduced the minimum net-worth requirements for non-bank entities to set up Bharat Bill Payment Operating Units (BBPOUs) to ₹25 crore from the existing ₹100 crore. The move is likely to open doors for greater participation in the segment.

Now pay life insurance premiums from India Post’s m-banking app

The Department of Posts has launched a digital payment facility for Postal Life Insurance and Rural Postal Life Insurance through the India Post Payments Bank’s mobile banking app.

WhatsApp Pay to display users’ legal names

As a fraud mitigation measure, WhatsApp Pay has notified that it will display the user’s legal name (the name on their bank account) for every transaction. According to FAQs on WhatsApp’s website, this is a requirement set by the NPCI.

DigiSaathi enabled on WhatsApp

NPCI’s 24×7 helpline for payment products, DigiSaathi, will now be available on WhatsApp via a chatbox. In future, this will also be available on other social media channels.

RBI rejects 6 applications for universal bank/small finance bank licence

RBI has rejected 6 out of 11 applications for universal bank and small finance bank licences, including those from fintech entities and others backed by large corporate houses.

This edition has been assisted by Urmil Shah and edited by Sunny Lamba.

References:

CERT-In Directions | CERT-In FAQs | UPI-based withdrawals at ATMs | CoR cancellation by RBI
