PTLB’s LPO Model Uses Disruptive Innovations And Technologies

Disruptive InnovationLegal process outsourcing (LPO) is not a new phenomenon in India and is in existence for long. LPO is generally managed by organisations not typically into legal practice but employing lawyers and legal professionals. As qualified lawyers are working for these organisations so legal assignments are managed effectively and efficiently. However, LPO covers very limited fields of legal services and are mostly monotonous. They are not very challenging and are usually referred to as clerical works.

On the other hand, a law firm covers vast number of legal fields and the work at such a law firm is challenging and more satisfying. Similarly, such law firm also has experience of vast majority of legal professionals most of whom are experts of their respective fields. Clearly, when a legal matter involves specialised and high end work, LPO is not the right choice. LPO comes into picture only to reduce cost for routine legal matters.

A typical LPO model involves an arrangement between a foreign law firm or company and the LPO Company established in a developing nation. As the cost of labour is much lower in developing countries in comparison of a developed country, low end works are assigned to such LPO companies. These LPO companies then execute the work in a time bound manner and provide the end result to the foreign law firm/company. This is a winning situation for both foreign law firm/company and LPO company.

As the assigned LPO work is more or less standard in nature, there is very limited use of information and communication technology (ICT) for such LPO assignments. A LPO company can execute the assignment and send it through e-mail/Internet and this ends the technology aspect for traditional LPO model. However, technology is disrupting this traditional LPO model and now LPO dealings are no more confined to just e-mail interactions.

Perry4Law’s Techno Legal Base (PTLB) has taken a bold step in this regard by launching the first ever Disruptive LPO Model of India and worldwide known as PTLB LPO. Now availing of LPO services of PTLB from any part of the world is as simple as opening of a LPO support request. This disruptive LPO model is using ICT4D for legal services aiming at reduced costs and avoidance of wastage of time and efforts.

PTLB LPO is disruptive innovation in the sense that it would create a new market and value network and eventually disrupts existing LPO market and value network in India. While we can not disclose many more features and support systems that would collaborate and support PTLB LPO in near future yet we can safely say that when we would launch these additional support services, LPO industry in India and other jurisdictions would change forever.

PTLB strongly recommend that foreign law firms and companies must at least go through the PTLB LPO platform as future of LPO is all set for a big change. These foreign law firms and companies cannot change to a disruptive LPO model immediately as it needs some basic level of understanding and working knowledge. Starting right now is the right strategy in this regard so that they can gradually shift to the same. Of course, they can also use the traditional LPO model if it suits them more.

What matters economically for the LPO business model is not the technological sophistication itself as many disruptive innovations are not advanced technologies at all. Rather, they are often novel combinations of existing off-the-shelf components, applied cleverly to existing LPO value network. The Disruptive LPO Model of PTLB would not only help new set of customers/clients but even existing customers/clients would be significantly benefitted from the same. The constructive integration of existing, new, and forward-thinking innovation(s) of PTLB LPO could improve the economic benefits of existing customers/clients, once their top management understood the systemic benefits as a whole. The simplicity of creation of a support ticket at PTLB LPO platform is unmatchable and there would be no trouble for foreign law firms/companies in quick adoption of the same.

Posted in Uncategorized | Comments Off

Centre Of Excellence For Digital India Laws And Regulations In India (CEDILRI)

Centre Of Excellence For Digital India Laws And Regulations In India (CEDILRI)Digital India is an ambitious project of Narendra Modi Government. It is another form of e-governance project but with a different name and administrative order. In Congress Government’s times, the e-governance initiatives were governed by National E-Governance Plan (NeGP) and now these initiatives are governed by Digital India project.

Both NeGP and Digital India are not governed by any legal framework or laws. This is a very serious lacuna of NeGP and Digital India as issues like e-health, e-courts, e-prison, cyber security, etc cannot be effectively managed in the absence of effective laws.

Perry4Law Organisation (P4LO) has understood this limitation of Indian Government very well. We have launched many techno legal initiatives to help national and international stakeholders who are looking for legal enablement of ICT systems in India. As far as Digital India is concerned, we have launched a dedicated platform named Centre of Excellence for Digital India Laws and Regulations in India (CEDILRI).

CEDILRI has already discussed issues like need for Digital India laws in India and e-health laws in India. Further, CEDILRI has also discussed about the establishment of National E-Health Authority (NeHA) of India while providing its suggestions in this regard. Perry4Law Organisation (P4LO), CEDILRI and other techno legal segments of P4LO have also been managing useful newsletters and updates for national and international stakeholders. These include the dailies titled Digital India, Digital India Laws, Digital India Cyber Security, Smart Cities Cyber Security in India, Privacy Laws in India, etc. These dailies and newsletters are covering cutting edge and contemporary issues about Digital India and Civil Liberties.

Perry4Law Organisation (P4LO) hopes that national and international stakeholders would find our initiatives useful. At the same time we expect the Indian Government to consider the suggestions and opinions given by the CEDILRI from time to time so that Digital India and NeGP can grow in India.

Posted in Uncategorized | Comments Off

Draft Circular Of RBI On Customer Protection–Limiting Liability Of Customers In Unauthorised Electronic Banking Transactions

Draft Circular Of RBI On Customer Protection–Limiting Liability Of Customers In Unauthorised Electronic Banking TransactionsBanks customers in India are facing many cyber problems while dealings with their respective banks. These include inadequate cyber security, illegal fund transfers due to phishing and cyber crimes, unreasonable delay in settlement of customer’s dues, etc. The problem regarding cyber security is worst. Realising the gravity of the situation, the Reserve Bank of India (RBI) finally prescribed the cyber security framework for banks in India but it has failed to inspire the banks in India so far. This is so because although the RBI has given a deadline of September 30, 2016 to the Indian banks to implement techno legal cyber security policy yet there are no signs that banks in India have actually started even considering this cyber security policy. This is just like the other policies that RBI has prescribed from time to time with no actual and practical implementation from the banks.

We at Perry4Law Organisation (P4LO) believe that this is not the fault of banks of India as it is the RBI and Indian government that have failed to enforce these policies against Indian banks. When the basic level cyber security breaches disclosure norms in India are missing, banks have no incentive and motivation to either ensure cyber security or report any possible cyber breach. It is high time for RBI and Indian government to ensure that banks in India comply with techno legal cyber law due diligence (pdf) and cyber security compliances as per the prescribed standards and rules. This is very much required for the successful implementation of the Digital India project that the current government is pushing very hard.

RBI has now released the draft circular titled Customer Protection–Limiting Liability of Customers in Unauthorised Electronic Banking Transactions for public comments. These comments can be sent to RBI on or before August 31, 2016 through post or e-mail. The draft circular has focused on reversal of erroneous debits made to customers’ accounts arising from fraudulent and other transactions. The paper has reiterated the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability. The paper has also taken into account the tremendous increase in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards while reviewing the criteria for determining the customer liability in these circumstances.

RBI has proposed the following revised directions in this regard:

(1) Strengthening of systems and procedures: Broadly, the electronic banking transactions can be divided into two categories: (i) Remote/ Online payment transactions (transactions that do not require physical payment instruments to be present at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions) and (ii) Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM , POS, etc.). The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:

(a) Appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;

(b) Robust and dynamic fraud detection and prevention mechanism;

(c) Mechanism to assess the risks (for example, gaps in the banks’ existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events; and

(d) Appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom.

(2) Reporting of unauthorised transactions by customers to banks: Banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks. The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction. The longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting fraudulent transactions that have taken place and/or loss or theft of payment instrument such as card, etc. The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of the customer’s liability.

(3) Liability of a Customer: The liability of the customer shall be as following:

(i) Zero Liability of a Customer: A customer’s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following events:

(a) Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)

(b) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

(ii) Limited Liability of a Customer: A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:

(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

(b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy. Banks shall provide the details of the bank’s policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

(iii) Overall liability of the customer in third party breaches, as detailed above, where the fault lies neither with the bank nor the customer but lies elsewhere in the system and the customer has notified as per the prescribed time framework and manner, is summarised as follows:

(a) Within 3 working days: Zero liability,

(b) Within 4-7 working days of receiving the communication: The transaction value or ₹ 5000/-, whichever is lower,

(c) Beyond 7 working days of receiving the communication: As per bank’s Board approved policy.

(4) Reversal Timeline for Zero Liability/ Limited Liability: On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

Further, banks shall ensure that:

(i) A complaint is resolved within 90 days from the date of reporting; and

(ii) In case of debit card/bank account the customer does not lose out on interest, and in case of credit card the customer does not bear any additional burden of interest.

(5) Board approved Policy for Customer Protection Policy: Taking into account the risks arising out of unauthorised debits to customer accounts owing to customer negligence/ banking system frauds/ third party breaches, banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. Banks shall formulate/ revise their customer relations policy, with approval of their Board, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic banking transactions and also prescribe the timelines for effecting such compensation, based on the circumstances of each case. The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

(6) Burden of Proof: The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.

(7) Reporting and Monitoring Requirements: The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM trasanctions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures.

Perry4Law Organisation (P4LO) strongly recommends that banks in India must now pay more attention to techno legal compliance requirements as the regulatory regime in India is fast changing.

Posted in Uncategorized | Comments Off

Internet Intermediary Liability Law In India Must Be Stringent For GST, Taxation And Cyber Law Purposes

Praveen DalalInternet intermediary liability in India has been prescribed by the Information Technology Act, 2000 (IT Act 2000) that is the cyber law of India. It has seen many ups and downs and finally it faced an unjustified and undesirable onslaught from none other than the Supreme Court of India. Clearly, the Supreme Court of India erred in delivering the judgment that created more troubles for India than solutions. It is clearly counter productive in the long run and Indian government needs to act urgently in this regard if sufficient steps have not already been undertaken by it.

The present techno legal requirements of India mandate for a stronger cyber law due diligence (pdf) for various stakeholders in India rather than a weak one. But the judgment of Supreme Court came as a big blow to the cyber law due diligence regime of India. Perry4Law Organisation (P4LO) made a strong techno legal representation to the Indian government regarding revisiting the cyber law due diligence and Internet intermediary liability obligations of various stakeholders in India. P4LO was assured by Indian government that its suggestions would be duly considered while drafting new laws and amending the existing cyber law of India.

Internet intermediaries like Google, Facebook, Twitter, etc are complying with laws of different countries. Surprisingly, when it comes to India, they are not at all interested in complying with Indian laws. Unfortunately, Indian government was not properly represented before the Supreme Court during the Section 66A case and this resulted into a wrong decision. In fact, Supreme Court was misled by stating that Internet intermediaries are not required to manage online contents in other jurisdictions. As a matter of fact, European Union, US, UK, etc have further made stringent the requirements to remove inappropriate online contents hosted on Internet intermediary platforms. However, due to industrial lobbying, the cyber law due diligence and Internet intermediary liability was made ridiculously weak in India.

When EU is enforcing right to be forgotten, India is treading in an altogether wrong direction of weak cyber law that requires urgent re-enactment. In one unfortunate case, a victim’s morphed picture was posted on Facebook and police did little to get it removed. The victim could not directly approach the Facebook as Supreme Court has ridiculously read down Section 79 making it impotent. She ultimately committed suicide and this is the net consequence of a bad decision on the part of Indian Supreme Court and inaction on the part of Indian government to bring suitable provisions in the IT Act 2000. We hope such incidence would not be repeated in future and Indian government would urgently do something in this regard.

Indian government has taken some positive steps in the direction of making Internet intermediaries and foreign companies amendable to Indian laws. India has formulated the Geospatial Information Regulation Bill, 2016 to regulate all stakeholders including foreign companies. Similarly, Perry4Law Organisation (P4LO) has been suggesting for long to make companies like Google, Facebook, Twitter, etc liable for India laws including for tax laws and cyber law. Now tax liability of companies like Google has increased in India and they may further be subjected to Indian laws through future legislations. To mitigate the adverse effects of Section 66A judgment, Indian government must urgently bring suitable amendments in the IT Act 2000 as was conveyed to P4LO.

Another area that requires suitable regulation pertain to social media and their activities having an impact within Indian territories. We have no dedicated social media regulations in India as on date. In many cases, abuse of social media in India has proved fatal for the internal security, personal property and lives of Indian citizens. Section 66A judgment has further weakened the provisions that can force the social media platforms to take down objectionable contents. Victims and public spirited individuals can no longer ask directly such social media platforms to take down objectionable contents under the IT act 2000. It smacks of double standard that social media platforms and foreign companies are bound to follow laws of all other countries regarding taking down of objectionable contents but they oppose doing the same in India. The social media laws in India need clarity and codification by Indian government.

This is a time to allow class action suits and proceedings in India against social media platforms and foreign companies rather than allowing them to twist and bypass Indian laws. The least Indian government can do is not to bow before the pressure created by industrial lobbying of these foreign companies in India. Through a collective pressure tactics of media reports and indutrial representations, these foreign companies are able to get what they want. If they fail at the government level, they approach the Supreme Court and misled it in passing judgments that are against national interest and interest of Indian citizens in the long run. In one such propaganda the foreign companies and their industrial lobbying groups have once again started targeting the proposed Goods and Services Tax (GST) Act 2016. This is because the proposed GST Act has grouped the Internet intermediary platforms/websites such as Facebook, YouTube, Twitter and online reviewers in the category of “agents” and has made them liable/responsible for inappropriate contents on their websites.

As per Section 2(2) of the proposed GST Act, an “agent” means a person who carries on the business of supply or receipt of goods and/or services on behalf of another, whether disclosed or not and includes a factor, broker, commission agent, arhatia, del credere agent, intermediary or an auctioneer or any other mercantile agent, by whatever name called, and whether of the same description as hereinbefore mentioned or not. This is a good definition by design and purpose and it should be further expanded in favour of Indian revenue generation.

Some have argued that this this definition of agent and other provisions in the GST Act could contradict the safe-harbour provision of the IT Act 2000, which exempts online platforms from being responsible for third-party or user-generated content if the Internet intermediary complies with certain conditions. Firstly, this is a baseless assumption as availing of the safe harbour by an Internet intermediary depends upon compliance of provisions of the IT Act 2000 at the first place. No Internet intermediary is absolutely immuned under the IT Act 2000 or any similar law in other jurisdictions through safe harbour provisions. On the other hand, EU and other countries have recently made the provisions of safe harbour more stringent and this has made the Internet intermediaries more responsible and law abiding in these jurisdictions. Bit when it comes to India, these Internet intermediaries raise lots of hue and cry and put pressure upon Indian government to make laws and provisions that are counter productive.

Secondly, Indian government itself is in the process of reformulating the provisions that were struck down or read down by the Supreme Court in Section 66A case. When Perry4Law Organisation (P4LO) we made a legal representation to Indian government, we were assured that new provisions would be formulated very soon and our inputs would be used for the same. When Section 79 of the IT Act 2000 itself would be amended and made compatible with the Geospatial Bill, GST Act and other similar future laws, there would be no confusion or controversy left that can be agitated by these industrial lobbies. Perry4Law Organisation (P4LO) once again strongly recommend that the IT Act 2000 in general and section 79 in particular must be suitable amended by Indian government as soon as possible for smooth functioning of Indian cyberspace. The best bet is to ensure a techno legal framework that incorporates all these suggestions and conditions.

Posted in Uncategorized | 1 Comment

SEBI Must Ensure Cyber Security And Cyber Resilience Of Stock Exchanges And Financial Market Infrastructures Of India

SEBI Must Ensure Cyber Security And Cyber Resilience Of Stock Exchanges And Financial Market Infrastructures Of IndiaCyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage as it requires tremendous techno legal expertise that very few individuals and organisations possess these days. Even the regulatory and governing framework in this regard is still evolving at the international level.

In one such latest international development, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). As per the latest cyber guidance, the safe and efficient operation of financial market infrastructures (FMIs) is essential to maintaining and promoting financial stability and economic growth. If not properly managed, FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets. In this context, the level of cyber resilience, which contributes to an FMI’s operational resilience, can be a decisive factor in the overall resilience of the financial system and the broader economy.

The cyber guidance document also mentions that financial stability may depend on the ability of an FMI to settle obligations when they are due, at a minimum by the end of the value date. An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption FMIs should exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, whilst taking into account that completion of settlement by the end of day is crucial. FMIs should also plan for scenarios in which the resumption objective is not achieved. Although authorities recognise the challenges that FMIs face in achieving cyber resilience objectives, it is also recognised that current and emerging practices and technologies may serve as viable options to attain those objectives. Furthermore, the rationale for establishing this resumption objective stands irrespective of the challenge to achieve it. The chapter on response and recovery provides guidance on how an FMI should respond in order to contain, resume and recover from successful cyber attacks.

It is clear that as per the latest cyber guidance, Indian FMIs such as exchanges, depositories and clearing corporations will have to ramp up their network resilience so as to recover and resume operations within two hours of a cyber attack. Presently, SEBI has not prescribed any time-frame for Indian stock exchanges and other players to resume operations following a cyber attack. SEBI has, however, put in place most of the other proposals outlined in the cyber guidance. But now SEBI would be required to ensure a robust and resilient cyber security infrastructure for stock exchanges and FMIs as well.

These are the first internationally agreed guidelines on cyber security for the financial industry. SEBI was part of the working group on cyber resilience, which framed the cyber guidance. SEBI may introduce these requirements for Indian stock exchanges and FMIs within next few months. Perry4Law Organisation (P4LO) welcomes these developments and is committed to extend its techno legal expertise to SEBI and Indian government for the proper implementation of this cyber guidance.

Posted in Uncategorized | Comments Off

Payment and Settlement Systems in India: Vision-2018

Payment and Settlement Systems in India Vision-2018Reserve Bank of India (RBI) has released a vision statement titled Payment and Settlement Systems in India: Vision-2018 (pdf). The objective of this vision docuemnt is to build best of class payment and settlement systems for a ‘less-cash’ India through responsive regulation, robust infrastructure, effective supervision and customer centricity. In short, the aim of this vision document is to improve the techno legal online payment infrastructure of India. Perry4Law Organisation (P4LO) welcomes this move of RBI and would come up with its detailed suggestions in due course of time.

The vision document reads as follows:

1.1 The Vision-2018 for Payment and Settlement Systems in India reiterates the commitment of the Reserve Bank of India (the Bank) to encourage greater use of electronic payments by all sections of society so as to achieve a “less-cash” society. The objective is to facilitate provision of a payment system for the future that combines the much-valued attributes of safety, security and universal reach with technological solutions which enable faster processing, enhanced convenience, and the extraction and use of valuable information that accompanies payments.

1.2 Since 2012-13, all segments of electronic payments, particularly retail electronic payments, have shown healthy growth both in terms of volume and value of usage. For example, RTGS and NEFT volumes increased almost threefold between 2013 and 2016 reflecting greater adoption of the system by all segments of users. Similarly, with increasing number of banks offering mobile banking services and driven by the growth in e-commerce and use of mobile payment applications, the volume of mobile banking transactions has increased nearly seven-fold and the value of transactions has shown a steep rise. Card transactions have also grown significantly at both ATMs as well as at the Point-of-Sale (POS) with the growth in debit card usage at POS picking up significantly. The growth in volume and value of transactions using prepaid payment instruments (PPIs) issued by banks and authorised non-bank entities has also been significant. The volume and value in Immediate Payment Service (IMPS) has also grown significantly with the development of the IMPS as a multi-channel system providing various options to customers to originate transactions. Cheque payments, on the other hand, are showing a declining trend in terms of volume as well as value between 2013 and 2016.

1.3 The broad contours of Vision-2018 revolve around the 5 Cs:

  • Coverage – by enabling wider access to a variety of electronic payment services
  • Convenience – by enhancing user experience through ease of use and of products and processes
  • Confidence – by promoting integrity of systems, security of operations and customer protection
  • Convergence – by ensuring interoperability across service providers
  • Cost – by making services cost effective for users as well as service providers

1.4 Vision-2018 focuses on four strategic initiatives viz., responsive regulation, robust infrastructure, effective supervision and customer centricity.

  1. Firstly, RBI, in consultation with all the stakeholders, will continue its efforts to create a regulatory framework to promote twin objectives of enhanced coverage with interoperability of the payments system and convenience with security for the end-users in sync with emerging developments and innovations.

  2. Secondly, building a robust payments infrastructure in the country to increase the accessibility, availability, interoperability and security of the payment systems will continue to remain a key objective.

  3. Thirdly, Vision-2018 will focus on effectiveness of supervisory mechanisms to strengthen the resilience of the Financial Market Infrastructures (FMIs) and System Wide Important Payment Systems (SWIPS) in the country besides setting up appropriate oversight framework for new systems, and augmenting the data reporting and fraud monitoring systems.

  4. Finally, Vision-2018 will adopt a customer centric approach to streamline the customer grievance redressal mechanism, focus on building customer awareness and education, and initiate customer protection measures.

2. Expected outcomes of Vision-2018

2.1 New policies that are proposed to be framed under Vision-2018 with focus on electronic payments will influence the trends in payment systems in the country. Taking into account the positive developments during the period under Vision 2012-2015, and with the concerted efforts of the Government and all other stakeholders like banks, payment system operators, users, etc.Vision-2018 is expected to result in:

  1. Continued decrease in the share of paper-based clearing instruments;
  2. Consistent growth in individual segments of retail electronic payment systems viz. NEFT, IMPS, Card transactions, mobile banking, etc.;

  3. Increase in registered customer base for mobile banking;
  4. Significant growth in acceptance infrastructure; and
  5. Accelerated use of Aadhaar in payment systems

Payment & Settlement Systems in India: Vision-2018


Building best of class payment and settlement systems for a “less-cash” India through responsive regulation, robust infrastructure, effective supervision and customer centricity






1. Orienting policy with emerging developments and innovations

Framing new policy : Policy framework for CCPs; Exit policy for authorised entities; framework for imposition of penalty; regulation of payment gateway service providers and payment aggregators; monitoring framework for new technologies

Review of existing policies / guidelines in following areas: Prepaid payment instruments (PPIs); mobile banking; White Label ATMs (WLA); Nodal account for Intermediaries

1. Facilitating faster payment services

• National Electronic Funds Transfer (NEFT) – more frequent settlement cycles and exploring feasibility of adoption of ISO messaging format

• Mobile Banking – enhancing options for customer registration for mobile banking services; enabling wider access to mobile banking services in multiple languages for non-smartphone users

• Encourage innovative mobile based payment solutions

1. Assessment of resilience of payment and settlement infrastructure including FMIs and System-Wide Important Payment Systems (SWIPS)

• Draft framework for testing resilience

• Resilience of communication / messaging infrastructure

• Resilience of IT systems of PSOs

• Building capability to process transactions of one system in another system

1. Strengthening customer grievance redressal mechanism

• Frame necessary guidelines to  ensure enhanced customer grievance redressal mechanism in authorized payment systems

• Require payment systems operators to adequately train front-office staff and agents

2. Setting up Payments System Advisory Council (PSAC) of industry and Government representatives/ experts to strengthen the consultative process 2. Improving Accessibility

• Increasing acceptance infrastructure

• Implementation of the Bharat Bill Payment System (BBPS)

• Implementation of the Trade Receivables Discounting System (TReDS)

2. Design an Oversight framework• On the basis of proportionality of risk posed by PSOs

• For large-value payment systems, retail payment systems (including IS audit), BBPS and TReDS.

2. Enhancing customer education and awareness

• Electronic Banking Awareness And Training (e- BAAT)

• Framework requiring PSOs to disclose fees and terms and conditions of their service.

3. Amendments to PSS Act

• Improved governance of Payment System Operator (PSO)

• Resolution of Central Counter Party (CCP)/ Financial Market Infrastructure (FMI)

• Non-Registration of charge on  collateral with CCPs

3. Promoting Interoperability

• Unified Payment Interface (UPI)

• Toll Collection

• Payments for Mass Transit systems

3. Strengthening reporting framework including fraud monitoring

• Move the reporting of periodic returns by payment systems operators to XBRL platform

• Draw a framework for collection of data on frauds in payment systems

3. Protection of customer interest

• Encourage PSOs to develop robust fraud and risk monitoring systems

• Endeavour to build a framework to limit customer liability for unauthorised electronic transactions

4.Strengthen Financial stability

• Encouraging adoption of Legal Entity Identifier (LEI) by financial entities

• Settlement of funds leg of financial transactions in central bank money

4. Enhancing Safety and Security

• Migration to EMV Chip & PIN cards

• EMV card processing at ATM based on chip data

• Security of ATM transactions by holistically strengthening the safety and security of ATM infrastructure

• Examining feasibility of Aadhaar-based authentication

4. Analysing data and publishing reports

• Oversight report on select retail and large value systems

• Analysis of Payment System related data within the Bank

4. Positive confirmation

• incorporate the feature of sending positive confirmation of payment to the remitter in  Real Time Gross Settlement (RTGS) system

• Strengthen positive confirmation feature of NEFT

5. Cheque clearing systems

• Endeavour to eliminate Paper-to-Follow arrangements for all cheques issued by State Governments

• Promoting use of positive pay mechanism, national archive on cheque images, etc.

• Encouraging complete migration of cheques to CTS-2010 standards

5. Conducting customer surveys

• Engage with various stakeholders / professionals to conduct user / customer surveys on specific aspects of payment systems


3. Strategic Initiatives: Responsive Regulation

3.1 Creating a Responsive Regulatory Framework is the first strategic initiative under Vision-2018.

3.2 The legal framework for payment and settlement systems in the country is provided under the Payment and Settlement Systems Act (the PSS Act), 2007. The PSS Act empowers the Bank to regulate and supervise the payment and settlement systems in the country.

3.3 In discharging its roles and responsibilities under the Act, the Bank has been putting in place policy framework, issuing guidelines and instructions to banks and authorised payment system operators relating to safety, security and efficiency of payment systems. Besides formulation of new policies and guidelines, existing policies and instructions are all continually reviewed, taking into account the feedback received from the stakeholders.

3.4 Taking into account the rapid developments and innovations in the area of payment systems, the Vision-2018 envisages a more responsive regulatory framework based on consultations with stakeholders. The policy framework will support payment system initiatives that enhance access to payment services. The principle of “similar business, similar risk, similar rules” will invariably be applied.

3.5 Accordingly, the key focus areas for responsive regulation would be:

3.5.1 New issues / areas for policy framework

  1. Policy framework for Central Counter Parties (CCPs): The CCPs are the critical financial market infrastructure (FMI) and the efficient of the same is important. RBI has already declared the policy framework for regulation and supervision of FMIs under the regulatory jurisdiction of the RBI. The PFMIs against which FMIs are assessed lay emphasis on having effective governance framework and management of various risks, including legal, credit and liquidity risks against which FMIs are assessed. To begin with, the RBI would come out with regulations on Governance, Capital/ net worth requirement, registration/authorisation of foreign CCPS. At a later date, RBI may come out with regulations on risk management, if required. This will also serve as effective criterion to measure the equivalence standards of third country regulatory framework for the purpose of recognizing foreign CCPs operating outside and desirous of applying for recognition in India under these regulations.

  2. Regulation of payment gateway service providers and payment aggregators: The increasing growth of electronic payments, especially online payments, riding the growth of e-commerce and m-commerce transactions, has brought to the fore the increasing role and importance of entities that facilitate such online payments such as payment gateway providers and payment aggregators. The current guidelines on maintenance of nodal accounts for such intermediaries (monitored through banks) are indirect and address only a few specific aspects of their functioning. Given their increasing role, the guidelines will be revised for the payments related activities of these entities.

  3. Exit Policy: Co-existence of an exit policy along with the policy on authorisation of entities which participate in the payment and settlement system is essential for the overall hygiene of the ecosystem. The exit policy would lay down the parameters and processes for voluntary exit of a payment system operator (PSO) authorised to operate a retail payment system. Such a policy would ensure that the interests of the consumers and other stakeholders are protected.

  4. Framework for imposition of penalty: Guidelines and standards for various payment and settlement systems are issued under the provisions of the PSS Act. Non-adherence to these guidelines and standards by participants and operators attract the penal provisions under the PSS Act. A framework for imposition of such penalties under the PSS Act would be put in place.

  5. Monitoring framework for new technologies / innovations: In order to ensure that regulations keep pace with the developments in technology impacting the payment space, the global level developments in technology such as distributed ledgers, blockchain etc. will be monitored, and regulatory framework, as required, will be put in place. Further, the payments eco-system is dynamically evolving with the advancements and innovations taking place, particularly in the area of FinTechs. In order to provide a platform for innovators to showcase their models to the industry, particularly in the areas of interest to payment systems and services, the Reserve Bank has organised an innovation contest through the Institute for Development and Research in Banking Technology (IDRBT). Learnings from such interfaces will also be used as inputs for policy adaptations.

3.5.2 Review of existing policies

  1. Prepaid Payment Instruments (PPIs): With increase in number of entities authorised to issue PPIs in the country, their usage for purchase of goods and services as well as funds transfer has also been growing. Over the years, the guidelines have been expanded to include several types of PPIs, some of which are not really being issued / used actively. Similarly, with growing use of PPIs, the initial forbearance given on KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanism, forfeiture of unutilised balances, fraud monitoring and reporting requirements, etc. merit a review. A comprehensive review of the PPI guidelines will be undertaken keeping in view the changing scenario.

  2. Mobile banking Guidelines: To promote mobile phones as access channel to payment and banking services, the guidelines will be reviewed to address issues related to customer registration for mobile banking, safety and security of transactions, risk mitigation and customer grievance redressal measures.

  3. White Label ATM (WLA) Guidelines: These Guidelines, formed with the objective of ensuring expansion of ATM infrastructure in rural and semi-urban areas, have not resulted in the much needed growth in ATM infrastructure in the desired geographical segments of the country due to multiple factors. The WLA Guidelines will accordingly be examined holistically and targets realigned to meet present conditions.

3.5.3 Payment System Advisory Council (PSAC)

The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), set up under the PSS Act, is the apex body for regulating and supervising the payment system related developments and policies in the country. Vision-2018 envisages setting up of a Payments System Advisory Council (PSAC) to assist the BPSS in formulation of new policies, assessing the impact of new technological developments by providing necessary insights about futuristic developments and innovations in the area. The PSAC could have representations from diverse fields such as technology, telecommunication, FinTech, security solution providers, academia, Government, etc. and strive to provide to the BPSS the necessary consultative feedback from stakeholders for making strategic decisions in the area of payment systems.

3.5.4 Amendments to PSS Act

Sound legal basis, including good governance, is the cornerstone for building a safe and efficient payments eco-system. Keeping this in view, amendments relating to settlement finality in the event of Central Counter Party (CCP) being declared insolvent or dissolved or wound down, and statutory charge on escrow account, have been made to the PSS Act which have come into effect from June 01, 2015.The Reserve Bank, as a member of the international Standard Setting Bodies (SSBs), is committed to adopting the international standards including those relating to recovery and resolution of FMIs. Efforts would, therefore, be made to bring in further amendments to the legal framework for addressing issues, such as:

  1. Resolution / insolvency of Central Counter Party (CCP) / Financial Market Infrastructure (FMI).
  2. Non-registration of charge on collateral with CCP: The Companies Act, 2013 has enlarged the meaning of „charge‟ under that Act, covering the right of system provider to appropriate collateral. In a dynamic market scenario, where the market participants constantly move in and move out the collaterals from the control of the CCP, it is practically impossible to continuously register or modify the charge. Non registration of charge under the Companies Act should not in any manner affect the right of the CCP to appropriate the collaterals and the settlement finality. As legal certainty is extremely crucial in this market, for avoiding litigation, necessary amendment to clarify this position would be taken up.

  3. Better governance in critical payment systems operators both in retail and large value payment systems by appointing observers on the board of the service providers or by appointing additional directors, as required.

3.5.5 Measures to strengthen financial stability

  1. Adoption of Legal Entity Identifier: The legal entity identifier (LEI) uniquely identifies parties to financial transactions globally. The need for this was felt in the aftermath of the last financial crisis. Use of LEI would facilitate monitoring the exposure of entities across systems. Bank would put in place a framework to encourage the adoption of LEI for certain transactions / markets / categories of institutions.

  2. Settlement of funds leg of securities and commodity market transactions in central bank money: Settlement in central bank money helps to avoid credit and liquidity risks. Towards this end, steps would be taken to implement funds settlement of all securities and commodity market transactions in central bank money.

4. Strategic Initiatives: Robust Infrastructure

4.1 Development of a Robust Payments Infrastructure is the second strategic initiative under Vision-2018.

4.2 Availability of robust infrastructure to support electronic payments is a critical factor influencing the adoption of electronic payments. This is further augmented by policies that increase the efficiency and speed of payments, enhance transaction security, facilitate risk mitigation, improve accessibility and promote interoperability. Bank will explore options to strengthen technological resilience without impeding innovation. Bank will also encourage smaller banks such as Regional Rural Banks and Cooperative Banks in adoption of modern payment systems.

4.3 Accordingly, the key focus areas for building a robust payments infrastructure would be as outlined below:

4.3.1 Facilitating faster payment services

The payments eco-system in the country provides multiple options to different segments of users for funds transfer as well as for making payments in exchange of value for goods and services. With increasing adoption of electronic payments, particularly those driving e-commerce and m-commerce, there is a growing demand for „faster‟ payment services which, in turn, facilitate ease in doing financial transactions. Towards this end, the measures that will be initiated will include:

  1. National Electronic Funds Transfer (NEFT): The growing adoption of NEFT by individuals, businesses and government agencies/departments, necessitate a review of the system to enable faster payment processing through introduction of more frequent settlement cycles. Similarly, the feasibility of adopting ISO messaging format for NEFT will be explored.

  2. Mobile Banking: The high mobile density in the country is being increasingly leveraged to offer payment services by a wide range of payment service providers so as to enable an on-the-go, faster payment experience to the customers. In addition to the efforts to on-board or increase customer registration level for mobile banking through simplified registration process and increasing the access points for same (through authorised ATM networks), the policy efforts will also focus on ensuring that access to mobile banking services is seamlessly provided to the large number of users of non-smartphone handsets in multiple languages.

  3. Service providers will be encouraged to adopt technology to provide innovative easy to use mobile based payment solutions in an interoperable environment without compromising on security.

4.3.2 Improving accessibility

In order to improve access to more electronic payment channels, Vision-2018 will give priority to the following:

  1. Increasing acceptance infrastructure for electronic payments : The large number of bank accounts opened under the Prime Minister Jan Dhan Yojana (PMJDY) as well as the large number of cards issued to these account holders, particularly in rural and semi-urban areas, necessitate that the access to electronic payment services to these customers are quickly augmented. Hence, a policy framework will be put in place for setting up necessary acceptance infrastructure including ATMs and POS, across all geographical and industry segments such as groceries, education, transport, utilities, government services, healthcare, etc. in the country.

  2. Implementation of the Bharat Bill Payment System (BBPS): BBPS, which is being set up to provide an accessible multi-tier infrastructure facilitating anytime, anywhere, any bill payment, will be made operational. Based on the progress in BBPS and its activities, the scope of payments covered under the system will also be gradually widened to include other types of services, in addition to the repetitive payments for everyday utility services such as electricity, water, gas, telephone and Direct-to-Home (DTH) planned for the present.

  3. Implementation of the Trade Receivables Discounting System (TReDS): TReDS, which is an institutional mechanism for facilitating the financing of trade receivables of MSMEs from corporate buyers through multiple financiers, will be made fully operational.Bank would pursue with other authorities/Government to amend their regulatory framework for speedier implementation and wider coverage of TReDS.

4.3.3 Promoting interoperability

The ability of customers to use and re-use a set of payment instruments seamlessly across different segments to meet a variety of payment requirements should not be constrained by a „silo‟ approach to developments in the payments eco-system. The requirement of users for seamless payment experience are met only when the payment systems are inter-operable and are able to communicate within their own segments on the basis of common standards adopted by all providers of these services. Vision-2018 envisages promoting interoperability in areas which have a high potential for driving electronic payments, including for small value transactions, such as the following:

  1. Unified Payment Interface (UPI): At present although a large number of banks are offering mobile banking services these are not completely inter-operable, especially for merchant transactions. This, in turn, has impacted the use of mobile payments for merchant / P2B (Person to Business) transactions. Full operationalisation of UPI, which aims at this customer convenience, will provide the standard interface for communication across different mobile-banking applications of banks thus facilitating inter-operability in P2B payments.

  2. Toll Collections: Collection of toll, largely done in the form of cash payments, is another segment where efforts to migrate to electronic payments have been sporadic and isolated. Such disparate developments have led to the propagation of different systems across different parts of the country, not only causing confusion and inconvenience to the customers, but also pushing them further into cash payments. Hence, electronification of the toll collection systems on a pan-India basis in an interoperable environment will be encouraged.

  3. Payments for Mass Transit Systems: Another segment which has a huge potential for migrating large number of small value cash transactions to electronic payments, is in the area of mass transit (road transport, metro rail, etc.). Though there have been developments in recent times in different parts of the country to put in place automated fare collection for mass transit systems all of them work on proprietary systems and standards, thus coming in the way of inter-operability. Hence, the focus will be to ensure that the payment mechanisms being put in place in this segment are interoperable and built on open standards, preferably using open system payment instruments.

4.3.4 Enhancing Safety and Security

Safety and security of payment systems and transactions is an important factor that helps in boosting the trust and confidence of the customers in using electronic payment mechanisms. Towards this end, Bank will continue to adopt and implement international standards and best practices that enhance payment systems security. Some of the measures envisaged include:

  1. Migration of cards to EMV Chip and PIN: Banks have been advised that all new cards issued by them should be EMV Chip and PIN cards. A roadmap for migration of all existing magnetic stripe cards to EMV Chip and PIN cards has also been laid down. Bank will continue monitoring the progress made by the banks so as to ensure adherence to the timelines.

  2. EMV card processing at ATMs: Presently the ATMs in the country read and process the card transactions only on the basis of data contained in the magnetic stripe, even though the card may be a Chip and PIN card. With the roadmap in place for issuance of EMV Chip and PIN cards, the aim will be to ensure that all the ATMs in the country migrate to processing of EMV Chip and PIN cards on the basis of Chip data rather than magnetic stripe data.

  3. Security of ATM transactions: Although ATM infrastructure is widely used for meeting cash requirements of the customers, it is increasingly being used as a channel for carrying out other non-financial transactions and delivering value-added services. As such, the operational and logical access security aspects of ATMs assume significance, and any shortcomings in these areas make the systems vulnerable to attacks by fraudsters, thus impairing customer confidence and trust. The Bank will, therefore, examine holistically the physical and logical safety and security requirements of ATMs infrastructure and issue necessary guidelines to strengthen them.

  4. Aadhaar-based authentication: Examine the technical, operational and business feasibility of using Aadhaar as a factor of authentication for payment transactions.

4.3.5 Measures for cheque clearing systems

As cheques continue to be used for limited purposes by certain segments of users, it is sought to enhance the efficiency of cheque clearing systems in the following ways:

  1. Working towards eliminating paper-to-follow arrangement for cheques issued by the State Governments so that clearing of such cheques is also based on cheque images.

  2. Promoting use of positive pay mechanism, wider use of national archive of cheque images etc.
  3. Encouraging complete migration of cheques to CTS-2010 standards for better fraud detection and more effective risk mitigation

  4. Decreasing the frequency of clearing for instruments not complying with CTS-2010 cheque standards.

4.4 The above efforts will ensure ubiquitous participation i.e., provide an environment for payment products that are broadly accessible to everyone and available to be used in a variety of circumstances taking into account convenience, cost and risk considerations.

5. Strategic Initiatives: Effective Supervision

5.1 Effective Supervision over Payment Systems and the Operators will be the third strategic initiative under Vision-2018.

5.2 As migration to alternate modes of payment, viz., electronic payments, both for financial markets as also businesses and individuals are increasing, resiliency of payment systems gains importance. Resiliency is the ability to continue to operate even if a system has failed completely by switching activity to a separate system or process or a combination of both. The assurance of the authorised payment systems‟ resilience comes from the oversight framework.

5.3 In order to have robust Payment and Settlement Systems in the country, it is not only essential to continuously self-test the resilience of the existing payment systems but also assess the various standards adopted for our systems vis-à-vis the existing international standards / best practices for similar systems. In this context, the resiliency of not just the Financial Market Infrastructures (FMIs) but also that of System-Wide Important Payment Systems (SWIPS) assumes significance.

5.4 Keeping the above in view, the Bank would be initiating the following actions in respect of FMIs and SWIPS:

5.4.1 Assessment of resilience of payment and settlement infrastructures

  1. A framework to test the resilience of (both retail and large value) payment systems in the country would be drafted.

  2. For ensuring continued operations and availability of the payment systems, resilience of communication / messaging infrastructure would be assessed.

  3. Payment systems being largely driven by changes in technology, a suitable framework to audit and assure the existence of risk control measures and resilience of their IT systems by payment systems operators would be put in place.

  4. In addition to the existing arrangements to ensure business continuity in individual payment systems, efforts would be made to enhance resilience by building necessary capability to process transactions of one system in another system. For instance, building the capability to process NEFT transactions in RTGS system and vice versa.

  5. As necessary, the support and help of external agencies, both existing and upcoming, will be taken to assess the resilience of the payment and settlement systems.

5.4.2 Oversight framework for existing and new payment systems

A well-structured oversight framework complements the framework for resilience of payment infrastructure. The following measures would be part of the oversight framework for existing and new payment systems that would be implemented:

  1. Proportionality of oversight: The intensity of oversight would be made proportionate to the systemic risks or system-wide risks posed by a payment system or operator or participant.

  2. Large-value payment systems: On-site inspection of FMIs and SWIPS would be carried out periodically with self-assessment to be carried out by FMI / SWIPS on a more frequent basis.

  3. Retail payment systems: A detailed framework on oversight of retail payment systems would be framed. The focus would continue to be on off-site surveillance, regular self-assessment and need based inspection of retail payments. As these systems are largely driven by changes in technology, an appropriate framework for IS Audit would also be put in place

  4. Bharat Bill Payment System (BBPS): An oversight framework to cover both Bharat Bill Payment Central Unit (BBPCU) and Bharat Bill Payment Operating Units (BBPOUs) will be put in place to ensure the safety, security and resilience of the BBPS.

  5. Trade Receivables Discounting System (TReDS): The TReDS will also be functioning as pan-India system. Therefore, a comprehensive oversight framework to ensure the smooth functioning of TReDS and its resilience, including the risk management framework as required, would be put in place.

5.4.3 Strengthening reporting framework including fraud monitoring

  1. Reporting framework: As part of off-site surveillance process, payment system operators (PSOs) are directed to adhere to periodic reporting requirements. The periodic returns would be moved to XBRL system. This would offer major benefits at all stages of business reporting and analysis, aiding in better quality of information and decision-making. In addition, a structured reporting framework for PSOs to communicate the findings of the audit of their IT systems along with their compliance would also be put in place.

  2. Fraud Monitoring: To further strengthen the confidence in the payment systems and minimise instances of frauds, there is a need to monitor the types of frauds that may be taking place in various payment systems. Accordingly, to begin with, a framework for collection of data on frauds in payment systems would be drawn up in consultation with the industry.

5.4.4 Data analysis and publication of reports

  1. Oversight report for retail and large value payment systems: Bank would take steps to publish a separate oversight report for payment systems in the country on a regular basis.

  2. Analysis of Payment System related data within the Bank: With automation of regulatory reporting and generation of large volumes of data, studies would be undertaken to identify the emerging trends / attributes of payment system, seasonality, pattern analysis, etc. This would strengthen the regulatory decision support system.

6. Strategic Initiatives: Customer Centricity

6.1 Focus on customer is the final key thrust areas of Vision-2018.

6.2 Customer acceptance and usage of payment products provide one half of the required network effect in payment systems with the other half coming from the entities willing to accept such payments. Confidence, convenience, and cost are key aspects that will encourage wider customer adoption and usage of electronic payments. Customers‟ increasing expectations are driving provider responses. Towards this end, Vision-2018 would strive to keep the customer interest at the centre of payment system policy actions.

6.3 The measures in this regard would include:

a. Strengthening customer grievance redressal mechanism: A robust and responsive customer grievance redressal system is essential to build an environment of trust and confidence in payment systems. Further, customer experience should be uniform irrespective of whether the service is being provided by banks or non-bank entities. Hence,

  1. The Bank would frame necessary guidelines to ensure that existing complaint redressal framework of authorised non-bank entities is improved, and that new payment systems are set up with appropriate mechanisms to address customer grievances in a proactive manner.

  2. Payment System Operators (PSOs) would also be required to adequately train their own front office staff and their agents to understand and appropriately address diverse requirements when servicing their customers.

b. Enhancing customer education and awareness: Customer confidence in payment systems is reposed with usage combined with better awareness of the product and processes. A well-informed customer base would also facilitate faster migration away from cash payments. Involvement of stakeholders in this exercise can help to reap greater benefits, and, as such, the Bank would collaborate with other stakeholders in creating an environment of awareness and education on e-payments. Hence,

  1. The Bank, in collaboration with all the stakeholders, would endeavour to enhance customer awareness through structured Electronic Banking Awareness And Training (e-BAAT) programs.

  2. Further, the Bank would prepare a framework requiring PSOs to transparently disclose all fees they charge as part of their service along with the applicable terms and conditions, including liability and use of customer data.

c. Protecting Customer‟s interest: The Bank would encourage payment system providers to adopt best practices for protecting customer interest by putting in place robust fraud and risk monitoring systems. In addition, a regulatory framework to limit customer liability in case of unauthorised transactions would be put in place.

d. Ensuring positive confirmation for RTGS transactions: Presently the NEFT system has the feature of sending positive confirmation to remitters regarding the completion of the funds transfer, thus giving an assurance to the remitter that the funds have been successfully credited to the beneficiary account. In order to provide the same confidence to customers using RTGS system for funds transfer, the Bank will incorporate the feature of positive confirmation for RTGS transactions too. Further, the feature in the NEFT system will also be strengthened by ensuring that all banks send the confirmation in a timely manner.

6.4 Conducting Customer Surveys: An important factor which contributes to refinement of policies and regulatory framework is the ability to gauge first-hand the developments / changes taking place in customer habits with respect to payment choices. In order to ascertain these changes, the Bank will engage with various stakeholders / professionals to conduct user / customer surveys over a period of time on specific aspects of payments systems. The findings from these surveys would not only provide insights into the use of existing payment products and processes by customers for meeting their various payment needs but also generate ideas for reviewing policies and empowering the users through structured awareness intervention.

Posted in Uncategorized | 1 Comment

CDSCO Working Towards Drafting New Drugs And Cosmetics Act 2016 And Medical Devices Act 2016

CDSCO Working Towards Drafting New Drugs And Cosmetics Act 2016 And Medical Devices Act 2016Medicines and medical devices are in existence for many years. Information and communication technology (ICT) has changed the way medicines and medical devices were sold in old times. Even medical devices have assumed a totally different identity with the introduction of smart technology and artificial intelligence. Now smart gadgets have connected individuals with hospitals, clinics and family doctors in a 24 x 7 x 365 mode. Health related data and information is available in real time to both doctors and the patients that has significantly improved the health of patients as remedial measures can be taken well in advance based on the data provided by smart e-health gadgets.

However, laws in India are lagging far behind and they are not compatible with the concepts like e-health, telemedicine, m-health, online pharmacies, etc. Further, India has still not enacted necessary dedicated laws for cyber security, privacy, data protection (pdf), online pharmacies, Ayurvedic preparations, etc without which Indian healthcare industry cannot grow and survive. Indian e-health and medical device manufacturers are also not complying with techno legal requirements like cyber law due diligence (pdf), encryption laws, etc. If we wish to incorporate e-health, m-health and telemedicine into a smart city model, then we have additional techno legal compliances that must be ensured.

Indian government is in the process of removing redundant and outdated laws and enacting new one as per contemporary requirements. Healthcare industry is also on the priority list of Indian government for legislative business. For instance, the Central Drugs Standards Control Organisation (CDSCO) is working towards drafting a new Drugs and Cosmetics Act, 2016 and a Medical Devices Act, 2016. The move follows after the ministry of health and family welfare initiated steps to revisit the D&C Act 1940 and Rules 1945. The objective of this step is to enact contemporary laws that can ensure safety, efficacy and quality of drugs and medical devices.

The director (Admin) of Central Drugs Standards Control Organisation (CDSCO) has on June 6, 2016 asked all state drugs controllers to give feedback based on their experience within 15 days from the said notice. There have been several transformations like new brands, biologicals and biotech drugs besides the fixed dose combinations that need a set of dedicated rules. These rules are also relevant keeping in mind the regulatory requirements of different countries where Indian medicines and medical and healthcare products are exported.

For instance, recently the United States Food and Drug Administration (U.S. FDA) issued an Import Alert 66-40 (pdf) titled Detention Without Physical Examination Of Drugs From Firms Which Have Not Met Drug GMPs. This alert deals with detention without physical examination of drugs from firms which have not met drug good manufacturing practices (GMPs). Many Indian pharmaceutical companies have been listed on this alert and import from them has been banned. In fact, Lupin has recalled 9,210 bottles of Suprax drugs for failure to pass purity test.

Border enforcement of intellectual property rights (IPRs) by countries including Europen Union has also posed problem for Indian pharmaceutical and healthcare companies. EU and India even decided to sign a letter of understanding to protect off patent generic drug consignments. Further, due to policy decisions of United States, Novartis AG’s heart drug Diovan was also kept out of patients reach. This is despite the fact that Indian patent law is in conformity with WTO and international obligations. Expiring medicine Patents can boost pharmaceutical business and e-commerce as the generic pharmaceutical companies can provide affordable drugs in large quantity.

The Drugs and Cosmetics Act & Rules 2016 will try to ensure compliance with some of these issues by the Indian pharma industry. There is also the introduction of Central Licensing Authority (CLA) along with State Licensing Authority (SLA) and Central Licensing Approval Authority (CLAA) for Schedule III drugs in the last year’s Amendment Bill. The new regulations may also cover the Uniform Code for Pharma Marketing, Formation of Task Force to formulate bulk drug policy, medical devices policy, creation of price monitoring and resource units in the state drugs control department.

Posted in Uncategorized | Comments Off

India Speeding Up Formation Of Tri Service Cyber Command For Armed Forces Of India

India Speeding Up Formation Of Tri Service Cyber Command For Armed Forces Of IndiaIndia has been working in the direction of establishing a Tri Service Cyber Command for Armed Forces of India since 2013. In the year 2014, India government reiterated its commitment to form the cyber command but again no concrete steps were taken by then government in this regard. The position remains the same till the month of June 2016 as we have no dedicated cyber command for armed forces in India till now.

However, things are going to change very soon. Some officials and analysts in India are calling for progress on the tri-service command on cyber security that is still pending approval by the Ministry of Defense. Perry4Law Organisation (P4LO) has been recommending about such cyber command since 2013 and we once again request the Indian government to do the needful in this regard. The proposed cyber command could cover all the three segments of armed forces of India. P4LO also strongly recommend that sector specific Computer Emergency Response Teams (CERTs) must also be established on the lines of CERT-In. Indian government must also expand the role of the first Chief Information Security Officer (CISO) of India, the position presently held by Dr. Gulshan Rai.

Cyber attacks against India have significantly increased and India must be well prepared to deal with the same. In fact, Indian cyberspace must be protected on a priority basis and suitable techno legal offensive and defensive mechanisms must be established by Indian government in this regard. Indian cyber security is lagging far behind as compared to other countries. India is still struggling to deal with issues like cyber warfare, cyber espionage and cyber terrorism, etc. The critical infrastructure protection in India and its problems, challenges and solutions (pdf) are still to be managed by Indian government.

At P4LO we firmly believe that a dedicated cyber warfare policy of India (Pdf) must be formulated as soon as possible. The present effort of Indian government seems to be a step towards that objective. However, the main thing is the implementation of various policies formulated from time to time. Till now Indian government has not been able to implement the objectives of the National Cyber Security Policy of India 2013 (NCSP 2013). Further, India government has also failed to integrate the NCSP 2013 with the National Security Policy of India.

Another major failure of Indian government in this regard is the failure to enact a legislation mandating strict cyber security disclosure norms in India. Although proposed in the year 2013, the disclosure norms for cyber security breaches in India are still not implemented. This would prevent actual and effective implementation of cyber security norms in India. Recently the Reserve Bank of India (RBI) has hinted for such disclosure norms on the part of banks in India. A cyber security framework for banks in India has been prescribed by RBI and banks are required to comply with the same till 30th September 2016. So work in these directions is also taking place in India although in a very slow manner.

A proposal to set up a dedicated tri-service command for cyber security has been forwarded to the Ministry of Defense after top officials with the Indian air force, army and navy approved the idea. But the plan has yet to be approved. A draft proposal for setting up a separate tri-command on cyber warfare was prepared in consultations with the chiefs of the Indian air force, Indian army and Indian navy after Chinese hackers broke into the computer systems of the headquarters of the Eastern Naval Command in Visakhapatnam in 2012 where the homemade Arihant nuclear submarine was undergoing sea trials.

During the same time, Defence Research and Development Organisation (DRDO) informed that their computer systems were breached and sensitive files were leaked. A top defence ministry officer admitted that India has delayed on the cyber security front. “Cyber command would ensure both offensive and defensive cyber security capabilities. Issues like cyber warfare, cyber espionage and cyber terrorism, etc. would be taken care of by a cyber command. Nevertheless, the proposal to set up the cyber command was kept in abeyance. P4LO hopes that Indian government would now clear the cyber command as we have a government that has both will and courage to see through this much needed project.

Posted in Uncategorized | Comments Off

Cyber Security Framework For Indian Banks Prescribed By Reserve Bank Of India (RBI)

Cyber Security Framework For Indian Banks Prescribed By Reserve Bank Of India (RBI)Cyber security in India is never given a priority and this is the reason why we have no robust and resilient cyber security infrastructure in India. Banking sector of India is no different from other businesses or industries. Cyber security of banks in India is in a very bad shape. Despite many reminders of Reserve Bank of India (RBI), banks have paid no attention to strengthen their cyber security. Banks in India are also not following any cyber crisis management plan (CCMP) for meeting cyber attacks situations. Indian government has also not prescribed any cyber breach disclosure norms in India and banks and organisations are not reporting cyber breaches happening at their branches.

Perry4Law Organisation (P4LO) has been suggesting that cyber security of banks in India needs strengthening. This is more so in the era of zero day vulnerabilities and almost invincible malware that are creating havoc upon businesses and individuals alike. Even Reserve Bank of India decided to set up an IT subsidiary to deal with cyber crimes and cyber security related issues.

It seems the Reserve Bank of India (RBI) has finally accepted the recommendation of P4LO and a cyber security framework for Indian banks has been prescribed by the Reserve Bank Of India (RBI). A notification (pdf) has been issued by RBI in this regard and now cyber security obligations of banks in India have significantly increased. This is in addition to the cyber law and cyber security obligations of directors of Indian companies as prescribed under the Indian Companies Act, 2013 (pdf). A dominant majority of directors in banking and non banking companies in India are ignoring the cyber security obligations as prescribed by the Information Technology Act, 2000, Indian Companies Act, 2013, etc.

RBI has laid down the following cyber security framework for banks in India:

(1) Use of Information Technology by banks and their constituents has grown rapidly and is now an integral part of the operational strategies of banks. The Reserve Bank, had, provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G.Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it was indicated that the measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.

(2) Since then, the use of technology by banks has gained further momentum. On the other hand, the number, frequency and impact of cyber incidents / attacks have increased manifold in the recent past, more so in the case of financial sector including banks, underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis. In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber-threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks. These would include, but not limited to, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur.

(3) There is an urgent need for a Board approved Cyber security Policy for banks in India. Banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board. A confirmation in this regard may be communicated to Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Reserve Bank of India, Central Office, World Trade Centre-I, 4th Floor, Cuffe Parade, Mumbai 400005 at the earliest, and in any case not later than September 30, 2016.

(4) It may be ensured that the strategy deals with the prescribed aspects. Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank. In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address / mitigate these risks.

(5) The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework. While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats. Depending on the level of inherent risks, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation. Riskiness of the business component also may be factored into while assessing the inherent risks. While evaluating the controls, Board oversight, policies, processes, cyber risk management architecture including experienced and qualified resources, training and culture, threat intelligence gathering arrangements, monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks, information sharing arrangements (among peer banks, with IDRBT/RBI/CERT-In), preventive, detective and corrective cyber security controls, vendor management and incident management & response are to be outlined.

(6) An arrangement for continuous surveillance must be made by the banks. Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber-attacks are such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet been done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.

(7) IT architecture should be conducive to security. The IT architecture should be designed in such a manner that it takes care of facilitating the security measures to be in place at all times. The same needs to be reviewed by the IT Sub Committee of the Board and upgraded, if required, as per their risk assessment in a phased manner. The risk cost/potential cost trade off decisions which a bank may take should be recorded in writing to enable an appropriate supervisory assessment subsequently.

(8) An indicative, but not exhaustive, minimum baseline cyber security and resilience framework to be implemented by the banks is given in Annex 1. Banks should proactively initiate the process of setting up of and operationalising a Security Operations Centre (SOC) to monitor and manage cyber risks in real time. An indicative configuration of the SOC is given in Annex 2.

(9) Comprehensively address network and database security. Recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, it has been observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, the same do not get closed due to oversight making the network/database vulnerable to cyber-attacks. It is essential that unauthorized access to networks and databases is not allowed and wherever permitted, these are through well-defined processes which are invariably followed. Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank.

(10) Ensuring Protection of customer information. Banks depend on technology very heavily not only in their smooth functioning but also in providing cutting-edge digital products to their consumers and in the process collect various personal and sensitive information. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.

(11) Cyber Crisis Management Plan. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Considering the fact that cyber-risk is different from many other risks, the traditional BCP/DR arrangements may not be adequate and hence needs to be revisited keeping in view the nuances of the cyber-risk. As you may be aware, in India, CERT-IN (Computer Emergency Response Team – India, a Government entity) has been taking important initiatives in strengthening cyber-security by providing proactive & reactive services as well as guidelines, threat intelligence and assessment of

preparedness of various agencies across the sectors, including the financial sector. CERT-IN also have come out with National Cyber Crisis Management Plan and Cyber Security Assessment Framework. CERT-In/NCIIPC/RBI/IDRBT guidance may be referred to while formulating the CCMP.

(12) CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

(13) Cyber security preparedness indicators. The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.

(14) Sharing of information on cyber-security incidents with RBI. It is observed that banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.

(15) Supervisory Reporting framework. It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents. Banks are required to report promptly the incidents, in the format given in Annex-3.

(16) An immediate assessment of gaps in preparedness to be reported to RBI. The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.

(17) Organisational arrangements. Banks should review the organisational arrangements so that the security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

(18) Cyber-security awareness among stakeholders / Top Management / Board. It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing. It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.

Perry4Law Organisation (P4LO) welcomes the step taken by RBI to strengthen the cyber security of banks in India. At the same time, we are also open to extend our techno legal cyber law and cyber security expertise to those banks that need our services. Please establish a client attorney relationship if you are a bank/director and you need our techno legal cyber security assistance.

Posted in Uncategorized | Comments Off

Cyberspace May Be Designated As An Official Operational Domain Of Warfare By NATO Members

Cyberspace  May Be Deignated As An Official Operational Domain Of Warfare By NATO MembersCyberspace has become a very hostile and turbulent domain. Sophisticated malware and cyber attacks are very common in cyberspace these days. The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) has even released a manual titled the Tallinn Manual on the International Law Applicable to Cyber Warfare (pdf) to provide an academic guidance for international cyber warfare related acts. Perry4Law Organisation (P4LO) has also launched two dedicated blogs titled International Legal Issues of Cyber Security and International Legal Issues of Cyber Attacks for all stakeholders.

Legal issues of Internet and cyberspace are very difficult to manage. For instance, authorship attribution for cross border cyber attacks convictions is a controversial and complicated area that requires attention of nations across the world. US agency DARPA has solicited innovative research proposals in the area of cyber attribution. There are many more challenges that nations around the world are facing in the cyberspace and the same can be managed only by establishing an international techno legal framework. From conflict of laws in cyberspace to civil liberties protection in cyberspace, governments around the world have to manage many sensitive, crucial and constitutional norms. This situation is further made complicated due to absence of international treaties on cyber law and cyber security (pdf).

Nevertheless, a proposed effort of NATO would be a significant step in this direction. According to media reports, NATO members will likely agree during a summit meeting in Warsaw next month to designate cyber as an official operational domain of warfare, along with air, sea, land and space. Major General Ludwig Leinhos, who heads the German military’s effort to build up a separate cyber command, told a conference at the Berlin air show that he expected all 28 NATO members to agree to the change during the coming Warsaw summit. Leinhos, who previously held a senior job at NATO headquarters, said he also expected NATO members to agree to intensify their efforts in the cyber security arena. NATO had also requested cyber security cooperation from India in the past. The United States announced in 2011 that it viewed cyberspace as an operational domain of war, and said it would respond to hostile attacks in cyberspace as it would to any other threat.

However, the bigger question is will NATO also provide warscale privacy protection and civil liberties safeguards while engaging in the cyber warfare or traditional warfare activities due to cyberspace violations? There are many more techno legal issues involved in this process, and we at P4LO hope that these issues would be resolved by NATO while recommending cyberspace as a war frontier.

Posted in Uncategorized | 1 Comment