You are reading it here first: Nineteen out of the sixty-nine authorised payment system operators did not submit a System Audit Report (SAR) for the financial year 2020-21 as required by the Reserve Bank of India (RBI), a Right to Information (RTI) response revealed.
The central bank began demanding the annual submission of a SAR from all authorised payment system operators starting this year amidst the increasing number of cyber-security attacks and data breaches targeting Indian companies. A SAR covers the security practices of a company among other things.
Notable entities that had not submitted a SAR by the September 30 deadline include Visa, Mobikwik, State Bank of India, and Punjab National Bank.
The RTI request demanding the list of compliant entities was filed by Srikanth Lakshmanan of CashlessConsumer, a consumer collective on digital payments. In light of the revelation that many entities had not submitted this report, Srikanth told MediaNama:
While RBI highlights data security and acts hard on data residency compliance, it is laughable that basic yearly information security auditing and compliance in submission of System Audit Report within prescribed timelines is not tracked and we have seen no action against erring regulated entities. If this is the seriousness towards data security, it exposes that the agenda that drove RBI towards data localization regime is clearly not care for data security.
Payment operators that did not submit a SAR for FY 2020-21
- Visa Worldwide Pte. Limited, Singapore (Cards Payment Network)
- Bank of India (ATM network)
- Punjab National Bank (ATM network)
- State Bank of India (ATM network)
- UAE Exchange Centre LLC, UAE (Cross border Money Transfer)
- Appnit Technologies Private Limited (Prepaid Payment Instrument)
- Bajaj Finance Limited (Prepaid Payment Instrument)
- Delhi Metro Rail Corporation Limited (Prepaid Payment Instrument)
- Eko India Financial Services Private Limited (Prepaid Payment Instrument)
- E-Meditek Global Private Limited (Prepaid Payment Instrument)
- LivQuik Technology (India) Private Limited (Prepaid Payment Instrument)
- Muthoot Vehicle & Asset Finance Ltd. (Prepaid Payment Instrument)
- One Mobikwik Systems Limited – Mobikwik Wallet (Prepaid Payment Instrument and Bharat Bill Payment Operating Unit)
- Paul Merchants Finance Private Limited (Prepaid Payment Instrument)
- RapiPay Fintech Private Limited (Prepaid Payment Instrument)
- Smart Payment Solutions Pvt. Ltd. (Prepaid Payment Instrument)
- Mynd Solutions Private Limited (Trade Receivables Discounting System)
- Receivables Exchange of India Limited – RXIL (Trade Receivables Discounting System)
- CSC e-Governance Services India Ltd (Bharat Bill Payment Operating Unit)
The strange absence of Visa
In April this year, the RBI barred American Express and Diners Club from onboarding new Indian customers onto their credit card networks because they did not comply with the data localisation guidelines put forth by the central bank in 2018. In July, Mastercard joined the list of barred entities as well. While the restriction imposed on Diners was lifted on November 9, Mastercard and American Express continue to be barred.
Visa, however, did not suffer from any restrictions because it reportedly complied with the guidelines. This allowed the company to capture a large market share in the credit card space because it was the only major international card operator in India for a while.
But as part of the data localisation guidelines, payment companies had to furnish a SAR covering compliance in terms of data storage, maintenance of the database, data backup and restoration, and data security. So Visa must have submitted a SAR to demonstrate that compliance, which makes its absence from the list provided by RBI strange. It could be that Visa submitted a one-time SAR to prove that it satisfied the data localisation guidelines but did not submit the annual SAR required by RBI.
MediaNama has reached out to Visa for clarification and will update this report when we get a response.
MobiKwik already under RBI scanner for data breach
Another notable absence from the list of entities that submitted SARs is IPO-bound Mobikwik. The payment startup is already under the RBI’s scanner after suffering a data breach earlier this year, an RTI response revealed last month.
In February, cybersecurity researcher Rajshekhar Rajaharia alleged that sensitive data belonging to millions of cardholders and users stored on MobiKwik’s servers was compromised and that it was put up for sale online. In April, PTI reported that RBI had ordered a third-party forensic audit into allegations of the data breach. In the RTI response, RBI acknowledged the receipt of the forensic audit report and said that it is currently being examined.
Given these circumstances, the non-submission of a SAR makes you wonder what is going on at Mobikwik.
MediaNama has reached out to Mobikwik and will update this post once we get a response.
What is a System Audit Report?
On January 10, 2020, RBI issued a circular, which is included in appendix 7 of the Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs), that states the following:
Purpose of SAR:
In order to enhance the resilience of the payment systems by improving the current defenses in addressing new and advanced risks and also to bring in standardisation and ensure that relevant areas of information system processes and applications are covered, a revised scope and coverage of system audit has been formulated and conveyed to authorised non-bank payment system operators. — RBI
What should a SAR contain?
The scope of the System Audit should include evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc. — RBI
- Information Security Governance: This includes an assessment of the top management’s role in overseeing the organisation’s information security management such as policies related to information security, identification and assessment of threats and vulnerabilities, and reviews of information security practices.
- Access Control: An assessment of the access control mechanism in place to restrict access to the IT assets of the company such as who is allowed to access what and how this is ensured.
- Hardware Management: An assessment of controls with regard to hardware asset management from acquisition through disposal.
- Network Security: An assessment of the countermeasures in place to protect the company from malicious cyber-attacks and minimise the possibility of any losses as a result of the network being compromised.
- Data Security: An assessment of the security measures implemented across the information life cycle from data collection to archival/deletion.
- Physical and Environmental Security: An assessment of physical security controls in place to protect assets from internal and external threats.
- Human Resource Security: An assessment of the controls pertaining to human factors to prevent threats such as data leakage, data theft, and misuse of data.
- Business Continuity Management: An assessment of the capabilities of the audited entity to recover from a disaster.
- System Scalability: An assessment of the controls relating to scalability of systems from a growth perspective.
- IT Project Management: An assessment of the controls in place for developing or acquiring new systems and examining whether these systems have built-in security features.
- Vendor/Third-Party Risk Management: An assessment of controls in place to ensure that security risks related to outsourcing are managed through adequate oversight mechanisms.
- Incident Management: An assessment of the response mechanism in the event of a security incident such as the capability to identify the incident, contain the damage, investigate the incident, and effectively respond and restore normal operations.
- Change Management: An assessment of the control in place for ensuring that any changes applied do not compromise the security of the company.
- Patch Management: An assessment of the mechanism in place to monitor and configure systems and applications against known vulnerabilities.
- Log Management: An assessment of the security controls around log data from generation to disposal.
- Secure Mail and Messaging systems: An assessment of controls in place to ensure inbound and outbound traffic in the form of mail, messages or any other media are secure.
- Device Management Policy: An assessment of security controls with regard to portable devices like smartphones and laptops having access to sensitive data.
- Security Testing and Source Code Review: An assessment of the system performance under stress-load scenarios, security controls such as vulnerability assessment and penetration testing, and source code review.
- Online Systems Security: An assessment of controls in place to ensure the security of payment processing systems and application programming interfaces (APIs) provided to internal/external applications.
- Mobile Online Services: An assessment of the controls in place to protect mobile applications provided by the entity to its customers from malicious attacks.
Who is required to submit SAR? All authorised payment system operators including:
- card payment networks
- non-bank ATM networks
- cross-border money transfer operators
- pre-paid payment instruments
- Bharat Bill Payment System operators
- Trade Receivables Discounting System (TReDS) operators
- retail payments organisations (NPCI)
- Financial Market Infrastructure (The Clearing Corporation of India Ltd.)
What about companies incorporated in foreign jurisdictions? “Presently, the card payment networks, except NPCI, and Cross-border Money Transfer (in-bound service) operators are regulated and overseen by way of off-site surveillance only as they are incorporated in foreign jurisdictions. These entities are required to submit System Audit Report of their entire systems, including the domestic infrastructure, on an annual basis. […] Going forward, steps shall be taken to further intensify the oversight process for such entities by way of on-site inspections, if required,” RBI said.
Who can conduct the audits?
- CERT-In empanelled auditors
- Certified Information Systems Auditor (CISA) registered with Information Systems Audit and Control Association (ISACA)
- Holder of a Diploma in Information System Audit (DISA) qualification of the Institute of Chartered Accountants of India (ICAI)
Deadline for submission of SAR:
- Entities following April-March financial year: June 1 of that year
- Entities following January-December financial year: March 1 of the following year
- Exception for FY 2020-21: Owing to the inconvenience posed by Covid-19, RBI shifted the deadline for last financial year’s submission to September 30, 2021.
What happens after the submission of SAR? “The SAR and compliance status must be placed before the Board of the entity. For each open observation, specific time-bound (maximum 3 months) corrective action must be taken and reported to RBI. It is imperative that timelines of compliance should be given adequate importance. SAR observations shall be closed only after receiving closure acceptance from the auditor,” RBI states in its circular.
Payment operators that submitted SAR for FY 2020-21
- A.TREDS Ltd.
- Amazon Pay (India) Pvt. Ltd.
- American Express Banking Corp.
- Bahrain Financing Company, BSC (C)
- Balancehero India Private Limited
- Clearing Corporation of India Limited
- Continental Exchange Solutions Inc. USA
- Diners Club International Ltd.
- Ebix Payment Services Pvt Ltd. (formerly Itz Cash Card Limited)
- Empays Payment Systems India Pvt. Ltd.
- Eroute Technologies Private Limited
- Euronet Services India Private Limited
- Fast Encash Money Transfer Services Ltd.
- GI Technology Private Limited
- Hip Bar Private Limited
- Hitachi Payment Services Pvt. Ltd
- India Transact Services Limited
- India1 Payments Limited (formerly BTI Payments Private Limited)
- IndiaIdeas.com Limited
- Infibeam Avenues Limited (formerly Avenues India Private Limited)
- Ingenico ePayments India Private Limited (formerly TechProcess Payment Services Limited)
- LivQuik Technology (India) Private Limited
- Manappuram Finance Limited
- MasterCard Asia/ Pacific Pte. Ltd.
- MoneyGram Payment Systems Inc., USA
- Mpurse Services Pvt. Ltd.
- Muthoot Finserve USA Inc. (formerly Royal Exchange (USA), Inc.)
- National Payments Corporation of India
- Nucleus Software Exports Limited
- Obopay Mobile Technology India Private Limited
- Ola Financial Services Pvt. Ltd.
- Pay Point India Network Private Limited
- PayU Payments Private Limited
- Phonepe Private Limited
- Pine Labs Private Limited
- Premium eBusiness Ventures Private Limited
- QwikCilver Solutions Pvt. Ltd.
- Sodexo SVC India Pvt. Ltd.
- Spice Money Ltd.
- Tata Communications Payment Solutions Limited
- Transaction Analysts (India) Private Ltd
- Transcorp International Limited
- Transerv Limited
- Transfast Inc. Canada (Formerly Globle Foreign Exchange Inc.)
- Tri O Tech Solutions Private Ltd.
- Unimoni Financial Services Limited
- Vakrangee Limited
- Wall Street Exchange Centre LLC, UAE
- Weizmann Impex Service Enterprise Limited
- Western Union Financial Services Incorporated, USA