Introduction

The regulatory environment for Non-Banking Financial Companies (“NBFCs”) is largely shaped by the Reserve Bank of India (“RBI”), which prescribes an overarching, ever-evolving framework for NBFCs through its various directions. This guide delves into critical directives covering various cybersecurity and data protection guidelines for NBFCs, which shape the operational landscape for NBFCs engaging in diverse financial services, from credit card issuance to information technology management.

Part A – RBI Master Directions Applicable to NBFCs

1. Directions on Managing Risks and Code of Conduct in Outsourcing Financial Services by Non-Banking Financial Companies, 2023 (“MD on Outsourcing of Financial Services”)

The MD on Outsourcing of Financial Services lays down the safeguards that an NBFC is required to implement when it outsources any of its financial services to a service provider. The service provider may be an affiliated entity within the NBFC’s corporate group or an entity external to the group. Typically, ‘outsourced financial services’ include, inter alia, application processing (for example, loan origination or credit card applications), document processing, marketing and research, supervision of loans, data processing, and back-office activities.[1]

2. Master Directions on Outsourcing of Information Technology Services, 2023

The MD on Outsourcing of Information Technology Services aims to mitigate the risks that regulated entities (“REs”) face when they materially outsource Information Technology (“IT”) or IT-enabled services, as identified under the Directions, to third-party providers of such services.

3. Master Directions on Credit and Debit Card Directions, 2022

The RBI issued the Master Direction – Credit Card and Debit Card – Issuance and Conduct Directions[2] (“Credit and Debit Card Directions”) dated April 21, 2022, which apply to banks and NBFCs issuing credit and debit cards and set out the compliances a card issuer must undertake for online safety. The Credit and Debit Card Directions contain a detailed set of instructions on the issuance of credit, debit and co-branded cards, telemarketing, billing and related matters, to be followed by card issuers, and should be read along with the payment, technology and cyber security regulations issued by the RBI that apply to credit, debit and co-branded cards.

4. Master Directions on Information Technology Framework for the Non-Banking Financial Companies Sector, 2017

The MD on IT Framework lays down thresholds that an NBFC is required to maintain with respect to IT governance, IT policy, information and cyber security, IT operations, IS audit, business continuity planning, and outsourcing of IT Services.

5. Master Directions on Digital Payments Security Controls, 2021 (“DPSC”)

5.1 Applicability 

The DPSC Directions are applicable to credit card-issuing NBFCs (hereafter referred to as “DPSC REs”).

5.2 Compliance Requirements

The DPSC Directions prescribe the following controls for all DPSC REs:

Governance and Management of Security Risks[3]

i. formulate a board-approved policy for digital payment products and services, addressing payment security requirements, infrastructure availability, secure product development and testing, capacity building, customer service continuity, dispute resolution, and review mechanisms. The board and senior management must implement the policy and review it at least annually;

ii. incorporate processes for identifying, analyzing, monitoring, and managing risks associated with digital payment products and services. The board/senior management must have performance monitoring systems which assess operational and security compliance;

iii. define product-level limits on the level of acceptable security risk, and document specific security objectives and performance criteria, including quantitative benchmarks for evaluating the success of security measures. Actual results should be compared against these benchmarks so that concerns are addressed in a timely manner;

iv. have trained resources to manage digital payment infrastructure and implement oversight for third-party service providers in line with RBI outsourcing guidelines;

v. conduct risk assessments considering technology, vulnerabilities, third-party dependencies, integration risks, customer experience, compliance, interoperability, data protection laws and compatibility;

vi. evaluate risks associated with technology platforms and application architecture in order to address identified threats, and disable unused features to minimise risk;

vii. develop internal control systems to protect data integrity, customer confidentiality and security;

viii. ensure robust and scalable digital payment architecture, aligned with transaction volumes and customer growth and periodically review the IT/IT security architecture and technology platform; and

ix. test backed-up data and applications for digital products at least half-yearly to ensure recovery without loss of transactions.

Other Security Controls

i. communication protocols in digital payment channels should adhere to secure standards and implement appropriate encryption and security measures;[4]

ii. web applications should not store sensitive information in insecure locations;

iii. implement Web Application Firewall (“WAF”) and Distributed Denial of Service (“DDoS”) mitigation techniques for secure digital payment services;

iv. adopt strong encryption and hashing algorithms, cipher suites and protocols based on accepted standards, in compliance with applicable instructions and regulations;

v. timely renew digital certificates used in the digital payment ecosystem; and

vi. mobile and internet banking applications should have effective logging, monitoring and anomaly detection capabilities.

Application Security Life Cycle (“ASLC”)

i. implement multi-tier application architecture segregating application, database, and presentation layers;[5]

ii. follow a ‘secure by design’ approach in developing digital payment products, embedding security in the development lifecycle;[6]

iii. define security objectives throughout the application lifecycle, including the requirements gathering, design, development, testing, implementation, maintenance and decommissioning phases;[7]

iv. adopt a threat modelling approach during application lifecycle management;[8]

v. for third-party licensed digital payment applications, regulated entities must have escrow arrangements for the source code to ensure continuity of services;[9]

vi. conduct security testing, including source code review, Vulnerability Assessment (“VA”) on a half yearly basis and Penetration Testing (“PT”) on a yearly basis, to assure application security. Testing should cover compliance with standards like Open Web Application Security Project (“OWASP”);[10]

vii. use automated VA scanning tools to scan critical systems on the network regularly;[11]

viii. address vulnerabilities identified in earlier scans, either by patching, implementing controls, or accepting residual risks;[12]

ix. perform vulnerability scanning in authenticated mode with necessary administrative rights;[13]

x. thoroughly test functionality and security controls of payment products and services before launch or production deployment;[14]

xi. institute a mechanism to actively monitor for unauthorised/malicious applications and take appropriate action to remove them;[15]

xii. server infrastructure should prevent non-genuine or unauthorised digital payment products and ensure robust and centralised authentication processes;[16]

xiii. digital payment applications should prioritise secure handling, storage, and protection of payment data, following relevant standards and guidelines for application security. DPSC REs must refer to relevant OWASP standards, ISO 12812 guidelines, National Institute of Standards and Technology (“NIST”) guides for application security and other protection measures to identify vulnerabilities;[17] and

xiv. redact/mask customer information during transmission via SMS/emails.[18]
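As an added illustration of item xiv above (masking customer information in SMS/e-mail alerts), the following Python code is an example written for this guide and is not part of the DPSC Directions or of any RE’s system. It masks a card number, account number, mobile number and e-mail address before they are placed in a transaction alert, and then runs a Luhn-based scan over the outbound text as a last-line check that no full card number slipped through a template. The customer record, the masking formats and the alert wording are constructed assumptions.

```python
import re

# Constructed sample record for the example (not real customer data).
CUSTOMER = {
    "name": "A. Sharma",
    "pan": "4111111111111111",        # well-known test card number, passes Luhn
    "account": "001234567890",
    "mobile": "+919876543210",
    "email": "a.sharma@example.com",
}


def mask_card(pan: str) -> str:
    """Show only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "XXXX XXXX XXXX " + digits[-4:]


def mask_account(account: str) -> str:
    """Replace all but the last four digits of an account number."""
    digits = re.sub(r"\D", "", account)
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_mobile(mobile: str) -> str:
    """Keep the last four digits of a mobile number."""
    digits = re.sub(r"\D", "", mobile)
    return "XXXXXX" + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def contains_full_pan(text: str) -> bool:
    """True if the text contains a digit run that looks like an unmasked card number."""
    for match in _PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return True
    return False


def render_alert(customer: dict, amount: float, merchant: str) -> str:
    """Build a transaction alert with masked identifiers; refuse to send if a full PAN is present."""
    message = (
        f"Dear {customer['name']}, INR {amount:.2f} was spent at {merchant} "
        f"using card {mask_card(customer['pan'])} linked to account "
        f"{mask_account(customer['account'])}. If this was not you, call the "
        f"number on the back of your card."
    )
    if contains_full_pan(message):
        raise ValueError("outbound alert contains an unmasked card number")
    return message


if __name__ == "__main__":
    print(render_alert(CUSTOMER, 1250.0, "Example Store"))
    print(mask_mobile(CUSTOMER["mobile"]), mask_email(CUSTOMER["email"]))
```

The Luhn scan is deliberately placed after templating rather than relying on each template author remembering to call the masking helpers; a template that interpolates the raw record will fail closed instead of sending the card number.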

Authentication Framework

i. implement multi-factor authentication for electronic payments and fund transfers, with at least one dynamic or non-replicable authentication method;[19]

ii. set limits on failed login or authentication attempts and have procedures for reactivating access. Customers should be notified of failed attempts.[20]
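To make items i and ii concrete, here is an added Python example written for this guide (not code from the DPSC Directions or from any RE): a password-plus-TOTP (RFC 6238) login check in which a replayed one-time code is rejected, failed attempts are counted and notified to the customer, the account is locked after a configurable number of failures, and reactivation is an explicit, separately recorded step. The limit of five attempts, the in-memory account store and the notification list standing in for SMS/e-mail delivery are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5   # assumed policy value; the Directions leave the number to the RE
TOTP_STEP = 30            # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // TOTP_STEP)


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_counter: int = -1     # highest TOTP counter accepted so far; blocks replay


def new_account(password: str, totp_secret: bytes) -> Account:
    salt = os.urandom(16)
    return Account(salt, password_hash(password, salt), totp_secret)


@dataclass
class AuthService:
    accounts: dict
    notifications: list = field(default_factory=list)  # stands in for SMS/e-mail alerts

    def _notify(self, user: str, text: str) -> None:
        self.notifications.append((user, text))

    def login(self, user: str, password: str, otp: str, now=None) -> bool:
        acct = self.accounts[user]
        if acct.locked:
            self._notify(user, "Login attempted on a locked account; contact support to reactivate.")
            return False
        now = int(time.time()) if now is None else now
        # Evaluate both factors regardless of outcome so the response does not reveal which failed.
        pw_ok = hmac.compare_digest(password_hash(password, acct.salt), acct.pw_hash)
        counter = now // TOTP_STEP
        otp_counter = None
        for c in (counter, counter - 1):             # tolerate one step of clock drift
            if c > acct.last_counter and hmac.compare_digest(hotp(acct.totp_secret, c), otp):
                otp_counter = c
        if pw_ok and otp_counter is not None:
            acct.failed_attempts = 0
            acct.last_counter = otp_counter          # this code can never be accepted again
            return True
        acct.failed_attempts += 1
        self._notify(user, f"Failed login attempt {acct.failed_attempts} of {MAX_FAILED_ATTEMPTS}.")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self._notify(user, "Account locked after repeated failed logins; contact support to reactivate.")
        return False

    def reactivate(self, user: str, approved_by: str) -> None:
        """Out-of-band reactivation after identity verification, recorded with the approver."""
        acct = self.accounts[user]
        acct.locked = False
        acct.failed_attempts = 0
        self._notify(user, f"Account reactivated (approved by {approved_by}).")


if __name__ == "__main__":
    secret = os.urandom(20)
    svc = AuthService({"cust1": new_account("correct horse battery", secret)})
    t = int(time.time())
    print(svc.login("cust1", "correct horse battery", totp(secret, t), now=t))   # first use: accepted
    print(svc.login("cust1", "correct horse battery", totp(secret, t), now=t))   # same code again: rejected
```

Recording the last accepted counter is what makes the TOTP factor non-replicable in practice: a code phished from the customer and submitted a second time within the same 30-second window is refused even though it is still time-valid.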

Fraud Risk Management

i. implement configuration aspects to identify suspicious transaction behaviour, including rules, preventive and detective controls, and customer alert mechanisms;[21]

ii. system alerts shall be parameterised and monitored based on transaction velocity, high-risk parameters, counterfeit card indicators, geographic and behavioural anomalies, and other relevant factors;[22]

iii. conduct fraud analysis to identify reasons for fraud occurrence and develop prevention mechanisms;[23]

iv. educate and train staff in fraud control tools, investigative techniques, cardholder and merchant education, regulations, data analysis, and liaison with law enforcement agencies;[24] and

v. maintain updated contact details of stakeholders for incident response and formulate Standard Operating Procedure (“SOPs”) for handling payment ecosystem incidents.[25]

Reconciliation Mechanism

Implement real-time or near-real-time reconciliation frameworks for digital payment transactions between regulated entities and other stakeholders, so that suspicious transactions are detected and prevented in line with the RBI’s guidelines on payment aggregators and payment gateways (“PA/PG Guidelines”).[26] Effective monitoring and periodic assessment of the framework’s effectiveness should also be in place.

Customer Protection, Awareness, and Grievance Redressal Mechanism

i. incorporate secure usage guidelines and mandatory training materials within digital payment applications. Clear procedures and contact information for lodging consumer grievances should be provided and regularly updated;[27]

ii. adhere to online dispute resolution systems for resolving customer disputes and grievances related to digital payments;[28]

iii. educate customers about the security of their devices, regular updates, downloading from authorized sources, installing anti-malware applications as well as about the risks, benefits, liabilities, rights, and obligations related to digital payments. Terms and conditions, including privacy and security policies, should be readily available;[29]

iv. provide customers with clear and effective communication and instructions when introducing new operating features or functions, especially relating to security, integrity, and authentication;[30]

v. provide digital payment products and services only upon the customer’s explicit request and acknowledgment of terms and conditions;[31] and

vi. provide a mechanism on their mobile and internet banking applications for customers to report fraudulent transactions, enabling early detection and mitigation of losses.[32]

Internet Banking Security Controls

The following instructions are applicable to DPSC REs offering/intending to offer internet banking facility to their customers:

i. implement additional authentication measures such as adaptive authentication and strong Completely Automated Public Turing test to tell Computers and Humans Apart (“CAPTCHA”) to prevent brute-force attacks on authentication and application-layer Denial of Service (“DoS”) attacks on internet banking websites;[33]

ii. automatically terminate online sessions after a period of inactivity;[34]

iii. ensure secure delivery of login passwords valid for a limited period. Users should be required to change their password on the first login;[35] and

iv. maintain uniform authentication procedures and appearance when accessing the internet banking application through external websites.[36]

Mobile Payments Application Security Controls

The following instructions are applicable to DPSC REs offering/intending to offer mobile banking/mobile payments facility to their customers through mobile application:

i. anomalies or exceptions in the mobile application should prompt the customer to remove and install a new copy. DPSC REs should verify the version of the mobile application before enabling transactions;[37]

ii. specific controls for mobile applications include device policy enforcement, secure download and installation, deactivation of older versions, secure storage of customer data, encryption, minimal data collection, application sandboxing, identification of remote access applications, and code obfuscation;[38]

iii. validation of device and operating system security and compatibility should ensure safe and secure mobile banking activities;[39]

iv. checksum[40] of the current active application version should be hosted on a public platform for user verification;[41]

v. ensure device binding of mobile application;[42]

vi. ensure that the mobile application should require re-authentication whenever the device/application remains unused for a designated period and each time the user launches the application. Applications must be able to identify new network connections or connections from unsecured networks and implement appropriate authentication/checks/measures to perform transactions;[43]

vii. ensure that the mobile application should not store/ retain sensitive personal/ consumer authentication information such as user IDs, passwords, keys, hashes, hard coded references on the device and the application should securely wipe any sensitive customer information from memory when the customer/ user exits the application;[44] and

viii. ensure that their mobile application limits the writing of sensitive information into ‘temp’ files and that any such information is suitably encrypted/masked/hashed and stored securely.[45]
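The following Python example is added here to show items i, ii, iv and v of the mobile application controls together; it is illustrative code written for this guide, not a published RE implementation. A release manifest records the SHA-256 checksum of each published build (the value the RE would host publicly for user verification), older versions can be retired, and a transaction is allowed only if the client reports a known, active version whose binary checksum matches and the request comes from the device bound to the customer. The sample binaries, version numbers and device identifiers are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Release:
    version: str
    sha256: str           # published checksum of the signed binary
    active: bool = True   # set to False when the RE deactivates an older version


@dataclass
class AppRegistry:
    releases: dict = field(default_factory=dict)   # version -> Release
    bindings: dict = field(default_factory=dict)   # customer -> hashed device identifier

    def publish(self, version: str, binary: bytes) -> Release:
        """Record the checksum of a new build; this is the value hosted publicly for users."""
        rel = Release(version, sha256_hex(binary))
        self.releases[version] = rel
        return rel

    def retire(self, version: str) -> None:
        """Deactivate an older version so it can no longer transact."""
        self.releases[version].active = False

    def bind_device(self, customer: str, device_id: str) -> None:
        """Bind the customer's application instance to one device (one-time registration)."""
        self.bindings[customer] = hashlib.sha256(device_id.encode()).hexdigest()

    def check_client(self, version: str, reported_sha256: str) -> str:
        """Verify the version and checksum the app reports before enabling transactions."""
        rel = self.releases.get(version)
        if rel is None:
            return "unknown-version"
        if not hmac.compare_digest(rel.sha256, reported_sha256):
            return "checksum-mismatch"     # tampered or repackaged build
        if not rel.active:
            return "version-retired"       # customer must update before transacting
        return "ok"

    def transaction_allowed(self, customer: str, device_id: str,
                            version: str, reported_sha256: str) -> tuple:
        status = self.check_client(version, reported_sha256)
        if status != "ok":
            return False, status
        bound = self.bindings.get(customer)
        if bound is None:
            return False, "device-not-bound"
        if not hmac.compare_digest(bound, hashlib.sha256(device_id.encode()).hexdigest()):
            return False, "device-mismatch"
        return True, "ok"


# Constructed sample builds standing in for signed APK/IPA files.
BUILD_V1 = b"example-pay-app-v1.0.0-signed-binary"
BUILD_V2 = b"example-pay-app-v1.1.0-signed-binary"


def demo() -> list:
    """Walk through a genuine client, a tampered build, a foreign device and a retired version."""
    reg = AppRegistry()
    reg.publish("1.0.0", BUILD_V1)
    reg.publish("1.1.0", BUILD_V2)
    reg.bind_device("cust1", "device-abc-123")
    results = [
        reg.transaction_allowed("cust1", "device-abc-123", "1.1.0", sha256_hex(BUILD_V2)),
        reg.transaction_allowed("cust1", "device-abc-123", "1.1.0", sha256_hex(BUILD_V2 + b"patched")),
        reg.transaction_allowed("cust1", "device-xyz-999", "1.1.0", sha256_hex(BUILD_V2)),
    ]
    reg.retire("1.0.0")
    results.append(reg.transaction_allowed("cust1", "device-abc-123", "1.0.0", sha256_hex(BUILD_V1)))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

A checksum self-reported by the client is only as trustworthy as the client, so in a real deployment this check sits alongside platform attestation; the published checksum still serves its stated purpose, which is to let a customer verify a downloaded build independently of the RE’s servers.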

Card Payments Security

The following instructions are applicable to DPSC REs offering/intending to issue cards (credit/debit/prepaid) (physical or virtual) to their customers:

i. follow payment card standards such as PCI-PIN, PCI-PTS, PCI-HSM, and PCI-P2PE to ensure comprehensive payment card security. Terminals used for capturing card details should be validated against the PCI-P2PE program, and PoS terminals with PIN entry should be approved by the PCI-PTS program;[46]

ii. acquirers should secure their card payment infrastructure using Unique Key Per Terminal (“UKPT”), Derived Unique Key Per Transaction (“DUKPT”) or Terminal Line Encryption (“TLE”);[47]

iii. security controls for Hardware Security Modules (“HSMs”) include logging, clustering for high availability, access control lists, privileged identity management, secure key management, and physical key security;[48]

iv. ATM security measures should include BIOS password, disabling USB ports, applying patches, anti-skimming and whitelisting solutions, and using supported operating systems[49];

v. monitor card transactions, set transaction limits, and implement transaction control mechanisms. Card details should not be stored in plain text, and secure processing of card details should be ensured;[50] and

vi. regulated entities using card data scanning tools should test them in a test environment, install them in their premises, avoid remote scanning, and restrict access to the tools and data.[51]

Commercial Practices

The DPSC Directions also set out practices that REs may adopt when implementing security controls, to ensure the safety and security of digital payment products:

i. validate the security and compatibility of the device/operating system and the mobile application;[52]

ii. implement a check for whether the device is rooted/jailbroken before the mobile application is installed, and prevent the application from installing or functioning on a rooted/jailbroken device;[53]

iii. implement alternatives to SMS-based OTP authentication mechanisms;[54] and

iv. design anti-malware capabilities into their mobile applications.[55]

Part B – CYBER SECURITY RULES IN INDIA: COMPLIANCES APPLICABLE to NBFCs

1. Master Directions on Information Technology Framework for the NBFC sector

Compliance Requirements

1.1 NBFCs are required to put in place the following IT governance stakeholders: an IT strategy committee, the CEO, business executives, the chief information officer, the chief technology officer, an IT steering committee, the chief risk officer and the risk committee.

1.2 NBFCs must ensure that they have in place all the policies required under the MD on IT Framework and undertake the measures necessary for their implementation, including ensuring, through contractual arrangements, that service providers comply with those policies. For instance:

i. Information technology policy:[56] as part of the IT policy, NBFCs have to ensure IT competence at senior and middle management level, periodic assessment of IT training requirements, and migration to the IPv6 platform.

ii. Information security policy:[57] Information Security (“IS”) safeguards an NBFC’s assets by controlling access to sensitive data in line with organisational goals, and ensures the confidentiality, integrity, availability and authenticity of data through an IS policy. The IS policy must address the following:
(a) identification and classification of information assets, with a distinct inventory;
(b) segregation of the duties of the Security Officer/Group from the IT division;
(c) role-based access control for well-defined user roles;
(d) personnel security, including background checks for staff with privileged access;
(e) physical security to protect data and restrict access;
(f) the “maker-checker” principle for reliable transaction authorisation;
(g) incident management processes to prevent, detect and respond to incidents;
(h) audit trails for IT assets, to support audits and dispute resolution; and
(i) Public Key Infrastructure (“PKI”) for data confidentiality, integrity, authentication and non-repudiation.

iii. Cyber security policy: NBFCs should use cyber security preparedness indicators,[58] have in place a Cyber Crisis Management Plan,[59] use digital signatures, run risk assessments of their IT systems at least annually and submit them to the Chief Risk Officer (“CRO”), the CIO and the board,[60] use technology that ensures confidentiality, integrity, authenticity and end-to-end encryption,[61] and mitigate social media risks.[62]

iv. Change management policy: NBFCs must realign their IT systems regularly in line with the changing needs of their customers and business. For this purpose, NBFCs must develop a board-approved change management policy covering: prioritising and responding to change proposals from the business, cost-benefit analysis of each change, assessment of the risks associated with the change, and change implementation and monitoring. Senior management is responsible for ensuring that the change management policy is carried out.

v. Cyber crisis management plan: NBFCs must develop a Cyber Crisis Management Plan (“CCMP”) as part of the approved strategy, covering: (i) detection, (ii) response, (iii) recovery, and (iv) containment. NBFCs must prevent cyber-attacks, promptly detect intrusions and manage the fallout, and must be prepared for emerging threats such as ‘zero-day’ attacks, remote access attacks and targeted attacks. The plan should address threats including denial of service, DDoS, ransomware, phishing and identity fraud, with the necessary preventive and corrective measures for each.

vi. Information system audit policy:[63] The policy for Information System Audit (“IS Audit”) serves to ensure the confidentiality, integrity and availability of an organisation’s IT infrastructure, and the audit aims to identify and mitigate risks associated with IT systems. It forms part of the internal audit system of NBFCs, drawing on guidelines from professional bodies such as ISACA, the IIA and the ICAI. A board-approved IS Audit framework should be established, with skilled personnel in the Audit Committee capable of understanding the audit results. Coverage includes evaluating IT policies and controls, recommending actions for deficiencies, and assessing business continuity, disaster recovery and legal compliance. The audit can be conducted by an internal team or an expert external agency, with an emphasis on independence and legal understanding. It should ideally be conducted annually, or at a periodicity based on the NBFC’s size, and preferably before the statutory audit. Reporting mechanisms are defined, with compliance responsibilities, reporting lines and timelines clearly set out. A balanced approach employing both manual techniques and Computer-Assisted Audit Techniques (“CAATs”) is adopted, with CAATs applied particularly to critical functions or areas with financial/regulatory implications.

vii. Chief Information Officer:[64] NBFCs must appoint a chief information officer responsible for the formulation, review and monitoring of the business continuity plan/disaster recovery (“BCP/DR”) plan. As part of the BCP/DR plan, NBFCs must, for instance, estimate the probabilities of various failure scenarios and consider putting in place backup sites for critical business systems and data centres.

viii. IT services outsourcing policy: NBFCs should carefully define the terms and conditions governing each outsourcing agreement and have the agreements vetted by legal counsel. The terms should cover monitoring, data protection and audit rights, and may also provide for the RBI’s access rights. The Board and the IT Strategy Committee establish the governance and risk processes, while the Board holds ultimate responsibility for outsourcing and risk management. The policy should also set out the IT Strategy Committee’s role, including risk-based policies, approval authorities and evaluation of outsourcing, and should address communication, independent review and business continuity.

Penalties

No specific penalties are stipulated for non-compliance with the MD on IT Framework. Non-compliance is, however, likely to attract regulatory action by the RBI under the Reserve Bank of India Act, 1934, which provides for monetary penalties and, for offences under the Act, imprisonment; the RBI may also cancel an NBFC’s certificate of registration.[65] The RBI is empowered to impose a penalty of INR 10,00,000 or twice the amount involved in the default, where that amount is quantifiable, whichever is higher, and, where the default is a continuing one, a further penalty of up to INR 1,00,000 for every day during which it continues.[66]

2. Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

Compliance Requirements

Please refer to Part A of the Outsourcing Manual by Spice Route Legal to understand the compliance requirements for outsourcing of financial services by NBFCs. 

Penalties

No specific penalties are stipulated for non-compliance with the MD on Outsourcing of Financial Services. Non-compliance is, however, likely to attract regulatory action by the RBI under the Reserve Bank of India Act, 1934, which provides for monetary penalties and, for offences under the Act, imprisonment; the RBI may also cancel the NBFC’s certificate of registration.[67] The RBI is empowered to impose a penalty of INR 10,00,000 or twice the amount involved in the default, where that amount is quantifiable, whichever is higher, and, where the default is a continuing one, a further penalty of up to INR 1,00,000 for every day during which it continues.[68]

3. Master Directions on Outsourcing of Information Technology Services

Compliance Requirements

Please refer to Part B of the Outsourcing Manual by Spice Route Legal to understand the compliance requirements for outsourcing of IT services by NBFCs.

Penalties

No specific penalties are stipulated for non-compliance with the MD on Outsourcing of Information Technology Services. Non-compliance is, however, likely to attract regulatory action by the RBI under the Reserve Bank of India Act, 1934, which provides for monetary penalties and, for offences under the Act, imprisonment; the RBI may also cancel the NBFC’s certificate of registration. The RBI is empowered to impose a penalty of INR 10,00,000 or twice the amount involved in the default, where that amount is quantifiable, whichever is higher, and, where the default is a continuing one, a further penalty of up to INR 1,00,000 for every day during which it continues.[69]

Part C – CYBER SECURITY LAW IN INDIA: BREACH REPORTING OBLIGATIONS APPLICABLE to NBFCs

The breach reporting obligations are summarised below by applicable regulation, kind of incident to be reported, timeline and provision.

Applicable regulation: Master Direction – Information Technology Framework for the NBFC Sector, 2017
Incidents to be reported: NBFCs are required to report all unusual security incidents (both successful and attempted incidents that did not fructify) to the Department of Non-Banking Supervision, Central Office, Mumbai, and to provide subsequent updates if the earlier report was incomplete.[70] A template for reporting cyber incidents is attached as Annex I to the MD on IT Framework. NBFCs should adhere to the template and must ensure that strict breach notification requirements exist in their outsourcing agreements with service providers.
Timeline: within 24 (twenty-four) hours.
Provision: Paragraph 3.6 and Annex I.

Applicable regulation: Master Direction on Outsourcing of Information Technology Services, 2023
Incidents to be reported: NBFCs are required to report all unusual security incidents (both successful and attempted incidents that did not fructify) to the Department of Non-Banking Supervision, Central Office, Mumbai, and to provide subsequent updates if the earlier report was incomplete. NBFCs are also required to report suspicious transactions to FIU-IND under the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
Timeline: within 24 (twenty-four) hours.
Provision: Chapter VI.

Applicable regulation: Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs, 2023
Incidents to be reported: NBFCs are required to notify the RBI immediately of any breach of security or leakage of confidential customer-related information, and to ensure that the outsourcing agreement contains clauses securing customer data confidentiality and imposing liability on the service provider for any such breach or leakage.[71]
Timeline: immediately.
Provision: Paragraphs 5.5(v) and 5.6.5.

Conclusion

As the NBFC sector grows and its regulation continues to evolve, NBFCs must monitor the regulatory framework closely to remain compliant. The directions discussed above address matters ranging from cyber security controls for digital payments to the requirements for outsourcing IT services. Compliance with them protects customers and other stakeholders and supports the resilience and integrity of the financial ecosystem. As the sector embraces digital transformation, NBFCs need not only to navigate these cyber security regulations but also to integrate them into their day-to-day operations, with a proactive approach to cyber security, risk management and ethical conduct.


[1] Paragraph 1.1, MD on Outsourcing of Financial Services.

[2] Master Direction – Credit Card and Debit Card – Issuance and Conduct Directions (RBI/2022-23/92 DoR.AUT.REC.No.27/24.01.041/2022-23)

[3] Paragraph 13, Master Directions on Digital Payments Security Controls.

[4] Paragraph 13, Master Directions on Digital Payments Security Controls.

[5] Paragraph 19, Master Directions on Digital Payments Security Controls.

[6] Paragraph 19, Master Directions on Digital Payments Security Controls.

[7] Paragraph 19, Master Directions on Digital Payments Security Controls.

[8] Paragraph 19, Master Directions on Digital Payments Security Controls.

[9] Paragraph 19, Master Directions on Digital Payments Security Controls.

[10] Paragraph 19, Master Directions on Digital Payments Security Controls.

[11] Paragraph 25, Master Directions on Digital Payments Security Controls.

[12] Paragraph 26, Master Directions on Digital Payments Security Controls.

[13] Paragraph 27, Master Directions on Digital Payments Security Controls.

[14] Paragraph 28, Master Directions on Digital Payments Security Controls.

[15] Paragraph 29, Master Directions on Digital Payments Security Controls.

[16] Paragraph 30, Master Directions on Digital Payments Security Controls.

[17] Paragraph 31, Master Directions on Digital Payments Security Controls.

[18] Paragraph 32, Master Directions on Digital Payments Security Controls.

[19] Paragraph 33, Master Directions on Digital Payments Security Controls.

[20] Paragraph 34, Master Directions on Digital Payments Security Controls.

[21] Paragraph 36, Master Directions on Digital Payments Security Controls.

[22] Paragraph 37, Master Directions on Digital Payments Security Controls.

[23] Paragraph 38, Master Directions on Digital Payments Security Controls.

[24] Paragraph 39, Master Directions on Digital Payments Security Controls.

[25] Paragraph 40, Master Directions on Digital Payments Security Controls.

[26] Paragraph 41, Master Directions on Digital Payments Security Controls.

[27] Paragraph 42, Master Directions on Digital Payments Security Controls.

[28] Paragraph 43, Master Directions on Digital Payments Security Controls.

[29] Paragraph 44, Master Directions on Digital Payments Security Controls.

[30] Paragraph 44, Master Directions on Digital Payments Security Controls.

[31] Paragraph 44, Master Directions on Digital Payments Security Controls.

[32] Paragraph 44, Master Directions on Digital Payments Security Controls.

[33] Paragraph 44, Master Directions on Digital Payments Security Controls.

[34] Paragraph 44, Master Directions on Digital Payments Security Controls.

[35] Paragraph 44, Master Directions on Digital Payments Security Controls.

[36] Paragraph 44, Master Directions on Digital Payments Security Controls.

[37] Paragraph 44, Master Directions on Digital Payments Security Controls.

[38] Paragraph 44, Master Directions on Digital Payments Security Controls.

[39] Paragraph 44, Master Directions on Digital Payments Security Controls.

[40] Paragraph 44, Master Directions on Digital Payments Security Controls.

[41] Paragraph 44, Master Directions on Digital Payments Security Controls.

[42] Paragraph 44, Master Directions on Digital Payments Security Controls.

[43] Paragraph 44, Master Directions on Digital Payments Security Controls.

[44] Paragraph 44, Master Directions on Digital Payments Security Controls.

[45] Paragraph 44, Master Directions on Digital Payments Security Controls.

[46] Paragraph 44, Master Directions on Digital Payments Security Controls.

[47] Paragraph 44, Master Directions on Digital Payments Security Controls.

[48] Paragraph 69, Master Directions on Digital Payments Security Controls.

[49] Paragraph 70, Master Directions on Digital Payments Security Controls.

[50] Paragraph 71, Master Directions on Digital Payments Security Controls.

[51] Paragraph 72, Master Directions on Digital Payments Security Controls.

[52] Paragraph 57, Master Directions on Digital Payments Security Controls.

[53] Paragraph 58, Master Directions on Digital Payments Security Controls.

[54] Paragraph 59, Master Directions on Digital Payments Security Controls.

[55] Paragraph 60, Master Directions on Digital Payments Security Controls.

[56] Para 2 of Master Direction – Information Technology Framework for the NBFC Sector.

[57] Para 3 and 3.1 of Master Direction – Information Technology Framework for the NBFC Sector.

[58] Para 3.4 of Master Direction – Information Technology Framework for the NBFC Sector.

[59] Para 3.5 of Master Direction – Information Technology Framework for the NBFC Sector.

[60] Para 3.9 of Master Direction – Information Technology Framework for the NBFC Sector.

[61] Para 3.10 of Master Direction – Information Technology Framework for the NBFC Sector.

[62] Para 3.11 of Master Direction – Information Technology Framework for the NBFC Sector.

[63] Para 5 of Master Direction – Information Technology Framework for the NBFC Sector.

[64] Para 6 of Master Direction – Information Technology Framework for the NBFC Sector.

[65] Sections 58B and 58G of the Reserve Bank of India Act, 1934.

[66] Section 58G of the Reserve Bank of India Act, 1934.

[67] Sections 58B and 58G of the Reserve Bank of India Act, 1934.

[68] Section 58G of the Reserve Bank of India Act, 1934.

[69] Section 58G of the Reserve Bank of India Act, 1934.

[70] Paragraph 3.6 and Annex I of the MD on IT Framework.

[71] Paragraphs 5.5(v) and 5.6.5 of the MD on Outsourcing of Financial Services.