The large non-bank PSOs need to abide by the directions by April 1, 2025. These include Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), Bharat Bill Payment Operating Units (BBPOUs), Payment Aggregators (PAs), Non-bank ATM Networks, White Label ATM Operators (WLAOs), Large PPI Issuers, and Trade Receivables Discounting System (TReDS), among others.
Medium non-bank PSOs, which include Cross-border (in-bound) Money Transfer Operators under the Money Transfer Service Scheme (MTSS) and Medium PPI Issuers, have to abide by these guidelines by April 1, 2026.
Small non-bank PSOs, such as Small PPI Issuers and Instant Money Transfer Operators, must abide by the norms by April 1, 2027.
Non-bank PSOs are mandated to promptly inform the RBI of any unusual incidents. These include cyber-attacks, outages of critical systems, infrastructure, internal fraud, and settlement delays. Additionally, they are directed to report any cyber security incident to CERT-In.
They should also put in place a comprehensive data leak prevention policy for confidentiality, integrity, availability and protection of business and customer information (both in transit and at rest) for data available with them or at vendor-managed facilities, commensurate with the criticality and sensitivity of the information held / transmitted.
The PSO should implement a real-time or near-real-time fraud monitoring solution to identify suspicious transactional behaviour and generate alerts.
The guidelines said they should also have a manned facility that functions 24/7 to facilitate swift resolution of unauthorised/fraudulent transactions reported by customers and provide prompt response to law enforcement agencies.