).CC.No 309/24.01.022/2012-13 November 08, 2012. e) Payment of amount received under promotional activities, incentives, cash-backs, etc. Net-worth Certificate - Audited Annual report with CA certificate on Net-worth – by September 30th (Annex 3.1). 1.2 Roles and Responsibilities of IT Strategy Committee: Some of the roles and responsibilities include: Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place; Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business; Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable; Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources; Ensuring proper balance of IT investments for sustaining the NBFC’s growth and becoming aware about exposure towards IT risks and controls. LAN segments for in-house/onsite ATM and CBS/branch network should be different. Security Incident Reporting: The entities shall report security incidents / card holder data breaches to RBI within the stipulated timeframe. The escrow account shall not be operated for ‘Cash-on-Delivery’ transactions. NBFCs should adopt a Board approved BCP Policy. If not, then the member should be trained on these aspects. A reference is also invited to the discussion paper placed on the RBI website on guidelines for regulation of Payment Aggregators (PAs) and Payment Gateways (PGs). To ensure technical competence at senior/middle level management of NBFCs, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available. 4.2 NBFCs are required to realign their IT systems on a regular basis in line with the changing needs of their customers and business.
Ability to provide real-time/near-real time information on and insight into the security posture of the UCB. Such arrangements should facilitate forensic auditing, if need be. 4.5 MIS for Supervisory requirements - The MIS that helps management in taking strategic decisions shall also assist in generating the required information/returns for the supervisor. The promoters of the entity shall satisfy the fit and proper criteria prescribed by RBI. Capacity and performance analysis of IT security systems. PAs shall also adopt the technology-related recommendations provided in Annex 2. Banks, however, provide PA services as part of their normal banking relationship and do not therefore require a separate authorisation from RBI. The major role of top management involves implementing the Board approved cyber security policy, establishing necessary organisational processes for cyber security and providing necessary resources for ensuring adequate cyber security. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance and then establish and monitor policies for risk management.
The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. If they desire to pursue this activity, it shall be separated from the marketplace business and they shall apply for authorisation on or before June 30, 2021. Entities seeking authorisation as PA from the RBI under the PSS Act shall apply in Form A to the Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai. Existing non-bank entities offering PA services shall apply for authorisation on or before June 30, 2021. The entity and the escrow account banker shall be responsible for compliance with RBI instructions issued from time to time. UCBs may adopt a higher level of security measures based on their own assessment of risk and capabilities. The UCB’s BCP/DR capabilities shall adequately and effectively support the UCB’s cyber resilience objectives and should be designed to enable the UCB to recover rapidly from cyber-attacks/other incidents and safely resume critical operations aligned with recovery time objectives while ensuring that the security of processes and data is protected. Disable remote connections from outside machines to the network hosting critical payment infrastructure (e.g. RTGS/NEFT, ATM Switch, SWIFT Interface). Since IT/ cyber security affects all aspects of an organisation, in order to consider IT/ cyber security from a UCB-wide perspective a steering committee of executives should be formed with formal terms of reference. Periodically conduct Vulnerability Assessment/ Penetration Testing (VA/PT) of internet facing web/mobile applications, servers and network components throughout their lifecycle (pre-implementation, post-implementation, after changes etc.). NBFCs need to create a secured environment for physical security of IS Assets, such as secure location of critical data and restricted access to sensitive areas like the data centre.
The budget for IT security/ CISO’s office may be determined keeping in view the current/ emerging cyber threat landscape. This policy may be designed considering the undermentioned basic standards and the same shall be put in place by September 30, 2018. Ensure the software integrity of the ATM Switch/SWIFT related applications. Similar arrangements need to be ensured at vendor managed facilities as well. Risk based transaction monitoring or surveillance process shall be implemented as part of the fraud risk management system across all delivery channels. However, prior to commencement of any outsourcing arrangement, careful consideration of risks, threats of contractual arrangements and regulatory compliance obligations must take place. Vulnerability management is an ongoing process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with them. Where the merchant is responsible for delivery, the payment to the merchant shall be not later than on a Td + 1 basis. IT Steering Committee: An IT Steering Committee shall be created with representations from various business functions as appropriate. (As per Circular DNBS(Inf. It involves leadership support, organizational structure and processes to ensure that the NBFC’s IT sustains and extends business strategies and objectives. ‘Td’ – date of confirmation by the merchant to the intermediary about delivery of goods to the customer. Cyber Crisis Management Plan: The entities shall prepare a comprehensive Cyber Crisis Management Plan approved by the IT Strategy Committee, which shall include components such as Detection, Containment, Response and Recovery. The Committee shall work in partnership with other Board committees and Senior Management to provide input to them. IT Governance has a continuous life-cycle.
Data Security in Outsourcing: There shall be an outsourcing agreement providing a ‘right to audit’ clause to enable the entities / their appointed agencies and regulators to conduct security audits. This can be an internal security audit or an annual security audit by an independent security auditor or a CERT-In empanelled auditor. The outsourcing service provider should have adequate systems and procedures in place to ensure protection of the data/application outsourced. Identification and Classification of Information Assets. An alert mechanism should be set to monitor any change in the log settings. IT Strategy Committee: UCBs may consider setting up a Board level IT Strategy Committee with a minimum of two directors as members, one of whom should be a professional director. An IT Steering Committee shall be formed with representatives from the IT, HR, legal and business sectors. Otherwise, UCBs, apart from securing their production environment, may enforce these requirements with their respective third party vendors developing application software. SIEM is able to meet this requirement to some extent, but a holistic approach to problem identification and solution is required. PAs shall prominently display details of the nodal officer on their website. In respect of critical business applications, UCBs may conduct source code audits by professionally competent personnel/service providers or have assurance from application providers/OEMs that the application is free from embedded malicious / fraudulent code. c) Transfer representing refunds for failed / disputed / returned / cancelled transactions.
6.2 Recovery strategy/ Contingency Plan - NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. Customer Grievance Redressal and Dispute Management Framework. NBFCs shall maintain a detailed inventory of Information Assets with distinct and clear identification of each asset. b) Access to books and records / Audit and Inspection: This would include: Ensure that the NBFC has the ability to access all books, records and information relevant to the outsourced activity available with the service provider. Directions for NBFCs with asset size below ₹ 500 crore are provided in Section-B. The third step is to look at deep packet inspection approaches. It includes prioritization of IT-enabled investment, reviewing the status of projects (including resource conflicts), monitoring service levels and improvements, IT service delivery and projects. Cost-benefit analysis of the changes proposed. The IT Strategy Committee should meet at an appropriate frequency, but not more than six months should elapse between two meetings. The Board and IT Strategy Committee have the responsibility to institute an effective governance mechanism and risk management process for all IT outsourced operations. Compulsorily convertible preference shares can be either non-cumulative or cumulative, and they should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference capital at any time. The software/application development approach should incorporate secure coding principles, security testing (based on global standards) and secure rollout. This facility shall be permissible to entities who have been in business for 26 fortnights and whose accounts have been duly audited for the full accounting year.
At the end of the day, the amount in the escrow account shall not be less than the amount already collected from the customer as per ‘Tp’ or the amount due to the merchant. The committee should focus on implementation. The CISO shall be an invitee to the IT Strategy Committee and IT Steering Committee. Role based Access Control – Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.). Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and non-repudiation. Access to Application: There shall be documented standards / procedures for administering an application system, which are approved by the application owner and kept up-to-date.