RBI - PA & PG
RBI SAR Assessment and Reporting based on the Guidelines on Regulation of Payment Aggregators and Payment Gateways, popularly known as the RBI SAR for PA & PG.
CBL is a CERT-In empanelled auditor with 300+ customers in the Fintech industry.
Payment Aggregators (PAs) and Payment Gateways (PGs) are intermediaries that play an important function in facilitating payments in the online space. In such a technology- and customer-experience-intensive business, entities with inadequate governance practices may be a source of risk, which may impact customer confidence and experience.
The Reserve Bank of India (RBI) has tightened its supervision norms for payments companies that store and process customer data. RBI’s Department of Payment and Settlement Systems (DPSS) has issued a circular (Ref: RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020, Annexure 2) requiring Indian PSOs (Payment System Operators) to submit a board-approved System Audit Report (SAR) prepared by CERT-In empanelled auditors by 31st May of every year.
Entities Covered
Indian PSOs operating as a Payment Aggregator (PA) or Payment Gateway (PG) come under the purview of this assessment.
“PAs are entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments from customers, pool and transfer them on to the merchants after a time period.”
“PGs are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.”
RBI Circular – DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020
RBI PA & PG - Assessment Services
System Audit Report (SAR)
IS Audit Report and Cyber Security Audit Report with observations noted, if any, including the corrective / preventive action planned and its closure date.
Cyber Security Audit Report
Internal audit and reporting are required on a quarterly basis and can be initiated well in advance.
Cyber Security Incident reports
A due diligence process for incident management is required, with root cause analysis and preventive action undertaken.
Bespoke Advisory Solutions
Customised solutions based on the size of your organisation. Our extensive experience in cybersecurity consulting will help you achieve compliance with the RBI-issued circulars.
Assessor Experience
As a CERT-In empanelled auditor, CBL is qualified to assess, consult, and issue RBI SAR reports for eligible entities.
CBL has extensive experience in the fintech space, providing consulting, testing, and monitoring services to 300+ organisations.
As an assessor for various compliance programs, CBL has a deep understanding of the process and security controls in PA and PG environments.
Compliance Management
We built a compliance management tool capable of managing standards as detailed as PCI DSS and ISO 27001. The RBI Circulars are also built into this tool, which helps you organise your compliance management and maintenance over the entire compliance year.
RBI PA-PG Turnkey Services
Crossbow Labs can work with organisations from the inception of the processes to the implementation and maintenance of the controls, including periodic internal audits and compliance management services.
Approach - RBI Circulars
The Reserve Bank of India has defined the processes to be followed by CERT-In empanelled auditors such as Crossbow Labs.
1. Foot Printing
Understand the business and compliance objectives of the service provider. In this phase, we prepare and agree upon a project timeline to conduct process walkthroughs and to perform the relevant assessments.
2. Initial Assessment
Understand Entity-Level Controls: assess the implementation of entity-level controls with respect to information security implementation, roles and responsibilities, risk assessment, and risk mitigation programs. Perform Test of Design: assess the IT systems and processes implemented against information security risks and operational risks.
3. Final Assessment
Perform Test of Operating Effectiveness: We perform sample-based testing of the controls implemented over a period of time.
4. RBI Compliant Reporting
The report will consist of the scope of work, nature of assessments performed, all the domains audited, the observations noted during the audit, the impact of the observations, and CBL recommendations for remediation.
RBI Audits - Maintenance & Monitoring
- Compliance with the RBI Circulars requires continuous monitoring, maintenance and improvement of the implemented controls, which Crossbow Labs teams can support.
- The Managed Cybersecurity Solution from Crossbow Labs can fully manage the cybersecurity portfolios for compliance programs of organisations interested in outsourcing their cybersecurity management to expert teams.
- Crossbow Labs teams will work with the management teams in organisations adhering to the RBI Circulars to ensure the intended business objectives are met.
RBI PA-PG FAQs
As per RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, the cyber security audit needs to be performed by a CERT-In empanelled auditor.
Indian PSOs (Payment System Operators) operating as a Payment Aggregator (PA) or Payment Gateway (PG) will come under the purview of this assessment.
An annual audit is to be conducted and System Audit Reports (SAR) submitted to the respective Regional Office of DPSS, RBI, within two months of the close of the entity's financial year.
Yes, the RBI Circular on “System Audit of Payment Systems operated under the PSS Act” (Reference: DPSS.CO.OD.No. 1325/06.11.001/2019-20 dated Jan 10, 2020) also needs to be considered for assessment.
All domains under an Information Security Management System need to be covered under the cyber security audit by a CERT-In empanelled auditor. The Baseline Technology-related Recommendations mentioned in the RBI guidelines are listed below. For more details please refer to Annexure 2 of RBI Circular DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020.
- Information Security Governance
- Data Security Standards (PCI DSS, ISO 27001, etc. as applicable)
- Security Incident Reporting
- Merchant Onboarding
- Cyber Security Audit and Reports
- Information Security
- IT Governance
- Enterprise Data Dictionary
- Risk Assessment
- Access to Application
- Competency of Staff
- Vendor Risk Management
- Maturity and Roadmap
- Cryptographic Requirement
- Forensic Readiness
- Data Sovereignty
- Data Security in Outsourcing
- Payment Application Security