Click here to Visit the RBI’s new website

BBBPLogo

Master Directions

(604 kb)
Master Direction on Issuance and Operation of Prepaid Payment Instruments (Updated as on November 17, 2020)

RBI/DPSS/2017-18/58
Master Direction DPSS.CO.PD.No.1164/02.14.006/2017-18

October 11, 2017
(Updated as on November 17, 2020)
(Updated as on February 28, 2020)
(Updated as on January 16, 2020)
(Updated as on December 24, 2019)
(Updated as on August 30, 2019)
(Updated as on February 25, 2019)
(Updated as on December 29, 2017)

All Prepaid Payment Instrument Issuers, System Providers and System Participants

Dear Sir / Madam,

Master Direction on Issuance and Operation of Prepaid Payment Instruments

Please refer to paragraph 16 of Statement on Developmental and Regulatory Policies regarding issuance of Master Direction on Prepaid Payment Instruments (PPIs) announced in the Fourth Bi-monthly Monetary Policy Statement, 2017-18 by the Reserve Bank of India (RBI).

2. The RBI has issued a number of circulars from time to time on issuance and operation of PPIs. In the light of developments in the field, progress made by PPI Issuers, experience gained and with a view to foster innovation and competition, ensure safety and security, customer protection, etc., it was decided to review the instructions relating to the issuance and operation of PPIs and issue comprehensive Directions on the subject.

3. The draft Master Direction on PPIs was placed on the RBI website on March 20, 2017 for public feedback. The comments / views received from all stakeholders have been examined by the Reserve Bank in preparation of the final Directions.

4. The Master Direction, issued under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007, replaces all circulars listed in Table-1 of Annex-1 and partially replaces all circulars mentioned in Table-2 of Annex-1 issued till date on the subject.

5. The Master Direction is effective from today. Existing PPI Issuers shall ensure compliance with the revised requirements on or before February 28, 2018, except where timelines have been specified in this Direction.

Yours faithfully,

(Nanda S. Dave)
Chief General Manager-in-Charge


Master Direction on Issuance and Operation of Prepaid Payment Instruments

1. Introduction

1.1 In exercise of the powers conferred under Section 18 read with Section 10(2) of the Payment and Settlement Systems Act, 2007 (Act 51 of 2007), the Reserve Bank of India (RBI) being satisfied that it is necessary and expedient in the public interest to do so, hereby, issues these Directions.

1.2 Short title and commencement

  1. These Directions shall be called the Reserve Bank of India (Issuance and Operation of Prepaid Payment Instruments) Directions, 2017 (Master Direction).

  2. These Directions shall come into effect from October 11, 2017.

  3. Existing authorised Prepaid Payment Instrument (PPI) issuers shall ensure compliance with the revised requirements on or before February 28, 2018, except where timelines have been specified in this Direction.

1.3 Applicability: The provisions of the Master Direction shall apply to all PPI Issuers, System Providers and System Participants.

1.4 Purpose

  1. To provide a framework for authorisation, regulation and supervision of entities operating payment systems for issuance of PPIs in the country;

  2. To foster competition and encourage innovation in this segment in a prudent manner while taking into account safety and security of transactions as well as systems along with customer protection and convenience.

  3. To provide for harmonisation and interoperability of PPIs

1.5 For the purpose of these Directions, the term ‘entities’ refers to banks and non-bank entities who have approval / authorisation from the RBI to issue PPIs as well as those who are proposing to issue PPIs.

1.6 Banks and non-bank entities have been issuing PPIs in the country after obtaining necessary approval / authorisation from RBI under the Payment and Settlement Systems Act, 2007 (PSS Act). These entities have been operating within the framework of the initial guidelines on “Issuance and Operation of PPIs” issued in April 2009 and the subsequent Master Circulars issued on the subject, as amended from time to time. Taking into account the developments in the field and the progress made by PPI issuers, all existing guidelines issued on the subject till date have been reviewed and are contained in the Master Direction.

1.7 The Master Direction lays down the eligibility criteria and the conditions of operation for payment system operators involved in the issuance of semi-closed and open system PPIs in the country. All entities approved / authorised to operate payment systems involving the issuance of PPIs shall comply with these Directions.

1.8 No entity can set up and operate payment systems for issuance of PPIs without prior approval / authorisation of RBI.

2. Definitions

For the purpose of this Master Direction, the following definitions shall be applicable:

2.1 Issuer: Entities operating the payment systems issuing PPIs to individuals / organisations. The money so collected is used by these entities to make payment to the merchants who are part of the acceptance arrangement and for facilitating funds transfer / remittance services.

2.2 Holder: Individuals / Organisations who obtain / purchase PPIs from the issuers and use the same for purchase of goods and services, including financial services, remittance facilities, etc.

2.3 Prepaid Payment Instruments (PPIs): PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.

2.4 Closed System PPIs: These PPIs are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI.

2.5 Semi-closed System PPIs: These PPIs are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.

2.6 Open System PPIs: These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).

2.7 Limits: All ‘limits’ in the value of instruments stated in the Master Direction, indicate the maximum value of such instruments, denominated in INR, that shall be issued to any holder, unless otherwise specified.

2.8 Merchants: These are establishments who have a specific contract to accept the PPIs issued by the PPI issuer (or contract through a payment aggregator / payment gateway) against the sale of goods and services, including financial services.

2.9 Net-worth: Net-worth will consist of ‘paid up equity capital, preference shares which are compulsorily convertible into equity capital, free reserves, balance in share premium account and capital reserves representing surplus arising out of sale proceeds of assets but not reserves created by revaluation of assets’ adjusted for ‘accumulated loss balance, book value of intangible assets and deferred revenue expenditure, if any’. It shall be noted that while compulsorily convertible preference shares reckoned for computation of net-worth can be either non-cumulative or cumulative, these should be compulsorily convertible into equity shares and the shareholder agreements should specifically prohibit any withdrawal of this preference share capital at any time.

3. Eligibility to issue semi-closed and open system PPIs

3.1 Banks which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue semi-closed and open system PPIs, after obtaining approval from RBI.

3.2 Non-bank entities which comply with the eligibility criteria, including those stipulated by the respective regulatory department of RBI, shall be permitted to issue only semi-closed system PPIs, after obtaining authorization from RBI.

4. Capital and other eligibility requirements

4.1 All entities (both banks and non-banks), regulated by any of the financial sector regulators and seeking approval / authorisation from the RBI under the PSS Act, shall apply to Department of Payment and Settlement Systems (DPSS), RBI, Central Office, Mumbai along with a ‘No Objection Certificate’ from their respective Regulator, within 45 days of obtaining such clearance.

4.2 Non-bank entities applying for authorisation shall be a company incorporated in India and registered under the Companies Act 1956 / Companies Act 2013.

4.3 Non-bank entities having Foreign Direct Investment (FDI) / Foreign Portfolio Investment (FPI) / Foreign Institutional Investment (FII) shall also meet the capital requirements as applicable under the extant Consolidated FDI policy guidelines of Government of India.

4.4 The Memorandum of Association (MOA) of the applicant non-bank entity shall cover the proposed activity of operating as a PPI issuer.

4.5 All non-bank entities seeking authorisation from RBI under the PSS Act shall have a minimum positive net-worth of Rs. 5 crore as per the latest audited balance sheet at the time of submitting the application. These entities shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants (CA) to evidence compliance with the applicable net-worth requirement while submitting the application for authorisation. The application shall be processed by RBI based on this net-worth which shall be maintained at all times. Thereafter, by the end of the third financial year from the date of receiving final authorisation, the entity shall achieve a minimum positive net-worth of Rs. 15 crore which shall be maintained at all times. Illustratively, if an entity is issued final authorisation on March 1, 2018, then this entity shall achieve a minimum positive net-worth of Rs. 15 crore for the financial position as on March 31, 2020. Similarly, if an entity is issued final authorisation on May 1, 2018, then this entity shall achieve a minimum positive net-worth of Rs. 15 crore for the financial position as on March 31, 2021. Subsequently, the audited balance sheet and net-worth as on 31st March shall be submitted to RBI within six months of close of financial year, failing which the entity may not be permitted to carry out this business.

4.6 Newly incorporated non-bank entities which may not have an audited statement of financial accounts shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants regarding the current net-worth along with provisional balance sheet.

4.7 All existing non-bank PPI issuers (at the time of issuance of this Master Direction) shall comply with the minimum positive net-worth requirement of Rs. 15 crore for the financial position as on March 31, 2020 (audited balance sheet). This shall be reported to RBI, along with CA certificate in the enclosed format (Annex-2) and audited Balance Sheet, by September 30, 2020 failing which the entity may not be permitted to carry out this business. Thereafter, the minimum positive net-worth of Rs. 15 crore shall be maintained at all times. Till such time, the existing PPI issuers shall continue to maintain the capital requirements applicable to them at the time of their authorisation.

4.8 All authorised non-bank entities shall submit a certificate in the enclosed format (Annex-2) from their Chartered Accountants to evidence compliance with the applicable net-worth requirement as per the audited balance sheet of the financial year within six months of completion of that financial year.

5. Authorisation Process

5.1 A non-bank entity desirous of setting up payment systems for issuance of PPIs shall apply for authorisation in Form A (available on RBI website) as prescribed under Regulation 3(2) of the Payment and Settlement Systems Regulations, 2008 along with the requisite application fees.

5.2 The applications shall be initially screened by RBI to ensure prima facie eligibility of the applicants. The directors of the applicant entity shall submit a declaration in the enclosed format (Annex-3). RBI shall also check ‘fit and proper’ status of the applicant and management by obtaining inputs from other regulators, government departments, etc., as deemed fit. Applications of those entities not meeting the eligibility criteria, or those which are incomplete / not in the prescribed form with all details, shall be returned without refund of the application fees.

5.3 In addition to the compliance with the applicable guidelines, RBI shall also apply checks, inter-alia, on certain essential aspects like customer service and efficiency, technical and other related requirements, safety and security aspects, etc. before granting in-principle approval to the applicants.

5.4 Subject to meeting the eligibility criteria and other conditions, the RBI shall issue an ‘in-principle’ approval, which shall be valid for a period of six months. The entity shall submit a satisfactory System Audit Report (SAR) to RBI within these six months, failing which the in-principle approval shall lapse automatically. SAR shall be accompanied by a certificate from the Chartered Accountant regarding compliance with the requirement of minimum positive net-worth of Rs. 5 crore. An entity can seek one-time extension for a maximum period of six months for submission of SAR by making a request in writing, to DPSS, Central Office, RBI, Mumbai, in advance with valid reasons. The RBI reserves the right to decline such a request for extension.

5.5 Subsequent to the issue of the in-principle approval, if any adverse features regarding the entity / promoters / group or business practices, etc., come to notice, the RBI may impose additional conditions and if warranted, the in-principle approval may be withdrawn.

5.6 Pursuant to receipt of satisfactory SAR and net-worth certificate, the RBI shall grant final Certificate of Authorisation. Entities granted final authorisation shall commence business within six months from the grant of Certificate of Authorisation failing which the authorisation shall lapse automatically. An entity can seek one-time extension for a maximum period of six months by making a request in writing, to DPSS, Central Office, RBI, Mumbai, in advance with valid reasons. The RBI reserves the right to decline such a request for extension.

5.7 The Certificate of Authorisation shall be valid for five years unless otherwise specified and shall be subject to review including cancellation of Certificate of Authorisation.

5.8 Entities seeking renewal of authorisation shall apply in writing to DPSS, RBI, Central Office, Mumbai at least three months before the expiry of validity of Certificate of Authorisation, failing which RBI reserves the right to decline the request for renewal.

5.9 Any proposed major change, such as changes in product features / process, structure or operation of the payment system, etc. shall be communicated with complete details, by way of a letter, addressed to the Chief General Manager, DPSS, RBI, Central Office, Mumbai. RBI shall endeavor to reply within 15 business days after receipt of above communication at DPSS, RBI, Central Office, Mumbai.

5.10 Any takeover or acquisition of control or change in management of a non-bank entity shall be communicated by way of a letter to the Chief General Manager, DPSS, RBI, Central Office, Mumbai within 15 days with complete details, including ‘Declaration and Undertaking’ (Annex-3) by each of the new directors, if any. RBI shall examine the ‘fit and proper’ status of the management and, if required, may place suitable restrictions on such changes.

6. Safeguards against Money Laundering (KYC / AML / CFT) Provisions

6.1 The Know Your Customer (KYC) / Anti-Money Laundering (AML) / Combating Financing of Terrorism (CFT) guidelines issued by the Department of Banking Regulation (DBR), RBI, in their “Master Direction – Know Your Customer (KYC) Directions” updated from time to time, shall apply mutatis mutandis to all the entities issuing PPIs and their agents.

6.2 As PPI issuers are operating a Payment System, provisions of Prevention of Money Laundering Act, 2002 and Rules framed thereunder, as amended from time to time, are also applicable to all PPI issuers. All entities shall put in place necessary systems to ensure compliance with these guidelines.

6.3 PPI issuers shall maintain a log of all the transactions undertaken using the PPIs for at least ten years. This data shall be made available for scrutiny to RBI or any other agency / agencies as may be advised by RBI. The PPI issuers shall also file Suspicious Transaction Reports (STRs) to Financial Intelligence Unit-India (FIU-IND).

7. Issuance, loading and reloading of PPIs

7.1 All entities approved / authorised to issue PPIs by RBI are permitted to issue reloadable or non-reloadable PPIs depending upon the permissible type / category of PPIs as laid down in paragraph 9 and 10 of these Directions.

7.2 PPI issuers shall have a clear laid down policy, duly approved by their Board, for issuance of various types / categories of PPIs and all activities related thereto.

7.3 PPI issuers shall ensure that the name of the company which has received approval / authorisation for issuance and operating of PPIs, is prominently displayed along with the PPI brand name in all instances. The authorised entities shall also regularly keep RBI informed regarding the brand names employed / to be employed for their products.

7.4 PPI issuers shall ensure that no interest is payable on PPI balances.

7.5 PPIs shall be permitted to be loaded / reloaded by cash, by debit to a bank account, by credit and debit cards, and other PPIs (as permitted from time to time). The electronic loading / reloading of PPIs shall be through above payment instruments issued only by regulated entities in India and shall be in INR only.

7.6 Cash loading to PPIs shall be limited to Rs.50,000/- per month subject to overall limit of the PPI.

7.7 The PPIs may be issued as cards, wallets, and any such form / instrument which can be used to access the PPI and to use the amount therein. PPIs in the form of paper vouchers shall no longer be issued from the date of this Master Direction except for Meal Paper Vouchers where separate timeline has been indicated.

7.8 Banks shall be permitted to issue and reload PPIs at their branches, ATMs and through their BCs appointed as per the guidelines issued by RBI in this regard.

7.9 Banks and non-banks shall be permitted to issue and reload such payment instruments through their authorised outlets or through their authorised / designated agents subject to following conditions:-

  1. There shall be a Board approved policy clearly laying down the framework for engaging agents for the purpose of issuance and reloading of PPIs.

  2. Issuers shall carry out proper due diligence of the persons appointed as authorised / designated agents for issue / reloading of permissible categories of PPIs.

  3. Issuers shall be responsible for all the PPIs issued by the authorised / designated agents.

  4. Issuers shall be responsible as the principal for all acts of omission or commission of their authorised / designated agents, including safety and security aspects.

  5. Issuers shall ensure preservation of records and confidentiality of customer information in their possession as well as in the possession of their authorised / designated agents.

  6. The PPI issuers shall regularly monitor the activities of their authorised / designated agents and also carry out a review of the performance of various agents engaged by them at least once in a year.

  7. Issuers and their authorised / designated agents shall ensure adherence to applicable laws of the land, including KYC / AML / CFT norms as indicated in paragraph 6.

7.10 PPI issuers shall ensure that there is no co-mingling of funds originating from any other activity that the Issuer may be undertaking such as BCs of bank/s, intermediary for payment aggregation, payment gateway facility, etc.

7.11 PPIs under co-branding arrangements:

  1. The co-branding arrangement shall be as per the Board approved policy of the PPI issuer. The policy shall specifically address issues pertaining to the various risks associated with such an arrangement including reputation risk and the PPI issuer shall put in place suitable risk mitigation measures. The policy shall also clearly lay down the roles, responsibilities and obligations of each co-branding partner.

  2. The co-branding partner shall be a company incorporated in India and registered under the Companies Act 1956 / Companies Act 2013. In case the co-branding partner is a bank, then the same shall be a bank licensed by RBI.

  3. PPI issuers shall carry out due diligence in respect of the co-branding partner to protect themselves against the reputation risk they are exposed to in such an arrangement. In case of proposed tie up with a financial entity, they may ensure that that entity has the approval of its regulator for entering into such arrangement.

  4. The instructions / guidelines on KYC / AML / CFT (as indicated in paragraph 6) shall be adhered to, in respect of all PPIs issued under the co-branding arrangement as well.

  5. The PPI issuer shall be liable for all acts of the co-branding partner. The Issuers shall also be responsible for all customer related aspects of the PPIs.

  6. PPI issuers shall be permitted to co-brand such instruments with the name / logo of the company for whose customers / beneficiaries such co-branded instruments are to be issued.

  7. The name of PPI issuer shall be prominently visible on the payment instrument.

  8. In case of non-bank PPI issuers, where co-branding arrangements take place between two non-bank PPI issuers, the agreement shall clearly indicate which partner shall be the PPI Issuer.

  9. All non-bank PPI issuers desirous of issuing such co-branded PPIs shall seek one time approval from DPSS, RBI, Central Office. Separate approval is not required for each co-branding arrangement.

  10. In case of co-branding arrangements between bank and non-bank entity, the bank shall be the PPI Issuer. The role of the non-bank entity shall be limited to marketing / distribution of the PPIs or providing access to the PPI holder to the services that are offered.

  11. In case of co-branding arrangement between two banks, then the PPI issuing bank shall ensure compliance to above instructions.

  12. Bank PPI issuers shall also adhere to the instructions contained in the circular DBOD.No.FSD.BC.67/24.01.019/2012-13 dated December 12, 2012, as amended from time to time.

7.12 All PPI issuers already having co-branding arrangements at the time of issuance of this Master Direction shall review their existing arrangements to meet the above requirements on or before December 31, 2017. The details of all the existing co-branding arrangements by all PPI issuers shall be reported to DPSS, RBI, Central Office, Mumbai within one month of release of this Master Direction in the format enclosed (Annex-4). Further, any new arrangement shall also be reported to RBI within seven days of finalisation of arrangement.

7.13 Prepaid meal instruments: Banks and non-bank entities issuing PPIs in the form of prepaid meal instruments, shall ensure that these are issued only as semi-closed PPIs, are in electronic form and reloadable. No cash withdrawal or funds transfer shall be permitted from such instruments. Such PPIs need not be issued as a separate category of PPI. No prepaid meal instruments in paper voucher form shall be issued after February 28, 2018.

7.14 There shall be no remittance without compliance to KYC requirements. PPI issuers, including their agents, shall not create new PPIs each time for facilitating cash-based remittances to other PPIs / bank accounts. PPIs created for previous remittance by the same person shall be used.

8. Cross-Border Transactions

The use of INR denominated PPIs for cross border transactions shall not be permitted except as under:

8.1 PPIs for cross-border outward transactions

  1. KYC compliant reloadable semi-closed and open system PPIs issued by banks having AD-I licence shall be permitted to be used in cross-border outward transactions (only for permissible current account transactions under FEMA viz. purchase of goods and services), subject to adherence to extant norms governing such transactions.

  2. PPIs shall not be used for any cross-border outward fund transfer and/or for making remittances under the Liberalised Remittance Scheme. Prefunding of online merchant’s account shall not be permitted using such Rupee denominated PPIs.

  3. Issuers shall enable the facility of cross-border outward transactions only on explicit request of the PPI holders and shall apply a per transaction limit not exceeding Rs.10,000/-, while per month limit shall not exceed Rs. 50,000/- for such cross-border transactions.

  4. In case this facility is made available by issuing the PPI in card form, then this PPI shall be EMV Chip and PIN compliant.

  5. Such PPIs need not be issued as a separate category of PPI.

8.2 PPIs for credit towards cross-border inward remittance

  1. Bank and non-bank PPI issuers, who have been appointed as the Indian agent of the authorised overseas principal, shall be permitted to issue PPIs to beneficiaries of inward remittance under the Money Transfer Service Scheme (MTSS) of the RBI.

  2. Authorised non-bank PPI issuers shall be permitted to issue such PPIs for a period of three years, from the date of this Master Direction, subject to review.

  3. The PPIs shall be KYC compliant, reloadable and issued only in electronic form, including cards.

  4. Such PPIs shall be issued in adherence to extant norms under the MTSS Guidelines issued by Foreign Exchange Department, RBI.

  5. Amounts only upto Rs.50,000/- from individual inward MTSS remittance shall be permitted to be loaded / reloaded in PPIs issued to beneficiaries. Amount in excess of Rs.50,000/- under MTSS shall be paid by credit to a bank account of the beneficiary. Full details of the transactions shall be maintained on record for scrutiny.

  6. The roles and responsibilities of the PPI issuers for the PPI related activities shall be distinct from the roles and responsibilities as Indian Agents under MTSS.

  7. Such PPIs need not be issued as a separate category of PPI.

8.3 Foreign Exchange PPIs: Entities authorized under the Foreign Exchange Management Act (FEMA) to issue foreign exchange denominated PPIs are outside the purview of this Master Direction.

9. Types of PPIs

9.1 Semi-closed PPIs by bank and non-bank PPI Issuers

Semi-closed PPIs issued by banks and non-banks would have same features, unless otherwise specified.

(i) PPIs upto Rs.10,000/- by accepting minimum details of the PPI holder

  1. Bank and non-bank Issuers shall be permitted to issue these PPIs after obtaining minimum details of the PPI holder.

  2. The minimum details shall include mobile number verified with One Time Pin (OTP) and self-declaration of name and unique identification number of any of the ‘officially valid document’ defined under Rule 2(d) of the PML Rules 2005, as amended from time to time.

  3. These PPIs shall be reloadable in nature and issued only in electronic form, including cards.

  4. The amount loaded in such PPIs during any month shall not exceed Rs.10,000/- and the total amount loaded during the financial year shall not exceed Rs.1,00,000/-.

  5. The amount outstanding at any point of time in such PPIs shall not exceed Rs.10,000/-

  6. The total amount debited from such PPIs during any given month shall not exceed Rs. 10,000/-.

  7. These PPIs shall be used only for purchase of goods and services. Funds transfer from such PPIs to bank accounts and also to PPIs of same / other issuers shall not be permitted.

  8. There is no separate limit on purchase of goods and services using PPIs and PPI issuer may decide limit for these purposes within the overall PPI limit.

  9. These PPIs shall be converted into KYC compliant semi-closed PPIs (as defined in paragraph 9.1(ii)) within a period of 24 months from the date of issue of PPI, failing which no further credit shall be allowed in such PPIs. However, the PPI holder shall be allowed to use the balance available in the PPI.

  10. PPI issuers shall ensure that this category of PPI is not issued to the same user in future using the same mobile number and same minimum details.

  11. PPI issuers shall give an option to close the PPI at any time and outstanding balance, at the time of closure, shall be transferred at the request of the holder to the ‘own bank account of the PPI holder’ (duly verified by the Issuer), after complying with KYC requirements of the PPI holder. PPI issuers shall also allow to transfer the funds ‘back to source’ (payment source from where the PPI was loaded) at the time of closure.

  12. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

(ii) PPIs upto Rs.1,00,000/- after completing KYC of the PPI holder

  1. Bank and non-bank Issuers shall be permitted to issue these PPIs after completing KYC of the PPI holder (as indicated in paragraph 6).

  2. These PPIs shall be reloadable in nature and issued only in electronic form, including cards.

  3. The amount outstanding shall not exceed Rs.1,00,000/- at any point of time.

  4. The funds can be transferred ‘back to source’ (payment source from where the PPI was loaded) or ‘own bank account of the PPI holder’ (duly verified by the Issuer). However, PPI issuers shall set the limits taking into account the risk profile of the PPI holders, other operational risks, etc.

  5. PPI issuers shall provide the facility of ‘pre-registered beneficiaries’ whereby the PPI holder can register the beneficiaries by providing their bank account details, details of PPIs issued by same issuer (or different issuers as and when permitted), etc.

  6. In case of such pre-registered beneficiaries, the funds transfer limit shall not exceed Rs.1,00,000/- per month per beneficiary. PPI issuers shall set the limits within this ceiling taking into account the risk profile of the PPI holders, other operational risks, etc.

  7. The funds transfer limits for all other cases shall be restricted to Rs.10,000/- per month.

  8. There is no separate limit on purchase of goods and services using PPIs and PPI issuer may decide limit for these purposes within the overall PPI limit.

  9. PPI issuers shall clearly indicate these limits to the PPI holders and also provide necessary options to PPI holders to set their own fund transfer limits.

  10. PPI issuers shall also give an option to close the PPI and transfer the balance as per the applicable limits of this type of PPI. For this purpose, the Issuers shall provide an option, including at the time of issuing the PPI, to the holder to provide details of pre-designated bank account or other PPIs of same issuer (or other issuers as and when permitted) to which the balance amount available in the PPI shall be transferred in the event of closure of PPI, expiry of validity period of such PPIs, etc.

  11. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

(iii) PPIs upto Rs. 10,000/- with loading only from bank account
(inserted vide circular DPSS.CO.PD.No.1198/02.14.006/2019-20 dated December 24, 2019)

  1. Such PPIs shall be issued by bank and non-bank PPI Issuers after obtaining minimum details of the PPI holder.

  2. The minimum details shall necessarily include a mobile number verified with One Time Pin (OTP) and a self-declaration of name and unique identity / identification number of any ‘mandatory document’ or ‘officially valid document’ (OVD) listed in the Master Direction on KYC, as amended from time to time.

  3. These PPIs shall be reloadable in nature and issued in card or electronic form. Loading / Reloading shall be from a bank account and / or credit card.

  4. The amount loaded in such PPIs during any month shall not exceed Rs.10,000 and the total amount loaded during the financial year shall not exceed Rs.1,20,000.

  5. The amount outstanding at any point of time in such PPIs shall not exceed Rs.10,000.

  6. These PPIs shall be used only for purchase of goods and services and not for funds transfer.

  7. PPI issuers shall provide an option to close the PPI at any time and also allow to transfer the funds ‘back to source’ (payment source from where the PPI was loaded) at the time of closure.

  8. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

  9. The minimum detail PPIs existing as on December 24, 2019 can be converted to this type of PPI, if desired by the PPI holder.

9.2 Open system PPIs after completing KYC of the PPI holder

  1. Only banks shall be permitted to issue open system PPIs after completing KYC of the PPI holder (as indicated in paragraph 6).

  2. These PPIs shall be reloadable in nature and issued only in electronic form, including cards.

  3. The amount outstanding shall not exceed Rs.1,00,000/- at any point of time.

  4. The funds can be transferred ‘back to source’ (payment source from where the PPI was loaded) or ‘own bank account of the PPI holder’ (duly verified by the Issuer). However, PPI issuers shall set the limits taking into account the risk profile of the PPI holders, other operational risks, etc.

  5. PPI issuers shall provide the facility of ‘pre-registered beneficiaries’ whereby the PPI holder can register the beneficiaries by providing their bank account details, details of PPIs issued by same issuer (or different issuers as and when permitted), etc.

  6. In case of such pre-registered beneficiaries, the funds transfer limit shall not exceed Rs.1,00,000/- per month per beneficiary. PPI issuers shall set the limits within this ceiling taking into account the risk profile of the PPI holders, other operational risks, etc.

  7. The funds transfer limits for all other cases shall be restricted to Rs.10,000/- per month.

  8. Funds transfer from such PPIs shall also be permitted to other open system PPIs, debit cards and credit cards as per the limits given above.

  9. There is no separate limit on purchase of goods and services using PPIs and PPI issuer may decide limit for these purposes within the overall PPI limit.

  10. PPI issuers shall clearly indicate these limits to the PPI holders and also provide necessary options to PPI holders to set their own fund transfer limits.

  11. PPI issuers shall also give an option to close the PPI and transfer the balance as per the applicable limits of this type of PPI. For this purpose, the Issuers shall provide an option, including at the time of issuing the PPI, to the holder to provide details of pre-designated bank account or other PPIs of same issuer (or other issuers as and when permitted) to which the balance amount available in the PPI shall be transferred in the event of closure of PPI, expiry of validity period of such PPIs, etc.

  12. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

10. Specific categories of PPIs

From the date of issuance of this Master Direction, PPI issuers shall cease to issue PPIs of any other category as permitted earlier except the following two categories:

10.1 Gift instruments

Banks and non-bank entities are permitted to issue prepaid gift instruments subject to the following conditions:

  1. Maximum value of each prepaid gift instrument shall not exceed Rs.10,000/-.

  2. These instruments shall not be reloadable.

  3. Cash-out or refund or funds transfer shall not be permitted for such instruments.

  4. KYC details of the purchasers of such instruments shall be maintained by the PPI Issuer. Separate KYC would not be required for customers who are issued such instruments against debit to their bank accounts and / or credit cards in India.

  5. Entities shall adopt a risk based approach, duly approved by their Board, in deciding the number of such instruments which can be issued to a customer, transaction limits, etc.

  6. The gift instruments may be revalidated (including through issuance of new instrument) as per the Board approved policy of the issuer.

  7. The provisions of paragraph 13 on validity and redemption, as applicable, shall be adhered to.

  8. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

10.2 PPIs for Mass Transit Systems (PPI-MTS)

  1. These semi-closed PPIs shall be issued by mass transit system operators after authorisation to issue and operate such PPIs under the PSS Act.

  2. The PPI-MTS shall necessarily contain the Automated Fare Collection application related to the transit service to qualify as PPI-MTS.

  3. Apart from the mass transit system, such PPI-MTS shall be used only at other merchants whose activities are allied / related to or are carried on within the premises of the transit system.

  4. The issuer may decide about the customer details, if any, required to be obtained for issuance of such PPIs.

  5. The PPI-MTS issued shall be reloadable in nature and the maximum value outstanding in PPI cannot exceed the limit of Rs. 3,000/- at any point of time.

  6. Cash-out or refund or funds transfer shall not be permitted from these PPIs.

  7. Other requirements such as escrow arrangement, customer grievance redressal mechanism, agent due diligence, reporting and MIS requirements, etc. applicable to issuance of PPIs (as indicated under various paragraphs of this Master Direction) shall also be applicable in respect of PPI-MTS.

  8. These PPIs may be revalidated (including through issuance of new instrument) as per the Board approved policy of the issuer.

  9. The provisions of paragraph 13 on validity and redemption, as applicable, shall be adhered to.

  10. The features of such PPIs shall be clearly communicated to the PPI holder by SMS / e-mail / post or by any other means at the time of issuance of the PPI / before the first loading of funds.

11. Conversion of existing PPIs issued by banks and non-banks

  1. PPI issuers shall give an option to all PPI holders to convert the existing semi-closed and open system PPIs issued to them (as per various types / categories permitted earlier) into any type of the PPIs as indicated in paragraph 9. After carrying out the applicable due diligence for that type of PPI, this conversion shall be completed on or before February 28, 2018. For example, if any of the existing PPI is converted into KYC compliant semi-closed PPI, then the same has to be done only after doing the KYC of the PPI holder (as indicated in paragraph 6).

  2. Where PPI holders have not exercised the option as at (a) above, the PPIs issued to them shall mandatorily be converted into minimum detail PPIs as indicated in paragraph 9.1 (i) on March 01, 2018 with all the applicable features.

  3. No further credit / loading shall be allowed in such PPIs till all the minimum details (as indicated in paragraph 9.1 (i)) are obtained. However, the PPI holders shall be allowed to use the existing balance for purchase of goods and services.

  4. PPI issuers shall make their customers aware of these changes and shall also give all such existing PPI holders a one-time option to transfer the outstanding balance in the PPI to a bank account without any transaction limit. No charges shall be levied by the PPI issuers on the PPI holders for such funds transfer. This shall be completed on or before February 28, 2018.

  5. For existing minimum detail semi-closed PPIs, where the outstanding balance is more than Rs. 10,000/- further loading shall not be allowed till the balance is reduced to below Rs. 10,000/-, after which the limits as indicated in paragraph 9.1(i) shall be applicable. The funds transfer facility shall not be permitted from the date of issue of these Directions except for one-time option for outstanding balance as per the details at 11 (d).

  6. PPI issuers shall separately maintain the data relating to migration of existing PPIs for submission of the same to RBI, as and when required.

12. Deployment of Money Collected

12.1 To ensure timely settlement, the non-bank PPI issuer shall invest the money collected against issuance of PPIs only as provided herein.

12.2 For the schemes operated by banks, the outstanding balance shall be part of the ‘net demand and time liabilities’ for the purpose of maintenance of reserve requirements. This position will be computed on the basis of the balances appearing in the books of the bank as on the date of reporting.

12.3 Non-bank PPI issuers are required to maintain their outstanding balance in an escrow account with any scheduled commercial bank. An additional escrow account may be maintained with a different scheduled commercial bank at the discretion of the PPI issuer. For the purpose of maintenance of escrow account, payment systems operated by non-bank entities for issuance of PPIs shall be deemed to be ‘designated payment systems’ under Section 23A of the PSS Act, 2007 (as amended in 2015). Maintenance of escrow balance shall be subject to the following conditions:-

(i) (Deleted)

(ii) In case there is a need to shift the escrow account from one bank to another, the same shall be effected in a time-bound manner without unduly impacting the payment cycle to merchants. Migration shall be completed in the minimum possible time with prior intimation to RBI.

(iii) The balance in the escrow account shall not, at the end of the day, be lower than the value of outstanding PPIs and payments due to merchants. While as far as possible PPI issuers shall ensure immediate credit of funds to escrow on issue, load / reload of PPIs to the PPI holders, under no circumstance such credit to escrow account shall be later than the close of business day (the day on which the PPI has been issued, loaded / reloaded). This shall be monitored by the non-bank PPI issuer on a daily basis and any shortfall shall be immediately reported to the respective Regional Office of DPSS, RBI.

(iv) Only the following debits and credits shall be permitted in the escrow account; in case where an additional escrow account is being maintained, credit and debit from one escrow account to the other shall also be permitted. However, inter-escrow transfers shall be avoided as far as possible and if resorted to, auditor’s certification shall clearly mention such transactions:

Credits

  1. Payments received towards issue, load / reload of PPIs, including at agent locations.

  2. Refunds received for failed / disputed / returned / cancelled transactions.

  3. Payments received from sponsor bank towards settlement obligations from participation in interoperable payment systems, as permitted by RBI from time to time.

Debits

  1. Payments to various merchants / service providers towards reimbursement of claims received from them.

  2. Payment to sponsor bank for processing funds transfer instructions received from PPI holders as permitted by RBI from time to time.

  3. Payments made to sponsor bank towards settlement obligations from participation in interoperable payment systems, as permitted by RBI from time to time.

  4. Payment towards applicable Government taxes (received along with PPI sale / reload amount from the buyers).

  5. Refunds towards cancellation of transactions in a PPI in case of PPIs loaded / reloaded erroneously or through fraudulent means (on establishment of erroneous transfer / fraud). The funds shall be credited back to the same source from where these were received. These funds are not to be forfeited till the disposal of the case.

  6. Any other payment due to the PPI issuer in the normal course of operating the PPI business (for instance, service charges, forfeited amount, commissions, etc.).

  7. Any other debit as directed by the regulator / courts / law enforcement agencies.

Note: (1) The payment towards service charges, commission and forfeited amount shall be at pre-determined rates / frequency. Such transfers shall only be effected to a designated bank account of the PPI issuer as indicated in the agreement with the bank where escrow account is maintained. (2) All these provisions shall be part of Service Level Agreement that will be signed between the PPI issuer and the bank maintaining escrow account.

(v) The agreement between the issuer / operator and the bank maintaining escrow account shall include a clause enabling the bank to use the money in the escrow account only for purposes mentioned in these Directions.

(vi) Settlement of funds with merchants shall not be co-mingled with other business, if any, handled by the PPI issuer.

(vii) No interest shall be payable by the bank on such balances, except as indicated in paragraph 12.4 below.

(viii) PPI issuers shall be required to submit the list of merchants acquired by them to the bank and update the same from time to time. The bank shall be required to ensure that payments are made only to eligible merchants / purposes. There shall be an exclusive clause in the agreement signed between the PPI issuer and bank maintaining escrow account towards usage of balance in escrow account only for the purposes mentioned above.

(ix) With the growing acceptance of PPIs in e-commerce payments, including in digital market places, the payment mechanism is often facilitated using the services of payment aggregators / payment gateways. In such a scenario, the emerging practice observed is that the PPI Issuer has the necessary agreements with the digital market place and / or the payment aggregator / gateway rather than the individual merchants who are accepting the PPIs issued by the Issuer as a payment instrument. In view of the above, PPI issuers shall obtain an undertaking from the digital market place and / or payment aggregator / gateway that the payments made by the Issuers are used for onward payments to the respective merchants. Such undertaking shall be submitted by the Issuers to the bank maintaining the escrow account.

(x) A certificate (format enclosed Annex-5) signed by the auditor(s), shall be submitted by the authorised entities to the respective Regional Office of DPSS, RBI on a quarterly basis certifying that the entity has been maintaining adequate balance(s) in the escrow account(s) to cover outstanding value of PPIs issued and payments due to merchants. In case, an additional escrow account is being maintained, it shall be ensured that balances in both accounts are considered for the above certification. This shall also be indicated in the certificate. The same auditor shall be employed to audit both escrow accounts. The certificate shall be submitted within a fortnight from the end of quarter to which it pertains. Entities shall also submit an annual certificate (Annex-5), signed by the auditor, coinciding with accounting year of the entity to RBI.

(xi) Adequate records indicating the daily position of the value of instruments outstanding and payments due to merchants vis-à-vis balances maintained with the banks in the escrow accounts shall be made available for scrutiny to RBI or the bank where the account is maintained on demand.

12.4 As an exception to paragraph 12.3 (vii), the non-bank PPI issuer can enter into an agreement with the bank maintaining the escrow account, to transfer "core portion" of the amount, in the escrow account to a separate account on which interest is payable, subject to the following:-

a) The bank shall satisfy itself that the amount deposited represents the "core portion" after due verification of necessary documents.

b) The amount shall be linked to the escrow account, i.e. the amounts held in the interest bearing account shall be available to the bank, to meet payment requirements of the entity, in case of any shortfall in the escrow account.

c) This facility is permissible to entities who have been in business for at least one year (26 fortnights) and whose accounts have been duly audited for the full accounting year.

d) No loan is permissible against such deposits. Banks shall not issue any deposit receipts or mark any lien on the amount held in such form of deposits.

e) Core portion shall be calculated separately for each of the escrow accounts and will remain linked to the respective escrow account. Escrow balance and core portion maintained shall be clearly disclosed in the auditors’ certificates submitted to RBI on quarterly and annual basis.

Note: For the purpose of these Directions, "Core Portion" shall be computed as under:-

Step 1: Compute lowest daily outstanding balance (LB) on a fortnightly (FN) basis, for one year (26 fortnights) from the preceding month.
Step 2: Calculate the average of the lowest fortnightly outstanding balances [(LB1 of FN1+ LB2 of FN2+ ........+ LB26 of FN26) divided by26].
Step 3: The average balance so computed represents the "Core Portion" eligible to earn interest.

13. Validity and Redemption

13.1 All PPIs issued in the country shall have a minimum validity period of one year from the date of last loading / reloading in the PPI. PPI issuers are free to issue PPIs with a longer validity. In case the PPI is issued in the form of card (with validity period mentioned on the card), then the customer shall have the option to seek replacement of the card.

13.2 PPI issuers shall caution the PPI holder at reasonable intervals, during the 45 days’ period prior to expiry of the validity period of the PPI. The caution advice shall be sent by SMS / e-mail / post or by any other means in the language preferred by the holder indicated at the time of issuance of the PPI.

13.3 Non-bank PPI issuers cannot transfer the outstanding balance to their Profit & Loss account for at least three years from the expiry date of PPI. In case the PPI holder approaches the PPI issuer for refund of such amount, at any time after the expiry date of PPI, then the same shall be paid to the PPI holder in a bank account.

13.4 Banks issuing PPIs shall be guided by the instructions on Depositor Education and Awareness Fund issued by Department of Banking Regulation, RBI, vide, circular DBOD.No.DEAF Cell.BC.101/30.01.002/2013-14 dated March 21, 2014, as amended from time to time.

13.5 Issuers shall clearly indicate the expiry period of the PPI to the customer at the time of issuance of PPIs. Such information shall be clearly enunciated in the terms and conditions of sale of PPI. Where applicable, it shall also be clearly outlined on the website / mobile application of the issuer.

13.6 PPIs with no financial transaction for a consecutive period of one year shall be made inactive by the PPI issuers after sending a notice to the PPI holder/s. These can be reactivated only after validation and applicable due diligence. These PPIs shall be reported to RBI separately.

13.7 The holders of PPIs shall be permitted to redeem the outstanding balance in the PPI, if for any reason the scheme is being wound-up or is directed by RBI to be discontinued.

14. Transactions Limits

14.1 The holder is allowed to use the PPI for these purposes within the overall PPI limit applicable. PPI issuers shall decide to put in place such limits taking into account the risk perception of the holders as per their risk management policy.

14.2 All financial limits indicated against each type / category of the PPI shall be strictly adhered to.

14.3 Handling refunds:

a) Refunds in case of failed / returned / rejected / cancelled transactions shall be applied to the respective PPI immediately, to the extent that payment was made initially by debit to the PPI, even if such application of funds results in exceeding the limits prescribed for that type / category of PPI.

b) However, refunds in case of failed / returned / rejected / cancelled transactions using any other payment instrument shall not be credited to PPI.

c) PPI issuers shall be required to maintain complete details of such returns / refunds, etc., and be in readiness to provide them as and when called for.

d) Further, PPIs issuers shall also put in place necessary systems that enable them to monitor frequent instances of refunds taking in place in specific PPIs and be in a position to substantiate with proof for audit / scrutiny purposes.

14.4 In the case of open system PPIs, cash withdrawal at Point of Sale (POS) terminals shall be permitted upto a limit of Rs.2000/- per day in rural areas and Rs.1000/- per day in other areas, subject to the same conditions as applicable hitherto to debit cards (for cash withdrawal at POS).

15. Security, Fraud prevention and Risk Management Framework

15.1 A strong risk management system is necessary for the PPI issuers to meet the challenges of fraud and ensure customer protection. PPI issuers shall put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.

15.2 All PPI issuers shall put in place Board approved Information Security policy for the safety and security of the payment systems operated by them, and implement security measures in accordance with this policy to mitigate identified risks. PPI issuers shall review the security measures (a) on on-going basis but at least once a year, (b) after any security incident or breach, and (c) before / after a major change to their infrastructure or procedures.

15.3 PPI issuers shall ensure that the following framework is put in place to address the safety and security concerns, and for risk mitigation and fraud prevention:

  1. In case of wallets, PPI issuers shall ensure that if same login is provided for the PPI and other services offered by the PPI Issuer, then the same shall be clearly informed to the customer by SMS or email or post or by any other means. The option to logout from the website / mobile account shall be provided prominently.

  2. Issuers shall put in place appropriate mechanisms to restrict multiple invalid attempts to login / access to the PPI, inactivity, timeout features, etc.

  3. Issuers shall introduce a system where every successive payment transactions in wallet is authenticated by explicit customer consent.

  4. Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards, except in case of PPIs issued under PPI-MTS.

  5. Issuers shall provide customer induced options for fixing a cap on number of transactions and transaction value for different types of transactions / beneficiaries. Customers shall be allowed to change the caps, with additional authentication and validation.

  6. Issuers shall put in place a limit on the number of beneficiaries that may be added in a day per PPI.

  7. Issuers shall introduce a system of alert when a beneficiary is added.

  8. PPI issuers shall put in place suitable cooling period for funds transfer upon opening the PPI or loading / reloading of funds into the PPI or after adding a beneficiary so as to mitigate the fraudulent use of PPIs.

  9. Issuers shall put in place a mechanism to send alerts when transactions are done using the PPIs. In addition to the debit or credit amount intimation, the alert shall also indicate the balance available / remaining in the PPI after completion of the said transaction.

  10. Issuers shall put in place mechanism for velocity check on the number of transactions effected in a PPI per day / per beneficiary.

  11. Issuers shall also put in place suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions including loading / reloading funds into the PPI.

  12. Issuers shall put in place suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions.

15.4 The requirements prescribed here are minimum and the entities may deploy additional checks and balances, as considered appropriate.

15.5 PPI issuers shall put in place centralised database / management information system (MIS) to prevent multiple purchase of PPIs at different locations, leading to circumvention of limits, if any, prescribed for their issuance.

15.6 Where direct interface is provided to their authorised / designated agents, PPI issuers shall ensure that the compliance to regulatory requirements is strictly adhered to by these systems also.

15.7 PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.

16. Customer Protection and Grievance Redressal Framework

16.1 PPI issuers shall disclose all important terms and conditions in clear and simple language (preferably in English, Hindi and the local language) to the holders while issuing the instruments. These disclosures shall include:

  1. All charges and fees associated with the use of the instrument.

  2. The expiry period and the terms and conditions pertaining to expiration of the instrument.

16.2 PPI issuers shall put in place a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible. The framework shall include, at the minimum, the following:

  1. PPI issuers shall disseminate the information of their customer protection and grievance redressal policy in simple language (preferably in English, Hindi and the local language).

  2. PPI issuers shall clearly indicate the customer care contact details, including details of nodal officials for grievance redressal (telephone numbers, email address, postal address, etc.) on website, mobile wallet apps, and cards.

  3. PPI agents shall display proper signage of the PPI Issuer and the customer care contact details as at (b) above.

  4. PPI issuers shall provide specific complaint numbers for the complaints lodged along with the facility to track the status of the complaint by the customer.

  5. PPI issuers shall initiate action to resolve any customer complaint / grievance expeditiously, preferably within 48 hours and resolve the same not later than 30 days from the date of receipt of such complaint / grievance.

  6. PPI Issuers shall display the detailed list of their authorized / designated agents (name, agent ID, address, contact details, etc.) on the website / mobile app.

16.3 PPI issuers shall create sufficient awareness and educate customers in the secure use of the PPIs, including the need for keeping passwords confidential, procedure to be followed in case of loss or theft of card or authentication data or if any fraud / abuse is detected, etc.

16.4 Bank PPI issuers shall continue to be guided by RBI circulars DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 6, 2017 or DCBR.BPD.(PCB/RCB).Cir.No.06/12.05.001/2017-18 dated December 14, 2017, as applicable on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions.

16.4.1 Non-bank PPI issuers shall be guided by the following guidelines, which have been inserted as per DPSS circular DPSS.CO.PD.No.1417/02.14.006/2018-19 dated January 04, 2019 on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions (applicable from March 01, 2019).

16.4.2 With a view to further strengthen customer protection for the PPIs which are issued by authorised non-bank PPI issuers, the criteria for determining the customers’ liability in unauthorised electronic payment transactions resulting in debit to their PPIs have been reviewed as under:

Applicability

16.4.3 The provisions of these paragraphs will be applicable to all authorised non-bank PPI issuers. PPIs issued under the arrangement of PPI-MTS as per paragraph 10.2 will be outside the purview of these paragraphs except for the cases of contributory fraud / negligence / deficiency on the part of the PPI-MTS issuer.

Categories of electronic payment transactions

16.4.4 For the purpose of these paragraphs, electronic payment transactions have been divided into two categories:

  1. Remote / Online payment transactions (transactions that do not require physical PPIs to be presented at the point of transactions e.g. wallets, card not present (CNP) transactions, etc.).

  2. Face-to-face / Proximity payment transactions (transactions which require the physical PPIs such as cards or mobile phones to be present at the point of transactions e.g. transactions at Point of Sale, etc.).

16.4.5 Reporting of unauthorised payment transactions by customers to non-bank PPI issuers

  1. Non-bank PPI issuers shall ensure that their customers mandatorily register for SMS alerts and wherever available also register for e-mail alerts, for electronic payment transactions.

  2. The SMS alert for any payment transaction in the account shall mandatorily be sent to the customers and e-mail alert may additionally be sent, wherever registered. The transaction alert should have a contact number and / or e-mail id on which a customer can report unauthorised transactions or notify the objection.

  3. Customers shall be advised to notify the non-bank PPI issuer of any unauthorised electronic payment transaction at the earliest and, shall also be informed that longer the time taken to notify the non-bank PPI issuer, higher will be the risk of loss to the non-bank PPI issuer / customer.

  4. To facilitate this, non-bank PPI issuers shall provide customers with 24x7 access via website / SMS / e-mail / a dedicated toll-free helpline for reporting unauthorised transactions that have taken place and / or loss or theft of the PPI.

  5. Further, a direct link for lodging of complaints, with specific option to report unauthorised electronic payment transactions shall be provided by non-bank PPI issuers on mobile app / home page of their website / any other evolving acceptance mode.

  6. The loss / fraud reporting system so established shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by non-bank PPI issuers to send alerts and receive their responses thereto shall record time and date of delivery of the message and receipt of customer’s response, if any. This shall be important in determining the extent of a customer’s liability. On receipt of report of an unauthorised payment transaction from the customer, non-bank PPI issuers shall take immediate action to prevent further unauthorised payment transactions in the PPI.

Limited liability of a customer

16.4.6 A customer’s liability arising out of an unauthorised payment transaction will be limited to:

Customer liability in case of unauthorised electronic payment transactions through a PPI
S. No. Particulars Maximum Liability of Customer
(a) Contributory fraud / negligence / deficiency on the part of the non-bank PPI issuer, including PPI-MTS issuer (irrespective of whether or not the transaction is reported by the customer) Zero
(b) Third party breach where the deficiency lies neither with the non-bank PPI issuer nor with the customer but lies elsewhere in the system, and the customer notifies the non-bank PPI issuer regarding the unauthorised payment transaction. The per transaction customer liability in such cases will depend on the number of days lapsed between the receipt of transaction communication by the customer from the non-bank PPI issuer and the reporting of unauthorised transaction by the customer to the non-bank PPI issuer -  
i. Within three days# Zero
ii. Within four to seven days# Transaction value or ₹ 10,000/- per transaction, whichever is lower
iii. Beyond seven days# As per the Board approved policy of the non-bank PPI issuer
(c) In cases where the loss is due to negligence by a customer, such as where he / she has shared the payment credentials, the customer will bear the entire loss until he / she reports the unauthorised transaction to the non-bank PPI issuer. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the non-bank PPI issuer.
(d) Non-bank PPI issuers may also, at their discretion, decide to waive off any customer liability in case of unauthorised electronic payment transactions even in cases of customer negligence.
# The number of days mentioned above shall be counted excluding the date of receiving the communication from the non-bank PPI issuer.

The above shall be clearly communicated to all PPI holders.

Reversal timeline for zero liability / limited liability of a customer

16.4.7 On being notified by the customer, the non-bank PPI issuer shall credit (notional reversal) the amount involved in the unauthorised electronic payment transaction to the customer’s PPI within 10 days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any), even if such reversal breaches the maximum permissible limit applicable to that type / category of PPI. The credit shall be value-dated to be as of the date of the unauthorised transaction.

16.4.8 Further, non-bank PPI issuers shall ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the non-bank PPI issuer’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraph 16.4.6 above. In case the non-bank PPI issuer is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the amount as prescribed in paragraph 16.4.6 shall be paid to the customer, irrespective of whether the negligence is on the part of customer or otherwise.

Board approved policy for customer protection

16.4.9 Taking into account the risks arising out of unauthorised debits to PPIs owing to customer negligence / non-bank PPI issuer negligence / system frauds / third party breaches, non-bank PPI issuers need to clearly define the rights and obligations of customers in case of unauthorised payment transactions in specified scenarios. Non-bank PPI issuers shall formulate / revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic payment transactions and customer liability in such cases of unauthorised electronic payment transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic payment transactions and also prescribe the timelines for effecting such compensation. Non-bank PPI issuers shall provide the details of their Board approved policy in regard to customers’ liability formulated in pursuance of the provisions of paragraph 15 and 16 of PPI MD, to all customers at the time of issuing the PPI. Non-bank PPI issuers shall display their Board approved policy, along with the details of grievance handling / escalation procedure, in public domain / website / app for wider dissemination.

Burden of proof

16.4.10 The burden of proving customer liability in case of unauthorised electronic payment transactions shall lie on the non-bank PPI issuer.

Reporting and monitoring requirements

16.4.11 Non-bank PPI issuers shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter-alia, include volume / number of cases and the aggregate value involved and distribution across various categories of cases. The Board or one of its Committees shall periodically review the unauthorised electronic payment transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redressal mechanism and take appropriate measures to improve the systems and procedures.

16.5 PPI issuers shall provide an option for the PPI holders to generate / receive account statements for at least past 6 months. The account statement shall, at the minimum, provide details such as date of transaction, debit / credit amount, net balance and description of transaction. Additionally, the PPI issuers shall provide transaction history for at least 10 transactions.

16.6 In case of PPIs issued by banks, customers shall have recourse to the Banking Ombudsman Scheme for grievance redressal.

16.7 Non-bank PPI issuers shall report regarding the receipt of complaints and action taken status thereon in the enclosed format (Annex-6) on a Quarterly basis by the 10th of the following month to the respective Regional Office of DPSS, RBI. Banks shall submit the same report to DPSS, Mumbai Regional Office, RBI.

16.8 PPI issuers shall ensure transparency in pricing and the charge structure as under:

  1. Ensure uniformity in charges at agent level.

  2. Disclosure of charges for various types of transactions on its website, mobile app, agent locations, etc.

  3. Specific agreements with agents prohibiting them from charging any fee to the customers directly for services rendered by them on behalf of the PPI issuers.

  4. Require each retail outlet / sub-agent to post a signage indicating their status as service providers for the PPI issuer and the fees for all services available at the outlet.

  5. The amount collected from the customer shall be acknowledged by issuing a receipt (printed or electronic) on behalf of the PPI issuer.

16.9 PPI issuers shall be responsible for addressing all customer service aspects related to all PPIs (including co-branded PPIs) issued by them as well as their agents.

16.10 PPI issuers shall also display Frequently Asked Questions (FAQs) on their website / mobile app related to the PPIs.

17. Information System Audit

17.1 Authorised non-bank entities shall submit the System Audit Report, including cyber security audit conducted by CERT-IN empaneled auditors, within two months of the close of their financial year to the respective Regional Office of DPSS, RBI.

17.2 Banks shall also be guided by the RBI circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 on Cyber Security Framework in Banks dated June 02, 2016, which inter alia, covers requirements for mobile-based applications.

17.3 The scope of the Audit shall include the following:

  1. Security controls shall be tested both for effectiveness of control design (Test of Design – ToD) and control operating effectiveness (Test of Operating Effectiveness – ToE).

  2. Technology deployed so as to ensure that the authorised payment system is being operated in a safe, secure, sound and efficient manner.

  3. Evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing systems and applications, documentation, etc.

  4. Evaluating adequacy of Information Security Governance and processes of those which support payment systems.

  5. Compliance as per security best practices, specifically the application security lifecycle and patch / vulnerability and change management aspects for the authorised system and adherence to the process flow approved by RBI.

  6. Comment on the deviations, if any, in the processes followed from the process flow submitted to RBI while seeking authorisation.

17.4 All PPI issuers shall, at the minimum, put in place following framework:

  1. Application Life Cycle Security: The source code audits shall be conducted by professionally competent personnel / service providers or have assurance from application providers / OEMs that the application is free from embedded malicious / fraudulent code.

  2. Security Operations Centre (SOC): Integration of system level (server), application level logs of mobile applications (PPIs) with SOC for centralised and co-ordinated monitoring and management of security related incidents.

  3. Anti-Phishing: PPI issuers shall subscribe to anti-phishing / anti-rouge app services from external service providers for identifying and taking down phishing websites / rouge applications in the wake of increase of rogue mobile apps / phishing attacks.

  4. Risk-based Transaction Monitoring: Risk-based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system.

  5. Vendor Risk Management: (i) PPI issuer shall enter into an agreement with the service provider that amongst others provides for right of audit / inspection by the regulators of the country; (ii) RBI shall have access to all information resources (online / in person) that are consumed by PPI provider, to be made accessible to RBI officials when sought, though the infrastructure / enabling resources may not physically be located in the premises of PPI provider; (iii) PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders; (iv) PPI issuer shall review the security processes and controls being followed by service providers regularly; (v) Service agreements of PPI issuers with provider shall include a security clause on disclosing the security breaches if any happening specific to issuer’s ICT infrastructure or process including not limited to software, application and data as part of Security incident Management standards, etc.

  6. Disaster Recovery: PPI issuer shall consider having DR facility to achieve the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for the PPI system to recover rapidly from cyber-attacks / other incidents and safely resume critical operations aligned with RTO while ensuring security of processes and data is protected.

18. Interoperability

The ability of customers to use a set of payment instruments seamlessly with other users within the segment are based on adoption of common standards by all providers of these services so as to make them inter-operable. Accordingly, it has been decided as under:

  1. Interoperability shall be enabled in phases for the PPIs.

  2. In the first phase, PPI Issuers (both bank and non-bank entities) shall make all KYC-compliant PPIs issued in the form of wallets interoperable amongst themselves through Unified Payments Interface (UPI) within 6 months from the date of issue of this Direction.

  3. In subsequent phases, interoperability shall be enabled between wallets and bank accounts through UPI.

  4. Similarly, interoperability for PPIs issued in the form of cards shall also be enabled in due course. However, banks may continue to issue PPIs in association with authorized card networks, as hitherto.

  5. PPI Issuers shall ensure adherence to the technical and operational requirements for such interoperability, including those relating to safety and security, risk mitigation, etc.

  6. The operational guidelines will be issued separately.

19. Reporting requirements

PPI issuers shall submit the following reports as per prescribed templates and frequency in this Master Direction:

  1. Net-worth Certificate (Annex-2)

  2. Declaration and Undertaking by the Director (Annex-3)

  3. List of Co-branding Partnerships (Annex-4)

  4. Auditor Certificate on maintenance of balance in Escrow Account (Annex-5)

  5. PPI Customer Grievance Report (Annex-6)

  6. PPI Statistics (Annex-7)

20. Repeal and other provisions

  1. With the issue of these Directions, the instructions / guidelines issued by the RBI, contained in Table-1 of Annex-1 stand repealed.

  2. The instructions / guidelines issued by the RBI contained in Table-2 of Annex-1 stand partially repealed to the extent they are applicable to issuance and operations of PPIs.


Annex - 1

Table 1: List of Circulars repealed in the Master Direction

Sr.No. Circular No. Date Subject
1. DPSS.CO.PD.No.1873 / 02.14.06/ 2008-09 27.04.2009 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India
2. DPSS.CO.PD.No.344/ 02.14.06/ 2009-10 14.08.2009 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India
3. DPSS.CO.No.1041/ 02.14.006/ 2010-2011 04.11.2010 Issuance and Operation of pre-paid payment Instruments in India (Reserve Bank) Directions - Additional guidelines
4. DPSS. CO. AD. No. / 780/ 02.27.004 / 2010-11 24.11.2010 Issuance and Operation of Prepaid Payment Instruments
5. DPSS.CO.OSD. No. 1381/ 06.08.001/ 2010-2011 27.12.2010 Collection of Statistics on prepaid instruments
6. DPSS.CO.OSD. No. 1445/ 06.12.001/ 2010-2011 27.12.2010 Issuance and operation of Prepaid Payment Instruments in India – Auditor Certificate on the balances in Escrow account
7. DPSS No. 2174 / 02.14.004 / 2010-2011 23.03.2011 Issuance and Operation of pre-paid payment instruments in India- Clarification
8. DPSS.CO.No.2501/ 02.14.06/ 2010-11 04.05.2011 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India
9. DPSS.CO.PD.No.225/ 02.14.006/2011-12 04.08.2011 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India
10. DPSS.CO.PD. No. 2256 / 02.14.006/ 2011-12 14.06.2012 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India
11. DPSS.CO.PD.No.560/ 02.14.006/2012-13 01.10.2012 Policy Guidelines for issuance and operation of Prepaid payment Instruments in India - Amendments
12. DPSS.CO.OSD.No.1604/ 06.06.005/2012- 13 14.03.2013 Collection of Information on Customer Grievances
13. DPSS.CO.PD.No.563/ 02.14.003/2013-14 05.09.2013 Cash withdrawal at Point of Sale (POS) - Prepaid Payment Instruments issued by banks
14. DPSS.CO.PD.No.2074/ 02.14.006/2013-14 28.03.2014 Issuance and Operation of Prepaid Payment Instruments in India – Consolidated Revised Policy Guidelines
15. DPSS.CO.PD.No.2366/ 02.14.006/2013-14 13.05.2014 Issuance and Operation of Pre-paid Payment Instruments in India – Consolidated Revised Policy Guidelines
16. DPSS.CO.PD.PPI.No.3/ 02.14.006/2014-15 01.07.2014 Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India
17. DPSS.CO.PD.No.980/ 02.14.006/2014-15 03.12.2014 Issuance and operation of Prepaid payment instruments (PPIs) in India-Relaxations
18. DPSS.CO.PD.PPI.No.2/ 02.14.006/2015-16 01.07.2015 Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India
19. DPSS.CO.PD.No.58/ 02.14.006/2015-2016 09.07.2015 Prepaid payment instrument (PPI) guidelines- Introduction of New Category of PPI for Mass Transit Systems (PPI-MTS)
20. DPSS.CO.PD.PPI.No.01/ 02.14.006/2016-17 01.07.2016 Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India
21. DPSS.CO.PD.No.1288/ 02.14.006/2016-17 22.11.2016 Special Measures to incentivise Electronic Payments – (i) Enhancement in Issuance Limits for PPIs in India (ii) Special measures for merchants
22. DPSS.CO.PD.No.1610/ 02.14.006/2016-17 27.12.2016 Master Circular on Issuance and Operations of Prepaid Payment Instruments – Amendments to paragraph 7.9
23. DPSS.CO.PD.No.1669/ 02.14.006/2016-2017 30.12.2016 Special measures to incentivise Electronic Payments – Extension of time

Table 2: List of Circulars partially repealed (to the extent they are applicable to issuance and operation of PPIs) in the Master Direction

Sr. No. Circular No. Date Subject
1. DPSS.AD.No./ 1206/ 02.27.005/2009-2010 07.12.2009 System Audit of the Payment Systems operated under the PSS Act, 2007
2. DPSS.CO.OSD.No.1444 / 06.11.001/ 2010-2011 27.12.2010 Directions for submission of system audit reports from CISA qualified Auditor
3. DPSS.CO.OSD. No.2374 / 06.11.001/ 2010-2011 15.04.2011 Submission of System Audit Reports
4. DPSS.PD.CO.No. 622/ 02.27.019/2011-2012 05.10.2011 Domestic Money Transfer- Relaxations
5. DPSS.CO.AD.No.1204/ 02.27.005/2014-15 02.01.2015 Brand/Name of products offered by authorised entities – Dissemination of Information
6. DPSS.CO.AD.No.1344 / 02.27.005/2014-15 16.01.2015 Computation of Net-worth

Top