An externally shared service that will develop as the pivot of Internet banking is the payment gateway. With the increasing popularity of e-Commerce, i.e., buying and selling over the Internet, electronic payment and settlement for such purchases is a natural and expected requirement. Banks, which are the vital segment of the payment system in the country, will therefore be required to equip themselves to meet this emerging challenge. In its basic form, the ‘Inter-Bank Payment Gateway’ for payments and settlements of e-Commerce transactions is not very different from the traditional cheque clearing system, which is perhaps the most widely prevalent form of inter-bank settlement of funds, or from the net settlement systems of the international card agencies such as Visa, MasterCard and American Express for credit card payments.
With the emergence of the Internet and the ability to buy and sell over the Internet, it has become imperative to deploy a similar Inter-Bank Payment Gateway to facilitate authorization for payments and settlement between participating institutions for commercial transactions carried out over the Internet. No one particular model for setting up an Inter-Bank Payment Gateway for such payments has been established as yet and we are, therefore, in a situation where the regulatory and supervisory framework itself needs to be evolved.
Given the above considerations, the following framework for setting up Inter-Bank Payment Gateways for Internet payments in India is suggested:
Only institutions that are members of the cheque clearing system in the country may be permitted to participate in the Inter-Bank Payment Gateway initiatives for Internet payments.
Both ‘net-settlement’ and ‘gross-settlement’ capabilities might be necessary, net settlement being the settlement mode for transactions below a certain pre-specified threshold value and gross settlement for transactions above that value.
The Inter-Bank Payment Gateway should have one nominated bank as the clearing bank to settle all transactions.
The approval for setting up the Inter-Bank Payment Gateway should be granted only by the Reserve Bank of India, in its capacity as the Regulator of banks and payment systems in the country. The norms for eligibility to set up the Inter-Bank Payment Gateway should be specified by the Reserve Bank of India, on the basis of which institutions may seek formal approval to set up the Inter-Bank Payment Gateway.
It is expected that there will not be more than two or three Inter-Bank Payment Gateways in the country, and all banks that wish to participate in the payment and settlement of e-Commerce transactions originated over the Internet could become a member of one or more of these Inter-Bank Payment Gateways.
All payments routed through the Inter-Bank Gateways should only cover direct debits and direct credits to the accounts maintained with the participating Banks by the parties involved in the e-Commerce transaction.
Payments effected using credit cards should not be routed through the Inter-Bank Payment Gateway. These should be authorized directly through the card authorization channel, in which the merchant's bank (the acquiring bank) obtains authorization from the cardholder's bank (the issuing bank) over the card network.
It should be obligatory on the part of the Inter-Bank Payment Gateway to be able to establish, at any time, the complete trace of any payment transaction routed through it. The trace should cover the date and time stamp at which the transaction was originated and authorized, the payee's details (account number and name of the payee bank), the payer's details (account number and name of the payer bank), and a unique Transaction Reference Number (TRN) provided by both the Payee Bank and the Payer Bank for each transaction.
Connectivity between the Inter-Bank Payment Gateway and the computer system of the member Banks should be achieved using a leased line network (not over the Internet), with appropriate data encryption standards.
All settlements over the Inter-Bank Payment Gateway should be intra-day, as far as possible in real time.
Until the exchange control aspects with regard to cross-border issues of e-Commerce transactions are fully discussed and documented, payment and settlement of such transactions should not be permitted over the Inter-Bank Payment Gateway.
Only inter-bank payments and settlements (i.e., transactions involving more than one bank) should be routed through the Inter-Bank Payment Gateway. Intra-bank payments (i.e., transactions involving only one bank) should be handled by the bank’s own internal system.
The responsibility for the credit risk associated with every payment transaction routed over the Inter Bank Payment Gateway will rest with the appropriate Payee Bank.
The mandate and the related documentation (which would form the basis for effecting payments for transactions carried out over the Internet) should be bilateral in nature, i.e., (a) between the Payee and the Payee’s bank, (b) between the Payer and the Payer’s bank, (c) between the participating banks and the service provider responsible for the operations of the Inter-Bank Payment Gateway, and (d) between the banks themselves participating in the Inter-Bank Payment Gateway initiative. The rights and obligations of each party should be clearly stated in the mandate and should be valid in a court of law.
All transactions must be authenticated using a user ID and password. SSL with 128-bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.
The Service Provider responsible for the operations of the Inter-Bank Payment Gateway must ensure adequate firewalls and related security measures to ensure privacy for the participating institutions, i.e., every institution can access data pertaining only to itself and its own customers' transactions.
Internationally accepted standards such as ISO 8583 must be used for transmitting payment and settlement messages over the network.
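The following is an added example, not code from the Working Group or from any gateway operator. It shows what an ISO 8583 financial message looks like on the wire and how the trace required above (time stamp, originating and receiving institution, reference numbers) is recovered from it. It assumes the simple ASCII variant of the standard (hex-encoded bitmaps, digit strings for numeric fields) and a small subset of the 1987 field definitions; real schemes also use BCD or EBCDIC encodings and their own field layouts. The PAN, institution codes and reference numbers in SAMPLE are constructed test values.

```python
"""Added example (not from the Working Group report): an ASCII-encoded ISO 8583
pack/unpack routine and the per-transaction trace record a gateway would keep.
Assumptions: ASCII digits for numeric fields, hex-encoded bitmaps, and the
subset of 1987 field definitions in SPEC below."""

# field -> (data type, encoding, length).  'n' = digits only, 'an'/'ans' = text.
# 'fixed' lengths are exact; 'llvar' is a 2-digit length prefix and a maximum.
SPEC = {
    2:   ("n",   "llvar", 19),   # primary account number
    3:   ("n",   "fixed", 6),    # processing code
    4:   ("n",   "fixed", 12),   # transaction amount, minor units
    7:   ("n",   "fixed", 10),   # transmission date/time MMDDhhmmss
    11:  ("n",   "fixed", 6),    # system trace audit number (STAN)
    32:  ("n",   "llvar", 11),   # acquiring institution id code
    37:  ("an",  "fixed", 12),   # retrieval reference number (RRN)
    41:  ("ans", "fixed", 8),    # card acceptor terminal id
    49:  ("n",   "fixed", 3),    # currency code (356 = INR)
    100: ("n",   "llvar", 11),   # receiving institution id code (needs secondary bitmap)
}

def build_bitmap(present):
    """Hex bitmap for the given field numbers; bit 1 signals a secondary bitmap."""
    present = set(present)
    extended = any(f > 64 for f in present)
    if extended:
        present.add(1)
    bm = bytearray(16 if extended else 8)
    for f in present:
        if not 1 <= f <= 8 * len(bm):
            raise ValueError(f"field {f} out of range")
        bm[(f - 1) // 8] |= 0x80 >> ((f - 1) % 8)
    return bm.hex().upper()

def pack(mti, fields):
    """Serialise MTI + bitmap(s) + fields in ascending field order."""
    out = [mti, build_bitmap(fields)]
    for f in sorted(fields):
        if f not in SPEC:
            raise ValueError(f"unsupported field {f}")
        dtype, enc, length = SPEC[f]
        val = fields[f]
        if dtype == "n" and not val.isdigit():
            raise ValueError(f"field {f} must be numeric")
        if enc == "fixed" and len(val) != length:
            raise ValueError(f"field {f} must be exactly {length} chars")
        if enc == "llvar":
            if len(val) > length:
                raise ValueError(f"field {f} exceeds {length} chars")
            val = f"{len(val):02d}{val}"
        out.append(val)
    return "".join(out)

def unpack(msg):
    """Parse a message; rejects unknown fields, bad lengths and trailing data."""
    mti, pos = msg[:4], 4
    bm = bytes.fromhex(msg[pos:pos + 16]); pos += 16
    if bm[0] & 0x80:                       # secondary bitmap present
        bm += bytes.fromhex(msg[pos:pos + 16]); pos += 16
    present = [i + 1 for i in range(8 * len(bm)) if bm[i // 8] & (0x80 >> (i % 8))]
    fields = {}
    for f in present:
        if f == 1:
            continue                       # bit 1 is the secondary bitmap itself
        if f not in SPEC:
            raise ValueError(f"unsupported field {f}")
        dtype, enc, length = SPEC[f]
        if enc == "llvar":
            length = int(msg[pos:pos + 2]); pos += 2
            if length > SPEC[f][2]:
                raise ValueError(f"field {f} length prefix too large")
        val = msg[pos:pos + length]; pos += length
        if len(val) != length or (dtype == "n" and not val.isdigit()):
            raise ValueError(f"field {f} truncated or malformed")
        fields[f] = val
    if pos != len(msg):
        raise ValueError("trailing data after last field")
    return mti, fields

def is_well_formed(msg):
    """True if the message parses cleanly under SPEC."""
    try:
        unpack(msg)
        return True
    except ValueError:
        return False

def trace_record(msg):
    """The trace a gateway must be able to produce for any routed transaction:
    when it was sent, which institutions sent and receive it, and the references."""
    mti, f = unpack(msg)
    pan = f.get(2)
    return {
        "mti": mti,
        "transmitted": f.get(7),
        "stan": f.get(11),
        "rrn": f.get(37),
        "acquirer": f.get(32),
        "receiver": f.get(100),
        "amount_minor": int(f[4]) if 4 in f else None,
        "currency": f.get(49),
        "pan_masked": (pan[:6] + "*" * (len(pan) - 10) + pan[-4:]) if pan else None,
    }

# Constructed 0200 (financial request) with a test PAN and made-up institution codes.
SAMPLE = {2: "4111111111111111", 3: "000000", 4: "000000012500", 7: "0315103000",
          11: "123456", 32: "000123", 37: "107410123456", 41: "TERM0001",
          49: "356", 100: "000456"}

if __name__ == "__main__":
    wire = pack("0200", SAMPLE)
    print(wire)
    print(trace_record(wire))
```

The gateway's trace stores the STAN and RRN (the reference numbers each side assigns) together with the masked PAN, never the full account number; the parser rejects any message whose bitmap advertises a field the gateway does not know, or whose length prefixes do not account for every byte received.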
It may also be appropriate to have a panel of approved Auditors who will be required to certify the security of the entire infrastructure both at the Inter-Bank Payment Gateway as well as the participating institution’s end prior to making the facility available for customer use. A process of perpetual audit must also be instituted.
It is not enough for the risk identification and assessment exercise to be between the bank and the supervisor alone. The customer too needs to be enlightened of the risks inherent in doing business on the net, and this would be served by having a mandatory disclosure template which would list the risks to the customer and the responsibilities and possible liability of the banks and the customer. Banks should also provide their most recent published financial results on their web-site.
The issue of reputation risk due to customers misunderstanding the hyperlinks on the web sites of banks also needs to be addressed. Fundamentally there are two scenarios where hyperlinks are necessary between non-bank business sites and bank sites:
Where the Bank is required to inform visitors to its own Web Site about the Portals with whom they have a payment arrangement or Portals that the bank would want its customers to visit. These out-bound hyperlinks are unlikely to have any major security implications to the bank. In order to reflect the stability of the banking system, banks should not be seen as sponsors of or promoters of the products of unrelated businesses or of any businesses, which they are not licensed to run. The hyperlinks should hence be confined to only those portals with which they have a payment arrangement or the sites of their subsidiaries or principals.
The second type of hyperlink is where the Portal sites link to the bank site to pass information pertaining to a payment by one of their Internet shoppers. This usually involves making a URL (Uniform Resource Locator) link to the bank site to request authorization for payment. Such links deliver to the bank site information regarding the customer (typically his registration number) and the value of the payment to be authorized. Unless the bank exercises the right level of authentication and security, these URL links can be the source of a number of security breaches. It is therefore imperative that every bank ensures at least the following minimum security precautions so that the bank's as well as its customer’s interests are protected:
Upon receiving the URL request from the Portal site, the bank should authenticate the customer who has originated the transaction by asking him to key in, on the browser screen, his user ID and password which the bank would have provided him to facilitate access to his accounts with the bank.
Upon such authentication and due verification, the bank should re-present the transaction information on the customer’s browser, i.e., the name of the Portal site to which the payment is to be effected as well as the value of the transaction, and seek the explicit approval of the customer to authorize the payment.
Depending on the nature of the payment, the payment authorization request should be routed either to the credit card authorizing system if payment is requested using a credit card, to the bank’s host system in the case of a direct debit, or to the Inter-Bank Payment Gateway in the case of a debit to a customer account in another bank.
Upon receiving the payment authorization, the bank should return the URL request to the originating Portal, with a unique reference number for the transaction, as a confirmation to pay as per the settlement cycle agreed with the Portal.
All interactions with the Portal sites as well as the customer's browser should be secured using SSL with 128-bit encryption as a minimum requirement and should in due course also be augmented with the digital certification requirement as and when digital certificate deployment is enabled in the country.
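The five precautions above form one procedure, and the following is an added example of it, not code from the Working Group or from any bank. It simulates the bank's side of the portal-to-bank URL link: the request is recorded server-side, the customer logs in, the payee and amount are re-presented from the bank's own record, the customer's approval is bound to exactly those values, and a unique reference is returned for the redirect back to the portal. The portal list, customer records, password hashing scheme, approval-token construction and portal return URL are all assumptions made for the example; the report itself specifies only a user ID and password and SSL.

```python
"""Added example (not the Working Group's code): bank-side handling of a
portal-originated payment request over a URL link, following the minimum
precautions listed above.  Assumptions are marked in comments."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # assumption: bank-side key for approval tokens

# Constructed data: portals with which the bank has a payment arrangement (the only
# ones it links to) and customers holding bank-issued credentials.
PORTALS = {"SHOP01": {"name": "Example Shop", "instrument": "direct_debit"},
           "CARD01": {"name": "Card Merchant", "instrument": "credit_card"}}

def _pw_hash(salt, password):
    # assumption: salted PBKDF2; the report only requires a user ID and password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
CUSTOMERS = {
    "cust42": {"pw": _pw_hash(_SALT, "correct horse"), "salt": _SALT, "account_at": "SELF"},
    "cust77": {"pw": _pw_hash(_SALT, "battery staple"), "salt": _SALT, "account_at": "OTHERBANK"},
}

@dataclass
class Pending:
    portal_id: str
    customer: str
    amount: str
    currency: str
    order: str
    status: str = "new"
    ref: str = ""

PENDING = {}    # pending_id -> Pending: the bank's own record of what was requested
SESSIONS = {}   # session token -> user id

def receive_portal_request(qs):
    """Step 1: the portal's URL request arrives (customer ref + amount).  Validate it
    against the portal list, store it server-side and return an opaque pending id.
    Nothing from the URL is trusted again after this point."""
    portal, amount = qs.get("portal"), qs.get("amount", "")
    if portal not in PORTALS:
        raise ValueError("no payment arrangement with this portal")
    if not amount.isdigit() or int(amount) <= 0:
        raise ValueError("amount must be a positive integer in minor units")
    if qs.get("customer") not in CUSTOMERS:
        raise ValueError("unknown customer reference")
    pid = secrets.token_urlsafe(16)
    PENDING[pid] = Pending(portal, qs["customer"], amount, qs.get("currency", "INR"), qs.get("order", ""))
    return pid

def login(user, password):
    """Step 2: authenticate with the bank-issued user ID and password (over SSL).
    Returns a session token, or None on failure."""
    rec = CUSTOMERS.get(user)
    if rec is None:
        _pw_hash(_SALT, password)          # same cost for unknown users
        return None
    if not hmac.compare_digest(_pw_hash(rec["salt"], password), rec["pw"]):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user
    return token

def _approval_token(session, pid, p):
    # Binds the customer's approval to the exact payee, amount and currency shown.
    msg = "|".join([session, pid, p.portal_id, p.amount, p.currency, p.order]).encode()
    return hmac.new(SERVER_KEY, msg, "sha256").hexdigest()

def _owned_pending(session, pid):
    user, p = SESSIONS.get(session), PENDING.get(pid)
    if user is None or p is None or p.customer != user:
        raise PermissionError("no such pending payment for this session")
    return user, p

def present_for_approval(session, pid):
    """Step 3: re-present payee and amount from the bank's record (not from the URL)
    and hand the browser a token that is valid only for those values."""
    _, p = _owned_pending(session, pid)
    return {"payee": PORTALS[p.portal_id]["name"], "amount": p.amount,
            "currency": p.currency, "confirm": _approval_token(session, pid, p)}

def route(p, user):
    """Step 4: cards go to the card authorization system, own-bank accounts to the
    host, accounts held at another bank to the Inter-Bank Payment Gateway."""
    if PORTALS[p.portal_id]["instrument"] == "credit_card":
        return "card_authorization_system"
    if CUSTOMERS[user]["account_at"] == "SELF":
        return "bank_host_direct_debit"
    return "inter_bank_payment_gateway"

def approve(session, pid, confirm):
    """Steps 4-5: accept the approval only if it matches the stored record, route
    the authorization once, and return the redirect carrying a unique reference."""
    user, p = _owned_pending(session, pid)
    if p.status != "new":
        raise PermissionError("payment already processed")   # an approval cannot be replayed
    if not hmac.compare_digest(confirm, _approval_token(session, pid, p)):
        raise PermissionError("approval does not match the transaction shown")
    channel = route(p, user)
    p.status, p.ref = "authorized", "TRN" + secrets.token_hex(6).upper()
    return {"channel": channel, "ref": p.ref,
            "redirect": f"https://portal.example/return?order={p.order}&ref={p.ref}"}

def rejected(action):
    """True if the action is refused (used to exercise the failure cases)."""
    try:
        action()
    except (PermissionError, ValueError):
        return True
    return False
```

The point of the approval token is that the customer's "yes" authorizes one stored record, identified by a server-generated id, for the amount and payee that were actually displayed. A second URL request for the same order with a different amount produces a new record that the earlier approval cannot unlock, and a repeated submission of a used approval is refused, so neither the portal's parameters nor a replayed browser request can move funds the customer did not see.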
It was deliberated whether banks undertaking Internet banking should be subject to any additional capital charge because of their potentially greater exposure to unexpected losses. As yet, standards have not been developed for measuring an additional capital charge on account of operational risks. However, this will be covered in a way once banks move towards risk-based supervision, where supervisory intervention will be linked to the risk profile of individual institutions. In such a scenario, an enhanced supervisory risk assessment on this account could warrant an additional capital charge, which would also be consistent with the second pillar approach of the new capital accord.
The Basel Committee on Banking Supervision (BCBS) has constituted an Electronic Banking Group (EBG) to develop guiding principles for the prudent risk management of e-banking activities as an extension of the existing Basel Committee Risk Management Principles. The Group will identify the areas of concern for supervision of cross-border e-banking activities and will promote cooperative international efforts within the banking industry. It will evolve sound practices and will encourage and facilitate the exchange of information, training material, guidance, etc., developed by other members and supervisors around the world. There is therefore a need for continued interaction among central banks and supervisors with a view to enhancing the ability of the supervisory community to keep pace with the dynamic e-banking activities. This Working Group therefore recommends that the Reserve Bank of India should maintain close contact with the regulatory and supervisory authorities of different countries as well as with the Electronic Banking Group of the BCBS, and review its regulatory framework in keeping with developments elsewhere in the world.
[Note: The Electronic Banking Group set up by the Basel Committee on Banking Supervision has since submitted its report giving guiding principles for the prudent risk management of e-banking activities; an Executive Summary of that report is available separately.]