Prepaid payment instruments: From interoperability to full KYC, how RBI is making digital space more secure

The much awaited master directions on prepaid payment instruments (PPIs) were released by the RBI on Wednesday. The new directions have several changes, even from the draft master directions issued earlier this year. Here’s an overview of the new directions and the changes introduced:

Full KYC mandated for PPIs

Full KYC has now been mandated for PPIs in the new directions. The new directions now allow PPIs of only two types based on their limits. The first is a minimum KYC PPI subject to a limit of Rs 10,000 as the amount outstanding at any point of time. The amount loaded in this PPI cannot exceed Rs 10,000 per month, and Rs 1 lakh in a financial year. The second is a full KYC PPI subject to a limit of Rs 1 lakh as the amount outstanding at any point of time.

The first must be converted into the second by the end of one year of issuance. PPI issuers are to ensure that the first PPI isn’t reissued to the same person with the same mobile number and KYC more than once. This process ensures that all PPIs will be full KYC. Wallet companies had previously expressed concerns with the increased costs that will result with full KYC.

Inter-operability

This is easily the biggest change introduced by the new directions. For example, previously, transfers could not be made from one mobile wallet to another. Both the sender and the recipient were required to have the same wallet in order to transact. Similarly, if a company had a tie up with one wallet, then the payment could not be made by another wallet. A customer needed to have both wallets. The inter-operability simplifies this process, allowing payments to be made with different wallets, and allowing easy transfers between different wallets.

Representational image. Reuters.

Representational image. Reuters.

This will be applied in phases. For 6 months, inter-operability amongst full KYC PPIs will be enabled through UPI. Thereafter, inter-operability between wallets and banks, and thereafter between PPI cards will be enabled. Actually achieving inter-operability may take time due to the full KYC PPIs only requirement, since PPI issuers will take some time to achieve full KYC compliance for PPIs already issued.

New capital requirements of Rs 15 crore for non-banks

In a relief for non-banks issuing PPIs, the proposed capital requirements of Rs 25 crore in the draft directions has been reduced to Rs 15 crore. At the time of application, the net worth must be Rs 5 crore, and this must increase to Rs 15 crore within 3 financial years from the date of authorisation. This means that for an entity authorised on 1 March 2018, the deadline is 31 March 2020, whereas for one authorised on 1 May, 2018, the deadline is 31 March 2021.

The definition of ‘net worth’ has also been amended to include preference shares which are compulsorily convertible into equity capital, in addition to the former inclusions of paid up equity capital, free reserves, balance in share premium accounts and capital reserves.

Existing authorized PPI issuers must meet these requirements by 31 March, 2020. For banks, no capital requirements are prescribed.

Cross border inward and outward remittances

Previously, cross border transactions using PPIs were not permitted except when it was a foreign exchange PPI or when using special PPIs for cross border inward remittance. Under the new directions, all KYC compliant, bank issued PPIs can be used for cross-border outward remittances ( permissible current account transactions only) , made available on express request of the customer. If the PPI is in card form, it must be EMV and chip compliant.


For cross-border inward remittances, both bank and non-bank PPI issuers, who are appointed as the Indian agent of an authorized overseas principal can issue PPIs for beneficiaries of inward remittance under the money transfer service scheme of the RBI. The remittance is subject to a limit of Rs 50,000. For non-bank PPIs, such PPIs can only be issued for a period of 3 years from now.

Foreign exchange PPIs have been continued and are still outside the purview of the PPI directions.

Cash withdrawal at PoS terminals

The new directions have retained the original classification of PPIs into closed, semi-closed and open system PPIs. It has been clarified that issuance of closed system PPIs does not require RBI approval. As mentioned in the draft directions, cash withdrawals are still permitted from bank issued open system PPIs. The limits have been changed to Rs 2,000 per day in rural areas and Rs 1,000 in other areas, from PoS terminals.

Types of PPIs

The former RBI PPI Circular had permitted almost 9 types of special PPIs based on use, such as PPIs for family members, for a corporate’s employees and for foreigners/ tourists. Observing that most of these were not being actively issued, the RBI reduced these to two categories of PPIs- for gift instruments and mass transit systems.


The limit of the former has been reduced to Rs 10,000 from the earlier limit of Rs 50,000. The limit of the latter has been enhanced to Rs 3,000 at any point of time, from the earlier limit of Rs 2,000.

Paper vouchers have been discontinued. Paper meal vouchers can continue to be issued until 31 December, 2017 only.

Cash loading of PPIs

Cash loading of PPIs has been subjected to a limit of Rs 50,000 per month, subject to the overall limits of the PPIs.

No interest

The new directions specify that no interest is payable on PPI balances.

NOC from regulator for application

At the time of application for authorisation, all entities, banks and non-banks must acquire an NOC from their respective regulators, in addition to approval from the DPSS. For example, a telecom service provider will need an NOC from TRAI. This has been prescribed in addition to the checks previously prescribed in the draft directions, such as checking the ‘fit and proper status’, acquiring inputs from other regulators, technical and safety checks, etc.

Validity period of authorisation

The authorisation granted shall be valid only for 5 years, and is subject to review and cancellation.

Memorandum of Association

The Memorandum of Association of a non-bank entity must cover the proposed activity of a PPI issuer.

Security measures like mandatory audits, zero/limited liability for customers

The new directions contain several new requirements for better security and fraud prevention. This includes new detailed cybersecurity norms, including additional factor of authentication (AFA) for PPI cards, restricting multiple invalid attempts to login, etc. PPI issuers are also required to specify how customer liability will be determined for unauthorised trasnactions. This is subject to the recently issued RBI norms on zero/ limited liability norms for unauthorised e-banking transactions.

In addition, non-banks must provide system audit reports, including a cyber security audit conducted by CERT-IN empaneled auditors, within two months of the close of their financial year. Banks are required to adhere to the CyberSecurity Framework prescribed by the RBI for banks.

(The author is a lawyer and writer specialising in cyber law, she is also a certified information privacy professional.)


Published Date: Oct 12, 2017 04:42 pm | Updated Date: Oct 12, 2017 05:45 pm


Also See