What changed
RBI reiterated that the maker-checker facility is mandatory for RTGS data entry and that all transactions must be digitally signed and encrypted. It warned that non-adherence has already led to fraudulent transactions and delayed or wrong credits. Banks must fix staff accountability for lapses and ensure robust IT security around RTGS.
What it means for you
Banks must enforce the two-tier (maker-checker) control for RTGS to prevent fraud. Failure to comply could result in termination or suspension of RTGS membership, or fines under the Payment and Settlement Systems Act, 2007. This raises the bar for internal controls and staff accountability in electronic payment systems.
What you must do
- Implement mandatory maker-checker for all RTGS data entry immediately.
- Ensure all RTGS transactions are digitally signed and encrypted.
- Fix staff accountability for any security lapses or fraud.
- Submit an action taken report to RBI by May 29, 2009.
- Review and strengthen internal controls to prevent slackening of two-tier security.
Who it affects
- All banks participating in RTGS
- RTGS system administrators and IT security teams
- Bank staff handling RTGS transactions
What is the two-tier checking requirement for RTGS?
RBI mandates a maker-checker facility during data entry: one user (the maker) enters the transaction and a different user (the checker) authorizes it before release, so no single person can originate a payment alone. All transactions must also be digitally signed and encrypted.
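The two-tier control described above, written out as an added example (this is not code from the RBI circular or from any bank's RTGS system). It enforces that the checker is a different user from the maker, that the checker authorizes exactly the fields the maker entered, and that a transaction is released only when both signatures verify. The per-user HMAC keys stand in for the smart-card signatures the circular requires, and the user names and transaction fields are constructed sample data:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional


class MakerCheckerError(Exception):
    """Raised when a transaction violates the two-tier control."""


# Constructed per-user keys. In a real deployment the signature comes from the
# user's smart card (an asymmetric key); an HMAC keyed per user is used here so
# the example runs offline with the standard library only.
USER_KEYS: Dict[str, bytes] = {
    "maker01": b"constructed-key-for-maker01",
    "checker01": b"constructed-key-for-checker01",
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(user: str, payload: dict) -> str:
    return hmac.new(USER_KEYS[user], canonical(payload), hashlib.sha256).hexdigest()


def verify(user: str, payload: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(user, payload), signature)


@dataclass
class Transaction:
    txn_id: str
    payload: dict            # fields exactly as the maker entered them
    maker: str
    maker_sig: str
    checker: Optional[str] = None
    checker_sig: Optional[str] = None
    status: str = "PENDING"


class RTGSEntryQueue:
    """Holds entered transactions until an independent checker authorizes them."""

    def __init__(self) -> None:
        self._txns: Dict[str, Transaction] = {}

    def make(self, user: str, payload: dict) -> str:
        """Tier one: the maker enters and signs the transaction."""
        sig = sign(user, payload)
        txn_id = hashlib.sha256(canonical(payload) + sig.encode()).hexdigest()[:16]
        self._txns[txn_id] = Transaction(txn_id, payload, user, sig)
        return txn_id

    def check(self, user: str, txn_id: str, payload_seen: dict) -> Transaction:
        """Tier two: a different user authorizes exactly what the maker entered."""
        txn = self._txns[txn_id]
        if txn.status != "PENDING":
            raise MakerCheckerError(f"{txn_id} already {txn.status}")
        if user == txn.maker:
            raise MakerCheckerError("maker and checker must be different users")
        if payload_seen != txn.payload:
            raise MakerCheckerError("checker must authorize the payload as entered")
        if not verify(txn.maker, txn.payload, txn.maker_sig):
            raise MakerCheckerError("maker signature does not verify")
        txn.checker = user
        txn.checker_sig = sign(user, {"txn_id": txn_id, **txn.payload})
        txn.status = "AUTHORIZED"
        return txn

    def release(self, txn_id: str) -> bool:
        """Gate before the message leaves the bank: both signatures must hold."""
        txn = self._txns[txn_id]
        return (
            txn.status == "AUTHORIZED"
            and txn.checker is not None
            and txn.checker != txn.maker
            and verify(txn.maker, txn.payload, txn.maker_sig)
            and verify(txn.checker, {"txn_id": txn_id, **txn.payload}, txn.checker_sig)
        )


def demo() -> dict:
    """Runs the control on constructed data and records each outcome."""
    queue = RTGSEntryQueue()
    entered = {"beneficiary_ifsc": "TEST0000001", "account": "000123456789", "amount": "250000.00"}
    txn_id = queue.make("maker01", entered)
    results: dict = {}
    try:
        queue.check("maker01", txn_id, entered)  # same person on both tiers
        results["self_check"] = "allowed"
    except MakerCheckerError as exc:
        results["self_check"] = str(exc)
    try:
        queue.check("checker01", txn_id, {**entered, "amount": "2500000.00"})  # altered amount
        results["tampered_check"] = "allowed"
    except MakerCheckerError as exc:
        results["tampered_check"] = str(exc)
    queue.check("checker01", txn_id, entered)  # independent checker, unchanged fields
    results["released"] = queue.release(txn_id)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `release()` is that the outbound gate re-verifies both signatures rather than trusting a status flag, so a transaction that was only "made" (or whose maker and checker are the same account) never leaves the bank even if the queue state was tampered with.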
What are the penalties for non-compliance with RTGS security rules?
RBI may terminate or suspend RTGS membership under Section 14 of RTGS (Membership) Regulations, 2004, and impose fines under Section 30 of the Payment and Settlement Systems Act, 2007.
Why did RBI issue this notification?
Because non-adherence to the maker-checker requirement and misuse of smart cards had led to fraudulent transactions and delayed or wrong credits. RBI wants to strengthen security as RTGS volumes grow.