Navigating Reserve Bank of India’s guidelines for NEFT and RTGS payment systems

This report provides KPMG in India’s point of view on the following Reserve Bank of India (RBI) guidelines for NEFT and RTGS payment systems

Real-time Gross Settlement System Regulation, RBI, Version 1.0 (dated 21 October 2024)

National Electronics Funds Transfer System Procedural Guidelines, RBI, Version 1.1 (dated 25 October 2024)

Regulated entities falling under the purview of above guidelines are required to submit annual system audit reports to RBI comprising of review of access criteria and cyber security baseline requirements. The review is required to be conducted by CERT-In empanelled information security auditors for each financial year.

Access criteria is a set of norms issued by RBI from time to time to allow a member to access the payment systems. The criteria is defined as part of the RTGS guidelines. In case of NEFT, the payment participant has to be an existing member of the RTGS system or apply for both RTGS and NEFT systems. The membership needs to be reviewed on an annual basis.

The circulars also recommend adherence to Cyber Security Baseline Standards as well as rules and guidelines of INFINET, INFINET framework, SFMS, Digital Payment Security Controls, and Storage of Payment System Data as updated from time to time.

KPMG in India has vast experience in helping clients to meet regulatory obligations and assess the current cyber security risk posture in their digital payment lifecycle. Clients are also advised on how to improve systems to help ensure secure, efficient, and reliable transactions which fosters stability.