UPI Circular 53

This document is a circular from NPCI to all member banks of the Unified Payments Interface (UPI) network regarding compliance with data protection laws. It notes that under the UPI Agreement, member banks must comply with India's Information Technology Act, 2000 and the associated IT Rules on data protection. It specifically references Section 43A and Rules 3 and 7, which relate to maintaining security and privacy of sensitive personal data pertaining to payment system technical architecture, data transfer/processing, and any outsourcing arrangements. Member banks and third party app providers are advised to ensure compliance with these rules to protect information related to UPI transactions and systems. Banks are also asked to comply with all RBI directives regarding storage of payments data.

Uploaded by

Vinay Kesari

NPCI/UPI/OC No. 53/2018-19

17 July 2018

To,

All Member Banks - Unified Payments Interface (UPI)

Dear Sir/ Madam,

Compliance to the Sec 43A, Rule 3 & 7 of Information Technology Act, 2000

NPCI has executed the Agreement for Provision of Unified Payments Interface (UPI) to
Member (UPI Agreement) for admitting member banks in UPI network. Under Section 15.3
of the Agreement, member banks are obliged to ensure compliance with laws on data
protection under Information Technology Act, 2008 and rules framed thereunder.

2. In continuation to the above referred UPI Agreement and our circulars on compliances
by Merchants & third parties in the ecosystem, including but not limited to Circular No
32 and Circular No 15B dated 15th of September 2017, we draw your reference to
section 43A of Information Technology Act, 2000 (IT Act) and the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data
or Information) Rules, 2011 (IT Rules) which deal with data protection of sensitive
personal data.

3. Members are requested to note that along with the member banks acting as PSPs, UPI
also provides for the third party App providers to participate in the UPI framework.
Clear and explicit guidelines in regard to data storage have been issued vide our
circular numbers 32 & 15B for Multi Bank model and single SDK model respectively.

4. The third party App providers store restricted data as permissible. It may be noted
that section 43A of the IT Act provides a framework in respect of handling all the
sensitive personal information. In this regard, reference is invited to Rule 3 & 7 in
particular of the IT Rules. Financial transactions conducted via UPI platform fall under
the category of sensitive personal data (where applicable and as defined) or
information under Section 43A of the IT Act.

5. Bearing reference to the aforementioned, it is hereby advised to members and the
third party App providers through member banks to ensure compliance with Rule 3 and
7 of the IT Rules with respect to maintaining security and privacy of information
pertaining to the technical architecture of the systems deployed as a part of the
payment system and transactions, the mechanism of transferring and processing the
data, outsourcing arrangement made with any other vendor and controls followed by
banks/ third party App providers and the respective vendors.

6. Member banks are also requested to ensure compliance with all directives issued by
Reserve Bank of India in regard to storage of payments system data.

We advise necessary compliance to the circular. The details of the circular may please be
brought to the notice of all the relevant departments.

Thanking you,

Vishal Kanvaty
SVP – Innovations & Products

1001A, B wing, 10th Floor, The Capital, Bandra-Kurla Complex, Bandra (East), Mumbai - 400 051
CIN: U74990MH2008NPL189067
