We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / RBI PPI Master Direction
Reserve Bank of India · India

RBI Prepaid Payment Instruments (PPI)

Rules for issuing and operating prepaid payment instruments (wallets, cards).

Introduction

The Reserve Bank of India (RBI) Master Direction on Prepaid Payment Instruments (PPIs) is the consolidated regulatory framework governing the issuance and operation of prepaid instruments such as wallets, prepaid cards, gift cards and mass transit instruments in India. First issued as the Master Direction on Prepaid Payment Instruments (MD-PPIs) on 27 August 2021 (RBI/2021-22/82, DPSS.CO.PD.No.S-479/02.14.006/2021-22) and periodically amended, the Direction supersedes the earlier 2017 Master Direction and consolidates all PPI-related instructions issued under the Payment and Settlement Systems Act, 2007 (PSS Act).

This guide is an auditor-grade deep-dive prepared by CyberSigma's compliance practice. It translates the regulatory text into a structured, verifiable assessment programme covering authorisation, capital and net-worth, KYC, interoperability, safeguarding of customer funds (escrow), technology and security, customer protection and reporting obligations. It is designed for PPI issuers, applicants seeking authorisation, banks operating PPI programmes, and the internal audit, risk and information-security teams that assure them. The objective is to give practitioners a control-by-control checklist, evidence expectations, an implementation roadmap and a maturity model that stands up to RBI supervisory scrutiny and System Audit Report (SAR) requirements.

Copyright and source note
The RBI Master Direction on Prepaid Payment Instruments is a regulatory instrument issued by the Reserve Bank of India. The official text, master circulars, FAQs and subsequent amendments are published on rbi.org.in and prevail in the event of any conflict. This guide is an original, independently authored interpretation and does not reproduce RBI's copyrighted text verbatim. Always validate against the latest consolidated Master Direction and any subsequent circulars before relying on it for authorisation, audit or attestation.

What is the RBI PPI Master Direction

Prepaid Payment Instruments are instruments that facilitate the purchase of goods and services, conduct of financial services, enable remittances and so on, against the value stored on such instruments. The value stored represents the value paid for by the holder in advance by cash, by debit to a bank account, by credit card, from other PPIs (to the extent permitted) or by any other instrument that the RBI approves from time to time. PPIs may be issued as cards, wallets, or any instrument that stores value electronically or otherwise; paper vouchers are excluded from the ambit.

The Master Direction lays down the eligibility, authorisation, capital, prudential, operational and technology requirements for issuing and operating PPIs. It is issued under Section 18 read with Section 10(2) of the PSS Act, 2007. It classifies PPIs into two broad categories, prescribes KYC-graded loading and usage limits, mandates interoperability, requires safeguarding of outstanding customer balances through an escrow arrangement, and imposes information-security, fraud-prevention, grievance-redress and reporting obligations on issuers and their agents.

Categories of PPI

CategoryDescriptionKey limits and conditions
Small PPI (minimum-detail)Issued by banks and non-banks after obtaining minimum details of the PPI holder; used only for purchase of goods and services at identified merchant locations / establishments that have a specific contract with the issuerLoaded/reloaded only from a bank account/credit card/full-KYC PPI; amount outstanding not to exceed INR 10,000 at any time; total loading in a month not to exceed INR 10,000; total debits in a month not to exceed INR 10,000; no cash withdrawal / fund transfer permitted; conversion to full-KYC PPI required within 24 months (small PPI with cash loading facility) or as prescribed
Full-KYC PPIIssued after completing Know Your Customer of the PPI holder as per the RBI Master Direction on KYC; usable for purchase of goods and services, funds transfer and cash withdrawalAmount outstanding not to exceed INR 2,00,000 at any time; funds transfer and cash withdrawal permitted subject to prescribed limits; interoperability mandatory
Gift PPIIssued as gift instruments; a sub-type with specific relaxationsMaximum value INR 10,000; not reloadable; no cash-out or funds transfer; separate KYC relaxation for the purchaser
PPI for Mass Transit Systems (PPI-MTS)Issued for use across mass transit systems by an operator of a mass transit systemMaximum outstanding INR 3,000; reloadable; usable within the transit ecosystem and at other merchants as permitted; no cash-out / refund except on surrender

Who must comply

The Direction applies to all entities that issue and operate PPIs in India, whether banks or non-bank entities, and to the ecosystem participants who support them. Compliance obligations flow to the following:

Entity typeApplicabilityNature of obligation
Bank PPI issuersBanks that have received approval from RBI (Department of Regulation) to operate PPIsFull compliance with issuance, KYC, escrow-equivalent safeguarding, interoperability, technology and reporting obligations
Non-bank PPI issuersCompanies incorporated in India and authorised by RBI (Department of Payment and Settlement Systems / Department of Regulation) under the PSS Act to issue PPIsAuthorisation, minimum positive net-worth, escrow safeguarding, KYC, interoperability, technology, audit and reporting
Applicants for authorisationEntities seeking a Certificate of Authorisation (CoA) to operate as a PPI issuerNet-worth, fit-and-proper, systems-readiness, and submission of a System Audit Report prior to commencing operations
PPI-MTS operatorsOperators of mass transit systems issuing PPI-MTSCategory-specific limits and safeguarding conditions
Agents and Business Correspondents (BCs)Agents engaged for on-boarding, loading, KYC or servicingBound by the issuer's board-approved policy; the issuer remains responsible for their acts and omissions
Payment aggregators / gateways handling PPI flowsWhere they process PPI transactions or hold fundsAdjacent obligations under the PA-PG guidelines and escrow rules
Escrow / partner banksScheduled commercial banks holding the escrow account for non-bank issuersMaintenance of escrow, permitted debits/credits, monthly certification
Non-bank net-worth threshold
A non-bank entity seeking authorisation to issue PPIs must be a company incorporated in India with a minimum positive net-worth of INR 5 crore as per its latest audited balance sheet at the time of application, and must achieve a minimum positive net-worth of INR 15 crore by the end of the third financial year from the date of receiving the final Certificate of Authorisation, which is to be maintained at all times thereafter.

Structure of the RBI PPI Master Direction

The Master Direction is organised into chapters and paragraphs that move from definitions and eligibility, through operational instructions on issuance and limits, to safeguarding of funds, interoperability, security and customer protection. For assessment purposes it is helpful to reorganise these into control domains. The table below maps the regulatory structure to the assessable control families used throughout this guide.

Control domainCorresponding MD-PPI areaFocus of assessment
Authorisation and eligibilityChapter on eligibility, entry-point norms, CoACertificate of Authorisation, incorporation, fit-and-proper, systems readiness
Capital and net-worthNet-worth requirements and timelinesMinimum net-worth at application and ongoing maintenance
Governance and board oversightBoard-approved policiesBoard policy on PPI issuance, KYC, customer protection, agents, information security
Issuance, categories and limitsTypes of PPIs; loading, reloading and usage limitsCorrect category, KYC-graded limits, cash-loading and cash-out rules
KYC / CDDReference to Master Direction on KYCMinimum-detail vs full-KYC, verification, periodic updation, monitoring
Safeguarding of customer fundsEscrow account maintenance and permitted debits/creditsEscrow with scheduled commercial bank, permitted transactions, no lien
InteroperabilityInteroperability through card networks and UPIFull-KYC PPI interoperability, technical and business enablement
Technology and information securitySecurity, fraud prevention and risk-management frameworkAccess control, encryption, cyber-security, PCI DSS for cards, audit
Customer protection and grievance redressCustomer protection, liability, grievance redressLimited liability, disclosure, redress, RB-IOS ombudsman coverage
Fraud prevention and risk managementBoard-approved risk-management and fraud-prevention frameworkTransaction monitoring, velocity checks, fraud reporting
Validity, redemption and closureValidity, expiry, redemptionMinimum validity, expiry warnings, transfer of outstanding balance
Reporting and auditSystem audit, returns and reporting to RBISAR, cyber-security audit, statutory returns, incident reporting
Agents and outsourcingEngagement of agents / BCs / outsourcingBoard policy, due diligence, issuer accountability
Cross-border and specific-use PPIsPPIs for cross-border transactions, MTS, giftCategory-specific conditions and limits

Master assessment checklist

This is the core of the guide. Each control domain is enumerated below with what an auditor must verify and the evidence typically relied upon. Assessors should treat every row as an assertion to be tested through inspection of documents, configuration, transaction sampling and interview. No domain should be skipped; where a domain is not applicable (for example, cards for a wallet-only issuer), record the rationale for non-applicability rather than omitting it.

Domain 1 — Authorisation and eligibility

What to verifyTypical evidence
Valid Certificate of Authorisation (CoA) from RBI is held and current; scope of CoA matches the PPI products actually operatedCoA copy, RBI approval letters, product catalogue mapped to CoA scope
Entity is a company incorporated in India (for non-banks) with objects clause permitting PPI issuanceCertificate of incorporation, Memorandum and Articles of Association
Fit-and-proper status of promoters, directors and key management personnel maintainedBoard declarations, director KYC, RBI due-diligence submissions
Systems-readiness confirmed prior to commencement; System Audit Report submitted before go-livePre-commencement SAR, RBI acknowledgement, go-live sign-off
Any change in management/control/shareholding above threshold notified/approved as requiredChange-of-control approvals, RBI correspondence, filings
Bank issuers hold requisite RBI (DoR) approval to operate PPIsDepartmental approval, internal board resolution

Domain 2 — Capital and net-worth

What to verifyTypical evidence
Minimum positive net-worth of INR 5 crore held at time of application (non-bank)Audited balance sheet at application, chartered-accountant certificate
Minimum net-worth of INR 15 crore achieved by end of third financial year from CoA and maintained thereafter at all timesLatest audited financials, net-worth certificate signed by statutory auditor
Net-worth computation excludes intangibles/deferred items as prescribed and reconciles to audited accountsNet-worth working papers, auditor certification, reconciliation
Ongoing monitoring so net-worth does not fall below threshold between reporting datesManagement accounts, quarterly net-worth review by board/committee

Domain 3 — Governance and board oversight

What to verifyTypical evidence
Board-approved policy covers PPI issuance, KYC/AML, customer protection, agents, and information security, and is reviewed periodicallyBoard-approved policy documents, review dates, board/committee minutes
Clear accountability: designated senior management and a committee oversee PPI operations and riskOrganisation chart, committee charters, RACI
Compliance function tracks regulatory changes and confirms adherence to the Master Direction and amendmentsCompliance calendar, regulatory-change log, compliance certificates
Internal audit covers PPI operations at a frequency commensurate with riskInternal audit plan, PPI audit reports, management responses

Domain 4 — Issuance, categories and transaction limits

What to verifyTypical evidence
Each PPI is correctly classified (small / full-KYC / gift / MTS) and system enforces the corresponding limitsProduct configuration, limit matrix, rule-engine screenshots
Small PPI outstanding capped at INR 10,000; monthly loading and monthly debits each capped at INR 10,000; no cash-out or funds transferSystem limit config, sample account statements, transaction logs
Full-KYC PPI outstanding capped at INR 2,00,000; funds transfer and cash withdrawal within prescribed limitsLimit config, sampled full-KYC accounts, cash-withdrawal logs
Loading only from permitted sources (bank account, credit card, other permitted PPI); cash loading only where permitted and within limitFunding-source rules, loading transaction logs, reconciliation
Gift PPI capped at INR 10,000, non-reloadable, no cash-out/funds transfer; MTS capped at INR 3,000Gift/MTS product config, issuance logs
Automatic conversion / blocking logic where mandatory KYC not completed within prescribed windowKYC-status workflow, auto-suspension logs, exception reports
Co-branding arrangements comply: issuer is the principal, co-brander does not access customer data beyond permittedCo-branding agreements, data-access controls, board approval

Domain 5 — KYC and customer due diligence

What to verifyTypical evidence
Minimum-detail (mobile number verified by OTP + self-declared name/ID) captured for small PPIOnboarding screens, OTP logs, captured attributes
Full KYC performed as per RBI Master Direction on KYC before enabling funds transfer / cash withdrawal / higher limitsKYC records, OVD/Aadhaar-based verification, V-CIP logs where used
Video-based Customer Identification Process (V-CIP) or other permitted modes implemented with controls (liveness, geo-tag, audit)V-CIP recordings metadata, process SOP, audit trail
Periodic updation of KYC and ongoing due diligence / transaction monitoring in placeKYC review schedule, alerts, STR/CTR filing evidence via principal officer
AML/CFT screening against sanctions and PEP lists at onboarding and on an ongoing basisScreening tool logs, list-update records, disposition of hits
De-duplication so a customer does not hold multiple small PPIs beyond permitted with the same issuerDe-dup logic, unique-customer keying, exception handling

Domain 6 — Safeguarding of customer funds (escrow)

What to verifyTypical evidence
Non-bank issuer maintains an escrow account with a scheduled commercial bank; outstanding PPI balance is fully backedEscrow account agreement, bank confirmation, daily balance reconciliation
Only permitted credits (customer funds, refunds, interest as allowed) and permitted debits (payments to merchants, refunds, permitted commissions) hit the escrowEscrow ledger, permitted-transaction matrix, monthly certificate
No loan is granted against, and no lien/charge is created on, the amount in the escrow accountEscrow agreement clauses, no-lien confirmation from bank
Adjusted net outstanding equals or is covered by escrow balance at end of each dayDaily reconciliation reports, break analysis, exception log
Statutory auditor / chartered accountant certifies escrow maintenance at prescribed frequencyCA certificate, quarterly/annual escrow certification
Additional escrow with a second bank only if permitted, with core-balance maintained appropriatelySecond-escrow approval, movement records

Domain 7 — Interoperability

What to verifyTypical evidence
Full-KYC PPIs are made interoperable through card networks (for card PPIs) and UPI (for wallet PPIs) as mandatedNetwork membership, UPI onboarding, interoperability go-live evidence
Interoperability enabled by default for full-KYC PPIs unless a specific exemption appliesProduct config, default-on settings, exemption records
Technical standards, dispute-resolution and settlement for interoperable transactions align with network/UPI rulesCertification reports, dispute SOP, settlement reconciliations
Customer is informed of interoperability and any charges are transparently disclosedTerms and conditions, fee schedule, customer communications

Domain 8 — Technology and information security

What to verifyTypical evidence
Board-approved information-security and cyber-security policy aligned with RBI expectations and the security controls in the DirectionIS policy, cyber-security policy, board approval
Card-based PPIs comply with PCI DSS and PA-DSS where applicable; PIN/CVV/track data protectedPCI DSS AoC/RoC, ASV scans, segmentation evidence
Encryption of data in transit and at rest; secure storage of authentication credentialsCrypto standards, key-management SOP, config review
Multi-factor / additional-factor authentication for transactions as prescribed; OTP handling secureAFA config, OTP flow, authentication logs
Access control on least-privilege basis; privileged access managed and loggedAccess matrix, PAM logs, periodic access-recertification
Secure SDLC, vulnerability management, penetration testing and patch managementVAPT reports, remediation trackers, patch records
Logging, monitoring and SIEM with defined retention; time-synchronisationSIEM use-cases, log-retention policy, NTP config
Business continuity and disaster recovery with tested RTO/RPO for the PPI systemBCP/DR plan, DR drill reports, RTO/RPO evidence
Data localisation: payment data stored only in India as per RBI storage-of-payment-data directiveData-flow diagrams, hosting location evidence, localisation attestation

Domain 9 — Customer protection and grievance redress

What to verifyTypical evidence
Board-approved customer-protection and limited-liability policy consistent with RBI's limited-liability framework for unauthorised electronic transactionsLiability policy, board approval, customer disclosures
Formal grievance-redress mechanism with defined turnaround times and escalation; Nodal/Grievance officer designated and publishedGRM SOP, TAT dashboard, officer contact details on website/app
Coverage under the Reserve Bank – Integrated Ombudsman Scheme (RB-IOS) with awareness displayedRB-IOS display, complaint-handling records, ombudsman case log
Complaint acknowledgement, resolution tracking and root-cause analysisTicketing system, resolution MIS, RCA reports
Transparent disclosure of all charges, expiry, and terms in a clear manner before issuanceT&C, fee schedule, pre-issuance disclosures, app screenshots
Auto-reversal of failed transactions within prescribed timelines and compensation for delaysFailed-transaction MIS, TAT compliance, compensation records

Domain 10 — Fraud prevention and risk management

What to verifyTypical evidence
Board-approved risk-management and fraud-prevention framework with velocity, amount and pattern limitsFramework document, rule configuration, board approval
Real-time transaction monitoring with alerts, hold/reject actions and case managementMonitoring tool config, alert logs, case-management records
Customer-induced and third-party fraud reported to RBI as per fraud-reporting requirementsFraud register, RBI fraud-reporting submissions, timelines
Cooling-off / limits on new devices, high-risk merchants and cross-border where applicableRule config, device-binding logs, merchant risk-tiering

Domain 11 — Validity, redemption and closure

What to verifyTypical evidence
Minimum validity of one year from date of last loading/reload provided; customers warned before expiryValidity config, pre-expiry notification logs
Outstanding balance transferable to a new PPI/redeemable on expiry; no forfeiture beyond permittedExpiry-handling SOP, balance-transfer records
Redemption/closure process defined; funds returned to source or as customer directs within permitted routesClosure SOP, refund transaction logs
Reloadable vs non-reloadable rules enforced per category (gift PPI non-reloadable)Product config, reload-block evidence

Domain 12 — Reporting, returns and system audit

What to verifyTypical evidence
Annual System Audit Report by a CERT-In empanelled auditor submitted to RBI within prescribed timelinesSAR, CERT-In auditor engagement, RBI submission acknowledgement
Cyber-security posture audited and gaps remediated; independent assurance obtainedCyber-audit report, remediation closure evidence
Statutory and regulatory returns/data submitted to RBI accurately and on timeReturn filings, submission logs, reconciliation to books
Cyber-security incidents and material events reported to RBI/CERT-In within stipulated windowsIncident register, CERT-In/RBI notifications, timelines
Auditor certification of escrow and net-worth submitted at prescribed frequencyCA/statutory-auditor certificates, board noting

Domain 13 — Agents, outsourcing and cross-border

What to verifyTypical evidence
Agents/BCs engaged under board-approved policy with due diligence; issuer remains fully accountableAgent policy, due-diligence records, agent agreements
Outsourcing complies with RBI outsourcing guidance; right-to-audit and data-protection clauses presentOutsourcing register, contracts, audit-rights clauses
Cross-border PPIs (where operated) limited to permitted use, limits and category, with FEMA complianceCross-border product config, limits, FEMA compliance evidence
Agent locations and services monitored; mystery-shopping or supervisory checks performedMonitoring reports, supervisory-visit records

Scoping

Correct scoping determines which domains apply and how deep the assessment must go. Because the Direction covers multiple PPI categories with differing obligations, scoping must be product-led and data-flow-led rather than entity-led alone.

  • Enumerate every live PPI product and map each to its category (small, full-KYC, gift, MTS, cross-border) and CoA scope.
  • Identify all funding sources and payout rails (bank debit, cards, UPI, cash agents) and trace the money flow through the escrow account.
  • Map the technology estate that stores, processes or transmits PPI data, including cloud, data centres and third parties; card environments trigger PCI DSS scope.
  • List all agents, BCs, co-branders, outsourced processors and network partners in scope for accountability testing.
  • Confirm data-localisation boundary: where end-to-end payment data resides and any foreign-leg processing that must be purged after processing.
  • Include the customer-protection and grievance channels (app, web, call centre, ombudsman interface) as in-scope processes.
  • Record any category not offered as 'not applicable' with justification, rather than silently excluding it.

Implementation approach

A phased programme reduces the risk of authorisation delays or supervisory findings. The following four phases take an entity from readiness assessment through to sustained compliance.

Phase 1 — Gap assessment and design (Weeks 1-4)

  • Activities: baseline current-state against all 13 domains; map products to categories and limits; assess net-worth and escrow readiness; review board policies and technology posture.
  • Deliverables: gap-assessment report, prioritised remediation backlog, target operating model, RACI, and a compliance roadmap with owners and dates.

Phase 2 — Remediation and control build (Weeks 4-16)

  • Activities: configure category limits and rule engine; establish/strengthen escrow with daily reconciliation; complete KYC and V-CIP tooling; implement interoperability; harden security (PCI DSS, encryption, AFA, logging); stand up grievance and limited-liability processes.
  • Deliverables: updated board-approved policies, configured systems, escrow agreement and reconciliation, KYC/AML procedures, security control evidence, and grievance-redress SOPs.

Phase 3 — Validation and audit (Weeks 14-20)

  • Activities: internal control testing and transaction sampling; VAPT and PCI DSS assessment; commission the System Audit Report via a CERT-In empanelled auditor; obtain escrow and net-worth certificates.
  • Deliverables: SAR, PCI AoC/RoC, VAPT closure, CA certificates, and a management assertion of readiness for RBI submission.

Phase 4 — Go-live and sustained compliance (Ongoing)

  • Activities: submit SAR and required attestations to RBI; commence/continue operations; embed continuous monitoring, periodic KYC updation, quarterly escrow/net-worth review and annual audits.
  • Deliverables: RBI submissions, compliance calendar, monitoring dashboards, incident and fraud-reporting workflows, and annual re-audit plan.

Maturity and capability model

The following five-level model helps issuers benchmark control maturity across the 13 domains and target incremental improvement. It is a CyberSigma assessment construct, not an RBI grading.

LevelNameCharacteristicsTypical evidence
1Initial / ad-hocControls undocumented; limits enforced manually; escrow reconciled irregularly; no formal auditSporadic records, no policy trail
2DevelopingCore policies drafted; system limits configured but exceptions common; escrow reconciled monthly; ad-hoc KYCDraft policies, partial config, monthly recon
3DefinedBoard-approved policies in force; category limits enforced by rule engine; daily escrow reconciliation; annual SAR obtainedApproved policies, SAR, daily recon
4ManagedMetrics-driven; real-time monitoring and fraud analytics; interoperability fully live; automated KYC updation; grievance TATs trackedKPI dashboards, monitoring logs, TAT MIS
5OptimisedContinuous assurance; predictive fraud controls; automated evidence collection; proactive regulatory-change adoptionContinuous-control-monitoring evidence, change log

Assessment and audit approach

  1. Confirm scope: enumerate products, categories, entities, agents, technology and data flows in scope, with non-applicability rationale documented.
  2. Assemble the criteria set: the current consolidated Master Direction, applicable amendments, KYC Master Direction, storage-of-payment-data directive and PCI DSS where cards are involved.
  3. Perform document review: CoA, board policies, escrow agreement, net-worth certificate, SAR, PCI AoC, VAPT and outsourcing contracts.
  4. Test configuration: verify category limits, funding-source rules, AFA, interoperability defaults and access controls directly in the systems.
  5. Sample transactions: select loading, spend, funds-transfer, cash-out, refund and failed transactions to confirm limits, escrow backing and reversal timelines.
  6. Test KYC and AML: sample small and full-KYC onboarding, V-CIP records, screening hits and periodic updation.
  7. Reconcile escrow: verify daily outstanding-versus-escrow balance and permitted debits/credits over a sampled period.
  8. Assess security: review VAPT, PCI DSS scope, encryption, logging, data localisation and BCP/DR drills.
  9. Evaluate customer protection: test grievance TATs, limited-liability handling and RB-IOS coverage.
  10. Report findings: rate each domain, quantify residual risk, agree remediation owners and dates, and prepare the RBI-facing attestations.

Evidence request list

Request the following, organised by category, ahead of fieldwork:

  • Authorisation: Certificate of Authorisation, RBI approval/correspondence, certificate of incorporation, MoA/AoA, change-of-control approvals.
  • Financial: latest audited financial statements, net-worth certificate, escrow account agreement, escrow certificates, daily escrow-reconciliation reports.
  • Governance: board-approved policies (PPI issuance, KYC/AML, customer protection, information security, agents/outsourcing), board and committee minutes, compliance calendar.
  • Product and limits: product catalogue mapped to categories, limit-configuration matrix, rule-engine exports, co-branding agreements.
  • KYC/AML: onboarding SOPs, V-CIP procedure and audit trail, sanctions/PEP screening logs, STR/CTR filing evidence, KYC-updation schedule.
  • Security: PCI DSS AoC/RoC and ASV scans, VAPT reports and remediation, encryption/key-management standards, access-control matrix, SIEM/log-retention policy, BCP/DR test reports, data-localisation attestation.
  • Interoperability: network membership, UPI onboarding, certification and go-live evidence, dispute-resolution SOP.
  • Customer protection: grievance-redress SOP, TAT MIS, nodal/grievance officer details, RB-IOS display, failed-transaction reversal MIS.
  • Audit and reporting: System Audit Report, cyber-security audit, RBI returns and submission acknowledgements, incident and fraud registers.
  • Third parties: agent/BC agreements and due-diligence records, outsourcing register and contracts with audit-rights clauses.

Roles and responsibilities

RolePrimary responsibilitiesKey artefacts owned
Board of DirectorsApprove policies; oversee risk appetite and compliance; ensure net-worth maintenanceBoard-approved policies, minutes, risk appetite
Chief Compliance OfficerEnsure adherence to the Master Direction and amendments; track regulatory change; coordinate RBI submissionsCompliance calendar, regulatory-change log, RBI filings
Chief Risk OfficerOwn fraud-prevention and risk-management framework; monitor transaction riskRisk framework, fraud register, monitoring MIS
CISO / Head of Information SecurityImplement security controls, PCI DSS, VAPT, data localisation, incident responseIS policy, VAPT/PCI evidence, incident register
Head of Operations / ProductEnforce category limits, escrow operations, interoperability and issuance controlsProduct config, escrow reconciliation, limit matrix
Principal Officer (AML) / KYC headOwn KYC/CDD, screening, STR/CTR filing and periodic updationKYC SOPs, screening logs, STR/CTR records
Nodal / Grievance Redress OfficerHandle complaints, meet TATs, manage RB-IOS interface and limited-liability casesGRM SOP, complaint MIS, ombudsman log
Internal AuditIndependently test controls; report to audit committee; track remediationAudit plan, PPI audit reports
System Auditor (CERT-In empanelled)Conduct annual System Audit and cyber-security assessmentSystem Audit Report

KPIs to track

  • Escrow coverage ratio: escrow balance versus daily outstanding PPI liability (target 100 percent, zero breach days).
  • Net-worth headroom: current net-worth versus INR 15 crore threshold.
  • KYC completion rate: percentage of full-KYC PPIs completed within window; small-PPI conversion rate.
  • Limit-breach incidents: number of attempted transactions exceeding category limits blocked by controls.
  • Interoperability enablement: percentage of full-KYC PPIs interoperable via UPI/card networks.
  • Fraud rate: value and volume of fraud per lakh transactions; detection lead time.
  • Failed-transaction auto-reversal TAT compliance percentage.
  • Grievance resolution: average resolution time and percentage within SLA; RB-IOS escalation rate.
  • Security posture: open critical/high VAPT findings, mean time to remediate, PCI DSS compliance status.
  • Regulatory reporting timeliness: percentage of returns, SAR and incident reports filed on time.

Readiness checklist

  • Valid Certificate of Authorisation held and product scope matches CoA
  • Minimum net-worth (INR 5 crore at application; INR 15 crore ongoing) evidenced by auditor certificate
  • Board-approved policies for PPI issuance, KYC/AML, customer protection, information security and agents in force
  • PPI products correctly categorised with system-enforced loading, outstanding and usage limits
  • Escrow account with a scheduled commercial bank maintained with daily reconciliation and no lien
  • Full KYC (including V-CIP where used) implemented before funds transfer/cash withdrawal enabled
  • Interoperability enabled for full-KYC PPIs via UPI and/or card networks
  • PCI DSS compliance (for card PPIs), encryption, AFA, access control and logging in place
  • Data localisation confirmed with payment data stored in India
  • Fraud-prevention and transaction-monitoring framework operational with RBI fraud reporting
  • Grievance-redress mechanism with published officer, TATs and RB-IOS coverage
  • Annual System Audit Report by CERT-In empanelled auditor obtained and submitted
  • Regulatory returns, incident and fraud reports filed within prescribed timelines
  • Agent/outsourcing due diligence completed with issuer accountability retained

Common gaps

  • Escrow reconciliation performed monthly rather than daily, leaving intra-period under-coverage undetected.
  • Category limits enforced in the UI but not at the core ledger, allowing back-office overrides beyond thresholds.
  • Small PPIs not converted or blocked after the mandatory KYC window lapses.
  • Interoperability configured as opt-in instead of default-on for full-KYC PPIs.
  • Payment data or backups residing outside India, breaching the storage-of-payment-data directive.
  • PCI DSS scope understated by treating tokenised card flows as out-of-scope without validation.
  • Grievance TATs and RB-IOS awareness not published or not met, driving avoidable ombudsman escalations.
  • Agents onboarded without documented due diligence, leaving accountability gaps.
  • System Audit Report delayed beyond the prescribed submission window.
  • Net-worth monitored only at year-end, missing intra-year erosion below the threshold.
  • Limited-liability policy for unauthorised transactions absent or not aligned to RBI's framework.
  • Loading permitted from non-approved sources or cash loading beyond permitted limits.

RBI PPI Master Direction mapped to other frameworks

Mapping helps reuse existing control evidence and integrate PPI compliance into a broader assurance programme.

MD-PPI control domainPCI DSSISO/IEC 27001RBI KYC / PMLANPCI / UPI rules
Technology and information securityRequirements 1-12 (network, crypto, access, monitoring, testing)Annex A controls A.5-A.8Not applicableSecurity certification for UPI participation
Access control and authenticationReq. 7-8 (access, MFA)A.5.15-A.5.18, A.8.2-A.8.5Not applicableAFA / risk-based authentication
Encryption and key managementReq. 3-4A.8.24 cryptographyNot applicablePIN/data protection standards
KYC / CDD and AMLNot applicableA.5.31 legal/regulatoryMaster Direction on KYC, PMLA obligationsBeneficiary verification norms
Safeguarding of funds (escrow)Not applicableA.5.31 complianceNot applicableSettlement and net-outstanding rules
Fraud prevention and monitoringReq. 10-11 logging/testingA.8.15-A.8.16 logging/monitoringSTR/CTR reportingFraud-risk-management framework
Reporting and system auditReq. 12 governanceClause 9 performance evaluation, A.5.35 independent reviewRegulatory reportingAudit and certification requirements
Customer protection and grievanceNot applicableA.5.34 privacy, A.5.31 complianceNot applicableDispute-resolution / TAT norms

How CyberSigma helps

Partner with CyberSigma for RBI PPI compliance
CyberSigma's CERT-In empanelled auditors and PCI QSAs deliver end-to-end RBI PPI Master Direction assurance: authorisation readiness and net-worth/escrow structuring support, category-limit and interoperability control design, KYC/AML and V-CIP process build, PCI DSS and VAPT for card and wallet environments, data-localisation validation, and the annual System Audit Report required by RBI. We combine regulatory depth with hands-on remediation and continuous-control monitoring so your PPI programme not only achieves authorisation but sustains supervisory confidence. Contact CyberSigma to scope your PPI gap assessment and build an evidence-backed roadmap to compliant, audit-ready operations.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Do PPI issuers need a system audit?
Yes — PPI issuers must undergo periodic system audits of their systems, commonly performed by CERT-In empanelled auditors, alongside strong security controls.

Need help with RBI PPI Master Direction?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.