Introduction
The Reserve Bank of India (RBI) Master Direction on Prepaid Payment Instruments (PPIs) is the consolidated regulatory framework governing the issuance and operation of prepaid instruments such as wallets, prepaid cards, gift cards and mass transit instruments in India. First issued as the Master Direction on Prepaid Payment Instruments (MD-PPIs) on 27 August 2021 (RBI/2021-22/82, DPSS.CO.PD.No.S-479/02.14.006/2021-22) and periodically amended, the Direction supersedes the earlier 2017 Master Direction and consolidates all PPI-related instructions issued under the Payment and Settlement Systems Act, 2007 (PSS Act).
This guide is an auditor-grade deep-dive prepared by CyberSigma's compliance practice. It translates the regulatory text into a structured, verifiable assessment programme covering authorisation, capital and net-worth, KYC, interoperability, safeguarding of customer funds (escrow), technology and security, customer protection and reporting obligations. It is designed for PPI issuers, applicants seeking authorisation, banks operating PPI programmes, and the internal audit, risk and information-security teams that assure them. The objective is to give practitioners a control-by-control checklist, evidence expectations, an implementation roadmap and a maturity model that stands up to RBI supervisory scrutiny and System Audit Report (SAR) requirements.
Copyright and source note
The RBI Master Direction on Prepaid Payment Instruments is a regulatory instrument issued by the Reserve Bank of India. The official text, master circulars, FAQs and subsequent amendments are published on rbi.org.in and prevail in the event of any conflict. This guide is an original, independently authored interpretation and does not reproduce RBI's copyrighted text verbatim. Always validate against the latest consolidated Master Direction and any subsequent circulars before relying on it for authorisation, audit or attestation.
What is the RBI PPI Master Direction
Prepaid Payment Instruments are instruments that facilitate the purchase of goods and services, conduct of financial services, enable remittances and so on, against the value stored on such instruments. The value stored represents the value paid for by the holder in advance by cash, by debit to a bank account, by credit card, from other PPIs (to the extent permitted) or by any other instrument that the RBI approves from time to time. PPIs may be issued as cards, wallets, or any instrument that stores value electronically or otherwise; paper vouchers are excluded from the ambit.
The Master Direction lays down the eligibility, authorisation, capital, prudential, operational and technology requirements for issuing and operating PPIs. It is issued under Section 18 read with Section 10(2) of the PSS Act, 2007. It classifies PPIs into two broad categories, prescribes KYC-graded loading and usage limits, mandates interoperability, requires safeguarding of outstanding customer balances through an escrow arrangement, and imposes information-security, fraud-prevention, grievance-redress and reporting obligations on issuers and their agents.
Categories of PPI
| Category | Description | Key limits and conditions |
|---|
| Small PPI (minimum-detail) | Issued by banks and non-banks after obtaining minimum details of the PPI holder; used only for purchase of goods and services at identified merchant locations / establishments that have a specific contract with the issuer | Loaded/reloaded only from a bank account/credit card/full-KYC PPI; amount outstanding not to exceed INR 10,000 at any time; total loading in a month not to exceed INR 10,000; total debits in a month not to exceed INR 10,000; no cash withdrawal / fund transfer permitted; conversion to full-KYC PPI required within 24 months (small PPI with cash loading facility) or as prescribed |
| Full-KYC PPI | Issued after completing Know Your Customer of the PPI holder as per the RBI Master Direction on KYC; usable for purchase of goods and services, funds transfer and cash withdrawal | Amount outstanding not to exceed INR 2,00,000 at any time; funds transfer and cash withdrawal permitted subject to prescribed limits; interoperability mandatory |
| Gift PPI | Issued as gift instruments; a sub-type with specific relaxations | Maximum value INR 10,000; not reloadable; no cash-out or funds transfer; separate KYC relaxation for the purchaser |
| PPI for Mass Transit Systems (PPI-MTS) | Issued for use across mass transit systems by an operator of a mass transit system | Maximum outstanding INR 3,000; reloadable; usable within the transit ecosystem and at other merchants as permitted; no cash-out / refund except on surrender |
Who must comply
The Direction applies to all entities that issue and operate PPIs in India, whether banks or non-bank entities, and to the ecosystem participants who support them. Compliance obligations flow to the following:
| Entity type | Applicability | Nature of obligation |
|---|
| Bank PPI issuers | Banks that have received approval from RBI (Department of Regulation) to operate PPIs | Full compliance with issuance, KYC, escrow-equivalent safeguarding, interoperability, technology and reporting obligations |
| Non-bank PPI issuers | Companies incorporated in India and authorised by RBI (Department of Payment and Settlement Systems / Department of Regulation) under the PSS Act to issue PPIs | Authorisation, minimum positive net-worth, escrow safeguarding, KYC, interoperability, technology, audit and reporting |
| Applicants for authorisation | Entities seeking a Certificate of Authorisation (CoA) to operate as a PPI issuer | Net-worth, fit-and-proper, systems-readiness, and submission of a System Audit Report prior to commencing operations |
| PPI-MTS operators | Operators of mass transit systems issuing PPI-MTS | Category-specific limits and safeguarding conditions |
| Agents and Business Correspondents (BCs) | Agents engaged for on-boarding, loading, KYC or servicing | Bound by the issuer's board-approved policy; the issuer remains responsible for their acts and omissions |
| Payment aggregators / gateways handling PPI flows | Where they process PPI transactions or hold funds | Adjacent obligations under the PA-PG guidelines and escrow rules |
| Escrow / partner banks | Scheduled commercial banks holding the escrow account for non-bank issuers | Maintenance of escrow, permitted debits/credits, monthly certification |
Non-bank net-worth threshold
A non-bank entity seeking authorisation to issue PPIs must be a company incorporated in India with a minimum positive net-worth of INR 5 crore as per its latest audited balance sheet at the time of application, and must achieve a minimum positive net-worth of INR 15 crore by the end of the third financial year from the date of receiving the final Certificate of Authorisation, which is to be maintained at all times thereafter.
Structure of the RBI PPI Master Direction
The Master Direction is organised into chapters and paragraphs that move from definitions and eligibility, through operational instructions on issuance and limits, to safeguarding of funds, interoperability, security and customer protection. For assessment purposes it is helpful to reorganise these into control domains. The table below maps the regulatory structure to the assessable control families used throughout this guide.
| Control domain | Corresponding MD-PPI area | Focus of assessment |
|---|
| Authorisation and eligibility | Chapter on eligibility, entry-point norms, CoA | Certificate of Authorisation, incorporation, fit-and-proper, systems readiness |
| Capital and net-worth | Net-worth requirements and timelines | Minimum net-worth at application and ongoing maintenance |
| Governance and board oversight | Board-approved policies | Board policy on PPI issuance, KYC, customer protection, agents, information security |
| Issuance, categories and limits | Types of PPIs; loading, reloading and usage limits | Correct category, KYC-graded limits, cash-loading and cash-out rules |
| KYC / CDD | Reference to Master Direction on KYC | Minimum-detail vs full-KYC, verification, periodic updation, monitoring |
| Safeguarding of customer funds | Escrow account maintenance and permitted debits/credits | Escrow with scheduled commercial bank, permitted transactions, no lien |
| Interoperability | Interoperability through card networks and UPI | Full-KYC PPI interoperability, technical and business enablement |
| Technology and information security | Security, fraud prevention and risk-management framework | Access control, encryption, cyber-security, PCI DSS for cards, audit |
| Customer protection and grievance redress | Customer protection, liability, grievance redress | Limited liability, disclosure, redress, RB-IOS ombudsman coverage |
| Fraud prevention and risk management | Board-approved risk-management and fraud-prevention framework | Transaction monitoring, velocity checks, fraud reporting |
| Validity, redemption and closure | Validity, expiry, redemption | Minimum validity, expiry warnings, transfer of outstanding balance |
| Reporting and audit | System audit, returns and reporting to RBI | SAR, cyber-security audit, statutory returns, incident reporting |
| Agents and outsourcing | Engagement of agents / BCs / outsourcing | Board policy, due diligence, issuer accountability |
| Cross-border and specific-use PPIs | PPIs for cross-border transactions, MTS, gift | Category-specific conditions and limits |
Master assessment checklist
This is the core of the guide. Each control domain is enumerated below with what an auditor must verify and the evidence typically relied upon. Assessors should treat every row as an assertion to be tested through inspection of documents, configuration, transaction sampling and interview. No domain should be skipped; where a domain is not applicable (for example, cards for a wallet-only issuer), record the rationale for non-applicability rather than omitting it.
Domain 1 — Authorisation and eligibility
| What to verify | Typical evidence |
|---|
| Valid Certificate of Authorisation (CoA) from RBI is held and current; scope of CoA matches the PPI products actually operated | CoA copy, RBI approval letters, product catalogue mapped to CoA scope |
| Entity is a company incorporated in India (for non-banks) with objects clause permitting PPI issuance | Certificate of incorporation, Memorandum and Articles of Association |
| Fit-and-proper status of promoters, directors and key management personnel maintained | Board declarations, director KYC, RBI due-diligence submissions |
| Systems-readiness confirmed prior to commencement; System Audit Report submitted before go-live | Pre-commencement SAR, RBI acknowledgement, go-live sign-off |
| Any change in management/control/shareholding above threshold notified/approved as required | Change-of-control approvals, RBI correspondence, filings |
| Bank issuers hold requisite RBI (DoR) approval to operate PPIs | Departmental approval, internal board resolution |
Domain 2 — Capital and net-worth
| What to verify | Typical evidence |
|---|
| Minimum positive net-worth of INR 5 crore held at time of application (non-bank) | Audited balance sheet at application, chartered-accountant certificate |
| Minimum net-worth of INR 15 crore achieved by end of third financial year from CoA and maintained thereafter at all times | Latest audited financials, net-worth certificate signed by statutory auditor |
| Net-worth computation excludes intangibles/deferred items as prescribed and reconciles to audited accounts | Net-worth working papers, auditor certification, reconciliation |
| Ongoing monitoring so net-worth does not fall below threshold between reporting dates | Management accounts, quarterly net-worth review by board/committee |
Domain 3 — Governance and board oversight
| What to verify | Typical evidence |
|---|
| Board-approved policy covers PPI issuance, KYC/AML, customer protection, agents, and information security, and is reviewed periodically | Board-approved policy documents, review dates, board/committee minutes |
| Clear accountability: designated senior management and a committee oversee PPI operations and risk | Organisation chart, committee charters, RACI |
| Compliance function tracks regulatory changes and confirms adherence to the Master Direction and amendments | Compliance calendar, regulatory-change log, compliance certificates |
| Internal audit covers PPI operations at a frequency commensurate with risk | Internal audit plan, PPI audit reports, management responses |
Domain 4 — Issuance, categories and transaction limits
| What to verify | Typical evidence |
|---|
| Each PPI is correctly classified (small / full-KYC / gift / MTS) and system enforces the corresponding limits | Product configuration, limit matrix, rule-engine screenshots |
| Small PPI outstanding capped at INR 10,000; monthly loading and monthly debits each capped at INR 10,000; no cash-out or funds transfer | System limit config, sample account statements, transaction logs |
| Full-KYC PPI outstanding capped at INR 2,00,000; funds transfer and cash withdrawal within prescribed limits | Limit config, sampled full-KYC accounts, cash-withdrawal logs |
| Loading only from permitted sources (bank account, credit card, other permitted PPI); cash loading only where permitted and within limit | Funding-source rules, loading transaction logs, reconciliation |
| Gift PPI capped at INR 10,000, non-reloadable, no cash-out/funds transfer; MTS capped at INR 3,000 | Gift/MTS product config, issuance logs |
| Automatic conversion / blocking logic where mandatory KYC not completed within prescribed window | KYC-status workflow, auto-suspension logs, exception reports |
| Co-branding arrangements comply: issuer is the principal, co-brander does not access customer data beyond permitted | Co-branding agreements, data-access controls, board approval |
Domain 5 — KYC and customer due diligence
| What to verify | Typical evidence |
|---|
| Minimum-detail (mobile number verified by OTP + self-declared name/ID) captured for small PPI | Onboarding screens, OTP logs, captured attributes |
| Full KYC performed as per RBI Master Direction on KYC before enabling funds transfer / cash withdrawal / higher limits | KYC records, OVD/Aadhaar-based verification, V-CIP logs where used |
| Video-based Customer Identification Process (V-CIP) or other permitted modes implemented with controls (liveness, geo-tag, audit) | V-CIP recordings metadata, process SOP, audit trail |
| Periodic updation of KYC and ongoing due diligence / transaction monitoring in place | KYC review schedule, alerts, STR/CTR filing evidence via principal officer |
| AML/CFT screening against sanctions and PEP lists at onboarding and on an ongoing basis | Screening tool logs, list-update records, disposition of hits |
| De-duplication so a customer does not hold multiple small PPIs beyond permitted with the same issuer | De-dup logic, unique-customer keying, exception handling |
Domain 6 — Safeguarding of customer funds (escrow)
| What to verify | Typical evidence |
|---|
| Non-bank issuer maintains an escrow account with a scheduled commercial bank; outstanding PPI balance is fully backed | Escrow account agreement, bank confirmation, daily balance reconciliation |
| Only permitted credits (customer funds, refunds, interest as allowed) and permitted debits (payments to merchants, refunds, permitted commissions) hit the escrow | Escrow ledger, permitted-transaction matrix, monthly certificate |
| No loan is granted against, and no lien/charge is created on, the amount in the escrow account | Escrow agreement clauses, no-lien confirmation from bank |
| Adjusted net outstanding equals or is covered by escrow balance at end of each day | Daily reconciliation reports, break analysis, exception log |
| Statutory auditor / chartered accountant certifies escrow maintenance at prescribed frequency | CA certificate, quarterly/annual escrow certification |
| Additional escrow with a second bank only if permitted, with core-balance maintained appropriately | Second-escrow approval, movement records |
Domain 7 — Interoperability
| What to verify | Typical evidence |
|---|
| Full-KYC PPIs are made interoperable through card networks (for card PPIs) and UPI (for wallet PPIs) as mandated | Network membership, UPI onboarding, interoperability go-live evidence |
| Interoperability enabled by default for full-KYC PPIs unless a specific exemption applies | Product config, default-on settings, exemption records |
| Technical standards, dispute-resolution and settlement for interoperable transactions align with network/UPI rules | Certification reports, dispute SOP, settlement reconciliations |
| Customer is informed of interoperability and any charges are transparently disclosed | Terms and conditions, fee schedule, customer communications |
Domain 8 — Technology and information security
| What to verify | Typical evidence |
|---|
| Board-approved information-security and cyber-security policy aligned with RBI expectations and the security controls in the Direction | IS policy, cyber-security policy, board approval |
| Card-based PPIs comply with PCI DSS and PA-DSS where applicable; PIN/CVV/track data protected | PCI DSS AoC/RoC, ASV scans, segmentation evidence |
| Encryption of data in transit and at rest; secure storage of authentication credentials | Crypto standards, key-management SOP, config review |
| Multi-factor / additional-factor authentication for transactions as prescribed; OTP handling secure | AFA config, OTP flow, authentication logs |
| Access control on least-privilege basis; privileged access managed and logged | Access matrix, PAM logs, periodic access-recertification |
| Secure SDLC, vulnerability management, penetration testing and patch management | VAPT reports, remediation trackers, patch records |
| Logging, monitoring and SIEM with defined retention; time-synchronisation | SIEM use-cases, log-retention policy, NTP config |
| Business continuity and disaster recovery with tested RTO/RPO for the PPI system | BCP/DR plan, DR drill reports, RTO/RPO evidence |
| Data localisation: payment data stored only in India as per RBI storage-of-payment-data directive | Data-flow diagrams, hosting location evidence, localisation attestation |
Domain 9 — Customer protection and grievance redress
| What to verify | Typical evidence |
|---|
| Board-approved customer-protection and limited-liability policy consistent with RBI's limited-liability framework for unauthorised electronic transactions | Liability policy, board approval, customer disclosures |
| Formal grievance-redress mechanism with defined turnaround times and escalation; Nodal/Grievance officer designated and published | GRM SOP, TAT dashboard, officer contact details on website/app |
| Coverage under the Reserve Bank – Integrated Ombudsman Scheme (RB-IOS) with awareness displayed | RB-IOS display, complaint-handling records, ombudsman case log |
| Complaint acknowledgement, resolution tracking and root-cause analysis | Ticketing system, resolution MIS, RCA reports |
| Transparent disclosure of all charges, expiry, and terms in a clear manner before issuance | T&C, fee schedule, pre-issuance disclosures, app screenshots |
| Auto-reversal of failed transactions within prescribed timelines and compensation for delays | Failed-transaction MIS, TAT compliance, compensation records |
Domain 10 — Fraud prevention and risk management
| What to verify | Typical evidence |
|---|
| Board-approved risk-management and fraud-prevention framework with velocity, amount and pattern limits | Framework document, rule configuration, board approval |
| Real-time transaction monitoring with alerts, hold/reject actions and case management | Monitoring tool config, alert logs, case-management records |
| Customer-induced and third-party fraud reported to RBI as per fraud-reporting requirements | Fraud register, RBI fraud-reporting submissions, timelines |
| Cooling-off / limits on new devices, high-risk merchants and cross-border where applicable | Rule config, device-binding logs, merchant risk-tiering |
Domain 11 — Validity, redemption and closure
| What to verify | Typical evidence |
|---|
| Minimum validity of one year from date of last loading/reload provided; customers warned before expiry | Validity config, pre-expiry notification logs |
| Outstanding balance transferable to a new PPI/redeemable on expiry; no forfeiture beyond permitted | Expiry-handling SOP, balance-transfer records |
| Redemption/closure process defined; funds returned to source or as customer directs within permitted routes | Closure SOP, refund transaction logs |
| Reloadable vs non-reloadable rules enforced per category (gift PPI non-reloadable) | Product config, reload-block evidence |
Domain 12 — Reporting, returns and system audit
| What to verify | Typical evidence |
|---|
| Annual System Audit Report by a CERT-In empanelled auditor submitted to RBI within prescribed timelines | SAR, CERT-In auditor engagement, RBI submission acknowledgement |
| Cyber-security posture audited and gaps remediated; independent assurance obtained | Cyber-audit report, remediation closure evidence |
| Statutory and regulatory returns/data submitted to RBI accurately and on time | Return filings, submission logs, reconciliation to books |
| Cyber-security incidents and material events reported to RBI/CERT-In within stipulated windows | Incident register, CERT-In/RBI notifications, timelines |
| Auditor certification of escrow and net-worth submitted at prescribed frequency | CA/statutory-auditor certificates, board noting |
Domain 13 — Agents, outsourcing and cross-border
| What to verify | Typical evidence |
|---|
| Agents/BCs engaged under board-approved policy with due diligence; issuer remains fully accountable | Agent policy, due-diligence records, agent agreements |
| Outsourcing complies with RBI outsourcing guidance; right-to-audit and data-protection clauses present | Outsourcing register, contracts, audit-rights clauses |
| Cross-border PPIs (where operated) limited to permitted use, limits and category, with FEMA compliance | Cross-border product config, limits, FEMA compliance evidence |
| Agent locations and services monitored; mystery-shopping or supervisory checks performed | Monitoring reports, supervisory-visit records |
Scoping
Correct scoping determines which domains apply and how deep the assessment must go. Because the Direction covers multiple PPI categories with differing obligations, scoping must be product-led and data-flow-led rather than entity-led alone.
- Enumerate every live PPI product and map each to its category (small, full-KYC, gift, MTS, cross-border) and CoA scope.
- Identify all funding sources and payout rails (bank debit, cards, UPI, cash agents) and trace the money flow through the escrow account.
- Map the technology estate that stores, processes or transmits PPI data, including cloud, data centres and third parties; card environments trigger PCI DSS scope.
- List all agents, BCs, co-branders, outsourced processors and network partners in scope for accountability testing.
- Confirm data-localisation boundary: where end-to-end payment data resides and any foreign-leg processing that must be purged after processing.
- Include the customer-protection and grievance channels (app, web, call centre, ombudsman interface) as in-scope processes.
- Record any category not offered as 'not applicable' with justification, rather than silently excluding it.
Implementation approach
A phased programme reduces the risk of authorisation delays or supervisory findings. The following four phases take an entity from readiness assessment through to sustained compliance.
Phase 1 — Gap assessment and design (Weeks 1-4)
- Activities: baseline current-state against all 13 domains; map products to categories and limits; assess net-worth and escrow readiness; review board policies and technology posture.
- Deliverables: gap-assessment report, prioritised remediation backlog, target operating model, RACI, and a compliance roadmap with owners and dates.
Phase 2 — Remediation and control build (Weeks 4-16)
- Activities: configure category limits and rule engine; establish/strengthen escrow with daily reconciliation; complete KYC and V-CIP tooling; implement interoperability; harden security (PCI DSS, encryption, AFA, logging); stand up grievance and limited-liability processes.
- Deliverables: updated board-approved policies, configured systems, escrow agreement and reconciliation, KYC/AML procedures, security control evidence, and grievance-redress SOPs.
Phase 3 — Validation and audit (Weeks 14-20)
- Activities: internal control testing and transaction sampling; VAPT and PCI DSS assessment; commission the System Audit Report via a CERT-In empanelled auditor; obtain escrow and net-worth certificates.
- Deliverables: SAR, PCI AoC/RoC, VAPT closure, CA certificates, and a management assertion of readiness for RBI submission.
Phase 4 — Go-live and sustained compliance (Ongoing)
- Activities: submit SAR and required attestations to RBI; commence/continue operations; embed continuous monitoring, periodic KYC updation, quarterly escrow/net-worth review and annual audits.
- Deliverables: RBI submissions, compliance calendar, monitoring dashboards, incident and fraud-reporting workflows, and annual re-audit plan.
Maturity and capability model
The following five-level model helps issuers benchmark control maturity across the 13 domains and target incremental improvement. It is a CyberSigma assessment construct, not an RBI grading.
| Level | Name | Characteristics | Typical evidence |
|---|
| 1 | Initial / ad-hoc | Controls undocumented; limits enforced manually; escrow reconciled irregularly; no formal audit | Sporadic records, no policy trail |
| 2 | Developing | Core policies drafted; system limits configured but exceptions common; escrow reconciled monthly; ad-hoc KYC | Draft policies, partial config, monthly recon |
| 3 | Defined | Board-approved policies in force; category limits enforced by rule engine; daily escrow reconciliation; annual SAR obtained | Approved policies, SAR, daily recon |
| 4 | Managed | Metrics-driven; real-time monitoring and fraud analytics; interoperability fully live; automated KYC updation; grievance TATs tracked | KPI dashboards, monitoring logs, TAT MIS |
| 5 | Optimised | Continuous assurance; predictive fraud controls; automated evidence collection; proactive regulatory-change adoption | Continuous-control-monitoring evidence, change log |
Assessment and audit approach
- Confirm scope: enumerate products, categories, entities, agents, technology and data flows in scope, with non-applicability rationale documented.
- Assemble the criteria set: the current consolidated Master Direction, applicable amendments, KYC Master Direction, storage-of-payment-data directive and PCI DSS where cards are involved.
- Perform document review: CoA, board policies, escrow agreement, net-worth certificate, SAR, PCI AoC, VAPT and outsourcing contracts.
- Test configuration: verify category limits, funding-source rules, AFA, interoperability defaults and access controls directly in the systems.
- Sample transactions: select loading, spend, funds-transfer, cash-out, refund and failed transactions to confirm limits, escrow backing and reversal timelines.
- Test KYC and AML: sample small and full-KYC onboarding, V-CIP records, screening hits and periodic updation.
- Reconcile escrow: verify daily outstanding-versus-escrow balance and permitted debits/credits over a sampled period.
- Assess security: review VAPT, PCI DSS scope, encryption, logging, data localisation and BCP/DR drills.
- Evaluate customer protection: test grievance TATs, limited-liability handling and RB-IOS coverage.
- Report findings: rate each domain, quantify residual risk, agree remediation owners and dates, and prepare the RBI-facing attestations.
Evidence request list
Request the following, organised by category, ahead of fieldwork:
- Authorisation: Certificate of Authorisation, RBI approval/correspondence, certificate of incorporation, MoA/AoA, change-of-control approvals.
- Financial: latest audited financial statements, net-worth certificate, escrow account agreement, escrow certificates, daily escrow-reconciliation reports.
- Governance: board-approved policies (PPI issuance, KYC/AML, customer protection, information security, agents/outsourcing), board and committee minutes, compliance calendar.
- Product and limits: product catalogue mapped to categories, limit-configuration matrix, rule-engine exports, co-branding agreements.
- KYC/AML: onboarding SOPs, V-CIP procedure and audit trail, sanctions/PEP screening logs, STR/CTR filing evidence, KYC-updation schedule.
- Security: PCI DSS AoC/RoC and ASV scans, VAPT reports and remediation, encryption/key-management standards, access-control matrix, SIEM/log-retention policy, BCP/DR test reports, data-localisation attestation.
- Interoperability: network membership, UPI onboarding, certification and go-live evidence, dispute-resolution SOP.
- Customer protection: grievance-redress SOP, TAT MIS, nodal/grievance officer details, RB-IOS display, failed-transaction reversal MIS.
- Audit and reporting: System Audit Report, cyber-security audit, RBI returns and submission acknowledgements, incident and fraud registers.
- Third parties: agent/BC agreements and due-diligence records, outsourcing register and contracts with audit-rights clauses.
Roles and responsibilities
| Role | Primary responsibilities | Key artefacts owned |
|---|
| Board of Directors | Approve policies; oversee risk appetite and compliance; ensure net-worth maintenance | Board-approved policies, minutes, risk appetite |
| Chief Compliance Officer | Ensure adherence to the Master Direction and amendments; track regulatory change; coordinate RBI submissions | Compliance calendar, regulatory-change log, RBI filings |
| Chief Risk Officer | Own fraud-prevention and risk-management framework; monitor transaction risk | Risk framework, fraud register, monitoring MIS |
| CISO / Head of Information Security | Implement security controls, PCI DSS, VAPT, data localisation, incident response | IS policy, VAPT/PCI evidence, incident register |
| Head of Operations / Product | Enforce category limits, escrow operations, interoperability and issuance controls | Product config, escrow reconciliation, limit matrix |
| Principal Officer (AML) / KYC head | Own KYC/CDD, screening, STR/CTR filing and periodic updation | KYC SOPs, screening logs, STR/CTR records |
| Nodal / Grievance Redress Officer | Handle complaints, meet TATs, manage RB-IOS interface and limited-liability cases | GRM SOP, complaint MIS, ombudsman log |
| Internal Audit | Independently test controls; report to audit committee; track remediation | Audit plan, PPI audit reports |
| System Auditor (CERT-In empanelled) | Conduct annual System Audit and cyber-security assessment | System Audit Report |
KPIs to track
- Escrow coverage ratio: escrow balance versus daily outstanding PPI liability (target 100 percent, zero breach days).
- Net-worth headroom: current net-worth versus INR 15 crore threshold.
- KYC completion rate: percentage of full-KYC PPIs completed within window; small-PPI conversion rate.
- Limit-breach incidents: number of attempted transactions exceeding category limits blocked by controls.
- Interoperability enablement: percentage of full-KYC PPIs interoperable via UPI/card networks.
- Fraud rate: value and volume of fraud per lakh transactions; detection lead time.
- Failed-transaction auto-reversal TAT compliance percentage.
- Grievance resolution: average resolution time and percentage within SLA; RB-IOS escalation rate.
- Security posture: open critical/high VAPT findings, mean time to remediate, PCI DSS compliance status.
- Regulatory reporting timeliness: percentage of returns, SAR and incident reports filed on time.
Readiness checklist
- Valid Certificate of Authorisation held and product scope matches CoA
- Minimum net-worth (INR 5 crore at application; INR 15 crore ongoing) evidenced by auditor certificate
- Board-approved policies for PPI issuance, KYC/AML, customer protection, information security and agents in force
- PPI products correctly categorised with system-enforced loading, outstanding and usage limits
- Escrow account with a scheduled commercial bank maintained with daily reconciliation and no lien
- Full KYC (including V-CIP where used) implemented before funds transfer/cash withdrawal enabled
- Interoperability enabled for full-KYC PPIs via UPI and/or card networks
- PCI DSS compliance (for card PPIs), encryption, AFA, access control and logging in place
- Data localisation confirmed with payment data stored in India
- Fraud-prevention and transaction-monitoring framework operational with RBI fraud reporting
- Grievance-redress mechanism with published officer, TATs and RB-IOS coverage
- Annual System Audit Report by CERT-In empanelled auditor obtained and submitted
- Regulatory returns, incident and fraud reports filed within prescribed timelines
- Agent/outsourcing due diligence completed with issuer accountability retained
Common gaps
- Escrow reconciliation performed monthly rather than daily, leaving intra-period under-coverage undetected.
- Category limits enforced in the UI but not at the core ledger, allowing back-office overrides beyond thresholds.
- Small PPIs not converted or blocked after the mandatory KYC window lapses.
- Interoperability configured as opt-in instead of default-on for full-KYC PPIs.
- Payment data or backups residing outside India, breaching the storage-of-payment-data directive.
- PCI DSS scope understated by treating tokenised card flows as out-of-scope without validation.
- Grievance TATs and RB-IOS awareness not published or not met, driving avoidable ombudsman escalations.
- Agents onboarded without documented due diligence, leaving accountability gaps.
- System Audit Report delayed beyond the prescribed submission window.
- Net-worth monitored only at year-end, missing intra-year erosion below the threshold.
- Limited-liability policy for unauthorised transactions absent or not aligned to RBI's framework.
- Loading permitted from non-approved sources or cash loading beyond permitted limits.
RBI PPI Master Direction mapped to other frameworks
Mapping helps reuse existing control evidence and integrate PPI compliance into a broader assurance programme.
| MD-PPI control domain | PCI DSS | ISO/IEC 27001 | RBI KYC / PMLA | NPCI / UPI rules |
|---|
| Technology and information security | Requirements 1-12 (network, crypto, access, monitoring, testing) | Annex A controls A.5-A.8 | Not applicable | Security certification for UPI participation |
| Access control and authentication | Req. 7-8 (access, MFA) | A.5.15-A.5.18, A.8.2-A.8.5 | Not applicable | AFA / risk-based authentication |
| Encryption and key management | Req. 3-4 | A.8.24 cryptography | Not applicable | PIN/data protection standards |
| KYC / CDD and AML | Not applicable | A.5.31 legal/regulatory | Master Direction on KYC, PMLA obligations | Beneficiary verification norms |
| Safeguarding of funds (escrow) | Not applicable | A.5.31 compliance | Not applicable | Settlement and net-outstanding rules |
| Fraud prevention and monitoring | Req. 10-11 logging/testing | A.8.15-A.8.16 logging/monitoring | STR/CTR reporting | Fraud-risk-management framework |
| Reporting and system audit | Req. 12 governance | Clause 9 performance evaluation, A.5.35 independent review | Regulatory reporting | Audit and certification requirements |
| Customer protection and grievance | Not applicable | A.5.34 privacy, A.5.31 compliance | Not applicable | Dispute-resolution / TAT norms |
How CyberSigma helps
Partner with CyberSigma for RBI PPI compliance
CyberSigma's CERT-In empanelled auditors and PCI QSAs deliver end-to-end RBI PPI Master Direction assurance: authorisation readiness and net-worth/escrow structuring support, category-limit and interoperability control design, KYC/AML and V-CIP process build, PCI DSS and VAPT for card and wallet environments, data-localisation validation, and the annual System Audit Report required by RBI. We combine regulatory depth with hands-on remediation and continuous-control monitoring so your PPI programme not only achieves authorisation but sustains supervisory confidence. Contact CyberSigma to scope your PPI gap assessment and build an evidence-backed roadmap to compliant, audit-ready operations.