The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above


See all results for ""

RBI enlarges net of cyber security controls – now covers ATM switch application service providers



Digital transactions and fintech have been the buzz words during the past few years. The Indian government, the regulators and the industry have trained their focus on adopting fintech and digital transactions.

While cashless transactions continue to be driven by fintech, cash continues to have a significant market share in the retail space within the overall payment transactions. It is understood that private sector banks are leading the electronic mode of transactions and PSU banks have an edge in cash transactions at the automated teller machine (ATM) network level.

One key component of banking operations has been transactions undertaken at ATMs and the real time IT network connecting all the ATMs for the seamless execution of transactions by customers. Often these ATMs are exposed to hacking, resulting in fraudulent transactions and data breach.

Every new technology takes time to be perfected and undergoes modifications due to glitches arising during its teething period. In 2016, the debit cards details of several customers were compromised due to a malware injected in ATM network managed by an ATM service provider. There has also been a substantial increase in the number of ATM frauds being reported throughout the country. The Reserve Bank of India (RBI) has at various instances flagged these issues pertaining to ATM frauds to the banks, and asked the banks to improve security measures to prevent ATM frauds.

In this direction, the RBI in its fifth Bi-Monthly Monetary Policy Statement 2019-20 announced its intention to introduce certain cyber security controls for ATM switch application service providers (ASPs) engaged by banks and other regulated entities (RREs) for managing their ATM switch ecosystems.

The RBI realised that the increase in dependency of RREs on ASPs for managing ATMs, exposes the ASPs to the payment system landscapes and associated confidential information, leaving such RREs exposed to cyber security threats. Consequently, the RBI deemed it necessary to formulate and implement certain guidelines to ensure that adequate measures are taken to secure ATMs systems and network.

Recently, the RBI has issued a slew of circulars to strengthen IT systems and frameworks of RREs. The circulars have mandated measures to be undertaken in relation to cyber security primarily to protect customers from cyber frauds, breaches, data leakages, and such other incidents.

With this backdrop, RBI issued a circular DOS.CO/CSITE/BC.4084/31.01.015/2019-20 on 31 December 2019 (Circular) directing all RREs to ensure implementation of cyber security controls by ASPs. The RBI has also stipulated a timeline of 31 March 2020 for RREs to revise their contracts with the ASPs to ensure compliance with these cyber security controls.

Overview of the Circular

The Circular lays down host of cyber security controls to be adopted by ASPs. The RREs will be responsible to ensure that the ASPs abide by this Circular, by appropriately amending the contracts between the RREs and ASPs on or before 31 March 2020. 

The above Circular will apply to RREs such as Scheduled Commercial Banks, Regional Rural Banks, Local Area Banks, Primary (Urban) Co-operative Banks, State and Central Co-operative Banks that generally set up ATMs as well as White Label ATM service providers.

Some of the cyber security controls required to be implemented by ASPs as per the Circular are listed below:


Setting up mechanisms for preventing access of unauthorised software and/or applications and monitoring them.


Establish appropriate controls for securing the physical location of critical assets and protecting them from natural and man-made threats.


Maintain baseline security measures for all applicable devices (such as databases, networks, security systems etc.).


Follow a documented risk-based strategy for patch, vulnerability and change management.


Implement a centralised authentication and authorisation system for accessing network.


Develop a comprehensive data leakage prevention strategy to safeguard sensitive business and customer information.


Maintain, manage and analyse audit logs pertaining to user actions in a system.


Establish a mechanism for incident response and management.


Create a robust defence against the installation, spread, and execution of malicious code.


Periodically conduct vulnerability assessment and penetration tests on applications, servers and network components.


Arrange for network forensics / forensic investigations, mitigation services on standby.


Comply with the relevant standards applicable to IT ecosystem.


These new cyber security norms are similar to those prescribed by the RBI for banks and other regulated entities regarding their IT systems and networks. The RBI vide the Circular has widened its net, by mandating a robust cyber security framework for ASPs, in light of the service providers being increasingly privy to confidential information and exposed to cyber security threats. Implementation of these norms will entail additional time and cost for the ASPs. It will have to be seen whether the timeline of 31 March 2020 would be achieved by the RREs for implementing the Circular.

-      Nikhilesh Panchal (Partner), Malav Shah (Principal Associate) and Srijanee Bhattacherjee (Associate)

For any queries please contact: editors@khaitanco.com

Nikhilesh Panchal (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2021 Khaitan & Co. All rights reserved.


One Indiabulls Centre
13th Floor, Tower 1
841 Senapati Bapat Marg
Mumbai 400 013 India

T: +91 22 6636 5000

E: mumbai@khaitanco.com

New Delhi

Ashoka Estate, 12th Floor
24 Barakhamba Road
New Delhi 110 001 India

T: +91 11 4151 5454

E: delhi@khaitanco.com


Simal, 2nd Floor
7/1 Ulsoor Road
Bengaluru 560 042 India

T: +91 80 4339 7000

E: bengaluru@khaitanco.com


Emerald House
1B Old Post Office Street
Kolkata 700 001 India

T: +91 22 6636 5000

E: kolkata@khaitanco.com