National Payments Corporation of India (NPCI)
1001A, B Wing, 10th Floor, The Capital, Bandra-Kurla Complex, Bandra (East), Mumbai- 400051, Maharashtra, India.
The relevant jurisdiction for NPCI is India. NPCI in the past has entered into network-to-network agreements with international networks. Such agreements define the rights and obligations of the international network partner and NPCI and is agreed and signed by the respective international network partner. After the formation of its subsidiary, NPCI International Payments Limited (NIPL), such agreements with network partners are entered into by NIPL.
The Reserve Bank of India (RBI)
The date of this disclosure is March 31, 2024.
I. Executive Summary
II. Summary of major changes since last update of the disclosure
III. General Background of FMI
IV. Principle-by-principle summary narrative disclosure
V. List of publicly available resources
Financial market infrastructures (FMIs) that facilitate the clearing, settlement and recording of monetary and other financial transactions can strengthen the markets they serve and play a critical role in fostering financial stability. However, if not properly managed, they can pose significant risks to the financial system and be a potential source of contagion, particularly in periods of market stress. FMIs play a critical role in the financial system and the broader economy. In April 2012, the Committee on Payment and Settlement Systems (CPSS) and Technical Committee of the International Organization of Securities Commission (IOSCO) published the report “Principles for Financial Market Infrastructures (PFMI)”, which establishes new international standards for payment systems that are systemically important, central securities depositories, securities settlement systems, central counterparties and trade repositories.
NPCI is a Technology Company that connects financial institutions (including banks), merchants, digital partners, businesses and other organizations, enabling them to use electronic forms of payment. Through its core payments processing network, NPCI also facilitates the switching (authorization, clearing and settlement) of payment transactions and delivers related products and services for its customers.
NPCI’s customers are mostly financial and other institutions and typically does not have any contractual agreements directly with end consumers.
NPCI has completed Principles for Financial Market Infrastructure (PFMI) assessment for financial year 2023-24.
NIL
General description of the FMI and the markets it serves.
National Payments Corporation of India (NPCI), an umbrella organization for operating retail payments and settlement systems in India, is an initiative of Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) under the provisions of the Payment and Settlement Systems Act, 2007, for creating a robust Payment & Settlement Infrastructure in India.
NPCI was incorporated as a “Not for Profit” Company under the provisions of Section 25 of the Companies Act 1956 (now Section 8 of the Companies Act 2013), with an intention to provide infrastructure to the entire banking system in India for electronic payment and settlement systems. NPCI’s focus is on bringing innovations and widening the reach of retail payment system by using technology that will enable greater efficiency in operations.
General organization of the FMI
NPCI was incorporated as a "Not for profit" company under the provision of section 25 of the Companies Act 1956 (now Section 8 of the Companies Act 2013). NPCI is owned by PSU banks, Private Sector banks, co-operative banks, Regional Rural banks, small finance banks. The oversight of governance of NPCI is vested with the Board of Directors. Board Committees of NPCI are as below:
The above Committees oversee different functions of NPCI with overall supervision of the Board. Under the overall supervision and control of the Board, the Managing Director & Chief Executive Officer (MD & CEO) looks after the day-to-day functions of the company. The MD & CEO is supported by Chief Financial Officer, Chief Operating Officer, Chief Risk Officer and various other senior officials.
Legal and regulatory framework
NPCI, pursuant to the Authorization received from the RBI, is engaged in operating retail payment systems in India.
NPCI was incorporated as a “Not for Profit” company under Section 25 of the Companies Act 1956 (now Section 8 of the Companies Act 2013). A new entity, NPCI International Payments Ltd (NIPL) was incorporated under the Companies Act, 2013, as a wholly-owned subsidiary of NPCI, for the purpose of entering into business arrangements with foreign networks for promotion of NPCI’s products in foreign countries. Similarly, NPCI Bharat Bill Pay Limited (NBBL) was incorporated under the Companies Act, 2013 as a wholly-owned subsidiary of NPCI and the Bharat Bill Payment System (BBPS) business was transferred by NPCI to NBBL.
The Payment and Settlement Systems Act, 2007(hereinafter referred to as the “PSS Act”) designates RBI as the nodal agency for the regulation and supervision of payment systems in India. NPCI and NBBL are authorized by RBI to operate retail payment systems in India under the PSS Act. Pursuant to this Authorization, NPCI and NBBL are carrying out their respective business operations within the territorial jurisdiction of India. NIPL has been authorized by RBI to enter into agreements with international networks and other entities for promotion of NPCI products in foreign countries. Accordingly, NIPL carries out its operations within and outside the territories of India.
With respect to jurisdiction mapping, the exclusive jurisdiction of the courts at Mumbai, India is preferred for all product agreements executed by NPCI.
The general applicability of principles to specific types of FMIs are specified in the Principles for Financial Market Infrastructures (PFMI). Accordingly, not all 24 principles are relevant for NPCI.
For the purpose of this report, NPCI Group (or “The Group”) refers to NPCI and its two wholly owned subsidiaries, namely NPCI International Payment Limited (NIPL) and NPCI Bharat BillPay Limited (NBBL), unless otherwise mentioned.
| Principle | Name | Applicable to Payment Systems | Applicable to NPCI Group | Reason |
|---|---|---|---|---|
| 1 | Legal Basis | Yes | Yes | |
| 2 | Governance | Yes | Yes | |
| 3 | Framework for the comprehensive management of risks | Yes | Yes | |
| 4 | Credit Risk | Yes | Yes | |
| 5 | Collateral | Yes | No | NPCI collects the cash collateral from participants for the purpose of SGF. NPCI does not collect collateral for its exposure to participants. |
| 6 | Margin | No | No | |
| 7 | Liquidity Risk | Yes | Yes | |
| 8 | Settlement Finality | Yes | Yes | |
| 9 | Money Settlement | Yes | Yes | |
| 10 | Physical Deliveries | No | No | |
| 11 | Central Security Depositories | No | No | |
| 12 | Exchange of value settlement system | Yes | No | This principle applies only to FMIs that settle transactions which involve two linked obligations. |
| 13 | Participant Default Rules and Procedures | Yes | Yes | |
| 14 | Segregation and Portability | No | No | |
| 15 | General Business Risk | Yes | Yes | |
| 16 | Custody and Investment Risk | Yes | Yes | |
| 17 | Operational Risk | Yes | Yes | |
| 18 | Access and Participation Requirement | Yes | Yes | |
| 19 | Tiered participation arrangements | Yes | Yes | |
| 20 | FMI Links | No | No | |
| 21 | Efficiency and Effectiveness | Yes | Yes | |
| 22 | Communication procedures and standards | Yes | Yes | |
| 23 | Disclosure of rules, procedures and market Data | Yes | Yes | |
| 24 | Disclosure of market data by trade repositories | No | No |
| Principle | Approach to observing the principle |
|---|---|
|
Principle 1: Legal Basis An FMI should have a well-founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions. |
NPCI has received Authorization from RBI under section 4 of Payment and Settlement Systems Act, 2007 for carrying out payment services in India. With respect to jurisdiction mapping, the exclusive jurisdiction of the Courts at Mumbai, India is preferred in all product agreements executed by NPCI. NPCI, in the past, had entered into network-to- network agreements with a few international partners. After incorporation of NIPL, all such agreements have been/ are being novated to NIPL. |
|
Principle 2: Governance An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders. |
NPCI has governance arrangements which emphasize on safety and efficiency, support financial stability and other relevant public interest considerations. NPCI has been incorporated as "Not for Profit" organization under the provision of section 25 of the Companies Act, 1956 (now section 8 of the Companies Act, 2013). The roles and responsibilities of Board of Directors are defined in NPCI's Corporate Governance (CG) handbook which includes vision, mission, values and structure. |
|
Principle 3: Framework for the comprehensive management of risks An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks. |
NPCI has Enterprise Risk Management Framework, Operational Risk Management Framework, Third Party Risk Management Policy, Investment Policy, Information Security and Settlement Guarantee Mechanism Policy that applies to NPCI Group. All risk management policies are reviewed and approved by Board annually. |
|
Principle 4: Credit Risk An FMI should effectively measure, monitor, and manage its credit exposures to participants and those arising from its payment, clearing, and settlement processes. |
NPCI has established Settlement Guarantee Mechanism (SGM) framework to measure, monitor and manage its credit exposures to participants and those arising from its settlement process. As part of SGM, NPCI has created a settlement guarantee fund (SGF) to ensure availability of liquidity to meet settlement obligations. |
|
Principle 7: Liquidity Risk An FMI should effectively measure, monitor, and manage its liquidity risk. An FMI should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday, and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions. |
NPCI has constituted a Settlement Guarantee Mechanism comprising collaterals and line of credit arrangements to address any impact of liquidity risk which may be caused by temporary/permanent defaults by a member participant. |
|
Principle 8: Settlement finality An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time. |
NPCI operates Deferred Net Settlement system on batch processing. Rules are set out that unsettled payments cannot be revoked by participants. NPCI has put in place mechanism to ensure that final settlement is achieved on the value date. |
|
Principle 9: Money Settlement An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimize and strictly control the credit and liquidity risk arising from the use of commercial bank money. |
NPCI conducts its money settlement in RTGS account maintained by participant members with RBI. In the case of international alliance, prefunding amount is required to be maintained in commercial banks in India. NPCI has put in place a process to ensure that banks with the highest creditworthiness and competence are accepted for such prefunding arrangements. A separate SGF amount is also maintained by such alliance partners with NPCI. Prefunding account is being monitored on daily basis. |
|
Principle 13: Participant-default rules and procedures An FMI should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations. |
NPCI has defined rules and procedures for participant default in Settlement Guarantee Mechanism (SGM) policy and Standard Operating Procedure (SOP). Policy / SOP covers maintenance of Settlement Guarantee Fund and Loss Sharing Mechanism to ensure to take timely action to contain losses and liquidity pressures and continue to meet its obligation. |
|
Principle 15: General business risk An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialize. Further, liquid net assets should always be sufficient to ensure a recovery or orderly wind-down of critical operations and services. |
NPCI identifies, monitors, and manages its general business risk through risk management policies and procedures. NPCI holds sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services. NPCI has a Board approved “Orderly Wind Down Document’’. |
|
Principle 16: Custody and investment risks An FMI should safeguard its own and its participants’ assets and minimize the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks. |
NPCI’s Investment Policy defines investment instruments, exposure limits, etc. The details of new and existing investments are reviewed and evaluated by Investment Committee every quarter. |
|
Principle 17: Operational risk An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact using appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption. |
NPCI has policies and procedures to identify, measure, analyze, evaluate, mitigate, monitor and report operational risks resulting from both internal and external factors. NPCI has business continuity management for timely recovery of operations and fulfilment of obligations. |
|
Principle 18: Access and participation requirements An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access. |
NPCI has defined criteria and requirements to participate as sponsor/member bank or sub-member bank in Procedural Guidelines (PG). PG includes different parameters like operational, financial and legal eligibility. Eligible entities have fair and open access to all the services. NPCI has fair and non-discriminatory access & participation criteria. |
|
Principle 19: Tiered participation arrangements An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements. |
NPCI has established process to allow indirect participation as sub-member through sponsor bank so as to mitigate material risks arising from such tiered participation arrangement. |
|
Principle 21: Efficiency and effectiveness An FMI should be efficient and effective in meeting the requirements of its participants and the markets it serves. |
NPCI has formed Steering Committees for all its products. Steering committees ensure that the products and services offered meet the requirements of the participants and the market it serves. NPCI has established operational and performance parameters which are monitored regularly. |
|
Principle 22: Communication procedures and standards An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards to facilitate efficient payment, clearing, settlement, and recording. |
NPCI uses internationally accepted guidelines for EMVCo. Specifications and ISO 8583 messaging protocols and standards. XML or JSON or ISO messaging protocols used for interfacing over secure TCP/IP network are chosen as online and back-office communication standards to facilitate efficient payment, clearing, settlement and recording. |
|
Principle 23: Disclosure of rules, key procedures, and market data An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed. |
NPCI's rules and procedures are covered in Procedural Guidelines (PG) and in Operating and Settlement Guidelines (OSG). NPCI share these guidelines with the participants during onboarding and subsequently in case of any modification / change. NPCI discloses member performance, abridged steering committee meeting minutes, other statistics, circulars, products/services brief, list of participants, etc. on its website. |
NPCI Website: NPCI - National Payments Corporation of India - Official Website
Board of Directors: Board of Directors | NPCI - National Payments Corporation of India
https://www.npci.org.in/who-we-are/board-of-directors
Management Team: Management Team | NPCI - National Payments Corporation of India
https://www.npci.org.in/who-we-are/management-team
Risk Management: Risk Management @ NPCI | NPCI - National Payments Corporation of India
https://www.npci.org.in/who-we-are/risk-management/risk-management-npci
System Statistics: Statistics of NPCI - National Payments Corporation of India
https://www.npci.org.in/statistics
Principles for Financial Market Infrastructures (PFMI):
https://www.bis.org/cpmi/publ/d101a.pdf
NPCI is an initiative of Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) for creating a robust Payment & Settlement Infrastructure in India. NPCI has been Authorized by RBI for operating retail payments and settlement systems in India under the provisions of the Payment and Settlement Systems Act, 2007 (PSS Act).
Considering the utility nature of the objective of NPCI, it has been incorporated as a “Not for Profit” Company under the provisions of Section 25 of the Companies Act 1956 (now Section 8 of the Companies Act 2013), to provide infrastructure to the entire banking eco-system in India for electronic payment and settlement systems. NPCI is focused on bringing innovations to the retail payment systems through introduction of new technology for achieving greater efficiency in operations and widening the reach of payment systems.
NPCI’s vision is to be the best payment network globally. NPCI’s mission is to touch every Indian with one or other payment services.
NPCI has created a robust payments and settlement infrastructure in the country. NPCI has changed the way payments are made in India through a bouquet of retail payment products.
NPCI is focused on bringing innovations in the retail payment systems through the use of technology and is relentlessly working to transform India into a digital economy. NPCI is facilitating secure payments solution with nationwide accessibility in furtherance of India’s aspiration to be a fully digital society.
NPCI Group Structure
NPCI International Payments Ltd. (NIPL) has been incorporated with an objective of partnering with foreign entities for implementing various NPCI products including RuPay card scheme and UPI outside India.
NPCI Bharat Bill Pay Limited (NBBL) is a one stop solution for variety of payments, such as, electricity, telecom, DTH, gas, water bills, etc. and other repetitive payments like insurance premium, mutual funds, school fees, institution fees, credit cards, fastag recharge, local taxes, housing society payments, etc.
NPCI Board
The Board of Directors of NPCI provides oversight of the strategy and governance to support management in achieving its strategic and business objectives. The Board of NPCI comprise of Independent Directors, RBI Nominee Director, Nominee Directors representing Promoter Banks and Nominee Directors representing Shareholders’ Banks and the MD & CEO.
The Board has delegated the authority to management to design and implement practices and governance that support the achievement of strategies and business objectives through formation of sub-committees, framing policies and delegation of financial power.
Structure of NPCI Group Board and its committees is exhibited below:
NIPL
NBBL
NPCI follows the Three Lines of Defence (LOD) which constitutes Business/Operation functions (first LOD), Risk Management function (second LOD) and Assurance (third LOD). This is structured as under:
Additionally, NPCI’s reporting lines demonstrate segregation of Business/Operation, Risk and Audit Functions. All the business functions have functional reporting to MD & CEO.
The Risk Management function has an additional direct reporting to the Risk Management Committee of the Board. This ensures sufficient independence, authority, resources and access to the Board that enables operations of NPCI to be consistent with the risk-management framework.
Audit Function is independent of management functions. Head of Internal Audit reports functionally to Audit Committee of the Board.
The minutes of the Board Meetings of NPCI subsidiary companies along with the details of significant transactions and arrangements entered into by respective companies are reported to the Board on a quarterly basis. The financial statements of the subsidiary companies are presented to the Audit Committee and Board.
In terms of Section 139 (5) of the Companies Act, 2013, Statutory Auditor for NPCI & Subsidiary Companies are appointed by Comptroller and Auditor General (CAG) of India. This appointment is done every year. Additionally, CAG conducts Supplementary audit of NPCI and Subsidiary Companies every year and also conducts Annual Compliance audit.
An FMI should have a well-founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions.
Key consideration 1: The legal basis should provide a high degree of certainty for each material aspect of an FMI’s activities in all relevant jurisdictions.
Response:NPCI, pursuant to the authorization received from RBI, is engaged in operating retail payment systems in India. NPCI has been incorporated as a "Not for Profit" company under the provisions of Section 8 of the Companies Act, 2013 (Section 25 of Companies Act, 1956).
NPCI incorporated two wholly-owned subsidiaries under the Companies Act, 2013 namely NPCI International Payment Limited (NIPL) and NPCI Bharat BillPay Limited (NBBL). NIPL has been incorporated with an objective to promote NPCI products in international markets. RBI granted approval to NPCI to function as Bharat Bill Payment Central Unit (BBPCU) under the Bharat Bill Payment System. NBBL has been incorporated with the objective of operationalizing Bharat Bill Payment Central Unit (BBPCU) as per RBI authorization.
The key material aspects of NPCI Group which requires high degree of legal certainty are as follows:
NPCI has been incorporated as an umbrella organization for operating retail payments and settlement systems in India and has received authorization from RBI under Section 4 of Payment and Settlement Systems Act, 2007 for carrying out payment services in India. The relevant jurisdiction for NPCI and NBBL is India. With respect to jurisdiction mapping, the exclusive jurisdiction of the Courts at Mumbai, India is preferred in all product agreements executed by NPCI. However, NPCI in the past entered into network-to-network agreements with international networks. After incorporation of NIPL, all such agreements have been/ are being novated to NIPL. For international arrangements, NPCI, through its subsidiary NIPL, has entered into network-to-network arrangements with international network partners in accordance with all the governing rules and regulations. Such agreements define the rights and obligations of the international network partner and NPCI and are agreed and signed by the respective international network partner.
Key consideration 2: An FMI should have rules, procedures, and contracts that are clear, understandable, and consistent with relevant laws and regulations.
Response: NPCI's legal framework consists of agreements executed with member participants, networks and vendors along with other documents i.e., on-boarding documents and procedural guidelines. These documents cover all material aspects of NPCI's Operations and are consistent with provisions of the PSS Act and the regulatory guidelines prescribed by the RBI. NPCI undertakes periodic review of its procedural guidelines and incorporates changes as may be necessary to align it with the standards prescribed by RBI. Such changes are communicated to members by issuing circulars. Understanding of NPCI's products, operating rules and procedures is disseminated to members and other stakeholders through training, product communication, circulars etc.
For international arrangements, network to network agreements are entered into with international network partners through subsidiary NIPL. Such agreements are executed after deliberations/negotiations with network partners from legal standpoint and also external opinions from law firms are sought wherever required to ensure that the terms are clear and understandable. The regulating documents of NIPL establish all the rules, norms, procedures, standards and regulations in connection with the services and business of international products, technical specifications, settlement rules, operational procedures, AML guidelines, etc.
All the rules and procedure covering all material aspects of operations of NPCI Group, and the agreements executed by the Group with every participant for the respective product are consistent with the provisions of relevant laws including the PSS Act and guidelines, notifications/circulars issued by RBI. The Group undertakes periodic review of their respective procedural guidelines and incorporate changes as may be necessary.
Network to network agreements entered into with international network partners through its subsidiary, NIPL, are executed after detailed negotiations with network partner from legal standpoint. The agreements which are executed by NPCI Group are drafted by the internal legal team and depending on the complexity/criticality of the matter, external support or opinions from law firms are sought, wherever required, to ensure that the terms of agreement, jurisdiction and liabilities of parties are clearly specified.
The procedural guidelines and the operating regulations for each product offered by NPCI Group are approved by the chief of products before they come into effect. The guidelines are reviewed and approved on a periodic basis. All the policies governing NPCI Group are approved by the Board. All agreements entered into by NPCI Group are reviewed by its legal department. Any agreement executed is subject to approval of the authorized officers of NPCI Group.
NPCI's legal framework consists of agreement executed with member participants, networks and vendors and includes other on-boarding documents and procedure guidelines. These documents cover all material aspects of NPCI operations. Such documents for each product / each tie up are drafted in-house in consultation with and approved by all the relevant internal stakeholders. NPCI also discusses these documents, as well as alterations to existing ones with members in formal forums such as product steering committee meetings, task force meetings etc. to ensure consistency with relevant laws and regulations.
Key consideration 3: An FMI should be able to articulate the legal basis for its activities to relevant authorities, participants, and, where relevant, participants’ customers, in a clear and understandable way.
Response: NPCI Group functions within the legal and regulatory framework. The legal basis for activities of NPCI Group is further articulated in the agreements and other documents executed by the Group with its member participants and business counterparts.
Key consideration 4: An FMI should have rules, procedures, and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the FMI under such rules and procedures will not be voided, reversed, or subject to stays.
Response: The regulatory and legal framework within which NPCI Group function provides a high degree of certainty to the activities and the rules, procedures and contracts entered into by the Group. The agreements entered by the Group are reviewed from legal perspective to ensure that the same are enforceable in India and all the relevant international jurisdictions, including the most appropriate substantive law, dispute resolution mechanism and jurisdiction for such agreement.
Further, depending on complexity/criticality of the matter, legal opinion and advice is sought wherever necessary for mitigating any legal risk arising from agreements entered into or for representation for litigations.
NPCI Group has a well-founded, clear, transparent, and enforceable legal basis for each material aspects of their respective activities in all relevant jurisdictions. Therefore, there is a high degree of certainty that the actions of the Group shall not be voided, reversed or subject to stays. The agreements executed by the Group with their member participants and the procedural guidelines which address the material aspects of payment system operations, including eligibility criteria for on-boarding new member participants, responsibilities and liabilities of member participants, fees and charges, suspension or termination of existing members, enforceability of netting, clearing and settlement procedure, default management procedure (in case of settlement default by participating member), etc. are binding and enforceable against the member participants and networks and articulate a clear and enforceable legal basis for securing contractual certainty.
Further, NPCI Group includes appropriate provisions with respect to applicability of law and dispute resolution in their respective agreements to ensure enforceability of the agreement in India and other foreign jurisdictions and on case-to-case basis, seek opinion from external law firms with respect to enforceability of such agreements.
Key consideration 5: An FMI conducting business in multiple jurisdictions should identify and mitigate the risks arising from any potential conflict of laws across jurisdictions.
Response: NPCI conducts its business primarily in India. Therefore, the legal risk to NPCI arising from conflicts of laws is limited.
In cases where NPCI or its subsidiaries enter into agreement with a foreign entity, the Group endeavours to mitigate any legal risk arising from conflict of law by opting for common law as the governing law of the agreement (Indian law is also based on common law). The risk is further mitigated by performing a due diligence check to ensure that the foreign entity's home country is a signatory to New York Convention, 1958 which provides a uniform international framework for dispute resolution to the parties to international commercial agreements and enables the recognition and enforcement of arbitration awards made in other contracting states. Such arbitration awards are binding and enforceable as per the said treaty. Considering arbitration awards passed in countries who have acceded to New York Convention are enforceable in other countries who have also acceded to the said treaty, either Indian arbitration or neutral international arbitration is preferred for dispute resolution mechanism to ensure enforceability of the award in India and other foreign jurisdictions. Accordingly, NPCI Group includes appropriate provisions with respect to choice of law and dispute resolution in their respective agreements with foreign entity and if necessary, opinion from law firms is sought with respect to ability to enforce such agreements under the foreign entity's home jurisdiction.
An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.
Key consideration 1: An FMI should have objectives that place a high priority on the safety and efficiency of the FMI and explicitly support financial stability and other relevant public interest considerations.
Response: The business objectives for the individual entities within the NPCI Group have been documented in the Corporate Governance (CG) Handbook. An overview of the objectives and the process for monitoring the performance in meeting the objectives has been described below:
The Enterprise Risk Management (ERM) policy containing Key Risk Indicators (KRI's) for Reputational Risk (Negative Social Media Sentiments) and Financial Impact (Revenue Risk and Transaction Volume) help in assessing the performance of the NPCI Group against the set objectives. To ensure safety of the payment systems, the Group has a robust cybersecurity strategy in place. Security controls are compliant with standards like PCI DSS v4.0, ISO 27001:2013 - Information Security Management System (ISMS), ISO 22301:2019 - Business Continuity Management System (BCMS) and data privacy controls governed by ISO 27701:2019 - Privacy Information Management System (PIMS). The objective and various policies of NPCI Group support financial stability and relevant public interest considerations.
Key consideration 2: An FMI should have documented governance arrangements that provide clear and direct lines of responsibility and accountability. These arrangements should be disclosed to owners, relevant authorities, participants, and, at a more general level, the public.
Response: The governance arrangements under which the Board of Directors and Management operate, are documented in the Corporate Governance (CG) Handbook of NPCI Group. An overview of the governance structure is provided below:
The Terms of Reference specifying the details about membership, quorum, frequency of meetings and roles & responsibilities of the Committees, are documented in the Corporate Governance Handbook and are also disclosed on the NPCI website. The composition of the Committees is also disclosed on the NPCI website. In addition to the Board level Committees, the following Board approved councils have been set up with experts from relevant fields to provide guidance on following matters:
The Senior Management structure for NPCI consists of MD and CEO who is authorized to exercise all powers, rights and discretions vested by the Board. The MD and CEO exercises reporting authority over the Chief Operating Officer, Chief Technology Officer, Chief Platform Officer, Chief of Finance, Chief HR & Admin and Chief Risk Officer.
The Subsidiaries have their Board and the Board of Directors of the respective Subsidiaries determine and review its policies. The Chief Executive Officers (CEOs) of the respective Subsidiaries report to the Board of Directors. The powers delegated to the CEOs have been defined in the Corporate Governance (CG) Handbook of the respective Subsidiaries. The details regarding the composition of the Board of Directors and the financial performance are given in the Annual Report which is circulated to the shareholders, RBI, MCA and the Ministry of Corporate Affairs (MCA) website. The names and profile of the Management Team members of NBBL have been disclosed on the website.
RBI has authorized NPCI to operationalize the Cheque Truncation System (CTS). To avoid any possible conflict of interest, the roles and responsibilities of RBI and NPCI in the overall ecosystem for CTS, have been documented in the procedural guidelines. As per the procedural guidelines, NPCI will act as a Cheque Processing Centre (CPC) and the Management of clearing house will remain with the President of Clearing House (RBI). Settlement related activity would be undertaken by RBI only and NPCI would be responsible for submitting settlement files to RBI. From an oversight perspective, the member banks are required to conduct annual internal audits to comply with the CTS procedural guidelines.
The shareholding pattern of NPCI consists of 65 shareholders. The Board has been entrusted with the responsibility to protect the interest of all shareholders, employees and ecosystem participants such as member banks. The roles and responsibilities of the Board of Directors of NPCI have been documented in the Corporate Governance (CG) Handbook. The Board ensures that communications to the stakeholders and ecosystem participants are effective. An annual report disclosing the performance of the company and key initiatives undertaken during the financial year, is communicated to the shareholders, RBI and CAG. To provide adequate representation of shareholders, NPCI's board also consists of nominee directors representing shareholder banks.
To provide accountability to the participants, the NPCI Group circulates procedural guidelines and regulating documents to the members participating in the products offered by them. These documents describe the roles and responsibilities of the ecosystem participants. Product specific Steering Committees are established, to discuss and implement key policy level changes and product level enhancements. The Steering Committee comprise of representatives from member banks/non-bank participants and eco-system specialists, wherever required. The governance arrangements are disclosed in the Annual Report of NPCI, circulated to the shareholders, RBI and CAG. The composition of the Board members and their profile along with the terms of reference of the Board level committees, have been disclosed on the NPCI website. The member institutions participating in the product specific Steering Committee are disclosed on the website.
Key consideration 3: The roles and responsibilities of an FMI’s board of directors (or equivalent) should be clearly specified, and there should be documented procedures for its functioning, including procedures to identify, address, and manage member conflicts of interest. The board should review both its overall performance and the performance of its individual board members regularly.
Response: The roles and responsibilities of the Board of Directors for NPCI Group are specified in the Corporate Governance (CG) Handbook documented by the respective entities. As per the CG Handbook, the responsibilities of the Board of Directors include determining and reviewing the company goals, determination of strategic options and ensuring that communications to stakeholders are effective. The Board has delegated the authority to the Management to monitor and evaluate the implementation of policies, strategies and business plans.
The procedures for the functioning of the Board, including the procedures to identify, address and manage member conflicts of interest, are specified in the CG Handbook documented by the respective entities. The CG Handbook is reviewed annually and approved by the Board of the respective entities. The Board of the respective entities comprises of nominee directors, independent directors, non-executive directors, etc. thereby ensuring adequate representation from all relevant stakeholders.
As per the CG Handbook documented for NPCI, NIPL and NBBL, the Board of Directors are required to comply with the Code of Conduct, to ensure adherence to ethical standards while conducting business. Furthermore, the Board of Directors of the respective entities ensure that complete disclosures of related party transactions are being carried out. For NPCI, the related party transactions are required to be pre-approved by the Audit Committee. For NIPL and NBBL, the related party transactions have to be pre-approved by the Board. The Directors of the respective entities are required to give a declaration of independence at the first meeting of the Board in which they participate. Subsequent declarations are given at the first meeting of the Board in every financial year and also whenever there are any changes in the circumstances that affect the status of the Directors.
The Code of Conduct, Related Party Transaction policy and composition of Board members for NPCI and NBBL, is published on their respective websites. The Related Party Transaction policy describes the approval mechanism for related party transactions and the procedure for identification of related parties.
The details regarding the Board level committees constituted by NPCI have been documented in the Corporate Governance (CG) Handbook. The details regarding the Terms of Reference (TOR) for the Committees, specifying the membership requirements, quorum, frequency of meetings, etc. have been documented in the CG Handbook and have also been disclosed on the NPCI website. The composition of the Committees is also disclosed on the NPCI website. The Board level Committees established for NPCI include the following:
The procedures surrounding the performance evaluation of the Board and the Directors have been documented in the Corporate Governance (CG) Handbook of NPCI and its Subsidiaries. Additionally, for NPCI, the performance evaluation criteria for the Board level Committees have been documented. As per the CG Handbook, the Nomination and Remuneration Committee for NPCI is tasked with the responsibility for performance evaluation of each Director. For NIPL and NBBL, the performance evaluation is carried out by the Board.
For NPCI and its Subsidiaries, the performance evaluation for the Board, Directors and Chairman of the Board, is carried out on the basis of an evaluation questionnaire. In case of NPCI, the questionnaire-based evaluation process is also applicable for the performance evaluation of the MD & CEO and Board level Committees. The evaluation of the Board is assessed on parameters such as roles, responsibilities and obligations of the Board and providing feedback to the Management. The evaluation criteria for Directors are based on their participation and contribution in providing relevant guidance in their capacity as Board members. The results of the performance evaluation process are considered for determining the extension of the term of Independent Directors. For the Chairperson of the Board, in addition to the criteria applicable to Directors, evaluation parameters include assessment of leadership abilities and management of meetings.
In the case of NPCI, the evaluation of the MD & CEO is done on the basis of progress made against the annual work plan. The Board level Committees for NPCI are evaluated on the basis of discharge of their functions specified under the Terms of Reference (TOR). The Committee of Independent Directors constituted by NPCI, is responsible for reviewing the performance of Non-Independent Directors. In case of NIPL and NBBL, the performance of Non-Independent Directors is reviewed by the Independent Directors on the Board of the respective entities. The performance evaluations are carried out on an annual basis.
Key consideration 4:The board should contain suitable members with the appropriate skills and incentives to fulfil its multiple roles. This typically requires the inclusion of non-executive board member(s).
Response: The Board comprises of qualified individuals possessing expert knowledge and diversified experience. The criteria for qualification of Directors have been documented in the Corporate Governance (CG) Handbook of NPCI, NIPL and NBBL. As per the General criteria, the Board members are expected to possess a proven record of professional success, leadership and the highest level of professional ethics. The composition of the Board represents an optimal mix of professionalism, knowledge and experience across various fields, viz. Technology, Strategy, Innovation, Banking, Finance, Accounting, Audit, Risk Management, consumer engagement, etc. which enables the Board to discharge its responsibilities and provide effective leadership.
Additionally, for NPCI Group, on appointment of a Board member, a joining kit containing the annual reports, code of conduct policy, etc. is provided to the newly appointed Board members. Induction training is provided to familiarize the Directors with the strategic directions and core values of NPCI Group.
The business objectives put in place by NPCI Group are aimed at encouraging financial inclusion and ensuring reliability of transactions. The objectives have also been framed keeping in view the interests of the public. These objectives established by NPCI Group include provision of an affordable payment mechanism, providing an ecosystem for enabling customers to make recurring payments and transformation of payments across the globe with the use of technology and innovation. Therefore, the potential director candidates are incentivized to join the Board of the respective entities, to contribute towards the growth of the payment ecosystem of the country and to expand the geographical reach of offerings provided by the Group.
The NPCI Group also provides a sitting fees to the Independent Directors who form a part of the Board of the respective entities. The sitting fee provided to the Independent Directors is within the limit prescribed under section 197 of the Companies Act 2013.
The Board of Directors for NPCI Group includes Independent Directors. The composition of the Board of Directors for NPCI and NBBL is disclosed on their respective website and the Annual Report circulated to the shareholders. As on March 31, 2024, there are four independent directors on the Board for NPCI. The details regarding the Board of Directors for NIPL and NBBL are disclosed in the Annual Report. For NBBL, the Board of Directors comprises of one Non-Executive Chairman (who is also an Independent Director), one Independent Director and four Non-Executive Non-Independent Directors. For NIPL, the Board of Directors comprises of one Non-Executive Chairman (who is also an Independent Director), one Independent Director and four Non-Executive Non-Independent Directors.
The definition of Independent Director has been documented in the CG Handbook of NPCI Group. As per the definition, an Independent Director is defined as a non-executive director who apart from receiving directors’ remuneration, does not have any material/pecuniary relationship or transaction with the Company, Promoters, Directors, Senior Management or the holding company, subsidiaries and associates. It is ensured that before appointment the Independent Directors meet the defined criteria.
Key consideration 5: The roles and responsibilities of Management should be clearly specified. An FMI’s Management should have the appropriate experience, a mix of skills, and the integrity necessary to discharge their responsibilities for the operation and risk management of the FMI.
Response: NPCI maintains ‘Success Profiles’ for all its employees. The roles and responsibilities of Management are clearly defined in the ‘success profile’. The success profiles are reviewed and updated on a periodic basis to ensure that roles and responsibilities are aligned to NPCI’s overall objective. NPCI’s ‘Performance Management System Policy’ describes the goal setting process for all employees including the Management.
The roles and objectives of Management at NPCI are established and evaluated through a well-defined process that aligns with the organization’s strategic objectives and changing payment ecosystem. This process involves multiple steps to ensure clarity, alignment and continuous evaluation.
The Key Result Areas (KRAs) setting process plays a critical role in defining the roles and responsibilities of the Management. The HR Department collaborates closely with the Management Team to identify key areas of responsibility and establish specific, measurable objectives that contribute to NPCI’s overall success. These KRAs are designed to align with the organization’s strategic priorities and take into account industry trends and market dynamics.
The MD & CEO’s KRA is approved based on the action plan decided in the Board’s Strategic Action Plan (STRAP) meeting and Nomination and Remuneration Committee. The approved KRA is then cascaded down to CXOs and Functional Heads, ensuring alignment of objectives throughout the organization. The progress on KRAs and action plans outlined in the STRAP is reviewed by the MD & CEO regularly. The Board reviews the performance of the MD & CEO on a periodic basis.
Once the KRAs are established, regular evaluations are conducted to assess the performance of the Management Team. This evaluation process may include various methods such as performance appraisals, goal progress tracking, feedback sessions and periodic reviews. The HR Department works in close coordination with the Management Team to gather relevant data to assess the extent to which the established objectives have been met.
The composition of the Management Team for NPCI Group is disclosed on the website. NPCI’s risk management and operations functions are headed by CXO level officials assisted by team of professionals with high degree of integrity and adequate skill. All employees are screened to meet the requirements as per HR Policy which emphasizes on high degree of integrity and skill set commensurate with job role.
NPCI’s Risk Management Team consists of senior officials who have expertise in the fields of payment system, technology, risk management functions, regulatory requirements, etc. To ensure the appointment of experienced and skilled employees, the ‘Recruitment Policy’ has been established by the Group. The policy specifies the minimum qualification requirements for different employee bands/grades. The policy also describes the details regarding the behavioural and competency assessments undertaken by the Group, to recruit qualified individuals.
As per the CG Handbook and in accordance with the provisions of section 196 of the Companies Act, it is ensured that the MD & CEO shall not be appointed for a term exceeding 5 years at a time and no re-appointment shall be made earlier than one year before the expiry of the term. For the employees of NPCI Group a ‘Separation Policy’, which is applicable to all permanent employees, describes the procedures to be followed in the event of separation on account of reasons such as resignation, termination, etc. This policy is reviewed annually.
Key consideration 6: The board should establish a clear, documented risk-management framework that includes the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. Governance arrangements should ensure that the risk-management and internal control functions have sufficient authority, independence, resources, and access to the board.
Response: NPCI has put in place a documented Enterprise Risk Management (ERM) policy that is applicable to NPCI Group. The ERM policy is reviewed by the Risk Management Committee of the Board (RMC) and the Board annually. The policy describes the roles and responsibilities of the stakeholders involved in the risk management process. As a part of the risk management framework, the Board has delegated the authority to carry out oversight responsibilities relevant to framework, to the RMC. The RMC is responsible for reviewing quarterly risk profiling exercise performed by the ERM team, directing the risk management strategy and defining the risk tolerance limits. The RMC meetings are conducted every quarter in the normal course.
An Internal Executive Committee called the Internal Risk Management Committee (IRMC) has also been established, to review and provide suggestions regarding the framework, policies and risk profile of the Group, before presenting it to the RMC. The Chief Risk Officer is the owner of the ERM framework and is responsible for reporting the risk profile of the Group to the IRMC and RMC.
In addition to the ERM Policy, the following set of policies have been documented by NPCI Group for management of risks:
The day-to-day activities of the Risk Management team have been documented in the Standard Operating Procedures (SOPs). The SOPs include the ERM, ORM, Settlement Risk Management (SRM), TPRM and Fraud Risk Management (FRM). The Chief Risk Officer is the owner of the ERM framework and is responsible for reporting the risk profile of the Group to the IRMC and RMC.
The ERM SOP, ORM SOP, Settlement Risk Management (SRM) SOP and Fraud Risk Management (FRM) SOP are reviewed and approved on an annual basis by the Chief Risk Officer (CRO). The TPRM SOP is reviewed and approved on an annual basis by the head of the Technology Audit department.
The ERM Policy specifies the Risk Appetite of NPCI Group. The policy specifies the risk events or scenarios for which the Group assumes zero tolerance. These events include breach of applicable laws, regulations, sufficiency of liquid net assets funded by equity to cover current operating expenses, internal and external fraud, etc. The Key Risk Indicators (KRI's) for different risk categories applicable to the Group, are also documented in the ERM policy. KRI's have been devised to handle Regulatory Risk, Financial Risks such as Settlement/Liquidity Risk, Fraud Risk, etc.
The Orderly Wind Down document describes the scenarios that could trigger winding down of the product or the organization. The document is applicable to the NPCI Group. The stakeholders responsible for escalating the stress scenarios to the Crisis Management Group have been documented in the policy.
The risk management department for the Group is considered as the second line of defense. The Chief Risk Officer (CRO) is responsible for planning, implementation and continuous monitoring of the risk management framework. The Chief Risk Officer (CRO) functionally reports to the MD & CEO. The Chief Risk Officer (CRO) also has a dotted line reporting to the RMC. The heads of the respective risk management departments namely Enterprise Risk Management (ERM), Fraud Risk Management and Third-Party Risk Department reports to the Chief Risk Officer (CRO).
The Internal Audit Department is the third line of defense and is responsible for ensuring independent assurance on the adequacy and effectiveness of the internal controls surrounding the ERM framework. The Head of Internal Audit has reporting responsibility to the Audit Committee of the Board (ACB). The ACB exercises oversight over the internal control environment. A sub-committee titled the Internal Audit Committee (IAC) has also been constituted to ensure timely compliance to the Audit observations.
The risk management framework of the Group (including the risk management models) is subject to Internal Audit. The findings of the Internal Audit team are discussed in the Board level Audit Committee Meetings. For ensuring timely identification and monitoring of risks pertaining to frauds, NPCI has developed Enterprise Fraud Risk Management (EFRM) solution. The module is applicable to online products offered by NPCI. Member banks are onboarded on the EFRM solution. The module assists in analysis, identification, reporting and mitigation of frauds.
Key consideration 7: The board should ensure that the FMI’s design, rules, overall strategy, and major decisions reflect appropriately the legitimate interests of its direct and indirect participants and other relevant stakeholders. Major decisions should be clearly disclosed to relevant stakeholders and, where there is a broad market impact, the public.
Response: For products offered by NPCI Group, product specific Steering Committees are established, to implement key decisions and product level enhancements as discussed/approved in such Committees. The various product level Steering Committees comprises of representatives from member banks/non-bank participants, RBI authorized payment system providers and special invitees. The Steering Committees are responsible for providing guidance on objectives, such as strategic, business and operational matters. The Committee also forms, as and when required, Working Groups, Task Force or Sub-Committees comprising of Steering Committee members and/or Non-Steering Committee members for recommendations on specific matters.
In the case of NPCI, a board level committee called the ‘Business Strategy Committee’ has been constituted to evaluate strategic proposals submitted by the Management team. To mitigate situations of conflict of interest, the Directors of NPCI are responsible for providing a declaration to the Board Secretariat about the related party transactions involving them or their relatives.
Furthermore, ’The Committee of Independent Directors’ constituted by NPCI is responsible to ensure that decision making on Product pricing is conducted in a fair and unbiased manner, and no preferential treatment is given to any bank, especially the promoter/shareholder banks or any other interested entity.
The initiatives undertaken by the Board of NPCI Group are disclosed in the Annual reports circulated to the shareholders, RBI and CAG. The composition of the Board of Directors of the respective entities are publicly available on the MCA website.
The major decisions made by the Board for NPCI, such as onboarding of new directors are disclosed in the regulatory filings made with the MCA and where appropriate, also form a part of the public domain.
An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.
Key consideration 1: An FMI should have risk-management policies, procedures, and systems that enable it to identify, measure, monitor, and manage the range of risks that arise in or are borne by the FMI. Risk-management frameworks should be subject to periodic review.
Response: The Enterprise Risk Management (ERM) policy of NPCI Group describes the framework for identification, measurement, monitoring and management of risks by the Group. The following principal risk categories have been identified and documented in the ERM policy:
The ERM policy also describes the sub-risk categories associated with the principal risks described above. The sub-risk categories defined by NPCI Group include Fraud Risk, People Risk, Reputational Risk, etc. In addition to the ERM Policy, following policies details management of risks:
For ensuring timely identification and monitoring of risks pertaining to transaction-level frauds, Fraud Risk Management (EFRM) tool is used for all online products offered by NPCI Group. Participants are onboarded on the Fraud Risk Management (EFRM) tool for identification, reporting, trend-analysis and mitigation of frauds. The fraud trends are identified based on the rules defined in the EFRM module and any additional rules based on the member feedback are configured in the system.
The NPCI Group monitors security incidents using the Security Information and Event Management (SIEM) solution. IT incidents are managed and monitored through the BMC remedy tool. Server scalability, adequacy, and capacity are monitored by the network team using the BMC Remedy tool. Database server thresholds have been configured to monitor the database capacity. Data Leakage Prevention solution is used by the Group, to prevent leakage of confidential data.
A dashboard is maintained by the ERM team to measure and monitor Key Risk Indicators (KRI's) based on risk categories. The dashboard is utilized by the ERM team for monitoring the risk exposures, by performing a comparison of the actual value of the exposures with the defined thresholds.
The risk management policies are reviewed annually by the Risk Management team and recommended to the Risk Management Committee (RMC) of the Board for approval. The RMC acts as the oversight authority for risk management related functions. The risk management procedures, SOPs are reviewed and approved annually by the Chief Risk Officer (CRO). Any addition, modification and deletion of rules in the EFRM tool is made post approval of the Chief Risk Officer (CRO).
The TPRM SOP is reviewed and approved annually by the head of the Technology Audit department. The Board approved Information Security Policy contains guiding principles applicable to all IT assets and systems owned by NPCI Group.
The effectiveness of risk management policies, procedures and systems is assessed at the time of their review and put up for approval to the respective authorities. Various internal and external factors are considered at the time of review of the ERM Policy. The external factors include the regulatory environment, economic conditions, technological developments, etc. The internal factors include strategy, business objectives, information systems, etc. Additionally, the ERM framework is also subject to an independent annual review by a third party for ensuring alignment to the latest standards and global best practices.
The risk management functions are also subject to Audit as part of risk-based Audit plan.
Key consideration 2: An FMI should provide incentives to participants and, where relevant, their customers to manage and contain the risks they pose to the FMI.
Response: The procedural guidelines for each of the products of NPCI Group, defines the guidelines to be followed by members/participants of the ecosystem. It authorizes all the members to follow standard procedures to ensure smooth, secure, and effective operations of the network. The guidelines also emphasize the utility of the EFRM solution offered by NPCI to its member participants, for enabling fraud detection and prevention on a real time basis. NPCI carries out workshops and training sessions for the members to enable them to understand the features of the FRM solution, thereby assisting them in mitigating fraud risk exposures. The procedural guidelines also stipulate the requirements for periodicity of Disaster Recovery Drills, Dispute Management and Exception Handling procedures to be followed by the members.
For the Bharat Bill Payment System (BBPS), the procedural guideline describes the risks and fraud mitigation measures that shall be implemented by the participants. Fraud reporting guidelines have also been described. For NIPL, the fraud risk management guidelines describes the procedure that should be followed by International Network Partners and the merchants appointed by them. A brief description regarding the risk management governance framework is also disclosed to the public through the website of NPCI.
Key consideration 3: An FMI should regularly review the material risks it bears from and poses to other entities (such as other FMIs, settlement banks, liquidity providers, and service providers) as a result of interdependencies and develop appropriate risk-management tools to address these risks.
Response: NPCI Group identifies material risk based on the nature of the business activity. Due to interdependencies with other entities, NPCI Group has identified material risk as follows:
Settlement risk is monitored through Settlement Risk Management (SRM) tool. Settlement Guarantee Fund (SGF) is created based on defined formula in the SGM Policy. SGF is monitored on a quarterly basis as per the SGM Policy. Settlement is monitored daily, monthly and quarterly using Settlement Risk Management (SRM) tool.
Investment concentration risk is managed through investment policy whereby thresholds are defined for investments in banks and other forms of financial instruments. These investments are monitored through cash flow / fund flow analysis performed regularly.
NPCI has implemented EFRM tool for real time transaction monitoring. Member Banks are on-boarded on EFRM tool for identifying, monitoring, analyzing and reporting frauds.
The effectiveness of various risk management tools is assessed on an ongoing basis. Any fluctuation observed is reviewed through internal process to address the risk as per the policy document.
Key consideration 4: An FMI should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. An FMI should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, an FMI should also provide relevant authorities with the information needed for purposes of resolution planning.
Response: The Orderly Wind Down (OWD) document describes the scenarios that could trigger winding down of the product or the organization. The document is applicable to NPCI Group. The document has been prepared based on inputs from different stakeholders. The stress scenarios, triggers and their recovery and resolution processes are identified. The document is aligned with the recommendations of the Working Group on Resolution Regime for Financial Institutions Resolution Framework recommended by RBI and Key Attributes of Effective Resolution Regimes for Financial Institutions by Financial Stability Board (FSB).
The document describes qualitative and quantitative triggers for a range of stress scenarios arising from changes in the External Environment and Internal Environment. In addition to the above, stress scenarios specific to the different products offered by the Group, have also been specified in the OWD document.
Both systemic and institution specific (idiosyncratic) scenarios have been documented, which take into account both independent and related risks to which the Group is exposed.
For the stress scenarios specified in the OWD document wherein recovery is possible, recovery plans have been documented. As per the OWD document, in situations of distress wherein an orderly wind down is required, the Loss Absorption Capacity (LAC) of NPCI Group would be initiated. The LAC comprises of the liquidity buffer/funds held by the Group, to pay off the liabilities during the winding down process. A transition period is considered by NPCI Group, during which fallback options for critical services would have to be utilized to continue the operations. The Group may also consider a change in the legal structure of the organization via restructuring. The tools and techniques for partial wind down are also documented.
The OWD document is reviewed by the Risk Management Committee of the Board (RMC) and approved by the Board. The document is reviewed on an annual basis.
An FMI should effectively measure, monitor, and manage its credit exposure to participants and those arising from its payment, clearing, and settlement processes. An FMI should maintain sufficient financial resources to cover its credit exposure to each participant fully with a high degree of confidence. In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the two largest participants and their affiliates that would potentially cause the largest aggregate credit exposures to the CCP in extreme but plausible market conditions. All other CCPs should maintain, at a minimum, total financial resources sufficient to cover the default of the one participant and its affiliates that would potentially cause the largest aggregate credit exposures to the CCP in extreme but plausible market conditions.
Key consideration 1: An FMI should establish a robust framework to manage its credit exposures to its participants and the credit risks arising from its payment, clearing, and settlement processes. Credit exposure may arise from current exposures, potential future exposures, or both.
Response:
Key consideration 2: An FMI should identify sources of credit risk, routinely measure and monitor credit exposures, and use appropriate risk-management tools to control these risks.
Response: The credit risk is regularly reviewed and identified as follows:
NPCI measures and monitors credit risk with respect to settlement as per rules defined in the SGM policy. The SGF is reviewed every quarter to assess the sufficiency of SGF. For investments, the Investment Committee of NPCI regularly reviews all existing investments with respect to Net worth, Credit Ratings and Net Non-performing Assets (NNPA) criteria as per the investment policy. The Board is periodically informed about the performance of all investments. A status report is presented every quarter to the Investment Committee, Audit Committee and the Board for all the investments made during the quarter.
NPCI has mechanism to control credit risk and it measures the effectiveness in the following ways:
Key consideration 3: A payment system or SSS should cover its current and, where they exist, potential future exposures to each participant fully with a high degree of confidence using collateral and other equivalent financial resources (see Principle 5 on collateral). In the case of a DNS payment system or DNS SSS in which there is no settlement guarantee but where its participants face credit exposures arising from its payment, clearing, and settlement processes, such an FMI should maintain, at a minimum, sufficient resources to cover the exposures of the two participants and their affiliates that would create the largest aggregate credit exposure in the system.
Response: NPCI has established Settlement Guarantee Fund (SGF). As defined in the SGM Policy, a portion of the funds required for SGF is contributed by the participating member banks. For the remaining portion of the SGF is arranged through Line of Credit (LoC) with high creditworthy commercial banks.
Member participants are allocated Net Debit Cap limits to ensure potential exposure remains within specified limits and instills a high level of confidence that the available SGF funds can effectively mitigate the risk of participant default. The SGF requirements are reviewed on a quarterly basis. The investment portfolio of NPCI is liquid investments and the investments are made in low risk and highly liquid avenues such as treasury bills, government securities, bank fixed deposits etc.
Key consideration 4: A CCP should cover its current and potential future exposures to each participant fully with a high degree of confidence using margin and other prefunded financial resources (see Principle 5 on collateral and Principle 6 on margin). In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should maintain additional financial resources to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would potentially cause the largest aggregate credit exposure for the CCP in extreme but plausible market conditions. All other CCPs should maintain additional financial resources sufficient to cover a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would potentially cause the largest aggregate credit exposure for the CCP in extreme but plausible market conditions. In all cases, a CCP should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount of total financial resources it maintains.
Response: Not applicable to NPCI Group.
Key consideration 5: A CCP should determine the amount and regularly test the sufficiency of its total financial resources available in the event of a default or multiple defaults in extreme but plausible market conditions through rigorous stress testing. A CCP should have clear procedures to report the results of its stress tests to appropriate decision makers at the CCP and to use these results to evaluate the adequacy of and adjust its total financial resources. Stress tests should be performed daily using standard and predetermined parameters and assumptions. On at least a monthly basis, a CCP should perform a comprehensive and thorough analysis of stress testing scenarios, models, and underlying parameters and assumptions used to ensure they are appropriate for determining the CCP’s required level of default protection in light of current and evolving market conditions. A CCP should perform this analysis of stress testing more frequently when the products cleared or markets served display high volatility, become less liquid, or when the size or concentration of positions held by a CCP’s participants increases significantly. A full validation of a CCP’s risk-management model should be performed at least annually.
Response: Not applicable to NPCI Group.
Key consideration 6: In conducting stress testing, a CCP should consider the effect of a wide range of relevant stress scenarios in terms of both defaulters’ positions and possible price changes in liquidation periods. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions.
Response: Not applicable to NPCI Group.
Key consideration 7: An FMI should establish explicit rules and procedures that address fully any credit losses it may face as a result of any individual or combined default among its participants with respect to any of their obligations to the FMI. These rules and procedures should address how potentially uncovered credit losses would be allocated, including the repayment of any funds an FMI may borrow from liquidity providers. These rules and procedures should also indicate the FMI’s process to replenish any financial resources that the FMI may employ during a stress event, so that the FMI can continue to operate in a safe and sound manner.
Response: NPCI has established the mechanism relating to credit losses in its SGM Policy, which has a well-defined SGM and ‘Loss Sharing Mechanism’ in place along with a committed Line of Credit (LoC) to ensure timely completion of settlement in the event of default by any of its member participants. NPCI has constituted a Settlement Guarantee Fund (SGF) to meet the settlement obligations by the member banks in case of any default. The participating member banks are required to contribute certain percentage of the required funds in the ratio of their transaction throughput. NPCI has arranged LoC with multiple banks for the remaining portion. In the event of default, NPCI utilizes the available contribution of the defaulted participant position to offset the loss and the remaining loss gets allocated among the non-defaulting participant members. NPCI has also defined measures to recover the funds along with applicable interest amount and penal charges, if any, from the defaulted participant. NPCI also track the assigned Net Debit Cap on a real time basis to ensure member exposure does not exceed the defined limits.
For its international subsidiary, NIPL enters into arrangements with the international network partner for prefunding obligation of the settlement account maintained with very high creditworthy commercial bank of the network partner.
During stress event or in the case of any settlement failure, following process is followed:
An FMI should effectively measure, monitor, and manage its liquidity risk. An FMI should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions.
Key consideration 1: An FMI should have a robust framework to manage its liquidity risks from its participants, settlement banks, nostro agents, custodian banks, liquidity providers, and other entities.
Response: NPCI has a sound risk management framework to manage liquidity risks due to default by the participant in meeting the settlement obligations and liquidity providers. In order to address the settlement risk, settlement guarantee mechanism has been constituted for NPCI Group comprising the settlement guarantee fund and line of credit arrangements to address any impact on liquidity risk which may be caused by temporary/permanent default by member participant(s).
In order to address the settlement risk in case of international arrangements, the Network Partners sufficiently prefund the settlement account maintained with high creditworthy commercial banks. Also, settlement guarantee funds are maintained to cover situation where pre-funding amount is exhausted for settlement.
The liquidity needs in the event of settlement default is addressed through the Settlement Guarantee Fund and Line of Credit arrangement. The participating members are required to contribute 10% of the required funds in the ratio of their transaction throughput of past 3 months. For the remaining 90%, NPCI has established Line of Credit arrangements with multiple banks. In the event of any failure in settlement, LoC is invoked to the extent of defaulted amount. The required SGF is recalibrated every quarter and the participant members are informed of any additional contribution required and also request is initiated for additional LoC from banks.
In the case of NIPL, in order to ensure liquidity in the event of default by the network partner, the network partner is required to pre-fund the settlement account and contribute to the settlement guarantee fund. The prefunding and the settlement guarantee fund requirement is recalculated periodically based on the average of actual settlement payments made during the defined period.
The NPCI Group avails LoC facility from high creditworthy commercial banks. Similarly, the member contribution toward the SGF is invested in fixed deposits (FDs) with high creditworthy commercial banks. As part of the monthly stress testing exercise, NPCI assesses the default scenario of the Bank with which LoC is arranged and member contribution is invested in FDs.
It is ensured that the SGF constituted is sufficient to address such a scenario of liquidity risk. To avoid any concentration of lines of credit with few banks, NPCI has established LOC with multiple banks.
Key consideration 2: An FMI should have effective operational and analytical tools to identify, measure, and monitor its settlement and funding flows on an ongoing and timely basis, including its use of intraday liquidity.
Response: The Settlement Risk Management (SRM) tool is utilized to monitor the daily settlement risk and posting time for settlements related to NPCI Group. The tool processes the data of settlement files posted in RTGS for all the products and generates reports for monitoring settlement value and posting time. The member banks are provided with settlement reports to ensure timely funding of RTGS settlement account. Further, the Net Debit Cap limit utilization by members of NPCI Group are monitored.
All settlement files are posted automatically in RTGS account of members. Alerts are generated for any failure in posting the settlement file. Though rare, such cases are immediately reviewed, rectified to address reason for failure and reposted in the RTGS.
Daily settlement posting timings are monitored through the Settlement Risk Management (SRM) tool. The tool fetches the daily net settlement report of all products. The daily risk coverage reports are automatically generated and the daily settlement value and timing dashboard is monitored and reviewed. The tool also tracks the actual settlement timings with the scheduled settlement time.
Key consideration 3: A payment system or SSS, including one employing a DNS mechanism, should maintain sufficient liquid resources in all relevant currencies to effect same-day settlement, and where appropriate intraday or multiday settlement, of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation in extreme but plausible market conditions.
Response: NPCI processes the settlement in the RTGS settlement account of members with RBI. Settlement amount is calculated automatically after every settlement cycle, and details are shared with the participants to make available funds to meet settlement obligations. In case of shortfall of funds during settlement in RTGS account of a bank, the settlement shall be completed by invoking LOC to the extent of net default amount by the defaulting bank. NPCI has a well-defined Settlement Guarantee Mechanism (SGM) and Loss Sharing Mechanism (LSM) with a committed Line of Credit (LoC) to ensure that the system is capable of timely completion of daily settlement in the event of extreme conditions such as inability of any of the participants to fund the settlement adequately.
NPCI has defined stress testing scenarios to test the resilience in extreme situations and to ensure the sufficiency of settlement guarantee fund in such scenarios. The stress testing model considers different range of scenarios. The stress testing model identifies up to what level the current SGF model can withstand in extreme conditions.
NPCI ensures that sufficient funds are available by way of SGF contribution and Line of Credit if the highest net debit position participating bank is unable to meet their settlement obligation.
Key consideration 4: A CCP should maintain sufficient liquid resources in all relevant currencies to settle securities-related payments, make required variation margin payments, and meet other payment obligations on time with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the participant and its affiliates that would generate the largest aggregate payment obligation to the CCP in extreme but plausible market conditions. In addition, a CCP that is involved in activities with a more-complex risk profile or that is systemically important in multiple jurisdictions should consider maintaining additional liquidity resources sufficient to cover a wider range of potential stress scenarios that should include, but not be limited to, the default of the two participants and their affiliates that would generate the largest aggregate payment obligation to the CCP in extreme but plausible market conditions.
Response: Not applicable to NPCI Group.
Key consideration 5: For the purpose of meeting its minimum liquid resource requirement, an FMI’s qualifying liquid resources in each currency include cash at the central bank of issue and at creditworthy commercial banks, committed lines of credit, committed foreign exchange swaps, and committed repos, as well as highly marketable collateral held in custody and investments that are readily available and convertible into cash with prearranged and highly reliable funding arrangements, even in extreme but plausible market conditions. If an FMI has access to routine credit at the central bank of issue, the FMI may count such access as part of the minimum requirement to the extent it has collateral that is eligible for pledging to (or for conducting other appropriate forms of transactions with) the relevant central bank. All such resources should be available when needed.
Response: The NPCI Group maintains liquid net assets funded by equity to cover operational expenses for the period of at least 12 months. In addition to utilizing liquid net assets funded by equity for operational expenses, NPCI Group has the capability to absorb losses and address temporary liquidity requirements in any extreme market conditions.
NPCI has Settlement Guarantee Mechanism (SGM) for addressing liquidity problems faced by one or more members. Liquidity and settlement guarantee in the event of any settlement default by the participant are ensured in the following manner:
NPCI accepts the member contribution towards SGF in cash and collateral. Further, the own funds and the earmarked funds are invested within the overall framework of maximum limits applicable to investments. Investments are made in low risk and highly liquid avenues. The settlement guarantee mechanism ensures availability of liquid resources to cover payment obligations on time.
Key consideration 6: An FMI may supplement its qualifying liquid resources with other forms of liquid resources. If the FMI does so, then these liquid resources should be in the form of assets that are likely to be saleable or acceptable as collateral for lines of credit, swaps, or repos on an ad hoc basis following a default, even if this cannot be reliably prearranged or guaranteed in extreme market conditions. Even if an FMI does not have access to routine central bank credit, it should still take account of what collateral is typically accepted by the relevant central bank, as such assets may be more likely to be liquid in stressed situations. An FMI should not assume the availability of emergency central bank credit as a part of its liquidity plan.
Response: The NPCI Group does not hold any supplementary liquid resources. Therefore, not applicable to NPCI Group.
Key consideration 7: An FMI should obtain a high degree of confidence, through rigorous due diligence, that each provider of its minimum required qualifying liquid resources, whether a participant of the FMI or an external entity, has sufficient information to understand and to manage its associated liquidity risks, and that it has the capacity to perform as required under its commitment. Where relevant to assessing a liquidity provider’s performance reliability with respect to a particular currency, a liquidity provider’s potential access to credit from the central bank of issue may be taken into account. An FMI should regularly test its procedures for accessing its liquid resources at a liquidity provider.
Response: The liquidity providers of NPCI Group are also participating member banks. All member banks are required to contribute to the settlement guarantee fund (SGF) as per the Settlement Guarantee Mechanism (SGM). Few highly creditworthy member banks also provide the Line of Credit (LoC). All the participating members are required to contribute a defined percentage of the total SGF required in the ratio of their transaction throughput. The loss sharing mechanism defines the additional contribution the surviving members have to make in the event of inability of defaulting member to make good the default amount. The members are duly informed of their liabilities and obligations towards settlement mechanism. NPCI has established LoC facility from banks which is invoked in the event of settlement default.
Stress testing is performed to ensure the sufficiency of the SGF in adverse scenarios. The stress testing scenario also envisages default by the bank from whom LoC is taken and the member contribution is deposited. The required SGF and the member contribution along with LoC requirement is reviewed quarterly.
NPCI has the confidence that its liquidity providers have the capacity to perform its commitment on an ongoing basis in the following ways:
The participating members and LoC providers are institutions regulated by RBI and have RTGS account with RBI.
NPCI conducts table-top exercise for interbank settlement and possible settlement defaults and its corrective measures across departments. NPCI also performs testing of the LOC facilities extended by banks to NPCI.
Key consideration 8: An FMI with access to central bank accounts, payment services, or securities services should use these services, where practical, to enhance its management of liquidity risk.
Response: NPCI uses access to RTGS accounts of participants maintained with RBI to conduct all the domestic settlements to manage domestic liquidity risk. The settlement of domestic leg of cross-border transactions is also performed through the member banks' RTGS settlement accounts with RBI.
Key consideration 9: An FMI should determine the amount and regularly test the sufficiency of its liquid resources through rigorous stress testing. An FMI should have clear procedures to report the results of its stress tests to appropriate decision makers at the FMI and to use these results to evaluate the adequacy of and adjust its liquidity risk-management framework. In conducting stress testing, an FMI should consider a wide range of relevant scenarios. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions. Scenarios should also take into account the design and operation of the FMI, include all entities that might pose material liquidity risks to the FMI (such as settlement banks, nostro agents, custodian banks, liquidity providers, and linked FMIs), and where appropriate, cover a multiday period. In all cases, an FMI should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount and form of total liquid resources it maintains.
Response: NPCI performs stress testing to determine the resilience in extreme situations and to ascertain sufficiency of the funds provided to guarantee the settlement. The Stress Testing exercise considers various scenarios to verify the sufficiency of funds under adverse conditions for NPCI Group. The testing provides an insight into which are the scenarios where the settlement guarantee fund may not be sufficient. NPCI performs stress testing every month to evaluate efficiency and sufficiency of SGF by analyzing different test scenarios.
The results of stress testing scenarios and stressing model are reported on a monthly basis to the Internal Risk Management Committee (IRMC). Stress Testing evaluates whether SGF computed is sufficient enough to withstand the scenarios or failing at certain points and appropriate corrective actions are taken to plug the gap with the approval of RMC.
NPCI conducts thorough assessments of the adequacy of its SGF by evaluating various scenarios and forward-looking stress parameters. These scenarios include the default of multiple banks with maximum exposure, combinations of banks from different sectors defaulting together, consecutive defaults by banks with the highest exposure, failure of banks across different products, instances where the default is of a bank providing Line of Credit (LoC) and where member contributions are invested. These assessments ensure the robustness and resilience of NPCI's SGF against potential risks and uncertainties in the financial landscape.
The Stress test scenarios are based on liquidity risk borne by participants. Testing is performed on a monthly basis as a part of monitoring exercise to ensure sufficiency of funds. Stress testing scenarios take into account the design and operations of the NPCI Group. The adequacy of SGF is assessed under the range of scenarios forecasted which might pose liquidity risk to NPCI Group. It is ensured that the SGF is sufficient to address any liquidity risk.
The Stress Testing model and the results are reviewed and approved by the Risk Management Committee (RMC) of the Board. The model lists all the plausible scenarios and stressing model parameters.
NPCI performs stress testing by stressing the various model parameters. Model parameters such as Highest Net Debit Exposures, collateral contribution by members, Line of Credit from various banks are pushed to extreme scenarios to assess whether the current SGF model can withstand the extreme conditions. Stress testing is performed monthly to test the adequacy of SGF. Stress testing methodology is reviewed annually.
The ERM policy of NPCI describes the risk appetite for internal and external liquidity risk. The policy requires maintaining sufficient liquid net assets funded by equity to cover at least six months of operating expenses. The Orderly Wind Down (OWD) Policy envisages the winding down scenarios and implementation of resolution strategy requiring significant amount of liquidity. The ERM policy and the OWD policy are reviewed and approved by the Risk Management Committee and the Board. The adequacy of funds to mitigate settlement risk is documented in the SGM policy. The policy highlights the Settlement Guarantee Fund arrangements, loss sharing mechanism, stress testing, etc.
In the case of international arrangements, liquidity risks are mitigated by prefunding arrangements and maintaining settlement guarantee fund.
Key consideration 10: An FMI should establish explicit rules and procedures that enable the FMI to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations on time following any individual or combined default among its participants. These rules and procedures should address unforeseen and potentially uncovered liquidity shortfalls and should aim to avoid unwinding, revoking, or delaying the same-day settlement of payment obligations. These rules and procedures should also indicate the FMI’s process to replenish any liquidity resources it may employ during a stress event, so that it can continue to operate in a safe and sound manner.
Response: NPCI has a well-defined failsafe arrangement in the form of SGM Policy, which includes the loss sharing mechanism to enable it to settle payment obligations on time even when there is any default by the participant. The Settlement Guarantee Mechanism and the prefunding arrangements address the unforeseen and potentially uncovered liquidity shortfalls and thereby avoid unwinding, revoking or delaying the same day settlement of payment obligations.
The settlement process is segregated in multiple settlement cycles which run at periodic intervals every day. On completion of settlement cycle, obligations are arrived for each participant through an automated process which are subsequently submitted to participant banks. The settlement obligations are processed to settle the obligation at the end of each settlement cycle in RTGS account.
The Loss sharing mechanism (LSM) which is part of SGM Policy establishes the procedure for replenishment of resources used during a stress event/default.
An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.
Key consideration 1: An FMI’s rules and procedures should clearly define the point at which settlement is final.
Response: NPCI performs deferred multi-lateral net settlement. The settlement is considered final and irrevocable as soon as the settlement amount is arrived at through netting process. The settlement executed by NPCI in the RTGS of RBI is deemed as 'final net settlement' carried out by NPCI.
The finality of transfer of funds is governed as per the SGM policy of NPCI and Product Procedural Guidelines. The SGM policy along with the procedural guidelines are circulated to the member participants at the time of onboarding. Any modifications to the same are notified to the participants by way of operating circulars.
NPCI performs deferred multilateral net settlement. Section 23 of Payment and Settlement System Act, 2007 provides a sound legal backing for settlement and netting. Procedural Guidelines also states that PSS Act, 2007 shall be binding on all members of the respective product.
The PSS Act provides the legal backing for the finality of the settlement of transactions. The norms regarding finality of transfer of funds is laid down in SGM policy and Procedural Guideline of NPCI. The settlement terms for cross-border transactions are governed by respective network to network agreements entered between NIPL and the respective network partner.
Key consideration 2: An FMI should complete final settlement no later than the end of the value date, and preferably intraday or in real time, to reduce settlement risk. An LVPS or SSS should consider adopting RTGS or multiple-batch processing during the settlement day.
Response: NPCI processes the settlement as per the settlement cycles defined in the respective procedural guidelines for each product. NPCI systems and processes are designed to complete final settlement on value date. If a participant bank has inadequate funds at the time of settlement, the entire batch gets rejected and put on hold. NPCI co-ordinates with the participating Bank to clear the settlement obligation and the settlement is completed. If the shortfall is not remedied by the defaulting bank during settlement in RTGS, the settlement shall be completed by invoking LOC to the extent of net default amount by the defaulting bank. NPCI has well defined Settlement Guarantee Mechanism and Loss Sharing Mechanism with a committed Line of Credit (LoC) so that the system is capable of carrying out timely completion of daily settlement even if there is a shortfall in the RTGS account of any participant.
Key consideration 3: An FMI should clearly define the point after which unsettled payments, transfer instructions, or other obligations may not be revoked by a participant.
Response: NPCI has obtained irrevocable authority letter/ mandate from each participating member for final settlement in their RTGS account. NPCI does not permit revocation of obligation by participants once a transaction is processed. Transactions which are processed but pending for settlement, cannot be revoked by the participants as provided in PSS Act, 2007. This information is defined in the procedural guidelines which are shared with all participants. NPCI provides the settlement report to its members.
The Settlement Guarantee Mechanism Policy and Procedural Guidelines define the point of finality of settlement for all products.
An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimize and strictly control the credit and liquidity risk arising from the use of commercial bank money.
Key consideration 1: An FMI should conduct its money settlements in central bank money, where practical and available, to avoid credit and liquidity risks.
Response: For settlement of all the domestic transactions, NPCI performs interbank settlement to the member banks' respective RTGS settlement accounts with RBI. All members issue a one-time authority letter to RBI, authorizing NPCI to credit/debit their RTGS account with RBI for transaction level net settlement. The participant members are required to fund their RTGS settlement account held with RBI with sufficient amount to meet the settlement obligation.
The clearing and settlement of transactions between NIPL and the International Network Partner and International Remittance Partner are done by NIPL, through Network Partner Settlement Account with scheduled commercial bank in India (INR) or Network Partner's specific settlement account outside India (FCY) as agreed in the Network-to-Network Agreement. In the case of international alliance, the international partner prefunds amount equivalent to average of 10 days’ settlement value with designated commercial bank.
Key consideration 2: If central bank money is not used, an FMI should conduct its money settlements using a settlement asset with little or no credit or liquidity risk.
Response: For all domestic transactions, NPCI performs interbank settlement to the member banks' RTGS accounts with RBI.
For cross-border transactions, the international partners maintain its settlement account with scheduled commercial banks in India. The international partner prefunds the amount equivalent to average of 10 days settlement value with designated commercial bank. NPCI has put in place a process to ensure that banks with high creditworthiness and competence are accepted for such arrangements. The availability of funds in such designated account is monitored daily. Additionally, SGF amount is maintained as security deposit with NPCI to cover situations where pre-funding amount is exhausted for daily settlement. The settlement banks are accepted based on creditworthiness and competence of the commercial banks. The Agreement with international alliance partners clearly defines the settlement obligations. Criteria like net worth, operational capabilities, reach, etc. are observed. Such banks are also subject to supervision by RBI.
Key consideration 3: If an FMI settles in commercial bank money, it should monitor, manage, and limit its credit and liquidity risks arising from the commercial settlement banks. In particular, an FMI should establish and monitor adherence to strict criteria for its settlement banks that take account of, among other things, their regulation and supervision, creditworthiness, capitalisation, access to liquidity, and operational reliability. An FMI should also monitor and manage the concentration of credit and liquidity exposures to its commercial settlement banks.
Response: For all domestic transactions, NPCI performs interbank settlement to the member banks' RTGS accounts with RBI.
For cross-border transactions, the international partners maintain its dedicated exclusive settlement account with scheduled commercial banks in India. Such accounts are prefunded so as to meet settlement obligations. As part of the settlement process, NPCI ensures that daily settlement obligations are processed at the time of settlement. Additionally, SGF amount is maintained as security deposit with NPCI to cover situation of potential loss or liquidity pressures due to failure of the settlement bank.
The scheduled commercial banks are licensed and regulated by RBI and have established credit assessment and risk management practices to minimize credit risk and liquidity risk. RBI inspects and supervises these commercial banks and sets the rules & guidelines for commercial banks to maintain a certain level of financial strength and stability.
Key consideration 4: If an FMI conducts money settlements on its own books, it should minimise and strictly control its credit and liquidity risks.
Response: Not applicable, since NPCI does not conduct money settlements in own books.
Key consideration 5: An FMI’s legal agreements with any settlement banks should state clearly when transfers on the books of individual settlement banks are expected to occur, that transfers are to be final when effected, and that funds received should be transferable as soon as possible, at a minimum by the end of the day and ideally intraday, in order to enable the FMI and its participants to manage credit and liquidity risks.
Response: The settlement happens through the RTGS account of the participating members. The settlement is complete as soon as the settlement entries are posted in the RTGS system. The transfer of funds is final and irrevocable. The funds are available immediately upon posting settlement entries.
An FMI should have effective and clearly defined rules and procedures to manage a participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations.
Key consideration 1: An FMI should have default rules and procedures that enable the FMI to continue to meet its obligations in the event of a participant default and that address the replenishment of resources following a default.
Response: The SGM Policy of NPCI Group defines the event of financial default by the participant. A participating member is declared defaulter if shortfall of funds is experienced in RTGS account during the scheduled interbank settlement. The defaulting member is subject to penalties and/or suspension from the network.
In the event of any default, SGF or LoC, as per the requirement, shall be invoked to the extent of the defaulted amount. NPCI has defined loss sharing mechanism which establishes the procedure for replenishment of resources utilized during default management event. The non-defaulting participants shall contribute towards the loss as defined in SGM policy for loss sharing mechanism. Once the defaulted bank is debarred in the system, exposure is contained immediately.
The SGM requirement is calibrated every quarter. All the member banks are communicated in subsequent month for additional SGF contribution requirement. All member banks are required to adhere to the SGM policy of NPCI. The Group also issues circulars/guidelines which member banks are required to adhere to.
The SGF and LoC, as applicable, utilized due to default of a member has to be repaid by the defaulting member along with interest and penal charges. If a member bank fails to make good such funds, the SGF contribution of the defaulting bank is adjusted.
Key consideration 2: An FMI should be well prepared to implement its default rules and procedures, including any appropriate discretionary procedures provided for in its rules.
Response: NPCI conducts table-top exercise for interbank settlement and possible settlement defaults and its corrective measures across departments namely Operations, Technology, Settlement Risk, Business Development and Finance Team. Table-top exercise is a form of simulation used to practice and evaluate the group's response to a test scenario. Table-Top is a discussion-based exercise that does not involve actual physical activities but rather focuses on decision-making, communication, and coordination among participants. Simulation of test scenario is conducted on the actionable that NPCI will perform to salvage the situations where bank has defaulted, and bank is declared bankrupt, or moratorium is imposed on the bank. Based on past instances, the roles of different stakeholders are defined. Action items as a result of table-top exercise are identified and resolved. The roles, responsibilities, frequency of the table-top exercise are documented as part of Settlement Risk Management (SRM) Operations Process Document.
The communication procedures followed by NPCI in case of default by the participant is defined as a part of the table-top exercise and Settlement Risk Management (SRM) Operations Process Document. In the event of participant default, communication and coordination is initiated with internal and external stakeholders to take necessary action. It is also ensured that communication is passed to all the relevant stakeholders like Business, Technology and Operations. Further the risk containment process defined under the Settlement Risk Management (SRM) Operations Process document outlines the process to be followed in the event of participant default. The defaulted bank is instructed to repay the outstanding settlement amount along with charges immediately. In case the defaulted bank fails to repay the entire amount, LSM is invoked. The surviving banks are required to contribute their share of loss amount. Receipt of LSM amount from the surviving banks is informed to all internal stakeholders and Regulator.
The standardized SGM policy, which is applicable to NPCI Group outlines the internal plans and arrangements to address the default mechanism by the participating member bank. The policy is subject to annual review and is approved by the Risk Management Committee of the Board.
Key consideration 3: An FMI should publicly disclose key aspects of its default rules and procedures.
Response: The key aspect of participants default rules and procedures, regulations governing the settlement obligations, salient aspects of SGM including the LoC and member contribution to the SGF and the loss sharing mechanism are disclosed in NPCI’s website. The disclosure covers the following points:
Key consideration 4: An FMI should involve its participants and other stakeholders in the testing and review of the FMI’s default procedures, including any close-out procedures. Such testing and review should be conducted at least annually or following material changes to the rules and procedures to ensure that they are practical and effective.
Response: NPCI performs the table-top exercise annually for interbank settlement and possible settlement defaults and its corrective measures across departments namely Operations, Technology, Settlement Risk, Business Development and Finance Team. The purpose of the exercise is as follows:
The table-top exercise considers the simulation of the test scenario on the actionable that NPCI shall perform to salvage the situation when member bank may default or declared bankrupt. The scenario also considers the procedure to be followed in case of moratorium being declared by RBI on any member bank. The main purpose of this activity is to ensure seamless deactivation of member bank and their sub member bank from NPCI network at the earliest in the event of settlement default.
The results of these tests and reviews are shared with the Risk Management Committee and other relevant authorities.
An FMI should identify, monitor, and manage its general business risk and hold sufficient liquid net assets funded by equity to cover potential general business losses so that it can continue operations and services as a going concern if those losses materialise. Further, liquid net assets should at all times be sufficient to ensure a recovery or orderly wind-down of critical operations and services.
Key consideration 1: An FMI should have robust management and control systems to identify, monitor, and manage general business risks, including losses from poor execution of business strategy, negative cash flows, or unexpected and excessively large operating expenses.
Response: NPCI Group’s ERM Policy categorizes the general business risks as follows:
NPCI has identified the general business risk as the risk of any potential impairment of the financial condition (as a business concern) due to decline in its revenues or increase in expenses. Such impairment may be due to non-achievement of business plans, poor execution of business strategy, ineffective response to competition, losses in divisional business line of NPCI, or other business factors.
NPCI considers general business risks across all risk categories, as each could result in a potential financial impact. This is represented in NPCI’s risk assessment methodology which considers financial impact as criterion within the risk scoring matrix. The key risk indicators of General Business Risk are as follows:
Business Performance Risk is monitored and assessed based on the transaction volume and transaction revenues and the Eco-system Risk is monitored and assessed on the basis of bank downtime and risk scoring of application service providers. Further the segment-wise concentration in transaction volumes and revenues are also monitored to identify and mitigate the concentration risk.
The risk assessment process to identify, analyze, evaluate and report the outcomes of general business risk are as follows:
NPCI has defined Key Risk Indicator where NPCI keeps track of product wise actual and forecasted revenue, transaction volume and value and other risk indicator.
KRI assessment is conducted every quarter and the results are presented to Internal Risk Management Committee and Risk Management Committee of Board.
The general business risk assessment considers the impact on the cash flow due to potential decline in business performance in terms of transaction revenue. Further, as a part of the capital planning process, NPCI takes into consideration the sufficiency of liquid net assets funded by equity to meet the operational expenses in the event of business risk.
Key consideration 2: An FMI should hold liquid net assets funded by equity (such as common stock, disclosed reserves, or other retained earnings) so that it can continue operations and services as a going concern if it incurs general business losses. The amount of liquid net assets funded by equity an FMI should hold should be determined by its general business risk profile and the length of time required to achieve a recovery or orderly wind-down, as appropriate, of its critical operations and services if such action is taken.
Response: NPCI has adequate liquid net assets funded by equity to meet the operational expenses. Thresholds are defined for Internal Liquidity Coverage Ratio and basis the same, the criticality of the risk is determined, and appropriate actions are taken. NPCI regularly calculates and monitors the minimum net liquid asset that it needs to hold compared to operating expenses to continue with its critical services.
NPCI reviews regularly the liquid net asset it holds as multiple of monthly operating expenses required to continue its operations and services as going concern. The Orderly Wind Down Policy envisages the winding down scenarios and the resolution plan to be adopted in such scenarios. NPCI has sufficient loss absorption capacity to fund the liquidity and capital needs in the event of material financial distress.
Key consideration 3: An FMI should maintain a viable recovery or orderly wind-down plan and should hold sufficient liquid net assets funded by equity to implement this plan. At a minimum, an FMI should hold liquid net assets funded by equity equal to at least six months of current operating expenses. These assets are in addition to resources held to cover participant defaults or other risks covered under the financial resources’ principles. However, equity held under international risk-based capital standards can be included where relevant and appropriate to avoid duplicate capital requirements.
Response: The Orderly Wind Down (OWD) Policy of NPCI describes scenarios that could trigger winding down of the product or the organization during crisis. This will help wind down in an orderly fashion, thus minimizing the disruptions and the impact on the ecosystem. The document captures the criticality of operations of the Group and its impact on the economy. The document further articulates the real and plausible stress scenarios that could trigger the winding down of the organization/product and the possible recovery process. In cases where recovery is not possible, an orderly wind down is envisaged.
The implementation of a resolution strategy requires significant amount of temporary liquidity. NPCI has sufficient loss absorption capacity to fund the liquidity and capital needs in the event of material financial distress. NPCI holds liquid net assets funded by equity equal to at least 6 months of current operating expenses in case of financial distress. This shall provide sufficient time for fall back options for the critical services for take over and continuing the operations of such critical product/services from NPCI. To address financial distress arising due to specific types of loss, Insurance cover is obtained to mitigate such losses.
The liquid assets held are clearly identified to differentiate between business risks and losses and participant default.
NPCI holds equity under international risk-based capital standards to cover general business risks.
Key consideration 4: Assets held to cover general business risk should be of high quality and sufficiently liquid in order to allow the FMI to meet its current and projected operating expenses under a range of scenarios, including in adverse market conditions.
Response: Liquid assets held by NPCI Group are as follows:
The liquid assets are callable in nature and can be converted into cash at short notice with no loss of value.
To ensure that investment portfolio of NPCI is liquid, the investments are restricted to the approved investment products subject to overall exposure limits.
The liquid net assets are reviewed every month to monitor the operating expense coverage ratio. Investments in liquid assets are reviewed periodically by the Investment Committee to ensure the quality and liquidity of liquid net assets.
Key consideration 5: An FMI should maintain a viable plan for raising additional equity should its equity fall close to or below the amount needed. This plan should be approved by the board of directors and updated regularly.
Response: NPCI has adequate liquid net assets funded by equity to cover the operating expenses in the event of distress. NPCI has also laid out the Board approved plan for raising funds to ensure availability of liquid funds if equity fall close to or fall below the amount needed.
NPCI assesses the fund requirement at the beginning of each financial year by way of capital planning process. NPCI assesses whether the funds are adequate to meet the capital plans for current financial year, future capital requirement and discusses the need for further augmentation. The Audit Committee and the Board review and approve the capital planning process every year.
An FMI should safeguard its own and its participants’ assets and minimise the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks.
Key consideration 1: An FMI should hold its own and its participants’ assets at supervised and regulated entities that have robust accounting practices, safekeeping procedures, and internal controls that fully protect these assets.
Response: NPCI does not offer custodian services as part of its operations.
Key consideration 2: An FMI should have prompt access to its assets and the assets provided by participants, when required.
Response: NPCI does not offer custodian services as part of its operations.
Key consideration 3: An FMI should evaluate and understand its exposures to its custodian banks, taking into account the full scope of its relationships with each.
Response: NPCI does not offer custodian services as part of its operations.
Key consideration 4: An FMI’s investment strategy should be consistent with its overall risk-management strategy and fully disclosed to its participants, and investments should be secured by, or be claims on, high-quality obligors. These investments should allow for quick liquidation with little, if any, adverse price effect.
Response: Investment policy is approved by the Board and it stipulates the norms for investments to ensure that credit risk, Price risk, Interest Rate risk, Liquidity Risk, Arbitrage Risk on investments is minimized. The Investment policy includes:
The policy specifies criteria for instruments and eligible entities where investments can be made.
The Investment Committee reviews every quarter all existing and new investment with respect to Net-worth, Credit Ratings and NNPA criteria to ensure investments are with high-quality obligors.
Investment Policy defines the limit of investment with overall exposure in liquid funds to any obligor to avoid concentration of credit risk exposures.
NPCI has maintained Fixed Deposits with Public Sector Banks and Large Private sector banks. These investments are callable in nature with assured pre-determined fixed interest rate. Also, the FDs can be quickly liquidated as and when required. The assured return on fixed deposits ensures no adverse price effect.
An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.
Key consideration 1: An FMI should establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, and manage operational risks.
Response: The Operational Risk Management (ORM) Policy and Standard Operating Procedure (SOP) describes the principles for identification, assessment, monitoring and reporting of operational risks relating to the NPCI Group's activities.
The ORM Policy describes the functions of the three lines of defence. The Business Line Management is the first line of defence in identifying and managing risks inherent to the products. The Risk Management is the second line of defence and is responsible for providing independent oversight of the ORM framework. The third line of defence is the Internal Audit, which is responsible for independently reviewing the operational risk management. Risk and Control Self-Assessment (RCSA) process enables identification, assessment (including quantifying), evaluation of prevention & control system, acceptance, and mitigation of risks.
NPCI has categorized sources of operational risk in the ORM policy into four categories viz. People Risk, Process Risk, Technology Risk and risk due to External factors. ORM tool is used for maintenance of a risk register/RCSA containing the risk events of the Group. The register contains a description of the controls that have been implemented to mitigate the identified risks. The risks identified are reviewed at pre-defined frequency.
NPCI has defined and documented Human Resource policies viz. ‘Recruitment Policy’, Learning and Development guidelines, Retention policy, etc. Succession planning is done for Key Managerial Personnel. Background check and feedback relating to integrity and honesty are obtained before hiring any human resources. Fraud Management solution is offered to participants, for real time fraud detection, reporting and prevention.
NPCI has a Change Management Policy that states the process to be followed for any change related to Application and Infrastructure. The steps followed for the change management process is as follows:
Change Management Committee reviews the preparedness, timings, documents submitted, etc. and approve before change implementation.
Key consideration 2: An FMI’s board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the FMI’s operational risk-management framework. Systems, operational policies, procedures, and controls should be reviewed, audited, and tested periodically and after significant changes.
Response: The Board of Directors govern, approve and periodically review the Group’s ORM Framework/policy. The ORM framework is also reviewed by the Internal Audit as a part of the risk-based audit plan. Internal Audit provides inputs to the Risk Management Department the effectiveness and implementation of controls. The ORM framework is audited by external auditors as per the Audit Plan.
Systems, operational policies, procedures and controls are reviewed, audited, and tested periodically and after significant changes are implemented.
Key consideration 3: An FMI should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
Response: The operational reliability objectives are outlined in the IT Continuity Service Management System and Business Continuity Plan (BCP) Policy. To ensure these objectives are met, all incidents are diligently tracked through various tools and their root causes are thoroughly analyzed and documented, in compliance with security and operational reliability requirements.
BCP ensures robust operational reliability, ensuring resilience in the face of unforeseen incidents or disruptions. This high level of operational reliability is attained through a range of essential measures, including risk assessment, business impact analysis, continuity planning, comprehensive training, testing and incident management protocols. In the case of any major incident, immediate notification is made to the Crisis Management Team, swiftly triggering the disaster recovery (DR) process.
Regular drills are conducted to evaluate the effectiveness of BCP procedures. The frequency of DR Drills depends on the type of applications. The findings of DR Drills provide valuable insights into the effective management of BCP-DR activities.
Key consideration 4: An FMI should ensure that it has scalable capacity adequate to handle increasing stress volumes and to achieve its service-level objectives.
Response: The daily assessments of server capacity utilization are monitored and the findings are communicated to relevant stakeholders. Server scalability, adequacy, and capacity are monitored continuously. The alerts for CPU, Memory, and Disk utilization are communicated to the relevant stakeholders for redressal.
Network devices are monitored to meet the defined thresholds. When these thresholds are exceeded/any issue identified, the team initiates timely resolution procedures which may include resource optimization, load balancing or scaling up the infrastructure to accommodate increased demand. Additionally, alerts and notifications are triggered for swift intervention to ensure smooth and uninterrupted functioning of the systems.
Key consideration 5: An FMI should have comprehensive physical and information security policies that address all potential vulnerabilities and threats.
Response: NPCI has a comprehensive Information Security Policy encompassing vulnerability management and Change management. External auditors annually conduct Vulnerability Assessment and Penetration Testing (VAPT). The sources of physical vulnerabilities and threats are identified and addressed through adhering to PCI-DSS, ISO standards, regular physical and environmental audits, Review of changes in infrastructure, applications and underlying systems and are updated to the relevant Committees comprising senior officials.
The Information Security Policy includes Change management and Project management. It defines the process for conducting changes to infrastructure, applications and underlying systems which is reviewed by relevant Committees comprising senior officials. NPCI follows Standard Operating Procedure for conducting application security testing for all applications based on annual predefined schedule. The SOP outlines a well-defined process and timelines for addressing observations made during VAPT exercises. Vulnerability assessments are conducted every quarter and penetration testing is carried out annually. An independent assessment is conducted by an external auditor to provide a comprehensive evaluation of NPCI's security posture.
NPCI consistently follows established policies and processes in accordance with globally recognized information security benchmarks such as PCI-DSS, ISO 27001, ISO 27701, ISO 22301 and ISO 9001. These standards entail deployment of controls that undergo regular testing and review, and validated reports are readily available to ensure ongoing adherence to industry best practices.
Key consideration 6: An FMI should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events. The plan should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The FMI should regularly test these arrangements.
Response: The BCP serves as the key cornerstone for business continuity management, encompassing business impact analysis, and facilitates Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical applications. RPO and RTO are defined in the IT Service Continuity Management policy. This meticulous planning facilitates the timely recovery and resumption of essential operations. The BCP is engineered to ensure the resumption of operations within predefined timelines, even in the face of disruptive events, with RTOs thoughtfully outlined for applications.
Within the purview of the BCP plan, the business processes are distinctly defined, complemented by concrete recovery strategies for each application. The bedrock of business continuity is strengthened by an active-active setup for business-critical applications, where well-defined RTOs and RPOs are rigorously tested on a quarterly basis, with corresponding reports meticulously reviewed. This robust BCP framework empowers NPCI to successfully complete settlement operations by the close of each day, even under extreme circumstances. This comprehensive assessment ensures the effectiveness of disaster recovery measures in these critical systems, providing valuable insights into the readiness and resilience of each application in meeting recovery objectives.
Contingency and Disaster Recovery Plans are integral parts of the IT Service Continuity Management policy. These plans are intentionally crafted to ensure the seamless resumption of operations within predetermined timelines under any conceivable circumstances, including disruptive incidents. To further minimize data loss, critical online applications uphold a stringent Recovery Time Objective (RTO) of under an hour. Each application has a well-crafted recovery strategy. Furthermore, business-critical applications maintain an active-active setup, rigorously tested on a quarterly basis.
The ‘Crisis Management Plan’ articulates the essential steps and requirements for both pre- and post-crisis activities. This plan incorporates detailed contact information for internal and external stakeholders, alongside a defined process for engaging local authorities in times of crisis.
NPCI strategically operates through independent data centers. These data centers are fortified with comprehensive contingency measures (Tier 4), including well-defined procedures and alternative arrangements, all engineered to ensure the uninterrupted processing of time-sensitive transactions. Safeguarding the integrity and efficiency of financial operations is further bolstered by the availability of IT support staff at all locations. Competent officials with the ability and capability to manage business processes are always available for all locations.
The data centers are strategically located to handle large volumes even in disruptive scenarios, thus enabling the processing of time-critical transactions without incurring any adverse impact. The Data centers are Tier-4 and have ISO 27001 and ISO 9001 certification to ensure all the required controls are maintained.
The BCP plan undergoes a systematic annual review, with immediate updates mandated in the event of any significant organizational changes that might impact the plan. Scheduled and surprise drills are conducted to rigorously test a wide spectrum of disruption scenarios.
The frequency of Disaster Recovery (DR) drills is meticulously planned as outlined in the BCP plan. These drills actively involve participants, service providers, and other stakeholders to review and test business continuity and contingency arrangements.
Key consideration 7: An FMI should identify, monitor, and manage the risks that key participants, other FMIs, and service and utility providers might pose to its operations. In addition, an FMI should identify, monitor, and manage the risks its operations might pose to other FMIs.
Response: NPCI has documented ‘Third-Party Risk Management (TPRM) policy for managing and monitoring third-party risk exposure. Due diligence procedure for service providers has been defined in the TPRM Policy. Risk controls have been defined in the policy and are checked for various risks.
Annual audits are conducted for third-party vendors and Application Service Providers. These audits encompass a comprehensive evaluation, considering cybersecurity standards like ISO 27001, ISO 27701, and PCI DSS. The aim is to guarantee the reliability and contingency preparedness of these critical service providers. Risk assessment is conducted for international partners to identify, monitor, and mitigate any potential risks that could impact other FMIs.
An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.
Key consideration 1: An FMI should allow for fair and open access to its services, including by direct and, where relevant, indirect participants and other FMIs, based on reasonable risk-related participation requirements.
Response: Procedural guidelines describe the participation requirements for members who participate in different roles/capacities of various NPCI Products including that the participating member bank should be regulated by RBI. The member should comply with the procedural guidelines, certification requirements, operating and risk guidelines issued from time to time.
The procedural guidelines stipulate that each member should abide by the AML/KYC guidelines. The banks can participate as a direct bank or sub-member banks. The direct banks have RTGS accounts with RBI and the sub-member banks participate through direct member bank for the purpose of settlement. NPCI has a non-discriminatory participation criteria thereby allowing a fair and open access based on reasonable risk-based participation requirements.
Key consideration 2: An FMI’s participation requirements should be justified in terms of the safety and efficiency of the FMI and the markets it serves, be tailored to and commensurate with the FMI’s specific risks and be publicly disclosed. Subject to maintaining acceptable risk control standards, an FMI should endeavor to set requirements that have the least-restrictive impact on access that circumstances permit.
Response: The participation criteria specified in the product specific procedural guidelines are justified keeping in view the objectives and role of NPCI Group in providing a robust ecosystem for payments. Product specific participation requirements have been defined for both direct and sub-member banks who participate in the ecosystem. The objective of onboarding criteria defined by NPCI Group is to provide a seamless process of onboarding and ensure that compliance/regulatory aspects are met.
In order to ensure safety and efficiency, eligibility criteria are required to be met by a participant. NPCI admits participant who meet the necessary standards, operational stability, compliance with NPCI/regulatory guidelines, ISO 20022 certified (XML) messaging system, capacity processing, DR site, etc.
The procedural guidelines applicable to NPCI Group specify participation requirements as required by law or regulation. The procedural guidelines are reviewed on an annual basis.
Product booklets are available on the website based on which prospective participants who approach NPCI are explained about restrictions and participation criteria.
Key consideration 3: An FMI should monitor compliance with its participation requirements on an ongoing basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a participant that breaches, or no longer meets, the participation requirements.
Response: The participation criteria for products offered by NPCI Group is mentioned in each product specific procedural guidelines.
NPCI monitors the compliance with access criteria by participants through ongoing review and periodic compliance statements submitted by participants.
A periodical risk assessment of the participants is conducted depending on the risk category of participants. NPCI ensures that members and participants are adhering to directives mentioned in the operating circulars, procedural guidelines, etc. issued by NPCI. The enforcement team works in close co-ordination with internal stakeholders to enforce corrective action towards non-compliance of regulations by members/participants.
The procedural guidelines indicate that the members may be terminated or suspended from the membership of a particular product in case the member commits a breach of the provisions mentioned in the guidelines. NPCI Group informs the member citing reason for termination/suspension of membership as per the process defined in the guidelines.
For termination of membership, participants are guided by the procedural guidelines issued by NPCI Group. The offboarding procedure for products offered by NPCI is briefly disclosed on the NPCI website.
An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements.
Key consideration 1: An FMI should ensure that its rules, procedures, and agreements allow it to gather basic information about indirect participation in order to identify, monitor, and manage any material risks to the FMI arising from such tiered participation arrangements.
Response: The NPCI Group facilitates indirect participation through sponsor bank which is the direct member of the payment system. Indirect participants are the sub-member banks which are licensed by RBI. A tripartite agreement is entered into between NPCI, sub-member bank and the sponsor bank. The sponsor banks are required to take care of the material aspects relating to fund settlement, collateral, risk mitigation for their sub-member banks. The settlement of transactions by sub-member banks takes place in the RTGS settlement account of the sponsor banks maintained with RBI. Sponsor banks are responsible for the oversight management of their sub-member to ensure compliance with RBI and NPCI guidelines.
NPCI gathers basic information about sub-member participation through its participant onboarding process.
NPCI monitors settlement obligations of sub-member banks through direct member bank’s obligation. Settlement obligations of the sub-member banks are the responsibility of Direct member banks.
In case of NBBL, non-bank BBPOUs participate in the system through the sponsor banks. In such arrangement, the designated settlement account is of its sponsor bank and the sponsor bank is responsible for settlement of transactions of the non-bank BBPOU. It is the responsibility of the sponsor bank to execute the required authorizations, including Settlement Guarantee Fund participation.
Key consideration 2: An FMI should identify material dependencies between direct and indirect participants that might affect the FMI.
Response: The material dependencies between direct and indirect participants is the settlement obligation. Under the tiered participation arrangement, the sponsor bank shall assume complete responsibility for the settlement obligations of the indirect participant.
Key consideration 3: An FMI should identify indirect participants responsible for a significant proportion of transactions processed by the FMI and indirect participants whose transaction volumes or values are large relative to the capacity of the direct participants through which they access the FMI in order to manage the risks arising from these transactions.
Response: NPCI has identified the following measures to identify indirect participants whose transaction volumes or values are large:
Key consideration 4: An FMI should regularly review risks arising from tiered participation arrangements and should take mitigating action when appropriate.
Response: The risk arising from the tiered participation arrangement is the responsibility of the sponsor bank.
The sponsor bank assumes the complete responsibility of the sub-member and also define the transaction limits for its sub-member. NPCI assigns overall exposure limit to Sponsor bank. Sponsor banks assign a portion thereof to each sub-member banks sponsored by them. NPCI monitors the limit utilization at sponsor bank level to determine the overall exposure arising out of tiered participation arrangement.
The sponsor bank must possess a board-approved risk management framework to support sub-members, including the responsibility of conducting fraud monitoring for sub-members and promptly notifying NPCI of any suspicious transactions or breaches.
An FMI should be efficient and effective in meeting the requirements of its participants and the markets it serves.
Key consideration 1: An FMI should be designed to meet the needs of its participants and the markets it serves, in particular, with regard to choice of a clearing and settlement arrangement; operating structure; scope of products cleared, settled, or recorded; and use of technology and procedures.
Response: NPCI Group’s Product Steering Committee consist of representatives from member banks, non-bank players, RBI authorized payment system providers and special invitees. The committee provides guidance on key issues such as product development, fees and interchange structure. The committee is formed to take key decisions with respect to various products on behalf of the ecosystem member banks/entities. Any policy level or product level enhancements are deliberated with participants before implementation and also participants’ suggestions are considered. The Steering Committee may also decide to form Working Groups or Study groups, task force or sub-committees for taking decisions over special matters as and when required.
Key consideration 2: An FMI should have clearly defined goals and objectives that are measurable and achievable, such as in the areas of minimum service levels, risk-management expectations, and business priorities.
Response: NPCI’s objective is to provide efficiency in operations, system availability, etc. and widen the reach of payment systems.
NPCI endeavours to consolidate and integrate multiple systems with varying service levels into nationwide uniform and standard business process for all retail payments system operated by it. NPCI endeavours to promote digital payments and reduce reliance on cash transactions in India. NPCI also ensures maintaining the security and reliability of payment systems managed by it.
NPCI ensures that it has clearly defined goals and objectives that are measurable and achieved through:
Key consideration 3: An FMI should have established mechanisms for the regular review of its efficiency and effectiveness.
Response: In order to measure or evaluate the effectiveness of operations, NPCI has defined Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for various products/process. Internal audits assess its operational efficiency, adherence to policies and procedures and overall effectiveness. The KPIs and KRIs for product/process are measured and analyzed on a monthly basis by the Risk function. The Risk Management Committee of the Board exercises oversight on efficiency and effectiveness regularly.
An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.
Key consideration 1: An FMI should use, or at a minimum accommodate, internationally accepted communication procedures and standards.
Response: The NPCI Group has implemented internationally recognized communication procedures, adhering to ISO or XML specifications. These standards are specifically employed for messaging protocols across TCP/IP and HTTP network protocols, ensuring compatibility and seamless communication in a global context. By adopting these widely accepted norms, the NPCI Group fosters interoperability, facilitates international transactions, and enhances the overall efficiency of its communication processes within the financial ecosystem.
NPCI Group has adopted internationally accepted guidelines of EMVCo specifications and ISO 8583 messaging protocols and standards. XML or JSON or ISO messaging protocols used for interfacing over secure TCP/IP network are chosen as online and back-office communication standards to facilitates efficient payment, clearing, settlement and recording.
An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed.
Key consideration 1: An FMI should adopt clear and comprehensive rules and procedures that are fully disclosed to participants. Relevant rules and key procedures should also be publicly disclosed.
Response: NPCI has documented procedural guidelines, Technical Specifications document, for each of the products offered which define the guidelines to be followed by members/participants of the ecosystem and mandate all the members to follow certain standard procedures to ensure smooth, secure, and effective operations. It elaborates various aspects such as overview of product, membership and onboarding process, role of NPCI, operating procedures for members, dispute resolution, risk management, administrative policies and procedures etc. The guidelines are circulated to all the members at the time of member onboarding and amended guidelines are issued as and when required.
The product booklets for all the products are available on the NPCI website. The product booklet outlines the overview of the product, business uses, business benefits, participants, use cases and governing rules and regulations. Disclosures are also made on the roles and responsibilities of participants, dispute redressal mechanism, circulars issued, product statistics, steering committee meeting minutes, etc. Further, guidelines related to settlement guarantee mechanism, the operational aspects of SGM and debarring of defaulting bank(s), arrangement for loss sharing mechanism, etc. are documented in the Standardized SGM policy of NPCI.
The guidelines define the overview of the product, responsibilities and liabilities of NPCI and participants in the ecosystem, member eligibility and onboarding requirements, user onboarding procedures, requirements/criteria for third part entities, indirect participants, dispute resolution procedure, compliance and regulations, circulars issued by NPCI and various other relevant aspects.
In order to ensure that all the rules and procedures are clear and understandable, NPCI has constituted Product Steering Committee to discuss and deliberate on business, operational and technical issues. The committee comprises representatives from promoter banks, non-promoter participating banks and subject matter experts. All the procedural guidelines and the NIPL Network Operating Regulations are approved by the respective functional Head of the Product.
NPCI has adequately addressed non-routine yet foreseeable events through a well-structured framework, which is covered in the following documents:
Any proposed changes in rules and procedures are discussed with the participating members in the steering committee/working group meetings. The feedback of participants is taken into consideration and circulars are issued as per the decision taken in Steering Committee/Working Group Meetings.
Key consideration 2: An FMI should disclose clear descriptions of the system’s design and operations, as well as the FMI’s and participants’ rights and obligations, so that participants can assess the risks they would incur by participating in the FMI.
Response: NPCI’s system design and operations are included in Procedural Guidelines (PG), Operating Settlement Guideline (OSG), System Documentation, User manuals and Guides.
Procedural Guidelines and product operations/process flow are disclosed and shared with all the participants at the time of onboarding or in case of any amendment. Technical Specification Document is shared with the members before onboarding.
The Participant Agreement and Procedural Guidelines delineate the roles, responsibilities, rights, and obligations, and these are communicated to participant members during onboarding and periodically thereafter. This ensures transparency and alignment with established frameworks, allowing for effective collaboration and compliance with defined standards.
The rights and obligations of the stakeholders involved in the ecosystem are clearly disclosed and are articulated in the procedural guidelines. The guidelines specify the roles and responsibility of the direct and indirect participants and the third-party application providers with regards to the compliance to all the regulatory requirements, NPCI guidelines, dispute resolution and other rights and obligations of the participants.
Key consideration 3: An FMI should provide all necessary and appropriate documentation and training to facilitate participants’ understanding of the FMI’s rules and procedures and the risks they face from participating in the FMI.
Response: In order to facilitate participants understanding of the rules and procedures and the risk associated with the participation, NPCI provides all the necessary documents including the procedural guidelines, Settlement policies to the participants. The service level agreement entered into with the participating member banks establishes the risk and liabilities of the parties to the agreement. Further, periodic training is organized for the participants to facilitate participant understanding of all the rules and procedures.
Training organized for participants and comprehensive documentation shared with the participants ensure participants understanding of the FMI’s rules, procedures and the risks they face from participating in the ecosystem. Feedback/suggestions of the participants are also sought through the steering committee meetings organized.
The Surveillance and Enforcement function monitors the compliance by the participants of various rules and procedures. Non-compliance by any participant facilitates taking corrective measures so that the participant clearly understands rules and procedures.
Key consideration 4: An FMI should publicly disclose its fees at the level of individual services it offers as well as its policies on any available discounts. The FMI should provide clear descriptions of priced services for comparability purposes.
Response: Fees are determined and revised periodically based on discussion and consultation with members of the Steering committee or as per the regulatory directions. The pricing circulars are made available to members.
NPCI’s customers are mostly financial and other institutions and typically does not have any relationships directly with end consumers.
Key consideration 5: An FMI should complete regularly and disclose publicly responses to the CPSS-IOSCO disclosure framework for financial market infrastructures. An FMI also should, at a minimum, disclose basic data on transaction volumes and values.
Response: NPCI completes PFMI assessment regularly and discloses the responses on its website.
The product statistics for all products of NPCI Group are published on the website.
NPCI discloses information surrounding the governance including the information pertaining to Board of Directors, Board Committees, Management Team, the overall organization structure and the financial information. Product specific information such as product features and offering, transaction flows, participants roles and responsibilities, product circulars, member onboarding process, steering committee members and abridged meeting minutes, dispute resolution mechanism etc. are also disclosed on the website. In addition, the risk management framework, risk circulars, salient features of default rules and procedures including settlement guarantee mechanism are also disclosed on the website.
Press releases are made to announce launch of any new products or services or for creating public awareness. The disclosures are made available in English Language.