The government’s new rules for e-wallet companies may hurt the firms. The Information Technology (IT) Ministry has released a set of guidelines for digital wallet companies to boost a secure electronic payment and grievance redressal system.

According to top e-wallet player Paytm, the new rules will change the way their business is being run. Paytm CEO Vijay Shekhar Sharma feels that the new authentication system will put extra burden on them as the government will decide on the customer authentication system including the way you log in and pay. The companies will also have to disclose information from all sources to the government and purpose for it.

The draft titled Information Technology (Security of Prepaid Payment Instruments) Rules, 2017, requires digital wallets or Prepaid Payment Instruments (e-PPIs) to adopt multiple-factor authentication when a customer initiates payment. That could hit mobile wallets, which often highlight seamless transactions as one of the biggest advantages over credit and debit cards.

The draft rules make it mandatory for e-wallets to develop and implement a privacy policy and an information security policy for their payment systems.  All e-wallet firms will have to display on their website and mobile app the privacy policy and the terms and conditions in easy language.

As part of the privacy policy, the company will have to publish information that includes information collected directly from the customer or otherwise, its usage, period of retention and the circumstances under which can be disclosed and the recipients including law enforcement agencies.

Payments Council of India chairman and ItzCash MD Naveen Surya says the reporting authority may change from Reserve Bank of India to IT ministry. PCI, a lobby group of e-wallet companies which has about 50 mobile wallet companies under its umbrella, is planning to approach the government on seek clarity on the issue.

The draft has also listed security measures that e-wallet companies will have to follow. It mentions standards for data protection and redressal methods for customers including appointing a grievance officer. These will have to be reviewed once a year. The draft policy also says that in case of any breach, the company will have to revamp its policies.

The PPIs will have to put in place a mechanism for monitoring, handling, and follow-up of cyber security incidents and security breaches. The Computer Emergency Response Team (CERT-In), an expert group that handles computer security incidents, has to notify the kind of incidents and breaches that need to be reported to them and to the customers.

Mobile wallet transactions in the country have hit a record high following the demonetisation of high value currency notes by the government in November, last year. However, there are no standardised security terms for e-wallet companies at present. The draft rules have been put up for public consultation. The last date for sending responses is 20 March.