
Contents

1.0 Risk management
1.1 Business and Technology
1.2 NPCI Strategy for risk management
1.3 Operational risk management
1.4 Fraud risk management
1.5 Settlement risk management
1.6 Enterprise risk management
1.7 Cyber Security
1.8 Quality drive achievement

1.0 Risk management

Risk management is the process of identifying, assessing and controlling threats
to an organization's capital and earnings. These threats, or risks, may come from
a wide range of sources, including economic uncertainty, legal liabilities,
strategic management errors, accidents and natural disasters. Threats to IT
security, data-related risks, and the risk management strategies to mitigate them
have become a priority for digitized organizations. As a result, a risk management
plan increasingly includes approaches to identifying and controlling threats to
digital assets, which include proprietary data, personally identifiable customer
information, and intellectual property.

1.1 Business and Technology


Comprehensive risk management enables management to take risk in a managed
manner. To give a holistic view of retail payment systems, risks and
opportunities are assessed and analyzed on a continuing basis using both top-down
and bottom-up approaches. As part of the risk management framework, we use a set
of standards that make up the risk management culture we want to promote, preach
and practice at NPCI.

The process we follow is as follows:

Recognition - identify any chance of risk early on and take proactive steps before
it gets out of hand.

Improvisation - of new methods, strategies and tools to secure better monitoring,
providing for a feed-forward rather than a feedback system.

Segmentation - to address smaller systems and sub-structures individually in order
to address their specific functions while also being mindful of the systemic
effect; and

Knowledge - to enable knowledge-based decisions in a knowledge-driven economy,
resulting in scientifically engineered and output-oriented action.

Our risk management process is in place for the timely identification and
assessment of risks facing the enterprise, monitoring the trend and pattern of
identified risks, and subsequently mitigating the risks together with the
identified risk owners. NPCI has designed the Enterprise Risk Framework drawing
guidance from the regulatory guidelines of the Reserve Bank of India, the ISO
31000:2009 standard, the COSO framework and recommendations from the Bank for
International Settlements. Additionally, based on regulatory requirements, NPCI
is aligned with the applicable principles of the PFMI guidelines. This ensures
that NPCI has effective systems and controls in place to identify, measure,
monitor, control and report risks arising in and across NPCI's operations,
business and business-enabling functions. Ultimately, the responsibility for
setting our risk appetite and for the proficient management of risks rests with
the Board of Directors, which provides overall risk management supervision. Board
Committees are specifically entrusted with oversight of risk management. The
committees that form part of Governance, Risk & Compliance are the Risk
Management Committee (RMC) of the Board and the Internal Risk Management
Committee, for efficient governance.

1.2 NPCI Strategy for risk management

Risk management is crucial to the vision, mission and goals of NPCI to ensure the
safety, security and sustainability of domestic retail payment systems. Effective
risk management is important in order to create critical mass and optimum
risk-reward, and is consequently regarded as the epicenter of decision-making at
NPCI. Risk management is carried out within the framework of corporate risk
management, with the goal of maximizing risk-adjusted returns while remaining
within defined risk appetite and tolerance levels.

1.3 Operational risk management


Operational risk is the risk arising from inadequate or failed internal processes,
systems, human error, or external events related to any element of payment,
clearing and settlement systems.

NPCI ORM: NPCI identifies and assesses the operational risk inherent in all its
material products, activities, processes and systems. Furthermore, NPCI ensures
that the operational risk inherent in them is subject to appropriate assessment
procedures before new products, activities, processes and systems are introduced
or undertaken.

Operational risk management includes measuring, monitoring, reporting,
identifying, evaluating and controlling risk.

The objectives of the NPCI ORM framework are:

• Identifying, assessing, controlling, measuring, monitoring and reporting
operational risks across the organization for all units.

• Developing a "risk-conscious" culture that encourages all employees to identify
and respond to risks and related opportunities with cost-effective actions.

1.4 Fraud risk management

As part of fraud risk management at the network level, NPCI has designed and
implemented a real-time Fraud Risk Monitoring and Management (FRM) solution.
This solution is envisaged as a value-added service offered by NPCI to member
participants as a real-time monitoring tool for fraud detection and prevention.
The solution is intended to be implemented for all the online products offered
by NPCI and, as of date, it is implemented for NFS and RuPay. The solution is
used for monitoring ATM, POS, e-commerce, UPI and RuPay credit cards.

The system can process transactions in Real Time (RT) and Near Real Time (NRT)
modes. Member banks monitor the alerts through web-based access provided by NPCI.
Frauds have been identified by member banks through online monitoring of the
alerts. The system is being upgraded to handle acquirer-level monitoring, online
predictive scoring based on transaction patterns, and automated Compromise Point
and Period (CPP) analysis. NPCI has conducted numerous workshops and training
sessions in Mumbai as well as in other cities and has covered the majority of the
banks. These workshops and training sessions are conducted to help member banks
understand the need for a fraud risk monitoring and management solution to reduce
fraud exposure, and to explain and demonstrate the various features and
functionalities of the system. Identification of compromise points and the period
of compromise is another service that NPCI provides to member banks. Once fraud
is reported by member banks, the NPCI Fraud Risk team analyses the data on the
card and on other such cards on which fraud is reported to identify common usage
points and arrive at suspected compromise points. A series of fraud incidents
occurred this year, and NPCI's role in the timely identification of compromise
points and in flagging them to member banks so that they could take proactive
measures was crucial and has been well appreciated by the banking community.
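
The common-usage-point analysis described above can be illustrated as follows. This is an added example, not NPCI's own code: the card IDs, usage-point names, dates, the function name `cpp_analysis` and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card_id, usage_point, date of use before the report).
FRAUD_CARDS = {"C1", "C2", "C3"}          # cards on which fraud was reported
HISTORY = [
    ("C1", "ATM-017", date(2024, 3, 3)), ("C2", "ATM-017", date(2024, 3, 5)),
    ("C3", "ATM-017", date(2024, 3, 9)), ("C4", "ATM-017", date(2024, 3, 20)),
    ("C1", "ECOM-SHOP", date(2024, 3, 11)), ("C5", "ECOM-SHOP", date(2024, 3, 12)),
] + [(f"C{i}", "POS-GROCER", date(2024, 3, 1)) for i in range(1, 10)]


def cpp_analysis(history, fraud_cards, min_coverage=0.6, min_lift=2.0):
    """Return suspected compromise points with their period of compromise.

    Each result is (usage_point, coverage, lift, (first_use, last_use)), where
    coverage is the share of fraud-reported cards seen at the point and lift is
    the fraud rate among cards seen there divided by the overall fraud rate.
    The thresholds are assumptions chosen for this example.
    """
    all_cards = {card for card, _, _ in history}
    known = set(fraud_cards) & all_cards
    if not known:
        return []
    base_rate = len(known) / len(all_cards)
    cards_at = defaultdict(set)       # usage point -> every card seen there
    fraud_dates = defaultdict(list)   # usage point -> dates fraud cards used it
    for card, point, day in history:
        cards_at[point].add(card)
        if card in known:
            fraud_dates[point].append(day)
    results = []
    for point, cards in cards_at.items():
        hit = cards & known
        coverage = len(hit) / len(known)
        lift = (len(hit) / len(cards)) / base_rate
        # A busy point that every card uses has high coverage but lift near 1.
        if hit and coverage >= min_coverage and lift >= min_lift:
            period = (min(fraud_dates[point]), max(fraud_dates[point]))
            results.append((point, round(coverage, 2), round(lift, 2), period))
    return sorted(results, key=lambda r: (-r[1], -r[2]))


if __name__ == "__main__":
    for row in cpp_analysis(HISTORY, FRAUD_CARDS):
        print(row)
```

On the sample data only ATM-017 is flagged: POS-GROCER was used by every fraud-reported card, but also by every other card, so it carries no signal.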

1.5 Settlement risk management


As a domestic retail payment system operator, NPCI is exposed to settlement risk
conditions along with its member participants. Settlement risk is the risk that a
counterparty, whether a participant or another entity, will have insufficient
funds to meet its financial obligations as and when expected, although it may be
able to do so in the future. This risk could also result in principal risk.
(Principal risk is the risk of losing the transaction value because of bankruptcy
or default.) Thus, on the settlement date, both parties to the financial
transaction are potentially exposed to settlement risk. Settlement-related issues
have the potential to create systemic problems, particularly in times of
insolvency, financial market infrastructure failure, or central bank moratoriums.

• The Payment and Settlement Systems Act, 2007 (hereinafter referred to as the PSS
Act, 2007)

• Chapter V of the PSS Act, 2007 u/s 23: Rights and duties of the payment system
provider in respect of settlement and netting

• Chapter VI of the PSS Act, 2007 u/s 24: Settlement of disputes

NPCI adheres to the legal basis and specific statutes as applicable. As an ongoing
process and under the relevant laws, NPCI maintains an adequate affirmative
position on the settlement process, follows a risk-based approach that safeguards
the enterprise against the exigencies of settlement risk, and reports and
communicates any default situation to the RBI and member banks. NPCI is aware of
the settlement-related risk to payment systems, in particular NFS/ATM, IMPS, UPI,
AEPS, Bharat BillPay, NETC and RuPay. In this respect, NPCI has created a
Settlement Guarantee Mechanism consisting of pledged cash collateral and pooling
of funds through a committed credit line for payment systems, to tackle any
adverse effects of liquidity/credit risk. Effective instruments and methods are
in place to proactively track and handle any plausible stress situations that
could lead to systemic risk and potential downside.

General loss sharing mechanism for payment systems:

Loss occurs when an organization fails to fulfill its payment commitments. In such
a case, NPCI guarantees the commitment not honored by the failed member bank. A
member's failure would not hamper the settlement process, as the Settlement
Guarantee Fund [SGF] would immediately come into operation to meet the immediate
liquidity funding requirement. In the event of a temporary failure, the amount is
replenished by the defaulting member bank(s) itself. In the event of the permanent
failure of a member bank(s), the surviving member banks of the respective payment
system that participated in that cycle on that day shall bear the net obligation
of the defaulting member bank(s). The amount recovered from the surviving member
banks would be used to replenish the funds drawn from the Settlement Guarantee
Fund [SGF] to meet the settlement.

1.6 Enterprise risk management

NPCI is committed to being established as an institution that treats risk
management as one of its core capabilities and as an integral part of all of its
business and support functions and culture.

ERM in NPCI:

NPCI has created an Enterprise Risk Management (ERM) framework that applies to
NPCI as an organization and helps to achieve the strategic goals of NPCI by
providing a systematic approach to defining, analyzing/evaluating, assessing,
mitigating, tracking and reporting risk and control. The ERM process will lead to
proactive decision-making and will enhance the efficiency of NPCI as it combines
governance, risk and opportunity management, compliance, and financial reporting.

1.7 Cyber Security

NPCI firmly believes that cyber security is critical and has established robust
processes to protect the organization's intellectual assets. The Infosec team of
NPCI is responsible for protecting information and systems from major cyber
threats. Our team ensures the protection of information, data and systems from
unauthorized access, disclosure, disruption, modification or destruction, so that
threats do not disrupt or damage the confidentiality, integrity and availability
of NPCI facilities. At NPCI, we have adopted world-class cyber security to manage
private and sensitive data effectively. Our team has developed an extensive set
of policies and has followed through on the design, implementation and
maintenance of those policies, processes, standards and procedures to manage risk
to its information assets, thereby ensuring appropriate levels of risk. We ensure
that processes remain effective and efficient and adapt to changes occurring
within the internal organization, among stakeholders and in the external
environment.

Being certified for PCI DSS v3.2, ISO 27001:2013 and ISO 22301:2012, NPCI has
implemented suitable controls including policies, processes, procedures,
organizational structures and software and hardware functions. NPCI shows a
commitment to cyber security across the organization at all levels. An effective
cyber security program protects data and information throughout its life, from
initial creation to final disposal. NPCI follows globally recognized techniques,
processes and practices designed to protect networks, devices, applications and
data from attack, damage or unauthorized access, in order to improve customer and
stakeholder confidence.

1.8 Quality drive achievement

NPCI has been certified for ISO 9001:2015 (Quality Management System), ISO
22301:2012 (Business Continuity Management System) and ISO 27001:2013
(Information Security Management System) since the year 2014 across all our
office locations.

I. ISO Recertification

ISO 9001:2015 Standard: NPCI has been certified for Quality Management System,
which focuses on the process approach and targets our ability to consistently
provide products/services that meet customer and applicable statutory and
regulatory requirements. It enables us to enhance our customer satisfaction with
the active involvement of our top management and employees.

ISO 22301:2012 Standard: NPCI has been certified for Business Continuity
Management System, which demonstrates our ability to resume our most critical
processes within a timeframe during a calamity or disaster to ensure that all
products and services are secure, user-friendly, automated and available round
the clock.

ISO 27001:2013 Standard: NPCI has been certified for Information Security
Management System, which focuses on a systematic approach to managing our
sensitive company information so that it remains secure.

II. IMC Ramakrishnan Bajaj National Quality Award (RBNQA)

The IMC RBNQA criteria for Performance Excellence have been an enriching
journey for all of us at NPCI since the year 2015. In the year 2015, National
Payments Corporation of India was honored with a “Certificate of Merit” by the IMC
RBNQA Trust. Subsequently, NPCI was declared a winner of the Performance
Excellence Trophy in the Service Category for “IMC Ramakrishnan Bajaj National
Quality Award Cycle – 2016”.
