New Payments Platform (NPP): Mandatory Compliance Regime

The NPPA looks to ensure quality and security for the New Payments Platform

Since launch of the New Payments Platform, the industry has seen a continual increase in consumer awareness and transactional volume. NPPA is now shifting focus to ensuring the platform delivers quality and new functionality through the NPP Mandatory Compliance Framework

NPP Mandatory Compliance Framework to Ensure Quality Standards

In June 2019, the NPPA Board approved the introduction of NPPA’s Mandatory Compliance Framework (MCR) to ensure that all participants comply with a minimum set of capabilities such as performance, security and integrity requirements.

The key objective of implementing a compliance framework, which introduces strong risk and governance procedures for the payment stream, is to ensure a standard of quality across the board for all stakeholders – participants and customers alike.

The NPPA Board will designate requirements as mandatory compliance requirements, categorise them and determine the effective compliance date. NPPA will enforce the adherence to the MCR and any participant found to be non-compliant to the MCR may be subjected to financial penalties.

Requirements for Integrity & Operations

The MCR will be applied across two categories – integrity and operational requirements. Integrity requirements encompass items that are integral to the operation of the NPP. Operational requirements refer to items that do not necessarily affect the functional operation of the NPP, but create operational impacts. Fundamentally, the compliance to these new requirements ensures that all NPP participants are providing a minimum standard of quality and the core payment functionality is uniform across all participants.

By applying this minimum standard, the NPPA is also aiming to make the commercialisation of NPP (and future NPP products) easier for all participants.

Technical Controls and Monitoring to Enhance Security

It is now timely that NPPA has decided to enforce new Addressing Service protocols to ensure the platform provides customers with confidence that they can make payments in a secure environment.  With the execution of the new Addressing Service requirements, new technical controls and monitoring will need to be put in place by all participants to reduce any potential security incidents and identify any system vulnerabilities early.  These new requirements were approved by the NPPA Board in September 2019 and will be designated as mandatory compliance requirements (and thus subject to non-compliance charges) by 12 December 2019.

Indue has engaged directly with its NPP clients to provide the detailed requirements and ensure compliance.