The Pension Fund Regulatory and Development Authority (PFRDA) issued a circular on 21st February, 2024, pertaining to the Risk Management Framework for the Central Recordkeeping Agencies (CRAs) under the National Pension System (NPS) architecture. The framework is mandated under the PFRDA Act, 2013, and aims to ensure high standards of service, due diligence, and proper care in operations, supported by internal control systems, procedures, and safeguards within the CRAs, so as to protect the interests of subscribers. The circular requires each CRA to develop its risk management framework and submit it to the Authority within 120 days from the date of issuance of the circular. Any exception to the stipulated timeline shall be supported with cogent reasons and requires the prior approval of the Authority. The framework covers governance and organization, operational risk management policy, risk assessment and control, fraud prevention controls, supplementary risk mitigation measures, red alerts, monitoring or examination of Permanent Retirement Account Numbers (PRANs), and quality policy.
The circular sets out the definitions relevant to the risk management framework, including cyber risk, cyber incident, cyber-attack, information and communication technology (ICT) risk, and vulnerability. It states that the Risk Management Framework applies to all registered CRAs and calls for best governance practices in risk management. It then lists the objectives of the Risk Management Framework: managing associated risks, fostering a strong risk culture, implementing appropriate risk mitigation and avoidance policies, ensuring sufficient controls, and delivering fair outcomes for subscribers. The circular also spells out what is expected of CRAs in formulating, approving, and implementing a comprehensive risk management framework that incorporates security management, response and recovery plans, and periodic reassessment of security measures.
The framework further details risk assessment and control, requiring CRAs to conduct comprehensive risk assessments, design and implement security measures, and establish appropriate security monitoring systems. It also provides for supplementary risk mitigation measures, such as red alerts for potential fraud areas and monitoring or examination of PRANs, together with a quality policy to ensure consistent quality assurance across all types of transactions. The circular concludes by underlining the importance of additional measures that support the risk management process, allowing CRAs to update their risk mitigation and management processes in light of their own experience and the evolving technological environment.