The RBI has barred Mastercard, American Express & Diners Club from enrolling new customers for not storing their data in India. What are the RBI guidelines on data storage, and the issues involved?
The RBI said it had given almost three years for Mastercard to comply with the regulatory directions, but it was unable to complete the process.
The Reserve Bank of India has so far barred three foreign card payment network companies — Mastercard, American Express and Diners Club — from taking new customers on board over the issue of storing data in India. Here’s what it means for customers and the payment system in India:
Why have these companies been barred from enrolling new customers?
On July 14, the RBI imposed restrictions on Mastercard Asia Pacific Pte Ltd from onboarding new domestic customers (debit, credit or prepaid) in India from July 22, citing non-compliance with guidelines for storage of data in India. The RBI said it had given almost three years for Mastercard to comply with the regulatory directions, but it was unable to complete the process.https://images.indianexpress.com/2020/08/1×1.png
In April this year, the RBI had imposed restrictions on American Express Banking Corp and Diners Club International Ltd from enrolling new domestic customers onto their card networks from May 1, 2021, also citing non-compliance of storage of data.
Will existing card users and banks be affected?
No. Existing customers using a credit card or a debit card with Mastercard, American Express or Diners Club as the payment network can continue using these. Banks and non-banking finance companies that were planning to use these payment networks won’t be able to use these platforms to enrol new customers until the RBI lifts the ban.
“This leaves only Visa Inc and homegrown NPCI’s RuPay as payment providers under no restrictions currently. We don’t know if Visa has fulfilled all the requirements of data localisation as envisaged in the Storage of Payment System Data circular of the RBI. In the near term, we don’t foresee any material impact on card issuers (especially credit card issuers), but there could be a medium-term impact if this situation persists,” banking group Nomura said in a report. Banks that were planning for new customers through Mastercard will have to look at Visa for enrolment.
Yes Bank, RBL Bank and Bajaj Finserv are likely to be most impacted as their entire card schemes are allied with Mastercard, Nomura said. Around 60% of HDFC Bank’s card schemes are tied to Mastercard, Diners and AmEx. For ICICI Bank and Axis Bank, 35-36% are linked to Mastercard. The card portfolio of Kotak Mahindra Bank is allied with Visa.
What do the RBI guidelines stipulate?
By the RBI circular on Storage of Payment System Data dated April 6, 2018, all system providers were directed to ensure that within six months the entire data (full end-to-end transaction details, information collected or carried or processed as part of the message or payment instruction) relating to payment systems operated by them is stored in a system only in India. They were also required to report compliance to the RBI and submit a board-approved system audit report conducted by a CERT-In empanelled auditor within the timelines specified. However, credit and card firms with global operations have been resisting the move, citing costs, security risk, lack of clarity, timeline, and the possibility of data localisation demand from other countries.
According to Kazim Rizvi, Founding Director of think-tank The Dialogue, the RBI’s decision to restrict entities from onboarding new customers is a crucial development in their endeavour to ensure that all payment system operators store or localise their end-to-end transaction data only in India. “The motivation behind such a move is to carry out effective law enforcement requirements as data access for law enforcement purposes has been a challenge,” Rizvi said.
Why have these firms not complied?
The RBI had stipulated that data should be stored only in India and no copy — or mirroring — should be stored in other countries. Payment firms like Visa and Mastercard, which currently store and process Indian transactions outside the country, have said their systems are centralised and expressed the fear that transferring the data storage to India will cost them millions of dollars. Besides, once it happens in India, there could be similar demands from other countries, upsetting their plans.
What has upset foreign players is that domestic payment companies, including e-commerce firms, which are storing the data within India, were putting pressure for data storage within the country. While the Finance Ministry had suggested some easing of norms in transferring the data, the RBI has refused to budge, stating that the payment systems need closer monitoring in the wake of the rising use of digital transactions. It’s not clear if Visa has obliged the RBI and transferred data storage to India.
Is there a way out?
Experts agree that it is necessary for all entities to comply with the RBI’s localisation mandate. “At the same time, however, it’s true that hard localisation may impact India’s payments ecosystem,” Rizvi said. 📣 Express Explained is now on Telegram. Click here to join our channel (@ieexplained) and stay updated with the latest
“To have a more effective mechanism for law enforcement, we need to move beyond MLAT (Mutual Legal Assistance Treaty), which is slow and ineffective, to a system based on bilateral treaties on data transfers with the EU, UK and the US. Here, the idea must be to ensure that Indian law enforcement requirements of access to data are met in a timely manner while at the same time allowing data flows to foster innovation and trade in the tech ecosystem,” Rizvi said. However, the RBI is against the suggestion that a copy of data stored outside be brought to India.
What’s the role of card networks?
Firms such as Mastercard, Visa and National Payment Corporation of India (NPCI) are Payment System Operators authorised to operate a card network in India under the Payment and Settlement Systems (PSS) Act, 2007. Under the Act, the RBI is the authority for the regulation and supervision of payment systems in India. The RBI’s payment system enables payments to be effected between a payer and a beneficiary and involves the process of clearing, payment or settlement, or all of them.
Funds transferred using debit or credit cards are routed through platforms such as Mastercard, Visa and NPCI. The RBI has decided to allow non-bank entities — Prepaid Payment Instrument (PPI) issuers, card networks, White Label ATM (WLA) operators, Trade Receivables Discounting System (TReDS) platforms – to become members of the centralised payment system (CPS) and effect fund transfer through RTGS and NEFT.
How big is India’s card business?
According to RBI data, there were 90.23 crore debit cards and 6.23 crore credit cards in India as of May 2021. There were 57,841.30 lakh debit and credit card transactions valued at Rs 12.93 lakh crore during 2020-21. Of these, debit card transactions accounted for a volume of 40,200.24 lakh valued at Rs 6.62 lakh crore.