Over the problem of storing data in India, the Reserve Bank of India has blocked three foreign card payment network providers — Mastercard, American Express, and Diners Club — from taking on new customers. What this entails for Indian clients and the payment mechanism is as follows:
The RBI banned Mastercard Asia Pacific Pte Ltd from onboarding new domestic clients (debit, credit, or prepaid) in India starting July 22 due to non-compliance with Indian data storage requirements. The RBI stated that it had given Mastercard over three years to comply with regulatory directives, but that company had been unable to complete the procedure.
The RBI banned American Express Banking Corp and Diners Club International Ltd from enrolling new domestic users on their card networks from May 1, 2021, citing non-compliance with data storage regulations. Customers who have a credit card or a debit card with the payment networks Mastercard, American Express, or Diners Club can keep using them. Banks and non-banking financing organisations who wanted to use these payment networks to enrol new consumers won’t be allowed to do so until the RBI lifts the restriction.
“As a result, only Visa Inc. and NPCI’s RuPay are currently unrestricted payment providers. We don’t know if Visa has met all of the data localization standards outlined in the RBI’s Storage of Payment System Data circular. We don’t expect any major impact on card issuers (particularly credit card issuers) in the near term, but a medium-term impact is possible.
Yes Bank, RBL Bank, and Bajaj Finserv are the most likely to be affected because their entire card programmes are linked to Mastercard, according to Nomura. Mastercard, Diners, and AmEx account for over 60% of HDFC Bank’s card schemes. Mastercard is linked to 35-36 percent of ICICI Bank and Axis Bank accounts. Kotak Mahindra Bank’s card portfolio is partnered with Visa.All system providers were directed to ensure that the entire data (full end-to-end transaction details, information collected, carried, or processed as part of the message or payment instruction) relating to payment systems operated by them is stored in a system only in India by the RBI circular on Storage of Payment System Data dated April 6, 2018.They were also expected to notify the RBI of their compliance and submit a board-approved system audit report done by a CERT-In empanelled auditor within the prescribed time frames. However, multinational credit and card companies have resisted the move, citing costs, security concerns, a lack of transparency, a tight schedule, and the prospect of data localization demands from other nations as reasons.
The RBI’s move to prohibit entities from onboarding new clients, according to Kazim Rizvi, Founding Director of think-tank The Dialogue, is a critical step in ensuring that all payment system providers keep or localise their end-to-end transaction data only in India. “Such a move is motivated by the desire to carry out effective law enforcement obligations such as data access. The Reserve Bank of India has mandated that data be stored only in India, with no copies — or mirroring — held in other nations. Payment companies such as Visa and Mastercard, who now store and process Indian transactions outside of India, have stated that their systems are centralised and that moving the data storage to India would cost them millions of dollars. What has irritated foreign players is that domestic payment companies, especially e-commerce enterprises, are exerting pressure on the government to store data within India. While the Finance Ministry suggested loosening the rules for exchanging data, the RBI has refused to budge, claiming that the payment systems need to be monitored more closely in light of the growing use of bitcoin.
“In order to have a more efficient law enforcement apparatus, we need to move away from the MLAT (Mutual Legal Assistance Treaty), which is slow and ineffective, and toward a system based on bilateral data transfer accords with the EU, UK, and US. The goal here must be to ensure that Indian law enforcement needs for data access are satisfied in a timely way while also allowing data to flow freely.