Foreign-owned card payment network companies such as Mastercard, American Express and Diners Club have been barred by India’s banking regulator from enlisting new domestic customers in 2021 due to non-compliance with data localisation storage norms.
In the most recent instance, the Reserve Bank of India (RBI) on July 14 imposed curbs on Mastercard Asia Pacific Pte. Ltd. (Mastercard) from onboarding new domestic customers (debit, credit or prepaid) onto its card network from July 22, 2021.
Earlier in April, the RBI had imposed similar curbs on American Express Banking Corp (Amex) and Diners Club International Ltd. from May 1, due to non-compliance on the storage of data.
The RBI's circular dated April 6, 2018, on storage of payment system data had asked all system providers (operating a card network in India under the Payment and Settlement Systems Act, 2007) to store all end-to-end transaction data related to their Indian operations in a system located in the country.
The data includes full end-to-end collected information, processed or carried information, payment instructions in part or in full, and transaction details, among others.
According to RBI data, there were 96.47 crore cards in India, including 90.23 crore debit cards and 6.239 crore credit cards as of May 2021.
The total number of transactions (both ATM and POS) in May 2021 was 81,48,98,429 valued at Rs 3.01 lakh crore, inclusive of 67,96,65,260 debit card transactions valued at Rs 2.46 lakh crore and 13,52,33,169 credit card transactions valued at Rs 55,033.03 crore.
The RBI even vetoed the Finance Ministry’s suggestion to relax norms.
The central bank wanted a single common data source to enforce the law and empower authorities to access an efficient and effective data storage system in the wake of growing digital transactions and frauds.
All such card companies had to file a compliance report, along with an audit compliance report (as per the system approved by the board) by a CERT-In empanelled auditor, within a specified time period.
Mastercard, American Express and Diners Club were among the globally operating card companies that made excuses such as higher operating costs, enhanced security risks, and similar compliance demands from other countries.
The international companies said that they have centralised systems globally and added that they will have to spend a lot of money to create new systems for localised storage of data.
The RBI claims to have given Mastercard and others almost three years to comply with India’s regulatory guidelines with respect to storage of data.
Mastercard (and Visa) are the world's most popular payment gateways or card associations, which partner with credit, debit and prepaid card options, but do not issue any cards. There is no clarity on Visa’s status as of now.
(Edited by: Kanishka Sarkar)