The Reserve Bank of India (RBI) will now set audit guidelines for the independent technology audit of Paytm Payments Bank after it banned the company from onboarding new customers for alleged violations of customer acquisition and privacy rules with a possible data flow to companies of Chinese origin.

Paytm Payments Bank will submit a list of third-party auditors for approval in the next few days, two people familiar with the matter told The Economic Times. The central bank will then select and pick the final candidate from the submitted list. The terms and references for the independent technology audit will also be set by the RBI based on its findings, that include the company not meeting the Know Your Customer (KYC) norms.

"The payments bank did not plug the gaps in the system even after repeated relevant references by the regulator. There were consistent deficiencies found in the bank's KYC process, like accounts that needed a full KYC were not done,” said one of the persons with the knowledge of the matter, as per the ET report.

The RBI in its investigation found that data from payments banks was flowing to the wallet operator, which was not secured and against the central bank’s rules. The compliance was pending or unsatisfactory to the RBI, according to the sources.

Last week, the RBI had barred Paytm Payments Bank from onboarding new customers under Section 35A of the Banking Regulation Act, 1949. The bank, in a statement, said the clearance to onboard new customers will be specific to special permission that may be granted after the RBI reviews the report of IT auditors. The action was based on material supervisory concerns observed by the RBI.

However, Paytm’s Founder, Vijay Shekhar Sharma, denied any sharing of data with Chinese companies.

"RBI has clearly articulated a list of tasks that Paytm Bank has to complete and get the audit done. I also want to confirm that none of the obligations mentioned in the letter of observation carries any reference of data access or unauthorised data access or authorised access or data access or data localisation or data system or servers related to any foreign shareholder access or foreign access," Sharma said in a report by Livemint.