Foreign Card Payment Network Companies Barred: RBI
- Recently, the Reserve Bank of India (RBI) has barred three foreign card payment network firms (Mastercard, American Express and Diners Club) from taking new customers on board over the issue of storing data in India.
- As many as five private sector banks, including Axis Bank, Yes Bank, and IndusInd Bank, are to be impacted by the RBI’s decision.
- The Personal Data Protection Bill also has provisions pertaining to ‘data localisation’.
RBI’s Circular on Data Storage, April 2018:
- All system providers were directed to ensure that within six months the entire data (full end-to-end transaction details, information collected or carried or processed as part of the message or payment instruction) relating to payment systems operated by them is stored in a system only in India.
- They were also required to report compliance to the RBI and submit a board-approved system audit report conducted by a Computer Emergency Response Team – India (CERT-IN) empanelled auditor within the timelines specified.
Reasons for Non-Compliance Given by Payment Firms:
Payment firms like Visa and Mastercard, which currently store and process Indian transactions outside the country, have said their systems are centralised and expressed the fear that transferring the data storage to India will cost them millions of dollars.
Localization Demands from Other Countries:
Once localisation happens in India, there could be similar demands from other countries, upsetting the payment firms' plans.
Lack of Clarity:
While the Finance Ministry had suggested some easing of norms in transferring the data, the RBI has refused to change its position, stating that the payment systems need closer monitoring in the wake of the rising use of digital transactions.
Significance of RBI’s Move:
The RBI’s decision to restrict entities from onboarding new customers is a crucial development in its endeavour to ensure that all payment system operators store or localise their end-to-end transaction data only in India.
The motivation behind such a move is to meet law enforcement requirements effectively, as data access for law enforcement purposes has been a challenge.
Regulation of Payment Firms:
- Firms such as Mastercard, Visa and National Payments Corporation of India (NPCI) are Payment System Operators authorised to operate a card network in India under the Payment and Settlement Systems (PSS) Act, 2007.
- Under the Act, the RBI is the authority for the regulation and supervision of payment systems in India. The RBI’s payment system enables payments to be effected between a payer and a beneficiary and involves the process of clearing, payment or settlement, or all of them.
- It includes both paper-based settlement systems, such as cheque and demand draft, and digital ones, such as National Electronic Fund Transfer (NEFT) and the BHIM app.
- The RBI has decided to allow non-bank entities (Prepaid Payment Instrument (PPI) issuers, card networks, White Label ATM operators and Trade Receivables Discounting System (TReDS) platforms) to become members of the centralised payment system and effect fund transfer through Real Time Gross Settlement (RTGS) and NEFT.
- It is necessary for all entities to comply with the RBI’s localisation mandate. At the same time, however, it’s true that hard localisation may impact India’s payments ecosystem.
- To have a more effective mechanism for law enforcement, India needs to move beyond MLAT (Mutual Legal Assistance Treaty), which is slow and ineffective, to a system based on bilateral treaties on data transfers with the European Union, UK and the US.
- The idea must be to ensure that Indian law enforcement requirements of access to data are met in a timely manner while at the same time allowing data flows to foster innovation and trade in the tech ecosystem.