WhatsApp Pay roll-out delayed due to data localisation hurdles, NPCI tells Supreme Court

It took WhatsApp nearly three years to roll out its Unified Payments Interface (UPI) service in India as the Facebook-owned platform faced hurdles in complying  with the Reserve Bank of India’s (RBI) data localisation norms, according to an affidavit filed by the National Payments Corporation of India (NPCI) in the Supreme Court. MediaNama has seen a copy of the affidavit.

Email correspondence between the RBI, NPCI and WhatsApp, reveals that WhatsApp was ready to go-live with its UPI service in November 2019 but the RBI intervened and asked the NPCI to conduct more checks and ensure specific data was not being stored by the company abroad. This led to delays in WhatsApp Pay’s roll-out. The RBI specificially asked the NPCI to ensure that five specific data fields were not being stored by WhatsApp and that data the company stored abroad as part of the messaging service did not contain payments data.

The affidavit shows that the RBI and NPCI were constantly monitoring WhatsApp’s compliance with the regular’s data storage norms for its payments’ business from April 2018 onward. While other third-party players were able to design their UPI apps and data practices in full compliance with the RBI’s circular in the following months, WhatsApp took much longer. The NPCI finally gave the green-light to WhatsApp and its sponsor bank ICICI Bank to go-live with its UPI service in June 2020, and in November it permitted WhatsApp Pay to commercially launch albeit, with some restrictions.

MediaNama sent queries to ICICI Bank and WhatsApp on Tuesday. NPCI declined to comment.

NPCI says WhatsApp does not store customer sensitive data

The plea, filed by the Good Governance Chambers (G2 Chambers) in February 2020, said that WhatsApp “has been known to have failed to secure sensitive data of its users” and has also “failed to assume accountability and responsibility for the same”. It said that WhatsApp has defaulted in securing data of users as per the localisation norms set forth by the RBI and NPCI, and by failing to have a dedicated app for UPI payments. In an affidavit filed by WhatsApp in June last year, the company questioned the credibility of the petitioner stating that it was set up two months before the petition was filed and provided no proof of engaging in privacy-related public interest advocacy.

Advertisement. Scroll to continue reading.

“With respect the issues raised by the petitioner regarding storing of sensitive data and Facebook’s access to such sensitive data, it is submitted that as per UPI Circular No. 32 dated 15 September 2019, UPI transaction data can be stored in the app providers’ system in an encrypted format and customer payment sensitive data can only be stored in the PSP bank’s system. [WhatsApp] has confirmed that it does not store customer sensitive payment data even in encrypted format and stores UPI transaction data in encrypted format known only to [WhatsApp] and that Facebook does not have no access to the same in clear format.” — NPCI affidavit

The affidavit also says that “Deloitte has also validated that Facebook has no access to clear payment data and that for payment transactions processed through systems outside India, the payment data stored for a period of 24 hours’ post which it is automatically deleted from these systems, which is in compliance with Data Localisation Circular.”

Timeline of WhatsApp Pay’s Launch

• January 23, 2018
  • NPCI tells the RBI that WhatsApp is ready launch beta-testing its UPI service, after six months of discussion.
  • NPCI caps user limit at 1% of WhatsApp’s users in India and to gradually release UPI features every 2-3 weeks
• February 2, 2018
  • NPCI writes to ICICI Bank’s head of technology permitting the launch of WhatsApp’s UPI payment service
  • Caps users to 1 million and says there can not be any product or public launch in paper
  • States that beta-phase will continue till other banks are on-boarded
• April 6, 2018
  • Reserve Bank of India issues data localisation circular stating that “all system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
• June 14, 2018
  • WhatsApp’s head of operations Mathew Idema writes to ICICI Bank’s head of technology providing clarifications to the banks’ queries
  • These include WhatsApp’s compliance with 2-Factor authentication, data processing practices and intention to comply with RBI’s data localisation circular
  • WhatsApp says it does not store customer sensitive payment data, only encrypted UPI transaction data will be stored in an encrypted format
  • WhatsApp says that Facebook and other subsidiaries will not have access on UPI transaction data
• November 16, 2018
  • NPCI writes to the RBI stating that Trucaller, Amazon and Xiaomi were already compliant , live on UPI, were in compliance with the RBI’s April 2018 circular
  • Samsung said it would comply by June 30, 2019 and Google said it would comply by October 31, 2019 and
  • WhatsApp was yet to provide a compliance date
• July 19, 2019
  • Abhijit Bose, chief executive officer of WhatsApp India, writes to NPCI’s management stating that the company is working to comply with the RBI’s rules
  • Bose said that Deloitte would complete its audit by the end of the month and the report would be submitted to the partner bank
• August 1, 2019
  • NPCI tells RBI that ICICI Bank and it have received WhatsApp’s System Audit Report
• September 12, 2019
  • NPCI writes to the RBI stating that since WhatsApp operates a messaging services, it stores ‘Mobile number’ outside of India
  • NPCI also said that WhatsApp also stores notification data, including payment alert, payee UPI ID and other details, for a maximum of 30 days outside India only for use to whom the notification has not been delivered.
  • NPCI asks for 3-4 weeks time to ensure that WhatsApp complied with the data storage norms issued by the RBI
  • WhatsApp to resubmit its compliance report to the NPCI in 4 weeks time
• October 24, 2019
  • NPCI tells RBI that Deloitte has audited WhatsApp and as of October 3, 2019 WhatsApp is now in compliance with the data localisation norms
  • WhatsApp no longer stores some data fields
  • The backup of data fields stored by WhatsApp and not in compliance with the RBI’s circular, were to be deleted by December 2019
• November 1, 2019
  • RBI writes to NPCI stating that it should follow up on actions taken by WhatsApp on data localisation compliance
  • This includes that payments data stored outside India does not go beyond the permitted timeline
  • WhatsApp application logs which are stored with its support team for 90 days should not contain any payment data elements
  • RBI does not permit NPCI to allow WhatsApp to go live for full scale operations on UPI until it complies with 5 requirements laid out by the RBI
• December 18, 2019
  • Idema writes to NPCI stating that they are committed to become fully compliant with RBI data’s storage guidelines
• January 13, 2020
  • NPCI tells RBI that WhatsApp is now in compliance with 2 out of 5 requirements laid out by the central bank
  • NPCI says WhatsApp will comply with the remaining 3 requirements by May 31, 2020
• March 19, 2020
  • NPCI writes to Will Cathcart, chief executive officer of WhatsApp, requesting that the company comply with the RBI’s requirement and complete their compliance and audit process at the earliest
• May 29, 2020
  • Idema tells NPCI that Deloitte completed its audit of WhatsApp Pay’s UPI service and found it in compliance with RBI’s data localisation norms
• June 5, 2020
  • NPCI tells RBI that Deloitte’s audit report states that WhatsApp is in compliance with the 3 remaining requirements and that it is full compliance with the data localisation circular
  • NPCI says it is giving ICICI Bank to go live with WhatsApp Pay
• November 6, 2020
  • NPCI allows WhatsApp to launch UPI services, with user registration restricted to 20 million
  • WhatsApp Pay is supported by ICICI Bank, HDFC Bank, Axis Bank, the State Bank of India and Jio Payments Bank

Also Read

• SC issues formal notices to WhatsApp, Facebook in UPI data protection case
• WhatsApp says Facebook has no access to UPI transaction data
• ‘Govt should ban WhatsApp Pay for privacy violations’, says Atmanirbhar Digital India Foundation: Report

***Update (2:25 PM, February 4): This article was updated based on editorial direction. Originally published at 12:03 PM, February 3.