The RBI guidelines that Mastercard failed to comply with state that customer data, payment sensitive data, and transaction data have to be stored in India.
We missed this earlier: Mastercard has complied with the local data storage norms laid down by the Reserve Bank of India (RBI) in 2018, the company informed MediaNama. The payments company added that it filed a new audit report on July 20 to notify the central bank of its compliance.
“When RBI required us to provide additional clarifications about our data localization framework in April, 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance. We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard’s statement read.
According to a Reuters report, the audit report was submitted after the RBI barred Mastercard from adding new domestic customers in India onto its card network on July 14. The report, citing sources, also said that the RBI was reviewing the new audit report.
Why it matters? India has registered a sizeable growth in its payments ecosystem over the past few years. Despite this, major players like Visa and Mastercard had not made arrangements for the storage of payments information in India. According to the RBI, it is “important to have unfettered supervisory access to (payments) data to ensure better monitoring on a continuous basis.” A report in the Times of India explains that the central bank wants to insure itself against the possibility of losing access to data if payments services host it in another country.
Details of the RBI order mandating data localisation
In 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India:
- Entire data relating to payment systems must be stored in a system only in India
- Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
- Furnish the System Audit Report (SAR) by CERT-IN empaneled auditors by December 31, 2018
However, in June 2019 following concerns raised by the industry, RBI went on to clarify the guidelines:
- The central bank elaborated on data that had to be stored in India mandatorily:
  - Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
  - Payment sensitive data: Customer and beneficiary account details
  - Payment credentials: OTP, PIN, passwords, etc.
  - Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
- The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorised by the RBI.
- The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.
What led to the RBI ban on Mastercard?
A brief timeline precipitating the ban, according to a Reuters report:
- April 2018: RBI directs all payments system operators in India to ensure payments-related data is stored within the country and gives the companies six months to comply.
- October 2018: Mastercard starts storing data at a facility in Pune to comply with the guidelines but it still processes a part of each Indian transaction through data centres abroad, and later, transfers and stores that data in Pune.
- April 2021: Sources informed Reuters that RBI was unsatisfied with a “system audit report” submitted by Mastercard’s auditor Deloitte. The audit was vague about the time Mastercard took to purge Indians’ card data that is processed abroad before being stored locally.
- May 2021: American Express and Diners Club are banned from issuing new cards for violating the 2018 rules. It was the first time that the central bank issued sanctions against card network companies and payment operators in India due to non-compliance with the data storage norms.
- July 2021: Mastercard had been given multiple extensions to submit clarifications. The ban was enforced after the company requested another extension after the one till July 9 expired.
The subsequent impact of the ban
The ban issued on July 22 prevented Mastercard from issuing new cards—debit, credit, and prepaid—to domestic customers. It did not affect existing customers.
The ban impacted the capacity of banks such as RBL Bank and Yes Bank to issue new cards to their customers. RBL Bank said in a disclosure that it has started issuing cards on the Visa network. RBL Bank is the fifth largest credit card issuer in India with a five percent market share.
Yes Bank issues cards only on the Mastercard network, according to its website and information from Samsung Pay. The ban is likely to hamper its ability to issue new cards to prospective customers.