RBI Curbs on Foreign Card Firms - Data Localisation

Why in news?

The RBI has so far barred three foreign card payment network companies [Mastercard, American Express and Diners Club] from taking new customers on board, over the issue of storing data in India.

What is the recent decision?

• Recently, the RBI imposed restrictions on Mastercard Asia Pacific Pte Ltd.
• It is kept from onboarding new domestic customers (debit, credit or prepaid) in India.
• The RBI cited as reason the non-compliance with guidelines for storage of data in India.
• It said it had given almost 3 years for Mastercard to comply with the regulatory directions.
• But the firm was unable to complete the process.
• Earlier, the RBI had imposed restrictions on American Express Banking Corp and Diners Club International Ltd, over the same issue.
• Impact - Existing customers using credit or debit cards of these firms can continue using the same.
• However, banks and non-banking finance companies that were planning to use these payment networks will now not be able to use these platforms to enrol new customers.
• This leaves only Visa Inc and homegrown NPCI’s RuPay as payment providers under no restrictions currently.

What are the RBI guidelines in this regard?

• Funds transferred using debit or credit cards are routed through platforms such as Mastercard, Visa and NPCI.
• These operate under the Payment and Settlement Systems (PSS) Act, 2007.
• Under the Act, the RBI is the authority for the regulation and supervision of payment systems in India.
• As part of this came the RBI circular on Storage of Payment System Data, dated April 6, 2018.
• These guidelines on data storage were to be adhered to within 6 months.
• As per this, all system providers are to ensure that the entire data relating to payment systems operated by them is stored in a system only in India.
• It applies to full end-to-end transaction details, information collected or carried or processed as part of the message or payment instruction.
• They were also required to report on their compliance to the RBI.
• They should also submit a board-approved system audit report conducted by a CERT-In empanelled auditor within the timelines specified.
• [CERT-In - Indian Computer Emergency Response Team.
• CERT-In is a government-mandated information technology (IT) security organization.]

What is the rationale?

• Data access for law enforcement purposes has for long been a challenge.
• So, the idea behind the move is to carry out effective law enforcement requirements.
• In the wake of the rising use of digital transactions, the RBI is particular that the payment systems need closer monitoring.

What are the challenges to compliance?

• Credit and card firms with global operations have been resisting the RBI move.
• They cite as reasons the costs, security risk, lack of clarity, and timeline.
• The RBI had stipulated that data should be stored only in India.
• Also, no copy [or mirroring] should be stored in other countries.
• But payment firms like Visa and Mastercard currently store and process Indian transactions outside the country.
• Their systems are centralised.
• So, they expressed the fear that transferring the data storage to India will cost them millions of dollars.
• Besides, once it happens in India, there is a possibility of similar demand from other countries also.

What is the alternative?

• Possibly, hard localisation may impact India’s payments ecosystem.
• For a more effective mechanism for law enforcement, India needs to move beyond the slow and ineffective MLAT (Mutual Legal Assistance Treaty).
• It should move to a system based on bilateral treaties on data transfers with the EU, UK and the US.
• This will ensure that Indian law enforcement requirements of access to data are met in a timely manner.
• It will also allow data flows to foster innovation and trade in the tech ecosystem.
• However, the RBI is against the suggestion that a copy of data stored outside be brought to India.

Source: The Indian Express