SUMMARY
The RBI imposed the ban after deciding a "system audit report" submitted by Mastercard's auditor Deloitte in April was unsatisfactory
Mastercard was banned from issuing new cards on July 14 (effective from July 22) citing non-compliance with the storage of payments data
Payment system providers are required to submit the System Audit Report (SAR) after complying with RBI’s data localisation policy
Global payments technology company Mastercard has submitted a new audit report to the Reserve Bank Of India (RBI) seeking to overturn its ban on card issuance.
Mastercard was banned from issuing new cards on July 14 (effective from July 22) citing non-compliance with the storage of payments data, the Reserve Bank of India (RBI) has restricted Mastercard from acquiring new domestic customers onto its card network.
The RBI imposed the ban after deciding a “system audit report” submitted by Mastercard’s auditor Deloitte in April was unsatisfactory, which is under an RBI review, said a Reuters report.
In a statement to Reuters, Mastercard said Deloitte performed a “supplemental audit” and a new report was submitted on July 20 to the RBI, six days after the ban was announced.
“We look forward to continuing our conversations with the RBI and reinforcing how seriously we take our obligations. We are hopeful that this latest filing provides the assurances required to address their concerns,” it said.
The RBI had furnished no details beyond the statement announcing the ban. The details of RBI’s concerns have not been stated.
American Express, whose Indian presence is much smaller than that of Mastercard and Visa, has also been banned from issuing new cards since April for violating the 2018 rules.
Data Localisation Enforcement By RBI
In April, 2018, the RBI had issued a circular directing all the payments systems providers to ensure that within a period of six months the entire data (full end-to-end transaction details /information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India.
India’s 2018 rules do not restrict where the data is processed, but for “unfettered supervisory access”, the RBI mandates that within a day the data – including transaction details and amount – should be stored domestically.
These payment system providers are also required to submit the System Audit Report (SAR) after complying with RBI’s data localisation policy. Mastercard being a payment system operator is authorised to operate a card network in the country under the Payments and Settlement Act 2007.
In the last few years, there has been an increased attention to the data localisation policy in most of the sectors. Besides the RBI, the TRAI too has recommended telecom operators to store end-to-end data locally. The Personal Data Protection Bill 2019 too bats for data localisation stating that critical personal data has to be processed in India only.
In 2018, Mastercard had said it had started storing data at a facility in Pune to comply with localisation requirements. But it still processes a part of each Indian transaction through data centres abroad, and later transfers and stores that data in Pune, according to sources quoted by Reuters.
As per reports, RBI is concerned that Deloitte’s audit did not clearly state how long Mastercard took to purge Indian card data that is processed abroad before being stored locally. The RBI was said to have given Mastercard multiple extensions to submit clarifications and only issued the ban when Mastercard asked for more time when an extension to July 9 lapsed.
