Citing non-compliance with the storage of payments data, the Reserve Bank of India (RBI) has restricted Mastercard from acquiring new domestic customers onto its card network from July 22, 2021.
“Notwithstanding the lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data. This order will not impact existing customers of Mastercard,” said the RBI in its notification.
In April, 2018, the RBI had issued a circular directing all the payments systems providers to ensure that within a period of six months the entire data (full end-to-end transaction details /information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India.
These payment system providers are also required to submit the System Audit Report (SAR) after complying with RBI’s data localisation policy. Mastercard being a payment system operator is authorised to operate a card network in the country under the Payments and Settlement Act 2007.
Having banned from onboarding new consumers, the central bank has asked the payments giant to advise all card-issuing banks and non-banks to conform to these orders. Commenting on the development, Sijo Kuruvilla George, executive director, Alliance of Digital India Foundation said, “This is a bold move by the central bank and highlights the importance it gives to the protection of our citizen’s personal data – especially sensitive data like that related to financial transactions. It’s imperative that all organisations respect the laws and necessary action be taken towards their implementation.”
The RBI’s October 2018 deadline was earlier missed by foreign firms including credit card giants Visa and Mastercard. These payment providers have been lobbying for free flow of data across borders in order to ensure that customer benefits and fraud analysis are not affected.
Despite having given multiple extensions Mastercard failed to comply with the data localisation rule, observed RBI.
In the last few years, there has been an increased attention to the data localisation policy in most of the sectors. Besides the RBI, the TRAI too has recommended telecom operators to store end-to-end data locally. The Personal Data Protection Bill 2019 too bats for data localisation stating that critical personal data has to be processed in India only.