By Shilpi Sharan and Apalka Bareja
The Reserve Bank of India (RBI), via a press release dated July 14, 2021, has restricted MasterCard from onboarding new domestic customers (debit, credit or prepaid) onto its card network from July 22, 2021.
As per the press release, these restrictions are being imposed because, despite the lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with RBI’s directions on Storage of Payment System Data.
RBI’s guidelines on Storage of Payment System Data
With advances in technology and a drastic increase in digital payments, the payment ecosystem in India has expanded considerably with the emergence of new payment systems, players and platforms. This has led to a need for supervision by authorities to safeguard the access to and storage of such data. To ensure better monitoring and surveillance, and to have unrestricted supervisory access to the data stored by such players, RBI issued guidelines on Storage of Payment System Data.
As per the circular dated April 6, 2018, all System Providers were directed to ensure that, within a period of six months, the entire data (full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India. In furtherance of this, they were also required to report compliance to RBI and submit a Board-approved System Audit Report conducted by a CERT-In empanelled auditor within the specified timelines.
APPLICABILITY OF THE STORAGE OF PAYMENT DATA DIRECTIONS
- The directions are applicable to all Payment System providers authorized / approved by the Reserve Bank of India (RBI) to set up and operate a payment system in India under the Payment and Settlement Systems Act, 2007.
- Banks function as operators of a payment system or as participants in a payment system. They are participants in (i) payment systems operated by RBI, viz., RTGS and NEFT, (ii) systems operated by CCIL and NPCI, and (iii) card schemes. The directions are, therefore, applicable to all banks operating in India.
- The directions are also applicable in respect of the transactions through system participants, service providers, intermediaries, payment gateways, third party vendors and other entities (by whatever name referred to) in the payments ecosystem, who are retained or engaged by the authorized / approved entities for providing payment services.
- The responsibility for compliance with the provisions of these directions would be on the authorized / approved PSOs, who must ensure that such data is stored only in India as required under the above directions.
NEED OF SUCH RESTRICTIONS
Such regulations have come into play to ensure that RBI’s ability to “monitor payments activity” is not curtailed in cases where the data is stored outside the sovereign boundaries of the country. Moreover, with the number of digital transactions and scams increasing, law enforcement and regulatory agencies faced difficulties in carrying out cross-border probes and investigations to obtain data from such entities.
Impact of MasterCard Ban on Customers
As per the press release, MasterCard will be indefinitely blocked from issuing debit, credit or prepaid cards to customers in India from July 22, 2021. However, existing customers will not be impacted.
The order passed by RBI banning MasterCard from onboarding new customers is a welcome step towards ensuring strict compliance with the guidelines on Storage of Payment System Data issued by RBI. However, it is important for Payment Service Providers to take immediate action, ensure compliance with the directions issued by RBI, and store all such customer and payment-related data only in India to avoid any unnecessary regulatory repercussions.
Guidelines on Storage of Payment Data, RBI, available at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244