RBI bars American Express, Diners Club International from adding new users

Under an RBI circular, the entire data relating to payment systems operated by these entities is to be stored in a system only in India.
Reserve Bank of India headquarters in Mumbai. (File | PTI)

NEW DELHI: The Reserve Bank of India (RBI) has finally cracked the whip on global credit card and payments companies for flouting data localisation norms that require storing transaction data only within India’s national boundaries.

In a first such stern action, the banking regulator on Friday barred American Express Banking Corp and Diners Club International Ltd from adding new domestic credit card customers from May 1. The order, however, will not impact existing customers. "These entities have been found non-compliant with the directions on Storage of Payment System Data," the RBI said in a statement. 

American Express, however, said that it has been in regular dialogue with the RBI about data localisation requirements and has demonstrated its progress towards complying with the regulation. "While we're disappointed that the RBI has taken this course of action, we are working with them to resolve their concerns as quickly as possible. This does not impact the services that we offer to our existing customers in India, and our customers can continue to use and accept our cards as normal," American Express said in a statement.

With 15.59 lakh cards in circulation as of February, American Express has the highest number of credit card customers among foreign banks in India after Citigroup Inc, which is looking to exit the Asian market including India. Overall, it was the seventh largest credit card issuer in the country, according to RBI data, with its cards used for transactions worth Rs. 2,325 crore.

As far as Diners Club is concerned, it has been operating in India through a tie-up with HDFC Bank since 2011. The RBI's current move coincides with the banking regulator also barring HDFC Bank from sourcing new credit card customers as a penalty for repeated digital outages over the past two years.

All these put together could give a further leg-up to domestic issuers such as ICICI Bank, SBI Card and Axis Bank. Meanwhile, two other major global players - Mastercard and Visa - could be next in line to attract the regulator’s ire for missing the data localisation deadline, according to multiple sources. These firms have already sought a 12-month extension to meet these rules.

The latest compliance status of the two companies comes after global firms lobbied hard against the data localisation rules, but the RBI did not change its stance on the issue and instead insisted that Indian financial data must be stored only in India.

The RBI had introduced the data localisation norms in April 2018, with the system supposed to come into effect from October that year. "In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers," it had said in its April order.

The companies were also required to report compliance to RBI and submit a Board-approved System Audit Report (SAR) conducted by a CERT-In empaneled auditor within the timelines specified therein. The data needed to be stored in India included full end-to-end transaction details, information collected and processed as part of the message and payment instruction. 

Notably, one of the primary reasons why the global payments providers were not keen on data storage in India was that it would increase the cost of compliance. "Centralised systems help these operators to keep costs low. But if they have to replicate the infrastructure in India it will be costly because they will have to create a lot of processes, hire people and employ higher resources. It becomes even more complicated for larger ones to rework the procedures," a senior payments industry executive said on condition of anonymity.

The New Indian Express
www.newindianexpress.com