International Card Companies To Be Fully Compliant With RBI Rules By September

Despite initial hesitation, card companies comply with RBI’s data localisation norms

Chip credit cards are arranged for a photograph (Photographer: Andrew Harrer/Bloomberg)  
Chip credit cards are arranged for a photograph (Photographer: Andrew Harrer/Bloomberg)  

Card companies and payments services providers hope to be fully compliant with the Reserve Bank of India’s data localisation norms by September 2019, two people in the know confirmed. Despite their initial reluctance, these companies have already started complying with the data localisation norms and hope to complete the process of storing data of Indian transactions ‘only in India’ over the next nine months.

According to the people quoted above, global payments firms like MasterCard and Visa have already set up servers in India to store data for all new transactions emanating from India. The next step is to delete data of Indian transactions from global servers. Both major card companies, Visa and Mastercard have submitted a road map to the RBI on the time frame over which this process will be completed, said people familiar with the matter.

In April 2018, the RBI had released new rules asking all payment service providers to store data of local transactions ‘only in India’. Firms needed to comply with the directives by October 15.

Visa has been in compliance with the Reserve Bank of India (RBI) circular on data localisation since October 2018, where it has ensured that all incremental transaction data generated locally is stored only in India, a person close to the developments said, speaking on conditions of anonymity.

The payments firm has also been sending regular updates to the banking regulator, detailing how it has been working towards deleting the data stored on various international servers. This, the official said was a time consuming process. In its updates to the RBI, Visa has given a cut off date within which it intends to complete the process. The company is making all the efforts necessary to meet the deadline, the official said.

Visa did not respond to queries sent by BloombergQuint on Thursday.

In the case of Mastercard too, the company is in the process of deleting the transaction data stored abroad, a consultant said, speaking on conditions of anonymity. In an email statement, Mastercard said that it has been in compliance with RBI’s guidelines since October 6, 2018 and that all new Indian transaction data is being stored at a technology center in Pune.

“In order to ensure that the safety and security of the Indian payment ecosystem is not compromised, and further, that there is no negative impact or disruption to Indian consumers, banks and merchants, Mastercard has submitted its proposal to the RBI which confirms storage of data only in India within a specified time frame,” the statement read.

RBI did not respond to an email sent on Monday. Mastercard and Visa did not respond to queries regarding the timeline they have given to the RBI to become fully compliant with the new rules.

According to the central bank’s rules end-to-end transaction details of all transactions in the country must only be stored on servers in the country. For any foreign leg of the transaction, data maybe stored abroad.

“In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem,” the RBI had said in its guidelines.

According to the first person quoted above, a select set of large payments service providers had approached the RBI to ease the guidelines. The companies wanted that, like in other developed economies in the world, data should be free flowing and companies should be able to access this information wherever they choose. This will help companies improve the quality of service and tweak their systems to ensure better safety.

However, the RBI did not agree to any of this and insisted that international payments companies comply with the norms.

“There are two overarching principles that are guiding the data localisation guidelines. One is the issue of sovereignty where countries would want more control over who all gets access to the data and the second principle is that if data is fuel, you need to be able to have the right systems in place to determine how you are going to use the data in the future,” said Vivek Belgavi, partner and fintech leader, PwC India.

According to the two people quoted above, while companies are complying with the RBI’s rules in a step-by-step fashion, they are also engaging with the banking regulator to ease the guidelines. Any tweaking of the guidelines will be in keeping with the two guiding principles, Belgavi said,

New Launches Still On Hold?

While card companies have complied with the RBI’s deadline, some international firms using the unified payments interface (UPI) platform are still seeking extensions.

According to a senior official at National Payments Corporation of India (NPCI), while most international companies have mirrored their transaction data on a local server, they are seeking more time from the RBI to ensure that data is stored exclusively in India. The official did not clarify which companies are seeking more time from the RBI. WhatsApp was among the firms that was waiting for clarity on the RBI’s data localisation norms before a full roll-out of payment services.

The NPCI has not given permission to these companies for a full rollout of UPI services because they are yet to fully comply with the RBI norms.