MUMBAI: Flexing its muscles on the issue of data localisation, the Reserve Bank of India on Wednesday barred Mastercard from onboarding any new domestic customer from July 22.
The directive bars the US-based network from issuing either prepaid, credit or debit cards to new customers under its network in India. The RBI said the order would not impact existing customers of Mastercard.
Mastercard is the second-largest credit card issuer (after Visa) in India and the central bank’s tough stance could have implications on foreign relations. The RBI has been pushing all regulated entities to store data relating to Indian customers on Indian soil since April 2018.
“Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on storage of payment system data,” the RBI said in a statement.
While it is banks and finance companies that issue cards, they partner either Mastercard, Visa or RuPay for network usage. Whenever a card is swiped, the processing takes place on the payment network cloud. Mastercard has been directed to advise all card-issuing banks and non-banks to conform to these directions.
“Mastercard is fully committed to our legal and regulatory obligations in the markets we operate in. Since the issuance of the RBI directive requiring on-soil storage of domestic payment transaction data in 2018, we have provided consistent updates and reports regarding our activities and compliance with the required stipulations. While we are disappointed with the stance taken by the RBI in their communication dated July 14, we will continue to work with them to provide any additional details required to resolve their concerns,” the company said.
In terms of the number of employees, India ranks second among all markets for Mastercard. The company has invested $1bn in India and has announced plans to invest $1bn more.
“Building on our considerable and continued investments in India, we remain committed to working with our customers and partners in advancing on the government’s Digital India vision,” the statement added.
Mastercard is the third US company to face an RBI ban after American Express and Diners Club, which faced similar restrictions in April. Amex has said that while it is not accepting fresh applications, it is committed to complying with all regulations.
Banking sources said that Visa has complied with the data-localisation norms, which is why the payment network was not subject to any strictures. Compliance required the company to create storage capacity in India requiring investment in “hundreds of millions”, said sources. Mastercard has repeatedly sought more time.
Sources said that the payment network might have been waiting for personal data protection laws to be in place. Suresh Ganapathy, research analyst, Macquarie Capital, said: “The key concern is that credit cards, which are a profitable product for banks, could get impacted as banks now will have to transition to a Visa or a RuPay platform which will take time. Our conversations with bankers reveal that it could take two months for the new payment platform (say Visa) to issue new plastics and take up the additional capacity vacated by Mastercard.”
The payment network has been arguing for allowing data mirroring as the transaction information was required to ascertain fraud trends. The company’s argument was that if Indian transaction data is disconnected from the world, the Indian market will not have the advantage of global trends.
The RBI’s directive appears to have come as a surprise for Mastercard. As recently as July 8, Mastercard announced the launch of a ‘One Mumbai Metro Card’ in partnership with Axis Bank and Mumbai Metro. Others in the industry were also shocked as MasterCard had agreed to comply.
The local storage norms do not apply to those payments where one leg of the transaction is offshore. RBI norms also allow data to be sent abroad for processing but the same must be deleted from overseas servers by end of the day. The challenge here is that wherever data is being sent overseas, the RBI wants an audit report certifying that data is being deleted.
