Context:
The Reserve Bank of India (RBI) imposed restrictions on Mastercard Asia / Pacific Pte. Ltd. from on-boarding new domestic customers (debit, credit or prepaid) onto its card network for non-compliance with the regulator’s directions.
According to the RBI, the U.S. card-issuer Mastercard has failed to comply with the local data storage rules announced by the central bank in 2018.
Relevance:
GS-III: Internal Security Challenges (Cyber Security, IT & Computers), GS-III: Indian Economy
Dimensions of the Article:
- What is the RBI’s data localisation policy?
- What is the need for local data storage?
- What lies ahead?
What is the RBI’s data localisation policy?
- In 2018, the RBI had issued a circular ordering card companies such as Visa, Mastercard, and American Express to store all Indian customer data locally so that the regulator could have “unfettered supervisory access”.
- This meant that foreign card companies had to store complete information about transactions made by Indian customers in servers located within India.
- The reason offered by the RBI to back up its data localisation rule was that local storage of consumer data is necessary to protect the privacy of Indian users and also to address national security concerns.
As per the data- localisation norms set by RBI:
- While there is no bar on the processing of payment transactions outside India, the Payment System Operators (PSOs) will have to ensure the data is stored only in India after the processing.
- In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India.
- The data stored in India can be accessed for handling customer disputes, whenever required.
- The payment system data may be shared with an overseas regulator if required, but with the approval of RBI.
- Some banks, especially foreign, that had been permitted to store the banking data abroad may continue to do so. However, in respect of domestic payment transactions, the data shall be stored only in India.
- The data stored domestically must include:
- End-to-end transaction details and information related to payment or settlement transaction collected or processed as part of a payment.
- Information such as customer name, mobile number, email, Aadhaar number, PAN number.
- Payment sensitive data such as customer and beneficiary account details; payment credentials such as OTP, PIN, Passwords.
What is the need for local data storage?
- Experts believe that customer privacy and national security are genuine concerns that need to be taken seriously. However, many also believe that data localisation rules are too stringent and they could simply be used by governments as tools of economic protectionism.
- For instance, they argue, it may not be strictly necessary for data to be stored locally to remain protected.
- Broadly speaking, formal international laws to govern the storage of digital information across borders may be sufficient to deal with these concerns.
- Governments, however, may still mandate data localisation in order to favour local companies to foreign ones.
Understanding the move
- China, for example, has used its cyber-security laws to discriminate against foreign companies. A similar trend may be playing out in India with the Centre’s emphasis on economic self-sufficiency.
- In 2018, Mastercard had launched a complaint with the U.S. government that Prime Minister Narendra Modi was actively promoting Indian cards like RuPay and that it was affecting the business of foreign card companies.
- Governments may also believe that mandating foreign companies to set up local infrastructure can boost their local economies.
What lies ahead?
- Indian banks that are currently enrolled in the Mastercard network are expected to make alternative arrangements with other card companies.
- The process is expected to take a few months, and their card business is expected to take a significant hit meanwhile.
- The RBI’s data localisation policy, as it burdens foreign card companies, may end up favouring domestic card issuers like RuPay. Mastercard owns about one-third of the market share in India, and the RBI’s ban is likely to significantly benefit its competitors.
- Similarly, the ban on American Express and Diners Club earlier in 2020 benefited the Indian card network RuPay.
- Some believe that even Visa, a foreign company which dominates card payments in India, may come under regulatory pressure in the near future.
- Thus, the card payments sector may end up being restricted to a few domestic companies, which in turn can lead to reduced competition. This could mean higher costs and lower quality services for customers.
-Source: The Hindu