The Reserve Bank of India (RBI) has imposed restrictions on Mastercard due to a violation of data localization rules. It has restricted the payment company from onboarding new domestic customers onto its card network from July 22, 2021.
In a press release, the RBI said:
Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data.”
The RBI has taken this action under Section 17 of the Payments and Settlements Act. The order will not impact existing customers of Mastercard.
What are RBI’s Storage Rules?
As per the RBI’s April 6, 2018 circular on ‘Storage of Payments Systems Data ‘, all payment system providers were required to ensure that within six months, all data related to their daily operations was stored in a system located in India.
These guidelines state companies must store the data of transactions, purchases, orders, and customer information in a system ‘within India’.
After compliance, companies were expected to notify the RBI. Besides, they also had to send a Board-approved System Audit Report (SAR) performed by a CERT-In empaneled auditor.
Earlier, the RBI had also imposed similar restrictions on American Express and Diners Club. The Central Bank had also communicated recently that many banks were yet to submit the audit reports in compliance with these rules, even though the rules were notified in 2018.
The Issue with Foreign Entities
The RBI had urged banks to declare their compliance with the rules along with a plan of action on or before May 15, 2021. However, multiple international organizations failed to provide an audit report certifying that all personal and non-personal transaction-related data transmitted outside India, for processing, have been permanently erased. They replied to the RBI’s demand by claiming that most of their processing was centralized. Hence, reorganizing worldwide operations and establishing a separate hub in India was not viable.
However, as per the RBI, while data can only be stored locally, it can be sent intraday for processing but must be destroyed from offshore servers within 24 hours.