THE BAN ON MASTERCARD: A QUICK CHECK ON INDIA’S DATA LOCALIZATION NORMS

Background

• In April 2018, the RBI issued a circular mandating all payment system operators (PSOs) to store payment data in India. The PSOs were given six (6) months’ time, i.e., until October 15, 2018, to comply with this requirement
• The PSOs were also required to submit board-approved system audit reports on the completion of this compliance to the RBI on or before December 31, 2018.
• In October 2018, the RBI met with PSOs to understand the technical difficulties and concerns in complying with this requirement. The RBI noted that only 16 non-bank PSOs were non-compliant, and major companies like Visa and Mastercard were taking necessary steps to comply with the requirement.

Recent actions taken by the RBI

• In November 2019, the RBI asked the National Payment Corporation of India to ensure that WhatsApp Pay complies with data localization requirements before launching its payment services in India.
•  In 2020, similar data storage requirements were made applicable to payment aggregators and payment gateways by the RBI.
• In April 2021, the RBI restricted American Express Banking Corporation and Diners Club International Limited from onboarding new customers due to violation of data localization requirements.
• On July 14, 2021, the RBI imposed a similar restriction on Mastercard Asia Pacific Pte Ltd and barred Mastercard from onboarding new customers from July 22, 2021 due to non-compliance with data localization requirements.

Key takeaways

• The RBI has been focusing on data privacy and data security extensively.
• The RBI is proactively taking steps to ensure that customer payment data is processed and stored in India, and is initiating actions against any company (including multinationals) who are in breach.
• New PSOs looking to establish their business in India must ensure due compliance with data localization and data security requirements before launching their services.
• The RBI has also tightened oversight on payment aggregators and payment gateways, who should ensure due compliance of data localization and data security norms to avoid any future actions by the RBI.

By Majmudar & Partners, India, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact india@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.