The Reserve Bank of India has banned payments system operator MasterCard from issuing any new cards here in India from the 22nd of July onwards. The ban is a part of the Central Banks ongoing drive to ensure that payments facilitators comply with data storage rules. This will not affect existing MasterCard customers.
MasterCard becomes the third organisation after American Express Banking Corp. and Diners Club International Ltd. to be banned in India. Back in 2018, the RBI released a circular mandating that all payments system operators must store their data locally, i.e here in India. The statement read as follows:
“All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.”
2018 was shortly after demonetisation which occurred towards the end of 2016. At this point in time, digital transactions had really taken off and the volume of transactions seemed to be ever-expanding. The RBI reasoning for insisting on localised storage of payments data has to do with better monitoring. As the financial regulatory authority of the land, the RBI believes that it should have “unfettered supervisory access to data” and this can be achieved only if all the data is stored within its jurisdiction.
Even at the time, it was believed that the new rules would primarily affect international organisations. Setting up new data centres in India would require hundreds of millions of dollars in investments. The payments operators would also have to spend resources on decoupling the ‘India only’ data. The move is also seen as an entry barrier for new companies trying to set up shop in India, which in turn means that it encourages local players to seek out a portion of the market share. Resultantly, organisations like RuPay have emerged.
The world’s largest payments operators, Visa, who also boasts the most users in India, found it relatively easy to comply with the new rules within the stipulated time period. In fact, even in the case of MasterCard, the news of their ban was met with surprise. The company had recently announced plans to launch the ‘One Mumbai Metro Card’ in partnership with Axis Bank on the 8th of July. MasterCard had agreed to comply but had requested more time from the RBI, and the operator had already invested $1 billion into India with plans of investing a billion more. MasterCards operations in India are huge for the company as the market is its second largest in terms of number of customers and number of employees.
The move to ban is being viewed as a power move on behalf of the RBI, as an effort to send out the message that all companies must comply with the rules regardless of how big they are. The RBI released the following statement with reference to the ban.
“Notwithstanding the lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on storage of payments system data.”
Some observers are of the opinion that MasterCard may have been waiting for personal data protection laws to be put in place before it went ahead with the compliance. MasterCard itself has argued for data mirroring as an alternative to outright data localised data storage as it would help monitor international fraud trends. If India’s data was disconnected from the rest of the world, then Indian regulators would not have the advantage of global trends.
It is unlikely that this ban will be permanent. MasterCard is one of the biggest companies in the world and it will only be a matter of time until some common ground is reached. Indian banks, who rely on companies like Visa and MasterCard will also be affected as it could take up to two months for banks to switch to alternate payments operators. The RBI, however, is making its stance clear that it is serious about compliance irrespective of who the organisation is.