India’s Ban on ‘System Providers’: Prioritizing Payment Data Localization

The Reserve Bank of India (‘RBI’) first issued payments data localization-related sanctions in April 2021, restricting American Express and Diners Club from adding new customers for six months with effect from May 2021. More recently, in July 2021, it barred Mastercard from onboarding new domestic customers for an indefinite duration. The ban on Mastercard is likely to have a significant impact, since the company holds roughly a third of the entire cards network market in India. These restrictions may be seen as drastic, given that the RBI as a regulator is normally quite restrained and rarely imposes such sweeping sanctions.

These bans, imposed for violations of payment data localization directions, signal a new regulatory approach. They have been placed in pursuance of rules introduced in 2018, without much enforcement action taken until now, indicating that payment data localization has recently gained a crucial place in the Indian fintech ecosystem.  This post explores the evolution of the payment data localization rules over the last three years, and its impact on banks, payment system operators (‘PSOs’) and unlicensed fintech entities.

The initial targets of the 2018 notification

It was on  April 6, 2018, that the RBI first introduced a directive on payment system data storage in India (‘Notification’). The Notification was addressed to banks and authorized payment system operators  operating under the Banking Regulation Act, 1949 and Payment and Settlement Systems Act, 2007 (‘PSS Act’), which are the laws empowering the RBI to regulate banks and payment systems, respectively.

The Notification placed the onus to store payments data within India on ‘system providers’ (ie, banks and PSOs), and required them to begin complying with relevant regulations within a period of six months, ie, before October 6, 2018, and to confirm compliance by submitting system audit reports. The motivation behind the Notification was to ensure ready availability of payment data in India for regulatory oversight purposes, making it easier for the RBI to conduct fraud, money laundering, and other investigations.

However, the directive encountered pushback and resistance from the very beginning. Most likely due to practical difficulties (costs, terminating contracts, etc.), several banks and PSOs resisted compliance. In particular, licensed banks argued that the Notification did not apply to them, claiming that:

1. the nature of the business carried out by banks was not one that was intended to be regulated since the Notification was targeted at PSOs;
2. that banks were licensed under the Banking Regulation Act, 1949, and not under the PSS Act (pursuant to which the Notification was issued); and
3. the RBI’s Master Circular on Customer Service in Banks issued on July 1, 2015 provided for separate data confidentiality requirements for banks.

​The resistance continued

Despite the October 2018 deadline to comply with the Notification, compliance was sporadic. It appeared that the RBI had been delaying its enforcement of the Notification, likely because of continuing negotiations with banks and PSOs regarding compliance. A possible mitigating factor could have also been the nascent stage of India’s data localization framework and the privacy law relating to it, which has been and continues to be in draft form since 2018. Further confusion was fueled by the RBI’s decision to require compliance of the Notification from third-party payments apps; this seems to be the stance of the RBI in the litigation relating to WhatsApp Pay. In 2020, the National Payments Corporation of India (‘NPCI’) updated its guidelines, explicitly specifying that third party application providers of the unified payments interface (such as WhatsApp Pay, etc.) would be required to store all payments data in India. In June 2019, the RBI released frequently asked questions on this subject, with its position unchanged regarding the applicability of the notification to banks and PSOs. 

Non-bank players caught in the crossfire

Apart from licensed banks and PSOs, other entities in the payment ecosystem do not fall within the regulatory ambit of the RBI. However, since 2019-20, entities (for eg, an online merchant, intermediary platform, etc.) availing the services of banks and PSOs have been indirectly, ie, contractually, required to comply with the Notification.

If one were to look at this from a strictly legal perspective, the black letter of the Notification applies only to banks and PSOs. An unofficial ‘outsourcing’ of this compliance appears to be taking place, with banks and PSOs requiring this of their customers, so that they can in turn fulfil obligations under the Notification. Such indirect compliance may be treated as the bank’s or PSO’s own compliance. Of course, nothing official has been said about this by any party involved.

Since non-bank or non-PSO participants are unlicensed, there is no precedent of the RBI directly (and publicly) requiring compliance with the Notification or acting against them (though it has very wide powers under law arguably to do this too). An entity availing financial services from a bank or PSO could potentially be held liable for damages, indemnity, injunctions, etc, by the bank or PSO in the event of a breach of contractual conditions.

What this means, and what happens next

The fintech market in India witnessed a significant boom during the pandemic. It was reported that, in 2020, India was ahead of countries like China and the US, in having the highest number of real-time online payment transactions. PWC reported that despite (or maybe because of) the COVID-19 pandemic, 48 billion digital transactions were recorded in India in the year 2020. There is, however, reason to pause—all this is happening in the absence of clarity on the crucial rule of payment data localization. Clear, certain, and (one hopes) reasonable laws for market participants to look to, are necessary if India’s fintech success story is to continue. 

The ban on American Express, Diners Club, and now Mastercard, indicates that the RBI is no longer negotiating applicability. After nearly three years of aligning with banks and PSOs on the Notification, it appears that the RBI is now (finally) focusing on ‘unfettered supervisory access’ and enforcement. Routine follow-ups on compliance, similar impositions of bans or other penalties (like fines/ imprisonment under the PSS Act) in case of lapses can be expected henceforth.

For the time being, entities availing services from banks and PSOs should also be prepared to comply, albeit contractually, in light of these developments. Costs and time associated with such compliance should also be accounted for, including for local data servers, procuring compliance certificates, providing contractual damages or indemnities to cover any non-compliance, technology integration, purchasing insurances, and the like.

Kalindhi Bhatia is a Senior Associate at BTG Legal in the digital business and regulatory practice of the firm.