What is data localisation & why Mastercard, Amex, Diners Club can’t add more customers in India

Foreign card payment network companies that fail to meet data localisation norms cannot register new customers or issue new cards in India. ThePrint explains.

Illustration: Ramandeep Kaur | ThePrint

New Delhi: The Reserve Bank of India (RBI) has barred Mastercard, American Express and Diners Club from issuing cards in India for their failure to meet data localisation norms prescribed by the regulator in April 2018.

According to RBI’s norms, the three foreign card payment network companies can no longer sign up new customers or issue new cards.

This effectively leaves only two card issuers in the Indian market — Visa and the domestic RuPay.

What are data localisation norms, why India is insisting on them, and what does this mean for the Indian payment ecosystem. ThePrint explains.

What are RBI’s data localisation norms?

Data localisation norms were prescribed by the RBI in 2018. It required all payment system operators to store all payments data in India. Specifically, they were asked to store full end-to-end transaction details and the information collected and processed in India within a period of six months. This includes data such as customer’s name, address, mobile number, Aadhaar and PAN number and other payment-related data.

However, in a relaxation in 2019, through a list of FAQs, the RBI allowed such data to be processed overseas provided it is stored locally. In addition, the data that is processed abroad has to be deleted from the overseas systems within 24 hours, the RBI mandated.

This impacted all foreign card issuers — Visa, Mastercard, American Express and Diners Club.

Why RBI banned Mastercard, American Express & Diners Club

Most of the payment operators opposed data localisation norms and lobbied with the Ministry of Finance and the RBI for a relaxation. They argued that these firms will have to incur substantial costs to build the digital infrastructure required to store data locally.

However, the regulator stuck to its stand, mandating all payment system operators to adhere to the October 2018 deadline.

In two separate orders, the RBI barred Mastercard, American Express and Diners Club from onboarding new customers and issuing new cards for failure to comply with its April 2018 norms despite giving these companies ‘adequate time’. However, the order does not affect existing customers, RBI stressed.

Also read: India’s action against Mastercard shows why the world urgently needs a digital trade deal

What this means for the Indian payment ecosystem

Mastercard and Visa are the two largest global payment systems operating in the Indian market with a substantial presence in both debit and credit card market. While Visa is estimated to have a market share of over 40 per cent, MasterCard’s share is more than 30 per cent.

Banking industry sources confirmed that Visa is compliant with RBI’s data localisation norms. This means that the ban on Mastercard will see banks move their card issuances to Visa and RuPay.

Meanwhile, the banned companies are likely to try to convince the regulator for some leeway from the ban.

Is data localisation only restricted to the payments space?

Taking off from the recommendations of the Justice Srikrishna committee on data protection, the Personal Data Protection Bill 2019 proposes data localisation measures but they are not very stringent. The bill effectively allows flow of data across borders as long as that data is not termed as sensitive or critical.

Since the bill is yet to be passed and the rules notified, what will constitute sensitive and critical data is yet to be defined.

Why data localisation is not just India’s problem

There are various concerns around free flow of data globally. An April 2021 Carnegie India paper pointed out four key concerns expressed by different countries around free flow of data — storage of data on foreign servers impedes data access for domestic national security agencies, the loss of economic benefits due to exploitation of data by foreign firms, concerns about foreign surveillance, and misuse of personal data in violation of privacy rights.

The authors point that many countries have employed data localisation but with varying intensity.

For instance, China requires all important data on critical information infrastructure be localised. Russia requires all personal data of its citizens to be locally stored. The United States requires that all defence-related data be locally stored, they point out.

(Edited by Neha Mahajan)

Also read: What is NUE, the new digital payments buzz Reliance, Tata, Paytm, Google, FB are all chasing