The expansion of credit card issuance which slacked during the year 2020-21 due to the pandemic, is about to experience an additional setback after the Reserve Bank of India (RBI) pressed limitations on the global payment system operator Mastercard. The banking regulator has so far prohibited three foreign card payment network firms-American Express, Mastercard and Diners Club- from allowing new customers on board over the issue of preserving data in India.
In December 2020, the largest credit card issuer in the Indian market-HDFC bank-was prohibited by RBI after successive blackouts in the bank’s internet and mobile banking platform. As a result, HDFC which had a strong card base of 15.38 million in November, witnessed its card base receding to 14.58 million in May. Before the ban, HDFC was expanding its card base by issuing 2 lakh cards per month. Due to the ban imposed by RBI, the comprehensive growth of credit cards in the system was also affected.
Why has RBI imposed such restrictions on these companies?
On July 14, the RBI imposed limitations on Mastercard Asia Pacific Pte Ltd from onboarding new domestic customers-credit, debit, prepaid-in the country effective from July 22, pointing to non-compliance with regulations for storage data in India. The RBI mentioned that it has already given three years for the company to fall with the regulatory framework, but unfortunately, Mastercard failed to fulfil the demands.
This year in April, the RBI had pressed restrictions on American Express Banking Corp and Diners club International Ltd from registering new domestic customers onto their base from May 1, 2021, also pointing at non-compliance of storage data.
Will RBI’s new guidelines impact the existing cardholders and banks?
No. If you’re a customer using a credit or debit card with Mastercard, Diners Club or American Express for your transactions, you can continue using them. Banks and non-banking finance companies that were looking forward to using these payment networks won’t be able to register new customers using these networks until the ban is lifted by the RBI. Nomura bank group in a report said that, currently, Visa Inc and homegrown National Payments Corporation of India’s RuPay as payment facilitators are under no restrictions.
At the same time, they are unsure whether Visa has completed all the procedures and fulfilled all the requirements of data localization as demanded by the Storage of Payment System Data circular of the RBI. They further assured that the existing customers, especially the credit card users are not expected to face any trouble in the near future. But, in the medium term, there could be problems if the situation continues. Banks that were looking forward to adding new customers through Mastercard will have to turn towards Visa for enrollment.
The banks that are expected to suffer the most are Yes Bank, Bajaj Finserv and RBL Bank because their entire card schemes are joint with Mastercard, according to the Nomura group. Almost 60 per cent of HDFC’s card schemes are allied with Mastercard, Diners Club and American Express. For Axis Bank and ICICI Bank, 35-36 per cent are linked to Mastercard. Kotak Mahindra’s card portfolio is tied with Visa.
What do the RBI guidelines specify?
On April 6, 2018, RBI released a circular on Storage of Payment System Data which directed all system providers to ensure that within a time limit of six months the complete data (full end-to-end transaction details, information collected or processed or carried as part of the message or payment instruction) concerned to payment systems managed by them is preserved in a system only inside the country.
The providers were also asked to report abidance to the banking regulator and submit a board-approved system audit review conducted by an auditor selected by CERT-In within the mentioned timeframe. The credit card companies with global operations have since been protesting against RBI’s such move, pointing to high expenses, security threats, lack of clarity, impossible time limit, and the chances of similar data localization demand from various other countries.
According to the Founding Director of think-tank The Dialogue, Mr Kazim Rizvi, the RBI’s resolution to prohibit payment system providers from onboarding new customers is a critical development in their attempt to check that all payment system providers localize or preserve their end-to-end transaction data only in the country. Rizvi further stated that “the driving force behind the RBI’s such restrictions is to carry out effective law enforcement requirements as data access for law enforcement purposes has been a challenge.”
Why have these companies not complied with the guidelines?
The RBI had specified that the data should be preserved only in the country and no copy or mirroring of the data should be stored anywhere outside India. Payment giants like Mastercard and Visa, which presently preserve and process Indian transactions outside India, have said that their systems are centralised and conveyed their anxiety that it will cost them millions of dollars to transfer the data storage to India. They also fear that once they abide by the RBI’s guidelines and transfer the storage to India, several other countries might put forward similar demands which will be harmful to the company’s growth.
What has disturbed foreign companies is that domestic payment firms, including e-commerce companies, which are preserving the data within the country, were imposing pressure for data storage within India. The Finance Ministry, on the other hand, had suggested moderating some norms in transferring the data storage. But, the RBI has refused to shift, expressing that the payment systems need minute observing during the times of rising use of digital transactions.
Is there a possible solution?
According to experts, it is necessary for all payment system providers to abide by the RBI’s localization directive. But at the same time, they also fear that this move may impact India’s payment ecosystem. Mr Rizvi suggested that for India to have a more effective mechanism for law enforcement, the country needs to take a step beyond MLAT (Mutual Legal Assistance Treaty), which is slow and ineffective. India needs to move towards a system that is based on bilateral treaties on data transfers with the UK, the EU and the US.
The treaties must emphasize the idea that the Indian law enforcement requirements of access to data storage are satisfied in a timely manner and consequently permitting data flows to encourage innovation and commerce in the tech environment. However, the RBI is strictly against the proposal that a copy of data stored outside the country be brought to India.
The role of card networks
The payment companies such as Visa, Mastercard and the National Payment Corporation of India (NPCI) are Payment System Operators authorized to manage a card network in India under the Payment and Settlement Systems (PSS) Act, 2007. Under this Act, the RBI has the full power to regulate and supervise the payment systems in the country. The RBI’s payment system authorizes payments to be managed between a payer and a beneficiary and includes the process of payment, or settlement, or clearing, or all of them.
Money transferred using credit cards or debit cards are routed through payment platforms like Mastercard, NPCI and Visa. The RBI has authorized non-bank entities-Prepaid Payment Instrument (PPI) issuers, White Label ATM operators, card networks, Trade Receivables Discounting Systems (TReDS) platforms- to become members of the country’s centralized payment system (CPS) and manage transactions through RTGS and NEFT.
India’s card business
According to the data supplied by the RBI, as of May 2021, there were 90.23 crore debit cards and 6.23 crore credit cards in the country. There were 57,841 lakh debit and card transactions valued at Rs 12.93 lakh crore during 2020-21. Of these, debit card transactions amounted to Rs 6.62 lakh crore.
Edited by Tanish Sachdev