While Visa had partially complied with the RBI mandate in 2018, it has now become the first global financial services company to begin storing user data only in India.
Payment card network Visa has complied with the Reserve Bank of India’s 2018 circular on localising payments data, The Hindu Business Line reported. While the company has not made any public announcements on its compliance with that circular, which requires payments industry players to store all user data in India, and only in India, circumstances point to Visa being unlikely to have run afoul of the requirements. Earlier this month, RBI froze banks from issuing new Mastercard payment cards, but has not signalled that it is likely to do the same for Visa.
Why this matters: While Mastercard and Visa are a practical duopoly in many parts of the world, the payment localisation requirements seem to have thrown them off. Mastercard grumbled in 2018 that no other country in the world has such stringent data localisation norms that disallow mirroring, the practice of localising user data while also storing it in servers around the world. As long as Mastercard remains non-compliant, the Indian card payment network market is still a duopoly; but this time, the other player is RuPay, the National Payments Corporation of India’s homegrown alternative.
All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required. — RBI’s 2018 circular (emphasis ours)
The RBI on July 14 said that despite three years passing since its circular, Mastercard had failed to prove that it was storing data in India only. “Notwithstanding lapse of considerable time and adequate opportunities being given, the entity has been found to be non-compliant with the directions on Storage of Payment System Data,” RBI said. This forced RBL Bank and YES Bank to find alternatives for credit cards — these banks have been issuing cards only in the Mastercard network. But that process could take months.
While RBL Bank said it obtained a deal with Visa in the days before the Mastercard ban, it said it would take at least two months to start issuing Visa cards. YES Bank reportedly said it would sign such an agreement this week, and would take at least three months to start issuing Visa credit cards.
Compliance with RBI circular
The circular pegged the compliance time at six months, and some companies said that they had complied in 2018 itself. However, global payments companies resisted, or took time to comply with the RBI’s order. PhonePe said in 2018 that Big Tech companies like Google and Facebook were resisting the order because compliance could potentially increase their tax burden.
In October 2018, the following companies had complied with the circular:
- October 9, 2018: WhatsApp confirms its compliance with the circular.
- October 24, 2018: Alfred Kelly, CEO of Visa says that as of October 15, Visa is storing data locally.
- October 30, 2018: Amazon India says it has started storing payments data locally without mirroring in overseas servers.
The circular has also led to some international pushback: the United States Trade Representative cited data localisation requirements as onerous to American businesses, and partly due to these restrictions imposed (but immediately suspended) sanctions on Indian imports to the US.
- RBI Bars Mastercard From Adding New Customers In India; Flags Non-Compliance With Data Localisation Guidelines
- How Are RBL Bank And Yes Bank Impacted By RBI’s Mastercard Freeze?