American Express (Amex) on March 1 emailed its credit-card holders that it will be sharing financial information about their card accounts with National E-Governance Services Limited (NeSL) starting April 2022. Amex cited a 2017 RBI circular as the reason for this decision, but cardholders and other experts have raised concerns on the legality of this data-sharing mandate by RBI, as well as the privacy implications of such data sharing and the precedence it sets for future sharing of financial information of Indian citizens.
Vinayak Hedge, an Amex cardholder who received the email and flagged the issue on Twitter, said that the sharing appears “to be a wrong interpretation of the law and/or bureaucratic overreach. Sharing personal credit card spend information with govt agencies without consent.” Speaking with MediaNama, Hegde laid out the following key concerns:
- No-opt out from this sharing
- Not obvious how much data will be shared
- No idea how the data is kept by NeSL and if there is any purpose limitation
- No clarity on the purpose of sharing of data of individuals under laws meant for corporate insolvency
“I just bought a credit card and there was nowhere in the contract that this data will be reported. My only option now is to cancel. But then I have subscriptions and other things on that card and it’s a headache to get new cards. It also affects your CIBIL score, a three-digit numeric summary of your credit history. So again, there is some amount of lock-in, for lack of better word. Not exactly lock-in, but something similar. There is some friction.” – Vinayak Hedge
These concerns apply to the RBI mandate and not necessarily to Amex’s decision because other card issuers are also expected to follow suit. An American Express (Amex) spokesperson told MediaNama:
“Amex confirms that it acted in adherence to RBI circular and NeSL directions provided to Banking and Credit Card industry, which advised a phased reporting approach for corporate and consumer portfolios respectively.”
The “phased reporting approach” could explain why a 2017 RBI circular is only gaining attention now.
Why is Amex sharing credit card account information with NeSL?
The RBI circular states:
“According to Section 215 of Insolvency and Bankruptcy Code (IBC), 2016, a financial creditor shall submit financial information and information relating to assets in relation to which any security interest has been created, to an information utility (IU) in such form and manner as may be specified by regulations.” (emphasis ours)
In other words, the RBI circular mandates financial creditors like Amex to submit information related to debts to an information utility (IU). NeSL is currently the only IU registered with the Insolvency and Bankruptcy Board of India (IBBI).
What does NeSL do? “The primary role of NeSL is to serve as a repository of legal evidence holding the information pertaining to any debt/claim, as submitted by the financial or operational creditor and verified and authenticated by the parties to the debt,” NeSL’s website reads.
Why this data-sharing mandate by RBI might be illegal?
1. Contradiction with the CIC Act
Section 3 of the Credit Information Companies (Regulation) Act, 2005, prohibits companies from collecting credit card information such as the amount of credit and the amount outstanding without obtaining a certificate of registration from the RBI under the Act. Companies that are registered with RBI as CICs include CIBIL, Experian, Equifax, and CRIF High Mark. NeSL is not registered with RBI as a CIC, which makes its collection of credit card information illegal according to the CIC Act.
MediaNama reached out to NeSL pointing out this contradiction, but the company did not directly acknowledge the issue and instead stated that its practices are being carried out under IBC, 2016. MediaNama has also filed an RTI with RBI and IBBI seeking clarification on this issue.
Commenting on this, Srikanth Lakshmanan of Cashless Consumer Collective told MediaNama:
“RBI, which should actually oversee entities collecting credit information without license, is suggesting financial institutions to share data to an entity not regulated by it. The IBC itself doesn’t resolve the conflict it has with CIC Act, leave alone their compliance to spirit of privacy judgement.”
2. The IBC is not well-defined for individual insolvency
The Insolvency and Bankruptcy Code (IBC), 2016, which RBI uses as the legal basis for this data sharing, is laid out clearly for corporate insolvency, but when it comes to individuals there is no clear insolvency regime.
The provisions of IBC that pertain to individuals are yet to be notified by the government with the exception of personal guarantors, Sandeep Bajaj, Managing Partner at PSL Advocates, told MediaNama.
Srikanth Lakshmanan noted that as recently as December 2021, the Insolvency and Bankruptcy Board of India was still discussing a (tentative) legislative framework for individual insolvency, but NeSL in August 2020 announced that it will collect individual’s financial information including credit card information, gold, MFI loans from financial providers, with no law backing it.
— Srikanth.CashlessConsumer | ஸ்ரீகாந்த் (@logic) March 1, 2022
Nirav Shah, Partner at DSK Legal, an Indian law firm, said that:
“NeSL makes sense for corporate debtors because it makes it easier for creditors to make out a case for default before National Company Law Tribunal (NCLT) / National Company Law Appellate Tribunal (NCLAT) simply by producing a report from NeSL. However, this may be bit tricky because insofar as personal insolvency is concerned, there is still a grey area whether lender can straight away go against an individual for personal insolvency under IBC.”
Given this lack of clarity, Amex sharing the credit card information of individuals with NeSL raises eyebrows as to whether the RBI circular is extralegal in using the IBC as the basis to demand this data sharing.
However, the IBC has broad definitions of who all are covered under the code. For example, Section 2 of the IBC says that the provisions apply to “partnership firms and individuals” even though there is no clearly defined set of provisions when it comes to individuals. Because of this inclusion, multiple lawyers who spoke to MediaNama said that IBC might allow the collection of debt data pertaining to individuals as well.
Even though the laws for individual insolvency are yet to be implemented under the code, “NeSL can basically collect information on any kind of financial debt which is due and unpaid.” – Aditya Chopra, the Managing Partner at Victoriam Legalis
NeSL also responded to MediaNama’s query stating: “The IBC covers all categories of Debtors viz., Corporates, Other Commercial Entities and Individuals.”
What are the privacy concerns of this RBI mandate?
“Of course, I would have concerns about my data being shared. The thing is India has no privacy law. Data is shared without warning and information,” Prasanto Kumar Roy, a technology and public policy analyst who is also an Amex cardholder, told MediaNama. But, Roy said that this is not a concern that is specific to Amex’s sharing with NeSL and that it applies to information sharing with CICs like Experian and CIBIL as well, and to the wider range of data sharing currently taking place.
Vinayak Hegde, in addition to the key concerns, pointed out earlier, brought up the issue of scope creep:
“If you follow this place for a while, you know that there is a lot of scope creep. People can say now we have this data, let’s use it for this, let’s use it for that. And that kind of continues, right?”
Srikanth Lakshmanan pointed out that this will go against the Puttaswamy judgement:
“If one sees the spirit of proportionality in Puttaswamy judgement — and if the IBC law actually codifies individual insolvency regime — why should card dues data of all card holders be shared to an IU and then have them validate the credit claim, presuming they all will go bankrupt? What prompted to cite RBI circular that is dated 5 years ago, which is open worded for IBC compliance to share personal data that is specifically outlawed in CIC Act? If this is RBI doing it, why is that no other credit card issuer telling it to customer?”
Lakshmanan also noted that it helps RBI build an extralegal database like the Public Credit Registry.
— Srikanth.CashlessConsumer | ஸ்ரீகாந்த் (@logic) March 1, 2022
Adding to this, Lakshmanan told MediaNama:
“This collection of all credit data – is fundamentally akin to build a Public Credit Registry (which RBI again is building without a law, regulatory powers to build one) and resting these with a private entity that is quassi owned by a Public Sector Undertaking (PSU) titled with ‘National’ is deceiving users at multiple levels to part with their data.”
Other credit card issuers are not sharing data with NeSL
As of now, it appears that Amex is the only credit card issuer that is sharing data with NeSL. This can be ascertained because the data shared with NeSL by credit card companies need to be verified and authenticated by the cardholder on the NeSL website, which means cardholders of other banks would have been aware of any such sharing was taking place.
Good move by Amex:
“Once the information is filed with NeSL and that person suppose maxes out the card and incurs lot of debt, then to that extent it makes bank’s life easier if they want to take that person to the court for insolvency. Once the report from NeSL is produced, the Tribunal need not look at any other document to ascertain the fact that there has been a debt due and payable and that there has been a default. It may be a good move because it kind of eliminates all sorts of future arguments that a borrower could take that this amount has been paid or the interest is excessively charged.” – Nirav Shah, DSK Legal
Amex is going by its global disclosure norms:
One of the experts who spoke to MediaNama said that other banks are also working on data sharing with NeSL but they are yet to announce it and Amex is doing so in accordance with its global privacy and disclosure norms.
Part of an ongoing review of compliance? Since May 2021, Amex has been barred by RBI from onboarding new customers for violations of the data localisation norms. Back then, the company said that they are in regular dialogue with RBI about data localisation requirements and have demonstrated their progress towards complying with the regulation. Amex’s compliance with the 2017 RBI circular on data sharing with NeSL could be part of this compliance overhaul.
MediaNama has reached out to HDFC, ICICI, and Citibank asking if they share data with NeSL as per the RBI circular and will update this post if we get a response.
What data will Amex share with NeSL?
Amex said that the following information about cardholders will be shared with NeSL, but the list does not appear to be exhaustive:
- Demographics including name, email address, PAN number, etc
- Total outstanding
- Credit limit
How will credit card debts be calculated?
Rahul Matthan, Partner at Trilegal, raised concerns on how credit card debts will be calculated for reporting:
It is also unclear to me as to how they will comply. They have to submit Loan Agreement Numbers, Date of Disbursement, Date of Maturity, etc. Are they planning to do this for each credit card transaction?
— Rahul Matthan (@matthan) March 1, 2022
How will the data sharing take place?
Sharing financial information with NeSL is a bilateral process:
- Amex submit financial information about cardholders to the NeSL database every month
- NeSL sends a notice to the cardholder to authenticate the details submitted by Amex
- Cardholders are required to register on the NeSL portal to authenticate/dispute the information submitted by Amex
- Once a record is authenticated or disputed by the cardholder, NeSL send a confirmation email to the cardholder
- If a customer does not authenticate/dispute a transaction after three reminders, then the transaction is deemed authenticated.
Will it impact credit rating?
Unlike reports sent to CICs, information sent to NeSL will not impact credit ratings, Amex clarified.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
What will be the future of payments in India?
Do you want to keep track of all government and RBI policies related to payments in India but don’t have the time? Relying on scattered content from across the web makes it feel harder than it needs to be.
Subscribe to MediaNama and get crisp, timely updates on tech policy developments in India and across the world.
- RBI Blocks American Express And Diners Club From On-Boarding New Customers
- NeSL Receives Final Approval To Become India’s First Information Utility
- Exclusive: Visa, MobiKwik And 17 Other Payment Operators Did Not Submit RBI-Mandated Audit Report
- RBI Allows Diners Club To Start Reissuing Credit Cards In India, Mastercard And Amex Continue To Be Barred
Have something to add? Subscribe to MediaNama here and post your comment.