The Reserve Bank of India (RBI) has announced that it will lift its business restrictions imposed on American Express Banking Corp. (Amex), according to a press release. The decision was taken after Amex complied with the RBI’s 2018 circular mandating storage of payment system data within India, the central bank said in the release.
Why it matters: Amex has a paltry market share in India’s credit card space but it was the only international card issuer which was yet to comply with the RBI circular. Visa, Mastercard, and Diners Club, had already complied with the circular so Amex’s compliance now ensures that all international car issuers can operate in India.
What does it mean: The restrictions imposed by the central bank prevented Amex from inducting new domestic customers into its fold from May 1, 2021. The order was issued by the RBI on April 23, 2021.
- Amex can now commence its operations and onboard new domestic customers with immediate effect.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
What did Amex say: The company released a boilerplate statement welcoming RBI’s decision while extending its “gratitude” to all its stakeholders.
— Amex India (@AmexIndia) August 24, 2022
Who else has complied with the circular: Mastercard was the last company to comply with the RBI circular before Amex. The central bank lifted its restrictions on June 16, 2022 allowing banks to start issuing cards on the Mastercard network again.
- Visa was the first to comply with the circular in July 2021 and has managed to take advantage of Mastercard’s absence.
- The RBI lifted restrictions on Diners Club in November 2021 leaving only Mastercard and Amex under the central bank’s restrictions.
How did this hurt Mastercard’s business: The restriction on Mastercard resulted in many banks shifting to Mastercard’s arch-rival, Visa, including RBL Bank and Yes Bank. The issue also reportedly irked the US government and a senior US trade official termed the move “draconian.”
- Mastercard said that it complied with the local data storage norms a month after it was barred, but it’s not clear why RBI took so long to vacate its restrictions.
What are RBI’s card localisation guidelines: In April 2018, the RBI had issued the following directions after it observed that not all payments companies were storing data in India:
- Entire data relating to payment systems must be stored in a system only in India
- Ensure compliance within a period of six months and report it to the RBI by October 15, 2018
- Furnish the System Audit Report (SAR) by CERT-IN empanelled auditors by December 31, 2018
What happened in 2019: The RBI went on to clarify the guidelines in June 2019 following concerns raised by the industry:
- What data should be stored in India: The central bank elaborated on data that had to be stored in India mandatorily:
- Customer data: Name, mobile number, email, Aadhaar number, PAN number, etc.
- Payment sensitive data: Customer and beneficiary account details
- Payment credentials: OTP, PIN, passwords, etc.
- Transaction data: Origin and destination system information, transaction reference, timestamp, amount, etc.
- Applicable to: The norms were applicable to transactions made through system participants, service providers, intermediaries, payment gateways, third-party vendors, and other entities in the payments ecosystem apart from all the payment system providers authorized by the RBI.
- Data processed outside: The central bank clarified that there is no ban on overseas processing of strictly domestic transactions but the data should be brought back to India within one business day or 24 hours of payment processing and be stored locally here.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also read:
- RBI has zero info on payment ecosystem readiness for new card storage rules, RTI reveals
- India’s data localisation norms and IT Rules are significant barriers to digital trade: US government
- RBI bars Mastercard from adding new customers in India; flags non-compliance with data localisation guidelines
