The Reserve Bank of India (RBI) on Wednesday, July 14, barred MasterCard from onboarding new domestic customers including debit, credit or prepaid cards users onto its network. The ban will come into effect from July 22. The supervisory action has been taken in the exercise of powers vested in RBI under Section 17 of the Payment and Settlement Systems Act, 2007 (PSS Act). In terms of the RBI circular on Storage of Payment System Data dated April 6, 2018, all System Providers were directed to ensure that within a period of six months the entire data (full end-to-end transaction details/ information collected/ carried /processed as part of the message/payment instruction) relating to payment systems operated by them is stored in a system only in India.
MasterCard has remained defiant. Several private-sector lenders like HDFC Bank, Yes Bank, ICICI Bank, RBL Bank have tie-ups with MasterCard for debit and credit cards. However, from July 22, no banks will be able to issue new cards on the MasterCard network anymore. According to the data released by London-based payment startup PPRO, MasterCard accounted for over 30 percent of all card payments in India. Earlier, the RBI had restricted American Express Banking Corp and Diners Club International Ltd from onboarding new domestic customers onto their card networks from May 1 for violating data storage norms.
Data security the primary concern
The RBI reading the riot act to card service providers may seem to be of a piece with the government’s new regulations on ecommerce portals and social media websites. The common thread of course is if you wantto operate in India, you should abide by Indian laws, period. But in case of card business, there is something more vital at stake –the financial data security. The RBI is on dot when it says the financial data relating to Indian users must be stored in India i.e. in servers located in India. Otherwise, such data can become a matter of commerce with anyone at all being able to access them gratis or for a price.
The advent of co-branding has heightened the possibility of one’s financial data dangerously floating around for crooks and blackmailers to access. These card schemes are 14 percent and 15 percent of outstanding cards for Axis and ICICI, with the former patronising MasterCard for its Flipkart tie-up and the latter Visa for its Amazon tie-up. The multinational card service providers and multinational ecommerce firms can combine to make a meal of Indian data rooted in foreign servers. And up close, ‘Alexa’, which to be sure while being a huge help for homemakers, is resented for its unobtrusive peeping tom role. That family powwows are captured by it and quietly passed on to its distant data storage servers is indeed a disquieting development.
Leg up to atamanirbhar
MasterCard’s loss would be Visa’s and the indigenous Rupay’s gain. But then Rupay despite its impressive market share in the card space remains a major debit card player with international payment gateways shunning its credit card. So visa is going to step into the breach left by MasterCard in the credit card space. Be that as it may, the government’s aim is to ultimately elbow out the foreign card providers from their preeminent position as there is a sizeable outgo of foreign exchange towards their commission for their services which is not exactly a rocket science. The homegrown Rupay has captured 58% of the card market (in terms of number of cards issued) with the abolition of merchant discount rate (MDR) acting as a gravitas to make the switch in its favor. Mobile apps by our fintechs are also rendering cards redundant pro tanto. But it would be unfair to attribute their successes to the RBI reading the riot act to the multinational card service providers. Security concerns are genuine.
Cyber war too real to be ignored
It is now almost axiomatic that nuclear war is passé and that cyberwar is more potent. The suspected Russian hacking of New York gas system recently as well as the suspected hacking of BSNL data by the Chinese is not mere products of paranoia or feverish imagination of overwrought minds. While hackers in particular and the virtual world in general don’t respect borders, people are chary of giving away their data on a platter to those with evil intent. The Chinese of all the people were chary of buying Tesla electric cars as they suspected its cars being secretly equipped with eavesdropping devices. Well if the devil can quote the scripture, it can also suspect devilish behavior from others!! The short point is whether it is through the brazenly clandestine hacking/eavesdropping or through clever use of data stored on servers, the bottom line is compromising with data security.
Net-net, the RBI’s tough stand kills two birds with one stone—- addressing data security concerns and leg up to domestic payment platforms.
S. Murlidharan is a CA by qualification and writes on economic issues, fiscal and commercial laws. The views expressed in the article are his own.