Card declined: Behind India's decision to ban Mastercard
This isn’t the first time that the RBI has penalised a firm for noncompliance with data-storage rules. In April it restricted American Express and Diners Club from adding new customers, violation of the same rules
The Reserve Bank of India (RBI) has barred Mastercard indefinitely from issuing new debit or credit cards to domestic customers for violating the country’s data storage laws.
The central bank said Mastercard had not complied with rules requiring foreign card networks to store data on Indian payments exclusively in India.
Mastercard will be prohibited from issuing debit, credit or prepaid cards to customers from 22 July.
2018 Notification
Mastercard violated a 2018 order directing payments data to be stored in India. This would allow the regulator “unfettered supervisory access” to payment details.
The order in question was issued on April 6, 2018, to all authorised payment systems; scheduled commercial banks including regional rural banks; urban co-operative banks; state co-operative banks; district central co-operative banks; payment banks; small finance banks and local area banks.
It said, in part: “It is observed that not all system providers store the payments data in India. In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries / third party vendors and other entities in the payment ecosystem. It has, therefore, been decided that:
- All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
- System providers shall ensure compliance of (i) above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
- System providers shall submit the System Audit Report (SAR) on completion of the requirement at (i) above. The audit should be conducted by CERT-IN empaneled auditors certifying completion of activity at (i) above. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank not later than December 31, 2018.
“Notwithstanding (the) lapse of considerable time and adequate opportunities being given, the entity (Mastercard) has been found to be non-compliant with the directions of Storage Payment System Data,” the RBI said in a statement on Wednesday.
Also read: Gold loan to ease cash crunch? Pledging vs selling is a key debate
The decision will not have any impact on Mastercard’s existing customers. “Mastercard shall advise all card-issuing banks and non-banks to conform to these directions,” the central bank said.
Mastercard said it was “disappointed” with the decision and that it had provided regular updates on its compliance with the rules since 2018.
“We will continue to work with them to provide any additional details required to resolve their concerns,” it said late Wednesday.
Recent Bans, Lobbying
This isn’t the first time that the RBI has penalised a firm for noncompliance with data-storage rules. In April it restricted American Express and Diners Club from adding new customers, violation of the same rules.
US-based payment service providers have lobbied against the 2018 directive, saying such a move would increase their costs of doing business in India. In fact, in 2019 Mastercard had announced it would invest $1 billion as part of its expansion plans in India. iIt had invested a similar amount in 2014-2019.
Discussions have also taken place at the highest levels, with the US government requesting New Delhi to reconsider the rules.
How the Ban Affects Indian Banks
Indian banks may see card spends and new card issuance decline after the ban. Mastercard has a 33% market share in India while Visa is the biggest player. Most banks have tie-ups with multiple card network operators.
Co-branded cards – issued by a bank in association with a second party, which could be a retail partner, hotel chain, etc – tend to have only one specific operator. “If a particular Mastercard co-branded credit card has high contribution to the overall mix of a credit card player, it will have a higher impact on the issuer’s business growth,” ICICI Securities said in a note.
Some lenders have already begun to migrate from Mastercarad to Visa. On Thursday RBL Bank said that it has signed an agreement with Visa to issue cards to its customers. But it will take RBL eight to 10 weeks to start issuing cards based on Visa’s network.