The Reserve Bank of India (RBI) on April 23 imposed restrictions on American Express Banking Corp. and Diners Club International Ltd. from on-boarding new domestic customers onto their card networks from May 1, 2021.
"These entities have been found non-compliant with the directions on Storage of Payment System Data. This order will not impact existing customers," the RBI said in a release.
American Express Banking Corp. and Diners Club International Ltd. are Payment System Operators authorised to operate Card Networks in the country under the Payment and Settlement Systems Act, 2007 (PSS Act).
The supervisory action has been taken in exercise of powers vested in RBI under Section 17 of the PSS Act, the RBI said.
In terms of RBI circular on Storage of Payment System Data dated April 6, 2018, all Payment System Providers were directed to ensure that within a period of six months the entire data (full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India, the RBI said.
They were also required to report compliance to RBI and submit a Board-approved System Audit Report (SAR) conducted by a CERT-In empanelled auditor within the timelines specified therein, the RBI said.
The RBI action follows the failure of these companies to comply with the central bank’s instructions.
What is the non-compliance?
On 6 April, 2018 the RBI said it has observed that not all system providers store the payments data in India. In recent times, there has been considerable growth in the payment ecosystem in the country. Such systems are also highly technology dependent, which necessitate adoption of safety and security measures, which are best in class, on a continuous basis, the RBI had said.
“In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem,” the RBI said.
Subsequently, the central bank said all system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details, information collected, carried, processed as part of the message and payment instruction, the RBI said, adding for the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required, the RBI said.
The RBI diktat
The RBI asked the system providers to ensure compliance within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018. For this, the RBI said system providers should submit the System Audit Report (SAR) on completion of the requirement at (i) above.
“The audit should be conducted by CERT-In empanelled auditors certifying completion of activity at (i) above. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank not later than December 31, 2018,” the RBI had said.
Going by the RBI statement today, American Express Banking Corp. and Diners Club International failed to meet these directions even after two years since the RBI first issued the directions, thereby inviting the regulatory action.
American Express has lost market share in recent months along with other major players in the credit card market, according to a report by Financial Express on April 21.
The report, which quoted the RBI data, said the issuance of new credit cards fell in February by 47 percent on a year-on-year (y-o-y) basis and 21.57 percent month-on-month. The total credit card base stood at 61.6 million at the end of the month, down 8 percent on a y-o-y basis. ICICI Bank continued to lead in fresh issuances, accounting for over 36 percent of new cards.