The Reserve Bank of India has barred American Express Banking Corp (American Express) and Diners Club International Ltd (Diners Club) from taking on new credit card customers after they failed to comply with the banking regulator's directive to store payments data only in the country.
“The RBI has, by order dated April 23, imposed restrictions on American Express and Diners Club from on-boarding new domestic customers onto their card networks from May 1. These entities have been found non-compliant with the directions on Storage of Payment System Data. This order will not impact existing customers,” the central bank said in a statement today.
American Express and Diners Club are payment system operators authorised to operate card networks in the country under the Payment and Settlement Systems Act, 2007 (PSS Act).
The RBI said the supervisory action had been taken in exercise of powers vested under Section 17 of the PSS Act.
According to RBI data, as of February this year, American Express had more than 15.59 lakh credit cards outstanding.
Back in April 2018, the central bank had directed payment system providers to store all the data pertaining to payment systems only in India within a period of six months. They were required to report compliance to RBI and submit a board-approved system audit report (SAR).
The directive was issued after the banking regulator observed that not all system providers were storing the payments data in India.
The data storage directive is designed to ensure better monitoring of payment system operators. It will also provide unfettered supervisory access to data stored with these system providers, their service providers or intermediaries and other entities in the payments ecosystem.
The payment system operators are required to store end-to-end transaction details in the country.
If there is a foreign leg in the transaction, then only that portion of the data can be stored overseas.
However, some overseas firms were worried that the RBI directives would raise costs and compliance requirements, and had reportedly suggested data mirroring options instead of a rigid storage requirement in India.
The RBI, however, did not budge from its stand. In an FAQ issued in 2019, it said if the payment processing is done abroad, the data should be deleted from the systems there and brought back to India within 24 hours.