The Reserve Bank of India on Thursday told the Supreme Court that third party applications (TPAP) such as Amazon, Google and WhatsApp, which had been allowed to facilitate UPI payments (unified payments interface) through mobile and internet banking, do not store customers data outside India.
However, it added that the decision to permit them to operate in the country was taken by the National Payment Corporation of India (NCPI).
According to the RBI, the TPAPs have access to a large customer base running into several million accounts and connect to the UPI system operated by the NPCI only through multiple PSP (payment service provider) banks.
The TPAPs provide the customer interface, while the transactions are processed through the sponsor PSP banks.
However, it said: “The decision to allow an entity to operate on UPI is solely taken by the NPCI under the system rules governing the UPI payment system, which have been framed by NPCI as an operator of UPI.”
“The NPCI has allowed Amazon under the single sponsor bank model of UPI, Google and WhatsApp under the multi bank model to operate as TPAPs,” the apex bank said in an affidavit.
The affidavit has been filed in response to a PIL filed by Rajya Sabha MP Binoy Viswam seeking privacy safeguards and data protection for UPI platforms such as Google Pay, Amazon Pay, Paytm, PhonePe and BHIM.
Viswam had alleged that the RBI and the Centre had compromised the interests of millions of Indians by providing access to these TPAPs to carry out UPI transactions without any proper regulations.
“It is important to note that the RBI does not give any approval to TPAPs (as they do not operate a payment system) and thus they are not system providers as defined in Section 2(q) of the PSS (Payments Settlement System) Act, i.e. authorised payment system operators, and, therefore, they do not fall under the regulatory domain of the RBI directly.”
“NPCI is the system provider of UPI and, therefore, comes under the regulatory radar of the RBI. Since it was NPCI that allowed Amazon, Google and WhatsApp to operate under the UPI, the responsibility to ensure that these entities comply with all the rules governing UPI lies with it,” the RBI said.
However, RBI said that it had, issued a circular dated April 6, 2018, by giving directions under section 10(2) read with section 18 of the PSS Act, 2007, mandating all system providers to, ensure that the entire data relating to payment systems operated by them is stored in a system only in India.
“This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction.
“…The circular places the onus on the system providers, which in the case of UPI is NPCI, to ensure that the entire data (i.e. end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) related to the payment systems operated by them is stored only in India.”
Adding : “It is submitted that RBI’s directions issued vide circular dated April 6, 2018 on Storage of Payment System Data pertain only to payment data storage and not data sharing or privacy.
“RBI has not issued any instructions on data sharing by TPAPs or the participants of UPI. Matters related to data privacy and data sharing come under the domain of the Government of India,”the affidavit added.
The case would come up for hearing on Monday.