A media outlet that stands for a free market, Sirf News does not condone callous disregard for regulations by any player, domestic or foreign, which is exactly what Mastercard has shown by ignoring deadlines that the Reserve Bank of India had set for moving customers’ data on servers located outside the country and also failing to erase the Indian leg of data of the transactions from overseas servers within 24 hours as mandated. The US-based payments major’s defiance adds a new dubious chapter to the act of thumbing the nose at the government by brazen social media companies. Mastercard did not stop at that. The card network failed to appoint a domestic auditor certified by the country’s nodal cybersecurity agency, the Indian Computer Emergency Response Team, to conduct its external compliance audit, which was again like Twitter dragging its feet over the mandatory compliance with new IT rules that include recruiting a grievance redress officer separately for this country. For internal fraud checks of its own, Mastercard may send a copy to its international servers to weed out malicious transactions, but it must appreciate that the company has been registered as a payment system operator authorised to operate a card network in the country under the PSS Act.
With a total of 62.3 million credit cards and 902.3 million debit cards in circulation in the market of this country, the RBI had to tighten data storage norms for PSOs through a notice issued to chief executives of all such licensed companies in India. In accordance with the rules introduced in March, all PSOs from FY2022 had to submit detailed compliance certificates to the central bank twice a year, signed by the respective chief executives or managing directors, confirming adherence to all RBI regulations around security and storage of payment data besides the rules announced in April of 2018 where it asked these corporations to submit a board-approved annual system audit report by CERT-empanelled auditors. The firms were also asked to submit a one-time compliance report with data localisation norms, which make it compulsory that the data relating to payments in India will be stored in a server physically present in the country by December of 2018. The RBI had asked for these certificates to be submitted on 30 April and 31 October every year. Mastercard simply did not care. With some part of the transaction data kept in India but a significant part of information related to transaction processing and fraud checks going out, the foreign firm has been indulging in dual record maintenance, which the regulator could not have been okay with. Hackneyed corporate responses like saying Mastercard has continuously been engaging with the regulator including submitting system audit reports on a regular basis or that the company is “fully committed to legal and regulatory obligations” in India do not wash although it is for the RBI to issue a clarification about the firm’s data localisation framework in April 2021, which the company submitted late on 20 July.
The central bank rightly imposed regulatory restrictions on Mastercard last week, barring it from onboarding new domestic debit, credit, or prepaid customers on its card network in India from 22 July. Of course, the restrictions are on Mastercard’s new cards alone and not the existing ones customers hold. The rule that all foreign payment operators storing card and customer-related data must do so in servers physically present in India is unexceptionable. The matter is not merely of customers getting hassled by targeted advertisements; the ability of an overseas company, especially one that is headquartered in a country like the US where capitalism happens through a truck with the state, to exploit Indian data compromises national security or at least creates the possibility of the country getting arm-twisted by a government that is not its own. Since April 2018, when the relevant RBI rules were issued, the foreign payment processors did get the leeway of transferring card storage data abroad for a seamless flow, provided they deleted the data within 24 hours. For Mastercard, there are robust fraud risk engines that collate data from different switches across the world to prevent cross-jurisdiction cloning or phishing attacks, but the company’s insistence on storing the data abroad got it on the wrong side of the Indian regulations. The regulator had reasons to not trust Mastercard when it wanted its overseas auditor appointed by the global unit to perform the external audit.
But Mastercard was hardly singled out for harsh treatment. The decision of the RBI to tighten data storage norms, earlier this year, attracted curbs also on US-based American Express and Diners Club for non-compliance. Notably, however, neither the US-based Visa nor the National Payments Corp of India’s RuPay is forwarding the defence that a certain part of the data on transactions processed has been moved to this country. If the RBI wants data stored end-to-end locally in the country, the said foreign and domestic companies are complying with it. This addresses the usual refrain that India scores poorly on ‘ease of doing business’, as there are players happily adhering to the rules. With Visa and Mastercard together processing a significant chunk of over 70% of India’s credit cards, why should one major player be uncomfortable with the regime if the other is not? Being pro-market means being pro-consumer. Unruly foreign businesses are also hurting the interests of that part of the market — the customers — whose concerns must be the regulator’s priority.