The Master Card Story– Master (Card) to fall in line with the dictum of the real Master (RBI)

Leave a Comment / Published / By

24/09/2021

Published in Linkedin on 24/09/2021

In this Article we will try to cover all the aspects of the payments card- Master card fallout with the Reserve Bank of India (“RBI”) which is the regulatory Central bank of India responsible for regulating the currency and credit systems of India.

Let start by first understanding what are payments card, how many are active in India and what is the market share of each of them?

Visa and Mastercard are international payment processing networks who had almost a duopoly in most of the countries for a very long time. They do not issue cards of their own but get in arrangements with other banks, credit unions and financial institutions to issue cards and perform transactions. Some payment networks like American Express and Discover also issue direct cards. 

Rupay is also an international card system, but it is khalis desi venture started by NPCI in 2012 which targeted the duopoly and excessive fees charged by Master bank and VISA and we can say it has quite achieved its goal in a span of few years. Data released by the Reserve Bank of India reveals that in 2020 there were 60.36 crore RuPay cards issued and Rupay had a total market share of over 60 per cent of the total cards issued. But it should be noted that a significant proportion of RuPay cards is in the nature of debit cards with only 9.7 lakh credit cards issued as in 2020.

Market trends indicate that Visa has the second largest issuance of cards followed by Mastercard though there is no official data.

All the payment networks are authorized to operate under the Payment and Settlement Systems Act, 2007 (PSS Act).

So, what are the RBI’s data localisation norms?

RBI issued a Directive on 06 April 2018 under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007) which mandates that:

  • all system providers should ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
  • this data should include the full end-to-end transaction details/ information collected / carried / processed as part of the message / payment instruction.
  • for the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.[1]

The RBI also specified a timeline for completing this requirement which was within a period of six months from the date of the notification and asked to report compliance of the same to the Reserve Bank latest by October 15, 2018. 1

It further asked the System providers to submit the System Audit Report (SAR) based on audit conducted by CERT-IN empaneled auditors certifying the completion of the requirement, duly approved by the Board of the system providers was required to be submitted to the Reserve Bank not later than December 31, 2018. 1

It was later clarified that SAR should inter-alia include Data Storage, Maintenance of Database, Data Backup Restoration, Data Security, etc.[2]

RBI issued clarification on implementation issues raised by the Payment System operators (PSO’s) in the form of FAQ’s on June 26th, 2019 which clarified further points like:2

  • The data stored in India should include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered / transmitted / processed as part of a payment message / instruction. This may, interalia, include – Customer data (Name, Mobile Number, email, Aadhaar Number, PAN number, etc. as applicable); Payment sensitive data (customer and beneficiary account details); Payment Credentials (OTP, PIN, Passwords, etc.); and, Transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).
  • or cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.
  • Regarding processing of payment transactions, there is no bar on processing of payment transactions outside India if so desired by the PSOs. However, the data shall be stored only in India after the processing. The complete end-to-end transaction details should be part of the data.
  • In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than the one business day or 24 hours from payment processing, whichever is earlier. The same should be stored only in India.
  • However, any subsequent activity such as settlement processing after payment processing, if done outside India, shall also be undertaken / performed on a near real time basis. The data should be stored only in India.
  • In case of any other related processing activity, such as chargeback, etc., the data can be accessed, at any time, from India where it is stored.

And the most important question that was answered by RBI was can the payment system data be shared with overseas regulators?

RBI Clarified that the data may be shared with the overseas regulator, if so required, depending upon the nature / origin of transaction with due approval of RBI.

Master card woes:

On July 14, 2021, RBI imposed an indefinite ban on Mastercard from issuing new credit, debit, and prepaid cards to be effective from July 22, 2021. 

As per reports published in Economic Times, the Reserve Bank of India barred Mastercard Inc. from issuing new cards in India after it found that the US-based payments major was storing customers’ data on servers located outside the country and also failing to erase from overseas servers the Indian leg of the transactions data within 24 hours as mandated.

Therefore, Mastercard has been barred by RBI from issuing new cards acquiring because of its non-compliance with the data localization norms laid out by RBI. Master card was third to be banned after American Express Banking Corp and Diners Club International.

RBI has categorically stated that Master card was given adequate opportunities but still it has not complied to its satisfaction. However, relief was given by RBI that it can continue to service existing customers.

What is the position of the other Payments cards in India and who can benefit from the woes of Master Card?

One of the first payment card systems to comply with the RBI requirements on data localization was VISA and it can surely expect reward for coming first. With RBI’s move to ban Master card and American Express from servicing new users in India not difficult to guess who gets a major piece of the cake…VISA offcourse … no points for guessing, a larger market share and new users are awaiting to be captured. Most the banks who were earlier tied up with Mastercard are already reaching out to VISA and home grown Rupay.

Coming to Rupay, the home-grown desi boy hardly 5 to 6 years old but already being hailed as the one who would break the sort of duopoly of VISA and Mastercard in India. It has managed to become the largest issuer of Debit cards by volume and second largest by value in India. Now with Mastercard facing restrictions like being bitten by the snake in the snake and ladder game of sorts, Rupay has a got a ladder in front of it to climb higher.

A little necessary background important to understand the complete picture

In the year 2018, startled and overwhelmed by the growing market of Rupay, Master card and Visa accused the Indian government of favoring the home-grown card by helping it with its reach, influence and policies. The words used by them were strong which showed that the frustration was another level. After all they are used to enjoying the duopoly from decades. There were also allegations of an unspoken ‘mandate’ to all banks to help the spread of RuPay cards.

Rupay also had a lower transaction fees upto almost 30% which is hailed to be a major factor contributing to its success.

What is the stand of Master card and where are things as on date?

After the ban, Mastercard’s auditor Deloitte performed a “supplemental audit” and a new report was submitted on 20th July 2021 to the RBI, as per Reuters report.

“We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard said in a statement in response to a set of queries sent by PTI.[3]

Furthermore, Mastercard said, “We look forward to continuing our conversations with the RBI and reinforcing how seriously we take our obligations. We are hopeful that this latest filing provides the assurances required to address their concerns.”

What is RBI going to do next is something that we have to wait and watch but one thing is sure that India has started to take some tough calls and making a statement that it is serious about the data of its citizens, and we all know data is the new oil.

[1] Notification RBI/2017-18/153 DPSS.CO.OD No. 2785/06.08.005/2017-2018

[2] https://rbi.org.in/scripts/FS_FAQs.aspx?Id=130&fn=9 , Storage of Payment System Data

[3] Mastercard submits new audit to Reserve Bank of India after ban over data handling | Business News – India TV (indiatvnews.com)

Leave a Comment

Your email address will not be published. Required fields are marked *

Contact us

Quick Links

Social Media

Facebook Instagram Twitter Linkedin-in

DISCLAIMER :- The information provided on this website, including articles authored by various individuals, is intended for general informational purposes only. We do not accept responsibility for any decisions made by readers based solely on the information presented on the website. Readers are advised to independently verify the information and seek professional advice before making any decisions based on the content provided. The firm shall not be held liable for any consequences arising from the reliance on the information contained on the website. This disclaimer is subject to change without notice, and it is recommended that users review it periodically for any updates.
The contents, claims, and views expressed on the website are solely those of the respective authors and the firm. As such, they bear exclusive responsibility for the content and ‘The Institute of Company Secretaries of India’ (ICSI) does not own any responsibility whatsoever for any contents or claims made in this website.