Mastercard’s failure to comply with the Reserve Bank of India’s (RBI) directive to store payment data in the country has left private sector banks, including HDFC Bank, ICICI Bank, RBL Bank and Yes Bank, in the lurch.
RBL Bank and Yes Bank, in particular, had issued cards exclusively on the Mastercard network. All the other above-mentioned banks fortunately have tie-ups with Visa for the issuance of their debit and credit cards, although the majority of their card business is on the Mastercard network.
Effective from 22 July, Mastercard was barred from onboarding new customers in India because it failed to comply with data localisation rules laid down by the RBI in April 2018. Mastercard accounts for 33% of all card payments in India, according to a 2020 study by London-based payment startup, PPRO.
The RBI took similar action against American Express and Diners Club, which have a much smaller market share, barring them from onboarding new domestic customers from 1 May.
The central bank’s imposition of the three-year-old directive on these three multinational card networks has unsettled and disrupted India’s financial services industry. Investment bankers say that the “sledgehammer approach has sent the wrong message to investors”, especially as covid-19 allegedly caused a procedural delay for Mastercard to meet the RBI directive.
Many banks and financial services companies have started migrating their card offerings to other payment networks. In the interim, Mastercard’s revenues from its new card business will take a hit.
Fortunately, existing customers will not be impacted, especially regarding transactions. There were 62.39 million credit cards and 902.3 million debit cards in circulation as of 31 May, according to the latest available RBI data.
Mastercard’s loss is Visa’s gain, at least until the latter complies with the RBI directive. Visa has a 45% market share in the country, and its group country head for India and South Asia, TR Ramachandran, said in December 2019 that it would comply and process all domestic transactions at its data centres in Bengaluru and Mumbai.
The indigenous RuPay is equally likely to gain at the expense of Mastercard. However, it is largely a national player in the debit card market because not many international payment gateways have accepted its credit card offering.
Options for the banks
A Delhi-based data privacy lawyer suggests that banks could resort to litigation as agreements signed with Mastercard or any of the other card payment networks would have included indemnity and severability clauses.
However, Kumar Saurabh Singh, a Mumbai-based partner at Khaitan & Co, adds that banks can only rely upon the indemnity clause in their contractual agreement with Mastercard if these clauses cover involuntary actions, which could include regulatory action. “It is likely that losses incurred as a result of business disruption may not be protected under the indemnity clause,” he told India Business Law Journal.
Involuntary actions would probably have been carved out from clauses in the agreements signed with banks, says one financial services consultant. “Considering how hard multinational companies tend to negotiate, clause by clause, it is unlikely that global credit card companies with their sophisticated team of advisers would agree to an open-ended or wide indemnity, which could cause them liability later.”
Singh is certain that banks will be more cautious in future, “now that the RBI has taken action against three credit card companies”. He says banks would be best served if they “migrate quickly to other service providers and have the flexibility to work again with Mastercard once it complies and the RBI ban is lifted”.
Entering into agreements with other payment networks such as Visa and RuPay could take months, not only to sign the deal but also to integrate the respective back-ends.
Data localisation push
Today it is Mastercard, American Express and Diners Club. Tomorrow it could be any technology-driven company that deals with data, especially once India’s Personal Data Protection (PDP) Bill is enacted. The draft data protection law requires a copy of all “sensitive” personal data – including financial and health data, biometric and genetic data, and sexual orientation – to be stored on local servers.
When the RBI first suggested data localisation in 2018, US government officials sent warning letters to Narendra Modi’s administration that such measures could trigger trade barriers, and suggested that India should adopt a softer stance and introduce data mirroring instead of exclusive storage.
But the central bank stood its ground and prepared the roadmap for India to introduce data localisation in the PDP bill. This means that every multinational wanting to do business in India will have to put up data centres to store and process local Indian data. Insistence on exclusive data storage will make India the strictest country globally when it comes to data localisation.
With many cross-border transactions, data control is necessary to prevent terrorism and money laundering. After all, the idea behind data localisation is better monitoring and unfettered supervisory access to Indian data.
“It is difficult for the government to investigate if data is stored overseas, hence the need for data localisation,” says Singh, adding that the issue will always be “a tug-of-war”. He advises technology-driven companies not to underestimate Indian regulators.
Anish Narang, an associate consultant with KPMG in Mumbai, points out that setting up dedicated data centres in India will require institutions to onboard domestic IT resources, leading to employment.
Transactions involving domestic senders and receivers are stored only in India, and not available overseas. This will lead to the inability to perform analytics on this data, says Narang.
Insistence on data localisation could discourage foreign banks from continuing their business in India, and they will have to perform a cost-benefit analysis of their business models to continue operations in the country, he says. This is especially true for entities with only a few branches and not much business.
Narang fears that the high cost of maintaining data centres or cloud services could “push these companies to increase service costs for consumers”. He does not dismiss the likelihood of a conflict with foreign regulations, which could create more confusion for banks.