New Delhi: The Reserve Bank of India (RBI) has, by order dated April 23, 2021, imposed restrictions on American Express Banking Corp. and Diners Club International Ltd. from on-boarding new domestic customers onto their card networks from May 1, 2021. These entities have been found non-compliant with the directions on Storage of Payment System Data. This order will not impact existing customers.
American Express Banking Corp. and Diners Club International Ltd. are Payment System Operators authorised to operate Card Networks in the country under the Payment and Settlement Systems Act, 2007 (PSS Act).
The supervisory action has been taken in exercise of powers vested in RBI under Section 17 of the PSS Act.
Background
In terms of RBI circular on Storage of Payment System Data dated April 6, 2018, all Payment System Providers were directed to ensure that within a period of six months the entire data (full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction) relating to payment systems operated by them is stored in a system only in India. They were also required to report compliance to RBI and submit a Board-approved System Audit Report (SAR) conducted by a CERT-In empanelled auditor within the timelines specified therein.
Storage of Payment System Data
Please refer to paragraph 4 of the Statement on Development and Regulatory Policies of the First Bi-monthly Monetary Policy Statement for 2018-19 dated April 5, 2018. In recent times, there has been considerable growth in the payment ecosystem in the country. Such systems are also highly technology dependent, which necessitate adoption of safety and security measures, which are best in class, on a continuous basis.
2. It is observed that not all system providers store the payments data in India. In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem. It has, therefore, been decided that:
- All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
- System providers shall ensure compliance of (i) above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
- System providers shall submit the System Audit Report (SAR) on completion of the requirement at (i) above. The audit should be conducted by CERT-IN empaneled auditors certifying completion of activity at (i) above. The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank not later than December 31, 2018.
3. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).
