RBI Bans American Express & Diners Club From Onboarding New Domestic Customers
By – Ashwathy Nair
- The card companies didn’t adhere to guidelines on local data storage.
- This order will not affect existing customers.
“The guidelines for storing payment system data were found to be breached by these organizations. Existing customers will be unaffected by this order,” according to a statement on the RBI’s website.
“We have been in continuous discussion with the Reserve Bank of India regarding data localisation requirements and have been demonstrating our progress toward compliance with the regulation,” American Express said in a statement. “Although we are not at all satisfied with the decision that is being made by the Reserve Bank of India, we are working with them to address their concerns as soon as possible. This has no bearing on the services we provide to our current customers in India, and they can continue to use and accept our cards as usual.”
American Express was the seventh-largest credit card issuer in the nation at the end of February, with 1.56 million credit cards outstanding. According to RBI numbers, its cards were used for transactions reaching ₹2,325 crores.
Diners Club data was not available separately; it has a partnership with HDFC Bank, which is India’s largest card issuer. While a spokesperson for HDFC Bank was not immediately available for comment, it is known that Diners Club accounts for a small percentage of the bank’s overall card portfolio.
Both of these cards are premium products and are mostly used for international travel and high-value purchases.
“This requirement for local data storage is close to the one in the Personal Data Privacy Bill, which proposes very specific data localization requirements for industries, which MNCs opposed,” said Salman Waris, Partner – Head TMT and IP Practice at Delhi-based TechLegis Advocates & Solicitors. However, given recent mega data and cyberattacks, it might be worthwhile to store data on local servers to escape enforcement, governing law, and liability concerns in the event of a breach, according to Waris. Complete end-to-end transaction details, as well as information gathered, carried, and processed as part of the message and payment instruction, had to be stored in India.
These companies had been given six months to comply with the RBI.
According to reports, this caused major outrage, and US-based businesses decided to work with the US government to persuade India and the RBI to relax the laws.
Visa, Mastercard, American Express, PayPal, Google, Facebook, Microsoft, and Amazon, as well as international banks, had intended to form industry-level lobby groups to oppose the RBI’s data localisation guidelines.
According to reports, the Securities Industry and Financial Markets Association (SIFMA), the Global Financial Markets Association (GFMA), and the US-India Business Council (USIBC) were also enlisted to represent the American companies.
The RBI, on the other hand, stuck to its guns. As a result, almost all payment firms followed the RBI’s guidance and processed data locally.
In India, there is currently no specific law addressing user data violations or the fines that can be applied as a result of them. Since 2019, the Lok Sabha has been debating the Personal Data Protection Bill, which is intended to address such data breaches.
Recent data breach cases have brought the issue to the forefront. An alleged data breach at MobiKwik exposed the data of 3.5 million of its customers, including emails, phone numbers, Aadhaar cards, PAN cards, and other know-your-customer documents. The data was estimated to be 8.2 TB in size. MobiKwik has dismissed the allegation.
Earlier this month, millions of customer records from the Domino’s pizza chain were leaked online. This month, the data of millions of Facebook and LinkedIn users, including Indian users, was also leaked. Although both companies acknowledged that consumer data had been taken, they said that it had been scraped rather than hacked from their networks. Scraping involves retrieving valuable data from a website using an application.