The story so far: The Reserve Bank of India (RBI) on Wednesday banned Mastercard from issuing new debit and credit cards to customers in India with effect from July 22. According to the RBI, the U.S. card-issuer has failed to comply with the local data storage rules announced by the central bank in 2018. The ban has unsettled banks operating in India that use Mastercard’s services to issue a variety of cards to their customers.
What is the RBI’s data localisation policy?
In 2018, the Indian central bank had issued a circular ordering card companies such as Visa, Mastercard, and American Express to store all Indian customer data locally so that the regulator could have “unfettered supervisory access”. This meant that foreign card companies had to store complete information about transactions made by Indian customers in servers located within India. Companies were initially required to comply with these rules within six months. The reason offered by the RBI to back up its data localisation rule was that local storage of consumer data is necessary to protect the privacy of Indian users and also to address national security concerns. Since the order, Mastercard, Visa and other foreign card companies have lobbied to dilute the rules . But the RBI has remained strict that companies must comply with its data localisation rules. Consequently, Mastercard deleted Indian customer data from its foreign servers and promised to invest in building local servers in India to store local customer data. The RBI, however, has not been impressed. It has banned Mastercard from issuing new cards to customers from July 22. Reuters reported Mastercard as having said it was “disappointed” with the RBI’s decision and it had provided regular updates on its compliance with the rules since 2018. The company was quoted as saying it would continue to work with the Indian central bank to provide any additional details required to resolve its concerns.
Existing Mastercard customers, however, can continue to use their cards. Earlier this year, American Express and Diners Club International were also banned by the RBI from issuing new cards after they failed to comply with the 2018 circular.
What is the need for local data storage?
Experts believe that customer privacy and national security are genuine concerns that need to be taken seriously. However, many also believe that data localisation rules are too stringent and they could simply be used by governments as tools of economic protectionism. For instance, they argue, it may not be strictly necessary for data to be stored locally to remain protected. Broadly speaking, formal international laws to govern the storage of digital information across borders may be sufficient to deal with these concerns. Governments, however, may still mandate data localisation in order to favour local companies to foreign ones.
China, for example, has used its cyber-security laws to discriminate against foreign companies. A similar trend may be playing out in India with the Centre’s emphasis on economic self-sufficiency. In 2018, Mastercard had launched a complaint with the U.S. government that Prime Minister Narendra Modi was actively promoting Indian cards like RuPay and that it was affecting the business of foreign card companies. Governments may also believe that mandating foreign companies to set up local infrastructure can boost their local economies.
What lies ahead?
Indian banks that are currently enrolled in the Mastercard network are expected to make alternative arrangements with other card companies. The process is expected to take a few months, and their card business is expected to take a significant hit meanwhile. The RBI’s data localisation policy, as it burdens foreign card companies, may end up favouring domestic card issuers like RuPay. Mastercard owns about one-third of the market share in India, and the RBI’s ban is likely to significantly benefit its competitors. RBL Bank, for instance, has decided to enter into an agreement with Visa after the RBI’s ban on Mastercard. Similarly, the ban on American Express and Diners Club earlier this year benefited the Indian card network RuPay. Some believe that even Visa, a foreign company which dominates card payments in India, may come under regulatory pressure in the near future. Thus, the card payments sector may end up being restricted to a few domestic companies, which in turn can lead to reduced competition. This could mean higher costs and lower quality services for customers.
It is also worth noting that in today’s digital economy data have turned out to be a valuable commodity, which companies as well as governments have tried to gain control over. Information about spending patterns and other customer data can be monetised by companies in a variety of ways. With no clear rules on who owns customer data and to what extent, conflicts over data ownership are likely to continue for some time.