American Express, Diners Club Banned In India From Adding New Users; 15 Lakh Existing Users Impacted?

Card companies American Express and Diners Club International, failing to comply with the guidelines on local data storage, have been asked by the Reserve Bank of India (RBI) to not get any new domestic customers on-board from May 1.

Existing Customers Should Not Worry : RBI

RBI clarified that this order shall not impact the existing customers.

Reacting to this course of action, American Express expressed their disappointment but said that they are working with RBI to resolve the concerns at the earliest. They also said that they were in regular dialogue with the RBI about data localisation requirements and demonstrations of their progress towards the compliance with regulation was already shown. American Express added that the existing customers need not worry and go on to use them.

According to the RBI data, American Express cards were used for transactions worth Rs 2,325 crore and at the end of February had credit cards outstanding of 1.56 million and was also the seventh-largest credit card issuer in the country.

Speaking of theDiners Club, in India it has a tie-up with HDFC Bank . Though the share of Diners Club in the HDFC Bank’s total cards portfolio is not much.

Both, American Express and Diners Club are extensively used for international travels and high value spending.

RBI’s Guidelines & Compliance

In April 2018, RBI instructed all payment system providers to store their entire data in a system only in India. In addition to reporting compliance to the RBI within a period of six months, a board-approved System Audit Report (SAR), prepared by a CERT-In-empaneled auditor was asked to be submitted by them within the specified timelines. Full end-to-end transaction details, information collected, carried and processed as part of the message and payment instruction is the data that must be stored in India.

This led to a huge hue and cry, and industry-level lobby groups in order to oppose the RBI’s data localisation guidelines were formed by companies like Visa, Mastercard, American Express, PayPal, Google, Facebook, Microsoft, and Amazon, as well as global banks.

If sources are to believed, on behalf of the American companies, powerful lobby groups such as the Securities Industry and Financial Markets Association (SIFMA), the Global Financial Markets Association (GFMA), and the US-India Business Council (USIBC) were tapped in order to exert pressure on RBI. However, RBI didn’t bat an eye and hence almost all the payments companies complied with the RBI’s guidelines and stored data locally.

No specific legislation dealing with user data breach cases or penal actions relating to the same is there in place in our country and the bill proposed to deal with such cases of data breaches, The Personal Data Protection Bill, has been pending in the Lok Sabha since 2019.

The issue has become a cynosure recently with alleged data breaches. One such breach was one by Mobikwik, wherein the information of 3.5 million of its users, of the size of 8.2 TB, was breached. The company however rejected this happening. Another such incident involves pizza chain Dominos, where millions of records of customer data were leaked online. Also Facebook and LinkedIn are said to be a victim of data leak, however both the companies said that the data was not hacked but scraped which means that the information was extracted from their websites.