Data storage norms: Mastercard submits audit report to RBI

The RBI's restrictions were put in place because Mastercard failed to comply with India's local data storage norms. (Representative Image: REUTERS/Eduard Korniyenko)

The RBI’s restrictions were put in place because Mastercard failed to comply with India’s local data storage norms. (Representative Image: REUTERS/Eduard Korniyenko)

After being banned by the RBI from issuing new cards, US-based payments technology major Mastercard on Friday said it has submitted an audit report to the regulator showing compliance with the local data storage norms.

The Reserve Bank had on July 14 put an indefinite ban on Mastercard from issuing new credit, debit and prepaid cards. The ban came into effect from July 22.

The restrictions were put in place because of the company’s failure to comply with local data storage norms that require payments companies to store data related to Indian customers only in the country.

“When RBI required us to provide additional clarifications about our data localisation framework in April 2021, we retained government-empaneled Deloitte to perform a supplemental audit to help demonstrate our compliance.

“We have been in a continued dialogue with the RBI from April through the report’s submission on July 20, 2021,” Mastercard said in a statement in response to a set of queries sent by PTI.

The company said since the RBI’s 2018 directive on data localisation and storage, it has worked closely with the central bank and Indian government to ensure that Mastercard is compliant with both the letter and the spirit of the order.

“This includes submitting reports as required by the RBI. We look forward to continuing our conversations with the RBI and reinforcing how seriously we take our obligations. We are hopeful that this latest filing provides the assurances required to address their concerns,” it said.

Further, the company said it is committed to put in whatever resources are required to meet any additional requirements raised by RBI and bring this matter to a close “expeditiously”.

“In the meantime, we remain focused on ensuring our current business continues to operate as usual, working in lockstep with our customers and partners to minimize any impact on cardholders,” it added.

Mastercard, a major card issuing entity, is the third company to have been barred by RBI from acquiring new customers over data storage issues, after American Express Banking Corp and Diners Club International.

RBI had said that Mastercard was found to be non-compliant with the directions on ‘Storage of Payment System Data’ despite being given adequate opportunities.

However, the regulator had said the ban on issuing new cards was not going to impact the services of the existing customers of Mastercard in India.

Mastercard is a payment system operator authorised to operate a card network in the country under the Payment and Settlement Systems Act, 2007 (PSS Act).

RBI’s circular on Storage of Payment System Data on April 6, 2018 had directed all system providers to ensure that within a period of six months the entire data relating to payment systems was stored only in India.

They were also required to report compliance to RBI and submit a board-approved System Audit Report conducted by a CERT-In empanelled auditor within specified timelines.