 "American Express")
The Reserve Bank of India (RBI) on Friday asked card companies American Express and Diners Club International not to get new domestic customers onboard from May 1 as they did not adhere to the guidelines on local data storage.
“These entities have been found non-compliant with the directions on storage of payment system data. This order will not impact existing customers,” the RBI said in a notification on its website.
Reacting to the development, American Express in a statement said: "We have been in regular dialogue with the Reserve Bank of India about data localisation requirements and have demonstrated our progress towards complying with the regulation. While we’re disappointed that the RBI has taken this course of action, we are working with them to resolve their concerns as quickly as possible. This does not impact the services that we offer to our existing customers in India, and our customers can continue to use and accept our cards as normal.”
At the end of February, American Express had credit cards outstanding of 1.56 million and was the seventh-largest credit card issuer in the country. Its cards were used for transactions worth Rs 2,325 crore, according to the RBI data.
The Diners Club data was not separately available; it has a tie-up with HDFC Bank in India, the country’s largest card issuer. A spokesperson for HDFC Bank was not immediately available for comment, but it is understood that the share of Diners Club in the bank’s total cards portfolio is not much.
Both these cards are premium and are used widely for international travels and high value spending.
"This local data storage obligation is similar to the one proposed under the Personal Data Privacy Bill which suggested very hard data localisation obligation on entities, which were objected to by MNCs,’’ said Salman Waris, Partner - Head TMT and IP Practice at Delhi-based TechLegis Advocates & Solicitors. However, with recent mega data and cyber breaches, it might be worthwhile to have data stored on local servers so as to avoid jurisdiction and governing law and liability issues at a later date in case of such a breach, Waris said.
“These entities have been found non-compliant with the directions on storage of payment system data. This order will not impact existing customers,” the RBI said in a notification on its website.
Reacting to the development, American Express in a statement said: "We have been in regular dialogue with the Reserve Bank of India about data localisation requirements and have demonstrated our progress towards complying with the regulation. While we’re disappointed that the RBI has taken this course of action, we are working with them to resolve their concerns as quickly as possible. This does not impact the services that we offer to our existing customers in India, and our customers can continue to use and accept our cards as normal.”
At the end of February, American Express had credit cards outstanding of 1.56 million and was the seventh-largest credit card issuer in the country. Its cards were used for transactions worth Rs 2,325 crore, according to the RBI data.
The Diners Club data was not separately available; it has a tie-up with HDFC Bank in India, the country’s largest card issuer. A spokesperson for HDFC Bank was not immediately available for comment, but it is understood that the share of Diners Club in the bank’s total cards portfolio is not much.
Both these cards are premium and are used widely for international travels and high value spending.
"This local data storage obligation is similar to the one proposed under the Personal Data Privacy Bill which suggested very hard data localisation obligation on entities, which were objected to by MNCs,’’ said Salman Waris, Partner - Head TMT and IP Practice at Delhi-based TechLegis Advocates & Solicitors. However, with recent mega data and cyber breaches, it might be worthwhile to have data stored on local servers so as to avoid jurisdiction and governing law and liability issues at a later date in case of such a breach, Waris said.
