The Reserve Bank of India (RBI) has asked the National Payments Corporation of India (NPCI) to ensure that WhatsApp Pay is fully compliant with data localisation norms before it gets permission to roll out its services across the country.
In a letter to the NPCI on November 1, the central bank made it clear that WhatsApp Pay, the payment services of the Facebook-owned messaging giant, needs to keep all financial data in every form in India. It stressed that financial data in any form cannot at any given point be stored abroad. The RBI also made it clear to the NPCI that if WhatsApp Pay does not follow the guidelines, it will have to intervene and won’t allow the payment services to go live.
WhatsApp and the NPCI hadn’t replied to emailed queries at the time of going to press. Business Standard has a copy of the RBI’s letter, titled ‘WhatsApp’s compliance to data storage guideline and Go-Live on UPI platform’.
The banking regulator has asked the NPCI specific questions on the status of compliance with data localisation norms. The NPCI, it seems from the letter, had informed the RBI of the compliance status of WhatsApp Pay on September 12 and October 24.
“WhatsApp application (client) logs, query screenshot (uploaded by the customer), and customer email message, which are stored with its support team for 90 days, do not contain any elements of payment data. We further advise you to ensure that WhatsApp does not store any of the payment transaction data elements in hashed/de-identified/encrypted form in systems outside India,” the letter stated.
The letter further stated that in case of non-compliance by WhatsApp with the RBI’s circular, it may not be permitted to go live for full-scale operations on the UPI system. “It may be noted that this does not preclude the RBI from initiating any other action as deemed fit in this regard,” it stated.
The NPCI, the umbrella organisation for operating retail payments and settlement systems in India, has been one of the big supporters of WhatsApp Pay and Google Pay in India. In October, the NPCI had claimed that WhatsApp Pay would be compliant with the RBI’s guidelines in two months.
The chat app has been running the beta version of its payments system since last February. WhatsApp Pay is built on the Unified Payments Interface (UPI), a platform developed by the NPCI.
According to recent reports, the NPCI said WhatsApp would be able to pass the RBI’s litmus test. “There are still a couple of intermediaries where work is in progress. One is Google, second is WhatsApp. We believe WhatsApp will be fully compliant in the next two months,” the NPCI’s chief executive Dilip Asbe recently told media.
According to cyber law experts, WhatsApp should not be allowed to run payments or have UPI on its platform while the safety of data held with it is in question, following a software breach that allowed hackers to target 121 Indian citizens among 1,400 people globally. “WhatsApp, by allowing its platform to be compromised, has lost the confidence of Indian users. Hence, until data is localised and until it implements controls to guard against future exploitation of its platform, a licence should not be granted,” said Prashant Mali, a cyber law expert.
RBI sources said the central bank’s officials are upset with WhatsApp because, even after being asked multiple times, the messaging platform has not maintained the same level of transparency that banks in the country, as well as other payment platforms, maintain.
There is an ongoing case in the Supreme Court, filed by the Centre for Accountability and Systemic Change (CASC), an NGO that has alleged that WhatsApp launched its payment services without having fully complied with the RBI’s directives on data localisation.
The banking regulator had earlier told the apex court that it does not give approval to entities like WhatsApp to act as authorised payment system operators; it is the NPCI which has allowed such entities to operate under the multi-bank model of the UPI.