For breaching data storage norms, the Reserve Bank has barred American Express Banking Corp and Diners Club International Ltd from onboarding new domestic customers into their card networks as of May 1. Current customers of these two organisations will be unaffected by the move, the central bank stated in a release on Friday. Under the Payment and Settlement Systems Act of 2007 (PSS Act), American Express Banking Corp and Diners Club International Ltd are Payment System Operators licensed to run card networks in India. By an order dated April 23, 2021, the RBI enforced the bans on American Express Banking Corp and Diners Club International. The RBI stated that these institutions were found to be in violation of the regulations on Payment System Data Storage.
The supervisory move has been adopted in accordance with RBI's rights under Section 17 of the PSS Act. All payment system operators were instructed in April 2018 to make sure that all the data (full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction) pertaining to payment systems run by them is processed in a system only in India within a six-month timeframe. They were also mandated to delineate compliance to RBI and file a board-approved System Audit Report (SAR) undertaken by a CERT-In impanelled auditor within the prescribed time periods. In response to the report, American Express issued a statement that "We have been in regular dialogue with the Reserve Bank of India about data localisation requirements and have demonstrated our progress towards complying with the regulation. While we're disappointed that the RBI has taken this course of action, we are working with them to resolve their concerns as quickly as possible. This does not impact the services that we offer to our existing customers in India, and our customers can continue to use and accept our cards as normal."