In a recent development, the Reserve Bank of India (RBI) has announced the lifting of the ban on Diners Club International. The ban was imposed in April of this year for disregarding data storage norms, and it barred the company from onboarding new customers. RBI decided to lift the ban after Diners Club International complied with the specified guidelines.
The Data Localization Rules by RBI
The bank regulator RBI released a statement which said that, in view of the satisfactory compliance demonstrated by Diners Club International Ltd. with the Reserve Bank of India (RBI) circular dated April 6, 2018, on Storage of Payment System Data, the restrictions imposed, vide order dated April 23, 2021, on on-boarding of fresh domestic customers have been lifted with immediate effect.
Along with Diners Club International, MasterCard and American Express have also been banned by the RBI from doing business in the domestic territory, as these entities have been found disregarding the local data storage rules set by the RBI. It is to be noted that all three of these are US-based card networks.
All these companies have been found violating similar compliance rules. The data localization rules set by the RBI, which were initiated in April of 2018, state that any payment operator in the country must have a storage server that is physically based in India. Moreover, these companies are also required to submit a System Audit Report (SAR) conducted by a CERT-In empanelled auditor.
The Central Bank of India had already issued a notice to the chief executives of all the PSOs operating in India in order to create secured data storage norms. One of the rules states that the PSOs must submit “compliance certificates” twice a year; this is mandatory, and the certificates need to be signed by the chief executive or the managing director of the entity.
The other mandated requirement is the submission, by the PSOs operating in India, of a board-approved annual System Audit Report (SAR) prepared by CERT-In empanelled auditors. Last but not least, the companies are also required to submit a one-time compliance report confirming that their payment data will be stored on a server that is physically located in India.
These certificates must be submitted to the RBI on April 30th and October 31st of every year.