RBI allows American Express to add new customers after 16-month ban – Times of India

MUMBAI: The Reserve Bank of India (RBI) on Wednesday lifted its 16-month-old ban on global credit cards major American Express (AmEx) from taking on new customers after the company complied with the central bank’s data localization & storage policy. This policy, put in place in April 2018, stipulates that all banks and payment system companies operating in India should store all its customer data only in India.
In view of the satisfactory compliance demonstrated by AmEx with the RBI circular of April 6, 2018 on Storage of Payment System Data, the restrictions imposed on the company relating to on-boarding of new domestic customers have been lifted with immediate effect, an RBI release said.
This policy by the central bank made it compulsory for all system providers (meaning banks and card issuing companies) to ensure that their entire customer data, that include “full end-to-end transaction details, information collected, carried, processed as part of the message, payment instructions” etc. relating to payment systems operated by them is stored in a system only in India. These entities are also required to report “compliance to RBI and submit a board-approved system audit report conducted by a CERT-In empaneled auditor.”

The central bank’s main objective to have such a policy in place was “to ensure better monitoring” of the operations of these entities. For the same RBI needed “unfettered supervisory access to data stored with these system providers as also with their service providers, intermediaries, third party vendors and other entities in the payment ecosystem,” the central bank had said while issuing the directives in April 2018.
Welcoming the RBI decision, Sanjay Khanna, Interim CEO & COO, AmEx India said that India was a key strategic market for the US cards major and this decision was the result of its significant local investments “in technology, infrastructure and resources.”
Earlier the RBI had put similar restrictions on Mastercard and Diners Club International, both payment system companies like AmEx, for similar violations. The regulatory diktat did not affect the existing customers of these companies. The ban on Diners Club was lifted on November 9, 2021 and on Mastercard on June 14, 2022.
Although it was in April 2018 that the central bank had asked all the banks and payments system companies to comply with its data localization and storage policy, some entities were reluctant to adhere to the directions. Initially RBI had given these companies six months to comply with its directions. Thereafter even though it had given several extensions, some companies failed to comply.
In its order against Mastercard, dated July 14, 2021, RBI had said that “notwithstanding lapse of considerable time and adequate opportunities being given, (Mastercard) has been found to be non-compliant with the directions on Storage of Payment System Data.” Within weeks of the RBI direction, Mastercard had approached the central bank with a compliance audit report.