Mastercard submits new audit to India after ban over data handling – Metro US

Mastercard submits new audit to India after ban over data handling

FILE PHOTO: Smartphone with Mastercard logo is seen in front
FILE PHOTO: Smartphone with Mastercard logo is seen in front of displayed stock graph in this illustration

MUMBAI (Reuters) – Mastercard has submitted a new audit report to India’s central bank, it told Reuters, as it seeks to overturn a ban on card issuance linked to concerns over the U.S. giant’s handling of data processed abroad.

The Reserve Bank of India (RBI) on July 14 sent panic-waves through Indian banking partners by announcing a ban, effective from July 22, to prevent the U.S. giant from issuing new cards. It cited non-compliance with 2018 rules that required it to store payments data only in India.

The RBI imposed the ban after deciding a “system audit report” submitted by Mastercard’s auditor Deloitte in April was unsatisfactory, three sources familiar with its decision-making said, asking not to be named because of the sensitivity of the issue. Two of the sources said the RBI was reviewing the new report.

In a statement to Reuters, Mastercard said Deloitte performed a “supplemental audit” and a new report was submitted on July 20 to the RBI, six days after the ban was announced.

“We look forward to continuing our conversations with the RBI and reinforcing how seriously we take our obligations. We are hopeful that this latest filing provides the assurances required to address their concerns,” it said.

Deloitte declined to comment, citing confidentiality obligations. The RBI did not respond to a request for comment.

The sources said the RBI was concerned Deloitte’s audit did not clearly state how long Mastercard took to purge Indians’ card data that is processed abroad before being stored locally.

India’s 2018 rules do not restrict where the data is processed, but for “unfettered supervisory access”, the RBI mandates that within a day the data – including transaction details and amount – should be stored domestically.

Mastercard in 2018 said it had started storing data at a facility in India’s western city of Pune to comply. But it still processes a part of each Indian transaction through data centres abroad, and later transfers and stores that data in Pune, one of the sources said.

The RBI has given no details beyond a seven-line statement announcing the ban. The details of RBI’s concern with Deloitte’s submissions have not previously been reported.

American Express, whose Indian presence is much smaller than that of Mastercard and Visa, has also has been banned from issuing new cards since April for violating the 2018 rules.

A fourth person with direct knowledge of the matter said the RBI had given Mastercard multiple extensions to submit clarifications and RBI only issued the ban when Mastercard asked for more time when an extension to July 9 lapsed.

Mastercard did not comment on the extension and the situation in Pune.

(Reporting by Nupur Anand, Aditya Kalra and Euan Rocha; editing by Barbara Lewis)

More from our Sister Sites