The banking regulator has asked the NPCI specific questions on the status of compliance with data localisation
norms. The NPCI, it seems from the letter, had informed the RBI
of the compliance status of WhatsApp Pay’s on September 12 and October 24.
“WhatsApp application (client) logs, query screenshot (uploaded by the customer), and customer email message, which are stored with its support team for 90 days, do not contain any elements of payment data. We further advise you to ensure that WhatsApp does not store any of the payment transaction data elements in hashed/de-identified/ encrypted form in systems outside India,” the letter stated.
It further stated that in case of non-compliance by WhatsApp to the RBI’s circular, it may not be permitted to go live for full-scale operations on the UPI system. “It may be noted that this does not preclude the RBI
from initiating any other action as deemed fit in this regard,” it stated in the letter.
The NPCI, the umbrella organisation for operating retail payments and settlement systems in India, has been one of the big supporters of WhatsApp Pay
and Google Pay in India. In October, the NPCI had claimed that WhatsApp Pay
would be compliant with the RBI’s guidelines in two months.
The chat app has been running the beta version of its payments system since last February. WhatsApp Pay
is built on the Unified Payments Interface (UPI), a platform developed by the NPCI.
According to recent reports, the NPCI said WhatsApp would be able to pass the RBI’s litmus test. “There are still a couple of intermediaries where work is in progress. One is Google, second is WhatsApp. We believe WhatsApp will be fully compliant in the next two months,” the NPCI’s chief executive Dilip Asbe recently told media.
According to cyber law experts, in the current situation when the safety of data with WhatsApp, following a software breach that allowed hackers to target 121 Indian citizens among 1,400 people globally, is in question, it should not be allowed to run payments or have UPI on its platform. “WhatsApp, by allowing its platform to compromise, has lost the confidence of Indian users. Hence, until data is localised and until it implements controls to guard against future exploitation of its platform, a licence should not be granted,” said Prashant Mali, a cyber law expert.
RBI sources said the central bank’s officials are upset with WhatsApp because even after asking it multiple times, the messaging platform has not maintained the same level of transparency that banks in the country, as well as other payment platforms, maintain.
There is an ongoing case in the Supreme Court, filed by Centre for Accountability and Systemic Change (CASC), an NGO which has alleged that WhatsApp launched its payment services without having fully complied with the RBI’s directives on data localisation.
The banking regulator had earlier told the apex court that it does not give approval to entities like WhatsApp to act as authorised payment system operator; it is the NPCI which has allowed such entities to operate under the multi-bank model of the UPI.