RBI to Supreme Court: Not responsible for auditing UPI ecosystem members

RBI to Supreme Court: Not responsible for auditing UPI ecosystem members

In its affidavit filed in the top court, the Reserve Bank of India (RBI) also said that data privacy and data sharing- related matters come under the domain of the central government

NEW DELHI: The Supreme Court has been told by the RBI that the latter is not responsible for conducting an audit of members of the United Payments Interface (UPI) ecosystem and that the National Payments Corporation of India (NPCI) is responsible for ensuring that private firms such as Google and WhatsApp comply with norms.

In its affidavit filed in the top court, the Reserve Bank of India (RBI) also said that data privacy and data sharing-related matters come under the central government domain. Filed in response to a plea by Rajya Sabha MP Binoy Viswam seeking direction to it to draft regulation to make sure that data collected on UPI platforms is used only for processing payments, the RBI affidavit also sought the PIL's dismissal.

The plea of the Rajya Sabha MP was fixed for hearing on February 1 by a bench constituted by Chief Justice S A Bobde and Justices A S Bopanna and V Ramasubramanaian. The RBI's directions issued through the April 6, 2018 circular on payment system data storage pertain only to payment date storage and not sharing or privacy, the affidavit said.

No instructions on data sharing by TPAPs (Third Party Application Providers) or the UPI participants have been issued by the RBI. Data privacy and data sharing-related matters come under the Government of India domain.

The NPCI and not RBI is responsible for ensuring that companies such as Amazon, Google and WhatsApp comply with the laws and norms governing the UPI. Because NPCI is UPI's owner and operator, it would be more appropriate for it to respond on WhatsApp's compliance with system rules/procedural guidelines governing UPI, the affidavit said.

The lawmaker's plea was also rejected which said that the RBI is obliged to audit firms involved in UPI transactions. That the RBI is responsible for conducting audit of UPI ecosystem members was also denied, it said. Since WhatsApp and Google were already providing customer services and later complied with the conditions in RBI's circular, no disruptive action had earlier been taken against the duo, the federal bank said.

No disruptive action was contemplated against WhatsApp and Google in the interest of the general public as they were already operating as TPAPs and providing customer services at the time the circular was issued. The RBI followed the same approach with all non-compliant entities that are similarly placed.

The NPCI was advised not to allow full-scale WhatsApp operations till such time they were fully compliant with the RBI directions. Subsequently, the NPCI permitted WhatsApp's "go live" on UPI only after making sure that WhatsApp was fully compliant with the circular, the affidavit said.

WhatsApp had earlier refuted allegations in court that its data could be hacked by Israeli spyware Pegasus which had last year led to a controversy over the breach of privacy of Indian human rights' activists and journalists who were among those globally being spied upon by unnamed entities.

Before this on October 15 last year, the apex court had issued notice to the central bank and others on the Viswam plea seeking direction for drafting regulation to make sure that data collected on UPI platforms was not used for any other purpose than processing payments. Responses had also been sought from the Centre, RBI, NPCI and others including Amazon Inc., WhatsApp, Facebook Inc. and Google Inc.

Communist Party of India (CPI) leader A. Viswam has sought direction to the RBI and NPCI to make sure that data collected on UPI platforms is not shared with their parent company or any other third party under any circumstances. According to the plea, Respondent no. 1 (RBI) and Respondent no. 2 (NPCI) that are regulating and supervising the UPI payments system in India are compromising Indian users' interest by permitting non-compliant foreign entities to operate payment services in India rather than fulfilling their statutory obligations and protecting and securing users' sensitive data.

The plea said that three members of the Big Four Tech Giants i.e. Amazon, Google and Facebook/WhatsApp (Beta phase) have been allowed by the RBI and NPCI to participate in the UPI ecosystem sans much scrutiny and despite blatant violations of UPI guidelines and RBI regulations. Sensitive financial data of Indian users is at huge risk due to this conduct of the RBI and NPCI, the plea states.