Have no responsibility to audit members of UPI ecosystem: RBI tells SC

RBI has told the Supreme Court that it has no responsibility to conduct “audit of members of United Payments Interface (UPI) ecosystem” and responsibility to ensure that private firms like Google and WhatsApp comply with norms lie with National Payments Corporation of India (NPCI).

The Reserve Bank of India (RBI), in its affidavit filed in the top court, also said that the matters related to “data privacy and data sharing” come under the domain of the central government.

The RBI's affidavit, which also sought dismissal of the PIL, was filed in response of a plea of Rajya Sabha MP Binoy Viswam seeking direction to it to frame regulation to ensure that data collected on UPI platforms is not “exploited” or used in any manner other than for processing payments.

A bench comprising Chief Justice S A Bobde and Justices A S Bopanna and V Ramasubramanaian Thursday fixed the plea of the Rajya Sabha MP for hearing on February 1.

The affidavit said “it is submitted that RBI's directions issued vide circular dated April 6, 2018 on storage of payment system data pertain only to payment date storage and not sharing or privacy. RBI has not issued any instructions on data sharing by TPAPs (Third Party Application Providers) or the participants of UPI. Matters related to data privacy and data sharing come under the domain of Government of India.”

It also said that the responsibility to ensure that companies like Amazon, Google and WhatsApp comply with the laws and norms governing the UPI lied with NPCI and not with RBI.

The affidavit said that since NPCI is the owner and operator of the UPI, it would be more appropriate for them to respond on the status of “compliance of WhatsApp with the system rules /procedural guidelines governing UPI. “

It also rejected the plea of the lawmaker that the RBI was under an obligation to audit the firms engaged in UPI transactions.

“It is also denied that the RBI has the responsibility to conduct audit of the members of the UPI ecosystem,” it said.

The federal bank said that earlier it had not taken any “disruptive” action against WhatsApp and Google as they were already providing customer services and later they complied with the conditions given in the RBI's circular.   

 “…Accordingly as WhatsApp and Google were already functioning as TPAPs and providing customer services at the time of issuance of the circular, no disruptive action against them was contemplated in the interest of general public. The same approach was followed by RBI with all the non-compliant entities which are similarly placed.

“It may also be noted that NPCI was advised not to permit full-scale operations of WhatsApp till the time they are fully compliant with the requirements of the RBI directions. NPCI subsequently allowed 'go live' of WhatsApp on UPI only after ensuring that WhatsApp was fully compliant with the circular,” the affidavit said.

Earlier, WhatsApp had denied in the court the allegations that its data can be hacked by Israeli spyware Pegasus, which had led to a controversy last year over breach of privacy following claims that Indian journalists and human rights activists were among those globally spied upon by unnamed entities.

Prior to this, the apex court On October 15 last had issued notice to RBI and others on the plea of Viswam seeking direction for framing regulation to ensure that data collected on UPI platforms is not “exploited” or used in any manner other than for processing payments.

 It had also sought responses of the Centre, Reserve Bank of India (RBI), National Payments Corporation of India (NPCI) and others including Google Inc, Facebook Inc, WhatsApp and Amazon Inc on the plea.

 Viswam, the Communist Party of India (CPI) leader, has sought a direction to the RBI and the NPCI to ensure that data collected on Unified Payments Interface (UPI) platforms is not shared with their parent company or any other third party under any circumstances.

 “In India, the UPI payments system is being regulated and supervised by Respondent no. 1 (RBI) and Respondent no. 2 (NPCI), however, the RBI and the NPCI instead of fulfilling their statutory obligations and protecting and securing the sensitive data of users are compromising the interest of the Indian users by allowing the non-compliant foreign entities to operate its payment services in India,” the plea has alleged.  

“The RBI and NPCI have permitted the three members of 'Big Four Tech Giants' i.e. Amazon, Google and Facebook/WhatsApp (Beta phase) to participate in the UPI ecosystem without much scrutiny and in spite of blatant violations of UPI guidelines and RBI regulations,” it claimed.

The plea has alleged that this conduct of RBI and NPCI put the sensitive financial data of Indian users at huge risks, especially when these entities have been “continuously accused of abusing dominance and compromising data”, among other things.

It said these allegations have become particularly worrisome at a time when India has banned the host of Chinese applications on the ground that those applications were or could be used for data theft and could lead to security breaches.

It has further sought a direction that RBI and NPCI should ensure that WhatsApp is not permitted to launch full-scale operations of 'WhatsApp Pay' in India without fulfilling all legal compliances to the satisfaction of the court regarding requisite regulatory compliances.